Document Type



Doctor of Philosophy (PhD)


Computer Science

First Advisor's Name

Mark Finlayson

First Advisor's Committee Title

Committee Chair

Second Advisor's Name

Ning Xie

Second Advisor's Committee Title

Committee member

Third Advisor's Name

Naphtali Rishe

Third Advisor's Committee Title

Committee member

Fourth Advisor's Name

Catuscia Palamidessi

Fourth Advisor's Committee Title

Committee member

Fifth Advisor's Name

Kemal Akkaya

Fifth Advisor's Committee Title

Committee member


information flow, privacy, security metrics, information leakage

Date of Defense



Across our digital lives, two powerful forces of data utility and data privacy push and pull against each other. In response, technologies have been designed to help navigate this tension, by revealing, or leaking, information that could be useful to an adversary in exchange for some added utility. For many of these technologies, there is uncertainty about how harmful these leaks are. How much security and privacy are we sacrificing? Under what circumstances are these technologies safe to use?

To bring clarity to these compromises between security and utility, this dissertation applies the information-theoretic framework of quantitative information flow (QIF), which models systems as channels correlating secret inputs with observable outputs. The QIF framework can determine an optimal adversary's expected probability of success, and thereby isolate the effect that these technologies have on security and privacy.

In this work, we apply QIF to three applications: We first examine two forms of property-revealing encryption: equality- and order-revealing encryption. These techniques allow database management systems to respond to queries and sort much faster without direct access to sensitive values, but the leakage implications are still unclear. The third application is local differential privacy and the shuffle model. Differential privacy aims to protect the privacy of individuals participating in statistical databases but must balance utility and privacy. The shuffle model can improve this balance, but exactly how much security it is providing is uncertain.

Through novel combinatorics and exact calculations, we precisely quantify the leakage of these applications under different parameters and relevant adversaries. For each application, we provide clarity about how much information is leaked and under what circumstances an application could be safe to deploy.





Previously Published In

Chapter 2:

M. Jurado and G. Smith, “Quantifying information leakage of deterministic
encryption,” in Proceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW’19, (New York, NY, USA), p. 129–139, Association for Computing Machinery, 2019.

Chapter 3:

M. Jurado, C. Palamidessi, and G. Smith, “A formal information-theoretic
leakage analysis of order-revealing encryption,” in 2021 IEEE 34th Computer
Security Foundations Symposium (CSF), pp. 1–16, 2021.

Creative Commons License

Creative Commons Attribution 4.0 License
This work is licensed under a Creative Commons Attribution 4.0 License.

Available for download on Saturday, June 29, 2024



Rights Statement

Rights Statement

In Copyright. URI:
This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).