Traditional approaches to Quantitative Information Flow (QIF) represent the adversary's prior knowledge of possible secret values as a single probability distribution. This representation may miss important structure. For instance, representing prior knowledge about passwords of a system's users in this way overlooks the fact that many users generate passwords using some strategy. Knowledge of such strategies can help the adversary in guessing a secret, so ignoring them may underestimate the secret's vulnerability. In this paper we explicitly model strategies as distributions on secrets, and generalize the representation of the adversary's prior knowledge from a distribution on secrets to an environment, which is a distribution on strategies (and, thus, a distribution on distributions on secrets, called a hyper-distribution). By applying information-theoretic techniques to environments we derive several meaningful generalizations of the traditional approach to QIF. In particular, we disentangle the vulnerability of a secret from the vulnerability of the strategies that generate secrets, and thereby distinguish security by aggregation---which relies on the uncertainty over strategies---from security by strategy---which relies on the intrinsic uncertainty within a strategy. We also demonstrate that, in a precise way, no further generalization of prior knowledge (e.g., by using distributions of even higher order) is needed to soundly quantify the vulnerability of the secret.

[ http ]

@inproceedings{alvim17strat,
  author = {M\'{a}rio S. Alvim and Piotr Mardziel and Michael Hicks},
  title = {Quantifying vulnerability of secret generation using hyper-distributions},
  booktitle = {Proceedings of the Symposium on Principles of Security and Trust (POST)},
  year = 2017,
  month = apr,
  note = {Extended version of short paper that appeared at FCS 2016: \url{http://www.cs.umd.edu/~mwh/papers/stratquant.pdf}}
}

This file was generated by bibtex2html 1.99.