Information Security and Cryptography
Mário S. Alvim
Konstantinos Chatzikokolakis
Annabelle McIver · Carroll Morgan
Catuscia Palamidessi · Geoffrey Smith
The Science of Quantitative Information Flow
Information Security and Cryptography
More information about this series at http://www.springer.com/series/4752
Series Editors
David Basin
Kenny Paterson
Advisory Board
Michael Backes
Gilles Barthe
Ronald Cramer
Ivan Damgård
Andrew D. Gordon
Joshua D. Guttman
Ueli Maurer
Tatsuaki Okamoto
Bart Preneel
Christopher Kruegel
Adrian Perrig
ISSN 1619-7100 ISSN 2197-845X (electronic)
Information Security and Cryptography
ISBN 978-3-319-96129-3 ISBN 978-3-319-96131-6 (eBook)
https://doi.org/10.1007/978-3-319-96131-6
© Springer Nature Switzerland AG 2020
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Konstantinos Chatzikokolakis
Department of Informatics
and Telecommunications
University of Athens
Athens, Greece
Annabelle McIver
Department of Computing
Macquarie University
Sydney, NSW, Australia
Geoffrey Smith
School of Computing & Information Sciences
Florida International University
Miami, FL, USA
Mário S. Alvim
Computer Science Department
Universidade Federal de Minas Gerais
Belo Horizonte, Brazil
Catuscia Palamidessi
Inria Saclay and LIX
École Polytechnique
Institut Polytechnique de Paris
Palaiseau, France
Carroll Morgan
School of Computer Science
& Engineering
University of New South Wales
Trustworthy Systems, Data61
CSIRO
Sydney, NSW, Australia
The authors dedicate this book as follows:
Mário S. Alvim to his mother, Maria Angélica, his stepfather, Mario, his brothers,
Marco Antônio and Marcus Vinícius, and his husband, Trevor.
Kostas Chatzikokolakis to his father, Thymios.
Annabelle McIver to her daughter, Eleanor, and her parents, Anne and Ted.
Carroll Morgan to the policy of diversity and tolerance deliberately instituted and
actively sustained at Data61’s Trustworthy Systems Group.
Catuscia Palamidessi to her husband, Dale Miller, and their children, Alexis and
Nadia Miller.
Geoffrey Smith to his parents, Marilynn and Seward, his wife, Elena, his sons, Daniel
and David, and his cockatiel, Yoshi.
Cockatiel Yoshi as a probabilistic channel C that maps a top-secret document X to a
(randomly generated) pile of shredded paper Y
Preface
Information Flow is the transfer of information from a source (who knows the
information) to a target (who does not yet know it). In history, that topic has
sometimes been studied in order to impede flow (e.g. Caesar’s Cipher from millennia
ago), and sometimes to facilitate it (e.g. Shannon’s work in the 1940’s). Usually,
however, the aims are a careful mixture of the two: to let information flow to those
who need to know it, but to keep it from those who must not have it. That is the
focus of our contemporary perspective –facilitate some flows, impede others– and our
main (but not exclusive) concern here is computer systems.
But first: what is so special about now? Information-flow security is a critical
problem today because of recent technological developments and their –largely
uncontrolled– spread to many hands: all the way from everyday home users to
super-skilled hackers, and all over the earth. Data is being collected more than ever
before (smart phones, surveillance cameras, “loyalty” cards); networks then enable its
transmission to unknown (or unintended) destinations; and powerful corporate and governmental agents
gain financial and/or political benefits by collecting and analyzing that data. And, of
course, there are the criminals.
Because so much is flowing, and so many have access to it, and we know so little
specifically about who they are, we can no longer protect our information by relying
on the people through whose hands it passes. Thus the standard technologies like
access control and encryption are insufficient, because there we require the entities
granted access to our data to handle it appropriately, and that implied trust might
well be misplaced: a smartphone app could legitimately need access to our location,
for example, but then leak that information to some other party, perhaps maliciously
— but also perhaps just by accident.
Thus instead we must try to generate, process, and transfer our data with systems
that protect themselves, that are safe no matter who accesses them or how they
might abuse that access. It demands a fundamental, rigorous approach; and that
fundamental rigor is exactly the science that we are striving for.
Thus, second: how can it be done? Early rigorous work in information-flow security
(since the 1970’s) suggested ways in which programs could be analyzed to see whether
the program variables an adversary “could see” might depend on variables that were
not supposed to be seen: our secrets. If there was no dependence, then the program
was secure; but if there was any dependence at all, then the program was deemed
insecure. That “depends or not” criterion was later realized to be too coarse, however:
even a password-checking program, no matter how carefully constructed, would be
deemed insecure, because Access Denied still unavoidably exhibits a dependence —
on what the password is not.
Quantitative information flow solves the “depends or doesn’t”, the “black or white”
problem by relativizing information leaks, recognizing that it’s not really that clear-cut
— some leaks are more important than others, and thus some are tolerable (e.g. leaking
what a password isn’t, provided it’s only infrequently). A typical quantitative approach
is to use Shannon’s information theory to measure the “entropy” of a secret (roughly,
how hard it is to guess) before a system is run, and then to determine what the
entropy would become after the program is run (by analyzing the source code, which
we assume is available to our adversary). The difference between the two entropies,
before minus after, is then how many bits have flowed from the system (escaped, if
that flow is not desirable) and –again roughly– if it’s a small proportion of the bits
that should remain secret, then the actual impact might be considered to be quite
limited. Further, because the flow is quantified, the impact can actually be reasoned
about rather than merely regretted. That technique realizes a powerful insight, and it
works well in many situations: quantifying secrecy in the Shannon style (via entropy)
provides the needed nuance to escape the earlier “all or nothing” judgments. For
example, if the amount of entropy leaked by a failed login is indeed very small, it is
exactly there that quantitative reasoning allows us to calculate with “very small” and
“how often” and compare the result to “tolerable”.
But much more recently still, it was suggested that Shannon’s approach could be
generalized, taken further, because in some situations also it turned out to be too
inflexible: were the numbers it produced, how many bits escaped, really the numbers
we needed to know? The generalization was to allow a selection of entropies –many
more than just Shannon’s alone– whose characteristics were derived empirically from a
study of the possible adversaries’ motivations and capabilities. Which secrets do they
really want, and which ones would they not bother to steal? What exactly can they
do with their knowledge about the secret? That last step –the generalized entropies–
completes the conceptual trajectory from “Does information flow at all?” (simple
dependence) through “How many bits of information flow?” (Shannon leakage) to
finally (at least for the moment) “What is the value to the adversary of the information
that flows?” or, dually, “What damage to us is caused by that flow, and how much
would we spend (or should we have spent) to prevent it?” Generalized entropies (of
which Shannon entropy is a special case) are captured by what we call “loss functions”;
dually, we also consider generalized “vulnerabilities”, captured by “gain functions”.
Furthermore, loss- and gain functions enable a connection with the science of program
development, where specification programs are “refined” into implementation programs
that satisfy those specifications both in terms of functionality and security. (Shannon-
entropy leakage is not usually a compositional criterion; and yet compositionality is
essential for reliable program construction. The use of generalized entropies, however,
is compositional.)
For all of those reasons, our study of the science of quantitative information flow
aims to understand fundamentally how sensitive information “flows” as it is processed
by an authorized entity (e.g. our computer program), and to ensure that those flows are
acceptable to us in terms of the quantified damage they might cause. And here –as we
will emphasize– it is important to understand “flows” in a very broad sense: indeed flow
occurs whenever sensitive information is correlated with observable outputs, allowing
an adversary to make inferences about the sensitive information. Such correlations
can be blatant, as when a sensitive file is copied to some publicly observable place,
but they can also be subtle, as when a medical database outputs a patient’s country
as “United States” if the patient has diabetes and as “USA” if not: in that case the
patient’s diabetes status “flows” to the country output in a way that probably was
not intended.
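The Shannon-style measurement described above (entropy before minus expected entropy after), as an added example that is not taken from the book: it models the failed-login case and the “United States”/“USA” country field as channel matrices and computes how many bits flow. The function names, the 1024-password space and the 10% diabetes prior are assumptions made for illustration.

```python
from math import log2


def shannon_entropy(dist):
    """Shannon entropy in bits of a probability distribution (list of floats)."""
    return -sum(p * log2(p) for p in dist if p > 0)


def shannon_leakage(prior, channel):
    """Return (entropy before, expected entropy after, bits leaked).

    prior   -- adversary's distribution over the secret values
    channel -- matrix: channel[x][y] = P(observable y | secret x)
    """
    if abs(sum(prior) - 1.0) > 1e-9:
        raise ValueError("prior must sum to 1")
    for row in channel:
        if abs(sum(row) - 1.0) > 1e-9:
            raise ValueError("each channel row must sum to 1")

    before = shannon_entropy(prior)
    after = 0.0
    for y in range(len(channel[0])):
        # Joint probability of each secret together with observable y.
        joint = [prior[x] * channel[x][y] for x in range(len(prior))]
        p_y = sum(joint)
        if p_y == 0:
            continue  # this observable never occurs under the prior
        posterior = [j / p_y for j in joint]
        # Weight the adversary's remaining uncertainty by how often y is seen.
        after += p_y * shannon_entropy(posterior)
    return before, after, before - after


def login_attempts_channel(n, k):
    """Password checker probed with k distinct wrong-or-right guesses.

    Secrets are passwords 0..n-1 and the guesses tried are 0..k-1 (assumed).
    Observable i < k means "guess i was accepted"; observable k means
    "Access Denied" for every guess, which still reveals what the password
    is not.
    """
    channel = []
    for x in range(n):
        row = [0.0] * (k + 1)
        row[x if x < k else k] = 1.0
        channel.append(row)
    return channel


def country_field_channel():
    """Medical-database output from the text: secrets are (diabetes,
    no diabetes); observables are the strings ("United States", "USA")."""
    return [[1.0, 0.0],
            [0.0, 1.0]]


if __name__ == "__main__":
    uniform = [1 / 1024] * 1024  # constructed prior: 10-bit password
    for k in (1, 64):
        before, after, leak = shannon_leakage(uniform,
                                              login_attempts_channel(1024, k))
        print(f"{k:3d} login attempt(s): {leak:.4f} of {before:.0f} bits leak")

    # Constructed prior: 10% of patients have diabetes.
    before, after, leak = shannon_leakage([0.1, 0.9], country_field_channel())
    print(f"country field: {leak:.4f} of {before:.4f} bits leak")
```

A single failed login leaks about a hundredth of a bit, while the country field leaks the entire diabetes secret even though no field named “diabetes” is ever output.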
Extant studies of information flow encompass a variety of domains –such as non-
interference, anonymity, unlinkability, secure multi-party computation, differential
privacy, statistical databases, side channels, voting, and anonymous communication
and publishing– and we have tried to do the same. Something that makes those studies
challenging, and our study as well, is that perfection is often unachievable, because
some undesirable flows cannot be helped. Publishing statistics about a database of
medical records necessarily involves revealing some information about the individual
records: keeping those records completely private is not an option in that case. Indeed
there are many practical reasons for accepting flows that –in a perfect world– we would
prefer not to have:
• Sometimes a flow is intentional: we want to learn something from our statistical
database.
• Sometimes a flow is due to side channels that are hard or impossible to control
fully.
• Sometimes a flow is in exchange for a service, one which for example might need
our location.
• Sometimes a flow is in exchange for efficiency, as when a weaker but more
efficient anonymous communication system is used instead of a stronger but less
efficient protocol.
All of those support our belief that we must not (only) ask whether there is an
information flow, and not even (only) how many bits of Shannon entropy might flow.
We try to study instead how much damage an information flow would cause; and
because of the generality of that approach, the earlier two are special cases.
The six authors of this book come from a number of distinct research domains,
including process calculi, privacy, type systems for secure information flow, and
programming-language semantics and refinement. As we all came to understand
information flow better, we recognized that our efforts shared deep commonalities;
and so, merging our earlier specialties, we have been working intensively as a group
together since about 2010. This book is our comprehensive treatment of quantitative
information flow (QIF) as we currently understand it — and we hope that it will lead
to further and wider collaboration with those who might read it.
Much of what we present here is based on material already published, but by no
means all of it — it is not at all merely “a collection of papers”. Instead we have tried
hard to write a unified and self-contained text, hoping as we did so to find better
terminology and notation than we might have used before, and then in some cases
even rewriting whole presentations from scratch to take advantage of it. As well, in
many cases we have also replaced earlier mathematical proofs with new ones that are
clearer and more self-contained.
Finally, while this book is mainly focused on the systematic development of the
theory of quantitative information flow, we also demonstrate the theory’s practical
utility by including (in Part V) case studies showing how quantitative−information-flow
analysis can be applied to a number of interesting realistic scenarios.
Intended readership
Our intended reader is anyone interested in the mathematical foundations of computer
security. As far as the required technical background is concerned, we have tried to
make the main story understandable to anyone with just a basic knowledge of discrete
probability, though sometimes deeper concepts are used. But, in those cases, we have
tried to minimize the need for prior familiarity by presenting the necessary material
within our text.
It is worth clarifying however that this book is not aimed at readers interested in
the legal, ethical, or sociological aspects of information flow. While it is clear that
some information flows are beneficial and others are harmful, we make no effort to
address the question of which are which.
And finally, we recognize that information flow is in fact a general phenomenon
with relevance beyond security. So while the theory developed here has largely been
motivated by the question of how to limit the leakage of sensitive information, that
same theory can no doubt be applied fruitfully in diverse contexts such as machine
learning, recommendation systems, and robotics. (Interestingly, in those contexts
information flow would typically be seen as a good thing.) For this reason, readers
outside the field of security may also profit from reading this book.
Organization and structure
We now briefly describe the overall structure of the book.
In Part I, we motivate the study of quantitative information flow, and we give an
informal overview of some of its important concepts by discussing information leakage
in a very simple context.
In Part II, we begin our detailed development by explaining what a secret X actually
is, or at least what we consider it to be: a probability distribution π that specifies the
adversary’s knowledge about the likelihood of X’s possible values. We also consider
how π can be used in quantifying either X’s vulnerability or (complementarily) the
adversary’s uncertainty about X, observing that there are many reasonable ways to
do that, depending on the operational scenario, and showing that a single framework,
based on “gain functions” (or dually “loss functions”), can encompass them all.
In Part III, we move from secrets to systems, modeled as information-theoretic
channels that process secret information and possibly leak some of it to their public
outputs. We develop a rich family of gain-function−leakage measures to quantify
the damage a channel’s leakage might cause, carefully considering the operational
significance of such measures and developing theory that supports robust judgments
about leakage.
In Part IV, we consider a more detailed model of systems as programs written in a
simple probabilistic imperative programming language, enabling compositional
reasoning about information leakage. Here, with assignment statements to program variables
we can treat secrets that change over time. For that we introduce a mathematical
technique that generalizes both channels (which leak secrets) and assignments (which
update them). The technique is based on Hidden Markov Models.
Finally, in Part V we present a number of case studies showing how one can
apply quantitative−information-flow analysis to many interesting realistic scenarios —
including anonymity protocols, side-channel attacks on cryptography, voting protocols,
and even differential privacy in statistical databases. Those chapters are intended
to be somewhat self-contained, and readers interested in applications might wish to
browse through them early.
Details of presentation
We sometimes format a definition, theorem, or paragraph in a box to give it
greater visual prominence, as we have done in this paragraph. Our intent in doing
that is to express our judgments, necessarily subjective, about which things are
particularly significant or interesting.
The main text has been kept essentially free of literature citations and historical
remarks — instead they are collected in a final section “Chapter Notes” for each
chapter. The bibliography is, similarly, organized chapter by chapter.
Cited authors can be found alphabetically in the index, where they appear within
square brackets, for example “[ Claude E. Shannon ]”. A glossary appears just before
the index, and its entries are in order of first occurrence in the main text. The entry
usually reads “see something”, without a page number, in the hope that the something
on its own will be enough to jog the memory. If it isn’t, the index entry for “something”
itself should be consulted to get a page reference.
Possible usage as a textbook
We have used draft chapters from Parts I, II, and III in a master’s-level course on the
foundations of cybersecurity that also included extensive coverage of cryptography.
For a full-semester course, we envisage that a course based on Parts I, II, and III and
selected chapters from Part V could be taught at both the advanced undergraduate
and master’s levels. Part IV is more advanced mathematically, and is probably more
suitable for doctoral students.
To facilitate the use of the book as a course textbook, we have included a section of
Exercises at the end of most chapters. Solutions to these exercises are available to
qualified instructors.
Language issues
Turning finally to questions of language: we come from six different countries (Brazil,
Greece, the United Kingdom, Australia, Italy, and the United States) — which had
the advantage that the sun never set on this book’s preparation: at all times at least
one of us could be found hard at work on it. But such diversity also raises issues of
spelling and usage. For the sake of consistency we have made an essentially arbitrary
choice to follow American conventions throughout.
Also, with respect to the thorny question of personal pronouns, we have chosen to
refer to the defender (i.e. the person or entity trying to protect sensitive information)
as “he” or “him”, to the adversary as “she” or “her”, and to the authors and readers
of this book as “we” or “us”. When there are several points of view, for example
in multi-party protocols, we will occasionally use the neuter “it”. While assigning
genders to the defender and adversary is of course arbitrary (and some readers might
indeed prefer the opposite assignment), it has the advantages of avoiding the syntactic
awkwardness of “he or she” and, more importantly, of enabling us to write with greater
clarity and precision.
Acknowledgments
Our many collaborators have made profound contributions to our understanding of
quantitative information flow — and we are particularly grateful to Arthur Américo,
Miguel Andrés, Nicolás Bordenabe, Chris Chen, Michael R. Clarkson, Pierpaolo
Degano, Kai Engelhardt, Barbara Espinoza, Natasha Fernandes, Jeremy Gibbons,
Michael Hicks, Yusuke Kawamoto, Boris Köpf, Piotr Mardziel, Larissa Meinicke,
Ziyuan Meng, Tahiry Rabehaja, Andre Scedrov, Fred B. Schneider, Tom Schrijvers,
David M. Smith, Marco Stronati, and Roland Wen.
The authors are grateful for support from Digiteo and the Inria équipe associée
Princess. Also, Mário S. Alvim was supported by the Computer Science Department
at Universidade Federal de Minas Gerais (DCC/UFMG), by the National Council for
Scientific and Technological Development (CNPq), by the Coordenação de
Aperfeiçoamento de Pessoal de Nível Superior (CAPES), and by the Fundação de Amparo à
Pesquisa de Minas Gerais (FAPEMIG). Konstantinos Chatzikokolakis was supported
by the Centre national de la recherche scientifique (CNRS), by the Institut national
de recherche en sciences et technologies du numérique (Inria), and by the Department
of Informatics and Telecommunications of the National and Kapodistrian University
of Athens. Annabelle McIver was supported by the Department of Computing at
Macquarie University and the Optus Macquarie Cyber Security Hub, Carroll Morgan
by the Trustworthy Systems Group of CSIRO’s Data61 and the School of Engineering
and Computer Science at the University of New South Wales, and both of them by
the Australian Research Council and the Information Security Group at ETH Zürich.
Catuscia Palamidessi was supported by the Institut national de recherche en sciences
et technologies du numérique (Inria), by her ERC grant HYPATIA and by the ANR
project REPAS. Geoffrey Smith was supported by the School of Computing and
Information Sciences at Florida International University and by the National Science
Foundation under grant CNS-1116318.
Belo Horizonte Mário S. Alvim
Athens Konstantinos Chatzikokolakis
Sydney Annabelle McIver
Sydney Carroll Morgan
Paris Catuscia Palamidessi
Miami Geoffrey Smith
April 2020
Contents
Preface
I Motivation
1 Introduction
1.1 A first discussion of information leakage
1.1.1 Secrets
1.1.2 Bayes vulnerability
1.1.3 Deterministic channels
1.1.4 Posterior distributions and hyper-distributions
1.1.5 Posterior Bayes vulnerability
1.1.6 Quantifying leakage
1.2 Looking ahead
1.3 Exercises
1.4 Chapter notes
II Secrets and How to Measure Them
2 Modeling secrets
2.1 Secrets and probability distributions
2.2 Shannon entropy
2.3 Bayes vulnerability
2.4 A more general view
2.5 Exercises
2.6 Chapter notes
3 On g-vulnerability
3.1 Basic definitions
3.1.1 Graphing g-vulnerability
3.2 A catalog of gain functions
3.2.1 The identity gain function
3.2.2 Gain functions induced from distance functions
3.2.3 Binary gain functions
3.2.4 Gain functions for a password database
3.2.5 A gain function that penalizes wrong guesses
3.2.6 A gain function for a medical diagnosis scenario
3.2.7 A loss function that gives guessing entropy
3.2.8 A loss function that gives Shannon entropy
3.3 Classes of gain functions
3.3.1 Finite-valued, non-negative vulnerabilities: the class $\mathbb{G}\mathcal{X}$
3.3.2 Finitely many actions: $\mathbb{G}^{\mathrm{fin}}\mathcal{X}$
3.3.3 Non-negative gain functions: $\mathbb{G}^{+}\mathcal{X}$
3.3.4 One-bounded gain functions: $\mathbb{G}^{l}\mathcal{X}$
3.4 Mathematical properties
3.4.1 Gain function algebra
3.5 On “absolute” versus “relative” security
3.6 Exercises
3.7 Chapter notes
III Channels and Information Leakage
4 Channels
4.1 Channel matrices
4.2 The effect of a channel on the adversary’s knowledge
4.3 From joint distributions to hyper-distributions
4.4 Abstract channels
4.5 More on abstract channels
4.6 A first look at channel compositions
4.6.1 Convex combinations of channels
4.6.2 Cascading and the Data-Processing Inequality
4.7 Exercises
4.8 Chapter notes
5 Posterior vulnerability and leakage
5.1 Posterior g-vulnerability and its basic properties
5.2 Multiplicative and additive g-leakage
5.3 A closer look at posterior Bayes vulnerability and Bayes leakage
5.4 Measuring leakage with Shannon entropy
5.5 More properties of posterior g-vulnerability and g-leakage
5.5.1 A matrix-based formulation of posterior g-vulnerability
5.5.2 A trace-based formulation of posterior g-vulnerability
5.5.3 A linear-programming formulation
5.6 Example channels and their leakage
5.7 Max-case posterior g-vulnerability
5.8 Exercises
5.9 Chapter notes
6 Robustness
6.1 The need for robustness
6.2 Approaches to robustness
6.3 Exercises
6.4 Chapter notes
7 Capacity
7.1 Multiplicative Bayes capacity
7.2 Additive Bayes capacity
7.3 General capacities
7.4 Multiplicative capacities
7.4.1 Fixed g, maximize over π
7.4.2 Fixed π, maximize over g
7.4.3 Maximize over both g and π
7.5 Additive capacities
7.5.1 Fixed g, maximize over π
7.5.2 Fixed π, maximize over g
7.5.3 Maximize over both g and π
7.6 Obtaining bounds on leakage
7.6.1 The additive miracle theorem
7.6.2 Improved miracle bounds
7.6.3 Examples
7.7 Exercises
7.8 Chapter notes
8 Composition of channels
8.1 Compositions of (concrete) channel matrices
8.1.1 Parallel composition
8.1.2 External fixed-probability choice
8.1.3 External conditional choice
8.1.4 External (general) probabilistic choice
8.1.5 Internal fixed-probability choice
8.1.6 Internal conditional choice
8.1.7 Internal (general) probabilistic choice
8.1.8 Cascading
8.2 Compositions of abstract channels
8.2.1 The issue of compositionality
8.2.2 Parallel composition
8.2.3 External fixed-probability choice
8.2.4 External conditional choice
8.2.5 External (general) probabilistic choice
8.2.6 The internal choices, and cascading
8.3 Exercises
8.4 Chapter notes
9 Refinement
9.1 Refinement: for the customer; for the developer
9.2 Structural refinement: the developer’s point of view
9.2.1 Structural refinement for deterministic channels
9.2.2 Structural refinement for probabilistic channels
9.3 Testing refinement: the customer’s point of view
9.4 Soundness of structural refinement
9.5 Completeness of structural refinement: the Coriaceous theorem
9.6 The structure of abstract channels under refinement
9.7 Refinement and monotonicity
9.7.1 Compositionality for contexts
9.7.2 Monotonicity with respect to refinement
9.8 Why does refinement (⊑) have to be so complicated? . . . . . . . . . . 160
9.8.1 Who gets to define refinement, anyway? . . . . . . . . . . . . . 160
9.8.2 A subjective argument: keeping the customer satisfied . . . . . 162
9.8.3 An objective argument: compositional closure . . . . . . . . . . 164
9.9 Capacity is unsuitable as a criterion for refinement . . . . . . . . . . . 166
9.10 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
9.11 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
10 The Dalenius perspective 171
10.1 Dalenius scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
10.2 Compositional closure for Dalenius contexts . . . . . . . . . . . . . . . 175
10.2.1 Safety and necessity with respect to Dalenius contexts . . . . . 175
10.2.2 Justifying refinement: an example . . . . . . . . . . . . . . . . 176
10.3 Bounding Dalenius leakage . . . . . . . . . . . . . . . . . . . . . . . . 177
10.4 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
11 Axiomatics 183
11.1 An axiomatic view of vulnerability . . . . . . . . . . . . . . . . . . . . 183
11.2 Axiomatization of prior vulnerabilities . . . . . . . . . . . . . . . . . . 185
11.2.1 Soundness and completeness of Vg with respect to continuous, convex functions . . . . . . . . . . . . . . . . . . . . . . . . . . 186
11.3 Axiomatization of posterior vulnerabilities . . . . . . . . . . . . . . . . 188
11.3.1 Possible definitions of posterior vulnerabilities . . . . . . . . . . 189
11.4 Applications of axiomatization to understanding leakage measures . . 197
11.5 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
12 The geometry of hypers, gains and losses 205
12.1 Barycentric representation of gain/loss functions . . . . . . . . . . . . 208
12.2 Barycentric representation of hypers and their refinement . . . . . . . 210
12.3 Primitive hyper-distributions and their refinements . . . . . . . . . . . 213
12.4 Hyper-distributions are not a lattice under refinement . . . . . . . . . 216
12.5 A geometric proof of antisymmetry of refinement . . . . . . . . . . . . 218
12.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
12.7 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
IV Information Leakage in Sequential Programs 223
13 Quantitative information flow in sequential computer programs 225
13.1 Markovs don’t leak; and channels don’t update . . . . . . . . . . . . . 226
13.2 Specifications and implementations: a review . . . . . . . . . . . . . . 228
13.2.1 When is one program better than another, and why? . . . . . . 228
13.2.2 When is one channel better than another, and why? . . . . . . 229
13.2.3 Programs and channels together: what is “better” for both? . . 230
13.3 Aligning functional refinement with information-flow refinement . . . . 230
13.3.1 Generalizing Hoare logic for probability . . . . . . . . . . . . . 230
13.3.2 Using loss functions . . . . . . . . . . . . . . . . . . . . . . . . 231
13.3.3 Refinement in general . . . . . . . . . . . . . . . . . . . . . . . 232
13.3.4 Initial-final correlations, and Dalenius . . . . . . . . . . . . . . 233
13.4 Larger information-flow-aware programs . . . . . . . . . . . . . . . . . 235
13.4.1 Sequential composition . . . . . . . . . . . . . . . . . . . . . . . 235
13.4.2 On the terms prior, posterior, initial and final . . . . . . . . . 240
13.4.3 Conditionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
13.4.4 The power of the adversary: gedanken experiments . . . . . . . 242
13.4.5 Iteration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
13.5 Syntax for probabilistic choice . . . . . . . . . . . . . . . . . . . . . . . 243
13.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
13.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
13.8 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
14 Hidden-Markov modeling of QIF in sequential programs 255
14.1 Concrete Hidden Markov Models . . . . . . . . . . . . . . . . . . . . . 255
14.1.1 A priori versus a posteriori reasoning — in more detail . . . . 257
14.2 Operations on and specializations of concrete HMM’s . . . . . . . . . 258
14.2.1 Pure-channel and pure-markov HMM’s . . . . . . . . . . . . . 258
14.2.2 Sequential composition of concrete HMM’s . . . . . . . . . . . 258
14.2.3 General (concrete) HMM’s . . . . . . . . . . . . . . . . . . . . 260
14.3 Abstract Hidden Markov Models . . . . . . . . . . . . . . . . . . . . . 260
14.3.1 Sequential (Kleisli) composition of abstract HMM’s . . . . . . 261
14.4 Syntax and abstract-HMM semantics of QIF-programs . . . . . . . . . 264
14.4.1 Probabilistic assignment . . . . . . . . . . . . . . . . . . . . . . 264
14.4.2 Information flow via channels: leaking with PRINT . . . . . . . 265
14.4.3 External probabilistic choice . . . . . . . . . . . . . . . . . . . 266
14.4.4 (Internal probabilistic choice) . . . . . . . . . . . . . . . . . . . 267
14.4.5 Sequential composition . . . . . . . . . . . . . . . . . . . . . . . 268
14.4.6 Conditional . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
14.4.7 Iteration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
14.4.8 Local variables . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
14.5 Leaks caused by conditionals and by external choice . . . . . . . . . . 270
14.6 Examples of small QIF programs . . . . . . . . . . . . . . . . . . . . . 272
14.6.1 First example: Bertrand’s Boxes . . . . . . . . . . . . . . . . . 272
14.6.2 Second example: Goldfish or piraña? . . . . . . . . . . . . . . . 274
14.6.3 Third example: Repeated independent runs . . . . . . . . . . . 275
14.7 Underlying and unifying structures: a summary . . . . . . . . . . . . . 275
14.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
14.9 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
15 Program algebra for QIF 283
15.1 Semantics, logic, and program algebra . . . . . . . . . . . . . . . . . . 283
15.2 Static visibility declarations; multiple variables . . . . . . . . . . . . . 284
15.3 Simple examples of program derivations in QIF . . . . . . . . . . . . . 286
15.3.1 The Encryption Lemma . . . . . . . . . . . . . . . . . . . . . . 286
15.3.2 From qualitative proofs to quantitative proofs . . . . . . . . . . 287
15.3.3 The One-Time Pad . . . . . . . . . . . . . . . . . . . . . . . . . 287
15.4 Algebraic rules for reordering statements . . . . . . . . . . . . . . . . . 290
15.5 Larger example 1: Oblivious Transfer . . . . . . . . . . . . . . . . . . 291
15.6 Larger example 2: Two-party conjunction, or The Lovers’ protocol . . 296
15.7 Sub-protocols and declassification . . . . . . . . . . . . . . . . . . . . . 298
15.8 Refinement and quantitative analyses . . . . . . . . . . . . . . . . . . . 298
15.9 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
15.10 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
16 Iteration and nontermination 307
16.1 Why iteration is “different” . . . . . . . . . . . . . . . . . . . . . . . . 307
16.2 Classical nontermination . . . . . . . . . . . . . . . . . . . . . . . . . . 307
16.3 Nontermination for markovs and channels . . . . . . . . . . . . . . . . 308
16.3.1 Nontermination for markovs . . . . . . . . . . . . . . . . . . . . 308
16.3.2 Nontermination for channels . . . . . . . . . . . . . . . . . . . 310
16.3.3 Applying abstract channels and markovs to sub-hypers . . . . . 310
16.3.4 The semantic model for nontermination . . . . . . . . . . . . . 311
16.4 The algebra of nontermination in QIF . . . . . . . . . . . . . . . . . . 311
16.5 A refinement order on sub−hyper-distributions . . . . . . . . . . . . . 313
16.6 From nontermination to termination . . . . . . . . . . . . . . . . . . . 316
16.7 Example of (certain) termination: how to design a password checker . 317
16.8 A taxonomy of refinement orders . . . . . . . . . . . . . . . . . . . . . 319
16.9 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
16.10 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
17 A demonic lattice of information 325
17.1 A deterministic lattice of information — the original . . . . . . . . . . 325
17.1.1 Historical introduction, intuition and abstraction . . . . . . . . 325
17.1.2 Structural definition of refinement for deterministic channels . 328
17.1.3 Testing, soundness and completeness: deterministic . . . . . . . 329
17.2 Our probabilistic partial order . . . . . . . . . . . . . . . . . . . . . . . 330
17.3 Basic structure of the demonic lattice . . . . . . . . . . . . . . . . . . 331
17.4 Examples of demonically nondeterministic channels . . . . . . . . . . . 334
17.5 Testing, soundness and completeness: demonic . . . . . . . . . . . . . 336
17.6 A reformulation of demonic testing . . . . . . . . . . . . . . . . . . . . 337
17.7 Reduced demonic channels . . . . . . . . . . . . . . . . . . . . . . . . . 339
17.8 Compositional closure . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
17.9 “Weakest pre-tests” and source-level reasoning . . . . . . . . . . . . . 342
17.10 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
17.11 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
V Applications 351
18 The Crowds protocol 353
18.1 Introduction to Crowds, and its purpose . . . . . . . . . . . . . . . . . 353
18.2 Modeling the Crowds protocol . . . . . . . . . . . . . . . . . . . . . . . 354
18.3 Bayes vulnerability and Bayes leakage . . . . . . . . . . . . . . . . . . 357
18.4 Explanation of the paradox . . . . . . . . . . . . . . . . . . . . . . . . 358
18.4.1 Modified Crowds . . . . . . . . . . . . . . . . . . . . . . . . . . 358
18.4.2 Vulnerability of the original protocol . . . . . . . . . . . . . . . 359
18.5 Why ϕ matters, even for uniform priors . . . . . . . . . . . . . . . . . 360
18.5.1 Probable innocence as no lion leakage . . . . . . . . . . . . . . 361
18.6 Refinement: increasing ϕ is always safe . . . . . . . . . . . . . . . . . . 361
18.7 Multiple paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
18.7.1 Paths recreated by the initiator . . . . . . . . . . . . . . . . . . 363
18.7.2 Paths repaired by the last working node . . . . . . . . . . . . . 364
18.7.3 Multiple detections and deviating from the protocol . . . . . . 365
18.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
18.9 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
19 Timing attacks on blinded and bucketed cryptography 369
19.1 Cryptographic background . . . . . . . . . . . . . . . . . . . . . . . . . 369
19.2 A first leakage bound . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
19.3 A better leakage bound . . . . . . . . . . . . . . . . . . . . . . . . . . 372
19.4 Analytic results about capb(n) . . . . . . . . . . . . . . . . . . . . . . . 374
19.5 Analytic proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
19.6 Another proof of Theorem 19.5 . . . . . . . . . . . . . . . . . . . . . . 384
19.7 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
20 Defense against side channels 389
20.1 Evaluating a defense against side channels . . . . . . . . . . . . . . . . 389
20.2 QIF exploration of the fast-exponentiation algorithm . . . . . . . . . . 391
20.2.1 Cost/benefit analysis . . . . . . . . . . . . . . . . . . . . . . . . 394
20.3 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
21 Multi-party computation: The Three Judges protocol 399
21.1 Introduction to The Three Judges . . . . . . . . . . . . . . . . . . . . 400
21.2 Developing an implementation of the Three Judges . . . . . . . . . . . 401
21.2.1 First attempt . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
21.2.2 Second development attempt (sketch) . . . . . . . . . . . . . . 402
21.2.3 Successful development . . . . . . . . . . . . . . . . . . . . . . 403
21.2.4 Two-party exclusive-or . . . . . . . . . . . . . . . . . . . . . . . 405
21.2.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
21.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
21.4 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
22 Voting systems 413
22.1 Elections and privacy risks . . . . . . . . . . . . . . . . . . . . . . . . . 413
22.2 An illustrative and simplified QIF model for elections . . . . . . . . . 414
22.2.1 The tallying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
22.2.2 The casting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
22.2.3 The Dalenius perspective: casting then tallying . . . . . . . . . 416
22.3 Election by simple majority: first past the post . . . . . . . . . . . . . 417
22.3.1 QIF channels for simple-majority elections: two examples . . . 417
22.4 Election by preferences: instant run-off . . . . . . . . . . . . . . . . . . 418
22.4.1 QIF channels for instant−run-off elections: two examples . . . 419
22.5 Gain functions for privacy of elections: a first example . . . . . . . . . 419
22.6 The effect of small electorates in general . . . . . . . . . . . . . . . . . 421
22.7 Case studies of small-electorate impact . . . . . . . . . . . . . . . . . . 422
22.7.1 First past the post, in small electorates . . . . . . . . . . . . . 422
22.7.2 Instant run-off in small electorates . . . . . . . . . . . . . . . . 426
22.8 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
23 Differential privacy 433
23.1 Notation and definition . . . . . . . . . . . . . . . . . . . . . . . . . . 434
23.2 Mechanisms as information-theoretic channels . . . . . . . . . . . . . . 435
23.3 The relation between differential privacy and multiplicative g-leakage . 436
23.3.1 Bounds on leakage do not imply differential privacy . . . . . . 438
23.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
23.5 Chapter notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Glossary and Index 445
List of definitions, theorems, examples, etc.
Theorem 1.1 . . . . . . . . . . . . . . . 8
Corollary 1.2 . . . . . . . . . . . . . . . 9
Definition 2.1 . . . . . . . . . . . 17
Conjecture 2.2 . . . . . . . . . . . . 20
Definition 2.3 . . . . . . . . . . . 20
Definition 3.1 . . . . . . . . . . . 25
Definition 3.2 . . . . . . . . . . . 26
Example 3.3 . . . . . . . . . . . . . . 26
Definition 3.4 . . . . . . . . . . . 27
Definition 3.5 . . . . . . . . . . . . . 30
Theorem 3.6 . . . . . . . . . . . . . . 30
Definition 3.7 . . . . . . . . . . . . . 30
Definition 3.8 . . . . . . . . . . . . . 31
Definition 3.9 . . . . . . . . . . . . . 39
Definition 3.10 . . . . . . . . . . . . 40
Definition 3.11 . . . . . . . . . . . . 40
Definition 3.12 . . . . . . . . . . . . 41
Theorem 3.13 . . . . . . . . . . . . . 41
Theorem 3.14 . . . . . . . . . . . . . 42
Definition 4.1 . . . . . . . . . . . 50
Example 4.2 . . . . . . . . . . . . . . 52
Theorem 4.3 . . . . . . . . . . . . . . 53
Example 4.4 . . . . . . . . . . . . . . 56
Definition 4.5 . . . . . . . . . . . 56
Definition 4.6 . . . . . . . . . . . . . 57
Definition 4.7 . . . . . . . . . . . 57
Corollary 4.8 . . . . . . . . . . . . 58
Definition 4.9 . . . . . . . . . . . . . 59
Theorem 4.10 . . . . . . . . . . . . . 59
Corollary 4.11 . . . . . . . . . . . . . 59
Example 4.12 . . . . . . . . . . . . . 59
Definition 4.13 . . . . . . . . . . . . 60
Definition 4.14 . . . . . . . . . . . . 61
Example 4.15 . . . . . . . . . . . . . 61
Theorem 4.16 . . . . . . . . . . . . . 62
Example 4.17 . . . . . . . . . . . . . 62
Definition 4.18 . . . . . . . . . . 64
Example 5.1 . . . . . . . . . . . . . . 71
Definition 5.2 . . . . . . . . . . . 72
Example 5.3 . . . . . . . . . . . . . . 73
Example 5.4 . . . . . . . . . . . . . . 73
Example 5.5 . . . . . . . . . . . . . . 75
Theorem 5.6 . . . . . . . . . . . . . . 77
Theorem 5.7 . . . . . . . . . . . . . . 78
Theorem 5.8 . . . . . . . . . . . . 78
Theorem 5.9 . . . . . . . . . . . . 79
Theorem 5.10 . . . . . . . . . . . . . 79
Definition 5.11 . . . . . . . . . . 80
Theorem 5.12 . . . . . . . . . . . . . 80
Theorem 5.13 . . . . . . . . . . . . . 81
Example 5.14 . . . . . . . . . . . . . 81
Theorem 5.15 . . . . . . . . . . . . . 83
Example 5.16 . . . . . . . . . . . . . 83
Theorem 5.17 . . . . . . . . . . . . . 84
Theorem 5.18 . . . . . . . . . . . . . 86
Example 5.19 . . . . . . . . . . . . . 87
Theorem 5.20 . . . . . . . . . . . . . 87
Definition 5.21 . . . . . . . . . . . . 87
Lemma 5.22 . . . . . . . . . . . . . . . 88
Theorem 5.23 . . . . . . . . . . . . . 88
Theorem 5.24 . . . . . . . . . . . 89
Example 5.25 . . . . . . . . . . . . . 89
Example 5.26 . . . . . . . . . . . . . 89
Algorithm 5.27 . . . . . . . . . . . . 90
Algorithm 5.28 . . . . . . . . . . . . 91
Definition 5.29 . . . . . . . . . . . . 93
Theorem 5.30 . . . . . . . . . . . . . 94
Theorem 5.31 . . . . . . . . . . . . . 94
Definition 7.1 . . . . . . . . . . 107
Theorem 7.2 . . . . . . . . . . . 108
Corollary 7.3 . . . . . . . . . . . . . 108
Corollary 7.4 . . . . . . . . . . . . . 108
Theorem 7.5 . . . . . . . . . . . 109
Example 7.6 . . . . . . . . . . . . . 109
Theorem 7.7 . . . . . . . . . . . . . 110
Theorem 7.8 . . . . . . . . . . . . . 110
Definition 7.9 . . . . . . . . . . 111
Example 7.10 . . . . . . . . . . . . 111
Theorem 7.11 . . . . . . . . . . 112
Theorem 7.12 . . . . . . . . . . 113
Definition 7.13 . . . . . . . . . 116
Theorem 7.14 . . . . . . . . . . . . 118
Example 7.15 . . . . . . . . . . . . 118
Definition 7.16 . . . . . . . . . . . 121
Definition 7.17 . . . . . . . . . . . 121
Lemma 7.18 . . . . . . . . . . . . . 121
Lemma 7.19 . . . . . . . . . . . . . 122
Theorem 7.20 . . . . . . . . . . . . 122
Theorem 7.21 . . . . . . . . . . 122
Example 7.22 . . . . . . . . . . . . 123
Theorem 7.23 . . . . . . . . . . 124
Theorem 7.24 . . . . . . . . . . . . 125
Definition 8.1 . . . . . . . . . . 132
Definition 8.2 . . . . . . . . . . 133
Definition 8.3 . . . . . . . . . . 134
Definition 8.4 . . . . . . . . . . 135
Definition 8.5 . . . . . . . . . . 136
Definition 8.6 . . . . . . . . . . . . 138
Definition 8.7 . . . . . . . . . . . . 138
Definition 8.8 . . . . . . . . . . . . 139
Definition 8.9 . . . . . . . . . . . . 139
Definition 8.10 . . . . . . . . . . . 140
Definition 8.11 . . . . . . . . . . . 140
Definition 8.12 . . . . . . . . . . . 141
Lemma 8.13 . . . . . . . . . . . . . 141
Definition 8.14 . . . . . . . . . . . 141
Lemma 8.15 . . . . . . . . . . . . . 141
Definition 9.1 . . . . . . . . . . . . 149
Theorem 9.2 . . . . . . . . . . . . . 149
Theorem 9.3 . . . . . . . . . . . . . 149
Theorem 9.4 . . . . . . . . . . . . . 150
Definition 9.5 . . . . . . . . . . 150
Definition 9.6 . . . . . . . . . . 151
Theorem 9.7 . . . . . . . . . . . . . 151
Example 9.8 . . . . . . . . . . . . . 151
Corollary 9.9 . . . . . . . . . . . . . 152
Definition 9.10 . . . . . . . . . 152
Theorem 9.11 . . . . . . . . . . 153
Theorem 9.12 . . . . . . . . . . 155
Theorem 9.13 . . . . . . . . . . 156
Theorem 9.14 . . . . . . . . . . 157
Example 9.15 . . . . . . . . . . . . 158
Definition 9.16 . . . . . . . . . . . 160
Definition 9.17 . . . . . . . . . . . 162
Example 9.18 . . . . . . . . . . . . 163
Definition 9.19 . . . . . . . . . . . 165
Example 9.20 . . . . . . . . . . . . 166
Definition 10.1 . . . . . . . . . 173
Theorem 10.2 . . . . . . . . . . 173
Example 10.3 . . . . . . . . . . . . 173
Theorem 10.4 . . . . . . . . . . 175
Definition 10.5 . . . . . . . . . 177
Theorem 10.6 . . . . . . . . . . 178
Theorem 10.7 . . . . . . . . . . . . 178
Theorem 10.8 . . . . . . . . . . 179
Definition 11.1 . . . . . . . . . 185
Definition 11.2 . . . . . . . . . 185
Definition 11.3 . . . . . . . . . 186
Theorem 11.4 . . . . . . . . . . 187
Theorem 11.5 . . . . . . . . . . 187
Definition 11.6 . . . . . . . . . 188
Definition 11.7 . . . . . . . . . 188
Definition 11.8 . . . . . . . . . 189
Definition 11.9 . . . . . . . . . 190
Theorem 11.10 . . . . . . . . . . . 190
Theorem 11.11 . . . . . . . . . . . 191
Theorem 11.12 . . . . . . . . . . . 191
Lemma 11.13 . . . . . . . . . . . . 191
Theorem 11.14 . . . . . . . . . . . 192
Definition 11.15 . . . . . . . 193
Theorem 11.16 . . . . . . . . . . . 193
Example 11.17 . . . . . . . . . . . 194
Theorem 11.18 . . . . . . . . . . . 194
Theorem 11.19 . . . . . . . . . . . 194
Corollary 11.20 . . . . . . . . . . 195
Definition 11.21 . . . . . . . 195
Theorem 11.22 . . . . . . . . . . . 196
Example 11.23 . . . . . . . . . . . 196
Definition 12.1 . . . . . . . . . . . 210
Lemma 12.2 . . . . . . . . . . . . . 213
Definition 12.3 . . . . . . . . . . . 216
Lemma 12.4 . . . . . . . . . . . . . 218
Corollary 12.5 . . . . . . . . . . . . 218
Example 12.6 . . . . . . . . . . . . 220
Definition 13.1 . . . . . . . . . . . 232
Definition 14.1 . . . . . . . . . . . 258
Definition 14.2 . . . . . . . . . . . 260
Definition 14.3 . . . . . . . . . 262
Theorem 14.4 . . . . . . . . . . 263
Definition 16.1 . . . . . . . . . . . 309
Definition 16.2 . . . . . . . . . . . 313
Definition 16.3 . . . . . . . . . . . 314
Definition 16.4 . . . . . . . . . . . 314
Lemma 16.5 . . . . . . . . . . . . . 315
Corollary 16.6 . . . . . . . . . . . . 315
Theorem 16.7 . . . . . . . . . . . . 315
Theorem 16.8 . . . . . . . . . . . . 316
Definition 17.1 . . . . . . . . . . . 331
Definition 17.2 . . . . . . . . . . . 332
Definition 17.3 . . . . . . . . . . . 332
Definition 17.4 . . . . . . . . . . . 333
Definition 17.5 . . . . . . . . . . . 333
Lemma 17.6 . . . . . . . . . . . . . 333
Lemma 17.7 . . . . . . . . . . . . . 333
Lemma 17.8 . . . . . . . . . . . . . 333
Lemma 17.9 . . . . . . . . . . . . . 334
Theorem 17.10 . . . . . . . . . . . 337
Definition 17.11 . . . . . . . . . . 337
Lemma 17.12 . . . . . . . . . . . . 338
Lemma 17.13 . . . . . . . . . . . . 339
Definition 17.14 . . . . . . . . . . 339
Lemma 17.15 . . . . . . . . . . . . 339
Definition 17.16 . . . . . . . . . . 340
Definition 17.17 . . . . . . . . . . 340
Theorem 17.18 . . . . . . . . . . . 341
Definition 18.1 . . . . . . . . . 354
Theorem 18.2 . . . . . . . . . . 361
Theorem 18.3 . . . . . . . . . . 363
Theorem 18.4 . . . . . . . . . . . . 363
Theorem 19.1 . . . . . . . . . . . . 371
Definition 19.2 . . . . . . . . . 372
Theorem 19.3 . . . . . . . . . . 373
Theorem 19.4 . . . . . . . . . . 375
Theorem 19.5 . . . . . . . . . . . . 376
Theorem 19.6 . . . . . . . . . . . . 377
Theorem 19.7 . . . . . . . . . . 377
Theorem 19.8 . . . . . . . . . . . . 377
Definition 22.1 . . . . . . . . . . . 419
Definition 22.2 . . . . . . . . . . . 420
Definition 22.3 . . . . . . . . . . . 420
Definition 22.4 . . . . . . . . . . . 420
Definition 22.5 . . . . . . . . . . . 421
Definition 22.6 . . . . . . . . . . . 422
Theorem 22.7 . . . . . . . . . . . . 423
Theorem 22.8 . . . . . . . . . . . . 423
Definition 23.1 . . . . . . . . . . . 435
Theorem 23.2 . . . . . . . . . . . . 437
Corollary 23.3 . . . . . . . . . . . . 437
Theorem 23.4 . . . . . . . . . . . . 437
Example 23.5 . . . . . . . . . . . . 438
Example 23.6 . . . . . . . . . . . . 439
List of figures
Figure 3.1 . . . . . . . . . . . . . . . . . 28
Figure 3.2 . . . . . . . . . . . . . . . . . 29
Figure 3.3 . . . . . . . . . . . . . . . . . 35
Figure 3.4 . . . . . . . . . . . . . . . . . 36
Figure 3.5 . . . . . . . . . . . . . . . . . 37
Figure 4.1 . . . . . . . . . . . . . . . . . 53
Figure 5.1 . . . . . . . . . . . . . . . . . 75
Figure 5.2 . . . . . . . . . . . . . . . . . 76
Figure 5.3 . . . . . . . . . . . . . . . . . 77
Figure 5.4 . . . . . . . . . . . . . . . . . 82
Figure 9.1 . . . . . . . . . . . . . . . . 148
Figure 9.2 . . . . . . . . . . . . . . . . 156
Figure 9.3 . . . . . . . . . . . . . . . . 162
Figure 11.1 . . . . . . . . . . . . . . 190
Figure 11.2 . . . . . . . . . . . . . . 193
Figure 11.3 . . . . . . . . . . . . . . 198
Figure 12.1 . . . . . . . . . . . . . . 206
Figure 12.2 . . . . . . . . . . . . . . 207
Figure 12.3 . . . . . . . . . . . . . . 211
Figure 12.4 . . . . . . . . . . . . . . 211
Figure 12.5 . . . . . . . . . . . . . . 212
Figure 12.6 . . . . . . . . . . . . . . 212
Figure 12.7 . . . . . . . . . . . . . . 214
Figure 12.8 . . . . . . . . . . . . . . 215
Figure 12.9 . . . . . . . . . . . . . . 217
Figure 12.10 . . . . . . . . . . . . . 217
Figure 12.11 . . . . . . . . . . . . . 219
Figure 14.1 . . . . . . . . . . . . . . 256
Figure 14.2 . . . . . . . . . . . . . . 259
Figure 14.3 . . . . . . . . . . . . . . 263
Figure 15.1 . . . . . . . . . . . . . . 295
Figure 15.2 . . . . . . . . . . . . . . 299
Figure 17.1 . . . . . . . . . . . . . . 326
Figure 17.2 . . . . . . . . . . . . . . 327
Figure 17.3 . . . . . . . . . . . . . . 327
Figure 17.4 . . . . . . . . . . . . . . 329
Figure 17.5 . . . . . . . . . . . . . . 329
Figure 17.6 . . . . . . . . . . . . . . 330
Figure 17.7 . . . . . . . . . . . . . . 343
Figure 18.1 . . . . . . . . . . . . . . 354
Figure 18.2 . . . . . . . . . . . . . . 357
Figure 18.3 . . . . . . . . . . . . . . 361
Figure 19.1 . . . . . . . . . . . . . . 373
Figure 19.2 . . . . . . . . . . . . . . 374
Figure 19.3 . . . . . . . . . . . . . . 375
Figure 20.1 . . . . . . . . . . . . . . 390
Figure 20.2 . . . . . . . . . . . . . . 391
Figure 20.3 . . . . . . . . . . . . . . 392
Figure 20.4 . . . . . . . . . . . . . . 393
Figure 21.1 . . . . . . . . . . . . . . 406
Figure 21.2 . . . . . . . . . . . . . . 407
Figure 21.3 . . . . . . . . . . . . . . 408
Figure 22.1 . . . . . . . . . . . . . . 418
Figure 22.2 . . . . . . . . . . . . . . 424
Figure 22.3 . . . . . . . . . . . . . . 424
Figure 22.4 . . . . . . . . . . . . . . 425
Figure 22.5 . . . . . . . . . . . . . . 426
Figure 22.6 . . . . . . . . . . . . . . 427
Figure 22.7 . . . . . . . . . . . . . . 428
Figure 22.8 . . . . . . . . . . . . . . 428
Figure 22.9 . . . . . . . . . . . . . . 429
Figure 23.1 . . . . . . . . . . . . . . 435
Figure 23.2 . . . . . . . . . . . . . . 436
Figure 23.3 . . . . . . . . . . . . . . 438
Figure 23.4 . . . . . . . . . . . . . . 439
List of exercises
Exercise 1.1 . . . . . . . . . . . . . . . 11
Exercise 1.2 . . . . . . . . . . . . . . . 11
Exercise 2.1 . . . . . . . . . . . . . . . 22
Exercise 3.1 . . . . . . . . . . . . . . . 44
Exercise 3.2 . . . . . . . . . . . . . . . 44
Exercise 4.1 . . . . . . . . . . . . . . . 65
Exercise 4.2 . . . . . . . . . . . . . . . 66
Exercise 4.3 . . . . . . . . . . . . . . . 66
Exercise 4.4 . . . . . . . . . . . . . . . 66
Exercise 5.1 . . . . . . . . . . . . . . . 94
Exercise 5.2 . . . . . . . . . . . . . . . 94
Exercise 5.3 . . . . . . . . . . . . . . . 94
Exercise 5.4 . . . . . . . . . . . . . . . 95
Exercise 5.5 . . . . . . . . . . . . . . . 96
Exercise 5.6 . . . . . . . . . . . . . . . 96
Exercise 5.7 . . . . . . . . . . . . . . . 96
Exercise 6.1 . . . . . . . . . . . . . . 103
Exercise 7.1 . . . . . . . . . . . . . . 127
Exercise 7.2 . . . . . . . . . . . . . . 127
Exercise 7.3 . . . . . . . . . . . . . . 127
Exercise 7.4 . . . . . . . . . . . . . . 127
Exercise 7.5 . . . . . . . . . . . . . . 127
Exercise 8.1 . . . . . . . . . . . . . . 142
Exercise 8.2 . . . . . . . . . . . . . . 142
Exercise 8.3 . . . . . . . . . . . . . . 142
Exercise 8.4 . . . . . . . . . . . . . . 142
Exercise 8.5 . . . . . . . . . . . . . . 143
Exercise 8.6 . . . . . . . . . . . . . . 143
Exercise 8.7 . . . . . . . . . . . . . . 143
Exercise 8.8 . . . . . . . . . . . . . . 143
Exercise 8.9 . . . . . . . . . . . . . . 143
Exercise 8.10 . . . . . . . . . . . . . 143
Exercise 8.11 . . . . . . . . . . . . . 143
Exercise 8.12 . . . . . . . . . . . . . 143
Exercise 9.1 . . . . . . . . . . . . . . 167
Exercise 9.2 . . . . . . . . . . . . . . 167
Exercise 9.3 . . . . . . . . . . . . . . 167
Exercise 9.4 . . . . . . . . . . . . . . 167
Exercise 9.5 . . . . . . . . . . . . . . 167
Exercise 9.6 . . . . . . . . . . . . . . 167
Exercise 9.7 . . . . . . . . . . . . . . 167
Exercise 9.8 . . . . . . . . . . . . . . 167
Exercise 9.9 . . . . . . . . . . . . . . 167
Exercise 9.10 . . . . . . . . . . . . . 167
Exercise 12.1 . . . . . . . . . . . . . 220
Exercise 13.1 . . . . . . . . . . . . . 246
Exercise 13.2 . . . . . . . . . . . . . 246
Exercise 13.3 . . . . . . . . . . . . . 247
Exercise 13.4 . . . . . . . . . . . . . 247
Exercise 14.1 . . . . . . . . . . . . . 278
Exercise 14.2 . . . . . . . . . . . . . 278
Exercise 14.3 . . . . . . . . . . . . . 279
Exercise 14.4 . . . . . . . . . . . . . 279
Exercise 14.5 . . . . . . . . . . . . . 279
Exercise 15.1 . . . . . . . . . . . . . 301
Exercise 15.2 . . . . . . . . . . . . . 301
Exercise 15.3 . . . . . . . . . . . . . 302
Exercise 15.4 . . . . . . . . . . . . . 302
Exercise 15.5 . . . . . . . . . . . . . 302
Exercise 15.6 . . . . . . . . . . . . . 303
Exercise 15.7 . . . . . . . . . . . . . 303
Exercise 15.8 . . . . . . . . . . . . . 303
Exercise 15.9 . . . . . . . . . . . . . 303
Exercise 15.10 . . . . . . . . . . . . 303
Exercise 15.11 . . . . . . . . . . . . 303
Exercise 15.12 . . . . . . . . . . . . 303
Exercise 15.13 . . . . . . . . . . . . 303
Exercise 16.1 . . . . . . . . . . . . . 321
Exercise 16.2 . . . . . . . . . . . . . 321
Exercise 16.3 . . . . . . . . . . . . . 321
Exercise 16.4 . . . . . . . . . . . . . 321
Exercise 16.5 . . . . . . . . . . . . . 321
Exercise 17.1 . . . . . . . . . . . . . 345
Exercise 17.2 . . . . . . . . . . . . . 345
Exercise 17.3
Exercise 17.4
Exercise 17.5
Exercise 17.6
Exercise 17.7
Exercise 17.8
Exercise 17.9
Exercise 17.10
Exercise 17.11
Exercise 17.12
Exercise 17.13
Exercise 18.1
Exercise 18.2
Exercise 21.1
Exercise 21.2
Exercise 21.3
Exercise 21.4
Exercise 23.1
Exercise 23.2
Exercise 23.3
Exercise 23.4
Part I
Motivation
Chapter 1
Introduction
Protecting sensitive information from improper disclosure or corruption is a long-standing,
fundamental goal of computer security: but it is one that is not currently
being achieved well at all, as is evident from continual news reports of large-scale data
compromises. Such compromises result from many causes, of course. Sometimes the
compromises are essentially social, as in “phishing” attacks: users are led to fraudulent
websites and tricked into disclosing their authentication credentials there, enabling
attackers to impersonate them and to gain access to their sensitive data. Other
compromises are more technical, resulting from flaws (both malicious and inadvertent)
in the design and implementation of computer systems that process sensitive data.
Whenever a compromise is discovered, it is natural and important to investigate its
particular causes, so that whatever flaws were exploited can be corrected. But the
approach of patching flaws as they are discovered is fundamentally limited — at best
it brings us to a situation where all the flaws we know about have been corrected, but
it leaves open the question of whether there might be other flaws yet to be discovered.
Achieving a secure and trustworthy cyber-infrastructure requires a more disciplined
approach, one where the focus turns from particular attacks to a true science of
security. This book aims to contribute to such a science by carefully studying one
aspect of computer security, namely the information flow that occurs when a computer
system processes sensitive information.
Imagine a system that is given some sensitive information as input and then, as it
processes it, somehow produces some publicly observable output. The output might be
the result of the computation, intentionally made public, or it might be some aspect
of the computation itself, such as time taken, or energy used, or number of cache
faults — such outputs, often unintentional, are called side channels. A basic question
that we wish to answer is whether the system causes some of the sensitive information
to “flow” from the input to the observable output, thereby causing “leakage” of that
information — and of course we need to understand precisely what that means. Also,
while our first thought might be that a “secure” system should have no such leakage,
we find in fact that some leakage is unavoidable in many practical situations.
Consider for example a password checker that has been given a secret password,
which of course it should not leak. But when a user tries to log in with some guessed
password, the checker must reveal whether the guess is correct or not, and rejecting
an incorrect guess leaks the fact that the secret password is different from the guess.
As a second example, consider an election-tallying program that takes as inputs
the ballots of a group of voters. Typically we would demand that the ballots be
kept secret, yet the election system needs to output the result of the election, usually
including the tally of votes for each candidate. That clearly leaks some information
about the secret ballots — in the extreme case of an election that turns out to be
unanimous, for instance, the tally reveals how everyone voted. What then is the best
choice for publishing the election results so that the aims of both integrity and privacy
are served?
© Springer Nature Switzerland AG 2020
M. S. Alvim et al., The Science of Quantitative Information Flow, Information
Security and Cryptography, https://doi.org/10.1007/978-3-319-96131-6_1
A third example involves side channels. In typical implementations the time required
to do an RSA decryption varies, depending on the secret key: that can lead to a
timing attack. Similarly, the cache state that results from an AES decryption varies,
depending on the secret key. In both those cases, there is then leakage from the
secret key to system timing or caching behavior, which might be publicly observable
and might indeed leak enough to allow an adversary to recover the secret key. If some
defense against the side channel is employed, how do we determine its effectiveness?
Those last examples highlight an important challenge concerning the modeling of
the computer systems we wish to analyze. To facilitate our analyses, we would prefer
simple mathematical models that exhibit the essential features of the systems while
abstracting from irrelevant details. But what is essential and what is irrelevant? As
shown by side channels, many low-level system details (e.g. timing, caching behavior,
power consumption), which a mathematical model might naturally ignore, turn out to
give significant leaks of sensitive information. As a consequence, we need to choose
system models with a skeptical eye, always being mindful of the abstractions that
we make and sensitive to the issues that we might be overlooking. In the case of a
password checker, for instance, we might model the checker as outputting only whether
the guessed password is correct or not. But it might turn out that the implementation
of the checker works by comparing the guess to the secret password character by
character, rejecting as soon as a mismatch is found. In that case, the time taken by
the checker would be proportional to the length of the maximum correct prefix of the
guess. If an adversary could observe that running time precisely, the leakage would be
far greater.
Returning to the issue of whether a system leaks sensitive information, we see from
the above examples that “whether” is often not very useful, as all of those systems
do in fact leak some information. But it is intuitively clear that many of those leaks
are “small”, and that suggests that it would be more fruitful to ask instead how much
sensitive information is leaked and how useful it is to the adversary: perhaps it’s
“large”? In the case of an election system, for instance, we would expect to be able to
show that if the number of voters is large, then the leakage caused by releasing the
tally is somehow “small”, enabling us to show that a quantitative leakage policy is
satisfied. But what, precisely, would such a policy mean, and what security guarantees
would it provide?
To address such questions, in this book we develop a theory of Quantitative
Information Flow, which aims to explain precisely what information leakage is, how
it can be assessed quantitatively, and how systems can be constructed that satisfy
rigorous information-flow guarantees. We begin in the following section with an
informal discussion of information leakage, briefly introducing some key concepts of
Quantitative Information Flow and trying to build intuition that will motivate the
detailed discussion in later chapters.
1.1 A first discussion of information leakage
In this section we discuss information leakage in a “toy” system, chosen to make the
analysis relatively simple.
1.1.1 Secrets
Let us consider a simple example. Suppose that a secret called X is generated by
rolling a pair of distinguishable dice, one red and one white. Then the set $\mathcal{X}$ of possible
values of X has 36 elements, as shown here:
We can write each such value more compactly as a pair (r, w), where r is the value of
the red die and w is the value of the white die. (From a security perspective, we can
think of X as a two-digit PIN, where the digits are limited to numbers from 1 to 6.)
What does it mean to say that X is a secret with respect to an adversary? We take
that to mean that the adversary knows only a probability distribution π that specifies
the probability $\pi_x$ of each possible value x of X. (Secrets will be defined formally in
Def. 2.1.) If we assume here that the two dice are fair and independent, then in fact π
will be uniform, i.e. will be such that $\pi_x = \pi_{x'}$ for all $x, x'$ in $\mathcal{X}$. As a mnemonic, we
will usually write ϑ for the uniform distribution, generic in $\mathcal{X}$,[1] so that in this case
the probability 1/36 is assigned to each outcome: that is,
$$\vartheta_{(1,1)} = \vartheta_{(1,2)} = \vartheta_{(1,3)} = \cdots = \vartheta_{(6,6)} = 1/36 .$$
In general (i.e. whether it is uniform or not) we refer to the above as a prior distribution,
because it reflects the adversary’s knowledge about X before observing the output of
a system. Later we will discuss posterior distributions, which reflect the adversary’s
knowledge after observing the output.
1.1.2 Bayes vulnerability
Assuming that the adversary’s knowledge of X is limited to π, we now wish to quantify
the “threat” to X. As we will discuss subsequently, there are many reasonable ways of
doing that. But for now we focus on a basic measure that we call Bayes vulnerability,
and which is an adversary’s maximum probability of guessing the value of X correctly
in one try — clearly the adversary should guess any value x whose probability $\pi_x$ is
maximum. Denoting the Bayes vulnerability of π by $V_1(\pi)$, we then have
$$V_1(\pi) := \max_{x \in \mathcal{X}} \pi_x .$$
(The “1” subscript in $V_1$ is chosen to reflect the “one try” nature of Bayes vulnerability,
which is discussed in detail in §2.3.) In our dice example, where the prior π is the
uniform distribution ϑ, we have $V_1(\pi) = V_1(\vartheta) = 1/36$, since 1/36 is the maximum
probability assigned by ϑ; in that case note that all 36 of the possible values are
equally good guesses.
[1] Think of ϑ as an elaborate “u”.
1.1.3 Deterministic channels
Now we turn our attention to the information leakage caused by a system C that
processes a secret X.[2] In the first part of this book, we consider systems that take a
secret X as input and whose only publicly observable behavior is to produce an output
Y; such systems are known as channels. In this section we restrict our attention to
deterministic channels, where each input value x leads to a unique output value y,
which we describe as C(x)=y. (More general systems are considered in Parts III and
IV.) What is the effect of such a C on the secrecy of X? The key observation is that
an adversary seeing an output value y learns that the value of X must be one of the
values in $\mathcal{X}$ that are mapped by C to y; all other values for X are eliminated. (That
conclusion depends on the worst-case assumption, which we make throughout this
book, that the adversary knows how channel C works. That assumption is related
to the slogan “No security through obscurity” and it is sometimes called Kerckhoffs’
Principle.)
Returning to our dice example, we suppose that C takes as input the value (r, w)
of X and outputs the sum of the two dice, so that C(r, w) = r+w. (From a security
perspective, we can think of C as a malicious program that leaks the sum of the digits
of a PIN.)
Here the space $\mathcal{Y}$ of possible output values is {2, 3, 4, . . . , 12}, and the effect is to
partition the space $\mathcal{X}$ into blocks consisting of the pairs of dice that sum to each of
those values:
Y     Possible values of X
2     {(1, 1)}
3     {(1, 2), (2, 1)}
4     {(1, 3), (2, 2), (3, 1)}
5     {(1, 4), (2, 3), (3, 2), (4, 1)}
6     {(1, 5), (2, 4), (3, 3), (4, 2), (5, 1)}
7     {(1, 6), (2, 5), (3, 4), (4, 3), (5, 2), (6, 1)}
8     {(2, 6), (3, 5), (4, 4), (5, 3), (6, 2)}
9     {(3, 6), (4, 5), (5, 4), (6, 3)}
10    {(4, 6), (5, 5), (6, 4)}
11    {(5, 6), (6, 5)}
12    {(6, 6)}
That partition reflects the 11 possible states of knowledge, or “worlds”, that an
adversary seeing the output of C can end up in. Note that those blocks are not equally
good from the adversary’s perspective: the blocks when Y is 2 or 12 are singletons,
meaning that the value of X is known exactly, while the block when Y is 7 has size 6,
meaning that the value of X remains quite uncertain.
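The dice channel above and the early-exit password checker from the introduction can be put through the same calculation. The following Python sketch is an added example, not code from the book: all function names are illustrative, the fixed guess (3, 4) is a constructed value, and it goes one step beyond this section by also computing the expected one-try guessing probability after the output is seen, using the standard definition (for each output, the adversary guesses the likeliest secret in that output's block).

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

# Secret space from the text: ordered (red, white) dice pairs,
# i.e. a two-digit PIN whose digits range over 1..6.
SECRETS = list(product(range(1, 7), repeat=2))
# Uniform prior: probability 1/36 for each of the 36 secrets.
UNIFORM = {x: Fraction(1, len(SECRETS)) for x in SECRETS}


def bayes_vulnerability(prior):
    """V1(pi): the adversary's best chance of guessing X in one try."""
    return max(prior.values())


def partition(prior, channel):
    """Blocks induced by a deterministic channel: output -> possible secrets."""
    blocks = defaultdict(list)
    for x, p in prior.items():
        if p > 0:  # secrets the adversary already rules out form no block
            blocks[channel(x)].append(x)
    return dict(blocks)


def posterior_bayes_vulnerability(prior, channel):
    """Expected one-try success after observing the channel output.

    For every output the adversary guesses the likeliest secret in that
    block; adding up the prior mass of those guesses gives the overall
    probability of guessing correctly.
    """
    blocks = partition(prior, channel)
    return sum(max(prior[x] for x in block) for block in blocks.values())


def dice_sum(secret):
    """The channel C(r, w) = r + w from the text."""
    r, w = secret
    return r + w


def make_result_only_checker(guess):
    """Idealised password checker: reveals only accept/reject."""
    return lambda secret: secret == guess


def make_early_exit_checker(guess):
    """Checker whose running time reveals the length of the correct prefix.

    The observable is the number of leading positions that matched before
    the comparison stopped, standing in for the precise running time.
    """
    def channel(secret):
        matched = 0
        for s, g in zip(secret, guess):
            if s != g:
                break
            matched += 1
        return matched
    return channel


def summarize(name, channel, prior=UNIFORM):
    """Return (name, block sizes per output, prior V1, posterior V1)."""
    sizes = {y: len(b) for y, b in sorted(partition(prior, channel).items())}
    return (name, sizes, bayes_vulnerability(prior),
            posterior_bayes_vulnerability(prior, channel))


if __name__ == "__main__":
    guess = (3, 4)  # constructed guess for the two checker models
    channels = [
        ("constant output", lambda secret: 0),
        ("result-only checker", make_result_only_checker(guess)),
        ("early-exit checker", make_early_exit_checker(guess)),
        ("sum of the dice", dice_sum),
    ]
    for name, channel in channels:
        name, sizes, before, after = summarize(name, channel)
        print(f"{name:20} blocks={sizes} V1 before={before} after={after}")
```

Under the uniform prior every block contributes 1/36, so the result is simply the number of blocks divided by 36: the more finely a channel splits the secret space, the more it helps a one-guess adversary.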
Thinking about deterministic channels in general, we note that many partitions are
possible. At one extreme, the partition might consist of a single block, which contains
all of $\mathcal{X}$. That happens when the channel is a constant function, giving the same
output on all inputs, which means that there is no leakage at all. Later we will call it
[2] We use upper-case letters like X for the names of secrets, and lower-case letters like x for the actual
values they might take.
drew the sword, and though it snapped in two and thus fulfilled the
inscription, yet he overcame the giant. He afterwards met Mordrains
and told him of these wonders; Mordrains reunited the fragments,
then, in obedience to a voice, they left the ship, but in going
Nasciens was wounded for having dared to draw a sword of which
he was not worthy, thus he who praised it most had most reason to
blame it. As for the other words, King Pelles,[32] called the Maimed
King (a lame King who was my, i.e., the damsel’s, uncle) once came
to this ship on the shore of the sea over against Ireland, and
entering it found the sword, drew but was wounded through the
thighs by a lance, and might not be healed till Galahad come.[33]
(37) They then examine the bed and find it has three spindles; that
in front, snow white; that behind, blood red; that above, emerald
green, and lest this be thought a lie the story turns from its straight
path to explain about these spindles. After Eve, yielding to the devil’s
advice, had caused Adam to sin, and both knew themselves carnal
and were ashamed, and were driven forth from Paradise, Eve kept
the branch of the Tree of Life which she had plucked, and planted it
and it grew to a tree with branches and leaves white in token that
Eve was a virgin when she planted it. Sitting one day beneath the
tree, God commanded them to know one another carnally, and when
they were ashamed to set about such foul work sent darkness over
them. Abel was thus begotten, and the Tree of Life turned green.
Afterwards Cain slew Abel underneath that same tree and it turned
red. At the Deluge it remained unharmed and lasted till Solomon’s
time. Whilst the wise King was pondering over the malice of his wife
and of all women, a voice told him a woman of his line should bring
men more joy than her sex had caused sorrow, and that a virgin
knight should be the last of his lineage. His wife, whom he consults
as to how he shall let this knight know he had foreknowledge of his
coming, advised the building of the ship, and the taking of David’s
sword to be fitted with a new hilt of precious stones, and a new
pommel and scabbard, and placed in the ship together with
Solomon’s crown on a rich bed; she furthermore had three spindles
made from the Tree of Life and from trees grown from it. And when
all was ready Solomon saw in dreams angels coming from heaven
and putting the different inscriptions on the sword and ship. (38)
The story speaks now of other things. New hangings had not been
put on the sword, this was to be done by a damsel. Perceval’s sister
supplies hangings made of her own hair, and names the sword “The
Sword of Strange Hangings,” and the scabbard “Memory of Blood,”
and Galahad girds on the sword. (39) On the morrow they set sail
and come to Castle Carchelois, in the March of Scotland, the inmates
whereof attack them but are all slain. Galahad is sorry for those he
has killed, but a priest tells him they are heathens, and he has done
the best work in the world, as the three knights who held the castle
had ravished their own sister and wounded their father, Count
Ernous, to death. Before the latter dies he urges Galahad to go to
the assistance of the Maimed King (to undertake other adventures).
[34] (40) On the morrow they meet a white stag led by four lions;
these come to a hermitage, hear mass, the stag becomes a man and
sits on the altar, the lions a man, an eagle, a lion, and an ox, all
winged. (41) On the morrow Perceval takes Galahad’s sword, which
he will wear from henceforth. They come to a castle, the inmates of
which demand that Perceval’s sister should pay the custom of the
castle, which is to give a dishful of blood from her right arm. The
three companions protect Perceval’s sister against overwhelming
odds till nightfall, when, learning that the blood is asked to heal the
Lady of the Castle suffering from leprosy, Perceval’s sister sacrifices
herself. Before dying she gives directions that her body is to be put
in a ship and buried in the Palace Spiritual in Sarras. Bors then
leaves his two companions to succour a wounded knight pursued by
a knight and a dwarf;[35] and Perceval and Galahad, after seeing the
castle they had thus left destroyed by fire from heaven in vengeance
of the blood of the good maidens which had there been shed,
likewise separate. (42) The story returns to Lancelot. He is at the
Water of Marcoise, surrounded by the forest and high rocks, but he
does not lose faith in God; in obedience to a voice he goes on board
a passing ship and finds therein Perceval’s sister, whose story he
learns from the letter at her head. After a month’s journeying a
knight joins them who proves to be Galahad, and they pass together
half a year achieving marvellous adventures. After Easter, at the new
time when the birds sing their sweet and varied songs, they come to
land, and a knight in white arms bids Galahad leave his father, which
he does. (43) After a month’s further wandering on the sea, Lancelot
comes to a castle guarded by two lions,[36] against whom he would
at first defend himself, but is reproved for trusting his strength rather
than his Creator. Entering, he comes to a room wherein are the Holy
Vessel, and a priest celebrating mass; Lancelot is warned not to
enter, but when he sees that the priest about to raise the body of
God has a man put into his hands, he cannot refrain from pressing
forward to his aid, but is struck down by a fiery wind and remains
fourteen days dumb, food- and drinkless. He finds he is in Castle
Corbenic, and a damsel tells him his quest is ended. King Pelles
rejoices to see him, at dinner the Holy Grail fills the tables so that
living man could not think of greater plenty; whilst at dinner Hector
de Mares comes to the castle door, but is ashamed to enter, hearing
that Lancelot is within, and rides off pursued by the reproaches and
taunts of those of the castle. Lancelot returns to Arthur’s court,
passing on the way the tomb of Bandamagus, whom Gawain had
slain. (44) The story returns to Galahad. He comes to an abbey
wherein is King Mordrains, who knows his approach, and asks that
he may die in his arms; Galahad takes him on his breast, Mordrains
dies and all his wounds are found healed. (45) Galahad cools the
boiling fountain by putting his hand in it. (46) Galahad delivers from
the tomb where he had been burning three hundred and fifty-four
years his relative, Symeu, who thus expiated his sin against Joseph
of Arimathea. (47) Galahad rides five years before he comes to the
house of the Maimed King (the court of King Peleur), and during all
the five years Perceval bears him company, and within that time they
achieve the great adventures of the Kingdom of Logres (cast out the
evil adventures of the Island of Britain). (48) One day they met Bors,
who in the five years had not been in bed four times. The three
come to Castle Corbenic[37] (the court of King Peleur) where they
are greeted by King Pelles, and where Eliezer, King Pelles’ son,
brings the broken sword with which Joseph had been pierced
through the thighs; Bors cannot rejoin the pieces, Perceval can only
adjust them together, Galahad alone can make the sword whole, and
it is then given to Bors. (50) At vesper-time a hot wind strikes the
palace, and a voice orders all unfit to sit at Christ’s table to depart,
as the true knights were to be fed with Heaven’s food. All leave save
King Pelles, Eliezer, his son, and his niece, the most religious maid
on the earth (a young maiden); to them enter nine knights[38] and
salute Galahad: three are from Gaul (Wales), three from Ireland,
three from Denmark. Then four damsels bring in on a wooden bed a
man, crowned, in evil plight, who greets Galahad as his long-expected
deliverer. A voice orders out of the room him who has not
been a companion of the Quest, and straightway King Pelles and
Eliezer and the damsel depart. From heaven comes a man clad like a
Bishop and borne in a chair by four[39] angels, who place him before
the table upon which stands the Holy Grail. Upon his forehead is
written that he was Joseph (son of Joseph of Arimathea) first Bishop
of Christendom, whereat they wonder, as they know that man lived
three hundred years before. He kneels before the altar and opens
the door of the ark (chamber), and four angels[39] issue, two bearing
burning lights, the third a cloth of red samite, the fourth a lance
bleeding so hard that the drops run into a box he holds in his other
hand (two with torches, the third with the lance, the fourth holding
the box into which the blood drops); the candles are placed on the
table, the cloth is placed on the holy vessel so that the blood fell into
it. Joseph then celebrates the Sacrament, and on his raising the
wafer, as it were a child descends from heaven and strikes itself into
the wafer, so that it takes man’s form. Joseph then kisses Galahad
and bids him be fed by the Saviour’s own hand, and vanishes. But
there comes out of the holy vessel, a man with hands bleeding and
feet and body, and says He will reveal His secrets, and give the high
food so long desired and toiled for. He gives the Sacrament to
Galahad and his companions, and explains that the Grail is the dish
of the Last Supper, and Galahad shall see it more fully in the City of
Sarras, whither it is going, Britain being unworthy of it, and whither
he is to follow it with Perceval and Bors; but as he must not leave
the land without healing the Maimed King he is to take some of the
blood of the lance and therewith anoint his legs.[40] Galahad asks
why all may not come with him; but Christ says they are twelve who
have eaten as the Apostles were twelve, and they must separate as
the Apostles separated. Galahad then heals the Maimed King, who
goes into an abbey of white monks. (51) The three companions,
after sending messages to Arthur’s court through Estrois de Gariles
and Claudius, son of King Claudas,[41] coming to Solomon’s ship,
herein they find the Holy Grail, set sail; on landing bury Perceval’s
sister, heal a cripple to help them carry the Grail-table, are cast in
prison by King Escorant for a year, are fed by the Holy Grail; at
Escorant’s death Galahad is made King, fashions a tree of gold and
precious stones over the Grail and prays before it every morning as
do his companions. (52) On the anniversary of Galahad’s crowning
the three see before the holy vessel a man clad like a Bishop, who
begins mass and calls Galahad to see what he has so longed to see,
and at the sight Galahad trembles very greatly, and he thanks God
for letting him see that which tongue may not describe nor heart
think, and he begs that he may pass away from this earthly life to
the heavenly one. The Bishop then gives him the body of God, and
reveals himself as Josephus, son of Joseph of Arimathea. Galahad
kisses Perceval and Bors, and sends greetings to Lancelot through
Bors, his soul then leaves his body and angels take it away. A hand
from heaven then comes to the vessel and takes it and the lance,
and bears it heavenwards, so that since there was no man bold
enough to say he has seen the Holy Grail (except Gwalchmai once).
(52) Galahad’s body is buried. Perceval goes into a hermitage, where
Bors stays with him for a year and two months; Perceval dies, and is
buried by Bors in Galahad’s tomb; Bors left alone in a place as
strange as Babylon, sets sail for Britain, and comes to Camelot,
when all are greatly joyed to see him; he tells the adventures of the
Holy Grail; they are written down and kept in the Abbey of Salisbury,
and from these Master Walter Map drew to make his book of the
Holy Grail for the love of King Henry his lord, who had the story
translated from Latin into French. The story now is silent and tells no
more concerning the adventures of the Holy Grail.[42]
Grand St. Graal.—(1) The writer salutes all who have faith in the
Holy Trinity. He does not name himself for three reasons: lest his
declaration that he received the story from God Himself be a
stumbling block; lest his friends pay less honour to the book if they
know the author; lest if he have made any blunder all the blame fall
upon him.
(2) In the year 717 after the Passion of Christ, as the writer lies in
his hut in one of the wildest parts of White Britain, on Good Friday
Eve and doubts of the Trinity, Christ appears to him and gives him a
little book not larger than a man’s palm, and this book will resolve all
his doubts; He Himself has written it, and only he who is purified by
confession and fasting may read it. On the morrow the writer opens
it and finds therein four sections, headed each as follows: This is the
book of thy lineage; here begins the book of the Holy Grail; here is
the beginning of the terrors; here begin the marvels. As he reads
lightning and thunder come and other wonders. On Good Friday, as
he is celebrating the service, an angel raises him in spirit to the third
heaven, and his doubts concerning the Trinity are set at rest. When
his spirit returns to his body he locks up the book; but on Easter
Sunday, when he would read further, finds it gone; a voice says he
must suffer to have the book back again, must go to the plains of
Walescog, follow a wonderful beast to Norway, and there find what
he seeks. He obeys, the beast leads him first to a hermit’s, then past
the pine of adventures to a knight’s castle, on the third day to the
queen’s lake and a nunnery. After exorcising a hermit possessed of
the devil, he finds the book, and on his return Christ commands him
to make a fair copy before Ascension Day. He sets to work at once,
on the fifteenth day after Easter.[43] The book begins as follows: Few
believe on Christ at His crucifixion, among whom is Joseph of
Arimathea, as the Holy Scripture of the Grail testifies. He is in all
things a good man. He lives in Jerusalem with his wife and a son,
Josephes (not the same Josephes who so often quotes the Scripture,
but not less learned than he), he it was who passed his father’s kin
across sea to White Britain, since called England, without rudder or
sail, but in the fold of his shirt. Joseph, having much loved the Lord,
longs after His death to possess somewhat having belonged to Him;
goes to the house of the Last Supper, and carries off the dish
wherein He had eaten. Having been a knight of Pilate’s for seven
years, he craves a boon of him, which is Christ’s body. Pilate grants
it; Joseph descends the body from the Cross, places it in a
sepulchre, and, fetching the dish from his house, collects in it the
blood flowing from the body,[44] and finishes laying the body in the
tomb. The Jews hear of this, are angered, seize Joseph, throw him
into prison in the most hideous and dirtiest dungeon ever seen, feed
him at first on bread and water, but when Christ is found to have
arisen, Caiaphas, Joseph’s jailor, lets him starve. But Christ brings
the holy dish that Joseph had sent back to his house with all the
blood in it. Joseph is overjoyed. Christ comforts him, and assures
him he shall live and carry His name to foreign parts. Joseph thus
remains in prison. Meanwhile his wife, though often pressed to
marry, refuses until she shall have had sure tidings of her husband;
as for his son he will only marry Holy Church. (3) Forty years go by;
after Christ’s death Tiberius Cæsar reigned ten years, then Caius,
one year; then Claudius, fourteen years; then Noirons, in whose
reign S.S. Peter and Paul were crucified, fourteen years; then Titus,
and Vespasian, his son, a leper. The freeing of Joseph befalls in the
third year of Titus’ reign and in this wise: Titus has vainly sought a
leech to heal Vespasian. At last a strange knight from Capernaum
promises his help and tells how he in his youth had been healed of
the leprosy by a prophet. The Emperor on hearing this sent to Judea
to seek out that prophet; his messenger comes to Felix, and orders
him to have proclamation made for aught Christ has touched;
hereupon an old woman, Marie la Venissienne, brings the cloth upon
which the Saviour’s likeness had painted itself when she wiped His
face. The messenger returns to Rome with this cloth and the mere
sight of it heals Vespasian, who straightway resolves to avenge
Christ’s death. He goes to Jerusalem, Joseph’s wife appears before
him, accuses the Jews of having made away with her husband; none
of the Jews know where he is save Caiaphas, who reveals the secret
on condition that he is to be neither burnt nor slain. Vespasian himself
goes down into the prison and finds it as light as though one
hundred candles had burnt in it. He tells Joseph who he is, whereat
the latter wondered, not thinking he had been longer than from
Friday to Sunday, not once had it been dark. A voice tells Joseph not
to fear, and that he will find the Holy Vessel at his home. Joseph
returns to Jerusalem with Vespasian, and points out to him the
abettors of Christ’s death, whom Vespasian has burnt. Caiaphas is
set adrift in a boat. (4) The night before Vespasian returns to Rome,
Christ appears to Joseph and commands him to go forth and fill
foreign lands with his seed; he must be baptised, and must go forth
without money or aught but the dish; all heart can want or wish he
shall have, all who accompany him must be baptised likewise.
Joseph is baptised by St. Philip, then Bishop of Jerusalem, as is also
Vespasian, concerning whom the story is now silent. (5) Joseph
preaches to his friends and relatives and converts seventy-five of
them. They leave Jerusalem and come to Bethany, where the Lord
appears to Joseph, promises him aid as once to the Jews in the
wilderness, commands him to make a wooden ark for the dish,
which he is to open when he wants to speak to Him, but no one is to
touch it save Joseph and his son Josephes; Joseph does as
commanded, his troop is miraculously fed, and on the eleventh day
they come to the town of Sarras, between Babilone and Salavandre,
whence the Saracens have their name, and not from Sara. (6)
Joseph and his seventy-five companions enter the city and go to the
Temple of the Sun, to the seat of judgment, where the Saracens are
assembled with their lord, Evalach the Unknown: he had been a man
of prowess in his youth, but was now old; seven days before, the
Egyptians had beaten his army, and the council is now devising how
vengeance may be taken therefor. Joseph is greatly joyed at these
events, and when the council advises peace assures the King of
victory, but he must destroy his images and believe on Him who died
on the Cross. Evalach asks how one who could not save himself
could save another. Joseph, in answer, tells of Christ’s birth, life,
death, descent into hell, resurrection, ascension, and of the sending
of the Holy Ghost. Evalach cannot understand either the Incarnation
or the Trinity, and although Joseph explains that the Virgin conceived
by the overshadowing of the Holy Ghost through her ear, and that
her virginity was no more hurt than is water when a sunbeam enters
it, remains stubborn and calls his learned men to his aid, but Joseph
confounds these, and Evalach lodges the Christians for the night and
gives them good beds. (7) Evalach dreams of a tree-stock whence
spring three equal trunks and though three yet are truly one, also of
a room with a secret door of marble, through which a child passes
without opening it; a voice tells him this is a type of the miraculous
conception of Christ. (8) Meanwhile, Joseph, unable to sleep, prays
for comfort and adjures the Lord by all His mercies to help Evalach;
he is told by a voice he shall be sent for to explain the King’s dream.
Joseph then goes to sleep with his wife, Helyab, but not as lustful
folk do, for there was nothing between them till the Lord
commanded the begetting of Galahad, and then, so full of love to
the Saviour were they that they had no desire. From Galahad came
the high race which honoured the land of White Britain, now called
England. (9) The morrow morning Joseph and his company worship
before the ark (now the place wherein they were had been called
the Spiritual Palace by Daniel) when a soft sweet wind comes and
the Holy Ghost descends and Christ speaks and urges all to love
Him; He tells Josephes to draw near and take charge of His flesh
and blood; Josephes opens the door of the ark and sees a man all in
red, and with him five angels, each six winged, all in red, each with
a bloody sword in his left, and in their rights severally, a cross, nails,
lance, sponge, and scourge; Josephes sees Christ nailed to the
Cross, and the blood running down from His side and feet into the
dish; he would enter the ark but angels restrain him. Joseph,
wondering at his son’s state, kneels before the ark and sees therein
an altar covered with white cloths, under which is a red samite one,
covering three nails, a lance head all bloody, and the dish he had
brought, and in the middle of the altar an exceeding rich vessel of
gold and precious stones; seven angels issue from the ark with
water and watering pot (2), gold basins and towels (2), and gold
censers (3), an eighth carrying the holy dish, a ninth a head so rich
and beautiful as never mortal eye saw, a tenth a sword, three more
with tapers, lastly Jesus. The company of angels go over the house
sprinkling it with holy water, because it had heretofore been dwelt in
by devils. Christ tells Josephes he is to receive the sacrament of His
flesh and blood, and be made sovran shepherd over His new sheep;
bishop’s vestments are brought out of the ark. Josephes is seated in
a chair, which afterwards made a Saracen King’s eyes fly out of his
head, is consecrated, an angel keeps the holy oil wherewith all Kings
of Britain were anointed till the time of Uther Pendragon, of whom
none of the many that have told his history have rightly known why
he was so called; the meaning of the episcopal vestments is
explained to Josephes, and his duties set forth. (10) Josephes then
goes into the ark and celebrates the sacrament using Christ’s words
only, whereat bread and wine become flesh and blood, and in place
of the bread a child, which, though as bidden, he divides into three
parts yet is eaten as one whole; an angel puts patina and chalice
into the dish; Joseph and his company receive the sacrament in the
form of a child; Christ bids Josephes celebrate the sacrament daily;
tells him that he and Joseph are to go with Evalach’s messengers
now nigh at hand. Leucans, Josephes’ cousin, is appointed guardian
of the ark. (11) Joseph and his son go before the King and overcome
all the heathen clerk’s objections; Josephes tells Evalach he will be
given over to his enemies for three days, and shall only escape by
believing on Christ; the heathen idols are smashed by a devil at the
compelling of Josephes’ two angels. A messenger brings the news
that King Tholomes has entered and is capturing the land, and he
will not rest till he be crowned at Sarras. Josephes tells the King this
ill-hap is to mind him of his lowly origin, he is son of a shoemaker in
an old city of France, Meaux, and was one of a tribute of one
hundred youths and one hundred maidens claimed by Augustus
Cæsar from France, as here dwelt a prouder folk than elsewhere,
and the two daughters of the Count of the Town, Sevain, were
among the tribute, and Evalach was among their servants. When
Felix was named Governor of Syria by Tiberius he had taken Evalach
with him, and held him in high honour until one day, angry with
Felix’s son, Evalach slew him and had to fly, after which he entered
the service of Tholome Cerastre, King of Babylon, who had given
him the land he now ruled. Josephes further explains the King’s
dreams, and when the latter declares himself willing to believe, asks
for his shield, upon which he fixes a red cross and tells him to look
on it in his need and pray to God and he shall be saved. (12)
Evalach marches with his army against Tholomes, is joined by his
brother-in-law, Seraphe (whom he thought hated him most of any
man in the world) at the Queen’s entreaty; numerous combats
ensue between the two armies; Seraphe performs prodigies of
valour; Evalach is taken prisoner, and in his need looks on the shield,
sees thereon Christ crucified, prays to God for help, a White Knight
appears, overcomes Tholomes, who is taken prisoner, and Evalach’s
army is victorious. (13) Meanwhile Josephes, remaining in Sarras,
has been counselling Queen Sarraquite, secretly a Christian, since
her mother was cured of a bloody flux, and since Christ appeared to
her when she was afraid of the hermit her mother had led her to for
baptism because he had such a long beard; she dares not avow her
faith for fear of her husband. Josephes tells her of the battle which
has taken place and of the White Knight. (14) Evalach and Seraphe
return; the King asks at once after the Christians, and learns that he
owes his victory to the Lord to whom also Seraphe owed his
strength in battle; the shield is uncovered, a man with a wounded
arm is healed by it, and then the cross vanishes; Seraphe turns
Christian, is baptised and receives the name Nasciens, he is
straightway healed of his wounds, exhorts Evalach to believe, and
tells of Tholomes’ death. Evalach is baptised, and re-christened
Mordrains, or Slow-of-Belief. After baptising the town and destroying
all images, Josephes leaves three of his companions in charge of the
Grail Ark, and goes with the rest to Orcanz, turns out of an image a
devil who had slain Tholomes, and converts more of the heathen
folk. (15) Meanwhile Mordrains has ordered his people to be
baptised or to leave his land; many take the latter course and are
met outside the town by a devil who wounds them grievously,
whereupon Josephes hurries to their aid, but is met by an angel with
a lance and smitten through the thigh for having left his baptising
work to trouble himself about contemners of God’s law, and the
mark of the wound should stay with him all his life, and the iron
spear head remain in the wound so that ever after he limped, and
he had later to smart for it, as the tale will show in due season.
Many more people are converted, Bishops are left in the land and
holy relics at Sarras. (16) Josephes brings Mordrains, Sarraquite, and
Nasciens to the holy shrine, and shows them the vessel wherein is
Christ’s blood. Nasciens thinks he has never seen aught to match it,
and he gives it a name that since it has never lost. For, says he,
nothing he had seen before but somewhat displeased him (li
degraast), but this pleases him (li grée) entirely; he further tells how
once when a young man, hunting, as he stood deep in thought a
voice made itself heard, saying “Thou shalt never accomplish what
thou thinkest on until the wonders of the Grail are disclosed,” and he
knows now this must be the Grail as every wish of his heart is
accomplished. And he draws nearer and lifts the vessel’s lid and
looks therein, but straightway falls to trembling, feeling he can no
longer see. And he knew that the blindness was to punish his
curiosity, and turning to Josephes tells him that the iron shall not be
drawn out of that wound inflicted by the angel at Orcanz, nor he
himself recover his sight until Josephes, wounded, himself comes to
draw out the iron.
So they stand lost in thought, till a voice is heard, “After my
vengeance my healing” and an angel appears, touches Josephes’
thigh with the lance shaft, whereupon the head comes out, and from
it drop great drops of blood which the angel collects in a vessel, and
wherewith he anoints Josephes’ wound, making it whole, and
Nasciens’ eyes, restoring to him his sight. And the angel tells them
that the meaning of the lance is that of the beginning of the
wonderful adventures which shall befall in lands whither God
purposes leading them; when the true knights should be separated
from the false ones, and the earthly knighthood become a heavenly
one. And at the beginning of those adventures the lance would drop
blood as then, but beforehand none; and then wonders would
happen all over the world where the lance was, great and terrible
wonders, in recognition of the Holy Grail and of the lance; and the
marvels of the Grail should never be seen save by one man alone;
and by the lance wherewith Josephes was struck should but one
other man be struck, and he a King of Josephes’ kin, and the last of
the good men; he should be struck through the two thighs, and only
healed when the Grail wonders were disclosed to the Good Knight,
and that one should be last of Nasciens’ kin. Thus, as Nasciens was
the first to behold the wonders of the Grail, that one should be the
last; so saith the true crucified one, adding, “Upon the first and last
of My new ministers will I spend the vengeance of the adventurous
lance in token of Myself having received the lance stroke whilst on
the Cross.” And so many days as Josephes had borne the lance head
in his wound so many days should the marvellous adventures last.
Now these days (years)[45] were twenty-two. (17) Josephes explains
Mordrains’ vision, and makes him destroy the image of a woman he
had kept in a secret chamber, known, so he thought, only to himself.
(18) Josephes and his company go forth from Sarras, but the tale
tells nothing of them in this place, but keeps straight on. On the
following night Mordrains dreams that, sitting in Sarras at table, of a
sudden a thunderbolt strikes crown from his head and the first
mouthful from his lips; a great wind carries him up into a far land
where he is fed by a lion and lioness, and after a while an eagle
carries off Nasciens’ son to a land whereof the inhabitants bow down
before him, and out of this nephew’s belly comes a great lake giving
rise to nine streams, eight of equal breadth and depth, the ninth as
wide and deep as the remainder put together, and rushing and
turbulent, and at first foul and muddy, but afterwards clear and pure
as a precious stone; then comes down from heaven a man in
likeness of one crucified, who bathes hands and feet in the lake and
eight streams, but in the ninth his whole body. (19) Mordrains tells
his vision to Nasciens and confesses to former treacherous and
jealous feelings he had against him; they seek counsel of the priests,
but none can expound the vision, and as they sit together a great
tumult is heard and the sound of a horn announcing “the beginning
of dread,” and they fall senseless to the ground; but Mordrains is
caught up by the Holy Ghost and borne off. (20) Meanwhile Nasciens
is accused by Kalafier, a Christian-hater, of having made away with
Mordrains, and is cast into prison with Kalafier for gaoler. (21)
Meanwhile Mordrains has been carried off by the Holy Ghost to an
island lying between Babylon, Scotland, and Ireland, a high land
from which the western sea can be looked over as far as Spain; it
was once a pirates’ lair, but Pompey drove them thence. To
Mordrains comes a noble man who gives his name as Tout-entour,
comforts him, and exhorts him to steadfastness in the faith; when
he leaves a fair woman appears and tempts the King, who luckily
does not pay heed to her, and well for him, as he learns from the
noble man that she is Lucifer in disguise. He is assailed by many
temptations; storm, thunder, and lightning affright him; the
wonderful bird Phœnix attacks him and snatches the bread from his
lips; Lucifer again visits him and shows him Nasciens’ dead body, but
it is only an invention; finally, all these trials withstood, the noble
man comes again and expounds the dream of the nine streams: the
lake is a son of Nasciens, from whom descend nine Kings, all good
men and true, but the ninth surpassing all in every virtue; he is the
knight to whom the wonders of the Grail shall be shown, and Christ
shall bathe Himself wholly in him. (22) Meanwhile Nasciens has been
kept in prison together with his son, Celidoine (Heaven-given) by
Kalafier. But a miraculous hand appearing from out a cloud strikes
off Nasciens’ fetters, and carries him out of the dungeon; Kalafier
pursues but is struck down by the hand; on his death bed he orders
that Celidoine be cast from the battlements, but nine hands bear
him up in mid air, whilst Kalafier, slain by fire from heaven, goes to
eternal death. Sarraquite, overjoyed to hear of her brother’s escape,
sends out messengers to meet them. Meanwhile Nasciens’ wife,
Flegentyne, has set out in search of her husband accompanied by
the old knight, Corsapias, and his son, Helicoras. (23) Now Nasciens
has been carried fourteen days journey off to the Turning Isle
(concerning which many wonders are told); all of these things are
true, as Christ Himself has written the book of the Holy Grail, and He
never wrote aught else save the Lord’s Prayer for the disciples and
the judgment upon the woman taken in adultery. And no man is bold
enough to say that since the Resurrection Christ wrote aught else
save this “haute escripture del S. Graal.” (24) A ship comes to
Nasciens’ isle which he would enter but for words warning him
against it unless he be full of faith. However, crossing himself he
enters [and finds therein the same wonders as those described in
Queste, Inc. 35, 36, 37, viz.:—the sword and the three spindles,
precisely the same story about which is told as in the Queste]. (25)
Nasciens deeming there must be magic in this, the ship splits in
twain, and had well nigh drowned him, but he regains the isle
swimming, and on the morrow an old man comes in a ship and gives
him an allegorical explanation of what has befallen him. (26)
Meanwhile Celidoine, carried off by the hands to the land of the
heathen King Label, wins his favour by expounding a dream,
converts him, but at his death is cast adrift by the heathen barons in
a boat with a lion, and after three days comes to Nasciens’ island.
(27) The two rejoice on their meeting, and leave the island together
in Solomon’s ship, come after four days to another island, where
Nasciens, attacked by a giant, seizes Solomon’s sword but it breaks
in his hand, nevertheless, with another sword he overcomes the
giant. He chides Solomon’s sword, but Celidoine says it is some sin
of his made it break. Thereafter they see a ship approaching
wherein is Mordrains. There is rejoicing between the three, and
much telling of past adventures. Nasciens shows the broken sword
to Mordrains, who, taking it in his hands, joins it together,
whereupon a voice bids them leave the ship; Nasciens, not obeying
fast enough, is wounded in the shoulder by a fiery sword in
punishment of his having drawn Solomon’s sword. (28) The
messengers sent out by Sarraquite in search of Nasciens have,
meantime, had many adventures, have come across the daughter of
King Label, suffered shipwreck, and been thrown upon a desert isle
formerly the home of the great physician, Ypocras (of whom a long
story is told how he was tricked by a Roman lady), been tempted in
divers fashions, but at last they are led to Mordrains, Nasciens, and
Celidoine. (29) On the third night a priest clad in white comes
walking on the sea, heals Nasciens’ wound, and sends off Celidoine
in another ship. The remainder come to land, Mordrains and
Sarraquite are reunited; Nasciens’ wife, Flegentyne, is sent for; and
Label’s daughter is christened by Petrone, a holy man and kinsman
of Joseph. She was after Celidoine’s wife, as my lord Robert of
Borron testifies, who translated this history from Latin into French
after the holy hermit to whom our Lord first gave it. (30) Nasciens
sets forth in search of his son, his knights follow on his track, and
two are struck dead for their sins. Nasciens comes again to
Solomon’s ship, is tempted by the devil in the shape of a fair damsel,
goes on board the ship and dreams as follows:—Celidoine is in the
promised land with all those who had left Sarras; he, Nasciens, shall
go thence likewise and never depart thence, nor shall the ship until
it take back the last of his line to Sarras, together with the Holy
Grail, and that shall be after three hundred years; and thereafter
Celidoine leads before him nine persons, all in guise of Kings, save
the eighth who was like a dog, and the ninth turns into a lion, and at
his death the whole world mourns over him. And the names of
these, Nasciens’ descendants, are: Celidoine, Marpus, Nasciens,
Alains li Gros, Ysaies, Jonans, Lancelot, Bans, Lancelot, like unto a
dog until his end, Galahad, foul at the source, but afterwards clear,
in whom Christ shall bathe Himself wholly, and who shall end all the
adventures. On the morrow it is explained to Nasciens that the
eighth of his descendants likens a dog on account of his sins, and
the ninth is foul at the beginning as engendered in fornication and
not as Holy Church wills. (31) The story, after touching on
Flegentyne, who retires to her own land, returns to Joseph, who,
with his son, Josephes, and his companions, has been wandering
about. Joseph is ordered by a voice from heaven to beget a son,
whose name shall be Galaad. At length the company comes to the
sea shore and laments that it has no ships; Joseph rebukes them,
and says those may pass who have kept chaste, whereupon four
hundred and sixty come forward to confess their lechery. Josephes is
told to put forward the Grail-bearers, to take the shirt off his back,
and having spread it on the water, all the pure companions shall find
place on it. This happens, and all find place save Symeu and his son,
who are not as they should be, and who sink and are well nigh
drowned. The chosen company arrive on the morrow in Great
Britain, then full of Saracens and infidels. Josephes then prays for
the remainder of the company; a heavenly voice says they shall
come in good time, and that this is the promised land in which they
shall multiply and become the worthiest race anywhere. (32)
Meantime Nasciens has been led in Solomon’s ship to those of
Joseph’s followers who had been left behind, as the history of the
Holy Grail testifies. After being warned against fresh falling into sin
they are brought over to Joseph, and are fed with as much meat as
they could want. But the fifth day the company, not having eaten for
a day, come to the tent of a poor woman, wherein are twelve loaves
about which they dispute. Josephes, referred to, breaks each loaf in
three, and having placed the Holy Grail at the head of the table by
its power the bread suffices for more than five hundred people. (33)
Hereafter the company comes to Castle Galafort, where Celidoine is
The Science Of Quantitative Information Flow Mário S. Alvim

  • 4. Information Security and Cryptography Mário S. Alvim · Konstantinos Chatzikokolakis · Annabelle McIver · Carroll Morgan · Catuscia Palamidessi · Geoffrey Smith The Science of Quantitative Information Flow
  • 5. Information Security and Cryptography More information about this series at http://www.springer.com/series/4752 Series Editors David Basin Kenny Paterson Advisory Board Michael Backes Gilles Barthe Ronald Cramer Ivan Damgård Andrew D. Gordon Joshua D. Guttman Ueli Maurer Tatsuaki Okamoto Bart Preneel Christopher Kruegel Adrian Perrig
  • 6. Mário S. Alvim • Konstantinos Chatzikokolakis Annabelle McIver • Carroll Morgan Catuscia Palamidessi • Geoffrey Smith The Science of Quantitative Information Flow
  • 7. ISSN 1619-7100 ISSN 2197-845X (electronic) Information Security and Cryptography ISBN 978-3-319-96129-3 ISBN 978-3-319-96131-6 (eBook) https://doi.org/10.1007/978-3-319-96131-6 © Springer Nature Switzerland AG 2020

    This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

    This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

    Mário S. Alvim, Computer Science Department, Universidade Federal de Minas Gerais, Belo Horizonte, Brazil
    Konstantinos Chatzikokolakis, Department of Informatics and Telecommunications, University of Athens, Athens, Greece
    Annabelle McIver, Department of Computing, Macquarie University, Sydney, NSW, Australia
    Carroll Morgan, School of Computer Science & Engineering, University of New South Wales; Trustworthy Systems, Data61, CSIRO, Sydney, NSW, Australia
    Catuscia Palamidessi, Inria Saclay and LIX, École Polytechnique, Institut Polytechnique de Paris, Palaiseau, France
    Geoffrey Smith, School of Computing & Information Sciences, Florida International University, Miami, FL, USA
  • 8. The authors dedicate this book as follows: Mário S. Alvim to his mother, Maria Angélica, his stepfather, Mario, his brothers, Marco Antônio and Marcus Vinícius, and his husband, Trevor. Kostas Chatzikokolakis to his father, Thymios. Annabelle McIver to her daughter, Eleanor, and her parents, Anne and Ted. Carroll Morgan to the policy of diversity and tolerance deliberately instituted and actively sustained at Data61’s Trustworthy Systems Group. Catuscia Palamidessi to her husband, Dale Miller, and their children, Alexis and Nadia Miller. Geoffrey Smith to his parents, Marilynn and Seward, his wife, Elena, his sons, Daniel and David, and his cockatiel, Yoshi. Cockatiel Yoshi as a probabilistic channel C that maps a top-secret document X to a (randomly generated) pile of shredded paper Y
  • 9. Preface

    Information Flow is the transfer of information from a source (who knows the information) to a target (who does not yet know it). In history, that topic has sometimes been studied in order to impede flow (e.g. Caesar’s Cipher from millennia ago), and sometimes to facilitate it (e.g. Shannon’s work in the 1940’s). Usually, however, the aims are a careful mixture of the two: to let information flow to those who need to know it, but to keep it from those who must not have it. That is the focus of our contemporary perspective –facilitate some flows, impede others– and our main (but not exclusive) concern here is computer systems.

    But first: what is so special about now? Information-flow security is a critical problem today because of recent technological developments and their –largely uncontrolled– spread to many hands: all the way from everyday home users to super-skilled hackers, and all over the earth. Data is being collected more than ever before (smart phones, surveillance cameras, “loyalty” cards); networks then enable its transmission to unknown (or unintended) destinations; and powerful corporate and governmental agents gain financial and/or political benefits by collecting and analyzing that data. And, of course, there are the criminals.

    Because so much is flowing, and so many have access to it, and we know so little specifically about who they are, we can no longer protect our information by relying on the people through whose hands it passes. Thus the standard technologies like access control and encryption are insufficient, because there we require the entities granted access to our data to handle it appropriately, and that implied trust might well be misplaced: a smartphone app could legitimately need access to our location, for example, but then leak that information to some other party, perhaps maliciously — but also perhaps just by accident.

    Thus instead we must try to generate, process, and transfer our data with systems that protect themselves, that are safe no matter who accesses them or how they might abuse that access. It demands a fundamental, rigorous approach; and that fundamental rigor is exactly the science that we are striving for.

    Thus, second: how can it be done? Early rigorous work in information-flow security (since the 1970’s) suggested ways in which programs could be analyzed to see whether the program variables an adversary “could see” might depend on variables that were not supposed to be seen: our secrets. If there was no dependence, then the program was secure; but if there was any dependence at all, then the program was deemed insecure. That “depends or not” criterion was later realized to be too coarse, however: even a password-checking program, no matter how carefully constructed, would be deemed insecure, because Access Denied still unavoidably exhibits a dependence — on what the password is not.
  • 10. Quantitative information flow solves the “depends or doesn’t”, the “black or white” problem by relativizing information leaks, recognizing that it’s not really that clear-cut — some leaks are more important than others, and thus some are tolerable (e.g. leaking what a password isn’t, provided it’s only infrequently).

    A typical quantitative approach is to use Shannon’s information theory to measure the “entropy” of a secret (roughly, how hard it is to guess) before a system is run, and then to determine what the entropy would become after the program is run (by analyzing the source code, which we assume is available to our adversary). The difference between the two entropies, before minus after, is then how many bits have flowed from the system (escaped, if that flow is not desirable) and –again roughly– if it’s a small proportion of the bits that should remain secret, then the actual impact might be considered to be quite limited. Further, because the flow is quantified, the impact can actually be reasoned about rather than merely regretted.

    That technique realizes a powerful insight, and it works well in many situations: quantifying secrecy in the Shannon style (via entropy) provides the needed nuance to escape the earlier “all or nothing” judgments. For example, if the amount of entropy leaked by a failed login is indeed very small, it is exactly there that quantitative reasoning allows us to calculate with “very small” and “how often” and compare the result to “tolerable”.

    But much more recently still, it was suggested that Shannon’s approach could be generalized, taken further, because in some situations also it turned out to be too inflexible: were the numbers it produced, how many bits escaped, really the numbers we needed to know? The generalization was to allow a selection of entropies –many more than just Shannon’s alone– whose characteristics were derived empirically from a study of the possible adversaries’ motivations and capabilities. Which secrets do they really want, and which ones would they not bother to steal? What exactly can they do with their knowledge about the secret?

    That last step –the generalized entropies– completes the conceptual trajectory from “Does information flow at all?” (simple dependence) through “How many bits of information flow?” (Shannon leakage) to finally (at least for the moment) “What is the value to the adversary of the information that flows?” or, dually, “What damage to us is caused by that flow, and how much would we spend (or should we have spent) to prevent it?”

    Generalized entropies (of which Shannon entropy is a special case) are captured by what we call “loss functions”; dually, we also consider generalized “vulnerabilities”, captured by “gain functions”.

    Furthermore, loss- and gain functions enable a connection with the science of program development, where specification programs are “refined” into implementation programs that satisfy those specifications both in terms of functionality and security. (Shannon-entropy leakage is not usually a compositional criterion; and yet compositionality is essential for reliable program construction. The use of generalized entropies, however, is compositional.)

    For all of those reasons, our study of the science of quantitative information flow aims to understand fundamentally how sensitive information “flows” as it is processed by an authorized entity (e.g. our computer program), and to ensure that those flows are acceptable to us in terms of the quantified damage they might cause. And here –as we will emphasize– it is important to understand “flows” in a very broad sense: indeed flow occurs whenever sensitive information is correlated with observable outputs, allowing an adversary to make inferences about the sensitive information. Such correlations can be blatant, as when a sensitive file is copied to some publicly observable place, but they can also be subtle, as when a medical database outputs a patient’s country as “United States” if the patient has diabetes and as “USA” if not: in that case the patient’s diabetes status “flows” to the country output in a way that probably was not intended.
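The before-minus-after entropy calculation described above, and its gain-function generalization, worked through for the password checker the preface mentions. This is an added example, not code from the book: the 256-password uniform prior, the penalty value and all function names are assumptions, and the vulnerability formulas are the standard gain-function definitions rather than anything shown on this page.

```python
"""Added illustration: Shannon leakage vs. gain-function leakage of a password checker."""
import math


def shannon_entropy(dist):
    """Shannon entropy, in bits, of a probability distribution."""
    return -sum(p * math.log2(p) for p in dist if p > 0)


def joint(prior, channel):
    """Joint matrix J[x][y] = prior[x] * channel[x][y]."""
    return [[p * c for c in row] for p, row in zip(prior, channel)]


def shannon_leakage(prior, channel):
    """Entropy of the secret before the run minus its expected entropy after."""
    j = joint(prior, channel)
    after = 0.0
    for y in range(len(channel[0])):
        column = [row[y] for row in j]
        p_y = sum(column)
        if p_y > 0:  # outputs that never occur contribute nothing
            after += p_y * shannon_entropy([v / p_y for v in column])
    return shannon_entropy(prior) - after


def prior_vulnerability(prior, gain):
    """Best expected gain over actions w before anything is observed.

    gain[w][x] is the adversary's reward for action w when the secret is x.
    """
    return max(sum(p * g for p, g in zip(prior, row)) for row in gain)


def posterior_vulnerability(prior, channel, gain):
    """Expected best gain when the adversary chooses w after seeing output y."""
    j = joint(prior, channel)
    total = 0.0
    for y in range(len(channel[0])):
        column = [row[y] for row in j]
        total += max(sum(v * g for v, g in zip(column, row)) for row in gain)
    return total


def password_checker(n, tried):
    """Deterministic channel: column 0 is 'Access Denied', column 1 is granted."""
    return [[0.0, 1.0] if x == tried else [1.0, 0.0] for x in range(n)]


def one_try_gain(n):
    """Adversary gains 1 for naming the secret exactly, 0 otherwise."""
    return [[1.0 if w == x else 0.0 for x in range(n)] for w in range(n)]


def cautious_gain(n, penalty):
    """As above, but a wrong guess costs `penalty`; the last action abstains."""
    rows = [[1.0 if w == x else -penalty for x in range(n)] for w in range(n)]
    return rows + [[0.0] * n]


def analyse(n=256, penalty=0.01):
    """Compare the three leakage views for one failed-or-successful login."""
    prior = [1.0 / n] * n  # constructed input: n equally likely passwords
    checker = password_checker(n, tried=0)
    result = {"shannon_bits": shannon_leakage(prior, checker)}
    for name, gain in (("one_try", one_try_gain(n)),
                       ("cautious", cautious_gain(n, penalty))):
        result[name] = (prior_vulnerability(prior, gain),
                        posterior_vulnerability(prior, checker, gain))
    return result


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

One login attempt leaks about 0.037 of the secret's 8 bits, yet it doubles the adversary's chance of a correct one-try guess (1/256 to 2/256); for the adversary who is penalised for wrong guesses, the expected gain rises from 0 to 1/256.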
  • 11. Extant studies of information flow encompass a variety of domains –such as non-interference, anonymity, unlinkability, secure multi-party computation, differential privacy, statistical databases, side channels, voting, and anonymous communication and publishing– and we have tried to do the same. Something that makes those studies challenging, and our study as well, is that perfection is often unachievable, because some undesirable flows cannot be helped. Publishing statistics about a database of medical records necessarily involves revealing some information about the individual records: keeping those records completely private is not an option in that case.

    Indeed there are many practical reasons for accepting flows that –in a perfect world– we would prefer not to have:

    • Sometimes a flow is intentional: we want to learn something from our statistical database.
    • Sometimes a flow is due to side channels that are hard or impossible to control fully.
    • Sometimes a flow is in exchange for a service, one which for example might need our location.
    • Sometimes a flow is in exchange for efficiency, as when a weaker but more efficient anonymous communication system is used instead of a stronger but less efficient protocol.

    All of those support our belief that we must not (only) ask whether there is an information flow, and not even (only) how many bits of Shannon entropy might flow. We try to study instead how much damage an information flow would cause; and because of the generality of that approach, the earlier two are special cases.

    The six authors of this book come from a number of distinct research domains, including process calculi, privacy, type systems for secure information flow, and programming-language semantics and refinement. As we all came to understand information flow better, we recognized that our efforts shared deep commonalities; and so, merging our earlier specialties, we have been working intensively as a group together since about 2010. This book is our comprehensive treatment of quantitative information flow (QIF) as we currently understand it — and we hope that it will lead to further and wider collaboration with those who might read it.

    Much of what we present here is based on material already published, but by no means all of it — it is not at all merely “a collection of papers”. Instead we have tried hard to write a unified and self-contained text, hoping as we did that to find better terminology and notation than we might have used before, and then in some cases even rewriting whole presentations from scratch to take advantage of it. As well, in many cases we have also replaced earlier mathematical proofs with new ones that are clearer and more self-contained.

    Finally, while this book is mainly focused on the systematic development of the theory of quantitative information flow, we also demonstrate the theory’s practical utility by including (in Part V) case studies showing how quantitative-information-flow analysis can be applied to a number of interesting realistic scenarios.
  • 12. Intended readership

    Our intended reader is anyone interested in the mathematical foundations of computer security. As far as the required technical background is concerned, we have tried to make the main story understandable to anyone with just a basic knowledge of discrete probability, though sometimes deeper concepts are used. But, in those cases, we have tried to minimize the need for prior familiarity by presenting the necessary material within our text.

    It is worth clarifying however that this book is not aimed at readers interested in the legal, ethical, or sociological aspects of information flow. While it is clear that some information flows are beneficial and others are harmful, we make no effort to address the question of which are which.

    And finally, we recognize that information flow is in fact a general phenomenon with relevance beyond security. So while the theory developed here has largely been motivated by the question of how to limit the leakage of sensitive information, that same theory can no doubt be applied fruitfully in diverse contexts such as machine learning, recommendation systems, and robotics. (Interestingly, in those contexts information flow would typically be seen as a good thing.) For this reason, readers outside the field of security may also profit from reading this book.

    Organization and structure

    We now briefly describe the overall structure of the book.

    In Part I, we motivate the study of quantitative information flow, and we give an informal overview of some of its important concepts by discussing information leakage in a very simple context.

    In Part II, we begin our detailed development by explaining what a secret X actually is, or at least what we consider it to be: a probability distribution π that specifies the adversary’s knowledge about the likelihood of X’s possible values. We also consider how π can be used in quantifying either X’s vulnerability or (complementarily) the adversary’s uncertainty about X, observing that there are many reasonable ways to do that, depending on the operational scenario, and showing that a single framework, based on “gain functions” (or dually “loss functions”), can encompass them all.

    In Part III, we move from secrets to systems, modeled as information-theoretic channels that process secret information and possibly leak some of it to their public outputs. We develop a rich family of gain-function-leakage measures to quantify the damage a channel’s leakage might cause, carefully considering the operational significance of such measures and developing theory that supports robust judgments about leakage.

    In Part IV, we consider a more detailed model of systems as programs written in a simple probabilistic imperative programming language, enabling compositional reasoning about information leakage. Here, with assignment statements to program variables we can treat secrets that change over time. For that we introduce a mathematical technique that generalizes both channels (which leak secrets) and assignments (which update them). The technique is based on Hidden Markov Models.

    Finally, in Part V we present a number of case studies showing how one can apply quantitative-information-flow analysis to many interesting realistic scenarios — including anonymity protocols, side-channel attacks on cryptography, voting protocols, and even differential privacy in statistical databases. Those chapters are intended to be somewhat self-contained, and readers interested in applications might wish to browse through them early.
Details of presentation

We sometimes format a definition, theorem, or paragraph in a box to give it greater visual prominence, as we have done in this paragraph. Our intent in doing that is to express our judgments, necessarily subjective, about which things are particularly significant or interesting.

The main text has been kept essentially free of literature citations and historical remarks — instead they are collected in a final section “Chapter Notes” for each chapter. The bibliography is, similarly, organized chapter by chapter. Cited authors can be found alphabetically in the index, where they appear within square brackets, for example “[ Claude E. Shannon ]”.

A glossary appears just before the index, and its entries are in order of first occurrence in the main text. The entry usually reads “see something”, without a page number, in the hope that the something on its own will be enough to jog the memory. If it isn’t, the index entry for “something” itself should be consulted to get a page reference.

Possible usage as a textbook

We have used draft chapters from Parts I, II, and III in a master’s-level course on the foundations of cybersecurity that also included extensive coverage of cryptography. For a full-semester course, we envisage that a course based on Parts I, II, and III and selected chapters from Part V could be taught at both the advanced undergraduate and master’s levels. Part IV is more advanced mathematically, and is probably more suitable for doctoral students. To facilitate the use of the book as a course textbook, we have included a section of Exercises at the end of most chapters. Solutions to these exercises are available to qualified instructors.
Language issues

Turning finally to questions of language: we come from six different countries (Brazil, Greece, the United Kingdom, Australia, Italy, and the United States) — which had the advantage that the sun never set on this book’s preparation: at all times at least one of us could be found hard at work on it. But such diversity also raises issues of spelling and usage. For the sake of consistency we have made an essentially arbitrary choice to follow American conventions throughout.

Also, with respect to the thorny question of personal pronouns, we have chosen to refer to the defender (i.e. the person or entity trying to protect sensitive information) as “he” or “him”, to the adversary as “she” or “her”, and to the authors and readers of this book as “we” or “us”. When there are several points of view, for example in multi-party protocols, we will occasionally use the neuter “it”. While assigning genders to the defender and adversary is of course arbitrary (and some readers might indeed prefer the opposite assignment), it has the advantages of avoiding the syntactic awkwardness of “he or she” and, more importantly, of enabling us to write with greater clarity and precision.
Acknowledgments

Our many collaborators have made profound contributions to our understanding of quantitative information flow — and we are particularly grateful to Arthur Américo, Miguel Andrés, Nicolás Bordenabe, Chris Chen, Michael R. Clarkson, Pierpaolo Degano, Kai Engelhardt, Barbara Espinoza, Natasha Fernandes, Jeremy Gibbons, Michael Hicks, Yusuke Kawamoto, Boris Köpf, Piotr Mardziel, Larissa Meinicke, Ziyuan Meng, Tahiry Rabehaja, Andre Scedrov, Fred B. Schneider, Tom Schrijvers, David M. Smith, Marco Stronati, and Roland Wen.

The authors are grateful for support from Digiteo and the Inria équipe associée Princess. Also, Mário S. Alvim was supported by the Computer Science Department at Universidade Federal de Minas Gerais (DCC/UFMG), by the National Council for Scientific and Technological Development (CNPq), by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES), and by the Fundação de Amparo à Pesquisa de Minas Gerais (FAPEMIG). Konstantinos Chatzikokolakis was supported by the Centre national de la recherche scientifique (CNRS), by the Institut national de recherche en sciences et technologies du numérique (Inria), and by the Department of Informatics and Telecommunications of the National and Kapodistrian University of Athens. Annabelle McIver was supported by the Department of Computing at Macquarie University and the Optus Macquarie Cyber Security Hub, Carroll Morgan by the Trustworthy Systems Group of CSIRO’s Data61 and the School of Engineering and Computer Science at the University of New South Wales, and both of them by the Australian Research Council and the Information Security Group at ETH Zürich. Catuscia Palamidessi was supported by the Institut national de recherche en sciences et technologies du numérique (Inria), by her ERC grant HYPATIA and by the ANR project REPAS.
Geoffrey Smith was supported by the School of Computing and Information Sciences at Florida International University and by the National Science Foundation under grant CNS-1116318.

Belo Horizonte: Mário S. Alvim
Athens: Konstantinos Chatzikokolakis
Sydney: Annabelle McIver
Sydney: Carroll Morgan
Paris: Catuscia Palamidessi
Miami: Geoffrey Smith

April 2020
Contents

Preface

I Motivation

1 Introduction
  1.1 A first discussion of information leakage
    1.1.1 Secrets
    1.1.2 Bayes vulnerability
    1.1.3 Deterministic channels
    1.1.4 Posterior distributions and hyper-distributions
    1.1.5 Posterior Bayes vulnerability
    1.1.6 Quantifying leakage
  1.2 Looking ahead
  1.3 Exercises
  1.4 Chapter notes

II Secrets and How to Measure Them

2 Modeling secrets
  2.1 Secrets and probability distributions
  2.2 Shannon entropy
  2.3 Bayes vulnerability
  2.4 A more general view
  2.5 Exercises
  2.6 Chapter notes

3 On g-vulnerability
  3.1 Basic definitions
    3.1.1 Graphing g-vulnerability
  3.2 A catalog of gain functions
    3.2.1 The identity gain function
    3.2.2 Gain functions induced from distance functions
    3.2.3 Binary gain functions
    3.2.4 Gain functions for a password database
    3.2.5 A gain function that penalizes wrong guesses
    3.2.6 A gain function for a medical diagnosis scenario
    3.2.7 A loss function that gives guessing entropy
    3.2.8 A loss function that gives Shannon entropy
  3.3 Classes of gain functions
    3.3.1 Finite-valued, non-negative vulnerabilities: the class $\mathbb{G}\mathcal{X}$
    3.3.2 Finitely many actions: $\mathbb{G}^{\mathrm{fin}}\mathcal{X}$
    3.3.3 Non-negative gain functions: $\mathbb{G}^{+}\mathcal{X}$
    3.3.4 One-bounded gain functions: $\mathbb{G}^{l}\mathcal{X}$
  3.4 Mathematical properties
    3.4.1 Gain function algebra
  3.5 On “absolute” versus “relative” security
  3.6 Exercises
  3.7 Chapter notes

III Channels and Information Leakage

4 Channels
  4.1 Channel matrices
  4.2 The effect of a channel on the adversary’s knowledge
  4.3 From joint distributions to hyper-distributions
  4.4 Abstract channels
  4.5 More on abstract channels
  4.6 A first look at channel compositions
    4.6.1 Convex combinations of channels
    4.6.2 Cascading and the Data-Processing Inequality
  4.7 Exercises
  4.8 Chapter notes

5 Posterior vulnerability and leakage
  5.1 Posterior g-vulnerability and its basic properties
  5.2 Multiplicative and additive g-leakage
  5.3 A closer look at posterior Bayes vulnerability and Bayes leakage
  5.4 Measuring leakage with Shannon entropy
  5.5 More properties of posterior g-vulnerability and g-leakage
    5.5.1 A matrix-based formulation of posterior g-vulnerability
    5.5.2 A trace-based formulation of posterior g-vulnerability
    5.5.3 A linear-programming formulation
  5.6 Example channels and their leakage
  5.7 Max-case posterior g-vulnerability
  5.8 Exercises
  5.9 Chapter notes

6 Robustness
  6.1 The need for robustness
  6.2 Approaches to robustness
  6.3 Exercises
  6.4 Chapter notes

7 Capacity
  7.1 Multiplicative Bayes capacity
  7.2 Additive Bayes capacity
  7.3 General capacities
  7.4 Multiplicative capacities
    7.4.1 Fixed g, maximize over π
    7.4.2 Fixed π, maximize over g
    7.4.3 Maximize over both g and π
  7.5 Additive capacities
    7.5.1 Fixed g, maximize over π
    7.5.2 Fixed π, maximize over g
    7.5.3 Maximize over both g and π
  7.6 Obtaining bounds on leakage
    7.6.1 The additive miracle theorem
    7.6.2 Improved miracle bounds
    7.6.3 Examples
  7.7 Exercises
  7.8 Chapter notes

8 Composition of channels
  8.1 Compositions of (concrete) channel matrices
    8.1.1 Parallel composition
    8.1.2 External fixed-probability choice
    8.1.3 External conditional choice
    8.1.4 External (general) probabilistic choice
    8.1.5 Internal fixed-probability choice
    8.1.6 Internal conditional choice
    8.1.7 Internal (general) probabilistic choice
    8.1.8 Cascading
  8.2 Compositions of abstract channels
    8.2.1 The issue of compositionality
    8.2.2 Parallel composition
    8.2.3 External fixed-probability choice
    8.2.4 External conditional choice
    8.2.5 External (general) probabilistic choice
    8.2.6 The internal choices, and cascading
  8.3 Exercises
  8.4 Chapter notes

9 Refinement
  9.1 Refinement: for the customer; for the developer
  9.2 Structural refinement: the developer’s point of view
    9.2.1 Structural refinement for deterministic channels
    9.2.2 Structural refinement for probabilistic channels
  9.3 Testing refinement: the customer’s point of view
  9.4 Soundness of structural refinement
  9.5 Completeness of structural refinement: the Coriaceous theorem
  9.6 The structure of abstract channels under refinement
  9.7 Refinement and monotonicity
    9.7.1 Compositionality for contexts
    9.7.2 Monotonicity with respect to refinement
  9.8 Why does refinement (⊑) have to be so complicated?
    9.8.1 Who gets to define refinement, anyway?
    9.8.2 A subjective argument: keeping the customer satisfied
    9.8.3 An objective argument: compositional closure
  9.9 Capacity is unsuitable as a criterion for refinement
  9.10 Exercises
  9.11 Chapter notes

10 The Dalenius perspective
  10.1 Dalenius scenarios
  10.2 Compositional closure for Dalenius contexts
    10.2.1 Safety and necessity with respect to Dalenius contexts
    10.2.2 Justifying refinement: an example
  10.3 Bounding Dalenius leakage
  10.4 Chapter notes

11 Axiomatics
  11.1 An axiomatic view of vulnerability
  11.2 Axiomatization of prior vulnerabilities
    11.2.1 Soundness and completeness of $V_g$ with respect to continuous, convex functions
  11.3 Axiomatization of posterior vulnerabilities
    11.3.1 Possible definitions of posterior vulnerabilities
  11.4 Applications of axiomatization to understanding leakage measures
  11.5 Chapter notes

12 The geometry of hypers, gains and losses
  12.1 Barycentric representation of gain/loss functions
  12.2 Barycentric representation of hypers and their refinement
  12.3 Primitive hyper-distributions and their refinements
  12.4 Hyper-distributions are not a lattice under refinement
  12.5 A geometric proof of antisymmetry of refinement
  12.6 Exercises
  12.7 Chapter notes

IV Information Leakage in Sequential Programs

13 Quantitative information flow in sequential computer programs
  13.1 Markovs don’t leak; and channels don’t update
  13.2 Specifications and implementations: a review
    13.2.1 When is one program better than another, and why?
    13.2.2 When is one channel better than another, and why?
    13.2.3 Programs and channels together: what is “better” for both?
  13.3 Aligning functional refinement with information-flow refinement
    13.3.1 Generalizing Hoare logic for probability
    13.3.2 Using loss functions
    13.3.3 Refinement in general
    13.3.4 Initial-final correlations, and Dalenius
  13.4 Larger information-flow-aware programs
    13.4.1 Sequential composition
    13.4.2 On the terms prior, posterior, initial and final
    13.4.3 Conditionals
    13.4.4 The power of the adversary: gedanken experiments
    13.4.5 Iteration
  13.5 Syntax for probabilistic choice
  13.6 Summary
  13.7 Exercises
  13.8 Chapter notes

14 Hidden-Markov modeling of QIF in sequential programs
  14.1 Concrete Hidden Markov Models
    14.1.1 A priori versus a posteriori reasoning — in more detail
  14.2 Operations on and specializations of concrete HMM’s
    14.2.1 Pure-channel and pure-markov HMM’s
    14.2.2 Sequential composition of concrete HMM’s
    14.2.3 General (concrete) HMM’s
  14.3 Abstract Hidden Markov Models
    14.3.1 Sequential (Kleisli) composition of abstract HMM’s
  14.4 Syntax and abstract-HMM semantics of QIF-programs
    14.4.1 Probabilistic assignment
    14.4.2 Information flow via channels: leaking with PRINT
    14.4.3 External probabilistic choice
    14.4.4 (Internal probabilistic choice)
    14.4.5 Sequential composition
    14.4.6 Conditional
    14.4.7 Iteration
    14.4.8 Local variables
  14.5 Leaks caused by conditionals and by external choice
  14.6 Examples of small QIF programs
    14.6.1 First example: Bertrand’s Boxes
    14.6.2 Second example: Goldfish or piraña?
    14.6.3 Third example: Repeated independent runs
  14.7 Underlying and unifying structures: a summary
  14.8 Exercises
  14.9 Chapter notes

15 Program algebra for QIF
  15.1 Semantics, logic, and program algebra
  15.2 Static visibility declarations; multiple variables
  15.3 Simple examples of program derivations in QIF
    15.3.1 The Encryption Lemma
    15.3.2 From qualitative proofs to quantitative proofs
    15.3.3 The One-Time Pad
  15.4 Algebraic rules for reordering statements
  15.5 Larger example 1: Oblivious Transfer
  15.6 Larger example 2: Two-party conjunction, or The Lovers’ protocol
  15.7 Sub-protocols and declassification
  15.8 Refinement and quantitative analyses
  15.9 Exercises
  15.10 Chapter notes

16 Iteration and nontermination
  16.1 Why iteration is “different”
  16.2 Classical nontermination
  16.3 Nontermination for markovs and channels
    16.3.1 Nontermination for markovs
    16.3.2 Nontermination for channels
    16.3.3 Applying abstract channels and markovs to sub-hypers
    16.3.4 The semantic model for nontermination
  16.4 The algebra of nontermination in QIF
  16.5 A refinement order on sub−hyper-distributions
  16.6 From nontermination to termination
  16.7 Example of (certain) termination: how to design a password checker
  16.8 A taxonomy of refinement orders
  16.9 Exercises
  16.10 Chapter notes

17 A demonic lattice of information
  17.1 A deterministic lattice of information — the original
    17.1.1 Historical introduction, intuition and abstraction
    17.1.2 Structural definition of refinement for deterministic channels
    17.1.3 Testing, soundness and completeness: deterministic
  17.2 Our probabilistic partial order
  17.3 Basic structure of the demonic lattice
  17.4 Examples of demonically nondeterministic channels
  17.5 Testing, soundness and completeness: demonic
  17.6 A reformulation of demonic testing
  17.7 Reduced demonic channels
  17.8 Compositional closure
  17.9 “Weakest pre-tests” and source-level reasoning
  17.10 Exercises
  17.11 Chapter notes

V Applications

18 The Crowds protocol
  18.1 Introduction to Crowds, and its purpose
  18.2 Modeling the Crowds protocol
  18.3 Bayes vulnerability and Bayes leakage
  18.4 Explanation of the paradox
    18.4.1 Modified Crowds
    18.4.2 Vulnerability of the original protocol
  18.5 Why ϕ matters, even for uniform priors
    18.5.1 Probable innocence as no lion leakage
  18.6 Refinement: increasing ϕ is always safe
  18.7 Multiple paths
    18.7.1 Paths recreated by the initiator
    18.7.2 Paths repaired by the last working node
    18.7.3 Multiple detections and deviating from the protocol
  18.8 Exercises
  18.9 Chapter notes

19 Timing attacks on blinded and bucketed cryptography
  19.1 Cryptographic background
  19.2 A first leakage bound
  19.3 A better leakage bound
  19.4 Analytic results about $\mathrm{cap}_b(n)$
  19.5 Analytic proofs
  19.6 Another proof of Theorem 19.5
  19.7 Chapter notes

20 Defense against side channels
  20.1 Evaluating a defense against side channels
  20.2 QIF exploration of the fast-exponentiation algorithm
    20.2.1 Cost/benefit analysis
  20.3 Chapter notes

21 Multi-party computation: The Three Judges protocol
  21.1 Introduction to The Three Judges
  21.2 Developing an implementation of the Three Judges
    21.2.1 First attempt
    21.2.2 Second development attempt (sketch)
    21.2.3 Successful development
    21.2.4 Two-party exclusive-or
    21.2.5 Summary
  21.3 Exercises
  21.4 Chapter notes

22 Voting systems
  22.1 Elections and privacy risks
  22.2 An illustrative and simplified QIF model for elections
    22.2.1 The tallying
    22.2.2 The casting
    22.2.3 The Dalenius perspective: casting then tallying
  22.3 Election by simple majority: first past the post
    22.3.1 QIF channels for simple-majority elections: two examples
  22.4 Election by preferences: instant run-off
    22.4.1 QIF channels for instant−run-off elections: two examples
  22.5 Gain functions for privacy of elections: a first example
  22.6 The effect of small electorates in general
  22.7 Case studies of small-electorate impact
    22.7.1 First past the post, in small electorates
    22.7.2 Instant run-off in small electorates
  22.8 Chapter notes

23 Differential privacy
  23.1 Notation and definition
  23.2 Mechanisms as information-theoretic channels
  23.3 The relation between differential privacy and multiplicative g-leakage
    23.3.1 Bounds on leakage do not imply differential privacy
  23.4 Exercises
  23.5 Chapter notes

Glossary and Index
Chapter 1
Introduction

Protecting sensitive information from improper disclosure or corruption is a long-standing, fundamental goal of computer security: but it is one that is not currently being achieved well at all, as is evident from continual news reports of large-scale data compromises.

Such compromises result from many causes, of course. Sometimes the compromises are essentially social, as in “phishing” attacks: users are led to fraudulent websites and tricked into disclosing their authentication credentials there, enabling attackers to impersonate them and to gain access to their sensitive data. Other compromises are more technical, resulting from flaws (both malicious and inadvertent) in the design and implementation of computer systems that process sensitive data.

Whenever a compromise is discovered, it is natural and important to investigate its particular causes, so that whatever flaws were exploited can be corrected. But the approach of patching flaws as they are discovered is fundamentally limited — at best it brings us to a situation where all the flaws we know about have been corrected, but it leaves open the question of whether there might be other flaws yet to be discovered. Achieving a secure and trustworthy cyber-infrastructure requires a more disciplined approach, one where the focus turns from particular attacks to a true science of security.

This book aims to contribute to such a science by carefully studying one aspect of computer security, namely the information flow that occurs when a computer system processes sensitive information. Imagine a system that is given some sensitive information as input and then, as it processes it, somehow produces some publicly observable output. The output might be the result of the computation, intentionally made public, or it might be some aspect of the computation itself, such as time taken, or energy used, or number of cache faults — such outputs, often unintentional, are called side channels.
A basic question that we wish to answer is whether the system causes some of the sensitive information to “flow” from the input to the observable output, thereby causing “leakage” of that information — and of course we need to understand precisely what that means.

Also, while our first thought might be that a “secure” system should have no such leakage, we find in fact that some leakage is unavoidable in many practical situations. Consider for example a password checker that has been given a secret password, which of course it should not leak. But when a user tries to log in with some guessed password, the checker must reveal whether the guess is correct or not, and rejecting an incorrect guess leaks the fact that the secret password is different from the guess.

As a second example, consider an election-tallying program that takes as inputs the ballots of a group of voters. Typically we would demand that the ballots be kept secret, yet the election system needs to output the result of the election, usually including the tally of votes for each candidate. That clearly leaks some information about the secret ballots — in the extreme case of an election that turns out to be unanimous, for instance, the tally reveals how everyone voted. What then is the best choice for publishing the election results so that the aims of both integrity and privacy are served?

© Springer Nature Switzerland AG 2020. M. S. Alvim et al., The Science of Quantitative Information Flow, Information Security and Cryptography, https://doi.org/10.1007/978-3-319-96131-6_1

A third example involves side channels. In typical implementations the time required to do an RSA decryption varies, depending on the secret key: that can lead to a timing attack. Similarly, the cache state that results from an AES decryption varies, depending on the secret key. In both those cases, there is then leakage from the secret key to system timing or caching behavior, which might be publicly observable and might indeed leak enough to allow an adversary to recover the secret key. If some defense against the side channel is employed, how do we determine its effectiveness?

Those last examples highlight an important challenge concerning the modeling of the computer systems we wish to analyze. To facilitate our analyses, we would prefer simple mathematical models that exhibit the essential features of the systems while abstracting from irrelevant details. But what is essential and what is irrelevant? As shown by side channels, many low-level system details (e.g. timing, caching behavior, power consumption), which a mathematical model might naturally ignore, turn out to give significant leaks of sensitive information. As a consequence, we need to choose system models with a skeptical eye, always being mindful of the abstractions that we make and sensitive to the issues that we might be overlooking. In the case of a password checker, for instance, we might model the checker as outputting only whether the guessed password is correct or not.
But it might turn out that the implementation of the checker works by comparing the guess to the secret password character by character, rejecting as soon as a mismatch is found. In that case, the time taken by the checker would be proportional to the length of the maximum correct prefix of the guess. If an adversary could observe that running time precisely, the leakage would be far greater.

Returning to the issue of whether a system leaks sensitive information, we see from the above examples that “whether” is often not very useful, as all of those systems do in fact leak some information. But it is intuitively clear that many of those leaks are “small”, and that suggests that it would be more fruitful to ask instead how much sensitive information is leaked and how useful it is to the adversary: perhaps it’s “large”? In the case of an election system, for instance, we would expect to be able to show that if the number of voters is large, then the leakage caused by releasing the tally is somehow “small”, enabling us to show that a quantitative leakage policy is satisfied. But what, precisely, would such a policy mean, and what security guarantees would it provide?

To address such questions, in this book we develop a theory of Quantitative Information Flow, which aims to explain precisely what information leakage is, how it can be assessed quantitatively, and how systems can be constructed that satisfy rigorous information-flow guarantees. We begin in the following section with an informal discussion of information leakage, briefly introducing some key concepts of Quantitative Information Flow and trying to build intuition that will motivate the detailed discussion in later chapters.
1.1 A first discussion of information leakage

In this section we discuss information leakage in a “toy” system, chosen to make the analysis relatively simple.

1.1.1 Secrets

Let us consider a simple example. Suppose that a secret called X is generated by rolling a pair of distinguishable dice, one red and one white. Then the set $\mathcal{X}$ of possible values of X has 36 elements, as shown here:

We can write each such value more compactly as a pair (r, w), where r is the value of the red die and w is the value of the white die. (From a security perspective, we can think of X as a two-digit PIN, where the digits are limited to numbers from 1 to 6.)

What does it mean to say that X is a secret with respect to an adversary? We take that to mean that the adversary knows only a probability distribution π that specifies the probability $\pi_x$ of each possible value x of X. (Secrets will be defined formally in Def. 2.1.) If we assume here that the two dice are fair and independent, then in fact π will be uniform, i.e. will be such that $\pi_x = \pi_{x'}$ for all x, x′ in $\mathcal{X}$. As a mnemonic, we will usually write ϑ for the uniform distribution, generic in $\mathcal{X}$,¹ so that in this case the probability 1/36 is assigned to each outcome: that is,

$\vartheta_{(1,1)} = \vartheta_{(1,2)} = \vartheta_{(1,3)} = \cdots = \vartheta_{(6,6)} = 1/36$ .

In general (i.e. whether it is uniform or not) we refer to the above as a prior distribution, because it reflects the adversary’s knowledge about X before observing the output of a system. Later we will discuss posterior distributions, which reflect the adversary’s knowledge after observing the output.

1.1.2 Bayes vulnerability

Assuming that the adversary’s knowledge of X is limited to π, we now wish to quantify the “threat” to X. As we will discuss subsequently, there are many reasonable ways of doing that. But for now we focus on a basic measure that we call Bayes vulnerability, and which is an adversary’s maximum probability of guessing the value of X correctly in one try — clearly the adversary should guess any value x whose probability $\pi_x$ is maximum. Denoting the Bayes vulnerability of π by $V_1(\pi)$, we then have

$V_1(\pi) := \max_{x \in \mathcal{X}} \pi_x$ .

¹ Think of ϑ as an elaborate “u”.
(The “1” subscript in $V_1$ is chosen to reflect the “one try” nature of Bayes vulnerability, which is discussed in detail in §2.3.)

In our dice example, where the prior π is the uniform distribution ϑ, we have $V_1(\pi) = V_1(\vartheta) = 1/36$, since 1/36 is the maximum probability assigned by ϑ; in that case note that all 36 of the possible values are equally good guesses.

1.1.3 Deterministic channels

Now we turn our attention to the information leakage caused by a system C that processes a secret X.² In the first part of this book, we consider systems that take a secret X as input and whose only publicly observable behavior is to produce an output Y; such systems are known as channels. In this section we restrict our attention to deterministic channels, where each input value x leads to a unique output value y, which we describe as C(x)=y. (More general systems are considered in Parts III and IV.)

What is the effect of such a C on the secrecy of X? The key observation is that an adversary seeing an output value y learns that the value of X must be one of the values in $\mathcal{X}$ that are mapped by C to y; all other values for X are eliminated. (That conclusion depends on the worst-case assumption, which we make throughout this book, that the adversary knows how channel C works. That assumption is related to the slogan “No security through obscurity” and it is sometimes called Kerckhoffs’ Principle.)

Returning to our dice example, we suppose that C takes as input the value (r, w) of X and outputs the sum of the two dice, so that C(r, w) = r+w. (From a security perspective, we can think of C as a malicious program that leaks the sum of the digits of a PIN.) Here the space $\mathcal{Y}$ of possible output values is {2, 3, 4, ..., 12}, and the effect is to partition the space $\mathcal{X}$ into blocks consisting of the pairs of dice that sum to each of those values:

Y     Possible values of X
2     {(1, 1)}
3     {(1, 2), (2, 1)}
4     {(1, 3), (2, 2), (3, 1)}
5     {(1, 4), (2, 3), (3, 2), (4, 1)}
6     {(1, 5), (2, 4), (3, 3), (4, 2), (5, 1)}
7     {(1, 6), (2, 5), (3, 4), (4, 3), (5, 2), (6, 1)}
8     {(2, 6), (3, 5), (4, 4), (5, 3), (6, 2)}
9     {(3, 6), (4, 5), (5, 4), (6, 3)}
10    {(4, 6), (5, 5), (6, 4)}
11    {(5, 6), (6, 5)}
12    {(6, 6)}

That partition reflects the 11 possible states of knowledge, or “worlds”, that an adversary seeing the output of C can end up in. Note that those blocks are not equally good from the adversary’s perspective: the blocks when Y is 2 or 12 are singletons, meaning that the value of X is known exactly, while the block when Y is 7 has size 6, meaning that the value of X remains quite uncertain.

Thinking about deterministic channels in general, we note that many partitions are possible. At one extreme, the partition might consist of a single block, which contains all of $\mathcal{X}$. That happens when the channel is a constant function, giving the same output on all inputs, which means that there is no leakage at all. Later we will call it

² We use upper-case letters like X for the names of secrets, and lower-case letters like x for the actual values they might take.
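The dice-sum channel and the two password-checker models from the introduction (accept/reject only, versus running time proportional to the matching prefix) can be put through the same calculation. The Python below is an added example, not code from the book; it goes one step beyond this excerpt by averaging the adversary's best one-try guess over the channel's outputs, the usual posterior counterpart of V1, and the four-letter alphabet, three-character passwords and the guess "abc" are constructed for illustration.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product


def partition(secrets, channel):
    """Group secrets by the output a deterministic channel gives them."""
    blocks = defaultdict(list)
    for x in secrets:
        blocks[channel(x)].append(x)
    return dict(blocks)


def prior_bayes_vulnerability(prior):
    """V1(pi): the largest probability the prior assigns to any secret."""
    return max(prior.values())


def posterior_bayes_vulnerability(prior, channel):
    """Expected one-try guessing probability after seeing the output.

    For each output y the adversary guesses the likeliest secret in the
    block mapped to y; summing those maxima over all outputs weights each
    block by the probability of landing in it.
    """
    best = defaultdict(Fraction)          # Fraction() is 0
    for x, p in prior.items():
        y = channel(x)
        best[y] = max(best[y], p)
    return sum(best.values())


# --- The page's dice example: X = (r, w), C(r, w) = r + w ---------------
DICE = list(product(range(1, 7), repeat=2))
UNIFORM_DICE = {x: Fraction(1, len(DICE)) for x in DICE}


def dice_sum(x):
    r, w = x
    return r + w


# --- Password checker, two models of what the adversary observes --------
# Constructed secret space: every 3-character password over "abcd".
PASSWORDS = ["".join(p) for p in product("abcd", repeat=3)]
UNIFORM_PW = {x: Fraction(1, len(PASSWORDS)) for x in PASSWORDS}


def accept_only(guess):
    """Abstract model: the only output is whether the guess is correct."""
    return lambda secret: secret == guess


def matching_prefix_length(guess):
    """Timing model: an early-exit comparison runs for as many steps as
    the guess shares leading characters with the secret, so a precise
    timer reveals the length of the longest correct prefix."""
    def channel(secret):
        n = 0
        for s, g in zip(secret, guess):
            if s != g:
                break
            n += 1
        return n
    return channel


if __name__ == "__main__":
    print("dice prior V1      :", prior_bayes_vulnerability(UNIFORM_DICE))
    print("dice after sum     :",
          posterior_bayes_vulnerability(UNIFORM_DICE, dice_sum))
    for y, block in sorted(partition(DICE, dice_sum).items()):
        print(f"  Y={y:2d}  block size {len(block)}")

    guess = "abc"  # constructed guess
    print("password prior V1  :", prior_bayes_vulnerability(UNIFORM_PW))
    print("accept/reject only :",
          posterior_bayes_vulnerability(UNIFORM_PW, accept_only(guess)))
    print("with prefix timing :",
          posterior_bayes_vulnerability(UNIFORM_PW,
                                        matching_prefix_length(guess)))
```

Under a uniform prior the result is simply the number of blocks divided by the number of secrets, which is why a channel with more distinguishable outputs leaves the secret easier to guess.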
  • 33. Another Random Scribd Document with Unrelated Content
  • 34. hears a voice bidding him proceed to the Castle of Maidens and rid it of its bad customs. He encounters on the way seven knights whom he must overcome, such was the custom of the castle. He forces them to flight, and an old priest brings him the keys of the castle. He finds therein numberless maidens, and learns that the former lord of the castle had been, with his son, slain by the seven knights, who had striven beforehand to carry off his daughter. She foretold that as they had gained the castle for a maiden’s sake, they would lose it through a maiden, and be overcome by a single knight, whereupon they determined to make prisoner every maiden passing that way. Galahad delivers the captives, and puts a daughter of the former duke in possession of the castle. He learns then that the seven brothers have been slain by Gawain, Gheriot, and Ywain. (10) The story now returns to Gawain. He passes by the abbey where Galahad found the shield, then that where Melians lay ill, is reproached by a friar with being too sinful to be with Galahad, meets Gheheries, his brother, meets Ywain on the morrow, meets the seven brothers who attack them and are slain; then Gawain comes alone to a hermitage, confesses for the first time since fourteen years, is admonished by the hermit, learns that the Castle of Maidens signifies hell, the captives the good souls wrongfully therein confined before Christ’s coming, the seven knights the seven sins. Gawain is pressed, but vainly, to make penitence. (11) The story returns to Galahad. After wandering for awhile without adventures he meets Lancelot and Perceval. They do not recognise him, not knowing his arms (shield),[18] and attack him. He overcomes them, but learning from the words of a recluse, who sees the combat, that she really knows him, and, fearing recognition, he hurries off.[19] (12) Perceval stays with the recluse, and Lancelot starts in pursuit of the Unknown Knight. 
He comes in the night to a stone cross near which stands (an old)[20] chapel. He dismounts and enters, but an iron rail hinders his progress; through it he sees an altar whereon burn seven candles (a silver candlestick, a wax taper).[21] He leaves the chapel, unsaddles his horse, and lies down to sleep by the cross. Then comes a sick knight on a bier drawn by two horses, dolourously lamenting. He looks at Lancelot, but says no word,
  • 35. thinking him asleep, nor does Lancelot say aught, but remains half asleep. And the sick knight laments, “When may I have solace from the holy vessel for the pain I suffer for such a small fault (was ever so much pain as is upon me who have done no evil at all)?”[22] But Lancelot says no word, nor when the candlestick comes towards the cross and the Holy Grail approaches the sick knight, who prays he may be made whole to join likewise the quest. Then crawling to the table whereon the vessel stands, and touching his eyes with (kissing) it, feels relief and slumbers. The Grail disappears and Lancelot still says never a word, for which aftertimes much mischance was his. The sick knight arises well, a squire appears and arms him (with Lancelot’s sword and helm),[23] and brings him Lancelot’s steed, and the knight swears never to rest till he knows why the Holy Grail appears in so many places of the Kingdom of Logres, and by whom it was brought to England. So he departs, and his squire carries off Lancelot’s armour. Lancelot awakes wondering whether what he has seen be dream or truth. And he hears a voice saying—harder than stone, bitterer than wood, more despised than the fig tree—he must away, not pollute the spot where is the Holy Grail. He wanders forth weeping, comes to a hermit, confesses his great sin, his love for Guinevere, is admonished to tear it from his heart, when there may still be hope for him. Lancelot promises, and has the adventure at the chapel explained to him, and stays with the hermit for penance and instruction. (13) The story now returns to Perceval. The recluse orders he be well taken care of, she loves him well, he is her nephew. She dissuades him from fighting Galahad as he wishes, does he wish to die and be killed as his brothers for their outrages (in their combats and tournaments)? He and Galahad and Bors will achieve the Quest. She is his aunt, formerly Queen of the Waste Land. 
He asks about his mother whom he fears he has badly treated, and learns she died when he went to Arthur’s court.[24] He asks further concerning the knight with the red arms, and is told as follows:—Since Christ’s coming were three chief tables; first, the table at which Christ often ate with his Apostles; second, the table of the Holy Grail, established in semblance and remembrance of the first, by which so many miracles were wrought in this land in the
  • 36. time of Joseph of Arimathea, in the beginning when Christianity was brought to this country. He came with four thousand poor companions. One day, wandering in a forest, they had nothing to eat, but an old woman brought twelve (ten) loaves, these they bought and they were wroth with one another when they came to divide them. Joseph angry, took the twelve loaves, made the people sit, and by virtue of the Holy Grail multiplied the loaves to their need. At that table was a seat where Josephes, son of Joseph, might sit, but none other, for, as the history tells, the place was blessed by our Lord himself. Now two brothers, relatives of Josephes, envied him his leadership, saying they were of as good seed as he, and one sat in Josephes’ seat, and was straightway swallowed up by the earth, whence the seat was called the Dreaded Seat. Last came the Round Table, made by Merlin’s counsel, to show the roundness of the world and of the firmament. And Merlin foretold that by companions of this table should the truth of the Grail be known, and that three should achieve it, two virgins and one chaste, and the one should surpass his father as man surpasses wolf, and he should be master, and for him Merlin made a great and wonderful seat, wherein none might sit unharmed save he, and it was known as the Seat Perillous. And as at Whitsuntide the Holy Spirit came to the Apostles in guise of fire, so at Whitsuntide Galahad came clad in red armour. And on the day he came the questing for the Grail began, which might not cease till the truth concerning it and the lance was known. To find Galahad, Perceval must first try Castle Gher (Goth) where dwells a cousin of Galahad, and then Castle Corbenic where dwells the Maimed King. (14) His aunt then tells how after that her husband fell in war against King Laban she withdrew into that wild place. 
And her son went to serve King Pelles, their relative, and since two years she only knows of him that he is following tournaments throughout Great Britain. (15) On the morrow Perceval comes to a monastery, and seeing mass being performed would enter but cannot, and sees a sick bed with a man or woman lying on it, whom, as he rises when the body of our Lord is raised, he sees to be an old man crowned, with his body full of wounds and crying out, “Father, forget me not.” He seems as if he were over four hundred (one
hundred and four) years old. Perceval asks concerning these wonders, and is told as follows:—When Joseph of Arimathea came to this land, the Saracen, King Crudel, hearing of the Grail by which he lived, threw him and his son Josephes and some hundred others into prison for forty days, and forbade food to be given them. But they had the holy vessel with them. When Mordrains and his brother-in-law, Seraphe, heard these things, they assembled their host, landed in Britain, overcame Crudel, and freed Joseph. On the morrow Evelac, as he was called before he became Christian, desired to see the Holy Grail plainly, and though warned to desist pressed forward to do so, and was struck blind and helpless. He accepted his punishment submissively, but only prayed to Christ that he might survive till the good knight should come, the best[25] of his seed (the knight who is to achieve the adventures of the Holy Grail). A voice answered his prayer should be granted, and then he should receive the light of his eyes and his wounds should be made whole. This happened four hundred (one hundred and four) years before, and it was that King Evelac whom Perceval had seen, and during that while he had fed on nought else save the Lord’s body. (16) Perceval riding forth on the morrow is attacked by twenty knights, sore pressed, and only rescued by the Red Knight’s help, who then disappears. (17) Perceval, having lost his horse, asks one vainly from a passing squire, from whom it is shortly afterwards carried off by another knight, whom Perceval, mounted on the squire’s cob, attacks but is overthrown. (18) At night a woman appears and offers him a horse if he will do her will—she is, in truth, the enemy. He agrees, she mounts him, he comes to a river, and, before essaying to ford it, makes the sign of the cross, whereupon the horse rushes howling into the water.
(19) Perceval, rescued from this peril, finds himself on a wild island mountain, full of savage beasts; he helps a lion against a snake and wins its service. He is ill at ease on his island, but he trusts God, and is not like those men of Wales where sons pull their fathers out of bed and kill them to save the disgrace of their dying in bed. (20) That night, sleeping by the lion’s side, Perceval dreams of two women visiting him, one mounted on a lion, the second on a serpent; this one reproaches him for killing the
serpent. On the morrow an old man comes ship-borne, comforts Perceval with good counsel, and interprets his dream: the dame on the lion was Christ’s new law, she on the serpent the old law. (21) A damsel then appears, warns Perceval against the old man, prepares for him a rich banquet with good wine, not British, as in Great Britain they only drink cervoise and other home-made drinks, and excites his passion. He is on the point of yielding, but seeing the cross-handled pommel of his sword crosses himself, and the damsel disappears in flames. Perceval pierces his thigh with his sword in his contrition. The old man reappears, exhorts, explains the various features of his temptation, and finally takes him away with him in his ship. (22) The story now returns to Lancelot. After three exhortations from the hermit he sets forth, and first meets a servant, who assails him bitterly as an unfaithful traitorous knight, in that having openly seen the Holy Grail doing its wonders before him, he yet moved not from his seat. (23) He comes to a hermit’s hut and finds the hermit lamenting over the dead body of his companion, who, at his nephew, Agaran’s, request, had left the hermitage to aid him against his enemies, and had been treacherously slain by the latter. These things are told by a devil, which had entered into the dead hermit’s body. Lancelot is admonished at great length, receives stripes, puts on the dead hermit’s hair shirt, and finally leaves with the advice that he should confess every week. (24) He meets a damsel who encourages him, but tells him he will find no lodging for the night.
He dismounts at the foot of a cross at the cross-ways, and has a vision of a man surrounded with stars, crowned and accompanied by seven Kings and two knights, who pray to be taken to heaven; a man descending from heaven orders one of the knights away, whilst to the other he gives the shape of a winged lion, so that he flies up to heaven and is admitted.[26] (25) Lancelot meets the knight who had carried off his arms, and who attacks, but is overthrown by him. (26) He comes to a hermitage, confesses, tells his vision, and learns that it has a great meaning in respect of his lineage, which must be expounded at much length: forty-two years after the Passion of Christ, Joseph of Arimathea left Jerusalem, came to Sarras, helped Evelac, who received baptism at the hands of
Josephes, together with his brother-in-law, Seraphe (who took the name Nasciens), and who became a pillar of the holy faith, so that the great secrets of the Holy Grail were opened to him, which none but Joseph had beheld before, and no knight after save in dream. Now Evelac dreamed that out of his nephew, son of Nasciens, came forth a great lake, whence issued nine streams, eight of the same size, and the last greater than all the rest put together; our Lord came and washed in the lake which King Mordrains thus saw flowing from Celidoine’s belly. This Celidoine was the man surrounded by stars in Lancelot’s vision, and this because he knew the course of the stars and the manner of the planets, and he was first King of Scotland, and the nine streams were his nine descendants, of whom seven Kings and two knights:—first, Warpus; second, Chrestiens;[27] third, Alain li Gros; fourth, Helyas; fifth, Jonaans, who went to Wales and there took to wife King Moroneus’ daughter; sixth, Lancelot, who had the King of Ireland’s daughter to wife; seventh, Bans. These were the seven Kings who appeared to Lancelot. The eighth stream was Lancelot himself, the elder of the knights of the vision. The ninth stream was Galahad, begot by Lancelot upon the Fisher King’s daughter, lion-like in power, deepest of all the streams.[28] (27) Lancelot comes to a castle with a meadow before it, whereon a throng of black armoured knights is tourneying against knights in white armour. Lancelot goes to the help of the former,[29] but is captured, and on being released rides off lamenting. At night, as he sleeps, a man comes from heaven and reproaches him with his ill faith. A hermitess expounds the allegorical meaning of the adventure.
The white knights are those of Eliezer, son of King Pelles, the black those of Argastes, son of King Helain; this symbolised the Quest, which was a tournament between the heavenly knights and the earthly ones, and in that Quest none might enter who was black with sin; and Lancelot though sinful, having entered thereon had joined the black knights, and his capture by the others was his overthrow by Galahad, and his lamentation his return to sin, and it was our Lord who reproached him in his vision; let him not depart from truth. (28) Lancelot comes to Lake Marchoise, is attacked by a knight in black armour, who kills his horse and rides off; he lays
down on the shore and awaits trustfully God’s help. (29) The story returns to Gawain. After journeying many days adventureless, he meets Hector de Mares. Neither has heard aught of Lancelot, Galahad, or Bohors. Travelling together they come to a deserted chapel, where, passing the night, Gawain dreams he sees in a meadow one hundred and fifty bulls all spotted, save three, one being dingy, the two others being pure white. Of the one hundred and forty-seven who set off to find better pasture many die and some return, of the three one returns, but two remain between whom strife arises and they separate. Hector dreams that he and Lancelot, being companions, are attacked by a man who knocks Lancelot off his horse and sits him on an ass, after which Lancelot, coming to a fair fountain, would drink of it, but it vanishes; he, Hector, keeping his horse comes to a castle, the lord of which refuses him admission for that he is too high mounted. Whilst telling one another their dreams, a hand with a taper appears and vanishes, and a voice tells them that, poor of belief as they are, they cannot attain the Holy Grail. On their way to find a hermit who may explain these wonders, Gawain is attacked by and kills a knight, Ywains the Adulterer, son of King Urien. They then come to the hermit, Nasciens, who explains the bulls as the companions of the Round Table, the spotted ones those stained by sin, the three unspotted ones are the achievers, two white, virgins—Galahad and Perceval—one dingy, having once sinned carnally, Bors. The last part of the dream may not be explained, as evil might come of it. In Hector’s dream the two horses are Pride and Ostentation. Lancelot’s being seated on an ass signifies the putting off of pride, the fountain is the Holy Grail. Both knights are too full of sin to continue in the quest of the Grail. They ride forth and meet with no adventure worth notice. (30) The story returns to Bors.
After first coming to a hermit, who exhorts him to abandon the Quest if he do not feel himself free from sin, to whom he confesses, from whom he receives absolution, and to whom he vows to eat nought save bread and water till the Quest be achieved, he comes to a castle whose mistress is sore oppressed by her sister, against whose champion, Priadam the Black, she has vainly sought a defender. Bors promises to come to help. He
passes the night at the castle and will not sleep in the rich bed she offers him, though in the morning he tumbles it as if he had lain in it. He overcomes Priadam, and reinstates the lady in her lordship. (31) On the morrow he meets his brother, naked, bound on a hack, being beaten with thorns by two knights. At the same moment passes a very fair maiden being carried off by a knight, and she cries to him for help. He is in anguish, but goes to the maiden’s help, wounds her would-be ravisher, and restores her to her friends. (32) He then hurries after his brother, but meets a seeming monk who makes him believe his brother is dead, and gives him an explanation of dreams he has had. He then comes to a tower and is welcomed by its inmates. A damsel offers him her love, and when he refuses threatens with twelve other damsels to throw herself from the tower. Bors is full of pity, but thinks they had better lose their souls than he his. They fall from the tower, Bors crosses himself, and the whole vanishes, being a deceit of the devil. His brother’s corpse that had been shown him is also gone. (33) On the morrow he comes to an abbey, where he learns that his brother lives, and where all his dreams and adventures are allegorically explained. He then meets Lionel, his brother, who reproaches him bitterly for his conduct, and falls upon him with intent to kill. First a hermit, then a passing knight, Calogrenant, would stop him, but he slays both. Bors is at length, in spite of prayers and entreaties, compelled to draw in self defence, but a voice tells him to flee, and a fiery brand comes from heaven between them. Bors follows the command of the voice directing him towards the sea, where Perceval awaits him. He comes to a ship covered with white samite, and finds therein Perceval, who at first does not know him again, and who tells him all that he has passed through. (34) The story returns to Galahad.
After countless adventures he finds himself one day opposed to Gawain and Hector de Mares in a tournament; he deals the former such a blow as knocks him out of his saddle. (35) He is brought to the ship wherein are Perceval and Bors by a damsel, who accompanies them until, fourteen days’ sail from Logres, they come to a desert isle off which is another ship, on which is written[30] that those who would enter should see they were full of faith. The damsel then tells Perceval she
is his sister, daughter of King Pellehem. They enter the ship and find a rich bed with a crown at its head, and at its foot a sword six inches out of the scabbard, its tip a stone of all the colours in the world, its handle of the bones of two beasts, the serpent Papagast, the fish Orteniaus; it is covered with a cloth whereon is written that only the first of his line would grasp the sword. Perceval and Bors both essay vainly. Galahad, on being asked, sees written on the blade that he only should draw who could strike better than others. The damsel tells the story of the sword as follows:—When the ship came to the Kingdom of Logres there was war between King Lambar, father to the Maimed King, and King Urlain, heretofore Saracen, but newly baptised. Once Urlain, discomfited, fled to the ship, and, finding therein the sword, drew it and slew King Laban[31] with it, and that was the first blow struck with the sword in the Kingdom of Logres, and there came from it such pestilence and destruction in the land of the two kingdoms that it was afterwards called the Waste Land. When Urlain re-entered the ship he fell down dead. (36) Galahad, further examining the sword, finds the scabbard of serpent’s skin, but the hangings of poor stuff. On the scabbard is written that the wearer must surpass his fellows, and the hangings be changed only by a King’s daughter and she a maid; on turning the sword over, the other side is found black as pitch, and bearing words that he who should praise it most should blame it most in his greatest need.
Perceval’s sister explains this as follows: Forty years after our Lord’s Passion, Nasciens, Mordrains’ brother-in-law, came to the Turning Isle, and found this ship, and therein bed and sword, this last he coveted, but had not the hardihood to draw it, though he stayed eight days food and drinkless longing for it; on the ninth day a tempest drove him to another island, where, assailed by a giant, he drew the sword, and though it snapped in two and thus fulfilled the inscription, yet he overcame the giant. He afterwards met Mordrains and told him of these wonders; Mordrains reunited the fragments, then, in obedience to a voice, they left the ship, but in going Nasciens was wounded for having dared to draw a sword of which he was not worthy, thus he who praised it most had most reason to blame it. As for the other words, King Pelles,[32] called the Maimed
King (a lame King who was my, i.e., the damsel’s, uncle) once came to this ship on the shore of the sea over against Ireland, and entering it found the sword, drew but was wounded through the thighs by a lance, and might not be healed till Galahad come.[33] (37) They then examine the bed and find it has three spindles; that in front, snow white; that behind, blood red; that above, emerald green, and lest this be thought a lie the story turns from its straight path to explain about these spindles. After Eve, yielding to the devil’s advice, had caused Adam to sin, and both knew themselves carnal and were ashamed, and were driven forth from Paradise, Eve kept the branch of the Tree of Life which she had plucked, and planted it and it grew to a tree with branches and leaves white in token that Eve was a virgin when she planted it. Sitting one day beneath the tree, God commanded them to know one another carnally, and when they were ashamed to set about such foul work sent darkness over them. Abel was thus begotten, and the Tree of Life turned green. Afterwards Cain slew Abel underneath that same tree and it turned red. At the Deluge it remained unharmed and lasted till Solomon’s time. Whilst the wise King was pondering over the malice of his wife and of all women, a voice told him a woman of his line should bring men more joy than her sex had caused sorrow, and that a virgin knight should be the last of his lineage. His wife, whom he consults as to how he shall let this knight know he had foreknowledge of his coming, advised the building of the ship, and the taking of David’s sword to be fitted with a new hilt of precious stones, and a new pommel and scabbard, and placed in the ship together with Solomon’s crown on a rich bed; she furthermore had three spindles made from the Tree of Life and from trees grown from it. And when all was ready Solomon saw in dreams angels coming from heaven and putting the different inscriptions on the sword and ship.
(38) The story speaks now of other things. New hangings had not been put on the sword, this was to be done by a damsel. Perceval’s sister supplies hangings made of her own hair, and names the sword “The Sword of Strange Hangings,” and the scabbard “Memory of Blood,” and Galahad girds on the sword. (39) On the morrow they set sail and come to Castle Carchelois, in the March of Scotland, the inmates
whereof attack them but are all slain. Galahad is sorry for those he has killed, but a priest tells him they are heathens, and he has done the best work in the world, as the three knights who held the castle had ravished their own sister and wounded their father, Count Ernous, to death. Before the latter dies he urges Galahad to go to the assistance of the Maimed King (to undertake other adventures).[34] (40) On the morrow they meet a white stag led by four lions; these come to a hermitage, hear mass, the stag becomes a man and sits on the altar, the lions a man, an eagle, a lion, and an ox, all winged. (41) On the morrow Perceval takes Galahad’s sword, which he will wear from henceforth. They come to a castle, the inmates of which demand that Perceval’s sister should pay the custom of the castle, which is to give a dishful of blood from her right arm. The three companions protect Perceval’s sister against overwhelming odds till nightfall, when, learning that the blood is asked to heal the Lady of the Castle suffering from leprosy, Perceval’s sister sacrifices herself. Before dying she gives directions that her body is to be put in a ship and buried in the Palace Spiritual in Sarras. Bors then leaves his two companions to succour a wounded knight pursued by a knight and a dwarf;[35] and Perceval and Galahad, after seeing the castle they had thus left destroyed by fire from heaven in vengeance of the blood of the good maidens which had there been shed, likewise separate. (42) The story returns to Lancelot. He is at the Water of Marcoise, surrounded by the forest and high rocks, but he does not lose faith in God; in obedience to a voice he goes on board a passing ship and finds therein Perceval’s sister, whose story he learns from the letter at her head. After a month’s journeying a knight joins them who proves to be Galahad, and they pass together half a year achieving marvellous adventures.
After Easter, at the new time when the birds sing their sweet and varied songs, they come to land, and a knight in white arms bids Galahad leave his father, which he does. (43) After a month’s further wandering on the sea, Lancelot comes to a castle guarded by two lions,[36] against whom he would at first defend himself, but is reproved for trusting his strength rather than his Creator. Entering, he comes to a room wherein are the Holy Vessel, and a priest celebrating mass; Lancelot is warned not to
enter, but when he sees that the priest about to raise the body of God has a man put into his hands, he cannot refrain from pressing forward to his aid, but is struck down by a fiery wind and remains fourteen days dumb, food- and drinkless. He finds he is in Castle Corbenic, and a damsel tells him his quest is ended. King Pelles rejoices to see him, at dinner the Holy Grail fills the tables so that living man could not think of greater plenty; whilst at dinner Hector de Mares comes to the castle door, but is ashamed to enter, hearing that Lancelot is within, and rides off pursued by the reproaches and taunts of those of the castle. Lancelot returns to Arthur’s court, passing on the way the tomb of Bandamagus, whom Gawain had slain. (44) The story returns to Galahad. He comes to an abbey wherein is King Mordrains, who knows his approach, and asks that he may die in his arms; Galahad takes him on his breast, Mordrains dies and all his wounds are found healed. (45) Galahad cools the boiling fountain by putting his hand in it. (46) Galahad delivers from the tomb where he had been burning three hundred and fifty-four years his relative, Symeu, who thus expiated his sin against Joseph of Arimathea. (47) Galahad rides five years before he comes to the house of the Maimed King (the court of King Peleur), and during all the five years Perceval bears him company, and within that time they achieve the great adventures of the Kingdom of Logres (cast out the evil adventures of the Island of Britain). (48) One day they met Bors, who in the five years had not been in bed four times. The three come to Castle Corbenic[37] (the court of King Peleur) where they are greeted by King Pelles, and where Eliezer, King Pelles’ son, brings the broken sword with which Joseph had been pierced through the thighs; Bors cannot rejoin the pieces, Perceval can only adjust them together, Galahad alone can make the sword whole, and it is then given to Bors.
(50) At vesper-time a hot wind strikes the palace, and a voice orders all unfit to sit at Christ’s table to depart, as the true knights were to be fed with Heaven’s food. All leave save King Pelles, Eliezer, his son, and his niece, the most religious maid on the earth (a young maiden); to them enter nine knights[38] and salute Galahad: three are from Gaul (Wales), three from Ireland, three from Denmark. Then four damsels bring in on a wooden bed a
man, crowned, in evil plight, who greets Galahad as his long-expected deliverer. A voice orders out of the room him who has not been a companion of the Quest, and straightway King Pelles and Eliezer and the damsel depart. From heaven comes a man clad like a Bishop and borne in a chair by four[39] angels, who place him before the table upon which stands the Holy Grail. Upon his forehead is written that he was Joseph (son of Joseph of Arimathea) first Bishop of Christendom, whereat they wonder, as they know that man lived three hundred years before. He kneels before the altar and opens the door of the ark (chamber), and four angels[39] issue, two bearing burning lights, the third a cloth of red samite, the fourth a lance bleeding so hard that the drops run into a box he holds in his other hand (two with torches, the third with the lance, the fourth holding the box into which the blood drops); the candles are placed on the table, the cloth is placed on the holy vessel so that the blood fell into it. Joseph then celebrates the Sacrament, and on his raising the wafer, as it were a child descends from heaven and strikes itself into the wafer, so that it takes man’s form. Joseph then kisses Galahad and bids him be fed by the Saviour’s own hand, and vanishes. But there comes out of the holy vessel, a man with hands bleeding and feet and body, and says He will reveal His secrets, and give the high food so long desired and toiled for.
He gives the Sacrament to Galahad and his companions, and explains that the Grail is the dish of the Last Supper, and Galahad shall see it more fully in the City of Sarras, whither it is going, Britain being unworthy of it, and whither he is to follow it with Perceval and Bors; but as he must not leave the land without healing the Maimed King he is to take some of the blood of the lance and therewith anoint his legs.[40] Galahad asks why all may not come with him; but Christ says they are twelve who have eaten as the Apostles were twelve, and they must separate as the Apostles separated. Galahad then heals the Maimed King, who goes into an abbey of white monks. (51) The three companions, after sending messages to Arthur’s court through Estrois de Gariles and Claudius, son of King Claudas,[41] coming to Solomon’s ship, herein they find the Holy Grail, set sail; on landing bury Perceval’s sister, heal a cripple to help them carry the Grail-table, are cast in
prison by King Escorant for a year, are fed by the Holy Grail; at Escorant’s death Galahad is made King, fashions a tree of gold and precious stones over the Grail and prays before it every morning as do his companions. (52) On the anniversary of Galahad’s crowning the three see before the holy vessel a man clad like a Bishop, who begins mass and calls Galahad to see what he has so longed to see, and at the sight Galahad trembles very greatly, and he thanks God for letting him see that which tongue may not describe nor heart think, and he begs that he may pass away from this earthly life to the heavenly one. The Bishop then gives him the body of God, and reveals himself as Josephus, son of Joseph of Arimathea. Galahad kisses Perceval and Bors, and sends greetings to Lancelot through Bors, his soul then leaves his body and angels take it away. A hand from heaven then comes to the vessel and takes it and the lance, and bears it heavenwards, so that since there was no man bold enough to say he has seen the Holy Grail (except Gwalchmai once). (52) Galahad’s body is buried. Perceval goes into a hermitage, where Bors stays with him for a year and two months; Perceval dies, and is buried by Bors in Galahad’s tomb; Bors left alone in a place as strange as Babylon, sets sail for Britain, and comes to Camelot, when all are greatly joyed to see him; he tells the adventures of the Holy Grail; they are written down and kept in the Abbey of Salisbury, and from these Master Walter Map drew to make his book of the Holy Grail for the love of King Henry his lord, who had the story translated from Latin into French. The story now is silent and tells no more concerning the adventures of the Holy Grail.[42] Grand St. Graal.—(1) The writer salutes all who have faith in the Holy Trinity.
He does not name himself for three reasons: lest his declaration that he received the story from God Himself be a stumbling block; lest his friends pay less honour to the book if they know the author; lest if he have made any blunder all the blame fall upon him. (2) In the year 717 after the Passion of Christ, as the writer lies in his hut in one of the wildest parts of White Britain, on Good Friday
Eve and doubts of the Trinity, Christ appears to him and gives him a little book not larger than a man’s palm, and this book will resolve all his doubts; He Himself has written it, and only he who is purified by confession and fasting may read it. On the morrow the writer opens it and finds therein four sections, headed each as follows: This is the book of thy lineage; here begins the book of the Holy Grail; here is the beginning of the terrors; here begin the marvels. As he reads lightning and thunder come and other wonders. On Good Friday, as he is celebrating the service, an angel raises him in spirit to the third heaven, and his doubts concerning the Trinity are set at rest. When his spirit returns to his body he locks up the book; but on Easter Sunday, when he would read further, finds it gone; a voice says he must suffer to have the book back again, must go to the plains of Walescog, follow a wonderful beast to Norway, and there find what he seeks. He obeys, the beast leads him first to a hermit’s, then past the pine of adventures to a knight’s castle, on the third day to the queen’s lake and a nunnery. After exorcising a hermit possessed of the devil, he finds the book, and on his return Christ commands him to make a fair copy before Ascension Day. He sets to work at once, on the fifteenth day after Easter.[43] The book begins as follows: Few believe on Christ at His crucifixion, among whom is Joseph of Arimathea, as the Holy Scripture of the Grail testifies. He is in all things a good man. He lives in Jerusalem with his wife and a son, Josephes (not the same Josephes who so often quotes the Scripture, but not less learned than he), he it was who passed his father’s kin across sea to White Britain, since called England, without rudder or sail, but in the fold of this shirt.
Joseph, having much loved the Lord, longs after His death to possess somewhat having belonged to Him; goes to the house of the Last Supper, and carries off the dish wherein He had eaten. Having been a knight of Pilate’s for seven years, he craves a boon of him, which is Christ’s body. Pilate grants it; Joseph descends the body from the Cross, places it in a sepulchre, and, fetching the dish from his house, collects in it the blood flowing from the body,[44] and finishes laying the body in the tomb. The Jews hear of this, are angered, seize Joseph, throw him into prison in the most hideous and dirtiest dungeon ever seen, feed
him at first on bread and water, but when Christ is found to have arisen, Caiaphas, Joseph’s jailor, lets him starve. But Christ brings the holy dish that Joseph had sent back to his house with all the blood in it. Joseph is overjoyed. Christ comforts him, and assures him he shall live and carry His name to foreign parts. Joseph thus remains in prison. Meanwhile his wife, though often pressed to marry, refuses until she shall have had sure tidings of her husband; as for his son he will only marry Holy Church. (3) Forty years go by; after Christ’s death Tiberius Cæsar reigned ten years, then Caius, one year; then Claudius, fourteen years; then Noirons, in whose reign S.S. Peter and Paul were crucified, fourteen years; then Titus, and Vespasian, his son, a leper. The freeing of Joseph befalls in the third year of Titus’ reign and in this wise: Titus has vainly sought a leech to heal Vespasian. At last a strange knight from Capernaum promises his help and tells how he in his youth had been healed of the leprosy by a prophet. The Emperor on hearing this sent to Judea to seek out that prophet; his messenger comes to Felix, and orders him to have proclamation made for aught Christ has touched; hereupon an old woman, Marie la Venissienne, brings the cloth upon which the Saviour’s likeness had painted itself when she wiped His face. The messenger returns to Rome with this cloth and the mere sight of it heals Vespasian, who straightway resolves to avenge Christ’s death. He goes to Jerusalem, Joseph’s wife appears before him, accuses the Jews of having made away with her husband; none of the Jews know where he is save Caiaphas, who reveals the secret on condition that he is to be neither burnt or slain. Vespasian himself goes down into the prison and finds it as light as though one hundred candles had burnt in it. He tells Joseph who he is, whereat the latter wondered, not thinking he had been longer than from Friday to Sunday, not once had it been dark.
A voice tells Joseph not to fear, and that he will find the Holy Vessel at his home. Joseph returns to Jerusalem with Vespasian, and points out to him the abettors of Christ’s death, whom Vespasian has burnt. Caiaphas is set adrift in a boat. (4) The night before Vespasian returns to Rome, Christ appears to Joseph and commands him to go forth and fill foreign lands with his seed; he must be baptised, and must go forth
without money or aught but the dish; all heart can want or wish he shall have, all who accompany him must be baptised likewise. Joseph is baptised by St. Philip, then Bishop of Jerusalem, as is also Vespasian, concerning whom the story is now silent. (5) Joseph preaches to his friends and relatives and converts seventy-five of them. They leave Jerusalem and come to Bethany, where the Lord appears to Joseph, promises him aid as once to the Jews in the wilderness, commands him to make a wooden ark for the dish, which he is to open when he wants to speak to Him, but no one is to touch it save Joseph and his son Josephes; Joseph does as commanded, his troop is miraculously fed, and on the eleventh day they come to the town of Sarras, between Babilone and Salavandre, whence the Saracens have their name, and not from Sara. (6) Joseph and his seventy-five companions enter the city and go to the Temple of the Sun, to the seat of judgment, where the Saracens are assembled with their lord, Evalach the Unknown: he had been a man of prowess in his youth, but was now old; seven days before, the Egyptians had beaten his army, and the council is now devising how vengeance may be taken therefor. Joseph is greatly joyed at these events, and when the council advises peace assures the King of victory, but he must destroy his images and believe on Him who died on the Cross. Evalach asks how one who could not save himself could save another. Joseph, in answer, tells of Christ’s birth, life, death, descent into hell, resurrection, ascension, and of the sending of the Holy Ghost.
Evalach cannot understand either the Incarnation or the Trinity, and although Joseph explains that the Virgin conceived by the overshadowing of the Holy Ghost through her ear, and that her virginity was no more hurt than is water when a sunbeam enters it, remains stubborn and calls his learned men to his aid, but Joseph confounds these, and Evalach lodges the Christians for the night and gives them good beds. (7) Evalach dreams of a tree-stock whence spring three equal trunks and though three yet are truly one, also of a room with a secret door of marble, through which a child passes without opening it; a voice tells him this is a type of the miraculous conception of Christ. (8) Meanwhile, Joseph, unable to sleep, prays for comfort and adjures the Lord by all His mercies to help Evalach;
he is told by a voice he shall be sent for to explain the King’s dream. Joseph then goes to sleep with his wife, Helyab, but not as lustful folk do, for there was nothing between them till the Lord commanded the begetting of Galahad, and then, so full of love to the Saviour were they that they had no desire. From Galahad came the high race which honoured the land of White Britain, now called England. (9) The morrow morning Joseph and his company worship before the ark (now the place wherein they were had been called the Spiritual Palace by Daniel) when a soft sweet wind comes and the Holy Ghost descends and Christ speaks and urges all to love Him; He tells Josephes to draw near and take charge of His flesh and blood; Josephes opens the door of the ark and sees a man all in red, and with him five angels, each six winged, all in red, each with a bloody sword in his left, and in their rights severally, a cross, nails, lance, sponge, and scourge; Josephes sees Christ nailed to the Cross, and the blood running down from His side and feet into the dish; he would enter the ark but angels restrain him. Joseph, wondering at his son’s state, kneels before the ark and sees therein an altar covered with white cloths, under which is a red samite one, covering three nails, a lance head all bloody, and the dish he had brought, and in the middle of the altar an exceeding rich vessel of gold and precious stones; seven angels issue from the ark with water and watering pot (2), gold basins and towels (2), and gold censers (3), an eighth carrying the holy dish, a ninth a head so rich and beautiful as never mortal eye saw, a tenth a sword, three more with tapers, lastly Jesus. The company of angels go over the house sprinkling it with holy water, because it had heretofore been dwelt in by devils. Christ tells Josephes he is to receive the sacrament of His flesh and blood, and be made sovran shepherd over His new sheep; bishop’s vestments are brought out of the ark.
Josephes is seated in a chair, which afterwards made a Saracen King’s eyes fly out of his head, is consecrated, an angel keeps the holy oil wherewith all Kings of Britain were anointed till the time of Uther Pendragon, of whom none of the many that have told his history have rightly known why he was so called; the meaning of the episcopal vestments is explained to Josephes, and his duties set forth. (10) Josephes then
goes into the ark and celebrates the sacrament using Christ’s words only, whereat bread and wine become flesh and blood, and in place of the bread a child, which, though as bidden, he divides into three parts yet is eaten as one whole; an angel puts patina and chalice into the dish; Joseph and his company receive the sacrament in the form of a child; Christ bids Josephes celebrate the sacrament daily; tells him that he and Joseph are to go with Evalach’s messengers now nigh at hand. Leucans, Josephes’ cousin, is appointed guardian of the ark. (11) Joseph and his son go before the King and overcome all the heathen clerk’s objections; Josephes tells Evalach he will be given over to his enemies for three days, and shall only escape by believing on Christ; the heathen idols are smashed by a devil at the compelling of Josephes’ two angels. A messenger brings the news that King Tholomes has entered and is capturing the land, and he will not rest till he be crowned at Sarras. Josephes tells the King this ill-hap is to mind him of his lowly origin, he is son of a shoemaker in an old city of France, Meaux, and was one of a tribute of one hundred youths and one hundred maidens claimed by Augustus Cæsar from France, as here dwelt a prouder folk than elsewhere, and the two daughters of the Count of the Town, Sevain, were among the tribute, and Evalach was among their servants. When Felix was named Governor of Syria by Tiberius he had taken Evalach with him, and held him in high honour until one day, angry with Felix’s son, Evalach slew him and had to fly, after which he entered the service of Tholome Cerastre, King of Babylon, who had given him the land he now ruled. Josephes further explains the King’s dreams, and when the latter declares himself willing to believe, asks for his shield, upon which he fixes a red cross and tells him to look on it in his need and pray to God and he shall be saved.
(12) Evalach marches with his army against Tholomes, is joined by his brother-in-law, Seraphe (whom he thought hated him most of any man in the world) at the Queen’s entreaty; numerous combats ensue between the two armies; Seraphe performs prodigies of valour; Evalach is taken prisoner, and in his need looks on the shield, sees thereon Christ crucified, prays to God for help, a White Knight appears, overcomes Tholomes, who is taken prisoner, and Evalach’s
army is victorious. (13) Meanwhile Josephes, remaining in Sarras, has been counselling Queen Sarraquite, secretly a Christian, since her mother was cured of a bloody flux, and since Christ appeared to her when she was afraid of the hermit her mother had led her to for baptism because he had such a long beard; she dares not avow her faith for fear of her husband. Josephes tells her of the battle which has taken place and of the White Knight. (14) Evalach and Seraphe return; the King asks at once after the Christians, and learns that he owes his victory to the Lord to whom also Seraphe owed his strength in battle; the shield is uncovered, a man with a wounded arm is healed by it, and then the cross vanishes; Seraphe turns Christian, is baptised and receives the name Nasciens, he is straightway healed of his wounds, exhorts Evalach to believe, and tells of Tholomes’ death. Evalach is baptised, and re-christened Mordrains, or Slow-of-Belief. After baptising the town and destroying all images, Josephes leaves three of his companions in charge of the Grail Ark, and goes with the rest to Orcanz, turns out of an image a devil who had slain Tholomes, and converts more of the heathen folk. (15) Meanwhile Mordrains has ordered his people to be baptised or to leave his land; many take the latter course and are met outside the town by a devil who wounds them grievously, whereupon Josephes hurries to their aid, but is met by an angel with a lance and smitten through the thigh for having left his baptising work to trouble himself about contemners of God’s law, and the mark of the wound should stay with him all his life, and the iron spear head remain in the wound so that ever after he limped, and he had later to smart for it, as the tale will show in due season. Many more people are converted, Bishops are left in the land and holy relics at Sarras.
(16) Josephes brings Mordrains, Sarraquite, and Nasciens to the holy shrine, and shows them the vessel wherein is Christ’s blood. Nasciens thinks he has never seen aught to match it, and he gives it a name that since it has never lost. For, says he, nothing he had seen before but somewhat displeased him (li degraast), but this pleases him (li grée) entirely; he further tells how once when a young man, hunting, as he stood deep in thought a voice made itself heard, saying “Thou shall’t never accomplish what
thou thinkest on until the wonders of the Grail are disclosed,” and he knows now this must be the Grail as every wish of his heart is accomplished. And he draws nearer and lifts the vessel’s lid and looks therein, but straightway falls to trembling, feeling he can no longer see. And he knew that the blindness was to punish his curiosity, and turning to Josephes tells him that the iron shall not be drawn out of that wound inflicted by the angel at Orcanz, nor he himself recover his sight until Josephes, wounded, himself comes to draw out the iron. So they stand lost in thought, till a voice is heard, “After my vengeance my healing” and an angel appears, touches Josephes’ thigh with the lance shaft, whereupon the head comes out, and from it drop great drops of blood which the angel collects in a vessel, and wherewith he anoints Josephes’ wound, making it whole, and Nasciens’ eyes, restoring to him his sight. And the angel tells them that the meaning of the lance is that of the beginning of the wonderful adventures which shall befall in lands whither God purposes leading them; when the true knights should be separated from the false ones, and the earthly knighthood become a heavenly one. And at the beginning of those adventures the lance would drop blood as then, but beforehand none; and then wonders would happen all over the world where the lance was, great and terrible wonders, in recognition of the Holy Grail and of the lance; and the marvels of the Grail should never be seen save by one man alone; and by the lance wherewith Josephes was struck should but one other man be struck, and he a King of Josephes’ kin, and the last of the good men; he should be struck through the two thighs, and only healed when the Grail wonders were disclosed to the Good Knight, and that one should be last of Nasciens’ kin.
Thus, as Nasciens was the first to behold the wonders of the Grail, that one should be the last; so saith the true crucified one, adding, “Upon the first and last of My new ministers will I spend the vengeance of the adventurous lance in token of Myself having received the lance stroke whilst on the Cross.” And so many days as Josephes had born the lance head in his wound so many days should the marvellous adventures last.
Now these days (years)[45] were twenty-two. (17) Josephes explains Mordrains’ vision, and makes him destroy the image of a woman he had kept in a secret chamber, known, so he thought, only to himself. (18) Josephes and his company go forth from Sarras, but the tale tells nothing of them in this place, but keeps straight on. On the following night Mordrains dreams that, sitting in Sarras at table, of a sudden a thunderbolt strikes crown from his head and the first mouthful from his lips; a great wind carries him up into a far land where he is fed by a lion and lioness, and after a while an eagle carries off Nasciens’ son to a land whereof the inhabitants bow down before him, and out of this nephew’s belly comes a great lake giving rise to nine streams, eight of equal breadth and depth, the ninth as wide and deep as the remainder put together, and rushing and turbulent, and at first foul and muddy, but afterwards clear and pure as a precious stone; then comes down from heaven a man in likeness of one crucified, who bathes hands and feet in the lake and eight streams, but in the ninth his whole body. (19) Mordrains tells his vision to Nasciens and confesses to former treacherous and jealous feelings he had against him; they seek counsel of the priests, but none can expound the vision, and as they sit together a great tumult is heard and the sound of a horn announcing “the beginning of dread,” and they fall senseless to the ground; but Mordrains is caught up by the Holy Ghost and borne off. (20) Meanwhile Nasciens is accused by Kalafier, a Christian-hater, of having made away with Mordrains, and is cast into prison with Kalafier for gaoler. (21) Meanwhile Mordrains has been carried off by the Holy Ghost to an island lying between Babylon, Scotland, and Ireland, a high land from which the western sea can be looked over as far as Spain; it was once a pirates’ lair, but Pompey drove them thence.
To Mordrains comes a noble man who gives his name as Tout-entour, comforts him, and exhorts him to steadfastness in the faith; when he leaves a fair woman appears and tempts the King, who luckily does not pay heed to her, and well for him, as he learns from the noble man that she is Lucifer in disguise. He is assailed by many temptations; storm, thunder, and lightning affright him; the wonderful bird Phœnix attacks him and snatches the bread from his
lips; Lucifer again visits him and shows him Nasciens’ dead body, but it is only an invention; finally, all these trials withstood, the noble man comes again and expounds the dream of the nine streams: the lake is a son of Nasciens, from whom descend nine Kings, all good men and true, but the ninth surpassing all in every virtue; he is the knight to whom the wonders of the Grail shall be shown, and Christ shall bathe Himself wholly in him. (22) Meanwhile Nasciens has been kept in prison together with his son, Celidoine (Heaven-given) by Kalafier. But a miraculous hand appearing from out a cloud strikes off Nasciens’ fetters, and carries him out of the dungeon; Kalafier pursues but is struck down by the hand; on his death bed he orders that Celidoine be cast from the battlements, but nine hands bear him up in mid air, whilst Kalafier, slain by fire from heaven, goes to eternal death. Sarraquite, overjoyed to hear of her brother’s escape, sends out messengers to meet them. Meanwhile Nasciens’ wife, Flegentyne, has set out in search of her husband accompanied by the old knight, Corsapias, and his son, Helicoras. (23) Now Nasciens has been carried fourteen days journey off to the Turning Isle (concerning which many wonders are told); all of these things are true, as Christ Himself has written the book of the Holy Grail, and He never wrote aught else save the Lord’s Prayer for the disciples and the judgment upon the woman taken in adultery. And no man is bold enough to say that since the Resurrection Christ wrote aught else save this “haute escripture del S. Graal.” (24) A ship comes to Nasciens’ isle which he would enter but for words warning him against it unless he be full of faith. However, crossing himself he enters [and finds therein the same wonders as those described in Queste, Inc. 35, 36, 37, viz.:—the sword and the three spindles, precisely the same story about which is told as in the Queste].
(25) Nasciens deeming there must be magic in this, the ship splits in twain, and had well nigh drowned him, but he regains the isle swimming, and on the morrow an old man comes in a ship and gives him an allegorical explanation of what has befallen him. (26) Meanwhile Celidoine, carried off by the hands to the land of the heathen King Label, wins his favour by expounding a dream, converts him, but at his death is cast adrift by the heathen barons in
a boat with a lion, and after three days comes to Nasciens’ island. (27) The two rejoice on their meeting, and leave the island together in Solomon’s ship, come after four days to another island, where Nasciens, attacked by a giant, seizes Solomon’s sword but it breaks in his hand, nevertheless, with another sword he overcomes the giant. He chides Solomon’s sword, but Celidoine says it is some sin of his made it break. Thereafter they see a ship approaching wherein is Mordrains. There is rejoicing between the three, and much telling of past adventures. Nasciens shows the broken sword to Mordrains, who, taking it in his hands, joins it together, whereupon a voice bids them leave the ship; Nasciens, not obeying fast enough, is wounded in the shoulder by a fiery sword in punishment of his having drawn Solomon’s sword. (28) The messengers sent out by Sarraquite in search of Nasciens have, meantime, had many adventures, have come across the daughter of King Label, suffered shipwreck, and been thrown upon a desert isle formerly the home of the great physician, Ypocras (of whom a long story is told how he was tricked by a Roman lady), been tempted in divers fashions, but at last they are led to Mordrains, Nasciens, and Celidoine. (29) On the third night a priest clad in white comes walking on the sea, heals Nasciens’ wound, and sends off Celidoine in another ship. The remainder come to land, Mordrains and Sarraquite are reunited; Nasciens’ wife, Flegentyne, is sent for; and Label’s daughter is christened by Petrone, a holy man and kinsman of Joseph. She was after Celidoine’s wife, as my lord Robert of Borron testifies, who translated this history from Latin into French after the holy hermit to whom our Lord first gave it. (30) Nasciens sets forth in search of his son, his knights follow on his track, and two are struck dead for their sins.
Nasciens comes again to Solomon’s ship, is tempted by the devil in the shape of a fair damsel, goes on board the ship and dreams as follows:—Celidoine is in the promised land with all those who had left Sarras; he, Nasciens, shall go thence likewise and never depart thence, nor shall the ship until it take back the last of his line to Sarras, together with the Holy Grail, and that shall be after three hundred years; and thereafter Celidoine leads before him nine persons, all in guise of Kings, save
the eighth who was like a dog, and the ninth turns into a lion, and at his death the whole world mourns over him. And the names of these, Nasciens’ descendants, are: Celidoine, Marpus, Nasciens, Alains li Gros, Ysaies, Jonans, Lancelot, Bans, Lancelot, like unto a dog until his end, Galahad, foul at the source, but afterwards clear, in whom Christ shall bathe Himself wholly, and who shall end all the adventures. On the morrow it is explained to Nasciens that the eighth of his descendants likens a dog on account of his sins, and the ninth is foul at the beginning as engendered in fornication and not as Holy Church wills. (31) The story, after touching on Flegentyne, who retires to her own land, returns to Joseph, who, with his son, Josephes, and his companions, has been wandering about. Joseph is ordered by a voice from heaven to beget a son, whose name shall be Galaad. At length the company comes to the sea shore and laments that it has no ships; Joseph rebukes them, and says those may pass who have kept chaste, whereupon four hundred and sixty come forward to confess their lechery. Josephes is told to put forward the Grail-bearers, to take the shirt off his back, and having spread it on the water, all the pure companions shall find place on it. This happens, and all find place save Symeu and his son, who are not as they should be, and who sink and are well nigh drowned. The chosen company arrive on the morrow in Great Britain, then full of Saracens and infidels. Josephes then prays for the remainder of the company; a heavenly voice says they shall come in good time, and that this is the promised land in which they shall multiply and become the worthiest race anywhere. (32) Meantime Nasciens has been led in Solomon’s ship to those of Joseph’s followers who had been left behind, as the history of the Holy Grail testifies. After being warned against fresh falling into sin they are brought over to Joseph, and are fed with as much meat as they could want.
But the fifth day the company, not having eaten for a day, come to the tent of a poor woman, wherein are twelve loaves about which they dispute. Josephes, referred to, breaks each loaf in three, and having placed the Holy Grail at the head of the table by its power the bread suffices for more than five hundred people. (33) Hereafter the company comes to Castle Galafort, where Celidoine is