# A Game-Theoretic Approach to Information-Flow Control via Protocol Composition


## Abstract


## 1. Introduction

**Example 1** (Differential privacy).

**Example 2** (Dining cryptographers).

**Example 3** (CRIME attack).

**Example 4** (Timing side-channels).

- We present a general framework for reasoning about information leakage in a game-theoretic setting, extending the notion of information leakage games proposed in [6] to both simultaneous and sequential games, with either a hidden or visible choice.
- We present a rigorous compositional way, using visible and hidden choice operators, for representing attacker’s and defender’s actions in information leakage games. In particular, we study the algebraic properties of visible and hidden choice on channels and compare the two kinds of choice with respect to the capability of reducing leakage, in the presence of an adaptive attacker.
- We provide a taxonomy of the various scenarios (simultaneous and sequential) showing when randomization is necessary, for either attacker or defender, to achieve optimality. Although it is well known in information flow that the defender’s best strategy is usually randomized, only recently has it been shown that when defender and attacker act simultaneously, the attacker’s optimal strategy also requires randomization [6].
- We compare the vulnerability of the leakage games for these various scenarios and establish a hierarchy of leakage games based on the order between the values of the leakage in the Nash equilibrium. Furthermore, we show that when the attacker moves first in a sequential game with hidden choice, the behavioral strategies (where the defender chooses his/her probability distribution after he/she has seen the choice of the attacker) are more advantageous for the defender than the mixed strategies (where the defender chooses the probability distribution over his/her possible functional dependency on the choice of the attacker). This contrasts with standard game theory, where the two types of strategies are equivalent. Another difference is that in our attacker-first sequential games, there may not exist Nash equilibria with deterministic strategies for the defender (although the defender has full visibility of the attacker’s moves).
- We use our framework in a detailed case study of a password-checking protocol. A naive program, which checks the password bit by bit and stops when it finds a mismatch, is clearly very insecure, because it reveals at each attempt (via a timing side-channel) the maximum correct prefix. On the other hand, if we continue checking until the end of the string (time padding), the program becomes very inefficient. We show that, by using probabilistic choice instead, we can obtain a good trade-off between security and efficiency.

#### Plan of the Paper

- Theorem 3, which concerns the defender’s behavioral strategies in the defender-first game with visible choice (Game II),
- the second half of Theorem 6, which deals with the adversary’s behavioral strategies in the attacker-first game with hidden choice (Game VI).

## 2. Preliminaries

#### 2.1. Basic Concepts from Game Theory

#### 2.1.1. Two-Player Games

#### 2.1.2. Simultaneous Games

#### 2.1.3. Sequential Games

#### 2.1.4. Zero-Sum Games and the Minimax Theorem

**Theorem 1** (von Neumann’s minimax theorem).

#### 2.2. Quantitative Information Flow

#### 2.2.1. Secrets and Vulnerability

#### 2.2.2. Channels, Posterior Vulnerability and Leakage

## 3. An Illustrative Example

`Program 0` returns the binary product of x and a, whereas `Program 1` flips a coin with bias $a/3$ (i.e., a coin that returns heads with probability $a/3$) and returns x if the result is heads and the complement $\overline{x}$ of x otherwise. The two programs are represented in Figure 1.

## 4. Choice Operators for Protocol Composition

#### 4.1. Matrices and Their Basic Operators

#### 4.2. Channels and Their Hidden and Visible Choice Operators

#### 4.2.1. Hidden Choice

**Proposition 1** (Type of hidden choice).

#### 4.2.2. Visible Choice

**Proposition 2** (Type of visible choice).

#### 4.3. Properties of Hidden and Visible Choice Operators

**Definition 1** (Equivalence of channels).

**Proposition 3** (Idempotency).

**Proposition 4** (“Reorganization of operators”).

- (a) ${⨊}_{i\leftarrow \mu}\;{⨊}_{j\leftarrow \eta}C_{ij}={⨊}_{\begin{array}{c}i\leftarrow \mu \\ j\leftarrow \eta \end{array}}C_{ij}$, if all $C_{i}$’s have the same type;
- (b) ${\lfloor\!\cdot\!\rfloor}_{i\leftarrow \mu}\;{\lfloor\!\cdot\!\rfloor}_{j\leftarrow \eta}C_{ij}\approx {\lfloor\!\cdot\!\rfloor}_{\begin{array}{c}i\leftarrow \mu \\ j\leftarrow \eta \end{array}}C_{ij}$, if all $C_{i}$’s are compatible; and
- (c) ${⨊}_{i\leftarrow \mu}\;{\lfloor\!\cdot\!\rfloor}_{j\leftarrow \eta}C_{ij}\approx {\lfloor\!\cdot\!\rfloor}_{j\leftarrow \eta}\;{⨊}_{i\leftarrow \mu}C_{ij}$, if, for each i, all $C_{ij}$’s have the same type $\mathcal{X}\times \mathcal{Y}_{j}\to \mathbb{R}$.

#### 4.4. Properties of Vulnerability w.r.t. Channel Operators

**Theorem 2** (Convexity/linearity of posterior vulnerability w.r.t. choices).

- 1. Posterior vulnerability is convex w.r.t. hidden choice: $\mathbb{V}\left[\pi ,{⨊}_{i\leftarrow \mu}C_{i}\right]\le \sum_{i\in \mathcal{I}}\mu(i)\,\mathbb{V}\left[\pi ,C_{i}\right]$ if all $C_{i}$’s have the same type.
- 2. Posterior vulnerability is linear w.r.t. visible choice: $\mathbb{V}\left[\pi ,{\lfloor\!\cdot\!\rfloor}_{i\leftarrow \mu}C_{i}\right]=\sum_{i\in \mathcal{I}}\mu(i)\,\mathbb{V}\left[\pi ,C_{i}\right]$ if all $C_{i}$’s are compatible.

**Proof.**

- Let us call $\mathcal{X}\times \mathcal{Y}\to \mathbb{R}$ the type of each channel $C_{i}$ in the family $\left\{C_{i}\right\}$. Then:
  $$\begin{array}{rll}
  \mathbb{V}\left[\pi ,\underset{i\leftarrow \mu}{⨊}C_{i}\right] = & \mathbb{V}\left[\pi ,\sum_{i}\mu(i)C_{i}\right] & (\text{by the definition of hidden choice})\\
  = & \sum_{y\in \mathcal{Y}}p(y)\cdot \mathbb{V}\left[\frac{\pi(\cdot)\sum_{i}\mu(i)C_{i}(\cdot,y)}{p(y)}\right] & (\text{by the definition of posterior } \mathbb{V})\\
  = & \sum_{y\in \mathcal{Y}}p(y)\cdot \mathbb{V}\left[\sum_{i}\mu(i)\frac{\pi(\cdot)C_{i}(\cdot,y)}{p(y)}\right] & \\
  \le & \sum_{y\in \mathcal{Y}}p(y)\cdot \sum_{i}\mu(i)\,\mathbb{V}\left[\frac{\pi(\cdot)C_{i}(\cdot,y)}{p(y)}\right] & (\text{by the convexity of } \mathbb{V})\\
  = & \sum_{i}\mu(i)\sum_{y\in \mathcal{Y}}p(y)\,\mathbb{V}\left[\frac{\pi(\cdot)C_{i}(\cdot,y)}{p(y)}\right] & \\
  = & \sum_{i}\mu(i)\,\mathbb{V}\left[\pi ,C_{i}\right] &
  \end{array}$$
- Let us call $\mathcal{X}\times \mathcal{Y}_{i}\to \mathbb{R}$ the type of each channel $C_{i}$ in the family $\left\{C_{i}\right\}$. Then:
  $$\begin{array}{rll}
  \mathbb{V}\left[\pi ,{\lfloor\!\cdot\!\rfloor}_{i\leftarrow \mu}C_{i}\right] = & \mathbb{V}\left[\pi ,\diamond_{i}\,\mu(i)C_{i}\right] & (\text{by the definition of visible choice})\\
  = & \sum_{y\in \mathcal{Y}}p(y)\cdot \mathbb{V}\left[\frac{\pi(\cdot)\,\diamond_{i}\,\mu(i)C_{i}(\cdot,y)}{p(y)}\right] & (\text{by the definition of posterior } \mathbb{V})\\
  = & \sum_{y\in \mathcal{Y}}p(y)\cdot \mathbb{V}\left[\diamond_{i}\,\mu(i)\frac{\pi(\cdot)C_{i}(\cdot,y)}{p(y)}\right] & \\
  = & \sum_{y\in \mathcal{Y}}p(y)\cdot \sum_{i}\mu(i)\,\mathbb{V}\left[\frac{\pi(\cdot)C_{i}(\cdot,y)}{p(y)}\right] & (\text{see } (*) \text{ below})\\
  = & \sum_{i}\mu(i)\sum_{y\in \mathcal{Y}}p(y)\,\mathbb{V}\left[\frac{\pi(\cdot)C_{i}(\cdot,y)}{p(y)}\right] & \\
  = & \sum_{i}\mu(i)\,\mathbb{V}\left[\pi ,C_{i}\right] &
  \end{array}$$

**Corollary 1** (Convex-linear payoff function).

**Proof.**

## 5. Information Leakage Games

#### 5.1. Defining Information Leakage Games

- (1) two nonempty sets $\mathcal{D}$, $\mathcal{A}$ of defender’s and attacker’s actions, respectively,
- (2) a function $C:\mathcal{D}\times \mathcal{A}\to (\mathcal{X}\times \mathcal{Y}\to \mathbb{R})$ that associates with each pair of actions $(d,a)\in \mathcal{D}\times \mathcal{A}$ a channel $C_{da}:\mathcal{X}\times \mathcal{Y}\to \mathbb{R}$,
- (3) a prior $\pi \in \mathbb{D}\mathcal{X}$ on secrets and
- (4) a vulnerability measure $\mathbb{V}$, used to define the payoff function $u:\mathcal{D}\times \mathcal{A}\to \mathbb{R}$ for pure strategies as $u(d,a)\stackrel{\mathrm{def}}{=}\mathbb{V}\left[\pi ,C_{da}\right]$. We have only one payoff function because the game is zero-sum.

- Phase 1: determination of players’ strategies and the subsequent choice of their actions. Each player determines the most convenient strategy (which in general is probabilistic) for himself/herself, and draws his/her action accordingly. One of the players may commit first to his/her action, and his/her choice may or may not be revealed to the follower. In general, knowledge of the leader’s action may help the follower choose a more advantageous strategy.
- Phase 2: observation of the resulting channel’s output and payoff computation. The attacker observes the output of the selected channel $C_{da}$ and performs his/her attack on the secret. In case he/she knows the defender’s action, he/she is able to determine the exact channel $C_{da}$ being used (since, of course, the attacker knows his/her own action), and his/her payoff will be the posterior vulnerability $\mathbb{V}\left[\pi ,C_{da}\right]$. However, if the attacker does not know exactly which channel has been used, then his/her payoff will be smaller.

- Simultaneous. The players choose (draw) their actions in parallel, each without knowing the choice of the other.
- Sequential, defender-first. The defender draws an action, and commits to it, before the attacker does.
- Sequential, attacker-first. The attacker draws an action, and commits to it, before the defender does.

- Visible choice. The attacker knows the defender’s action when he/she observes the output of the channel, and therefore, he/she knows which channel is being used. Visible choice is modeled by the operator $\lfloor\!\cdot\!\rfloor$.
- Hidden choice. The attacker does not know the defender’s action when he/she observes the output of the channel, and therefore, in general, he/she does not exactly know which channel is used (although in some special cases, he/she may infer it from the output). Hidden choice is modeled by the operator ⨊.

#### 5.1.1. Game I (Simultaneous with Visible Choice)

**Example 5.**

#### 5.1.2. Game II (Defender-First with Visible Choice)

**Theorem 3** (Pure-strategy Nash equilibrium in Game II: strategies of type $\mathbb{D}(\mathcal{D}\to \mathcal{A})$).

**Proof.**

**Example 6.**

**Theorem 4** (Pure-strategy Nash equilibrium in Game II: strategies of type $\mathcal{D}\to \mathbb{D}(\mathcal{A})$).

**Proof.**

**Corollary 2** (Equivalence of optimal strategies of types $\mathbb{D}(\mathcal{D}\to \mathcal{A})$ and $\mathcal{D}\to \mathbb{D}(\mathcal{A})$ in Game II).

**Proof.**

#### 5.1.3. Game III (Attacker-First with Visible Choice)

**Theorem 5** (Pure-strategy Nash equilibria in Game III and equivalence of $\mathbb{D}(\mathcal{A}\to \mathcal{D})$ and $(\mathcal{A}\to \mathbb{D}(\mathcal{D}))$).

- 1. For every $\alpha \in \mathbb{D}\mathcal{A}$ and $\sigma_{\mathsf{d}}\in \mathbb{D}(\mathcal{A}\to \mathcal{D})$, we have $U(s_{\mathsf{d}}^{*},\alpha )\le u(s_{\mathsf{d}}^{*}(a^{*}),a^{*})\le U(\sigma_{\mathsf{d}},a^{*})$.
- 2. For every $\alpha \in \mathbb{D}\mathcal{A}$ and $\varphi_{\mathsf{d}}:\mathcal{A}\to \mathbb{D}(\mathcal{D})$, we have: $U(\varphi_{\mathsf{d}}^{*},\alpha )\le U(\varphi_{\mathsf{d}}^{*}(a^{*}),a^{*})\le U(\varphi_{\mathsf{d}}(a^{*}),a^{*})$.
- 3. $u(s_{\mathsf{d}}^{*}(a^{*}),a^{*})=U(\varphi_{\mathsf{d}}^{*}(a^{*}),a^{*})$.

**Proof.**

**Example 7.**

#### 5.1.4. Game IV (Simultaneous with Hidden Choice)

**Example 8.**

#### 5.1.5. Game V (Defender-First with Hidden Choice)

#### 5.1.6. Game VI (Attacker-First with Hidden Choice)

**Theorem 6** (Attacker’s pure-strategy Nash equilibrium in Game VI).

- 1. Mixed strategies, type $\mathbb{D}(\mathcal{A}\to \mathcal{D})$. Let $a^{*}\stackrel{\mathrm{def}}{=}\operatorname{argmax}_{a}\min_{\sigma_{\mathsf{d}}}\mathbb{V}\left[\pi ,{⨊}_{s_{\mathsf{d}}\leftarrow \sigma_{\mathsf{d}}}C_{s_{\mathsf{d}}(a)a}\right]$, and let $\sigma_{\mathsf{d}}^{*}\stackrel{\mathrm{def}}{=}\operatorname{argmin}_{\sigma_{\mathsf{d}}}\lambda a.\mathbb{V}\left[\pi ,{⨊}_{s_{\mathsf{d}}\leftarrow \sigma_{\mathsf{d}}}C_{s_{\mathsf{d}}(a)a}\right]$. Then, for every $\alpha \in \mathbb{D}\mathcal{A}$ and $\sigma_{\mathsf{d}}\in \mathbb{D}(\mathcal{A}\to \mathcal{D})$ we have:$$U(\sigma_{\mathsf{d}}^{*},\alpha )\le U(\sigma_{\mathsf{d}}^{*},a^{*})\le U(\sigma_{\mathsf{d}},a^{*})$$
- 2. Behavioral strategies, type $\mathcal{A}\to \mathbb{D}(\mathcal{D})$. Let $a^{*}\stackrel{\mathrm{def}}{=}\operatorname{argmax}_{a}\min_{\delta}\mathbb{V}\left[\pi ,{⨊}_{d\leftarrow \delta}C_{da}\right]$, and let $\varphi_{\mathsf{d}}^{*}\stackrel{\mathrm{def}}{=}\operatorname{argmin}_{\varphi_{\mathsf{d}}}\lambda a.\mathbb{V}\left[\pi ,{⨊}_{d\leftarrow \varphi_{\mathsf{d}}(a)}C_{da}\right]$ (the minimization is with respect to the point-wise ordering). Then, for every $\alpha \in \mathbb{D}\mathcal{A}$ and $\varphi_{\mathsf{d}}:\mathcal{A}\to \mathbb{D}(\mathcal{D})$, we have:$$U(\varphi_{\mathsf{d}}^{*},\alpha )\le U(\varphi_{\mathsf{d}}^{*},a^{*})\le U(\varphi_{\mathsf{d}},a^{*})$$

**Proof.**

- Let $\alpha$ and $\sigma_{\mathsf{d}}$ be arbitrary elements of $\mathbb{D}\mathcal{A}$ and $\mathbb{D}(\mathcal{A}\to \mathcal{D})$, respectively. Then:
  $$\begin{array}{rll}
  U(\sigma_{\mathsf{d}}^{*},\alpha ) = & \sum_{a\in \mathcal{A}}\alpha(a)\,\mathbb{V}\left[\pi ,\underset{s_{\mathsf{d}}\leftarrow \sigma_{\mathsf{d}}^{*}}{⨊}C_{s_{\mathsf{d}}(a)a}\right] & \\
  \le & \sum_{a\in \mathcal{A}}\alpha(a)\,\mathbb{V}\left[\pi ,\underset{s_{\mathsf{d}}\leftarrow \sigma_{\mathsf{d}}^{*}}{⨊}C_{s_{\mathsf{d}}(a^{*})a^{*}}\right] & (\text{by the definition of } a^{*} \text{ and } \sigma_{\mathsf{d}}^{*})\\
  = & \mathbb{V}\left[\pi ,\underset{s_{\mathsf{d}}\leftarrow \sigma_{\mathsf{d}}^{*}}{⨊}C_{s_{\mathsf{d}}(a^{*})a^{*}}\right]\;(\,=\,U(\sigma_{\mathsf{d}}^{*},a^{*})) & (\text{since } \alpha \text{ is a distribution})\\
  \le & \mathbb{V}\left[\pi ,\underset{s_{\mathsf{d}}\leftarrow \sigma_{\mathsf{d}}}{⨊}C_{s_{\mathsf{d}}(a^{*})a^{*}}\right] & (\text{by the definition of } \sigma_{\mathsf{d}}^{*})\\
  = & U(\sigma_{\mathsf{d}},a^{*}) &
  \end{array}$$
- Let $\alpha$ and $\varphi_{\mathsf{d}}$ be arbitrary elements of $\mathbb{D}\mathcal{A}$ and $\mathcal{A}\to \mathbb{D}(\mathcal{D})$, respectively. Then:
  $$\begin{array}{rll}
  U(\varphi_{\mathsf{d}}^{*},\alpha ) = & \sum_{a\in \mathcal{A}}\alpha(a)\,\mathbb{V}\left[\pi ,\underset{d\leftarrow \varphi_{\mathsf{d}}^{*}(a)}{⨊}C_{da}\right] & \\
  \le & \sum_{a\in \mathcal{A}}\alpha(a)\,\mathbb{V}\left[\pi ,\underset{d\leftarrow \varphi_{\mathsf{d}}^{*}(a^{*})}{⨊}C_{da^{*}}\right] & (\text{by the definition of } a^{*} \text{ and } \varphi_{\mathsf{d}}^{*})\\
  = & \mathbb{V}\left[\pi ,\underset{d\leftarrow \varphi_{\mathsf{d}}^{*}(a^{*})}{⨊}C_{da^{*}}\right]\;(\,=\,U(\varphi_{\mathsf{d}}^{*},a^{*})) & (\text{since } \alpha \text{ is a distribution})\\
  \le & \mathbb{V}\left[\pi ,\underset{d\leftarrow \varphi_{\mathsf{d}}(a^{*})}{⨊}C_{da^{*}}\right] & (\text{by the definition of } \varphi_{\mathsf{d}}^{*})\\
  = & U(\varphi_{\mathsf{d}},a^{*}) &
  \end{array}$$

**Example 9.**

**Example 10.**

- 1. Behavioral strategies, type $\mathcal{A}\to \mathbb{D}(\mathcal{D})$. If the attacker chooses zero, which corresponds to committing to the system $C_{00}\;{}_{p}{\oplus}\;C_{10}$, then the defender will choose $p=1/4$, which minimizes its vulnerability. If he/she chooses one, which corresponds to committing to the system $C_{01}\;{}_{p}{\oplus}\;C_{11}$, then the defender will choose $p=1$, which minimizes the vulnerability. In both cases, the leakage is $p=1/2$; hence, both of these strategies are solutions to the minimax. Note that in the first case, the strategy of the defender is probabilistic, while that of the attacker is pure in both cases.
- 2. Mixed strategies, type $\mathbb{D}(\mathcal{A}\to \mathcal{D})$. Observe that there are only four possible pure strategies for the defender, corresponding to the four functions $f_{ij}:\mathcal{A}\to \mathcal{D}$ for $i,j\in \{0,1\}$ defined as $f_{ij}(a)\stackrel{\mathrm{def}}{=}i$ if $i=j$ and $f_{ij}(a)\stackrel{\mathrm{def}}{=}a\oplus i$ if $i\ne j$. Consider a distribution $\sigma_{\mathsf{d}}\in \mathbb{D}(\mathcal{A}\to \mathcal{D})$, and let $p_{ij}\stackrel{\mathrm{def}}{=}\sigma_{\mathsf{d}}(f_{ij})$. Then, we have $p_{ij}\ge 0$ and $\sum_{i,j}p_{ij}=1$. Observe that the attacker’s choice $a=0$ determines the matrix $C_{00}\;{}_{p}{\oplus}\;C_{10}$, with $p=p_{00}+p_{10}$, whose vulnerability is $\mathbb{V}\left[\pi ,C_{00}\;{}_{p}{\oplus}\;C_{10}\right]=1-\tfrac{1}{2}p$. On the other hand, the attacker’s choice $a=1$ determines the matrix $C_{01}\;{}_{p^{\prime}}{\oplus}\;C_{11}$, with $p^{\prime}=p_{00}+p_{01}$, whose vulnerability is $\mathbb{V}\left[\pi ,C_{01}\;{}_{p^{\prime}}{\oplus}\;C_{11}\right]=\tfrac{2}{3}-\tfrac{2}{3}p$ for $p^{\prime}\le 1/4$, and $\mathbb{V}\left[\pi ,C_{01}\;{}_{p^{\prime}}{\oplus}\;C_{11}\right]=\tfrac{1}{3}+\tfrac{2}{3}p$ for $p^{\prime}>1/4$. By geometrical considerations (cf. the red dashed line in Figure 2), we can see that the optimal solutions for the defender are all those strategies that give $p=6/7$ and $p^{\prime}=1/7$, which yield payoff $4/7$.

## 6. Comparing the Leakage Games

#### 6.1. Simultaneous Games vs. Sequential Games

**Proposition 1** (Game II ⩾ Game I).

**Proof.**

**Proposition 2** (Game I ≥ Game III).

**Proof.**

**Proposition 3** (Game IV ⩾ Game VI${}_{\mathsf{m}}$).

**Proof.**

#### 6.2. Visible Choice vs. Hidden Choice

**Proposition 4** (Visible choice ⩾ hidden choice).

**Proof.**

**Corollary 3** (Game I ⩾ Game IV).

**Corollary 4** (Game III ⩾ Game VI${}_{\mathsf{m}}$).

**Proposition 5.**

**Proof.**

**Corollary 5.**

## 7. Case Study: A Safer, Faster Password-Checker

#### 7.1. Modeling the Trade-Off between Efficiency and Security as a Game

`PWD`$_{1\ldots n}$ of Algorithm 1, which performs a bitwise-check of an n-bit low-input $a=a_{1},a_{2},\dots ,a_{n}$ provided by the attacker against an n-bit secret password $x=x_{1},x_{2},\dots ,x_{n}$. The bits are compared in increasing order (1, 2, …, n), with the low-input being rejected as soon as it mismatches the secret, and accepted otherwise.

Algorithm 1: Password-checker `PWD`$_{1\ldots n}$.

`PWD`$_{1\ldots n}$ accepts the low-input, the attacker learns that the password value is $a=x$. Yet, even when the low-input is rejected, there is some leakage of information: from the duration of the execution, the attacker can estimate how many iterations have been performed before the low-input was rejected, thus inferring a prefix of the secret password.

`PWD`$_{123}$ be a password checker that performs the bitwise comparison in increasing order (1, 2, 3). Channel $C_{123,101}$ in Table 4 models `PWD`$_{123}$’s behavior when the attacker provides low-input $a=101$. Note that this channel represents the fact that `PWD`$_{123}$ accepts the low-input when the secret is $x=101$ (the channel outputs $(T,3)$ with probability one), and otherwise rejects the low-input in a certain number of steps (e.g., the checker rejects the low-input in two steps when the password is $x=110$, so in this case, the channel outputs $(F,2)$ with probability one).

`break` command within the loop in `PWD`$_{1\ldots n}$, so no matter when the matching among high and low input happens, the password checker will always need n iterations to complete. For instance, in the context of our 3-bit password example, we can let `PWD`$_{\mathrm{cons}}$ be a constant-time 3-bit password checker that applies this countermeasure. Channel $C_{\mathrm{cons},101}$ from Table 5 models `PWD`$_{\mathrm{cons}}$’s behavior when the attacker’s low-input is $a=101$. Note that this channel reveals only whether or not the low-input matches the secret value, but does not allow the attacker to infer a prefix of the password. Indeed, this channel’s posterior Bayes vulnerability is $\mathbb{V}\left[\widehat{\pi},C_{123,101}\right]=0.4384$, which brings the multiplicative Bayes leakage down to an increase of only about $0.05\%$.
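The leakage of the checkers described above, and the convex/linear behaviour of posterior vulnerability stated in Theorem 2, can be computed directly; the following Python is an added example, not code from the paper. It assumes a uniform prior over the eight 3-bit secrets (the paper's prior $\widehat{\pi}$ is not reproduced here) and, going beyond the single order (1, 2, 3) shown in the text, a second checker with the hypothetical comparison order (3, 2, 1); all function names are illustrative.

```python
from fractions import Fraction
from itertools import product

# All 3-bit secrets; the uniform prior is an assumption of this example.
SECRETS = ["".join(bits) for bits in product("01", repeat=3)]
UNIFORM = {x: Fraction(1, len(SECRETS)) for x in SECRETS}


def checker_channel(order, guess, early_exit=True):
    """Channel of a bitwise checker: secret x -> {(verdict, steps): probability}.

    `order` lists 1-based bit positions in comparison order. With
    early_exit=False the loop never breaks (the constant-time variant).
    """
    channel = {}
    for x in SECRETS:
        steps, match = 0, True
        for pos in order:
            steps += 1
            if x[pos - 1] != guess[pos - 1]:
                match = False
                if early_exit:
                    break
        channel[x] = {("T" if match else "F", steps): Fraction(1)}
    return channel


def hidden_choice(mu, channels):
    """Hidden choice: the convex combination sum_i mu(i) * C_i."""
    mixed = {x: {} for x in SECRETS}
    for weight, chan in zip(mu, channels):
        for x in SECRETS:
            for y, p in chan[x].items():
                mixed[x][y] = mixed[x].get(y, 0) + weight * p
    return mixed


def visible_choice(mu, channels):
    """Visible choice: each output is tagged with the index of its channel."""
    tagged = {x: {} for x in SECRETS}
    for i, (weight, chan) in enumerate(zip(mu, channels)):
        for x in SECRETS:
            for y, p in chan[x].items():
                tagged[x][(i, y)] = weight * p
    return tagged


def posterior_bayes(prior, channel):
    """Posterior Bayes vulnerability: sum over y of max_x prior(x) * C(x, y)."""
    best = {}
    for x in SECRETS:
        for y, p in channel[x].items():
            best[y] = max(best.get(y, 0), prior[x] * p)
    return sum(best.values())


def analyse(guess="101"):
    """Compare the checkers and the two choice operators for one low-input."""
    c123 = checker_channel((1, 2, 3), guess)
    c321 = checker_channel((3, 2, 1), guess)  # hypothetical second order
    ccons = checker_channel((1, 2, 3), guess, early_exit=False)
    mu = (Fraction(1, 2), Fraction(1, 2))
    return {
        "prior": max(UNIFORM.values()),
        "pwd_123": posterior_bayes(UNIFORM, c123),
        "pwd_321": posterior_bayes(UNIFORM, c321),
        "pwd_cons": posterior_bayes(UNIFORM, ccons),
        "hidden": posterior_bayes(UNIFORM, hidden_choice(mu, (c123, c321))),
        "visible": posterior_bayes(UNIFORM, visible_choice(mu, (c123, c321))),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name:9s} {value}  ({float(value):.4f})")
```

Under these assumptions the early-exit checker has posterior Bayes vulnerability 1/2 against 1/4 for the constant-time one, and hiding the choice between the two comparison orders gives 7/16, strictly below the 1/2 obtained when the choice is visible.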

#### 7.2. On Optimal Strategies for the Defender

**Theorem 7.**

## 8. Related Work

## 9. Conclusions and Future Work

## Author Contributions

## Acknowledgments

## Conflicts of Interest

## Appendix A. Proofs of Technical Results

#### Appendix A.1. Preliminaries for Proofs

**Lemma A1**

#### Appendix A.2. Proofs of Section 4

**Proposition 1** (Type of hidden choice).

**Proof.**

**Proposition 2** (Type of visible choice).

**Proof.**

**Proposition 3** (Idempotency).

**Proof.**

- (a) Idempotency of hidden choice:
  $$\begin{array}{rll}
  {⨊}_{i\leftarrow \mu}C_{i} = & \sum_{i}\mu(i)C_{i} & (\text{def. of hidden choice})\\
  = & \sum_{i}\mu(i)C & (\text{since every } C_{i}=C)\\
  = & C\sum_{i}\mu(i) & \\
  = & C & (\text{since } \mu \text{ is a prob. dist.})
  \end{array}$$
- (b) Idempotency of visible choice: