Information Leakage Games
Abstract
We consider a game-theoretic setting to model the interplay between attacker and defender in the context of information flow, and to reason about their optimal strategies. In contrast with standard game theory, in our games the utility of a mixed strategy is a convex function of the distribution on the defender’s pure actions, rather than the expected value of their utilities. Nevertheless, the important properties of game theory, notably the existence of a Nash equilibrium, still hold for our (zero-sum) leakage games, and we provide algorithms to compute the corresponding optimal strategies. As is typical in (simultaneous) game theory, the optimal strategy is usually mixed, i.e., probabilistic, for both the attacker and the defender. From the point of view of information flow, this was to be expected in the case of the defender, since it is well known that randomization at the level of the system design may help to reduce information leaks. Regarding the attacker, however, this seems to be the first work (w.r.t. the literature in information flow) proving formally that in certain cases the optimal attack strategy is necessarily probabilistic.
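A small worked instance of the abstract's two claims, added here as an illustration and not taken from the paper. It assumes a one-bit secret with a uniform prior, posterior Bayes vulnerability as the leakage measure, a defender whose choice is hidden from the attacker (modeled as a mixture of channels), and four constructed channels; the exhaustive grid search stands in for the paper's algorithms.

```python
from fractions import Fraction as F

PRIOR = [F(1, 2), F(1, 2)]   # uniform prior on a one-bit secret x (constructed)
IDENT = [[1, 0], [0, 1]]     # channel rows: P(y | x) for y = x
FLIP = [[0, 1], [1, 0]]      # y = 1 - x
CONST = [[1, 0], [1, 0]]     # y = 0 regardless of x
# CHANNELS[d][a]: channel run when the attacker plays d and the defender plays a.
CHANNELS = {0: [IDENT, FLIP],    # d = 0: y = x XOR a
            1: [CONST, IDENT]}   # d = 1: y = x AND a

def bayes_vulnerability(channel):
    """Probability of guessing x in one try after observing y."""
    return sum(max(PRIOR[x] * channel[x][y] for x in range(2)) for y in range(2))

def hidden_mix(d, p):
    """Channel the attacker faces when the defender plays a=0 with probability p
    and the choice of a is not observable."""
    c0, c1 = CHANNELS[d]
    return [[p * c0[x][y] + (1 - p) * c1[x][y] for y in range(2)] for x in range(2)]

def utility(p, q):
    """Leakage when the attacker plays d=0 with probability q. The attacker knows
    d, so the utility is linear in q, but it is convex (not linear) in p."""
    return (q * bayes_vulnerability(hidden_mix(0, p))
            + (1 - q) * bayes_vulnerability(hidden_mix(1, p)))

def expected_utility(p, q):
    """Standard game theory's value: expectation over both players' pure actions."""
    return sum(wd * wa * bayes_vulnerability(CHANNELS[d][a])
               for d, wd in ((0, q), (1, 1 - q))
               for a, wa in ((0, p), (1, 1 - p)))

GRID = [F(i, 60) for i in range(61)]   # exact rationals; contains 1/3, 1/2, 2/3

def attacker_maximin():
    """(guaranteed leakage, q) for the best attacker mixture."""
    return max((min(utility(p, q) for p in GRID), q) for q in GRID)

def defender_minimax():
    """(worst-case leakage, p) for the best defender mixture."""
    return min((max(utility(p, q) for q in GRID), p) for p in GRID)

if __name__ == "__main__":
    print("hidden mix vs expectation at p=1/2, d=0:",
          utility(F(1, 2), 1), expected_utility(F(1, 2), 1))
    print("attacker maximin (value, q):", attacker_maximin())
    print("defender minimax (value, p):", defender_minimax())
```

Against d = 0 a fair coin on a leaks nothing (vulnerability 1/2, the prior's own), while the expectation over pure actions would report 1. Either pure attack can be held to 1/2 by the defender, but the attacker mixture q = 1/3 guarantees 2/3, which matches the defender's minimax at p = 2/3.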
Notes
Acknowledgments
The authors are thankful to Arman Khouzani and Pedro O. S. Vaz de Melo for valuable discussions. This work was supported by JSPS and Inria under the project LOGIS of the Japan-France AYAME Program, and by the project Epistemic Interactive Concurrency (EPIC) from the STIC AmSud Program. Mário S. Alvim was supported by CNPq, CAPES, and FAPEMIG. Yusuke Kawamoto was supported by JSPS KAKENHI Grant Number JP17K12667.