This thesis addresses the foundational aspects of formal methods for applications in security and in particular in anonymity. More concretely, we develop frameworks for the specification of anonymity properties and propose algorithms for their verification. Since in practice anonymity protocols always leak some information, we focus on quantitative properties, which capture the amount of information leaked by a protocol. The main contribution of this thesis is cpCTL, the first temporal logic that allows for the specification and verification of conditional probabilities (which are the key ingredient of most anonymity properties). In addition, we have considered several prominent definitions of information-leakage and developed the first algorithms allowing us to compute (and even approximate) the information leakage of anonymity protocols according to these definitions. We have also studied a well-known problem in the specification and analysis of distributed anonymity protocols, namely full-information scheduling. To overcome this problem, we have proposed an alternative notion of scheduling and adjusted accordingly several anonymity properties from the literature. Our last major contribution is a debugging technique that helps on the detection of flaws in security protocols.
and verify quantitative anonymity properties over complex systems where probabilistic and nondeterministic behavior may coexist.
We then turn our attention to more practical grounds: the constructions of algorithms to compute information leakage. More precisely, in Chapter 3 we present polynomial algorithms to compute the (information-theoretic) leakage of several kinds of fully probabilistic protocols (i.e. protocols without nondeterministic behavior). The techniques presented in this chapter are the first ones enabling the computation of (information-theoretic) leakage in interactive protocols.
In Chapter 4 we attack a well known problem in distributed anonymity protocols, namely full-information scheduling. To overcome this problem, we propose an alternative definition of schedulers together with several new definitions of anonymity (varying according to the attacker’s power), and revise the famous definition of strong-anonymity from the literature. Furthermore, we provide a technique to verify that a distributed protocol satisfies some of the proposed definitions.
In Chapter 5 we provide (counterexample-based) techniques to debug complex systems, allowing for the detection of flaws in security protocols. Finally, in Chapter 6 we briefly discuss extensions to the frameworks and techniques proposed in Chapters 3 and 4. This thesis would not have been possible without the continuous support of many people to whom I will always be grateful.
I am heartily thankful to my supervisor Bart Jacobs. He has closely followed the evolution of my PhD and made sure I always had all the resources a PhD student could possibly need.
I owe my deepest gratitude to my co-supervisor, Peter van Rossum. Four years have passed since he decided to take the risk to hire me, an Argentinian guy that he barely knew. I was really lucky to have Peter as my supervisor; he has always been very supportive, flexible, and extremely easygoing with me. I will never forget the football World Cup of 2006 (not that Argentina did very well); back then I was invited to spend one week in Nijmegen for an official job interview. But before I had the time to stress too much about formal talks and difficult questions, I found myself sharing a beer with Peter while watching Argentina vs the Netherlands (fortunately Argentina did not win -I still wonder what would have happened otherwise). This was just the first of many nice moments we shared together, including dinners, conversations, and trips. In addition to having fun, we have worked hard together -indeed we completed one of the most important proofs of this thesis at midnight after a long working day at Peter’s house (and also after Mariëlle finally managed to get little Quinten to sleep ⌣).
I cannot allow myself to continue this letter without mentioning Catuscia Palamidessi. Much has changed in my life since I first met her in June 2007. Catuscia came then to visit our group in Nijmegen and we discovered that we had many research interests in common. Soon after, Catuscia invited me to visit her group in Paris and this turned out to be the beginning of a very fruitful collaboration. Since then we have spent countless days (and especially nights) working very hard together, writing many articles, and attending many conferences -including some in amazing places like Australia, Barbados, and Cyprus. Catuscia is not only an exceptionally bright and passionate scientist, but she is also one of the most thoughtful people I have ever met (placing the interests of her colleagues and PhD students above her own), a wonderful person to work with (turning every work meeting into a relaxed intellectual discussion, enhanced with the finest caffè italiano), and, above all, an unconditional friend. For these reasons and many more (whose enumeration would require a second volume for this thesis), I am forever indebted to Catuscia.
This work has also greatly benefited from the insightful remarks and suggestions of the members of the reading committee Joost-Pieter Katoen, Pedro D’Argenio, and Frits Vaandrager, whom I wish to thank heartily. To Pedro I am also grateful for his sustained guidance and support in my life as a researcher. Many results in this thesis are a product of joint work, and apart from Peter and Catuscia, I am grateful to my co-authors Mário S. Alvim, Pedro R. D’Argenio, Geoffrey Smith and Ana Sokolova, all of whom shared their expertise with me. I am also thankful to Jasper Berendsen, Domingo Gómez, David Jansen, Mariëlle Stoelinga, Tingting Han, Sergio Giro, Jérémy Dubreil, and Konstantinos Chatizikokolakis for many fruitful discussions during my time as a PhD student. Also many thanks to Anne-Lise Laurain for her constant (emotional and technical) support during the writing of my thesis, Alexandra Silva for her insightful comments on the introduction of this work, and Marieke Meijer for devoting her artistic talent to the design of the cover of this thesis.
Special thanks to my paranymp
This content is AI-processed based on open access ArXiv data.
