Convexity in information hiding Konstantinos Chatzikokolakis Oxford Computing Lab and LIX ´ Ecole Polytechnique kostas@lix.polytechnique.fr Catuscia Palamidessi INRIA and LIX ´ Ecole Polytechnique catuscia@lix.polytechnique.fr Prakash Panangaden School of Computer Science, McGill University prakash@cs.mcgill.ca Abstract Convexity is an essential element of many results in the analysis of randomized information-hiding protocols using techniques from information theory and hypothesis testing. In this paper we provide various such results: we give a characterization of strong anonymity for the Dining Cryp- tographers protocol with biased coins. We also provide a constructive characterization of a convex base of the prob- ability of error, which allows us to compute its maximum value (over all input distributions), and to identify upper bounds for it in terms of simple functions. Finally, we es- tablish a monotonicity principle that enables high-level rea- soning about capacity, leading to a significant extension of algebraic information theory, intuitive graphical methods and new inequalities for comparing binary channels. 1 Introduction Information-hiding protocols try to hide the relation be- tween certain facts, that we wish to maintain hidden, and the observable consequences of these facts. Example of such protocols are anonymity protocols like Crowds [21] and Onion Routing [25]. Often these protocols use random- ization to obfuscate the link between the information that we wish to keep hidden and the observed events. Crowds, for instance, tries to conceal the identity of the originator of a message by forwarding the message randomly until its destination, so that if an attacker intercepts the message, it cannot be sure whether the sender is the originator or just a forwarder. In many cases, protocols like the ones above can be re- garded as information-theoretic channels, where the inputs are the facts to keep hidden, the outputs are the observables, and the matrix represents the correlation between the facts and the observed events, in terms of conditional probabil- ities. In this case, the capacity of the channel provides a measure of the security guarantees of the protocol. Capa- city 0 means that no information about the input (hidden facts) can be deduced by observing the output (observable events). In the opposite case of maximum capacity, the in- put can be completely determined by looking at the output. An adversary can try to infer the facts from the observed events using the Bayesian method, which is based on the principle of assuming an a priori probability distribution on the hidden facts (hypotheses), and deriving from that (and from the matrix) the a posteriori distribution after a cer- tain event has been observed. It is well known that the best strategy for the adversary is to apply the MAP (Maximum Aposteriori Probability) criterion, which, as the name says, dictates that one should choose the hypothesis with the max- imum a posteriori probability given the observation. “Best” means that this strategy induces the smallest probability of guessing the wrong hypothesis. The probability of error, in this case, is also called Bayes risk. When dealing with quantities such as capacity or proba- bility of error, one quickly realizes that, despite the intuitive definitions, these quantities are difficult to manipulate and reason about. Indeed, capacity is naturally defined in terms of maximum mutual information, yet no analytical formula that gives the capacity of a discrete channel exists in the general case. It can be only computed approximately using numerical algorithms such as the Arimoto-Blahut algorithm ([9]). And even in simple cases where an analytical formula does exist, for example in the case of binary channels hav- ing only two inputs and outputs, it is too complicated to be of practical use. The probability of error has an analytical formula, but it is still complicated enough to handle in a direct way. For example, in many problems we need to be able to predict how a channel will perform, but find that its noise matrix varies with several parameters that depend on ran- dom aspects of the environment which arise during the 1