Universal Randomized Guessing with Application to Asynchronous Decentralized Brute-Force Attacks

Consider the problem of guessing a random vector X by submitting queries (guesses) of the form "Is X equal to x?" until an affirmative answer is obtained. A key figure of merit is the number of queries required until the right vector is guessed, termed the guesswork. The goal is to devise a guessing strategy which minimizes a certain guesswork moment. We study a universal, decentralized scenario where the guesser does not know the distribution of X, and is not allowed to prepare a list of words to be guessed in advance, or to remember its past guesses. Such a scenario is useful, for example, if bots within a botnet carry out a brute-force attack to guess a password or decrypt a message, yet cannot coordinate the guesses or even know how many bots actually participate in the attack. We devise universal decentralized guessing strategies, first, for memoryless sources, and then generalize them to finite-state sources. For both, we derive the guessing exponent and prove its asymptotic optimality by deriving a matching converse. The strategies are based on randomized guessing using a universal distribution. We also extend the results to guessing with side information (SI). Finally, we design simple algorithms for sampling from the universal distributions.

Neri Merhav, et al. Universal Randomized Guessing With Application to Asynchronous Decentralized Brute-Force Attacks, 2020, IEEE Transactions on Information Theory.