Hidden-Markov Program Algebra with iteration

We use Hidden Markov Models to motivate a quantitative compositional semantics for noninterference-based security with iteration, including a refinement- or “implements” relation that compares two programs with respect to their information leakage; and we propose a program algebra for source-level reasoning about such programs, in particular as a means of establishing that an “implementation” program leaks no more than its “specification” program.

This joins two themes: we extend our earlier work, having iteration but only qualitative, by making it quantitative; and we extend our earlier quantitative work by including iteration.

We advocate stepwise refinement and source-level program algebra, both as conceptual reasoning tools and as targets for automated assistance. A selection of algebraic laws is given to support this view in the case of quantitative noninterference; and it is demonstrated on a simple iterated password-guessing attack.

💡 Research Summary

The paper “Hidden‑Markov Program Algebra with iteration” develops a quantitative, compositional semantics for non‑interference security by exploiting Hidden Markov Models (HMMs). The authors view the hidden state of an HMM as a high‑security variable and the observable outputs as low‑security variables. They introduce the notion of a hyper‑distribution – a probability distribution over pairs consisting of an observable and a conditional distribution of the hidden state – which captures both the a‑priori distribution of outputs and the a‑posteriori knowledge an attacker gains after observing a run.

A refinement (or “implements”) relation is defined on programs by comparing their hyper‑distributions with respect to a partial order: Δ₁ ⊑ Δ₂ means that Δ₂ leaks no more information than Δ₁. This order is stronger than ordinary program equivalence because it accounts for information flow. The authors embed this structure in the well‑known probability monad D (discrete distributions). Using the monadic operations map, avg, and Kleisli composition, they give a clean categorical description of sequential composition of HMMs (H₁;H₂), preserving the hyper‑distribution type Y × DX → D(Y × DX).

A major contribution is the treatment of loops. Traditional fixed‑point theory relies on a complete lattice, which does not hold for hyper‑distributions. To overcome this, the paper defines a “termination order” that ranks hyper‑distributions according to the probability of termination and the amount of leaked information. This order enables the construction of least fixed points for while‑loops while staying within the discrete‑distribution setting, avoiding the need for full measure theory.

The algebraic component supplies a suite of refinement‑preserving laws for assignment, conditional, sequential composition, and iteration. For example, the law (v := h/2; v := v/2) ⊑ (v := h/4) is shown by reasoning about the induced hyper‑distributions, illustrating how a program that performs two coarse divisions leaks more about the hidden variable than a single finer division.

The theory is illustrated with a simple password‑guessing attack. The attacker is assumed to have perfect recall, meaning that all observed low‑security values persist across iterations. The loop models repeated guesses; each iteration refines the attacker’s posterior distribution over the secret password. By applying the algebraic laws, the authors prove that a particular implementation of the guessing loop does not leak more than a specified abstract specification, thereby demonstrating the practical utility of their framework.

In the related‑work discussion the authors compare their approach to earlier qualitative non‑interference models, to quantitative works that lack iteration, and to measure‑theoretic probabilistic semantics. They argue that the hyper‑distribution plus termination‑order combination offers a sweet spot: expressive enough to handle loops and information flow, yet simple enough to be amenable to mechanised reasoning.

The conclusion outlines future directions: extending the semantics to continuous distributions, integrating automated refinement checking tools, and exploring richer attacker models. Overall, the paper provides a mathematically rigorous yet operationally useful foundation for reasoning about quantitative information leakage in programs that contain loops, bridging the gap between HMM theory and security‑focused program algebra.