Skip to Main content Skip to Navigation
New interface

Formal approaches to information hiding : An analysis of interactive systems, statistical disclosure control, and refinement of specifications

Mário S. Alvim 1 
1 COMETE - Concurrency, Mobility and Transactions
LIX - Laboratoire d'informatique de l'École polytechnique [Palaiseau], Inria Saclay - Ile de France
Abstract : In this thesis we consider the problem of information hiding in the scenarios of interactive systems, statistical disclosure control, and refinement of specifications. We apply quantitative approaches to information flow in the first two cases, and we propose improvements for the usual solutions based on process equivalences for the third case. In the first scenario we consider the problem of defining the information leakage in interactive systems where secrets and observables can alternate during the computation and influence each other. We show that the information-theoretic approach which interprets such systems as (simple) noisy channels is not valid. The principle can be recovered, however, if we consider channels of a more complicated kind, that in information theory are known as channels with memory and feedback. We show that there is a complete correspondence between interactive systems and these channels, and we propose the use of directed information from input to output as the real measure of leakage in interactive systems. We also show that our model is a proper extension of the classical one, i.e. in the absence of interactivity the model of channels with memory and feedback collapses into the model of memoryless channels without feedback. In the second scenario we consider the problem of statistical disclosure control, which concerns how to reveal accurate statistics about a set of respondents while preserving the privacy of individuals. We focus on the concept of differential privacy, a notion that has become very popular in the database community. Roughly, the idea is that a randomized query mechanism provides sufficient privacy protection if the ratio between the probabilities that two adjacent datasets give a certain answer is bound by a constant. We observe the similarity of this goal with the main concern in the field of information flow, namely limiting the possibility of inferring the secret information from the observables. We show how to model the query system in terms of an information-theoretic channel, and we compare the notion of differential privacy with that of min-entropy leakage. We show that differential privacy implies a bound on the min-entropy leakage, and we also consider the utility of the randomization mechanism, which represents how close the randomized answers are, in average, to the real ones. Finally we show that the notion of differential privacy implies a tight bound on utility, and we propose a method that under certain conditions builds an optimal randomization mechanism. Moving the focus away from quantitative approaches, in the third scenario we address the problem of using process equivalences to characterize information-hiding properties (for instance secrecy, anonymity and non-interference). In the literature, some works have used this approach, based on the principle that a protocol P with a variable x satisfies such property if and only if, for every pair of secrets s1 and s2, P[s1 / x] is equivalent to P[s2 / x]. We show that, in the presence of nondeterminism, the above principle may rely on the assumption that the scheduler "works for the benefit of the protocol", and this is usually not a safe assumption. Non-safe equivalences, in this sense, include complete-trace equivalence and bisimulation. This problem arises naturally when refining a specification into an implementation, since usually the former is more abstract than the latter, and the refinement process involves reducing the nondeterminism. The scheduler is, in this sense, a final product of the refinement process, after all the nondeterminism is ruled out. We present a formalism in which we can specify admissible schedulers and, correspondingly, safe versions of complete-trace equivalence and bisimulation. We prove that safe bisimulation is still a congruence. Finally, we show that safe equivalences can be used to establish information-hiding properties.
Document type :
Complete list of metadata
Contributor : Mário Alvim Connect in order to contact the contributor
Submitted on : Monday, February 13, 2012 - 7:15:59 PM
Last modification on : Wednesday, February 2, 2022 - 3:55:09 PM
Long-term archiving on: : Monday, May 14, 2012 - 2:55:09 AM


  • HAL Id : tel-00639948, version 3



Mário S. Alvim. Formal approaches to information hiding : An analysis of interactive systems, statistical disclosure control, and refinement of specifications. Cryptography and Security [cs.CR]. Ecole Polytechnique X, 2011. English. ⟨NNT : ⟩. ⟨tel-00639948v3⟩



Record views


Files downloads