53,422 research outputs found
Data Minimisation in Communication Protocols: A Formal Analysis Framework and Application to Identity Management
With the growing amount of personal information exchanged over the Internet,
privacy is becoming more and more a concern for users. One of the key
principles in protecting privacy is data minimisation. This principle requires
that only the minimum amount of information necessary to accomplish a certain
goal is collected and processed. "Privacy-enhancing" communication protocols
have been proposed to guarantee data minimisation in a wide range of
applications. However, currently there is no satisfactory way to assess and
compare the privacy they offer in a precise way: existing analyses are either
too informal and high-level, or specific for one particular system. In this
work, we propose a general formal framework to analyse and compare
communication protocols with respect to privacy by data minimisation. Privacy
requirements are formalised independent of a particular protocol in terms of
the knowledge of (coalitions of) actors in a three-layer model of personal
information. These requirements are then verified automatically for particular
protocols by computing this knowledge from a description of their
communication. We validate our framework in an identity management (IdM) case
study. As IdM systems are used more and more to satisfy the increasing need for
reliable on-line identification and authentication, privacy is becoming an
increasingly critical issue. We use our framework to analyse and compare four
identity management systems. Finally, we discuss the completeness and
(re)usability of the proposed framework
Towards trajectory anonymization: a generalization-based approach
Trajectory datasets are becoming popular due to the massive usage of GPS and locationbased services. In this paper, we address privacy issues regarding the identification of individuals in static trajectory datasets. We first adopt the notion of k-anonymity to trajectories and propose a novel generalization-based approach for anonymization of trajectories. We further show that releasing
anonymized trajectories may still have some privacy leaks. Therefore we propose a randomization based reconstruction algorithm for releasing anonymized trajectory data and also present how the underlying techniques can be adapted to other anonymity standards. The experimental results on real and synthetic trajectory datasets show the effectiveness of the proposed techniques
How to Work with Honest but Curious Judges? (Preliminary Report)
The three-judges protocol, recently advocated by Mclver and Morgan as an
example of stepwise refinement of security protocols, studies how to securely
compute the majority function to reach a final verdict without revealing each
individual judge's decision. We extend their protocol in two different ways for
an arbitrary number of 2n+1 judges. The first generalisation is inherently
centralised, in the sense that it requires a judge as a leader who collects
information from others, computes the majority function, and announces the
final result. A different approach can be obtained by slightly modifying the
well-known dining cryptographers protocol, however it reveals the number of
votes rather than the final verdict. We define a notion of conditional
anonymity in order to analyse these two solutions. Both of them have been
checked in the model checker MCMAS
Some Remarks on the Ranking of Infinite Utility Streams
A long tradition in welfare economics and moral philosophy, dating back at least to Sidgwick(1907) is the idea that all generations must be treated alike. Perhaps, the most forceful assertion of this idea comes from Ramsey (1928) who declared that any argument for preferring one generation over another must come “merely from the weakness of the imagination”. The “equal treatment of all generations” or the intergenerational equity principle has been formalised in the subsequent literature as the axiom of Anonymity, which requires that two infinite utility streams be judged indifferent to one another if one can be obtained from the other through a permutation of utilities of a finite number of generations. Since it also seems “natural” to require that any social evaluation of infinite utility streams respond positively to an increase in the utility of any generation, the Pareto Axiom is also desirable. Unfortunately, Diamond(1965) showed that there is no social welfare function satisfying these axioms along with a continuity axiom. In a more recent paper, Basu and Mitra( 2003) prove a more general result by showing that the continuity axiom is superfluous
Asymptotic information leakage under one-try attacks
We study the asymptotic behaviour of (a) information leakage and (b) adversary’s error probability in information hiding systems modelled as noisy channels. Specifically, we assume the attacker can make a single guess after observing n independent executions of the system, throughout which the secret information is kept fixed. We show that the asymptotic behaviour of quantities (a) and (b) can be determined in a simple way from the channel matrix. Moreover, simple and tight bounds on them as functions of n show that the convergence is exponential. We also discuss feasible methods to evaluate the rate of convergence. Our results cover both the Bayesian case, where a prior probability distribution on the secrets is assumed known to the attacker, and the maximum-likelihood case, where the attacker does not know such distribution. In the Bayesian case, we identify the distributions that maximize the leakage. We consider both the min-entropy setting studied by Smith and the additive form recently proposed by Braun et al., and show the two forms do agree asymptotically. Next, we extend these results to a more sophisticated eavesdropping scenario, where the attacker can perform a (noisy) observation at each state of the computation and the systems are modelled as hidden Markov models
- …