Quantification of Secrecy in Partially Observed Stochastic Discrete Event Systems

While cryptography is used to protect the content of information (e.g., a message) by making it undecipherable, behaviors (as opposed to information) may not be encrypted and may only be protected by partially or fully hiding through creation of ambiguity (by providing covers that generate indistinguishable observations from secrets). Having a cover together with partial observability does cause ambiguity about the system behaviors desired to be kept secret, yet some information about secrets may still be leaked due to statistical difference between the occurrence probabilities of the secrets and their covers. In this paper, we propose a Jensen-Shannon divergence (JSD)-based measure to quantify secrecy loss in systems modeled as partially observed stochastic discrete event systems, which quantifies the statistical difference between two distributions, one over the observations generated by secret and the other over those generated by cover. We further show that the proposed JSD measure for secrecy loss is equivalent to the mutual information between the distributions over possible observations and that over possible system status (secret versus cover). Since an adversary is likely to discriminate more if he/she observes for a longer period, our goal is to evaluate the worst case loss of secrecy as obtained in the limit over longer and longer observations. Computation for the proposed measure is also presented. Illustrative examples, including the one with side-channel attack, are provided to demonstrate the proposed computation approach. Note to Practitioners-Secrecy is the ability to hide private information. For communicated information, this can be done through encryption or access control. However, the same is not possible for system behaviors, and in contrast, cover is introduced for providing ambiguity. Quantifying the ability to hide secrets is a challenge. This paper provides a means to quantify this in terms of a type of distance measure between a secret and its cover. A computation of the same is also provided for partially observed stochastic discrete event systems and illustrated through a cache's side-channel secrecy loss example.