1 Introduction

In the area of quantitative information flow (qif) analysis, we concern ourselves with measuring or deriving the amount of information leaking from systems. A popular model of systems in qif is that of channel matrices which contain precise descriptions of the probabilities of observing certain public outputs given certain secret inputs.

We refer to the survey by Smith [27] for further motivation of this general direction in qif research. Compared to the literature, we use a slightly different definition of channels to prepare for the various composition operators later. Our change is similar to a move from opaque states as they are common in automata theory on the one hand to program states as mappings from variable names to values as they are common in treatments of program semantics on the other hand.

In Sect. 2 we define our model including the new operator \(\bowtie \) and argue that it is a reasonable choice for a composition operator. We do so by showing firstly that \(\bowtie \) offers a new and arguably elegant decomposition of the well-known dining cryptographers example. This decomposition uses simple laws from a channel algebra for equality between channels. In Sect. 3 a more interesting algebra emerges when replacing equality by composition refinement, a leakage-reducing notion of refinement on channels. We prove that \(\bowtie \) again enjoys interesting properties. We show in Sect. 4 that \(\bowtie \) subsumes various existing composition operators and that its algebraic laws specialise to laws for the existing operators.

2 Mix Composition

Notation. We write \(\mathbb {B}=\{\mathtt {0},\mathtt {1}\}\) for the Booleans. By [0, 1] we denote the closed real interval between 0 and 1. For \(a,b\in \mathbb {N}\) we define . We write \({f}\downarrow _{S}\) for the domain restriction \(\lambda s:S. f(s)\) of function f by set S. Our channels map named inputs to named outputs. These names correspond to wires in circuits and variables in programs. Each name is associated with a domain of possible values. To compose channels we require the names of their wires/variables so we know which of their inputs and outputs hook up. Formally, if \(S_k\) is a set for each \(k\in K\), we write \(\bigotimes _{k\in K}S_k\) for the set of functions \(f:K\longrightarrow \bigcup _{k\in K}S_k\) satisfying \(f(k) \in S_k\) for all \(k\in K\). All our logarithms are base 2. Binary operators that are commutative and associative such as our forthcoming composition operator are implicitly lifted to indexed families of arguments, just as \(+\) is lifted to \(\sum \), only that we don’t use a separate symbol.

Channels. Not surprisingly, functions in \(\bigotimes _{k\in K}S_k\) resemble states in program semantics. Programs or system components transform states to states according to their function. In qif research, programs and systems are commonly called channels and they map (secret) input states to distributions of (observable) output states.

We assume that secret inputs have some prior distribution which is known to observers. A channel can then be understood as mapping each prior to a posterior distribution on the outputs, which in turn can be understood as a distribution of distributions of inputs. We also assume that the channel itself is known to observers. We define channels formally.

Definition 1

(Channel). Let \(\mathcal {V}\) be a set we call variables. Let \(\mathcal {X}=(X_w)_{w\in \mathcal {V}}\) be a family of nonvoid finite sets, the domains of variables. Given a set V of variables, we denote their joint domain \(\bigotimes _{v\in V}X_v\) by \(\text {d}(V)\).

A \((\mathcal {V},\mathcal {X})\)-channel (IOc) (from inputs named I to outputs named O ) consists of a finite set \(I\subseteq \mathcal {V}\) of input variables, a finite set \(O\subseteq \mathcal {V}\) of output variables, and a channel matrix \(c\in [0,1]^{\text {d}(I)\times \text {d}(O)}\) such that each row adds up to one, that is: \(\forall x\in \text {d}(I)\left( \sum _{y\in \text {d}(O)}c_{x,y} = 1\right) \).

Denote the set of \((\mathcal {V},\mathcal {X})\)-channels from inputs named I to outputs named O by \(\mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\). A channel is called deterministic when its matrix contains only zeros and ones.

Note that I and O need not be disjoint. We often identify channels with their channel matrices, assuming that the input and output names are understood. Next we define a small set of basic channels that will be useful in later examples and algebraic laws. Write \(\mathbb {O}_{I,O}\) for the unit channel in \(\mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\) that maps inputs named I to outputs named O in a uniform manner, i.e., \((\mathbb {O}_{I,O})_{x,y} = \frac{1}{|\text {d}(O)|}\) for all \(x\in \text {d}(I)\) and \(y\in \text {d}(O)\). A special case are the unit channels where \(O = \emptyset \). They have no designated output variables. Hence their channel matrices are column vectors full of ones. These are the only unit channels that are deterministic. Let \(\mathbb {I}_{V}\) denote the identity channel in \(\mathcal {C}_{\mathcal {V},\mathcal {X}}(V,V)\) with the matrix given by \((\mathbb {I}_{V})_{x,y} = \delta _{x,y}\) where \(\delta \) is the Kronecker delta. Identity channels are deterministic. Renaming channels are a generalisation of identity channels. Firstly, as the name suggests, renaming channels can rename the variables. Secondly, they allow a widening of the output variables’ domains. More formally, if \(I,O\subseteq \mathcal {V}\) and \(f:\text {d}(I)\longrightarrow \text {d}(O)\) is injective, we define the renaming channel (from I to O using f) \(\text {R}^{f}_{I,O}\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\) by \((\text {R}^{f}_{I,O})_{x,y} = \delta _{f(x),y}\). We omit the injection if it is the identity function. We write \(\text {R}^{f}_{i,o}\) for \(\text {R}^{f}_{\{i\},\{o\}}\). We write injections f as expressions in the variables.

Example 2

Let \(\mathcal {V}=\{i,o\}\) and \(X_i = X_o = \mathbb {B}\). A 1-bit copying channel from i to o would be written as \(\text {R}^{}_{i,o}\). Its channel matrix is the identity matrix . Next consider a channel \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(\{i\},\{o\})\) given by the matrix . For instance, the probability of observing output \(o=\mathtt {1}\) of channel A when the secret input is .

Consider the distribution on the Booleans. Multiplying prior \(\pi \) as a row vector with A’s channel matrix yields the posterior distribution which means that with \(\pi \) as prior we expect to observe the output \(o=\mathtt {1}\) with probability . Multiplying each cell of A’s matrix with the prior probability of its row according to \(\pi \) yields the joint matrix , i.e., a distribution on input/output pairs. Normalising the columns results in . Its column labelled \(y=\{o\mapsto b\}\) for \(b\in \mathbb {B}\) can now be read as a distribution on the secret input, given the output is y. For instance, if \(y(o) = \mathtt {1}\), the input must have been \(\{i\mapsto \mathtt {0}\}\) with probability .

Next we define our new composition operator.

Definition 3

(Mix-composition). Let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\) and \(B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(J,P)\). We call them \(\bowtie \)-compatible if, for all \(x\in \text {d}(I\cup J)\) there exists a \(y\in \text {d}(O\cup P)\) such that both \(A_{{x}\downarrow _{I},{y}\downarrow _{O}}\) and \(B_{{x}\downarrow _{J},{y}\downarrow _{P}}\) are positive. If A and B are \(\bowtie \)-compatible we define their mix-composition as the channel \(A\bowtie B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I\cup J,O\cup P)\) by

$$\begin{aligned} (A\bowtie B)_{x,y} = \frac{A_{{x}\downarrow _{I},{y}\downarrow _{O}} B_{{x}\downarrow _{J},{y}\downarrow _{P}}}{\sum _{z\in \text {d}(O\cup P)}A_{{x}\downarrow _{I},{z}\downarrow _{O}} B_{{x}\downarrow _{J},{z}\downarrow _{P}}}\text {,} \end{aligned}$$

for all \(x\in \text {d}(I\cup J)\) and \(y\in \text {d}(O\cup P)\).

Note that our mix composition unifies

  • inputs of the same name to model components sharing input variables and

  • outputs with the same name to model that two components collude on such outputs. The components implicitly rule out contradicting observations with \(\bowtie \)-compatibility ensuring that there is at least one consistent observation per secret input.

In the remainder we typically assume \(\bowtie \)-compatibility for our results.

Example 4

Let \(X_i=X_o=\mathbb {B}\). Consider the two 1-bit channels \(A=\text {R}^{}_{i,o}\) and \(B=\text {R}^{(o=\lnot i)}_{i,o}\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(\{i\},\{o\})\). (The expression \((o=\lnot i)\) is shorthand for the injection \(\lambda b:\text {d}(\{i\}).\{o\mapsto \lnot b(i)\}\).) Their channel matrices are and , respectively. But their attempted \(\bowtie \) composition matrix indicates that they are not \(\bowtie \)-compatible. Intuitively A and B attempt to collude on outputs but fail to agree.

We collect some sanity checks in our

Proposition 5

When channels are \(\bowtie \)-compatible

  1. mix composition is well-defined, commutative, and associative;

  2. mix composition of deterministic channels is again deterministic;

  3. mix composition is idempotent when restricted to deterministic channels.

Example 6

To see that mix composition is not necessarily idempotent on arbitrary channels, recall channel A from Example 2. We compute the channel matrix of \(A\bowtie A\) as the top row of which is clearly different from A’s. The same example demonstrates that in general row normalisation is required. Without it, the “channel” matrix of \(A\bowtie A\) would have been with row sum for the top row.

An exact version of Proposition 5.3 is

Proposition 7

Let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\). Mix composition is idempotent on A iff each row of A has a unique non-zero value:

Iterated self-composition of channels has limits that are non-trivial when the condition for idempotence is not met. Roughly speaking, self-composition is a form of amplification resembling established results in complexity theory such as the amplification lemma for BPP. In the limit, only the maximal values in each row survive—everything else becomes zero.

Proposition 8

Let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\). Define \(A^{(k)} = \mathop {\bowtie }_{i=1}^k A\) for all \(k\in \mathbb {N}\). The limit \(\lim _{k\rightarrow \infty }A^{(k)}\) exists and is given by the channel matrix with cells

In many practical cases, row normalisation is not required when computing mix compositions.

Proposition 9

If A and B are deterministic and \(\bowtie \)-compatible, or if their output names are disjoint, then row normalisation is not required, that is, \((A\bowtie B)_{x,y} = A_{{x}\downarrow _{I},{y}\downarrow _{O}}\cdot B_{{x}\downarrow _{J},{y}\downarrow _{P}}\), for all \(x\in \text {d}(I\cup J)\) and \(y\in \text {d}(O\cup P)\).

A simple distributivity result holds whenever a particular channel in the composition is deterministic.

Proposition 10

Let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\) be deterministic. Let \(B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(J,P)\) and \(C\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(K,Q)\). Then \(A\bowtie (B\bowtie C) = (A\bowtie B)\bowtie (A\bowtie C)\).

Example 11

To see that determinism of A is required in general for the distributivity result to hold, recall once again channel A from Example 2. In Example 6 we showed that \(A\ne A\bowtie A\). Next we note that \(A\bowtie \mathbb {O}_{\{i\},\emptyset } = A\) and that \(\mathbb {O}_{\{i\},\emptyset }\bowtie \mathbb {O}_{\{i\},\emptyset } = \mathbb {O}_{\{i\},\emptyset }\). Clearly, \(A\bowtie (\mathbb {O}_{\{i\},\emptyset }\bowtie \mathbb {O}_{\{i\},\emptyset }) = A \ne A\bowtie A = (A\bowtie \mathbb {O}_{\{i\},\emptyset })\bowtie (A\bowtie \mathbb {O}_{\{i\},\emptyset })\).

Proposition 12

\(\mathbb {I}_{I}\bowtie \mathbb {I}_{J} = \mathbb {I}_{I\cup J}\)

The other fundamental channel composition operator is sequential, or cascading, composition.

Definition 13

For \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,M)\) with channel matrix c and \(B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(M,O)\) with channel matrix d we define their sequential composition \(A;B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\) by the channel matrix cd.

2.1 Example: Dining Cryptographers

Chaum [7] introduced the dining cryptographers problem and offered a protocol as solution which has been studied to the extent that adding to the existing body of analyses induces a considerable amount of guilt. Here we investigate a slight variation of the problem insofar as we study the effect of collusion among the n cryptographers.

Let us write \(\otimes \) for exclusive-or, \(\oplus \) and \(\ominus \) for addition, resp., subtraction modulo n.

A gaggle of n cryptographers named \(0..n-1\) sit around a dinner table in clockwise order. When it’s time to pay, the waiter informs them that the bill has already been paid. Either exactly one of the cryptographers paid for the dinner or the NSA did. The problem is to figure out whether the NSA paid or not, without compromising the anonymity of the paying cryptographer if the NSA didn’t.

Chaum’s protocol solves the problem as follows. Each cryptographer m secretly flips a coin. The outcome \(c_m\) is then shared only with the cryptographer \(m \oplus 1\) immediately to their left. Each cryptographer m then announces the exclusive-or of three Boolean values: the two known coin values, \(c_m\) and \(c_{m\ominus 1}\), and whether m paid. The exclusive-or of all announcements is true if one of the cryptographers paid and false if the NSA paid.

We begin by describing some of the variables and their domains. The coins named \(c_0, \ldots , c_{n-1}\in \mathcal {V}\) have Boolean domains, that is, \(X_{c_m}=\mathbb {B}\) for \(m\in 0..n-1\). Who paid, named \(p\in \mathcal {V}\), ranges over \(X_p = 0..n\), where the value n denotes that the NSA paid. The announcements, named \(a_0, \ldots , a_{n-1}\in \mathcal {V}\) also have Boolean domains. We model each cryptographer m as a channel \(C^{(m)}\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(\{p, c_{m\ominus 1}, c_m\},\{a_m\})\) with the channel matrix given by

This matrix has \(2^2(n+1)\) rows and two columns. We note that \(C^{(m)}\) is deterministic. The view of an outside observer is

(See Fig. 1.) Its channel matrix has \(2^n(n+1)\) rows and \(2^n\) columns and, as a mix composition of deterministic channels, is deterministic.

Fig. 1. Dining cryptographers as mix composition.

Cryptographer i observes not only \(\text {DC}_{n}\) but also the two coins \(c_i\) and \(c_{i\ominus 1}\). In other words, cryptographer i’s view of the situation is \(C_i = \text {DC}_{n}\bowtie \mathbb {I}_{\{c_i,c_{i\ominus 1}\}}\). (Technically, i also observes whether \(p=i\) but that’s already captured by the exclusive-or of its own three outputs, \(a_i\), \(c_i\), and \(c_{i\ominus 1}\). An output that is a function of other outputs can be safely omitted.)

Fig. 2. Two colluding cryptographers i and k can eliminate one contiguous section, (a) or (b), as potential payers.

When considering two colluding cryptographers who pool their knowledge, we expect them to be able to divide the remaining cryptographers into two groups: (a) those to the right of i and to the left of k and (b) those to the left of i and to the right of k. (See Fig. 2.) The interesting result is that, in case one of the remaining cryptographers paid, the colluding cryptographers acquire (distributed) knowledge to which of the groups, (a) or (b), the payer belongs, thereby eliminating all members of the other group from the possible payers. If one of the two groups is empty then it cannot contain the payer, meaning that i and k learn less.

As a channel, i and k together have the view \(C_i\bowtie C_k\). Note that if i and k are adjacent (and \(n>2\)) then they observe three coins—otherwise they observe four coins. Intuitively, this already implies that the information leaked in the former situation is less than that leaked in the latter. Using Proposition 5 we simplify as follows.

3 Channel Refinement with Mix Composition

We briefly recall the relevant definitions of leakage-related notions. Details and pointers to their origin can again be found e.g. in [27]. The (multiplicative) min-capacity of a channel \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\), denoted \(\mathcal {ML}(A)\), is the maximum min-entropy leakage of A over all priors \(\pi \): \(\sup _\pi \log (\frac{V[\pi ,A]}{V[\pi ]})\). As proved by Braun et al. [6], the min-capacity of A can be computed as the logarithm of the sum of the column maximums of A, and it is always realised on a uniform prior \(\pi \), so we have \(\mathcal {ML}(A) = \log \sum _{y\in \text {d}(O)}\max _{x\in \text {d}(I)}A_{x,y}\).

Example 14

(Dining Cryptographers cont’d). Returning to the example in Sect. 2.1, we compute the min-capacities of various channels in case the number of cryptographers is \(n=4\).

Each individual cryptographer’s channel has the same \(\mathcal {ML}(C^{(m)}) \simeq 1.0\) because the channel is deterministic and has two columns. As a deterministic channel with \(2^4\) non-zero columns, the channel \(\text {DC}_{4}\) has the min-capacity 4.0. Once we add, say, cryptographer 1’s observation we obtain \(\mathcal {ML}(\text {DC}_{4} \bowtie \mathbb {I}_{\{c_0,c_1\}}) \simeq 5.58\). Adding a second adjacent cryptographer’s observation (as on the left of Fig. 3), say cryptographer 2’s, the min-capacity goes up to \(\mathcal {ML}(\text {DC}_{4} \bowtie \mathbb {I}_{\{c_0,c_1,c_2\}}) = 6.0\) whereas with a second cryptographer sitting opposite (as on the right of Fig. 3) \(\mathcal {ML}(\text {DC}_{4} \bowtie \mathbb {I}_{\{c_0,c_1,c_2,c_3\}})\) goes up to approx. 6.32.

A more general notion of the leakage of channels is that of g-leakage [2]. We recall the relevant definitions here, adapted to our channels.

Definition 15

Given a non-void set \(\mathcal {W}\) of guesses and a finite set of inputs I, a gain function is a function \(g:\mathcal {W}\times \text {d}(I)\longrightarrow [0,1]\). The value g(w, x) represents the gain of the attacker when the secret value is x and he makes a guess w on x. Given a gain function g and a prior \(\pi \) on \(\text {d}(I)\), the prior g-vulnerability is \(V_g (\pi ) = \max _{w\in \mathcal {W}}\sum _{x\in \text {d}(I)}\pi (x)g(w,x)\). Given \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\), the posterior g-vulnerability is \(V_g (\pi ,A) = \sum _{y\in \text {d}(O)}\max _{w\in \mathcal {W}}\sum _{x\in \text {d}(I)}\pi (x)A_{x,y}g(w,x)\). The prior and posterior g-entropy is \(H_g(\pi ) = -\log V_g (\pi )\), resp., \(H_g(\pi ,A) = -\log V_g (\pi ,A)\). The g-leakage is their difference \(\mathcal {L}_{g}(\pi ,A) = H_g(\pi ) - H_g(\pi ,A)\).

Fig. 3. Different seating arrangements of otherwise equal cryptographers result in different leakage from the collusion.

Example 16

(Dining Cryptographers cont’d). Continuing on from Example 14, we compute the g-leakage of various channels. An adversary curious about who paid observes just cryptographer m. We assume a uniform prior, guesses \(\mathcal {W}=0..n\), and a gain function given by \(g (w,x) = \delta _{w,x(p)}\): the adversary gains 1 iff she guesses the payer exactly. That observing just one cryptographer is futile is indicated by \(\mathcal {L}_{g}(\pi ,C^{(m)}) = 0\). This remains unchanged if the model is modified such that the adversary only guesses whether the NSA paid or not, using \(\mathcal {W}=\mathbb {B}\) and \(g_\mathbb {B}(w,x) = \delta _{w,x(p)=n}\). With that goal the adversary is better off observing all n cryptographers. Assuming again a uniform prior we obtain and \(V_{g_\mathbb {B}}(\pi ,\text {DC}_{n}) = 1\) which results in . Returning to the task of guessing who paid, but removing the gain in case it was the NSA, we consider \(\mathcal {W}=0..n-1\) and calculate again that this is futile: \(\mathcal {L}_{g}(\pi ,\text {DC}_{n}) = 0\). This remains unchanged when we also remove the gain for cryptographer m and study what leaks to m about who paid (other than him and the NSA): with \(\mathcal {W}=0..n-1\setminus \{m\}\) we have \(\mathcal {L}_{g}(\pi ,C_m) = 0\). Even if two adjacently seated cryptographers collude (as on the left of Fig. 3), we still have \(\mathcal {L}_{g}(\pi ,C_m\bowtie C_{m\oplus 1}) = 0\) if \(n>3\) and both are removed from the guesses. If, however, they are separated on both sides by at least one cryptographer (as on the right of Fig. 3) then we find that \(\mathcal {L}_{g}(\pi ,C_m\bowtie C_{m\oplus 2}) > 0\).
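The following is an added, runnable model of Definition 3, the dining cryptographers of Sect. 2.1, the min-capacities of Example 14 and the g-leakage values of Example 16; it is example code written for this page, not the authors' own channel library mentioned in Sect. 6. It assumes n = 4, the variable names p, c_m, a_m, i, o from the text, and a constructed noisy 1-bit channel in place of Example 2's A, whose matrix is not reproduced on the page.

```python
# Named-variable channels, mix composition (Definition 3), min-capacity and g-leakage (Sect. 3).
from collections import namedtuple
from fractions import Fraction
from itertools import product
from math import log2

N = 4  # number of cryptographers (Examples 14 and 16)
# Domains X, constructed for the examples: p in 0..n with n meaning "the NSA paid"; the coins,
# the announcements and the 1-bit wires i, o of Example 4 are Boolean.
DOM = {"p": range(N + 1), "i": (0, 1), "o": (0, 1),
       **{f"c{m}": (0, 1) for m in range(N)}, **{f"a{m}": (0, 1) for m in range(N)}}
Channel = namedtuple("Channel", "I O m")  # input names, output names, matrix {(x, y): probability}

def states(V):  # d(V): every assignment of the variables in V, as a hashable frozenset of pairs
    V = sorted(V)
    return [frozenset(zip(V, vals)) for vals in product(*(DOM[v] for v in V))]

def restrict(x, V):  # the paper's x|_V
    return frozenset((v, a) for v, a in x if v in V)

def channel(I, O, matrix):  # Definition 1: every row must be a distribution
    I, O = frozenset(I), frozenset(O)
    assert all(sum(matrix[x, y] for y in states(O)) == 1 for x in states(I))
    return Channel(I, O, matrix)

def from_cell(I, O, cell):  # build the matrix from a function cell(x, y) on states given as dicts
    return channel(I, O, {(x, y): Fraction(cell(dict(x), dict(y))) for x in states(I) for y in states(O)})

def renaming(I, O, f):  # R^f_{I,O}: deterministic, output f(x); f maps an input dict to an output dict
    return from_cell(I, O, lambda x, y: f(x) == y)

def mix(A, B):
    """A ⋈ B: multiply the cells that agree on the shared names, then renormalise each row.
    Raises ValueError when A and B are not ⋈-compatible (some row would sum to zero)."""
    I, O = A.I | B.I, A.O | B.O
    ys, m = states(O), {}
    for x in states(I):
        xa, xb = restrict(x, A.I), restrict(x, B.I)
        row = {y: A.m[xa, restrict(y, A.O)] * B.m[xb, restrict(y, B.O)] for y in ys}
        total = sum(row.values())
        if total == 0:
            raise ValueError(f"not mix-compatible at input {dict(x)}")
        m.update({(x, y): p / total for y, p in row.items()})
    return channel(I, O, m)

def min_capacity(A):  # ML(A) = log2 of the sum of the column maxima (Braun et al., as quoted in Sect. 3)
    xs = states(A.I)
    return log2(float(sum(max(A.m[x, y] for x in xs) for y in states(A.O))))

def g_leakage(A, W, g):
    """(L_g(pi, A), V_g(pi), V_g(pi, A)) for the uniform prior pi on d(I) and gain g(w, x) on dict states."""
    xs = states(A.I)
    pi = Fraction(1, len(xs))
    prior = max(sum(pi * g(w, dict(x)) for x in xs) for w in W)
    post = sum(max(sum(pi * A.m[x, y] * g(w, dict(x)) for x in xs) for w in W) for y in states(A.O))
    return log2(float(post / prior)), prior, post

def cryptographer(m):  # C^(m): announces c_m xor c_{m-1} xor [p = m] (Sect. 2.1); deterministic
    prev = f"c{(m - 1) % N}"
    return from_cell({"p", prev, f"c{m}"}, {f"a{m}"},
                     lambda x, y: y[f"a{m}"] == x[f"c{m}"] ^ x[prev] ^ (x["p"] == m))

def dc():  # DC_n = mix of all n cryptographers: the outside observer's view
    ch = cryptographer(0)
    for m in range(1, N):
        ch = mix(ch, cryptographer(m))
    return ch

def view(*coins):  # DC_n ⋈ I_{coins}: what insiders who also see the named coins observe
    C = {f"c{m}" for m in coins}
    return mix(dc(), renaming(C, C, lambda x: x))

def examples():
    """The quantities the paper states, keyed by the example they come from."""
    copy = renaming({"i"}, {"o"}, lambda x: {"o": x["i"]})        # R_{i,o}
    negate = renaming({"i"}, {"o"}, lambda x: {"o": 1 - x["i"]})  # R^{(o = not i)}_{i,o}
    try:
        compatible = mix(copy, negate) is not None
    except ValueError:
        compatible = False
    # A constructed noisy 1-bit channel stands in for Example 2's A, whose matrix is not on the page.
    noisy = from_cell({"i"}, {"o"}, lambda x, y: Fraction(3, 4) if x["i"] == y["o"] else Fraction(1, 4))
    guess_payer = lambda w, x: w == x["p"]      # g(w, x) = delta_{w, x(p)}
    nsa_paid = lambda w, x: w == (x["p"] == N)  # g_B(w, x) = delta_{w, x(p) = n}
    # C_m = DC_n ⋈ I_{c_m, c_{m-1}}; colluders fuse the announcements and the coin they share.
    adjacent, opposite = mix(view(3, 0), view(0, 1)), mix(view(3, 0), view(1, 2))
    return {
        "ex4_compatible": compatible,
        "prop5_det_idempotent": mix(copy, copy) == copy,
        "ex6_top_left": mix(noisy, noisy).m[frozenset({("i", 0)}), frozenset({("o", 0)})],
        "ex14_ML": [min_capacity(c) for c in (cryptographer(0), dc(), view(0, 1), view(0, 1, 2), view(0, 1, 2, 3))],
        "ex16_one_cryptographer": g_leakage(cryptographer(0), range(N + 1), guess_payer)[0],
        "ex16_dc_nsa_vulnerabilities": g_leakage(dc(), (0, 1), nsa_paid)[1:],
        "ex16_adjacent": g_leakage(adjacent, (2, 3), guess_payer)[0],
        "ex16_opposite": g_leakage(opposite, (1, 3), guess_payer)[0],
        "prop5_simplifies_collusion": adjacent == view(3, 0, 1),
    }

if __name__ == "__main__":
    print(examples())
```

With exact fractions the page's equalities come out exactly (min-capacities 1.0, 4.0, 6.0 and zero leakage for a single or two adjacent cryptographers), while the two irrational values land on the quoted approximations 5.58 and 6.32.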

This completes the illustration of the fact that there’s no obvious way to calculate relevant vulnerability measures of \(\bowtie \)-composed systems from the vulnerabilities of their components. We follow McIver et al. [21] in defining a robust leakage order on channels with the same inputs. The order is based on another familiar composition operator, sequential composition.

Definition 17

Let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\) and \(B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,M)\). We say that A refines B (written \(B \sqsubseteq A\)) if there exists a (post-processing) channel \(C\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(M,O)\) such that \(A=B;C\). We write \(A\equiv B\) whenever A and B refine each other.

As shown by McIver et al. [21], \(A\sqsubseteq B\) iff the g-leakage of A is never smaller than that of B, for any prior \(\pi \) and gain function g.

We list some immediate consequences of these definitions.

Proposition 18

Unit channels are the top elements in the refinement order and the neutral elements of mix composition. Identity channels are the bottom elements in the refinement order and weak zeros of mix composition. More formally, let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\). Let \(Q\subseteq \mathcal {V}\) be finite. Let \(J\subseteq I\).

$$\begin{aligned} \mathbb {I}_{I}&\sqsubseteq A\end{aligned}$$
(1)
$$\begin{aligned} A&\sqsubseteq \mathbb {O}_{I,Q}\end{aligned}$$
(2)
$$\begin{aligned} \mathbb {I}_{I}&\equiv \mathbb {I}_{I} \bowtie A\end{aligned}$$
(3)
$$\begin{aligned} \mathbb {O}_{J,Q}\bowtie A&\equiv A \end{aligned}$$
(4)

More interestingly, we have that \(\bowtie \) is monotone w.r.t. composition refinement if no outputs are fused.

Theorem 19

If \(A\sqsubseteq A'\) and \(B\sqsubseteq B'\) and neither A and B nor \(A'\) and \(B'\) share output names, then \(A\bowtie B\sqsubseteq A'\bowtie B'\).

Example 20

To see that \(\bowtie \) is in general not \(\sqsubseteq \)-monotone when output names are shared, recall channel A from Example 2. Let \(B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(\{i\},\{p\}) = A;\text {R}^{}_{o,p}\). Clearly \(A\equiv B\). Let us compare \(A\bowtie A\) to . Both \(\bowtie \) compositions are defined, that is, A is compatible with itself and B. Solving \((A\bowtie A);X = A\bowtie B\) for X yields the unique solution , which is not a channel matrix because . Hence \(A\bowtie A\not \sqsubseteq A\bowtie B\).

The equation \((A\bowtie B);X = A\bowtie A\) is solved by , which is a channel matrix, hence \(A\bowtie B\sqsubseteq A\bowtie A\).

Combining Theorem 19 with Proposition 18 (2) yields

Corollary 21

Let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\) and \(B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(J,P)\). Then

$$\begin{aligned} A\bowtie B\sqsubseteq A\bowtie \mathbb {O}_{J\setminus I,\emptyset }\text {,} \end{aligned}$$

provided \(O\cap P=\emptyset \).

Refining a channel to a mix composition means that the former refines to each of the components of the latter when a little care is taken with extra inputs.

Theorem 22

Let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\), \(B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(J,P)\), and \(C\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(K,Q)\) such that \(I = J\cup K\). Then

$$\begin{aligned} A\sqsubseteq B\bowtie C \Rightarrow A\sqsubseteq B\bowtie \mathbb {O}_{I\setminus J,\emptyset } \wedge A\sqsubseteq C\bowtie \mathbb {O}_{I\setminus K,\emptyset }\text {,} \end{aligned}$$

provided \(P\cap Q=\emptyset \). The converse implication holds if, moreover, A is deterministic.

4 Operator Comparison

In this section we compare mix composition to a number of composition operators studied in the literature. Mix composition generalises the parallel composition operators, \(\Vert \) and \(\times \) defined, e.g., by Kawamoto et al. [16]. We rephrase their definition, adapted to our channels.

Definition 23

Given \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\), \(B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,P)\), and \(C\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(J,P)\) with \(I\cap J = O\cap P = \emptyset \) define the

  • parallel composition with shared inputs \(A\Vert B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O\cup P)\) of A and B by \((A\Vert B)_{x,y} = A_{x,{y}\downarrow _{O}}B_{x,{y}\downarrow _{P}}\), and

  • the parallel composition (with distinct inputs) \(A\times C\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I\cup J,O\cup P)\) of A and C by \((A\times C)_{x,z} = A_{{x}\downarrow _{I},{z}\downarrow _{O}}C_{{x}\downarrow _{J},{z}\downarrow _{P}}\).

From this definition it is obvious that we have

Corollary 24

  • Parallel composition with shared inputs \(\Vert \) is \(\bowtie \) restricted to channels with the same input names and disjoint output names.

  • Parallel composition (with distinct inputs) \(\times \) is \(\bowtie \) restricted to channels with disjoint input names and disjoint output names.

Oftentimes, the operators \(\Vert \) and \(\times \) are sufficient and more convenient to use than \(\bowtie \). Technically, they always are sufficient unless outputs are fused, as we show next.

Proposition 25

If A and B have disjoint output names then

$$\begin{aligned} A\bowtie B = (A\times \mathbb {O}_{J\setminus I,\emptyset }) \Vert (B\times \mathbb {O}_{I\setminus J,\emptyset }). \end{aligned}$$

The results proved for \(\bowtie \) above specialise to the following.

Corollary 26

Let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\), \(B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,P)\), \(C\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,Q)\), \(D\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(J,R)\), \(E\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(K,S)\) such that I, J, K, O, P, Q, and S are pair-wise disjoint.


If A is also deterministic we have:

While mix composition subsumes the two parallel composition operators, \(\Vert \) and \(\times \), there are compositions that cannot be expressed with \(\bowtie \) alone. The obvious example is sequential composition. But those two together are rather powerful.

A first example is the non-standard sequential composition operator defined by Barthe and Köpf [3] called adaptive composition by Espinoza and Smith [10]. It differs from the usual sequential composition in that the second component receives not only the output but also the input of the first as input.

Definition 27

Let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,M)\) and \(B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I\cup M,O)\). Provided \(I\cap M = \emptyset \), define the adaptive composition \(A \triangleright B\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\) by \((A \triangleright B)_{i,o} = \sum _{m\in \text {d}(M)}A_{i,m}B_{i\cup m,o}\), for all \(i\in \text {d}(I)\) and \(o\in \text {d}(O)\).

Another operator mentioned in [10] models repeated independent runs of a channel. To prevent the copies of the channel from colluding we need to disambiguate their output names with distinct tags, e.g., numbers.

Definition 28

Let \(A\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,O)\) and \(n\in \mathbb {N}\) such that \((i,o)\in \mathcal {V}\) and \(X_{(i,o)} = X_o\), for all \(i\in 1..n\) and \(o\in O\).

Define the channel \(A^{(n)}\in \mathcal {C}_{\mathcal {V},\mathcal {X}}(I,1..n\times O)\) of n repeated independent runs of A by \((A^{(n)})_{x,y} = \prod _{i=1}^n A_{x,\lambda o:O.y(i,o)}\), for all \(x\in \text {d}(I)\) and \(y\in \text {d}(1..n\times O)\).

Adaptive composition can be expressed using “;”, “\(\Vert \)” and identity channels. To express n repeated independent runs we require n renaming channels to disambiguate the copies of the output names.

Proposition 29

\(A \triangleright B = (\mathbb {I}_{I}\Vert A);B\) and \(A^{(n)} = \Vert _{i=1}^n (A;\text {R}^{}_{O,\{i\}\times O})\).

5 Related Work

In their seminal paper Goguen and Meseguer lamented that

Most of the models given in the literature [\(\ldots \)] are not mathematically rigorous enough to support meaningful determinations of the kind needed; some do not support a sufficiently general view of security (for example, they may fail to handle breaches of security by cooperating multiple users). [12, p. 12]

We argue that \(\bowtie \) is better at modelling colluding adversaries by allowing selectively shared inputs and outputs—a feature absent in the usual definitions of \(\Vert \) and \(\times \).

Gray and Syverson [13] extended with temporal operators the epistemic logic with probabilities of Halpern and Tuttle [15] to lay the foundation for a rigorous analysis of probabilistic channels. Their work is however concerned only with perfect security, that is, no leakage whatsoever.

In possibilistic settings, some recent works have presented preliminary findings for notions of refinement that preserve information-flow security properties [20, 26]. For probabilistic systems McIver et al. [25] present rely-guarantee rules.

Kawamoto et al. [16] explain how to decompose channels using \(\Vert \) and \(\times \) to then compute upper and lower bounds on measures of leakage such as g-leakage and min-entropy from the corresponding measures of the component channels. At the time of writing, the most recent version of this paper [17] mentions a connection to refinement including our Theorem 19 albeit without proof and based on a different (faulty) definition of \(\sqsubseteq \).

The abstract channels as introduced by McIver et al. [24] are too abstract for our purposes. After abstracting from the names of outputs, we can no longer model fused outputs as we did, e.g., when describing two colluding neighbours in the dining cryptographers example. The programs considered in [22, 23] lack any form of parallel composition although \(\Vert \) is defined and discussed in the appendix of the latter.

All these concurrent composition operators resemble the distributed knowledge of two agents observing different channels as described e.g. in [11] but in a probabilistic setting. The literature on knowledge in probabilistic worlds however appears to have gone in different research directions. Halpern and O’Neill [14] characterised notions of perfect secrecy for various classes of systems including ones with probabilistic choice. Clarkson et al. [8, 9] incorporate how an attacker’s beliefs can change over time while observing intermediate outputs.

6 Future Work and Conclusion

Future directions for this line of work include:

  • investigating further the role of collusion, that is, common output names. So far these clashes are typically either a nuisance or a triviality. Do they make for a more powerful or more elegant algebra similar to how predicate transformers that ignore Dijkstra’s healthiness conditions make for a cleaner refinement algebra of sequential programs?

  • exploring the concept of channel algebra further. Our channel model and \(\bowtie \) composition may be steps in the right direction but are these the only necessary ingredients?

  • finding bounds on various leakage measures for \(\bowtie \) compositions similar to the results in [16] for \(\Vert \) and \(\times \).

  • lifting channel algebra to the level of a programming language, resulting in leakage-sensitive refinement laws for programs.

  • mechanising channel algebra in a theorem prover to facilitate evaluation on less trivial examples. We wrote a simple implementation of channels and operations on them, and used it for all our examples, but this library is not yet hooked up with a theorem prover for algebraic reasoning. The companion project for possibilistic compositional refinement is much more progressed in that respect [26]. Some of the infrastructure of that project could be recycled for the qif version.

  • investigating how stages of verified compilers such as CompCert [19] and CakeML [18] affect leakage and how to enforce leakage bound preservation by compilation with the help of code transformations [1, 4].

We feel that we have so far only scratched the surface of the possibilities opened up by the slight change of channel model and the addition of the \(\bowtie \) operator. The latter appears to be a better parallel composition operator, generalising all existing ones and allowing for selective sharing, compared to the all-or-nothing of \(\Vert \) and \(\times \). This paper attempts to make a case for adopting the channel model and the \(\bowtie \) operator, thereby expressing little more than the author’s preferences. To the best of our knowledge, some of the results are new, including Theorem 22, or correctly stated and proved for the first time in this generality, such as Theorem 19. Besides the dining cryptographers, we have analysed a few more examples such as the combined leakage of two C bit masking assignments, all of which benefit from the new model and \(\bowtie \).