Anonymity, Information, and Machine-Assisted Proof
Aaron R. Coble
King's College, University of Cambridge
A dissertation submitted for the degree of Doctor of Philosophy

Abstract

This thesis demonstrates a technique for proving the anonymity guarantees of communication systems, using a mechanised theorem-prover. The approach is based on Shannon's theory of information and can be used to analyse probabilistic programs. The information-theoretic metrics that are used for anonymity provide quantitative results, even in the case of partial anonymity. Many of the developments in this text are applicable to information leakage in general, rather than solely to privacy properties. By developing the framework within a mechanised theorem-prover, all proofs are guaranteed to be logically and mathematically consistent with respect to a given model. Moreover, the specification of a system can be parameterised and desirable properties of the system can quantify over those parameters; as a result, properties can be proved about the system in general, rather than about specific instances.

In order to develop the analysis framework described in this text, the underlying theories of information, probability, and measure had to be formalised in the theorem-prover; those formalisations are explained in detail. That foundational work is of general interest and not limited to the applications illustrated here. The meticulous, extensional approach that has been taken ensures that mathematical consistency is maintained. A series of examples illustrates how formalised information theory can be used to analyse and prove the information leakage of programs modelled in the theorem-prover. Those examples consider a number of different threat models and show how they can be characterised in the framework proposed.
Finally, the tools developed are used to prove the anonymity of the dining cryptographers (DC) protocol, thereby demonstrating the use of the framework and its applicability to proving privacy properties; the DC protocol is a standard benchmark for new methods of analysing anonymity systems. This work includes the first machine-assisted proof of anonymity of the DC protocol for an unbounded number of cryptographers.

Acknowledgements

My wife Alex has lived each of my failures and successes and every moment of elation or despair that has gone into these four years of work. She has withstood all of it with patience, love, and kindness and for that she has my undying gratitude. Without the encouragement and support of my parents and my sister I would not be where I am today. They were there holding my hand through my first steps and have cheered me on through the final sprint. Thank you.

I'd like to thank Larry Paulson for all his guidance during the course of my research and for remaining confident in my ability even when my own confidence faltered. Everyone that attended the HVG/ARG afternoon teas helped to create a wonderful community for social and academic discussion; those meetings were always a welcome break in the workday. Unfortunately, I cannot mention everyone I would like to, but a few names demand mention. Magnus Myreen has been a friend, companion, mentor, and more. Joe Hurd gave me a great deal of his time and patience early on during this work and discussions with him truly gave my research its first footing. Mike Gordon has always been at the ready with some friendly wisdom and Thomas Tuerk has revived the tea meetings, with a smile and delicious cakes, whenever I have fallen behind.

Finally, I would like to thank the Gates Cambridge Trust and the University of Cambridge Computer Laboratory for their financial support. Without their generosity, none of this would have been possible.
Declaration

This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration, except where specifically indicated in the text. This dissertation does not exceed the regulation length of 60000 words, including tables and footnotes.

Contents

1 Introduction 13
  1.1 Anonymous communications 13
    1.1.1 Quantifying Anonymity 15
    1.1.2 Analysis Approaches 19
  1.2 Formal methods for security analysis 20
  1.3 Overview of technique 22
    1.3.1 Motivating goals 22
    1.3.2 Contributions 23

2 Probability, Measure, and Integration 25
  2.1 Motivation 25
  2.2 Related work and novel contributions 27
    2.2.1 Hurd's measure and probability theories in HOL4 27
    2.2.2 Richter's integration theory in Isabelle/HOL 29
    2.2.3 Białas and Nędzusiak's probability theories in Mizar 29
    2.2.4 Hasan's expectation in HOL4 30
    2.2.5 Harrison's gauge integral in HOL4 30
    2.2.6 Lester's topology and probability in PVS 30
  2.3 Measure theory formalised in HOL4 32
    2.3.1 Subset classes and σ-algebras 32
    2.3.2 Measure spaces 34
    2.3.3 Measurable functions 36
  2.4 Lebesgue integration formalised in HOL4 38
    2.4.1 Indicator functions and positive simple functions 38
    2.4.2 Integration of positive measurable functions 42
    2.4.3 Lebesgue integration of measurable functions 44
    2.4.4 Radon-Nikodým derivatives 47
    2.4.5 Product measures 48
  2.5 Probability theory formalised in HOL4 49
    2.5.1 A general formalisation of probability theory 49
    2.5.2 Extensions to the formalisation of probability theory 50
  2.6 Summary 55

3 Information, Entropy, and Uncertainty 57
  3.1 Background 57
  3.2 Motivation 58
  3.3 Related work and novel contributions 59
  3.4 A gentle introduction to information theory 60
    3.4.1 Information 60
    3.4.2 Entropy 61
    3.4.3 Conditional entropy 62
    3.4.4 Mutual information 63
    3.4.5 Conditional mutual information 64
  3.5 Information theory formalised in HOL4 64
    3.5.1 Kullback-Leibler divergence 66
    3.5.2 Mutual information 67
    3.5.3 Entropy 69
    3.5.4 Conditional mutual information 71
  3.6 Summary 74

4 Programs, Probabilism, and Information Leakage 75
  4.1 Motivation 76
  4.2 Information leakage formalised in HOL4 78
    4.2.1 Adding probabilistic behaviour 79
    4.2.2 Modelling program state 82
    4.2.3 Formalising program definitions 82
    4.2.4 Random variables over portions of program states 84
    4.2.5 Formalised information leakage 85
  4.3 Assistance for information leakage analysis in HOL4 86
    4.3.1 unif_prog_space 86
    4.3.2 Simplified leakage computation for unif_prog_space 88
  4.4 Formalised information leakage examples 89
    4.4.1 Handling intermediate values 95
    4.4.2 Security through hidden probabilistic behaviour 98
    4.4.3 What is being leaked? 99
    4.4.4 Information flow from low to high-security 100
  4.5 Related work and novel contributions 101
    4.5.1 Towards probabilistic, quantitative analysis 101