Traditional approaches to Quantitative Information Flow (QIF)
represent the adversary's prior knowledge of possible secret values
as a single probability distribution.
This representation may miss important
structure.
For instance, representing prior knowledge about
passwords of a system's users in this way
overlooks the fact that many users generate passwords using
some *strategy*. Knowledge of such strategies can
help the adversary in guessing a secret, so ignoring them may
underestimate the secret's vulnerability.
In this paper we explicitly model strategies as
distributions on secrets, and generalize the representation of
the adversary's prior knowledge from a distribution on secrets
to an *environment*, which is a distribution on strategies
(and, thus, a distribution on distributions on secrets,
called a *hyper-distribution*).
By applying information-theoretic techniques to environments
we derive several meaningful generalizations of the traditional
approach to QIF.
In particular, we disentangle the
*vulnerability of a secret* from the *vulnerability of the strategies*
that generate secrets, and thereby distinguish
*security by aggregation*-which relies on the uncertainty over
strategies-from *security by strategy*-which relies on the
intrinsic uncertainty within a strategy.
We also demonstrate that, in a precise way, no further generalization
of prior knowledge
(e.g., by using distributions of even higher order)
is needed to soundly quantify the vulnerability of the secret.

[ http ]

@INPROCEEDINGS{alvim17strat, AUTHOR = {M\'{a}rio S. Alvim and Piotr Mardziel and Michael Hicks}, TITLE = {Quantifying vulnerability of secret generation using hyper-distributions}, BOOKTITLE = {Proceedings of the Symposium on Principles of Security and Trust (POST)}, YEAR = 2017, MONTH = APR, NOTE = {Extended version of short paper that appeared at FCS 2016: \url{http://www.cs.umd.edu/~mwh/papers/stratquant.pdf}} }