This paper provides a formal framework for the analysis of information hiding properties of anonymous communication protocols in terms of epistemic logic. The key ingredient is our notion of observational equivalence, which is based on the cryptographic structure of messages and relations between otherwise random looking messages. Two runs are considered observationally equivalent if a spy cannot discover any meaningful distinction between them. We illustrate our approach by proving sender anonymity and unlinkability for two anonymizing protocols, Onion Routing and Crowds. Moreover, we consider a version of Onion Routing in which we inject a subtle error and show how our framework is capable of capturing this flaw.
|Number of pages||10|
|Publication status||Published - 2005|
|Event||2005 ACM workshop on Formal methods in security engineering - Fairfax, VA, USA|
Duration: 1 Jan 2005 → 1 Jan 2005
|Workshop||2005 ACM workshop on Formal methods in security engineering|
|Period||1/01/05 → 1/01/05|