Technical Report UCAM-CL-TR-785
ISSN 1476-2986
Number 785

Computer Laboratory

Anonymity, information, and machine-assisted proof

Aaron R. Coble

July 2010

15 JJ Thomson Avenue
Cambridge CB3 0FD
United Kingdom
phone +44 1223 763500
http://www.cl.cam.ac.uk/

© 2010 Aaron R. Coble

This technical report is based on a dissertation submitted January 2010 by the author for the degree of Doctor of Philosophy to the University of Cambridge, King's College.

Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/techreports/

Abstract

This report demonstrates a technique for proving the anonymity guarantees of communication systems, using a mechanised theorem-prover. The approach is based on Shannon's theory of information and can be used to analyse probabilistic programs. The information-theoretic metrics that are used for anonymity provide quantitative results, even in the case of partial anonymity. Many of the developments in this text are applicable to information leakage in general, rather than solely to privacy properties. By developing the framework within a mechanised theorem-prover, all proofs are guaranteed to be logically and mathematically consistent with respect to a given model. Moreover, the specification of a system can be parameterised and desirable properties of the system can quantify over those parameters; as a result, properties can be proved about the system in general, rather than specific instances.

In order to develop the analysis framework described in this text, the underlying theories of information, probability, and measure had to be formalised in the theorem-prover; those formalisations are explained in detail. That foundational work is of general interest and not limited to the applications illustrated here. The meticulous, extensional approach that has been taken ensures that mathematical consistency is maintained.

A series of examples illustrate how formalised information theory can be used to analyse and prove the information leakage of programs modelled in the theorem-prover. Those examples consider a number of different threat models and show how they can be characterised in the framework proposed.

Finally, the tools developed are used to prove the anonymity of the dining cryptographers (DC) protocol, thereby demonstrating the use of the framework and its applicability to proving privacy properties; the DC protocol is a standard benchmark for new methods of analysing anonymity systems. This work includes the first machine-assisted proof of anonymity of the DC protocol for an unbounded number of cryptographers.

Acknowledgements

My wife Alex has lived each of my failures and successes and every moment of elation or despair that has gone into these four years of work. She has withstood all of it with patience, love, and kindness and for that she has my undying gratitude.

Without the encouragement and support of my parents and my sister I would not be where I am today. They were there holding my hand through my first steps and have cheered me on through the final sprint. Thank you.

I'd like to thank Larry Paulson for all his guidance during the course of my research and for remaining confident in my ability even when my own confidence faltered. Everyone that attended the HVG/ARG afternoon teas helped to create a wonderful community for social and academic discussion; those meetings were always a welcome break in the workday. Unfortunately, I cannot mention everyone I would like to, but a few names demand mention. Magnus Myreen has been a friend, companion, mentor, and more. Joe Hurd gave me a great deal of his time and patience early on during this work and discussions with him truly gave my research its first footing. Mike Gordon has always been at the ready with some friendly wisdom and Thomas Tuerk has revived the tea meetings, with a smile and delicious cakes, whenever I have fallen behind.
Finally, I would like to thank the Gates Cambridge Trust and the University of Cambridge Computer Laboratory for their financial support. Without their generosity, none of this would have been possible.

Contents

1 Introduction 11
  1.1 Anonymous communications 11
    1.1.1 Quantifying Anonymity 12
    1.1.2 Analysis Approaches 14
  1.2 Formal methods for security analysis 14
  1.3 Overview of technique 16
    1.3.1 Motivating goals 16
    1.3.2 Contributions 16

2 Probability, Measure, and Integration 18
  2.1 Motivation 18
  2.2 Related work and novel contributions 19
    2.2.1 Hurd's measure and probability theories in HOL4 19
    2.2.2 Richter's integration theory in Isabelle/HOL 20
    2.2.3 Białas and Nędzusiak's probability theories in Mizar 20
    2.2.4 Hasan's expectation in HOL4 20
    2.2.5 Harrison's gauge integral in HOL4 21
    2.2.6 Lester's topology and probability in PVS 21
  2.3 Measure theory formalised in HOL4 22
    2.3.1 Subset classes and σ-algebras 22
    2.3.2 Measure spaces 23
    2.3.3 Measurable functions 24
  2.4 Lebesgue integration formalised in HOL4 26
    2.4.1 Indicator functions and positive simple functions 26
    2.4.2 Integration of positive measurable functions 28
    2.4.3 Lebesgue integration of measurable functions 30
    2.4.4 Radon-Nikodým derivatives 31
    2.4.5 Product measures 32
  2.5 Probability theory formalised in HOL4 33
    2.5.1 A general formalisation of probability theory 33
    2.5.2 Extensions to the formalisation of probability theory 34
  2.6 Summary 37

3 Information, Entropy, and Uncertainty 38
  3.1 Background 38
  3.2 Motivation 38
  3.3 Related work and novel contributions 39
  3.4 A gentle introduction to information theory 39
    3.4.1 Information 40
    3.4.2 Entropy 40
    3.4.3 Conditional entropy 41
    3.4.4 Mutual information 41
    3.4.5 Conditional mutual information 42
  3.5 Information theory formalised in HOL4 42
    3.5.1 Kullback-Leibler divergence 43
    3.5.2 Mutual information 44
    3.5.3 Entropy 45
    3.5.4 Conditional mutual information 46
  3.6 Summary 48

4 Programs, Probabilism, and Information Leakage 49
  4.1 Motivation 49
  4.2 Information leakage formalised in HOL4 51
    4.2.1 Adding probabilistic behaviour 51
    4.2.2 Modelling program state 53
    4.2.3 Formalising program definitions 53
    4.2.4 Random variables over portions of program states 54
    4.2.5 Formalised information leakage 54
  4.3 Assistance for information leakage analysis in HOL4 55
    4.3.1 unif_prog_space 55
    4.3.2 Simplified leakage computation for unif_prog_space 56
  4.4 Formalised information leakage examples 57
    4.4.1 Handling intermediate values 61
    4.4.2 Security through hidden probabilistic behaviour 63
    4.4.3 What is being leaked? 63
    4.4.4 Information flow from low to high-security 64
  4.5 Related work and novel contributions 65
    4.5.1 Towards probabilistic, quantitative analysis 65
    4.5.2 Formal methods 65
    4.5.3 Programming language approaches 65
    4.5.4 Computational-complexity approaches 66
  4.6 Summary 66

5 Anonymity, Cryptographers, and Gastronomy 68
  5.1 Motivation 68
  5.2 Anonymity as information non-leakage 68
  5.3 The dining cryptographers protocol 69
  5.4 The dining cryptographers protocol in HOL4 70
    5.4.1 Setting the cryptographers' announcements 70
    5.4.2 Computing the outcome 71
    5.4.3 Putting it all together 71
    5.4.4 Defining the distribution on input states 72
  5.5 Proof of the dining cryptographers protocol in HOL4 73
    5.5.1 Interactive, parameterised proof of anonymity 73
    5.5.2 Automatic computation of leakage for finite instances 77
    5.5.3 Proofs of variations of the protocol 77
  5.6 Related work and novel contributions 77
    5.6.1 Formal definitions of anonymity 78
    5.6.2 Tool-supported analysis of anonymity systems 79
  5.7 Summary 80

6 Summary 81
  6.1 Future Work 81

A Glossary of HOL4 notation 83
B measureTheory 84
C borelTheory 103
D lebesgueTheory 108
E probabilityTheory 119
F informationTheory 129
G leakageTheory 133
H dining_cryptosTheory 142
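The abstract states that anonymity of the dining cryptographers protocol is measured as information leakage (mutual information between the secret and what an observer sees) and that the metric stays quantitative under partial anonymity. The following is an added example, not the report's HOL4 development: it brute-forces small DC instances in Python with exact probabilities. It assumes a payer chosen uniformly among the n cryptographers, fair coins, and an observer who sees every announcement plus any coins listed in observed_coins; the names dc_announcements and leakage_bits are mine.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product
from math import log2


def dc_announcements(payer, coins):
    """Announcements of one n-cryptographer DC round.

    coins[i] is the fair coin shared by cryptographers i and i-1 (mod n).
    Cryptographer i announces the XOR of its two coins, flipped if it paid."""
    n = len(coins)
    return tuple(coins[i] ^ coins[(i - 1) % n] ^ (1 if i == payer else 0)
                 for i in range(n))


def entropy_bits(dist):
    """Shannon entropy in bits of a distribution given as {outcome: prob}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def leakage_bits(n, observed_coins=()):
    """Mutual information I(payer; view) in bits (constructed model).

    Payer uniform over the n cryptographers, coins fair. The observer's view is
    every announcement plus the coins whose indices are in observed_coins.
    0 means perfect anonymity, log2(n) means the payer is fully revealed."""
    joint = defaultdict(Fraction)          # exact P(payer, view)
    for payer in range(n):
        for coins in product((0, 1), repeat=n):
            view = (dc_announcements(payer, coins)
                    + tuple(coins[i] for i in observed_coins))
            joint[(payer, view)] += Fraction(1, n * 2 ** n)
    payer_dist, view_dist = defaultdict(Fraction), defaultdict(Fraction)
    for (payer, view), p in joint.items():
        payer_dist[payer] += p
        view_dist[view] += p
    # I(X; Y) = H(X) + H(Y) - H(X, Y)
    return (entropy_bits(payer_dist) + entropy_bits(view_dist)
            - entropy_bits(joint))


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(f"n={n}: outside observer leaks {leakage_bits(n):.3f} bits")
    # Seeing both coins of cryptographer 2 reveals exactly whether 2 paid:
    # partial anonymity, log2(3) - 2/3 ~= 0.918 of the log2(3) possible bits.
    print(f"n=3, coins 1 and 2 seen: {leakage_bits(3, (1, 2)):.3f} bits")
```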