Hideki Sakurada

Role Interchange for Anonymity and Privacy of Voting

We propose a new information-hiding property called role interchangeability for the verification of the anonymity and privacy of security protocols. First, we formally specify the new property in multi-agent systems, and describe its relationship with known anonymity properties that are also defined in multi-agent systems. Moreover, we define privacy in a way that is symmetric with anonymity, and show that exploiting this symmetry is useful for deriving anonymity and privacy from role interchangeability. Next, we show a way of verifying the new property. We show that role interchangeability in a multiagent system is characterized by the existence of role-interchange functions on the set of traces corresponding to the system. In addition, a simulation proof method is presented to prove the existence of the functions for a protocol described as an automaton. Finally, as a case study, we apply our method to the formal verification of the FOO electronic voting protocol.

On Backward-Style Anonymity Verification

Many Internet services and protocols should guarantee anonymity; for example, an electronic voting system should guarantee to prevent the disclosure of who voted for which candidate. To prove trace anonymity, which is an extension of the formulation of anonymity by Schneider and Sidiropoulos, this paper presents an inductive method based on backward anonymous simulations. We show that the existence of an image-finite backward anonymous simulation implies trace anonymity. We also demonstrate the anonymity verification of an e-voting protocol (the FOO protocol) with our backward anonymous simulation technique. When proving the trace anonymity, this paper employs a computer-assisted verification tool based on a theorem prover.

Computational Soundness of Symbolic Blind Signatures under Active Attacker

Blind signature schemes enable users to obtain signatures on texts without revealing the texts to signers. They are often used to provide anonymity in protocols such as electronic cash and voting protocols. To confirm the security of such a voting scheme, Kremer and Ryan employ a symbolic model for protocols that use blind signatures. However, the soundness of this model with respect to the computational model in which security of blind signatures is defined is yet to be explored. In this paper, we discuss certain difficulties involved in establishing the computational soundness of their symbolic model, propose an alternative symbolic model, and show its computational soundness.

Computationally Sound Formalization of Rerandomizable RCCA Secure Encryption

Rerandomizing ciphertexts plays an important role in protecting privacy in security protocols such as mixnets. We investigate the relationship between formal and computational approaches to the analysis of the security protocols using a rerandomizable encryption scheme. We introduce a new method of dealing with composed randomnesses in an Abadi-Rogaway-style pattern, formalize a rerandomizable RCCA secure encryption scheme, and prove its computational soundness.

An Adversary Model for Simulation-Based Anonymity Proof

The use of a formal method is a promising approach to developing reliable computer programs. This paper presents a formal method for anonymity, which is an important security property of communication protocols with regard to a users identity. When verifying the anonymity of security protocols, we need to consider the presence of adversaries. To formalize stronger adversaries, we introduce an adversary model for simulation-based anonymity proof. This paper also demonstrates the formal verification of a communication protocol. We employ Crowds, which is an implementation of an anonymous router, and verify its anonymity. After describing Crowds in a formal specification language, we prove its anonymity with a theorem prover.

A Formal Approach to Designing Anonymous Software

Many Internet services and protocols should guarantee anonymity; for example, an electronic voting system should guarantee to prevent the disclosure of who voted for which candidate. However, a methodology for designing software that preserves anonymity has not yet been established. In the field of software engineering, it is well known that software correctness can be verified with a formal method. Following the formal method approach, this paper introduces an anonymity proof technique. By finding a condition called an anonymous simulation, we prove the anonymity of communication software. Our approach can deal with both eavesdroppers and stronger adversaries. This paper also demonstrates a formal verification of communication software. We employ Crowds, which is an implementation of an anonymous router, and verify the anonymity. After describing Crowds in a formal specification language, we prove its anonymity with a theorem proven In this verification, we employ a formal verification tool called IOA-Toolkit.

Trust Trust Me (The Additivity)

We present a mathematical formulation of a trust metric using a quality and quantity pair. Under a certain assumption, we regard trust as an additive value and define the soundness of a trust computation as not to exceed the total sum. Moreover, we point out the importance of not only soundness of each computed trust but also the stability of the trust computation procedure against changes in trust value assignment. In this setting, we define trust composition operators. We also propose a trust computation protocol and prove its soundness and stability using the operators.

On compositional reasoning about anonymity and privacy in epistemic logic

In this paper, we exploit epistemic logic (or the modal logic of knowledge) for multiagent systems to discuss the compositionality of several privacy-related information-hiding/disclosure properties. The properties considered here are anonymity, privacy, onymity, and identity. Our initial observation reveals that anonymity/privacy properties are not necessarily sequentially compositional. This means that even though a system comprising several sequential phases satisfies a certain unlinkability property in each phase, the entire system does not always enjoy a desired unlinkability property. We show that the compositionality can be guaranteed provided that the phases of the system satisfy what we call independence assumptions. More specifically, we develop a series of theoretical case studies of what assumptions are sufficient to guarantee the sequential compositionality of various degrees of anonymity, privacy, onymity, and/or identity properties. Similar results for parallel composition are also discussed. Further, we use the probabilistic extension of epistemic logic to consider the compositionality of probabilistic anonymity/privacy. We show that the compositionality can also be guaranteed in the probabilistic setting, provided that the phases of the system satisfy a probabilistic independence assumption.

A Role-Based Specification of the SET Payment Transaction Protocol

In this paper, we define a language for specifying security protocols concisely and unambiguously. We use this language to formally specify the protocol for payment transactions in Secure Electronic Transaction (SET), which has been developed by Visa and MasterCard.