Quantifying vulnerability of secret generation using hyper-distributions (extended version)
Mário S. Alvim, Piotr Mardziel, Michael Hicks

TL;DR
This paper introduces a new framework for Quantitative Information Flow that models adversary knowledge as distributions over strategies, allowing for more accurate vulnerability assessment of secrets like passwords.
Contribution
It generalizes traditional QIF by representing prior knowledge as hyper-distributions, enabling distinction between security by aggregation and security by strategy.
Findings
Disentangles secret vulnerability from strategy vulnerability.
Provides a formal method to quantify secret vulnerability using hyper-distributions.
Demonstrates no further generalization of prior knowledge is necessary.
Abstract
Traditional approaches to Quantitative Information Flow (QIF) represent the adversary's prior knowledge of possible secret values as a single probability distribution. This representation may miss important structure. For instance, representing prior knowledge about passwords of a system's users in this way overlooks the fact that many users generate passwords using some strategy. Knowledge of such strategies can help the adversary in guessing a secret, so ignoring them may underestimate the secret's vulnerability. In this paper we explicitly model strategies as distributions on secrets, and generalize the representation of the adversary's prior knowledge from a distribution on secrets to an environment, which is a distribution on strategies (and, thus, a distribution on distributions on secrets, called a hyper-distribution). By applying information-theoretic techniques to environments…
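An added illustration, not code from the paper: two environments that collapse to the same single prior but differ in how exposed the secret is once the adversary knows the strategy in use. The measure (Bayes vulnerability, the chance of guessing the secret in one try), the adversary who learns the strategy, and all secrets and probabilities are assumptions constructed for this example.

```python
from fractions import Fraction as F

def bayes_vulnerability(dist):
    """Chance of guessing the secret in one try: the largest probability."""
    return max(dist.values())

def validate(environment):
    """An environment is a list of (weight, strategy) pairs; all must sum to 1."""
    if sum(w for w, _ in environment) != 1:
        raise ValueError("strategy weights must sum to 1")
    for _, strategy in environment:
        if min(strategy.values()) < 0 or sum(strategy.values()) != 1:
            raise ValueError("each strategy must be a distribution on secrets")

def collapse(environment):
    """Average the strategies into the single prior of traditional QIF."""
    validate(environment)
    prior = {}
    for weight, strategy in environment:
        for secret, p in strategy.items():
            prior[secret] = prior.get(secret, 0) + weight * p
    return prior

def vulnerability_from_prior(environment):
    """Adversary knows only the aggregated prior."""
    return bayes_vulnerability(collapse(environment))

def vulnerability_knowing_strategy(environment):
    """Adversary also knows which strategy produced the secret (assumption)."""
    validate(environment)
    return sum(w * bayes_vulnerability(s) for w, s in environment)

# Constructed environments over the same two secrets.
# PER_USER_HABIT: half the users always pick "a", the other half always "b".
PER_USER_HABIT = [(F(1, 2), {"a": F(1)}), (F(1, 2), {"b": F(1)})]
# COIN_FLIP: every user picks "a" or "b" uniformly at random.
COIN_FLIP = [(F(1), {"a": F(1, 2), "b": F(1, 2)})]

if __name__ == "__main__":
    for name, env in (("per-user habit", PER_USER_HABIT), ("coin flip", COIN_FLIP)):
        print(name, dict(collapse(env)),
              vulnerability_from_prior(env), vulnerability_knowing_strategy(env))
```

Both environments give the prior {a: 1/2, b: 1/2}, so a single-distribution model rates them equally, yet knowing the strategy raises the first to certainty and leaves the second unchanged.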
Taxonomy
Topics: Network Security and Intrusion Detection · Security and Verification in Computing · Advanced Malware Detection Techniques
