M. Alvim, M. Andrés, C. Aldini, M. Bravetti, and R. Gorrieri, Information Flow in Interactive Systems A processalgebraic approach for the analysis of probabilistic noninterference, J. Comput. Secur, vol.12, issue.2, pp.191-245, 2004.

M. Abadi and A. D. Gordon, Reasoning about cryptographic protocols in the spi calculus, CONCUR'97: Concurrency Theory, pp.59-73, 1997.
DOI : 10.1007/3-540-63141-0_5

[. Abadi and A. D. Gordon, A calculus for cryptographic protocols, Proceedings of the 4th ACM conference on Computer and communications security , CCS '97, pp.1-70, 1999.
DOI : 10.1145/266420.266432

M. Roberto, D. Amadio, and . Lugiez, On the reachability problem in cryptographic protocols, Proceedings of CONCUR 00, 2000.

G. Brassard, A. Broadbent, J. Fitzsimons, S. Gambs, and A. Tapp, Anonymous quantum communication, ASIACRYPT, pp.460-473, 2007.

[. Braun, K. Chatzikokolakis, and C. Palamidessi, Compositional Methods for Information-Hiding, Foundations of Software Science and Computation Structures (FOSSACS), 2008.
DOI : 10.1007/978-3-540-78499-9_31

URL : https://hal.archives-ouvertes.fr/inria-00349227

[. Braun, K. Chatzikokolakis, and C. Palamidessi, Quantitative Notions of Leakage for One-try Attacks, Proceedings of the 25th Conf. on Mathematical Foundations of Programming Semantics, pp.75-91, 2009.
DOI : 10.1016/j.entcs.2009.07.085

URL : https://hal.archives-ouvertes.fr/inria-00424852

[. Bossi, R. Focardi, C. Piazza, S. Rossi, -. On et al., A proof system for information flow security A theory of communicating sequential processes, PROC. OF INT. WORK, pp.199-218, 1984.

[. Bell and . Padula, Secure computer system: Unified exposition and multics interpretation, MTR-2997, MITRE Corp, 1976.

M. Boreale, Quantifying information leakage in process calculi, Information and Computation, vol.207, issue.6, pp.699-725, 2009.
DOI : 10.1016/j.ic.2008.12.007

[. Bhargava and C. Palamidessi, Probabilistic anonymity INRIA Futurs and LIX To appear in the proceedings of CONCUR, 2005.

R. Beauxis and C. Palamidessi, Probabilistic and nondeterministic aspects of anonymity, Theoretical Computer Science, vol.410, issue.41, pp.4006-4025, 2009.
DOI : 10.1016/j.tcs.2009.06.008

URL : https://hal.archives-ouvertes.fr/inria-00424855

. J. Bs, C. Bradfield, and . Stirling, Modal mu-calculi. Handbook of Modal Logic, pp.721-756

]. C. Cac97 and . Cachin, Entropy measures and unconditional security in cryptography, 1997.

D. Chaum, The dining cryptographers problem: Unconditional sender and recipient untraceability, Journal of Cryptology, vol.1, issue.1, pp.65-75, 1988.
DOI : 10.1007/BF00206326

D. Clark, S. Hunt, and P. Malacaria, Quantitative Analysis of the Leakage of Confidential Data, Electronic Notes in Theoretical Computer Science, vol.59, issue.3, 2002.
DOI : 10.1016/S1571-0661(04)00290-7

]. D. Chm05a, S. Clark, P. Hunt, and . Malacaria, Quantified interference for a while language, In Electronic Notes in Theoretical Computer Science, vol.112, pp.149-166, 2005.

]. D. Chm05b, S. Clark, P. Hunt, and . Malacaria, Quantitative information flow, relations and polymorphic types Journal of Logic and Computation, Special Issue on Lambda-calculus, type theory and natural language, pp.181-199, 2005.

D. Clark, S. Hunt, and P. Malacaria, A static analysis for quantifying information flow in a simple imperative language, Journal of Computer Security, vol.15, issue.3, pp.321-371, 2007.
DOI : 10.3233/JCS-2007-15302

J. Mclean, C. , and J. Mclean, Security models and information flow, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy, pp.180-187, 1990.
DOI : 10.1109/RISP.1990.63849

R. Michael, A. C. Clarkson, F. B. Myers, and . Schneider, Quantifying information flow with beliefs, 2008.

[. Chatzikokolakis and C. Palamidessi, Probable innocence revisited INRIA Futurs and LIX, 2005.

[. Chatzikokolakis and C. Palamidessi, A framework for analyzing probabilistic protocols and its application to the Partial Secrets Exchange, Semantic and Logical Foundations of Global Computing, pp.512-527, 2007.
DOI : 10.1016/j.tcs.2007.09.006

URL : https://hal.archives-ouvertes.fr/inria-00201111

[. Chatzikokolakis and C. Palamidessi, Making Random Choices Invisible to the Scheduler, Luís Caires and Vasco Thudichum Vasconcelos Proceedings of CONCUR'07, pp.42-58, 2007.
DOI : 10.1007/978-3-540-74407-8_4

URL : https://hal.archives-ouvertes.fr/inria-00424860

[. Chatzikokolakis, C. Palamidessi, and P. Panangaden, Probability of Error in Information-Hiding Protocols, 20th IEEE Computer Security Foundations Symposium (CSF'07), pp.341-354, 2007.
DOI : 10.1109/CSF.2007.27

URL : https://hal.archives-ouvertes.fr/inria-00200957

[. Chatzikokolakis, C. Palamidessi, and P. Panangaden, Anonymity protocols as noisy channels Information and Computation, Joint Workshop on Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis (FCS-ARSPA '06), pp.378-401, 2008.

[. Chatzikokolakis, C. Palamidessi, and P. Panangaden, On the Bayes risk in information-hiding protocols, Journal of Computer Security, vol.16, issue.5, pp.531-571, 2008.
DOI : 10.3233/JCS-2008-0333

URL : https://hal.archives-ouvertes.fr/inria-00349224

[. Cortier, M. Rusinowitch, and E. Zalinescu, Relating two standard notions of secrecy, Logical Methods in Computer Science, vol.3, issue.3, 2007.
URL : https://hal.archives-ouvertes.fr/inria-00108391

[. Clarke, O. Sandberg, B. Wiley, and T. W. Hong, Freenet: A Distributed Anonymous Information Storage and Retrieval System, Lecture Notes in Computer Science, pp.46-66, 2001.
DOI : 10.1007/3-540-44702-4_4

D. E. Denning, Cryptography and data security Panangaden. A logical characterization of bisimulation for labeled markov processes, Logic in Computer Science, Symposium on, p.478, 1982.

]. I. Dev03 and . Devetak, The private classical capacity and quantum capacity of a quantum channel, 2003.

V. [. Dhawan and . Ganapathy, Analyzing information flow in javascriptbased browser extensions, pp.382-391, 2009.

M. [. Dechesne, S. Mousavi, and . Orzan, Operational and Epistemic Approaches to Protocol Analysis: Bridging the Gap, Lecture Notes in Computer Science, vol.4790, p.226, 2007.
DOI : 10.1007/978-3-540-75560-9_18

[. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data, SIAM Journal on Computing, vol.38, issue.1, pp.97-139, 2008.
DOI : 10.1137/060651380

[. Pierro, C. Hankin, and H. Wiklicky, Approximate non-interference, CSFW '02: Proceedings of the 15th IEEE workshop on Computer Security Foundations, 2002.

[. Deng, C. Palamidessi, and J. Pang, Compositional Reasoning for Probabilistic Finite-State Behaviors, Aart Middeldorp, Vincent van Oostrom, Femke van Raamsdonk, and Processes, Terms and Cycles: Steps on the Road to Infinity, pp.309-337, 2005.
DOI : 10.1007/11601548_17

URL : https://hal.archives-ouvertes.fr/hal-00159683

[. Pang and P. Wu, Measuring anonymity with relative entropy, pp.65-79, 2007.

[. Diaz and S. Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity, pp.54-68, 2002.

[. Diaz and S. Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity, pp.54-68, 2002.

[. Díaz, L. Sassaman, and E. Dewitte, Comparison Between Two Practical Mix Designs, ESORICS, pp.141-159, 2004.
DOI : 10.1007/978-3-540-30108-0_9

[. Emerson and E. M. Clarke, Characterizing correctness properties of parallel programs using fixpoints, Proceedings of the 7th Colloquium on Automata, Languages and Programming, pp.169-181, 1980.
DOI : 10.1007/3-540-10003-2_69

[. Even, O. Goldreich, and A. Lempel, A randomized protocol for signing contracts, Communications of the ACM, vol.28, issue.6, pp.637-647, 1985.
DOI : 10.1145/3812.3818

M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. Song, Dynamic spyware analysis, ATC'07: 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference, pp.1-14, 2007.

]. E. Eme90 and . Emerson, Temporal and modal logic, Handbook of Theoretical Computer Science, pp.995-1072, 1990.

R. [. Focardi and . Gorrieri, Automatic compositional verification of some Security properties, Lecture Notes in Computer Science, vol.1055, pp.167-186, 1996.
DOI : 10.1007/3-540-61042-1_44

R. Focardi and R. Gorrieri, The Compositional Security Checker: a tool for the verification of information flow security properties, IEEE Transactions on Software Engineering, vol.23, issue.9, 1997.
DOI : 10.1109/32.629493

[. Focardi, R. Gorrieri, and F. Martinelli, Classification of security properties (part ii: Network security), 1995.

R. [. Focardi, F. Gorrieri, and . Martinelli, Real-time information flow analysis, IEEE Journal on Selected Areas in Communications, vol.21, issue.1, pp.20-35, 2003.
DOI : 10.1109/JSAC.2002.806122

[. Focardi, Comparing two information flow security properties, Proceedings 9th IEEE Computer Security Foundations Workshop, p.116, 1996.
DOI : 10.1109/CSFW.1996.503696

R. Focardi and S. Rossi, Information flow security in dynamic contexts, CSFW '02: Proceedings of the 15th IEEE workshop on Computer Security Foundations, 2002.
DOI : 10.3233/JCS-2006-14103

A. Joseph, J. Goguen, and . Meseguer, Security policies and security models, IEEE Symposium on Security and Privacy, pp.11-20, 1982.

Y. Joseph, K. R. Halpern, and . Neill, Anonymity and information hiding in multiagent systems, Proc. of the 16th IEEE Computer Security Foundations Workshop, pp.75-88, 2003.

Y. Joseph, K. R. Halpern, and . Neill, Anonymity and information hiding in multiagent systems, BIBLIOGRAPHY [HP00] Oltea Mihaela Herescu and Catuscia Palamidessi. Probabilistic asynchronous ?-calculus, pp.483-512, 2005.

Y. Joseph, R. Halpern, and . Pucella, Probabilistic algorithmic knowledge, Logical Methods in Computer Science, pp.118-130, 2005.

[. Hennessy and J. Riely, Information flow vs. resource access in the asynchronous pi-calculus, ACM Transactions on Programming Languages and Systems, vol.24, issue.5, pp.566-591, 2002.
DOI : 10.1145/570886.570890

D. Hughes and V. Shmatikov, Information hiding, anonymity and privacy: a modular approach, Journal of Computer Security, vol.12, issue.1, pp.3-36, 2004.
DOI : 10.3233/JCS-2004-12102

[. Hillery, M. Ziman, V. Buzek, and M. Bielikova, Towards quantum-based privacy and voting, Physics Letters A, vol.349, issue.1-4, 2005.
DOI : 10.1016/j.physleta.2005.09.010

W. James and I. Gray, Toward a mathematical foundation for information flow security, IEEE Symposium on Security and Privacy, pp.21-35, 1991.

N. Adam and . Joinson, Self-disclosure in computer-mediated communication: The role of self-awareness and visual anonymity, European Journal of Social Psychology, vol.31, issue.2, pp.177-192, 2001.

F. [. Johnson and . Thayer, Security and the Composition of Machines, Proceedings of the Computer Security Foundations Workshop, pp.72-89, 1988.

[. Koepf and D. Basin, An information-theoretic model for adaptive side-channel attacks, Proceedings of the 14th ACM conference on Computer and communications security , CCS '07, pp.286-296, 2007.
DOI : 10.1145/1315245.1315282

J. Kilian, Founding cryptography on oblivious transfer, Proceedings of the 20th ACM Annual Symposium on the Theory of Computing, pp.20-31, 1988.

D. Kozen, Results on the propositional ??-calculus, Theoretical Computer Science, vol.27, issue.3, pp.333-354, 1983.
DOI : 10.1016/0304-3975(82)90125-6

S. Kramer, C. Palamidessi, R. Segala, A. Turrini, and C. Braun, A quantitative doxastic logic for probabilistic processes and applications to information-hiding. The Journal of Applied Non-Classical Logics, 2010.
URL : https://hal.archives-ouvertes.fr/inria-00445212

G. Lowe and . Casper, Casper: A compiler for the analysis of security protocols, Proceedings of 10th IEEE Computer Security Foundations Workshop, pp.53-84, 1997.
DOI : 10.3233/JCS-1998-61-204

G. Lowe, Defining information flow quantity, Journal of Computer Security, vol.12, issue.3-4, pp.619-653, 2004.
DOI : 10.3233/JCS-2004-123-410

A. Lomuscio and W. Penczek, Symbolic model checking for temporal-epistemic logics, ACM SIGACT News, vol.38, issue.3, pp.77-99, 2007.
DOI : 10.1145/1324215.1324231

G. Kim, A. Larsen, and . Skou, Bisimulation through probabilistic testing, Inf. Comput, vol.94, issue.1, pp.1-28, 1991.

P. Li and S. Zdancewic, Practical information-flow control in web-based information systems, CSFW '05: Proceedings of the 18th IEEE workshop on Computer Security Foundations, pp.2-15, 2005.

]. P. Mal07 and . Malacaria, Assessing security threat of looping constructs, Proc. 34th ACM Symposium on Principles of Programming Languages, pp.225-235, 2007.

H. Mantel, On the composition of secure systems, Proceedings 2002 IEEE Symposium on Security and Privacy, 2002.
DOI : 10.1109/SECPRI.2002.1004364

J. L. Massey, Guessing and entropy, Proceedings of 1994 IEEE International Symposium on Information Theory, p.204, 1994.
DOI : 10.1109/ISIT.1994.394764

P. Malacaria and H. Chen, Lagrange multipliers and maximum information leakage in different observational models, Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security , PLAS '08, pp.135-146, 2008.
DOI : 10.1145/1375696.1375713

D. Mccullough, Specifications for multi-level security and a hookup . Security and Privacy, IEEE Symposium on, p.161, 1987.

D. Mccullough, A hookup theorem for multilevel security, IEEE Transactions on Software Engineering, vol.16, issue.6, pp.563-568, 1990.
DOI : 10.1109/32.55085

J. K. Millen, Covert channel capacity. Security and Privacy, IEEE Symposium on, p.60, 1987.

]. R. Mil89 and . Milner, Communication and Concurrency. International Series in Computer Science, 1989.

A. Mciver and C. Morgan, A probabilistic approach to information hiding, pp.441-460, 2003.
DOI : 10.1007/978-0-387-21798-7_20

. S. Ira, R. E. Moskowitz, D. P. Newman, A. R. Crepeau, and . Miller, Covert channels and anonymizing networks, WPES, pp.79-88, 2003.

I. S. Moskowitz, R. E. Newman, and P. F. Syverson, Quasianonymous channels, IASTED CNIS, pp.126-131, 2003.

I. S. Moskowitz, Variable noise effects upon a simple timing channel. Security and Privacy, IEEE Symposium on, p.362, 1991.

C. Andrew and . Myers, Jflow: Practical mostly-static information flow control, Proc. 26th ACM Symp. on Principles of Programming Languages (POPL, pp.228-241, 1999.

[. Nielsen, Reasoning about the past, Proceedings of MFCS'98, pp.117-128, 1998.
DOI : 10.1007/BFb0055761

C. [. Norman, D. Palamidessi, P. Parker, and . Wu, Model Checking Probabilistic and Stochastic Extensions of the π-Calculus, IEEE Transactions on Software Engineering, vol.35, issue.2, pp.209-223, 2009.
DOI : 10.1109/TSE.2008.77

A. Narayanan and V. Shmatikov, De-anonymizing Social Networks, 2009 30th IEEE Symposium on Security and Privacy, 2009.
DOI : 10.1109/SP.2009.22

[. Palamidessi, Probabilistic and Nondeterministic Aspects of Anonymity, Proceedings of the 21st Annual Conference on Mathematical Foundations of Programming Semantics (MFPS XXI), pp.33-42, 2006.
DOI : 10.1016/j.entcs.2005.11.050

URL : https://hal.archives-ouvertes.fr/inria-00201106

[. Palamidessi and O. M. Herescu, A Randomized Distributed Encoding of the ??-Calculus with Mixed Choice, Theoretical Computer Science, vol.335, issue.2-3, pp.373-404, 2005.
DOI : 10.1007/978-0-387-35608-2_44

O. John and . Pliam, On the incomparability of entropy and marginal guesswork in brute-force attacks, INDOCRYPT, pp.67-79, 2000.

]. V. Pra81 and . Pratt, A decidable mu-calculus: Preliminary report, SFCS '81: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, pp.421-427, 1981.

A. Parma and R. Segala, Logical Characterizations of Bisimulations for Discrete Probabilistic Systems, FoSSaCS, pp.287-301, 2007.
DOI : 10.1007/978-3-540-71389-0_21

[. Pfitzmann and M. Waidner, Networks without user observability, Computers & Security, vol.6, issue.2, pp.158-166, 1987.
DOI : 10.1016/0167-4048(87)90087-3

O. Michael and . Rabin, How to exchange secrets by oblivious transfer, 1981.

A. Rényi, On measures of entropy and information, Proceedings of the 4th Berkeley Symposium on Mathematics, Statistics, and Probability, pp.547-561, 1960.

]. P. Ren09, K. Renaud, and . Cockshott, Handivote: Simple, anonymous, and auditable electronic voting, Journal of Information Technology & Politics, vol.6, issue.1, pp.60-80, 2009.

]. A. Ros95a and . Roscoe, Csp and determinism in security modelling, Proc. IEEE Symposium on Security and Privacy, pp.114-127, 1995.

]. A. Ros95b and . Roscoe, Modelling and verifying key-exchange protocols using CSP and FDR, Proceedings of the 8th IEEE Computer Security Foundations Workshop, pp.98-107, 1995.

K. Michael, A. D. Reiter, and . Rubin, Crowds: anonymity for Web transactions, ACM Transactions on Information and System Security, vol.1, issue.1, pp.66-92, 1998.

S. [. Ryan and . Schneider, Process algebra and non-interference, Journal of Computer Security, pp.214-227, 1999.

Y. Peter, S. Ryan, and . Schneider, Modelling and Analysis of Security Protocols, 2001.

J. [. Roscoe, L. Woodcock, and . Wulf, Non-interference through determinism, ESORICS '94: Proceedings of the Third European Symposium on Research in Computer Security, pp.33-53, 1994.
DOI : 10.1007/3-540-58618-0_55

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

]. P. Rya91 and . Ryan, A csp formulation of non-interference and unwinding, Cipher: IEEE Comput. Soc. Tech. Comm. Newsl. Secur. Priv, pp.19-30, 1991.

]. S. Sch96 and . Schneider, Security properties and CSP, Proceedings of the IEEE Symposium Security and Privacy, 1996.

]. A. Sd02a, G. Serjantov, and . Danezis, Towards an information theoretic metric for anonymity, Lecture Notes in Computer Science, vol.2482, pp.41-53, 2002.

A. Serjantov and G. Danezis, Towards an Information Theoretic Metric for Anonymity, Proceedings of the workshop on Privacy Enhancing Technologies (PET) 2002, pp.41-53, 2002.
DOI : 10.1007/3-540-36467-6_4

[. Segala, Modeling and Verification of Randomized Distributed Real-Time Systems, 1995.

B. Segala, Probability and Nondeterminism in Operational Models of Concurrency, Proceedings of the 17th International Conference on Concurrency Theory (CONCUR), pp.64-78, 2006.
DOI : 10.1007/11817949_5

F. Paul, D. M. Syverson, M. G. Goldschlag, and . Reed, Anonymous connections and onion routing, 1997.

C. E. Shannon, A Mathematical Theory of Communication, 1948.

R. Segala and N. Lynch, Probabilistic simulations for probabilistic processes, An extended abstract appeared in Proceedings of CONCUR '94, pp.250-273, 1995.

[. Smith, Adversaries and Information Leaks (Tutorial), Lecture Notes in Computer Science, vol.4912, pp.383-400, 2007.
DOI : 10.1007/978-3-540-78663-4_25

[. Smith, On the Foundations of Quantitative Information Flow, FOSSACS, pp.288-302, 2009.
DOI : 10.1137/060651380

V. Simonet and I. Rocquencourt, Flow caml in a nutshell, Proceedings of the first APPSEM-II workshop, pp.152-165, 2003.

S. Schneider and A. Sidiropoulos, CSP and anonymity, Proc. of the European Symposium on Research in Computer Security (ESORICS), pp.198-218, 1996.
DOI : 10.1007/3-540-61770-1_38

F. Paul, S. G. Syverson, and . Stubblebine, Group principals and the formalization of anonymity, World Congress on Formal Methods, pp.814-833, 1999.

A. Sabelfeld and D. Sands, Dimensions and principles of declassification, CSFW '05: Proceedings of the 18th IEEE workshop on Computer Security Foundations, pp.255-269, 2005.

]. D. Sut86 and . Sutherland, A model of information, Proc. of the 9th National Computer Security Conference, 1986.

D. Volpano and G. Smith, Verifying secrets and relative secrecy, Proceedings of the 27th ACM SIGPLAN-SIGACT symposium on Principles of programming languages , POPL '00, pp.268-276, 2000.
DOI : 10.1145/325694.325729

J. [. Vaccaro, A. Spring, and . Chefles, Quantum protocols for anonymous voting and surveying, Physical Review A, vol.75, issue.1, p.12333, 2007.
DOI : 10.1103/PhysRevA.75.012333

[. Wittbold and D. M. Johnson, Information flow in nondeterministic systems. Security and Privacy, IEEE Symposium on, p.144, 1990.

Y. Shuiming-ye, J. Luo, . Zhao, S. Sen-ching, and . Cheung, Anonymous biometric access control, 2009.

D. Heng-yin, M. Song, C. Egele, E. Kruegel, and . Kirda, Panorama: capturing system-wide information flow for malware detection and analysis, CCS '07: Proceedings of the 14th ACM conference on Computer and communications security, pp.116-127, 2007.

Y. Zhu and R. Bettati, Anonymity vs. information leakage in anonymity systems, Proc. of ICDCS, pp.514-524, 2005.

E. [. Zakinthinos and . Lee, The composability of non-interference [system security], Proceedings The Eighth IEEE Computer Security Foundations Workshop, 1995.
DOI : 10.1109/CSFW.1995.518546

E. [. Zakinthinos and . Lee, How and why feedback composition fails [secure systems], Proceedings 9th IEEE Computer Security Foundations Workshop, p.95, 1996.
DOI : 10.1109/CSFW.1996.503694

E. [. Zakinthinos and . Lee, Composing secure systems that have emergent properties, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238), 1998.
DOI : 10.1109/CSFW.1998.683161