Section: New Results
Foundations of information hiding
Information hiding refers to the problem of protecting private information while performing certain tasks or interactions, and trying to avoid that an adversary can infer such information. This is one of the main areas of research in Comète; we are exploring several topics, described below.
Axioms for Information Leakage
Quantitative information flow aims to assess and control the leakage of sensitive information by computer systems. A key insight in this area is that no single leakage measure is appropriate in all operational scenarios; as a result, many leakage measures have been proposed, with many different properties. To clarify this complex situation, we studied in [17] information leakage axiomatically, showing important dependencies among different axioms. We also established a completeness result about the
Up-To Techniques for Generalized Bisimulation Metrics
Bisimulation metrics allow us to compute distances between the behaviors of probabilistic systems. In [18] we presented enhancements of the proof method based on bisimulation metrics, by extending the theory of up-to techniques to (pre)metrics on discrete probabilistic concurrent processes.
Up-to techniques have proved to be a powerful proof method for showing that two systems are bisimilar, since they make it possible to build (and thereby check) smaller relations in bisimulation proofs. We defined soundness conditions for up-to techniques on metrics, and studied compatibility properties that allow us to safely compose up-to techniques with each other. As an example, we derived the soundness of the up-to-bisimilarity-metric-and-context technique.
The study was carried out for a generalized version of the bisimulation metrics, in which the Kantorovich lifting is parametrized with respect to a distance function. The standard bisimulation metrics, as well as metrics aimed at capturing multiplicative properties such as differential privacy, are specific instances of this general definition.
Compositional methods for information-hiding
Systems concerned with information hiding often use randomization to obfuscate the link between the observables and the information to be protected. The degree of protection provided by a system can be expressed in terms of the probability of error associated with the inference of the secret information. In [12] we considered a probabilistic process calculus to specify such systems, and we studied how the operators affect the probability of error. In particular, we characterized constructs that have the property of not decreasing the degree of protection, and that can therefore be considered safe in the modular construction of these systems. As a case study, we applied these techniques to the Dining Cryptographers, and we derived a generalization of Chaum's strong anonymity result.
Differential Privacy Models for Location-Based Services
In [13], we considered the adaptation of differential privacy to the context of location-based services (LBSs), which personalize the information provided to a user based on his current position. Assuming that the LBS provider is queried with a perturbed version of the position of the user instead of his exact one, we relied on differential privacy to quantify the level of indistinguishability (i.e., privacy) provided by this perturbation with respect to the user's position. In this setting, the adaptation of differential privacy can lead to various models depending on the precise form of indistinguishability required. We discussed the set of properties that hold for these models in terms of privacy, utility and also implementation issues. More precisely, we first introduced and analyzed one of these models, (D,ε)-location privacy, which is directly inspired by the standard differential privacy model. In this context, we described a general probabilistic model for obfuscation mechanisms for the locations whose output domain is the Euclidean space
Practical Mechanisms for Location Privacy
The continuously increasing use of location-based services poses an important threat to the privacy of users. A natural defense is to employ an obfuscation mechanism, such as those providing geo-indistinguishability, a framework for obtaining formal privacy guarantees that has become popular in recent years.
Ideally, one would like to employ an optimal obfuscation mechanism, providing the best utility among those satisfying the required privacy level. In theory, optimal mechanisms can be constructed via linear programming. In practice, however, this is only feasible for a very small number of locations. As a consequence, all known applications of geo-indistinguishability simply use noise drawn from a planar Laplace distribution.
In [23] we studied methods for substantially improving the utility of location obfuscation, while having practical applicability as a central constraint. We provided such solutions for both infinite (continuous or discrete) as well as large but finite domains of locations, using a Bayesian remapping procedure as a key ingredient. We evaluated our techniques on two complete real-world datasets, without any restriction on the evaluation area, and showed important utility improvements with respect to the standard planar Laplace approach.
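The following is an added illustration of the two ingredients named above, the planar Laplace mechanism and a Bayesian remapping post-processing step; it is not code from the Comète team or from [23]. The four-point prior, the distance unit and the choice of remapping candidates (the support of the prior) are constructed assumptions; the evaluation is a seeded Monte Carlo run rather than the real datasets used in the paper.

```python
"""Planar Laplace obfuscation with Bayesian remapping (added example)."""
import math
import random

# Constructed prior over four candidate user locations (arbitrary distance units):
# most of the mass sits on one point, as a real user's movement pattern often would.
PRIOR = {(0.0, 0.0): 0.7, (10.0, 0.0): 0.1, (0.0, 10.0): 0.1, (10.0, 10.0): 0.1}


def dist(a, b):
    """Euclidean distance between two points."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def planar_laplace_density(x, z, eps):
    """Density of the planar Laplace mechanism centred at x:
    eps^2 / (2*pi) * exp(-eps * d(x, z))."""
    return eps * eps / (2 * math.pi) * math.exp(-eps * dist(x, z))


def planar_laplace_sample(x, eps, rng):
    """Draw z around x: uniform angle and radius ~ Gamma(2, 1/eps),
    generated as the sum of two exponentials (1 - random() keeps u in (0, 1])."""
    theta = rng.uniform(0.0, 2 * math.pi)
    r = -(math.log(1.0 - rng.random()) + math.log(1.0 - rng.random())) / eps
    return (x[0] + r * math.cos(theta), x[1] + r * math.sin(theta))


def geo_ind_bound_holds(x1, x2, z, eps):
    """Check the eps-geo-indistinguishability inequality on the densities:
    p(z|x1) <= exp(eps * d(x1, x2)) * p(z|x2); a small slack absorbs rounding."""
    lhs = planar_laplace_density(x1, z, eps)
    rhs = math.exp(eps * dist(x1, x2)) * planar_laplace_density(x2, z, eps)
    return lhs <= rhs * (1 + 1e-12)


def bayesian_remap(z, eps, prior=PRIOR):
    """Post-process the noisy output z: form the posterior over the prior's support
    and return the candidate minimising the expected distance to the true location.
    Candidates are taken from the prior's support (an assumption of this example).
    Post-processing cannot weaken the privacy guarantee of the mechanism."""
    weights = {x: p * planar_laplace_density(x, z, eps) for x, p in prior.items()}
    total = sum(weights.values())
    posterior = {x: w / total for x, w in weights.items()}
    return min(prior, key=lambda c: sum(p * dist(x, c) for x, p in posterior.items()))


def expected_error(eps, n=2000, seed=1, prior=PRIOR):
    """Seeded Monte Carlo estimate of the expected distance error (utility loss)
    for the raw planar Laplace output and for the remapped output."""
    rng = random.Random(seed)
    points, probs = zip(*prior.items())
    raw = remapped = 0.0
    for _ in range(n):
        x = rng.choices(points, probs)[0]
        z = planar_laplace_sample(x, eps, rng)
        raw += dist(x, z)
        remapped += dist(x, bayesian_remap(z, eps, prior))
    return raw / n, remapped / n


if __name__ == "__main__":
    raw_err, remap_err = expected_error(eps=0.2)
    print(f"raw error {raw_err:.2f}, remapped error {remap_err:.2f}")
```

With eps = 0.2 per distance unit the raw mechanism has an expected error of 2/eps = 10 units, while the remapped output, which can only ever return one of the four plausible points, lands on the right one most of the time; the gain comes entirely from the prior, so it is an estimate of utility, not of privacy, and the privacy level stays that of the underlying mechanism.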
Preserving differential privacy under finite-precision semantics
The approximation introduced by finite-precision representation of continuous data can induce arbitrarily large information leaks even when the computation using exact semantics is secure. Such leakage can thus undermine design efforts aimed at protecting sensitive information. In [14] we focussed on differential privacy, an approach to privacy that emerged from the area of statistical databases and is now widely applied also in other domains. In this approach, privacy is protected by adding noise to the values correlated to the private data. The typical mechanisms used to achieve differential privacy have been proved correct in the ideal case in which computations are made using infinite-precision semantics. We analyzed the situation at the implementation level, where the semantics is necessarily limited by finite precision, i.e., the representation of real numbers and the operations on them are rounded according to some level of precision. We showed that in general there are violations of the differential privacy property, and we studied the conditions under which we can still guarantee a limited (but, arguably, acceptable) variant of the property, under only a minor degradation of the privacy level. Finally, we illustrated our results on two examples: the standard Laplacian mechanism commonly used in differential privacy, and a bivariate version of it recently introduced in the setting of privacy-aware geolocation.
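The effect described in this paragraph can be made visible on a toy arithmetic small enough to enumerate completely. The example below is an added illustration, not code from the Comète team or from [14]: it models finite precision with Python's decimal module at three significant digits and a uniform source with 999 equiprobable values (both constructed assumptions), computes the full output distribution of the Laplace mechanism for two adjacent inputs, and reports outputs that one input can produce and the other cannot, which is exactly the kind of violation the text refers to.

```python
"""Laplace mechanism under a toy finite-precision semantics (added example)."""
from collections import Counter
from decimal import Decimal, localcontext

PREC = 3       # significant digits of the toy arithmetic (constructed assumption)
GRID = 1000    # the uniform source yields k/GRID for k = 1..GRID-1 (constructed assumption)


def laplace_outputs(x, b=1):
    """Return {output: probability} for x + Laplace(b) noise computed at PREC digits.

    Noise is drawn as sign * (-b * ln(u)) with u uniform on the source grid and the
    sign uniform; every intermediate value is rounded to PREC significant digits,
    as a finite implementation would round it.
    """
    counts = Counter()
    with localcontext() as ctx:
        ctx.prec = PREC
        x, b = Decimal(x), Decimal(b)
        for k in range(1, GRID):
            u = Decimal(k) / Decimal(GRID)
            magnitude = -(b * u.ln())          # rounded to PREC digits
            for sign in (1, -1):
                counts[x + sign * magnitude] += 1   # rounded again on the addition
    n = 2 * (GRID - 1)
    return {y: c / n for y, c in counts.items()}


def unreachable_outputs(x0, x1, b=1):
    """Outputs with positive probability under x0 that x1 can never produce.
    Seeing one of them reveals the input with certainty, whatever the nominal eps."""
    p0, p1 = laplace_outputs(x0, b), laplace_outputs(x1, b)
    return {y for y in p0 if y not in p1}


def max_privacy_loss(x0, x1, b=1):
    """Largest ratio P(y|x0)/P(y|x1) over all outputs, infinite when the supports
    differ. Under exact real-number semantics this would be at most e^{|x0-x1|/b}."""
    p0, p1 = laplace_outputs(x0, b), laplace_outputs(x1, b)
    if set(p0) != set(p1):
        return float("inf")
    return max(p0[y] / p1[y] for y in p0)


if __name__ == "__main__":
    bad = sorted(unreachable_outputs(0, 1))
    print(f"{len(bad)} outputs reachable from x=0 but not from x=1, e.g. {bad[:5]}")
    print("max privacy loss:", max_privacy_loss(0, 1))
```

The mechanism itself is the textbook one; the problem is purely that rounding near zero keeps more absolute precision (0.00501 is representable) than rounding near one (1 - 0.995 is 0.005), so the two inputs produce different output sets. The same effect exists in binary floating point, which is why a deployment must reason about the implemented semantics rather than the ideal one, as the paragraph above argues.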
Quantifying Leakage in the Presence of Unreliable Sources of Information
Belief and min-entropy leakage are two well-known approaches to quantify information flow in security systems. Both concepts stand as alternatives to the traditional approaches founded on Shannon entropy and mutual information, which were shown to provide inadequate security guarantees. In [16] we unified the two concepts in one model so as to cope with the frequent (potentially inaccurate, misleading or outdated) attackers' side information about individuals on social networks, online forums, blogs and other forms of online communication and information sharing. To this end we proposed a new metric based on min-entropy that takes into account the adversary's beliefs.
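As an added worked example (not code from the Comète team, and not the metric of [16] itself), the block below computes the quantities these paragraphs rely on for a small channel: the probability of error used as the protection measure in the compositional-methods paragraph, the min-entropy leakage, and the success rate of an adversary who guesses according to a belief that differs from the true prior. The channel matrix and the priors are constructed, and the belief computation is a plain Bayes-guess model used only to show why an inaccurate belief changes the leakage picture.

```python
"""Bayes vulnerability, probability of error and min-entropy leakage (added example)."""
import math

# Constructed channel: rows are secret values, columns are observables, entries P(y|x).
CHANNEL = [[0.75, 0.25],
           [0.25, 0.75]]
TRUE_PRIOR = [0.5, 0.5]


def prior_vulnerability(prior):
    """Probability that a one-guess adversary is right before observing anything."""
    return max(prior)


def posterior_vulnerability(prior, channel):
    """Expected probability of a correct guess after seeing the observable:
    sum over y of max over x of p(x) * C[x][y]."""
    n_secrets, n_obs = len(prior), len(channel[0])
    return sum(max(prior[x] * channel[x][y] for x in range(n_secrets))
               for y in range(n_obs))


def probability_of_error(prior, channel):
    """Bayes risk, the probability that the adversary's best guess is wrong."""
    return 1.0 - posterior_vulnerability(prior, channel)


def min_entropy_leakage(prior, channel):
    """Min-entropy leakage in bits: log2(V_posterior / V_prior)."""
    return math.log2(posterior_vulnerability(prior, channel) / prior_vulnerability(prior))


def success_with_belief(true_prior, belief, channel):
    """Adversary chooses the guess that is best under its own belief; the success
    probability is then measured under the true prior. With an accurate belief this
    equals the posterior vulnerability; with an inaccurate one it can only be lower."""
    n_secrets, n_obs = len(belief), len(channel[0])
    total = 0.0
    for y in range(n_obs):
        guess = max(range(n_secrets), key=lambda x: belief[x] * channel[x][y])
        total += true_prior[guess] * channel[guess][y]
    return total


if __name__ == "__main__":
    print("probability of error:", probability_of_error(TRUE_PRIOR, CHANNEL))
    print("min-entropy leakage (bits):", min_entropy_leakage(TRUE_PRIOR, CHANNEL))
    print("success with belief [0.9, 0.1]:",
          success_with_belief(TRUE_PRIOR, [0.9, 0.1], CHANNEL))
```

On this channel the posterior vulnerability is 0.75, so the probability of error is 0.25 and the leakage is log2(1.5) bits; an adversary convinced that the first secret has probability 0.9 always guesses it and succeeds only half the time, which is the phenomenon the unified model above is designed to account for.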
On the Compositionality of Quantitative Information Flow
In the min-entropy approach to quantitative information flow, the leakage is defined in terms of a minimization problem, which, in the case of large systems, can be computationally rather heavy. The same happens for the recently proposed generalization called