Probabilistic Anonymity Via Coalgebraic Simulations

  • Ichiro Hasuo
  • Yoshinobu Kawabe
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4421)


There is a growing concern on anonymity and privacy on the Internet, resulting in lots of work on formalization and verification of anonymity. Especially, importance of probabilistic aspect of anonymity is claimed recently by many authors. Among them are Bhargava and Palamidessi who present the definition of probabilistic anonymity for which, however, proof methods are not yet elaborated. In this paper we introduce a simulation-based proof method for probabilistic anonymity. It is a probabilistic adaptation of the method by Kawabe et al. for non-deterministic anonymity: anonymity of a protocol is proved by finding out a forward/backward simulation between certain automata. For the jump from non-determinism to probability we fully exploit a generic, coalgebraic theory of traces and simulations developed by Hasuo and others. In particular, an appropriate notion of probabilistic simulations is obtained by instantiating a generic definition with suitable parameters.


Computer Security Observable Action Proof Method Probabilistic Simulation Probabilistic Automaton 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Abadi, M., Gordon, A.: A calculus for cryptographic protocols: The Spi calculus. In: Fourth ACM Conference on Computer and Communications Security, pp. 36–47. ACM Press, New York (1997)Google Scholar
  2. 2.
    Anonymity bibliography,
  3. 3.
    Barr, M., Wells, C.: Toposes, Triples and Theories. Springer, Berlin (1985)MATHGoogle Scholar
  4. 4.
    Bhargava, M., Palamidessi, C.: Probabilistic anonymity. In: Abadi, M., de Alfaro, L. (eds.) CONCUR 2005. LNCS, vol. 3653, pp. 171–185. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  5. 5.
    Chaum, D.: The dining cryptographers problem: Unconditional sender and recipient untraceability. Journ. of Cryptology 1(1), 65–75 (1988)MATHMathSciNetGoogle Scholar
  6. 6.
    Cheung, L.: Reconciling Nondeterministic and Probabilistic Choices. PhD thesis, Radboud Univ. Nijmegen (2006)Google Scholar
  7. 7.
    Garcia, F.D., et al.: Provable anonymity. In: Küsters, R., Mitchell, J. (eds.) 3rd ACM Workshop on Formal Methods in Security Engineering (FMSE05), Alexandria, VA, U.S.A., November 2005, pp. 63–72. ACM Press, New York (2005)CrossRefGoogle Scholar
  8. 8.
    Halpern, J.Y., O’Neill, K.R.: Anonymity and information hiding in multiagent systems. Journal of Computer Security, to appear.Google Scholar
  9. 9.
    Hasuo, I.: Generic forward and backward simulations. In: Baier, C., Hermanns, H. (eds.) CONCUR 2006. LNCS, vol. 4137, pp. 406–420. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Hasuo, I., Jacobs, B., Sokolova, A.: Generic trace theory. In: Ghani, N., Power, J. (eds.) International Workshop on Coalgebraic Methods in Computer Science (CMCS 2006). Elect. Notes in Theor. Comp. Sci, vol. 164, pp. 47–65. Elsevier, Amsterdam (2006)Google Scholar
  11. 11.
    Hughes, D., Shmatikov, V.: Information hiding, anonymity and privacy: A modular approach. Journal of Computer Security 12(1), 3–36 (2004)Google Scholar
  12. 12.
    Kawabe, Y., et al.: Backward simulations for anonymity. In: International Workshop on Issues in the Theory of Security (WITS ’06) (2006)Google Scholar
  13. 13.
    Kawabe, Y., et al.: Theorem-proving anonymity of infinite state systems. Information Processing Letters 101(1) (2007)Google Scholar
  14. 14.
    Lynch, N., Vaandrager, F.: Forward and backward simulations. I. Untimed systems. Inf. & Comp. 121(2), 214–233 (1995)MATHCrossRefMathSciNetGoogle Scholar
  15. 15.
    Palamidessi, C.: Probabilistic and nondeterministic aspects of anonymity. In: MFPS ’05. Elect. Notes in Theor. Comp. Sci, vol. 155, pp. 33–42. Elsevier, Amsterdam (2006)Google Scholar
  16. 16.
    Pfitzmann, A., Köhntopp, M.: Anonymity, unobservability, and pseudonymity: A proposal for terminology. Draft, version 0.17 (July 2000)Google Scholar
  17. 17.
    Sabelfeld, A., Sands, D.: Probabilistic noninterference for multi-threaded programs. In: Proceedings of the 13th IEEE Computer Security Foundations Workshop (CSFW’00), pp. 200–214 (2000)Google Scholar
  18. 18.
    Schneider, S., Sidiropoulos, A.: CSP and anonymity. In: Martella, G., et al. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 198–218. Springer, Heidelberg (1996)Google Scholar
  19. 19.
    Segala, R., Lynch, N.: Probabilistic simulations for probabilistic processes. Nordic Journ. Comput. 2(2), 250–273 (1995)MATHMathSciNetGoogle Scholar
  20. 20.
    Serjantov, A.: On the Anonymity of Anonymity Systems. PhD thesis, University of Cambridge (March 2004)Google Scholar
  21. 21.
    Shmatikov, V.: Probabilistic model checking of an anonymity system. Journ. of Computer Security 12(3), 355–377 (2004)Google Scholar
  22. 22.
    van Glabbeek, R.: The linear time-branching time spectrum (extended abstract). In: Baeten, J.C.M., Klop, J.W. (eds.) CONCUR 1990. LNCS, vol. 458, pp. 278–297. Springer, Heidelberg (1990)Google Scholar
  23. 23.
    Varacca, D., Winskel, G.: Distributing probabililty over nondeterminism. Math. Struct. in Comp. Sci. 16(1), 87–113 (2006)MATHCrossRefMathSciNetGoogle Scholar
  24. 24.
    Volpano, D.M., Smith, G.: Probabilistic noninterference in a concurrent language. Journ. of Computer Security 7(1) (1999)Google Scholar

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Ichiro Hasuo
    • 1
  • Yoshinobu Kawabe
    • 2
  1. 1.Radboud University NijmegenThe Netherlands
  2. 2.NTT Communication Science Laboratories, NTT CorporationJapan

Personalised recommendations