Friday 24 August 2012

Information Erasure and Release Duality

There is a duality between quantitative information erasure and information release in the sense that the sum of both is equal to the total body of information processed by a system:

Erasure + Release = Information Content you started with.

Why might this be useful, you ask? Well, since the information security community has developed various analyses for characterising information release, we can simply turn the result around to calculate the erasure. Buy one, and get the other free.

I suppose you might also ask, why is information erasure useful? Here is an excerpt from a paper (shameless plug: it is mine), From Qualitative to Quantitative Information Erasure.

"There is often a need to erase information in real systems. In particular, a system that processes confidential data may be expected to remove pieces of sensitive information from the body of information that it propagates. For example, statistical databases may not propagate sensitive information, which must be erased; but the database must release sufficient non-sensitive information to be useful for statistical purposes. A more everyday example requiring information erasure is e-commerce, where various pieces of data on a credit card used must not be stored by the merchant. The Payment Card Industry, which specifies standards for payment processing, stipulates which data must not be retained by a merchant, even though the data may be required to complete a transaction. For example, the card verification code, which is used to prevent card-not-present frauds, must not be stored by the merchant. There are also restrictions on the display of the primary account number (PAN) on screens or receipts, e.g. the first six and the last four digits are the maximum allowed to be displayed - the other digits must be masked (erased). 

Note that in these examples, as with other situations where information erasure is desired, erasure often goes hand-in-hand with information release: e.g. some PAN digits may be released whereas others must be erased. So, it is reasonable to study erasure in the context of information release. It is even better if the two can be accommodated under a single uniform policy model, as we propose. As a general observation, it is desirable to be able to describe security requirements as an extensional policy statement independently of the operational properties or implementation of the system that satisfies the requirement. This separation of concerns is a well-understood good design principle of allowing policies and systems to be separately developed. A verification mechanism then ensures that the implementation conforms to the desired policy. The policy model proposed in this paper is extensional and describes the information security requirements directly as constraints on information release and erasure independently of an enforcement mechanism."
The paper goes on to develop a mathematical theory of information erasure, and the statement above is one of its conclusions. The paper appeared at the Quantitative Aspects in Security Assurance workshop (QASA 2012, http://www.iit.cnr.it/qasa2012/) in September 2012. A copy of the paper may be obtained here.
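As an added illustration (this is not code from the post or from the paper), here is a Python sketch of the duality under the standard Shannon-entropy reading, which is my assumption about how to instantiate the equation above: for a deterministic output function f, release is measured as H(f(X)), which equals the mutual information I(X; f(X)), and erasure as the conditional entropy H(X | f(X)), so the two sum to H(X). The PAN mask and the CVV drop are the two cases from the excerpt; the card numbers, digit lengths and probabilities are constructed sample data, and the function names are my own.

```python
from collections import defaultdict
from itertools import product
from math import log2


def entropy(dist):
    """Shannon entropy in bits of a distribution given as {value: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def push_forward(dist, f):
    """Distribution of the output f(X) when the input X is distributed as dist."""
    out = defaultdict(float)
    for x, p in dist.items():
        out[f(x)] += p
    return dict(out)


def information_budget(dist, f):
    """Split the input information of a deterministic channel f into release and erasure.

    total    = H(X)                    information content the system started with
    released = H(f(X)) = I(X; f(X))    what an observer of the output learns about X
    erased   = H(X | f(X))             what no observer of the output can recover
    The three satisfy released + erased == total (up to floating-point error).
    """
    total = entropy(dist)
    released = entropy(push_forward(dist, f))
    return total, released, total - released


def mask_pan(pan, keep_first=6, keep_last=4):
    """Display form of a primary account number: keep the leading and trailing
    digits allowed on a receipt, mask (erase) everything in between."""
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[len(pan) - keep_last:]


def drop_cvv(cvv):
    """Merchant storage of the card verification code: nothing is retained."""
    return ""


def uniform_digits(n):
    """Uniform prior over all n-digit strings (constructed for the example)."""
    return {"".join(d): 10.0 ** -n for d in product("0123456789", repeat=n)}


# Constructed sample data: a merchant that has only ever seen three cards.
SKEWED_CARDS = {
    "4111111111111111": 0.50,
    "4111111111111112": 0.25,
    "5500000000000004": 0.25,
}


def example_budgets():
    """Three worked cases; returns {name: (total, released, erased)} in bits."""
    return {
        # 4-digit "mini PANs" keeping first and last digit: 2 digits released, 2 erased
        "mini_pan_mask": information_budget(uniform_digits(4), lambda p: mask_pan(p, 1, 1)),
        # 3-digit CVV never stored: everything erased, nothing released
        "cvv_drop": information_budget(uniform_digits(3), drop_cvv),
        # full-length mask over a tiny prior: the kept digits already identify every card
        "skewed_pan_mask": information_budget(SKEWED_CARDS, mask_pan),
    }


if __name__ == "__main__":
    for name, (total, released, erased) in example_budgets().items():
        print(f"{name:16s} total={total:6.2f}  released={released:6.2f}  erased={erased:6.2f} bits")
```

Two things are worth noticing when this runs. For the uniform priors the split is exactly what the digit counts suggest: a kept digit is log2(10) bits released, a masked digit is log2(10) bits erased, and the dropped CVV is all erasure. For the three-card prior the same six-and-four mask erases nothing at all, because the retained digits already distinguish every card the merchant has seen; the quantity is a property of the policy applied to an input distribution, not of the number of characters replaced by asterisks, which is why a quantitative notion of erasure says more than a syntactic one.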