Extending the definition of guesswork

Quantitative security measures are desirable because they allow security to be described analytically and more exactly. In this paper, we continue our investigation of the quantitative security measure guesswork, which gives the average number of guesses in an optimal brute-force attack. The definition of guesswork is extended to joint and conditional guesswork. We show that joint guesswork is always at least equal to the marginal guessworks, and that conditioning reduces guesswork. Hence, guesswork shares two properties with entropy: joint entropy is always at least equal to the marginal entropies, and conditioning reduces entropy. However, unlike entropy, guesswork does not possess the chain rule property. For entropy, this rule states that joint entropy is equal to marginal entropy plus the corresponding conditional entropy.
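The three properties stated above can be checked numerically on a small joint distribution. The following is an added example, not code from the paper: the distribution `JOINT` is constructed, the function names are hypothetical, and conditional guesswork is assumed to be the expectation over y of the guesswork of X given Y = y, since the abstract does not give the formula.

```python
from collections import defaultdict
from fractions import Fraction as F

def guesswork(probs):
    """W = sum_i i * p_i, with values guessed in decreasing order of probability."""
    ordered = sorted(probs, reverse=True)
    return sum(i * p for i, p in enumerate(ordered, start=1))

def marginal(joint, axis):
    """Marginal distribution of one coordinate of a joint distribution over pairs."""
    out = defaultdict(F)
    for pair, p in joint.items():
        out[pair[axis]] += p
    return dict(out)

def conditional_guesswork(joint, given):
    """Assumed definition: W(X|Y) = sum_y p(y) * W(X | Y = y), Y = coordinate `given`."""
    groups = defaultdict(list)
    for pair, p in joint.items():
        groups[pair[given]].append(p)
    total = F(0)
    for probs in groups.values():
        p_y = sum(probs)  # probability of this value of Y
        total += p_y * guesswork([p / p_y for p in probs])
    return total

# Constructed joint distribution of (X, Y); exact fractions avoid rounding noise.
JOINT = {("a", 0): F(1, 2), ("a", 1): F(1, 8),
         ("b", 0): F(1, 8), ("b", 1): F(1, 4)}

def summary(joint):
    """Joint, marginal and conditional guesswork for a distribution over pairs."""
    return {
        "W_XY": guesswork(joint.values()),
        "W_X": guesswork(marginal(joint, 0).values()),
        "W_Y": guesswork(marginal(joint, 1).values()),
        "W_X_given_Y": conditional_guesswork(joint, given=1),
    }

if __name__ == "__main__":
    s = summary(JOINT)
    for name, value in s.items():
        print(f"{name} = {value}")
    print("joint >= marginals:", s["W_XY"] >= max(s["W_X"], s["W_Y"]))
    print("conditioning reduces:", s["W_X_given_Y"] <= s["W_X"])
    print("chain rule holds:", s["W_Y"] + s["W_X_given_Y"] == s["W_XY"])
```

For this distribution the joint guesswork is 15/8, while the marginal guesswork of Y plus the conditional guesswork of X given Y is 21/8, so the entropy-style chain rule does not carry over.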
