Quantitative information flow, with a view

Abstract

We put forward a general model intended for assessment of system security against passive eavesdroppers, both quantitatively (how much information is leaked) and qualitatively (what properties are leaked). To this purpose, we extend information hiding systems (ihs), a model where the secret-observable relation is represented as a noisy channel, with views: basically, partitions of the state-space. Given a view W and n independent observations of the system, one is interested in the probability that a Bayesian adversary wrongly predicts the class of W the underlying secret belongs to. We offer results that allow one to easily characterise the behaviour of this error probability as a function of the number of observations, in terms of the channel matrices defining the ihs and the view W. In particular, we provide expressions for the limit value as n → ∞, show by tight bounds that convergence is exponential, and also characterise the rate of convergence to predefined error thresholds. We then show a few instances of statistical attacks that can be assessed by a direct application of our model: attacks against modular exponentiation that exploit timing leaks, against anonymity in mix-nets and against privacy in sparse datasets. © 2011 Springer-Verlag.