Guesswork and Entropy as Security Measures for Selective...

Guesswork and Entropy as Security Measures for Selective Encryption

Reine Lundin

Dissertation | Karlstad University studies | 2012:36

Computer science

Faculty of economic sciences, Communication and it

Dissertation | Karlstad University studies | 2012:36

Guesswork and Entropy as Security Measures for Selective Encryption

Reine Lundin

Distribution:Karlstad University Faculty of economic sciences, Communication and itComputer sciencese-651 88 Karlstad, sweden+46 54 700 10 00

© the author

isBn 978-91-7063-443-7

Print: Universitetstryckeriet, Karlstad 2012

issn 1403-8099

Karlstad University studies | 2012:36

Dissertation

reine Lundin

Guesswork and entropy as security Measures for selective encryption

www.kau.se

Guesswork and Entropy as SecurityMeasures for Selective Encryption

REINE LUNDINDepartment of Computer Science

Karlstad UniversitySweden

Abstract

More and more effort is being spent on security improvements in today’s com-puter environments, with the aim to achieve an appropriate level of security.However, it might be necessary for small computing devices to reduce the com-putational cost imposed by security in order to gain reasonable performanceand/or to decrease energy consumption. Selective encryption that provides con-fidentiality by encrypting only chosen parts of the information can be used toaccomplish this. Previous work on selective encryption has mainly focused onhow to reduce the computational cost while still making the information percep-tually secure, not on how computationally secure the information is.

Despite the efforts made and due to the complex nature of computer security,good quantitative assessment methods for computer security are still lacking. In-venting new ways to measure security in general and selective encryption inparticular are therefore necessary in order to better understand, assess and im-prove the security of computer environments. Two proposed probabilistic quan-titative security measures are entropy and guesswork. Entropy gives the averagenumber of guesses in an optimal binary search attack, and guesswork gives theaverage number of guesses in an optimal linear search attack. In information the-ory, a considerable amount of research has been carried out on entropy and onentropy-based metrics. However, the same does not hold for guesswork.

In this thesis, we evaluate performance improvement when using the pro-posed generic selective encryption scheme. We also examine the confidentialitystrength of selectively encrypted information by using and adopting entropy andguesswork. Moreover, since guesswork has been less theoretically investigatedthan entropy, we extend guesswork in several ways and investigate some of itsbehaviors.

Keywords: computer security, security metrics, selective encryption, confiden-tiality, entropy, guesswork.

i

Acknowledgments

First and foremost I would like to express my gratitude to my main supervisorStefan Lindskog and co-supervisor Simone Fischer-Hubner. They have encour-aged, guided, and supported me in my research studies during the whole time.

I also would like to thank my other co-authors of publications appended inthis thesis, namely Anna Brunstrom, and Thijs Holleboom, for the many valu-able and stimulating discussions, and all colleagues at the Computer Sciencedepartment for providing such a nice working place. Additionally, I would liketo thank Anders Johansson for the innumarable discussions about nothing andeverything ranging from teoretical considerations to everyday perplexities. Fi-nally, I dedicate this thesis to my two children Martin and Rebecka Lundin forproviding so much joy.

This work was financially supported by the Knowledge Foundation of Swe-den with TietoEnator and Ericsson as industrial partners, county administrativeboard of Varmland, and the European Regional Development Fund (ERDF)through the Compare Business Innovation Centre phase 2 (C-BIC 2) project,due to which I am grateful.

In memorial of my father

Karlstad, August, 2012

Reine Lundin

iii

List of Appended Papers

This thesis is based on the work presented in the following eight papers. Refer-ences to the papers will in the introductory summary be made using the romannumbers associated with the papers.

I Stefan Lindskog, Reine Lundin, and Anna Brunstrom. Middleware Sup-port for Tunable Encryption. In Proceedings of the 5th International Work-shop on Wireless Information Systems (WIS 2006), pages 36–46, Paphos,Cyprus, May 23, 2006. INSTICC press, Portugal.

II Reine Lundin, Stefan Lindskog, Anna Brunstrom, and Simone Fischer-Hubner. Using Guesswork as a Measure for Confidentiality of SelectivelyEncrypted Messages. In Dieter Gollmann, Fabio Massacci, and ArtsiomYautsiukhin, editors, Quality of Protection: Security Measurements andMetrics, Advances in Information Security, volume 23, pages 173–184.Springer, New York, NY, USA, 2006.

III Reine Lundin, Thijs Holleboom, and Stefan Lindskog. On the Relation-ship between Confidentiality Measures: Entropy and Guesswork. In Pro-ceedings of the 5th International Workshop on Security in InformationSystems (WOSIS 2007), pages 135–144, Funchal, Madeira, Portugal, June12–13, 2007. INSTICC press, Portugal.

IV Reine Lundin and Stefan Lindskog. Joint and Conditional Guesswork:Definitions and Implications. Journal of Information Assurance and Secu-rity (JIAS), volume 6, issue 2, pages 89–97. Dynamic Publishers Incorpo-ration, Atlanta, GA, USA, 2011.

V Reine Lundin and Stefan Lindskog. Changes in Guesswork over Time inMulti-processor Attacks. Journal of Information Assurance and Security(JIAS), volume 7, issue 4, pages 241–251. Dynamic Publishers Incorpora-tion, Atlanta, GA, USA, 2012.

VI Reine Lundin and Stefan Lindskog. Security Implications of SelectiveEncryption. In Proceedings of the 6th International Workshop on Secu-rity Measurements and Metrics (MetriSec 2010), Bolzano-Bozen, Italy,September 15, 2010. ACM Digital Library, New York, NY, USA.

v

VII Reine Lundin and Stefan Lindskog. Entropy of Selectively EncryptedStrings. In Claudio Agostino Ardagna and Jianying Zhou, editors, Pro-ceedings of Information Security Theory and Practice: Security and Pri-vacy of Mobile Devices in Wireless Communication (WISTP 2011), Lec-ture Notes in Computer Science, volume 6633, pages 234–243. Springer,Berlin Heidelberg, Germany, 2011.

VIII Reine Lundin and Stefan Lindskog. An Investigation of Entropy of Se-lectively Encrypted Bitmap Images. Under submission

Some of the papers have been subjected to minor editorial changes.

Comments on My Participation

In paper I, I have contributed with ideas, discussions and some written materialconcerning selective encryption. However, most of the written material and per-formance evaluations is accomplished by Stefan Lindskog. For papers II–VIII, Iam responsible for most of the written material and ideas while Stefan Lindskog,Simone Fischer-Hubner, Anna Brunstrom and Thijs Holleboom have proofreadand commented on ideas.

vi

Other Papers

Apart from the papers appended to the thesis, I have also authored or co-authoredthe following papers:

– Christer Andersson, Simone Fischer-Hubner, and Reine Lundin. mCrowds:Anonymity for the Mobile Internet. In J-S. Pettersson, editor, HumanIT 2003,pages 79–92. Karlstad University Studies, 2003:26, Karlstad, Sweden, 2003.

– Christer Andersson, Simone Fischer-Hubner, and Reine Lundin. EnablingAnonymity for the Mobile Internet using the mCrowds System. In Proceed-ings of the IFIP WG 9.2, 9.6/11.7 Summer School on Risks and Challengesof the Network Society, Karlstad, Sweden, August 4–8, 2003.

– Christer Andersson, Simone Fischer-Hubner, and Reine Lundin. EnablingAnonymity for the Mobile Internet using the mCrowds System. In PennyDuquenoy, Simone Fischer-Hubner, Jan Holvast, and Albin Zuccato, edi-tors, Risk and Challenges of the Network Society, pages 178–189. KarlstadUniversity Studies 2004:35, Karlstad, Sweden, August, 2004.

– Christer Andersson, Reine Lundin, and Simone Fischer-Hubner. PrivacyEnhanced WAP Browsing with mCrowds: Anonymity Properties and Perfor-mance Evaluation of the mCrowds System. In Proceedings of the 4th AnnualInformation Security South Africa Conference (ISSA 2004), Johannesburg,South Africa, June 30–July 2, 2004.

– Reine Lundin, Stefan Lindskog, Anna Brunstrom, and Simone Fischer-Hubner. Measuring Confidentiality of Selectively Encrypted Messages Us-ing Guesswork. In Proceeding of the Third Swedish National Computer Net-working Workshop (SNCNW 2005), pages 99–102, Halmstad, Sweden,November 23–24, 2005.

– Stefan Lindskog, Anna Brunstrom, Reine Lundin, and Zoltan Faigl. A Con-ceptual Model of Tunable Security Services. In Proceedings of the Third In-ternational Symposium on Wireless Communication Systems (ISWCS 2006),pages 531–535, Valencia, Spain, September 5–8, 2006.

vii

– Christer Andersson and Reine Lundin. On the Fundamentals of AnonymityMetrics. In Proceedings of the IFIP WG 9.2, 9.6/11.7, 11.6/FIDIS SummerSchool on The Future of Identity in the Information Society, Karlstad, Swe-den, August 6–10, 2007.

– Reine Lundin, Stefan Lindskog, and Anna Brunstrom. Analysis of Ano-nymity Services from a Tunable Perspective. In Proceedings of the IFIP WG9.2, 9.6/11.7, 11.6/FIDIS Summer School on The Future of Identity in theInformation Society, Karlstad, Sweden, August 6–10, 2007.

– Reine Lundin. Towards Measurable and Tunable Security. Licentiate The-sis, Karlstad University Studies 2007:39, Karlstad, Sweden, October 2007.

– Reine Lundin, Stefan Lindskog, and Anna Brunstrom. A Model-basedAnalysis of Tunability in Privacy Services. In Simone Fischer-Hubner, PennyDuquenoy, Albin Zuccato, and Leonardo Martucci, editors, The Future ofIdentity in the Information Society, Springer Series in Computer Science,vol. 262, pages 343–356. Springer, New York, NY, USA, 2008.

– Christer Andersson and Reine Lundin. On the Fundamentals of AnonymityMetrics. In Simone Fischer-Hubner, Penny Duquenoy, Albin Zuccato, andLeonardo Martucci, editors, The Future of Identity in the Information Soci-ety, Springer Series in Computer Science, vol. 262, pages 325–341. Springer,New York, NY, USA, 2008.

– Reine Lundin and Stefan Lindskog. Extending the Definition of Guess-work. In Proceedings of the 6th International Conference on InformationAssurance and Security (IAS 2010), Atlanta, GA, USA, August 23–25, 2010.IEEE.

– Mohammad Rajiullah, Reine Lundin, Anna Brunstrom and Stefan Lind-skog. Syslog Performance: Data Modeling and Transport. In Proceedings ofthe Third International Workshop on Security and Communication Networks(IWSCN 2011), pages 31–37, Gjøvik, Norway, May 18–20, 2011. IEEE.

– Mohammad Rajiullah, Reine Lundin, Anna Brunstrom and Stefan Lind-skog. Data Modeling and Transport of Syslog Messages. In Proceedings of

viii

the 7th Swedish National Computer Networking Workshop (SNCNW 2011),Linkoping, Sweden, June 13–14, 2011.

– Reine Lundin and Stefan Lindskog. Guesswork Changes in Multi-processorAttacks. In Proceedings of the 7th International Conference on InformationAssurance and Security (IAS 2011), pages 145–150, Malacca, Malaysia, De-cember, 5–8, 2011. IEEE.

– Mohammad Rajiullah, Reine Lundin, Anna Brunstrom and Stefan Lind-skog. Performance Analysis and Improvement of PR-SCTP for Small Mes-sages. Under submission.

ix

Contents

Page

Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii

List of Appended Papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

Comments on My Participation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi

Other Papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Introductory Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 The Generic Selective Encryption Scheme . . . . . . . . . . . . . . . . . . . . . . . . 64 Security Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

4.1 A Note on Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84.2 Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104.3 Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114.4 The Relationship between Entropy and Guesswork . . . . . . . . . . . . 13

5 Confidentiality Strength of Selective Encryption . . . . . . . . . . . . . . . . . . . 145.1 Neighborhoods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145.2 Guessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

6 Research Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Research Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Main Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Summary of Papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2310 Concluding Remarks and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Paper I: Middleware Support for Tunable Encryption . . . . . . . . . . . . 311 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 Middleware Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

3.1 Architectural Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363.2 Block-based Selective Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.3 High-level Application Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 393.4 Transport Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

4 Implementation and Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414.1 Measured Computational Gain and Overhead . . . . . . . . . . . . . . . . . 414.2 Impacts of Dynamic Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

5 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Paper II: Using Guesswork as a Measure for Confidentiality ofSelectively Encrypted Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 A Note on Security Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503 Selective Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

3.1 General Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513.2 Previous Work on Selective Encryption . . . . . . . . . . . . . . . . . . . . . . 523.3 Application Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

4 Guesswork as a Measure of Confidentiality . . . . . . . . . . . . . . . . . . . . . . . 544.1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544.2 Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554.3 Guesswork and α-work-factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574.4 Measure for Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

5 Conclusions and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Paper III: On the Relationship between Confidentiality Measures:Entropy and Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652 Entropy, Guesswork and Guessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663 The Relationship between Entropy and Guesswork . . . . . . . . . . . . . . . . . 68

3.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683.2 Formal Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693.3 Redefinition of Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713.4 Redefined Guesswork and Cross Entropy . . . . . . . . . . . . . . . . . . . . 723.5 Redefined Guesswork and Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . 73

4 Conclusion and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Paper IV: Joint and Conditional Guesswork: Definitions andImplications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792 A Note on Measure Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

xii

2.1 Scales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812.2 Set Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

3 Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823.1 Marginal Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823.2 Joint Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833.3 Conditional Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843.4 Properties of Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

4 Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854.1 Marginal Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854.2 Permutations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864.3 Joint Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874.4 Conditional Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

5 Properties of Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905.1 Majorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905.2 Guesswork and Joint Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . 915.3 Guesswork and Conditional Guesswork . . . . . . . . . . . . . . . . . . . . . 945.4 The Chain Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96


Paper V: Changes in Guesswork over Time in Multi-processorAttacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032 A Note on Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1053 Guesswork Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

3.1 Single-processor Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073.2 Dual-processor Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1083.3 Multi-processor Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

4 Probability Distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1124.1 The English Alphabet Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . 1134.2 The Geometric Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1154.3 The Truncated Geometric Distribution . . . . . . . . . . . . . . . . . . . . . . . 117

5 Guesswork Increment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1226 Concluding Remarks and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Paper VI: Security Implications of Selective Encryption . . . . . . . . . . . 1291 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1312 Selective Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1333 Entropy and Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

3.1 Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

xiii

3.2 Guesswork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1373.3 A Note on the Chain Rule of Guesswork . . . . . . . . . . . . . . . . . . . . . 138

4 Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1395 Confidentiality of Selectively Encrypted Messages . . . . . . . . . . . . . . . . . 140

5.1 Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1405.2 Zero-order Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1415.3 First-order Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1435.4 Second-order Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144


Paper VII: Entropy of Selectively Encrypted Strings . . . . . . . . . . . . . 1511 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1532 Terminology and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

2.1 Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1542.2 Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

3 Selective Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1564 Confidentiality of Selective Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 158

4.1 Zero- and First-order Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1584.2 Second-order Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1594.3 Third-order Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1624.4 n-order Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

5 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Paper VIII: An Investigation of Entropy of Selectively EncryptedBitmap Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1672 Bitmap Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

2.1 Bitmap Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1692.2 Previous Work on Bitplane Encryption . . . . . . . . . . . . . . . . . . . . . . 170

3 Neighborhoods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1724 Entropy of Selectively Encrypted Bitmap Images . . . . . . . . . . . . . . . . . . 175

4.1 Zero-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1764.2 First-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1764.3 Second-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177


xiv

Introductory Summary

1. Introduction 3

1 Introduction

Computer security is an important branch of computer science and an increas-ing part of overall society, with its purpose to secure entities from being tam-pered with in an unauthorized manner. The best known way of defining com-puter security is to divide it into the three categories confidentiality, integrity andavailability. Confidentiality is the prevention of unauthorized disclosure of infor-mation, integrity is the prevention of unauthorized modification of information,and availability is the prevention of unauthorized withholding of informationor resources. They are collectively known as the “CIA”. Another way of defin-ing computer security is to divide it into the categories of prevention, detection,response and recovery, based on where in the line of defense the attacks areresisted [15]. Prevention is when direct resistance against attacks is provided,detection is when signatures of ongoing attacks are searched for in the environ-ment, response is when different countermeasure activities are triggered basedon the detected attack and, finally, recovery is when the computer environmentis restored from the attack. Other definitions and categorizations of security existas well, see for example [11, 33].

When protecting security items, a computational cost is imposed on thecomputer environment. This extra computational overhead might negatively af-fect performance, e.g., the response time, availability and throughput. For smallcomputing devices with restricted resources, such as mobile phones or sensornetwork devices, security mechanisms can put a significant extra burden on theperformance and energy consumption of the device. Furthermore, security itemsshould be secured according to the adequate security principle [25]. This princi-ple states that the items should only be protected to a degree consistent with theirvalue. Hence, if the value of an item changes over time, so should the protectionlevel.

The concept of selective encryption may be used to reduce computationalcost and fulfill the principle of adequate security. Selective encryption is a con-cept that reduces computational cost when it provides confidentiality by only en-crypting chosen parts of the information. Previous work on selective encryptionhas mainly been aimed towards multimedia applications with short informationlifetime, such as TV or radio broadcast of events, in order to reduce the com-putational cost and/or energy consumption while still making the informationperceptually secure to a certain protection level. The perception protection uti-lizes the fact that different parts of the information have different impacts on ourperception senses, i.e., eyes and ears. However, the confidentiality strength in thesense of computational security has only been briefly mentioned or rudimentarily

4 Introductory Summary

analyzed. Furthermore, by altering the distribution of encrypted parts, selectiveencryption can also be used to trade confidentiality against computational cost.

In this thesis, we investigate the performance improvement and examine theconfidentiality strength of a proposed generic selective encryption scheme. Theperformance improvement of the scheme is evaluated in paper I and initial re-sults on its confidentiality strength are presented in paper II by adopting thesecurity measure guesswork to selective encryption. In papers VI and VII, anentropy equation of selective encryption is derived and investigated for differ-ent orders of languages. In paper VIII the entropy equation is further extendedwith information neighborhoods to capture information dependencies in severaldimensions, and then applied on bitmap images. In order to better understandguesswork, we generalize and explore some behaviors of guesswork in papersIII–V. The relation between entropy and guesswork is examined in paper III,the definition of guesswork is extended to joint and conditional guesswork inpaper IV and, finally, an investigation of how guesswork changes over time inmulti-processor attacks is conducted in paper V.

The notations and mathematical expressions have changed over time in theappended papers, hopefully thanks to increased knowledge. For instance, theinformation parts in the selective encryption scheme are sometimes referred toas units or blocks, and the entropy expression for selectively encrypted stringshas gone through several notation changes and information encapsulations toincrease abstraction. This notation evolution process followed to find a better andmore exact description of the research topic under consideration was expressedby Einstein as [1]:

“It can scarcely be denied that the supreme goal of all theory is to makethe irreducible basic elements as simple and as few as possible with-out having to surrender the adequate representation of a single datum ofexperience.”

The remainder of this introductory summary is organized as follows. Relatedwork is addressed in Section 2, and the generic selective encryption scheme usedis presented in Section 3 together with a short discussion of its performance. En-tropy and guesswork are defined in Section 4, and the confidentiality strength ofselective encryption is discussed in Section 5. The research questions addressedin this thesis are given in Section 6, the research methodology is presented inSection 7, and the main contributions are stated in Section 8. A summary ofthe papers included is given in Section 9 and, finally, Section 10 concludes theintroductory summary and discusses future work.

2. Related Work 5

2 Related Work

The concept of selective encryption was first and independently introduced bySpanos and Maples [32], Li et al. [16], and Meyer and Gadegast [24] in 1995 and1996. The purpose was to reduce the amount of encrypted MPEG data in a videosequence by only encrypting a subset of the video frames while still providing anacceptable level of perceptive security. Selective encryption has also been usedfor H.264/AVC video streams [30] and in a wireless video camera [12] to saveenergy and processing time.

For uncompressed bitmap images, selective bitplane encryption was investi-gated in [27,35] for the purpose of saving energy and computational cost in mo-bile environments while still protecting image perception. Selective encryptionhas also been studied for JPEG2000 images [4, 23]. Furthermore, a perception-based selective encryption scheme for telephone data compressed with the ITU-T G.729 8 kb/s speech encoding standard was presented in [29]. To decide whichparts of the bit stream from the compression algorithm to encrypt, the authorssystematically corrupted a given bit and then measured the corresponding per-ceptual impact. Selective encryption for the G.729 speech encoding standard hasalso been studied in [34].

[19] presented an “m-out-of-n” information-independent selective encryp-tion model. The model lets the user or application decide which parts of theinformation to encrypt by dividing the information into n equally sized parts.The first m parts are then encrypted with a strong encryption algorithm and thefollowing n −m parts with a weaker and faster encryption algorithm. This pat-tern is repeated for the whole message. A content independent or generic se-lective encryption service was also presented in [17]. In the service, the user orapplication decides which parts of the information to encrypt by dividing the in-formation into equally n sized parts and then using a bit mask to indicate whichparts should be encrypted. The remaining parts are unencrypted.

The confidentiality strength of selectively encrypted information has onlybeen briefly mentioned or rudimentarily analyzed before; see for instance [27].Moreover, good quantitative assessment methods for computer security are de-spite numerous efforts still lacking [13,14,18,36]. This is mainly due to the harshnature of computer security, since attacker environments are difficult to model.To better understand, assess and improve the security of computer environmentsnew ways of measuring security are therefore needed. Two proposed, and inthis thesis used, probabilistic quantitative security measures are entropy [31] andguesswork [22, 26]. These two measures are further described in Section 4.


3 The Generic Selective Encryption Scheme

The generic selective encryption scheme used throughout the thesis consists ofthree entities: the information, I, to selectively encrypt, the bit vector, b, con-trolling which parts of I to encrypt, and the selectively encrypted information,E(I). In the scheme, I is divided into the n information parts Ii. Hence,

I =n−1

|i=0

Ii (1)

where | denotes the binary concatenate operator. A part Ii is then encrypted ifbi mod |b| = 1 and left unencrypted if bi mod |b| = 0. The modulus operator isused if the number of information parts is larger than the size of the bit vector.From this, the selectively encrypted message is constructed as

E(I) =n−1

|i=0

{Ii if bi mod |b| = 0

E(Ii) if bi mod |b| = 1(2)

Fig. 1 illustrates the generic selective encryption scheme. Moreover, the size and

Fig. 1: The generic selective encryption scheme with the three entities: the information, I, toselectively encrypt, the bit vector, b, controlling which parts of I to encrypt, and the selectivelyencrypted information, E(I).

fraction of the encrypted parts in E(I) naturally define the encryption level,according to the following definition.

3. The Generic Selective Encryption Scheme 7

Definition 1. Let E(I) be selectively encrypted information consisting of nparts. The encryption level, EL, is then defined as

EL =

n−1∑i=0

|Ii|bi mod |b|

|I|(3)

where |I| and |Ii| denote the size of the information and its parts, respectively.

The generic selective encryption scheme was implemented in paper I inC/C++, and performance was evaluated by using two connected PCs, acting asa sender and a receiver. In the experiment |I| = 10 MB, |b| = 64 bits and theAES algorithm were used with a 128 bit key; hence, |Ii| = 128 bits. The meanencryption and transmission time from the experiment are shown in Fig. 2. As

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.45

0 20 40 60 80 100

Tim

e (s

econ

ds)

Encryption level (%)

Pure AES Selective encryption

Fig. 2: Time for encryption and transmission at different encryption levels.

a reference, pure AES encryption was also measured. The figure indicates thatthe computational overhead scales almost linearly with respect to the encryptionlevel. The overhead produced by the selective encryption scheme can be foundby comparing it with the measured time for pure AES encryption. As long as theamount of encrypted information parts is less than or equal to 93% in the pro-totype implementation, the selective encryption scheme produces less overheadthan encrypting everything using pure AES.


4 Security Measures

In this section, the two proposed probabilistic quantitative security measures en-tropy and guesswork are defined. These two measures provide an indirect indi-cation from different guessing strategies of how computationally secure selec-tively encrypted information is. A brief note on measurements will however firstbe presented.

4.1 A Note on Measurements

In measurement theory [9], a measurement produces an instant value of an at-tribute by using a predefined measure process. The values might be divided intoqualitative or quantitative values. Qualitative values have a direct realization bymeans of a natural language description such as small, medium and large, whilequantitative values have an indirect realization by means of numbers, such as 5or 42. For quantitative values to be understandable, a unit must be added, for in-stance 8 meters or 2 seconds. Repeated measurements of the same measure canbe compared to each other by putting the values on a scale. A scale consists of aset of values corresponding to the range of possible values of the measure underconsideration. Five major types of scales exist [9]:

– Nominal– Ordinal– Interval– Ratio– Absolute

The nominal and ordinal scales use qualitative values, while the interval, ratioand absolute scales use quantitative values.

Despite numerous efforts made to quantify computer security, the securitymeasures are mostly qualitative, i.e., based on experience as in the common cri-teria [6]. Hence, they do not allow for an analytical and exact description ofsecurity and are therefore not very easy to use in order to more exactly under-stand, assess and improve the security of computer environments. The knowl-edge development from experience in mathematically proving that somethingholds unconditionally can be seen in the categorization of the strength of cryp-tographic algorithms [11]. In the categorization, the strength of cryptographicalgorithms that aim to provide confidentiality of information is divided into thefollowing three categories:

4. Security Measures 9

– Empirically secure– Provably secure– Unconditionally secure

Fig. 3 illustrates the relationship between the three categories. They are more

Fig. 3: The three categories: empirically, provably and unconditionally secure.

formally defined as follows.

Definition 2. An algorithm is empirically secure if it has by experience overtime a broad acceptance in the community that it provides confidentiality of in-formation as expected without any known drawbacks.

Note that empirically secure algorithms could with new insights be broken to-morrow.

Definition 3. An algorithm is provably secure if it can be proved that the costof breaking it exceeds the value or the useful lifetime of the information beingprotected.

When the computational speed increases and hardware becomes cheaper, thecost of breaking the algorithm decreases. Hence, it might from time to time bedesirable to update the algorithm or increase the key length used by the algorithmin order to maintain that the algorithm is still provably secure. Provably secureis sometimes also referred to as computationally secure. 1

1 To decide whether or not the information is computationally secure, a computational thresholdneeds to be determined. The value or size of the threshold is not considered in this thesis.


Definition 4. An algorithm is unconditionally secure if it cannot be broken re-gardless of what resources the attacker has.

Examples of unconditionally secure algorithms are the one-time-pad encryptionscheme [2] and the Dining Cryptographers Network (DC-net) [5].

Entropy and guesswork can be used to measure the number of guesses need-ed to break or find a secret. These two measures are therefore employed in thisthesis to indirectly measure how computationally secure selectively encryptedinformation is. The next two subsections will define and discuss these two mea-sures.

4.2 Entropy

The entropy H(X) [31] is the classical measure of uncertainty and was orig-inally suggested by Shannon in 1944. He defined the entropy as the averageamount of information of a discrete random variable X , where X attains val-ues from the sample space X = {x1, . . . , xn} with the probability distributionpi = p(X = xi). From this, entropy is defined as follows.

Definition 5. The entropy, H(X), of a random variable, X , with probabilitydistribution pi is defined as

H(X) = −∑i

pi log2 pi (4)

Entropy can also be seen as a measure giving the average number of guesses inan optimal binary search attack; see paper III for details.

The entropy can be extended to the joint and conditional entropy [7]. Thejoint entropy, H(X1, X2), gives the entropy of a pair of random variables withthe joint probability distribution pij = p(X1 = xi, X2 = xj).

Definition 6. The joint entropy, H(X1, X2), of a pair of random variables(X1, X2) with the joint probability distribution pij is defined as

H(X1, X2) = −∑i,j

pij log2 pij (5)

The conditional entropy H(X2|X1), or equivocation which it is often referred to,gives the remaining entropy of the random variable X2 given the random variableX1 with the conditional probability distribution pj|i = p(X2 = xj |X1 = xi).


Definition 7. The conditional entropy, H(X2|X1), of the random variable X2

given the random variable X1 with the conditional probability distribution, pj|i,is defined as

H(X2|X1) =∑i

piH(X2|X1 = xi)

= −∑i,j

pij log2 pj|i (6)

The marginal, joint and conditional entropies are related through the chainrule [7] as follows

H(X1, X2) = H(X1) +H(X2|X1) (7)

Hence, on average, the number of guesses needed to find the value of (X1, X2) isequal to the number of guesses needed to find the value of X1 and then X2 giventhe value of X1. Thus, the chain rule makes it possible to decompose the guessingproblem additively into smaller pieces. Moreover, the different entropies alsopossess the following inequalities

H(X1|X2) ≤ H(X1) ≤ H(X1, X2) (8)

giving that conditioning reduces entropy and joining increases entropy. Joint andconditional entropies might be generalized to n random variables, and so mightthe chain rule (7) and the inequalities in (8).

4.3 Guesswork

Guesswork [22,26] is a measure that gives the average number of guesses neededto find the value of a random variable X in an optimal brute force attack. A bruteforce attack is equal to a linear search attack; see paper III for details. When per-forming such an attack, the attacker is assumed to have complete knowledge ofthe probability distribution, pi, of X . Hence, before the guessing process starts,the attacker arranges p in a non-increasing probability order. Mathematically,this ordering of pi can be expressed through a permutation, σ(i), that maps theindex of the largest value to one, the index of the second largest value to two, andso on until the index of the smallest value is mapped to n. From this, guessworkis defined as follows.


Definition 8. The guesswork, W (X), of a random variable X with probabil-ity distribution pi that is arranged in a non-increasing probability order by thepermutation σ(i) is defined as

W (X) =∑i

σ(i)pi (9)

As shown in paper IV, in a similar way as in entropy, guesswork can be ex-tended to joint and conditional guesswork. The joint guesswork, W (X1, X2),gives the guesswork of a pair of random variables with the joint probability dis-tribution pij .

Definition 9. The joint guesswork, W (X1, X2), of a pair of random variables,(X1, X2), with The joint probability distribution pij that is ordered in a non-increasing probability order by the permutation π(i, j) is defined as

W (X1, X2) =∑i,j

π(i, j)pij (10)

The conditional guesswork, W (X2|X1), gives the remaining guesswork of therandom variable X2 given the random variable X1 with the conditional proba-bility distribution pj|i.

Definition 10. The conditional guesswork, W (X2|X1), of the random variableX2 given the random variable X1 with conditional probability distribution pj|ithat is ordered in a non-increasing probability order by the permutations ρi(j)is defined as

W (X2|X1) =∑i

piW (X2|X1 = xi)

=∑i,j

ρi(j)pij (11)

Moreover, the marginal, joint and conditional guessworks possess the same typeof inequalities as entropy. Hence,

W (X1|X2) ≤ W (X1) ≤ W (X1, X2) (12)

Thus, conditioning reduces guesswork and joining increases guesswork. How-ever, in contrast to entropy, the different guessworks are not related through thesame type of chain rule property, which makes it possible to easily decomposethe guessing process additively into smaller pieces.


4.4 The Relationship between Entropy and Guesswork

The relationship between entropy and guesswork has been under considerationfor a time [3, 21, 22]. Considering Definition 8, the last term in the sum isweighted with n. However, the second last guess in the guessing process de-termines the last two valuesof the random variable. That is, if the answer to thesecond last question is correct, then the searched value is xn−1 and the search fin-ishes. If instead the answer is incorrect, then the searched value must be xn andthe search also finishes. Based on this reasoning, guesswork has been redefinedas follows.

Definition 11. The guesswork, W ′(X), of a random variable X with probabil-ity distribution pi that is arranged in a non-increasing probability order by thepermutation σ(i) is defined as

W ′(X) =∑i

σ′(i)pi (13)

where

σ′(i) =

{σ(i) if σ(i) < nn− 1 if σ(i) = n

(14)

As derived in paper III, the redefined guesswork and entropy are related as

W ′(X) = H(X) +D(X||2−σ′(i)) (15)

where D(X||2−σ(i)) is the relative entropy [7]. The relative entropy, or KullbackLeibler distance to which it is also referred, is always non-negative and zero ifand only if p = q. Moreover, the relative entropy can be interpreted as a measureof inefficiency since it gives the extra number of bits needed for a code of anarbitrary distribution than for the code of the “true” distribution. Formally it isdefined as follows.

Definition 12. The relative entropy, D(X1||X2), of a random variable X1 withprobability distribution pi and a random variable X2 with probability distribu-tions qi is defined as

D(X1 ||X2) =∑i

pi log2

(piqi

)(16)


5 Confidentiality Strength of Selective Encryption

This section presents and discusses initial results on the confidentiality strengthof selective encryption. Before describing the confidentiality strength, a subsec-tion discussing information neighborhoods is provided.

5.1 Neighborhoods

In [31], contiguous sequences of symbols from a language, called n-grams, wereused to find the probabilities of the symbols in order to approximate texts in theconsidered language. The approximation was carried out for different n-gramsas follows:

– In the zero order approximation, ω = 0, the symbols are independent anduniformly distributed.

– In the first order approximation, ω = 1, the symbols are independent anddistributed as they are in the language.

– In the second order approximation, ω = 2, symbols are dependent on onepreceding symbol and distributed as they are in the language.

– In the n order approximation, ω = n, the symbols are dependent on n − 1preceding symbols and distributed as they are in the language.

The order gives the size of the n-grams used and thus determines the set ofdepending symbols in the approximation, referred to as an information neigh-borhood in paper VIII. In the remainder of this section, symbols will be referredto as points. Moreover, the neighborhoods might also contain succeeding pointsand have dependencies in several dimensions when the information has a multi-dimensional representation state. Hence, the order concept needs to be general-ized to an order vector, ω, where the elements give the order in the correspondingdimension. For instance, ω = (2, 1) means that the order is two in the first di-mension and one in the second dimension.

A neighborhood will be denoted N iω, where the sub index gives the order

and the super index gives the number of preceding points in the correspond-ing dimension of the neighborhood. The number of succeeding points is thengiven by ω − i − 1. Fig. 4 illustrates all nine basic neighborhoods of the two-dimensional family N3,3(x, y) = N3(x)×N3(y). A black square represents thepoint under consideration, p = (x, y), and the white squares represent the corre-sponding preceding or succeeding points of the neighborhoods. The N 1,1

3,3 (x, y)axis neighborhood is equal to the von Neumann neighborhood of range one [20]

5. Confidentiality Strength of Selective Encryption 15

Fig. 4: The nine basic neighborhoods of the two-dimensional family N3,3(x, y) = N3(x)×N3(y).A black square represents the considered point, p = (x, y), and the white squares represent thecorresponding preceding or succeeding points of the neighborhoods.

when using the L1 metric [10], which is also equal to the concept of 4-connectedpixels in computer images.

The basic neighborhoods contains only points located on the axes. However,all points outside the axes, but within a given distance determined by ω, couldalso be considered to be in the neighborhood. Using the L1 metric, a neighbor-hood can be constructed by joining the outermost points in the one-dimensionalbasic neighborhoods, thereby creating a convex polytope acting as the neighbor-hood. An n polytope is a set or geometric object in n dimensions with flat sides.A 2-polytope is usually referred to as a polygon and a 3-polytope as a poly-hedron. Fig. 5 shows the neighborhood for the basic neighborhood N 3,3

5,5 (x, y).Note the points in the neighborhood that are not included in the basic neighbor-hood. Furthermore, if the axis neighborhoods are symmetrically located aroundthe considered point, the neighborhoods are actually circles in the L1 metric.


Fig. 5: The neighborhood for the basic neighborhood N 3,35,5 (x, y).

When the neighborhoods have the shape of convex polytopes they can math-ematically be described by the convex hull [28]. The convex hull, Conv(S), ofa set S of points is the smallest convex polytope that contains S. From this, theneighborhood of depending points can be written as

D iω(p) = Conv(N i

ω(p)) \ p (17)

where \ is the setminus operation. In the next subsection, constructed informa-tion neighborhoods will be used to capture information dependencies in severaldimensions.

5.2 Guessing

Depending on the pre-knowledge that the attacker possesses before a guessingattack, different strategies can be considered to speed up the guessing process.For instance, knowledge about the probability distribution of the sample spacewill most likely affect the order in which the attacker guesses. By assumingthat the encryption algorithm used, e.g., RSA or AES, does not have any knownweaknesses, the attacker is more or less forced to perform a brute force attack on


the key space when trying to break the encrypted information. However, whenusing selective encryption, the unencrypted parts may leak information to theattacker about the encrypted parts owing to information dependencies, therebydecreasing the message space, consisting of all possible messages, which is typ-ically much larger than the key space. In this thesis, the attacker is assumed toperform a partial ciphertext only attack on the message space. That is, we as-sume that the attacker has complete knowledge of which parts of the messageare encrypted and that the probability distribution on the message space is alsoknown to the attacker. It is also assumed that the attacker knows when the correctmessage has been found in the guessing attack.

When the probability distribution of the sample space is known, the entropyand guesswork can be used to measure the average number of guesses in theguessing attack. The difference between the two measures resides in which ques-tions are allowed and used in the guessing process. Entropy measures the averagenumber of guesses in an optimal binary search attack, where the environmentallows questions on sets. Guesswork, on the other hand, measures the averagenumber of guesses in an optimal linear search attack, where the environmentonly allows questions on singletons. See paper III for a detailed discussion.

One question that now arises is: What are we actually guessing at in theguessing process? Ideally, the message space consists of all meaningful mes-sages matching the length of the encrypted part. However, generating meaning-ful messages of a specific length can be a cumbersome task. That is why theapproximation model described in the previous subsection is used to constructhypothetical meaningful messages. Moreover, since entropy possesses the chainrule property (7), the same result is achieved if the guessing attack is performedusing whole messages or singletons that construct the messages. Guesswork, onthe other hand, does not possess the same simple mathematical structure as en-tropy does, and at the time of this writing no chain rule decomposition for guess-work is known. Hence, most of the initial results on the confidentiality strengthof selective encryption are derived for entropy.

To model the behavior of selectively encrypted information, random vari-ables are associated to E(I) as follows:

E(Ii) ={Xi = Ii if bi = 0Xi if bi = 1

(18)

Thus, the Xi:s will be known if the corresponding part is unencrypted and un-known if the corresponding part is encrypted. Using this association and adopt-ing guesswork to selective encryption, it is shown in paper II for zero order


approximations that

W (E(I)) = |χ|ne + 1

2(19)

where |χ| is the size of the alphabet in the considered language. Since guessworkdoes not seem to possess a simple additive structure, higher order approxima-tions for guesswork are still an open research issue.

For entropy, an equation for selective encryption has been derived for higherorders and in several dimensions in papers VI-VIII to

H iω(E(I)) =

∑p

b(p)∏

p′∈R(p)

p(Ip′ |IDω(p′))H(Xp|XDω(p))

=∑p

b(p)p iω(XRi

ω(p))Hiω(Xp) (20)

The region Riω(p) is a connected subset of the information, restricted by jumps

of width Diω(p) over unencrypted areas or by the boundary of the informa-

tion. How to mathematically express the structure of Riω(p) is an issue of fu-

ture research. Moreover, in paper VIII, the entropy equation (20) is applied ona 512× 512 pixel bitmap version of the famous Lena image, depicted in Fig. 6.Moreover, the probability distributions, p12(Iz), of the Lena image are shown in

Fig. 6: The famous Lena image.

Fig. 7, where Iz denotes bitplane z in the image. No legend is inserted due to thelarge amount of plots in the graph. However, bits of equal adjacent values tendto cluster, and this property increases for higher bitplanes. The highest proba-bilities that occur with value one in bitplane eight are p12(1|110) and p12(0|001).


2 3 4 5 6 7 80

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Bitplane (z)

Pro

babi

lity

Fig. 7: The probability distributions p12(Iz) of the Lena image.

Finally, the case of only considering encryption of whole bitplanes and only thedependency of one adjacent bitplane, and assuming a steady state of the productin (20), the two entropies H1,1,1

2,2,2 (E(Iz)|bz−1 = 1) and H1,0,12,2,2 (E(Iz)|bz−1 = 1)

is shown in Fig. 8.

2 3 4 5 6 7 80

0.5

1

1.5

2

2.5

3x 10

5

Bitplane (z)

Ent

ropy

H2,2,21,1,1(E(I

z)|b

z−1=1)

H2,2,21,0,1(E(I

z)|b

z−1=1)

Fig. 8: Entropies H1,1,12,2,2 (E(Iz)|bz−1 = 1) and H1,0,1

2,2,2 (E(Iz)|bz−1 = 1) of the Lena image.


6 Research Questions

The research questions for this thesis are threefold.

1. How much is the performance improved when the generic selective encryp-tion scheme is used?

The main goal and purpose of selective encryption is to reduce the computa-tional cost when providing confidentiality by only encrypting chosen parts of theinformation. This research question is addressed in paper I.

2. How much is the confidentiality strength of the information affected whenthe generic selective encryption scheme is used?

Previous work on selective encryption has chiefly focused on how to reduce thecomputational cost while still making the information perceptually secure. How-ever, the confidentiality strength in the sense of computationally security hasonly briefly been mentioned or rudimentarily analyzed. This challenging ques-tion is addressed in papers II, VI and VII. Initial results on the confidentialitystrength of selective encryption by using guesswork are presented in paper II,and an equation for the entropy of selectively encrypted strings is derived in pa-pers VI-VII. Moreover, paper VIII constructs and discusses information neigh-borhoods in order to make it possible in future work to generalize the entropyequation for higher orders and dimensions.

3. How does guesswork relate to entropy and how can guesswork be general-ized in order to create a theory for guesswork?

Security measures are needed to investigate how computationally secure selec-tive encryption is. Entropy and guesswork are two measures that are consid-ered to measure the confidentiality strength of selective encryption. Until today,guesswork has been less theoretically investigated than to entropy. Therefore,in order to better understand guesswork, papers III-V investigate some behav-iors of guesswork. The relationship between entropy and guesswork is inves-tigated in paper III, and the definition of guesswork is extended to joint andconditional guesswork in paper VI, where it is also proved that the joining ofrandom variables increases guesswork while conditioning of random variablesreduces guesswork. Finally, an investigation of changes in guesswork over timein multi-processor attacks is conducted in paper V in order to understand howthe average number of guesses changes during the guessing process.

7. Research Methodology 21

7 Research Methodology

Research can be seen as the process of asking and answering questions in anorganized way in order to produce new knowledge. Hence, before exploring aresearch question, a research method that structures the research process mustbe decided upon. One structured way of conducting research is given by thefollowing steps [8]:

1. Problem identification2. Literature study3. Determine research questions4. Information gathering5. Analyzing and interpreting6. Reporting and evaluating

The first step investigates the overall research focus and, from new knowledgeobtained in step two, the third step breaks down the overall research focus to spe-cific research questions or hypotheses. The three specific research questions inthis thesis were presented in the previous section, and the overall research focusthat goes beyond the scope of this thesis could be stated as: From the viewpointof quality of service (QoS), could selective encryption be used to trade confi-dentiality against performance? Moreover, for performance and security anal-ysis, both experimental and analytical approaches are commonly used for thelast three steps. In this thesis, the experimental approach is mainly applied inresearch question one and the analytical approach in research questions two andthree. Hence, a major part of this thesis uses the analytical research approach.

In the analytical research approach, mathematical models are used to de-scribe, explain, predict and eventually control properties in the model. Further,by referring to the list of steps above, step four is used to make assumptions,identify unknowns, introduce suitable notations, investigate conditions and, ifpossible, transform the problem or parts of the problem into a previously knownproblem. Step five is used to choose a solving strategy and to carry out the ac-tual work of the chosen strategy. The set of strategies and solving skills will ofcourse depend on earlier experience and knowledge. Step six, finally, is used forreflection and generalization in order to investigate whether the derived result isreasonable and extendable. A problem in the analytical approach arises when thesystem under consideration becomes too complex with many variables. In suchsituations, assumptions are introduced to simplify the model, thereby increasingthe risk of oversimplifying the model and removing many important properties.The strength of modeling with mathematics lies in its exact description, hence


avoiding the possibility of subjective interpretations. Based on this and the factthat the security measures used in this thesis are probabilistically defined, theanalytical approach was chosen for research questions two and three.

When validating analytical models or investigating complex systems, the ex-perimental research approach might be used to gain insight into the defined re-search question. Real world experiments were conducted to investigate researchquestion one. The reasons for using real world experiments were that the selec-tive encryption scheme was already implemented and set up in a controllableenvironment.

8 Main Contributions

The main contribution of this thesis lies in the fields of selective encryption andsecurity measures. Below follows a summary of the main contributions:

– Selective encryption has earlier been studied for a specific application or con-tent context. In this thesis, we designed a content independent or generic se-lective encryption scheme as a middleware and investigated its performancegains in paper I. The experimental results show that the selective encryptionmiddleware offers a high degree of freedom in encryption adaptiveness at alow cost.

– Previous work on selective encryption has mainly focused on how to re-duce the computational cost while still making the information perceptu-ally secure. However, the confidentiality strength in the sense of computa-tional security has been only briefly mentioned or rudimentarily analyzed.In this thesis we address the problem of how computationally secure selec-tively encrypted information is by using guesswork and entropy. By adoptingguesswork to selective encryption and using zero-order languages, the workreported in paper II examines when the message space is more difficult tobreak than the key space. In papers VI and VII, an entropy equation of selec-tive encryption is derived and investigated for different orders of languages.To be able to generalize the entropy equation to higher dimensions, paperVIII constructs and discusses information neighborhoods. This is done bygeneralizing Shannon’s work on the order of languages [31] and using ideasfrom cellular automata [20]. The results are then applied to bitmap images.

– There is not an overwhelming amount of research that has been done forguesswork at the time of this writing, and we have therefore started to build

9. Summary of Papers 23

a theory for guesswork in this thesis. The relationship between entropy andguesswork, using inequalities, has been examined for a time and, in the workreported in paper III, a relationship was found between the two security mea-sures. From the relationship, it is shown that guesswork is always greaterthan or equal to entropy, with equality for the truncated geometrical distri-bution. Moreover, as entropy is extended through joint and conditional en-tropy, we generalize guesswork through the joint and conditional guessworkin paper IV. In the paper it is also proven that that the joining of randomvariables increases guesswork while conditioning of random variables de-creases guesswork. Thus, adding new unknown information to the guessingspace increases guesswork and gaining information about the guessing spacedecreases guesswork. This is similar to the corresponding properties of en-tropy. In the same paper it is also proven that guesswork does not possessthe simple additive chain rule property that entropy does. Hence, no simpleway of relating the marginal, joint and conditional guesswork in a decompo-sition equation seems possible for guesswork. Such a finding will provide abetter understanding of guesswork and the security implication of selectiveencryption by making it possible to calculate guesswork from sub pieces ofthe selectively encrypted information. Furthermore, time is the crucial factorfor operational security, and in paper V we generalize guesswork one stepfurther by investigating how guesswork changes over time through the num-ber of incorrect guesses in multi-processor attacks. It is interesting to notethat it is possible for guesswork, as well as for entropy, to increase after anincorrect guess. This is due to the fact that the probability distribution mightbecome more uniform after a guess.

9 Summary of Papers

This section summarizes the eight appended papers of the thesis. Each paper isbriefly described, addressing its position in the thesis as well as its contributionsand limitations.

Paper I – Middleware Support for Tunable Encryption

A tunable and differential treatment of security is required to achieve an appro-priate trade-off between security and performance for wireless applications. Inthis paper, we present a tunable encryption service designed as a middlewarethat is based on a selective encryption paradigm. The core component of the


middleware provides block-based selective encryption. Although the selectionof which data to encrypt is made by the sending application and is typically con-tent dependent, the representation used by the core component is application andcontent independent. This frees the selective decryption module at the receiver ofthe need of application or content specific knowledge. The sending applicationspecifies the data that shall be encrypted either directly or through a set of high-level application interfaces. A prototype implementation of the middleware isdescribed along with an initial performance evaluation. The experimental resultsdemonstrate that the generic middleware service offers a high degree of securityadaptiveness at a low cost.

Paper II – Using Guesswork as a Measure for Confidentiality of SelectivelyEncrypted Messages

In this paper, we start to investigate the security implications of selective encryp-tion. We do this by using the measure guesswork, which gives us the expectednumber of guesses that an attacker is assumed to perform in an optimal bruteforce attack to reveal the secret. The characteristics of the proposed measure areinvestigated for zero-order languages. We also introduce the concept of reduc-tion chains to describe how the message (or rather search) space changes for anattacker with different levels of encryption.

Paper III – On the Relationship between Confidentiality Measures:Entropy and Guesswork

In this paper, we investigate in detail the relationship between entropy and guess-work. The aim of the study is to lay the ground for future efficiency comparisonof guessing strategies. The formal definitions are given after a brief discussion ofthe two measures and the differences between them. A redefinition of guessworkis then given, since the measure is not completely accurate. The change is a mi-nor modification in the last term of the sum expressing guesswork. Finally, twotheorems are expressed. The first states that the redefined guesswork is equal tothe concept of cross entropy, and the second states, as a consequence of the firsttheorem, that the redefined guesswork is equal to the sum of the entropy and therelative entropy.

Paper IV – Joint and Conditional Guesswork: Definitions and Implications

The need for computer security in today’s open computer networks is now undis-puted. More and more effort is being spent on security enhancing methods and

9. Summary of Papers 25

techniques. Despite this, there is still a lack of good methods for quantitativelyassessing security. New metrics that provide a more exact description of securityare therefore desirable. To address this we present an in-depth investigation ofthe probabilistic measure guesswork, which gives the average number of guessesin an optimal brute force attack. The paper extends the definition of guessworkby defining joint and conditional guesswork. It is proved that joining increasesguesswork, while conditioning reduces it. This implies that the joint guessworkis always at least equal to the marginal guesswork and that the conditional guess-work is always at most equal to the marginal guesswork. The paper also providesa description of relations and similarities between guesswork and entropy.

Paper V – Changes in Guesswork over Time in Multi-processor Attacks

More and more effort is being spent on security improvements in today’s com-puter networking environments. However, owing to the nature of computer se-curity, there is still a lack of good quantitative assessment methods. Inventingand developing new ways of measuring security are therefore needed in orderto more exactly describe, assess and improve the security of computer envi-ronments. One existing quantitative security measure is guesswork. Guessworkgives the average number of guesses in a brute force attack to succeed in break-ing an encrypted message. In the current definition of guesswork, it is assumedthat the attacker uses a single processor when breaking an encrypted message.An intelligent and motivated attacker will however likely use several processorsthat run in parallel. This paper formally investigates how guesswork changesover time in multi-processor attacks. The result is applied to three probabilitydistributions, the English alphabet, the geometric and the truncated geometric,in order to illustrate some behaviors.

Paper VI – Security Implications of Selective Encryption

Quantitative measures are desirable to be able to give an analytical and moreexact description of security. Two quantitative security measures that have beenproposed are entropy and guesswork. When breaking an encrypted message, en-tropy measures the average number of guesses in an optimal binary search attack,whereas guesswork measures the average number of guesses in an optimal linearsearch attack. In this paper, we continue to investigate the security implicationsof a generic selective encryption procedure: that is, how entropy and guessworkchange with the number of encrypted units, i.e., the encryption level. This is done


for languages up to the second order by deriving equations for entropy of selec-tively encrypted messages and then transferring the results to guesswork throughan equation relating the two measures. Furthermore, unlike entropy, guessworkdoes not possess the chain rule, however, an equation connecting the differentguessworks is derived through the equation relating entropy and guesswork.

Paper VII – Entropy of Selectively Encrypted Strings

A feature that has become desirable for low-power mobile devices with limitedcomputing and energy resources is the ability to select a security configurationin order to create a trade-off between security and other important parameterssuch as performance and energy consumption. Selective encryption can be usedto create this trade-off by only encrypting chosen units of the information. In thispaper, we continue the investigation of the confidentiality implications of selec-tive encryption by applying entropy to a generic selective encryption scheme.By using the concept of run-length vector from run-length encoding theory, anexpression is derived for the entropy of selectively encrypted strings when thenumber of encrypted substrings, containing one symbol, and the order of thelanguage changes.

Paper VIII – An Investigation of Entropy of Selectively Encrypted BitmapImages

Selective encryption is a concept in which the main goal is to reduce computa-tional cost while providing confidentiality by encrypting only chosen parts of theinformation to be protected. Previous work on selective encryption has mainlybeen aimed towards multimedia applications in order to reduce the overhead in-duced by encryption while still making the information perceptually secure toa desired protection level. This was accomplished by utilizing the fact that dif-ferent parts of the information have different impacts on our perception senses,i.e., eyes and ears. How computationally secure the information is when usingselective encryption has however only briefly been mentioned or rudimentarilyanalyzed. In this paper, we therefore investigate the security implications of se-lective encryption by generalizing the work on entropy of selectively encryptedstrings to several dimensions and applying it to bitmap images. The generaliza-tion is done by constructing information neighborhoods that capture and modelinformation dependencies in several dimensions.

10. Concluding Remarks and Future Work 27

10 Concluding Remarks and Future Work

This thesis has evaluated the performance improvement of a proposed genericselective encryption scheme. The experimental results show that the selective en-cryption middleware offers a high degree of freedom in encryption adaptivenessat a low cost. The confidentiality strength of selectively encrypted informationin the sense of computational security when using the proposed scheme has alsobeen investigated using entropy and guesswork. Since guesswork is less theoret-ically investigated than entropy and does not persists of simple additive mathe-matical structures, only initial results have been achieved for guesswork. How-ever, guesswork has been adopted to selective encryption in the zero order case,and an examination has been made as to when the message space is more diffi-cult to break than the key space of the used encryption algorithm. For entropy,an equation of selectively encrypted information has been derived for differentorders and in several dimensions and applied to bitmap images. The generaliza-tion to several dimensions was done by constructing information neighborhoodsfrom Shannon’s work on the order of languages and the neighborhood conceptin cellular automata. However, more research is needed to clarify the securityimplications of selective encryption and, thus, be able to trade between confi-dentiality and performance.

To provide a better understanding of guesswork and build a theory of guess-work, this thesis extends and generalizes guesswork in several ways. The jointand conditional guesswork is defined and, as for entropy, it is proven that thejoining of random variables increases guesswork while the conditioning of ran-dom variables decreases guesswork. Hence, adding information to a secret in-creases guesswork and gaining information about a secret decreases guesswork.This is equal to the corresponding properties of entropy. However, guessworkdoes not possess the chain rule decomposition property, as entropy does. Hence,decomposing guesswork into a chain rule-like equation, relating the marginal,conditional and joint guessworks, is part of future work. Such a finding willmake it possible to actually calculate guesswork from sub pieces of the informa-tion, thereby making it possible to further investigate the security implicationsof selective encryption.

It is also proven in the thesis that guesswork is equal to the sum of the en-tropy and the relative entropy. Hence, guesswork is always greater than or equalto entropy, with equality for the truncated geometrical probability distribution.This finding also gives a connection between the two guessing strategies, opti-mal linear search and optimal binary search. Moreover, guesswork is extended toincorporate changes over time through the number of incorrect guesses in multi-


processor attacks. Normally, guesswork decreases after each incorrect guess.However, guesswork can locally increase due to the fact that the probability dis-tribution might become more uniform after a guess. However, guesswork willdecrease in the long term. Future research includes investigations of guessworkincrement, i.e., the difference between two consecutive changes in guessworkvalues and how entropy changes in multi-processor attacks. Furthermore, in thecurrent definition of guesswork, it is assumed that there is only one correct valuein the sample space. An investigation of what happens when there is a set ofcorrect values is also a part of future research.

References

1. A. Calaprice A. Einstein and F. Dyson. The Ultimate Quotable Einstein. Princeton UniversityPress. Princeton University Press, Princeton, NJ, USA, 2011.

2. R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems.John Wiley & Sons, New York, NY, USA, 2001.

3. E. Arikan. An inequality on guessing and its application to sequential decoding. IEEETransactions on Information Theory, 42(1):99–105, 1996.

4. Z. Brahimi, H. Bessalah, A. Tarabet, and M. K. Kholladi. Selective encryption techniquesof JPEG2000 codestream for medical images transmission. WSEAS Transactions on Circuitsand Systems, 7(7):718–727, July 2008.

5. D. Chaum. The dining cryptographers problem: Unconditional sender and recipient untrace-ability. Journal of Cryptology, 1:65–75, 1988.

6. Common Criteria Implementation Board. Common criteria for information technology secu-rity evaluation, version 3.1. http://www.commoncriteriaportal.org/, September 2006.

7. T. Cover and J. Thomas. Elements of Information Theory. John Wiley & Sons, New York,NY, USA, 1991.

8. J. W. Creswell. Educational Research: Planning, Conducting, and Evaluating Quantitativeand Qualitative Research. Pearson Education, Upper Saddle River, NJ, USA, 2011.

9. N. E. Fenton and S. L. Pfleeger. Software Metrics: A Rigorous & Practical Approach. PWSPublishing, Boston, MA, USA, 2nd edition, 1997.

10. G. B. Folland. Real Analysis, Modern Techniques and Their Applications. John Wiley &Sons, New York, NY, USA, 1999.

11. D. Gollmann. Computer Security. John Wiley & Sons, Chichester, West Sussex, UK, 2ndedition, 2006.

12. J. Goodman and A. P. Chandrakasan. Low power scalable encryption for wireless systems.Wireless Networks, 4(1):55–70, 1998.

13. D. S. Herrmann. Complete Guide to Security and Privacy Metrics. Auerbach Publications,Boca Raton, NY, USA, 2007.

14. A. Jaquith. Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-Wesley,Upper Saddle River, NJ, USA, 2007.

15. H. Kvarnstrom. On the Implementation and Protection of Fraud Detection Systems. PhDthesis, Chalmers University of Technology, Goteborg, Sweden, June 2004.

16. Y. Li, Z. Chen, S. M. Tan, and R. H. Campbell. Security enhanced MPEG player. In Proceed-ings of the 1996 International Workshop on Multimedia Software Development (MMSD’96),pages 169–176, Berlin, Germany, March 25–26 1996.

10. Concluding Remarks and Future Work 29

17. S. Lindskog and A. Brunstrom. Design and implementation of a tunable encryption servicefor networked applications. In Proceedings of the First IEEE/CREATE-NET Workshop onSecurity and QoS in Communications Networks (SecQoS 2005), September 9, 2005.

18. S. Lindskog and E. Jonsson. Adding security to QoS architectures. In R. Burnett, A. Brun-strom, and A. G. Nilsson, editors, Perspectives on Multimedia: Communication, Media andInformation Technology, chapter 8, pages 145–158. John Wiley & Sons, West Sussex, UK,2003.

19. S. Lindskog, J. Strandbergh, M. Hackman, and E. Jonsson. A content-independent scalableencryption model. In Proceedings of the 2004 International Conference on ComputationalScience and its Applications (ICCSA’04), part I, pages 821–830, Assisi, Italy, May 2004.

20. W. M. Luckett. Cellular Automata for Dynamic S-boxes in Cryptography. University ofLouisville, 2007.

21. D. Malone and W. G. Sullivan. Guesswork and entropy. IEEE Transactions on InformationTheory, 20(3):525–526, 2004.

22. J. Massey. Guessing and entropy. In Proceedings of the 1994 IEEE International Symposiumon Information Theory, page 204, Trondheim, Norway, 1994.

23. A. Massoudi, F. Lefebvre, C. De Vleeschouwer, and F.-O. Devaux. Secure and low costselective encryption for JPEG2000. In Tenth IEEE International Symposium on Multimedia(ISM 2008), pages 31–38, Berkeley, CA, USA, December 15–17, 2008.

24. J. Meyer and F. Gadegast. Security mechanisms for multimedia data with the example MPEG-I video, 1995. http://www.gadegast.de/frank/doc/secmeng.pdf.

25. C. P. Pfleeger and S. L. Pfleeger. Security in Computing. Prentice Hall, Upper Saddle River,NJ, USA, 3rd edition, 2003.

26. J. O. Pliam. Ciphers and their Products: Group Theory in Private Key Cryptography. PhDthesis, University of Minnesota, MN, USA, 1999.

27. M. Podesser, H. P. Schmidt, and A. Uhl. Selective bitplane encryption for secure transmis-sion of image data in mobile environments. In Proceedings of the 5th IEEE Nordic SignalProcessing Symposium (NORSIG’02), Tromsø/Trondheim, Norway, October 4–6, 2002.

28. R. T. Rockafellar. Convex Analysis. Princeton Mathematical Series. Princeton UniversityPress, 1997.

29. A. Servetti and J. C. De Martin. Perception-based selective encryption of G.729 speech.In Proceedings of the 2002 IEEE Internatinal Conference on Acoustics, Speech, and SignalProcessing, volume 1, pages 621–624, Orlando, Florida, USA, May 13–17, 2002.

30. Z. Shahid, M. Chaumont, and W. Puech. Fast protection of H.264/AVC by selective encryp-tion of CABAC for I & P frames. In Proceedings of the 17th European Signal ProcessingConference (EUSIPCO 2009), pages 2201–2205, Glasgow, Scotland, August 24–28, 2009.

31. C. E. Shannon. Claude Elwood Shannon: Collected Papers. IEEE Press, Piscataway, NJ,USA, 1993.

32. G. A. Spanos and T. B. Maples. Performance study of a selective encryption scheme forsecurity of networked, real-time video. In Proceedings of the 4th International Conference onComputer Communications and Networks (ICCCN’95), pages 72–78, Las Vegas, NV, USA,September 1995.

33. W. Stallings. Cryptography and Network Security: Principles and Practice. The WilliamStallings Books on Computer and Data Communications. Pearson/Prentice Hall, Upper Sad-dle River, NJ, USA, 2006.

34. Z. Su, J. Jiang, S. Lian, G. Zhang, and D. Hu. Hierarchical selective encryption for G.729speech based on bit sensitivity. Journal of Internet Technology, 10(5):599–608, 2010.


35. M. Van Droogenbroeck and R. Benedet. Techniques for a selective encryption of un-compressed and compressed images. In Advanced Concepts for Intelligent Vision Systems(ACIVS), pages 90–97, Ghent, Belgium, September 2002.

36. V. Verendel. Quantified security is a weak hypothesis. In New Security Paradigms Workshop(NSPW), pages 227–233, Oxford, UK, September 8-11, 2009.

Date post:	20-Jul-2020
Category:	Documents
Upload:	others
View:	6 times
Download:	0 times

Guesswork and Entropy as Security Measures for Selective...

Documents