Multi-user guesswork and brute force security

TL;DR

This paper extends the guesswork framework to multi-user systems, analyzing the asymptotic security and optimal guessing strategies when multiple users select strings independently, with results on guesswork growth rates and security bounds.

Contribution

It introduces an asymptotically optimal class of strategies for multi-user guesswork and derives the guesswork growth rate based on Rényi entropy, generalizing previous single-user results.

Findings

Asymptotically optimal guessing strategies exist for multi-user systems.

Guesswork growth rate is determined by Rényi entropy with a specific parameter.

Shannon entropy provides a lower bound on guesswork growth rate.

Abstract

The Guesswork problem was originally motivated by a desire to quantify computational security for single user systems. Leveraging recent results from its analysis, we extend the remit and utility of the framework to the quantification of the computational security for multi-user systems. In particular, assume that $V$ users independently select strings stochastically from a finite, but potentially large, list. An inquisitor who does not know which strings have been selected wishes to identify $U$ of them. The inquisitor knows the selection probabilities of each user and is equipped with a method that enables the testing of each (user, string) pair, one at a time, for whether that string had been selected by that user. Here we establish that, unless $U=V$, there is no general strategy that minimizes the distribution of the number of guesses, but in the asymptote as the strings become long we prove the following: by construction, there is an asymptotically optimal class of strategies; the number of guesses required in an asymptotically optimal strategy satisfies a large deviation principle with a rate function, which is not necessarily convex, that can be determined from the rate functions of optimally guessing individual users' strings; if all user's selection statistics are identical, the exponential growth rate of the average guesswork as the string-length increases is determined by the specific R\'enyi entropy of the string-source with parameter $(V-U+1)/(V-U+2)$, generalizing the known $V=U=1$ case; and that the Shannon entropy of the source is a lower bound on the average guesswork growth rate for all $U$ and $V$, thus providing a bound on computational security for multi-user systems. Examples are presented to illustrate these results and their ramifications for systems design.