Information Trust Institute Urbana-Champaign, September Physical-Layer Security. Lecture 4: Beyond Physical-Layer Security

Transcription

1 Information Trust Institute Urbana-Champaign, September 007 Short Intensive Course Physical-Layer Security Theory and Practice Lecture 4: Beyond Physical-Layer Security João Barros Instituto de Telecomunicações Department of Computer Science Universidade do Porto 005, it - instituto de telecomunicações. Todos os direitos reservados. Course Outline Lecture 1 Information-Theoretic Security Lecture : Security Protocols at the Physical-Layer Lecture 3 Secure Network Coding Lecture 4: Beyond Secure Communication João Barros, Link Consulting SA 1

2 The Wiretap Channel [Wyner, 1975] Reliability & Security For Bob and Alice, Prob{W W b Y n } 0 For Eve, (1/n) I(W; Z n ) 0 as n sends w Alice X n p(y x) Y n p(z y) Eve Z n decodes w b Bob Y K Secrecy Capacity: Largest transmission rate at which both conditions can be satisfied. Positive secrecy capacity only in the degraded case. João Barros, Gaussian Wiretap Channel [Leung & Hellman, 1978] N M Alice X + Y Bob N W + Z Eve 1 P 1 P = CM CW = log 1 + log 1 + σ M σ W C S João Barros, Link Consulting SA

3 Secret Key Agreement through Public Discussion [Maurer, 93] Alice X n p(yz x) Y n Z n Bob Eve public authenticated feedback channel Secret Key agreement scheme Clever protocol allows Alice and Bob to increase their secrecy capacity by exchanging information over the feedback channel Eve must still have a high probability of error... and you require a public authenticated feedback channel. João Barros, TODAY Lecture 4 Beyond Secure Communication multi-user secrecy systems bit commitment oblivious transfer secure multi-party computation coding and jamming João Barros, Link Consulting SA 3

4 Other Problems beyond Secure Communication Communicating securely is not the only problem in cryptography. Problem: Suppose Alice and Bob are linked through a network and want to flip a coin. How can they ensure that the coin flip is fair? $ Network $ Solution: Alice and Bob send one bit each in separate envelopes. They open the envelopes simultaneously and take the XOR of the two bits. The protocol works if and only if Bob knows nothing about Alice s bit before he sends his envelope; Alice cannot change her bit once the envelope is sealed....and vice versa (for Bob s bit). João Barros, Bit Commitment b Commit Open b Alice puts a bit b in a strong box Alice gives this box to Bob. She cannot change b Later Alice can unveil b to Bob A commitment scheme is said to be secure if it is: Binding: the probability that Alice can successfully open two different commitments is negligible. Concealing: Bob gets at most negligible information on b before the opening phase. Correct: The probability that honest Alice fails to open a commitment is negligible. João Barros, Link Consulting SA 4

5 Bit Commitment over the erasure channel X n n Commit Phase: Alice selects a random codeword with parity equal to the value she wants to commit to and sends it to Bob through the erasure channel. Open Phase: p-erasure Channel n b = parity(x) Alice sends the codeword she has sent in the commit phase over a noiseless channel. Bob rejects if the codeword he receives differs in at least one position from the codeword he received through the noisy channel. Y n João Barros, Bit Commitment over the erasure channel X n Protocol Analysis: Bob learns the commitment with probability P = ( 1 p) Alice unveils a bit different than the one she committed to and is not detected with probability Problems: n p-erasure Channel P A = p n b = parity(x) Non-negligible error probability (binding condition) The channel is used n times to commit to a single bit. B n Y n João Barros, Link Consulting SA 5

6 Commitment Rate and Capacity If we commit to a string of length k, what is the maximum commitment rate k/n of a secure protocol we can achieve (i.e., capacity)? Binary string k b {0,1 } Bob learns b with probability Alice cheats successfully with probability Commitment rate k R = n C Commitment capacity com P n B 0 = max P X R P n A 0 João Barros, The Commitment Capacity of DMC s Define a redundant channel (a channel is called non-redundant if none of its output distributions is a convex combination of its other output distributions). Redundancy can be cut from a channel, by removing all input symbols which are convex combinations of others. If after removing the redundancy of a channel, its equivocation becomes zero, the channel is called trivial. The commitment capacity of a DMC equals its equivocation H(X Y) after its redundancy is removed. [Winter, Nascimento, Imai 03] João Barros, Link Consulting SA 6

7 How about the Gaussian Channel? Motivation: - more realistic channel model (e.g. wireless medium) - commitment capacity for continuous channels unknown - techniques differ from the discrete case Y = X + Z i i Z i N(0, σ ) i X i + Yi Average Power Constraint: Channel Capacity: C 1 n n i= 1 x i P 1 P log 1 + σ = Z i João Barros, Using the Gaussian Channel Fundamental Issues: Alice and Bob must agree on a coding/modulation scheme. nσ Alice may cheat by sending basically any number she wants into the Gaussian channel. n( P +σ ) João Barros, Link Consulting SA 7

8 Our Commitment Protocol [Barros, Imai, Nascimento, Skudlarek, 006] k S Alice Bob Gaussian Channel variance k n n Open n X Alice announces X n σ G Bob accepts, if X n and Y n are jointly typical n Y We define an equivalent Gaussian wiretap channel and use appropriate wiretap codes. Analysis uses the secrecy capacity in [Leung and Hellman 78] João Barros, Concealing We randomly associate multiple codewords to each message. As long as the number of codewords is high enough, we obtain a protocol where Bob does not learn anything. We associate as many codewords to each message as to completely fill the output signal space of Bob. k n João Barros, Link Consulting SA 8

9 Concealing σ C* σ σ C * Since it hides information from Eve, we have a concealing protocol Since the code has to fight the noise we get the minimal distance which that makes the protocol binding João Barros, Binding r b x1 r cr / x The received vector associated to an input vector of length n, for large n, is approximately uniformly distributed on the surface of a hypersphere of radius depending on the variance of the channel. If the codewords are separated by a distance which is c r, where r is the radius of the hypersphere and 0 < c <, then the scheme is binding. n/ n 1 n/ n 1 π r b ( / 1) π r P = ( / 1) A Γ n + Γ n + 1 c = 1 n 1 n,0< c< 0 João Barros, Link Consulting SA 9

10 Commitment rate The rate of this scheme equals the capacity of the main channel minus the capacity of the eavesdropper channel concatenated with the main channel. C com 1 P log 1 + σ C 1 P log 1 + σ G = * σ C Any positive * will give us a binding protocol, by making it arbitrarily small, we get that the maximum achievable rate can be made arbitrarily large The commitment capacity of the Gaussian channel is infinite. João Barros, Comments We analyzed the commitment capacity of the Gaussian channel and showed that, in theory, it can be infinite. However, infinite capacity is not achievable in practice Infinite precision is not possible Unfair channels Need for strong concealing (ongoing work) Generalizing privacy amplification for continuous case Is it possible to design practical schemes based on wiretap code constructions? João Barros, Link Consulting SA 10

11 João Barros, João Barros, Link Consulting SA 11

12 [Bloch, Barros and McLaughlin, 007] João Barros, João Barros, Link Consulting SA 1

13 [Bloch, Barros and McLaughlin, 007] João Barros, [Bloch, Barros and McLaughlin, 007] João Barros, Link Consulting SA 13

14 [Bloch, Barros and McLaughlin, 007] João Barros, [Bloch, Barros and McLaughlin, 007] João Barros, Link Consulting SA 14

15 [Bloch, Barros and McLaughlin, 007] João Barros, João Barros, Link Consulting SA 15

16 Comments Information-theoretic commitment can be achieved without wiretap codes; The connection with secret key agreement provides useful guidelines for developing practical schemes. Commitment over the Gaussian channel is simpler. Open issues: More specific code constructions are next. Efficient protocols in terms of total communication cost. How do implement other cryptographic primitives? João Barros, Millionaires problem Suppose millionaires want to determine which one is richer, without revealing the precise amount of their wealth. In the general secure multi-party computation problem, users u 1, u,..., u n possess data d 1, d,..., d n and want to compute the outcome of a public function F(d 1, d,..., d n ) without revealing d 1, d,..., d n. Commitment is just the first step! João Barros, Link Consulting SA 16

17 What can we do beyond secure communication? Cryptographic protocols based on noisy channels, Crépeau, 1997 Commitment Capacity of Discrete Memoryless Channels, Winter, Nascimento, Imai, 003 Oblivious Transfer using noisy channels, Crépeau. Morozov, Wolf, 004 Pseudo-signatures, Broadcast, and Multi-party Computation, M. Fitzi, S. Wolf, and J. Wullschleger, 004 Commitment Capacity of Gaussian Channels, Barros, Imai, Nascimento and Skudlarek 006 Practical Information-Theoretic Commitment Bloch, Barros and McLaughlin, 007 João Barros, Multi-User Secrecy João Barros, Link Consulting SA 17

18 Network Security What happens when we have multiple parties communicating over unreliable noisy networks with multiple potential eavesdroppers and jammers? Y 1 X 1 Network Y X 4 Interference Cooperation Feedback? X X 3 João Barros, General Broadcast Channel with Multiple Secrecy Conditions Alice Û U, U 1 1 Decoder 1 X Encoder p( y 1 y x) Y 1 Bob Y Û Decoder Eve [Csiszár and Koerner, 1978] considered one secrecy condition. [Liu et al., 006] provided inner bound for two secrecy conditions, and also for interference channels. João Barros, Link Consulting SA 18

19 Multiple Access Channel with confidential messages U 1 Alice Encoder 1 X 1 Y Decoder Bob p(u 1 ) p(u ) Allison U Encoder X p(yz x 1 x ) Z Decoder Eve Cooperative jamming over the Gaussian MAC [Tekin and Yener, 006] With channel outputs at the encoders + individual secrecy conditions [Liang and Poor, 006] João Barros, Relay Channel with confidential messages Discrete Memoryless Case [Oohama, 004] Cooperative jamming General region of achievable rate-equivocation rates is still unknown X Y 1 X 1 Y João Barros, Link Consulting SA 19

20 Secret Key Agreement over Networks [Csizár and Narayan, 006] R U U 3 3 R 03 R 1 R 1 R 3 R 30 R 34 0 U 0 U R 4 4 U 4 R 40 The network is described by a graph G=(V,E). All nodes share common randomness. Nodes communicate over public authenticated channel. Secret key agreement rates are intimately related to the Slepian Wolf rate region. João Barros, LNT/TUM 5//007 In a nutshell... João Barros, Link Consulting SA 0

21 #1 It is important to specify one s notion of security rigorously. k-bit message W Alice X X Bob k-bit decoded message W b key K X Eve key K Computational Security Security schemes are based on (unproven) assumptions of intractability of certain functions; Typically done at upper layers of the protocol stack Information-Theoretic (Perfect or unconditional) Security strictest notion of security, no computability assumption H(M X)=H(M) or I(X;M)=0 Implementable at the physical layer João Barros, # Secrecy capacity can be strictly positive. equivocation rate H(M) D Alice X n p(y x) Y n p(z x) Z n Bob Y K Transmission rate Eve C S C M Theoretical results from the seventies (Wyner, Csiszár and Koerner) find new applicability. Caveat: Eavesdropper must have a worse channel. João Barros, Link Consulting SA 1

22 #3 State-of-the art channel coding can be used to enhance security. k-bit message w Tag X Nwt + + Nm Y Reader w b Z Attacker João Barros, #4 For simple instances, we know how to construct wiretap codes. k-bit message w Alice X o 1 X Bob w b 1-e e e 1-e o? Z 1 Eve Main channel is noiseless; wire-tapper s channel is a BEC with erasure probability e Eve receives a subset of the transmitted bits (or packets) For this instance, we already have secrecy capacity achieving codes! João Barros, Link Consulting SA

23 #5 Secret key agreement is possible, even when eavesdropper has a better channel. Alice X n p(yz x) Y n Z n Bob Eve public authenticated feedback channel Secret Key agreement scheme [Maurer, 93] Clever protocol allows Alice and Bob to increase their secrecy capacity by exchanging information over the feedback channel João Barros, #6 To generate secret keys we can borrow ideas from quantum cryptography. Common Randomness: Alice and Bob share correlated random sequences. Reconciliation: Alice sends Bob enough side information for Bob to reconstruct Alice s sequence. Privacy Amplification: Alice and Bob use hash functions to maximize Eve s equivocation. João Barros, Link Consulting SA 3

24 #7 When it comes to security, fading is a friend and not a foe. Wireless Network with Potential Eavesdropping Goal: Exploit channel variability to secure information at the physical-layer using secrecy channel codes. João Barros, LNT/TUM 5//007 #8 Secrecy capacity of wireless channels can be characterized in terms of outage. The outage probability: ( R ) = Pr( C R ) P < out s s s - Alice chooses a target secrecy rate R s. - if R s <C s then she can communicate securely. - otherwise, informationtheoretic security is compromised. Normalized average outage secrecy capacity. Thicker lines: AWGN case; Thinner lines: Fading case. João Barros, LNT/TUM 5// Link Consulting SA 4

25 #9 Secret Key Agreement can be done opportunistically. Cs>0 share common randomness Cs=0 generate secret key Cs=0 communicate securely (e.g one-time pad) João Barros, LNT/TUM 5//007 #10 Secret key agreement over wireless channels can be implemented in practice. Alice X Bit mapping Generate Parities via MLC Q(X) Privacy Amplification K Q(X) Transmission > 0 C S Reconciliation C S Privacy amplification = 0 C S = 0 Final key Secure communication with key Bob Y Bit mapping Q(Y) MS decode Iterative decoder Q(X) Privacy Amplification K João Barros, LNT/TUM 5// Link Consulting SA 5

26 #11 Network Coding breaks with the current routing paradigm and offers new security challenges. a b a S b Intermediate nodes have different levels of confidentiality; T a b U Nodes T and U have partial information about the data; a W a+b b Node W has full access to the data; Node X cannot decode any useful data a free cypher? Y a+b X a+b Z Active attacks can easily compromise the information flow. a b a b João Barros, LNT/TUM 5//007 #1 Random Linear Network Coding offers a certain level of intrinsic security. a b c d S e f g h a+b+c+d+e+f+g 3a+b+c+d+5f a+b+c+d+4g a+b+c+3d+5h S 5a+b+5h 6b+c+4g b+7c+3a b+c+9e T U T U R R In the left scheme, nodes T and U have access to half of the sent data. In the right scheme, nodes T and U cannot decode any useful data. João Barros, LNT/TUM 5// Link Consulting SA 6

27 #13 It is possible to find lightweight cryptographic solutions using the properties of network coding. We introduce two types of coefficients: Locked Unlocked Intermediate nodes run the same operations as in the standard (non-secure) network coding protocol. Requirements: Key management mechanism for end-to-end encryption Attacker cannot access the information Reduced complexity in comparison with end-to-end encryption. João Barros, #13 Network coding inspires new ways of distributing secret keys. Problem: How can each pair of sensor nodes agree on a secret key? Our approach: Key pre-distribution scheme; Uses a mobile node to complete the key distribution process blindly using network coding; Reduced memory requirements; João Barros, LNT/TUM 5// Link Consulting SA 7

28 #13 Physical-layer techniques can be used to solve other cryptographic problems. Cryptography is not only concerned with communicating securely. Based on noisy channels and state-of-the-art error correction codes we can implement bit commitment and oblivious transfer, which are the building stones of secure multi-party computation. Authentication can be carried out over noisy channels possibly without initial shared secret. [Wolf and Maurer 98], [Korzhik et al, MMM-ACNS 07]. How about anonymity? How about non-repudiation? João Barros, Classical Cryptography under the Computational Model Advantages no publicly-known, efficient attacks on public-key systems security is provided on a blockto-block basis if cryptographic primitive is secure then every encoded block is secure systems are widely deployed, technology is readily available, inexpensive Disadvantages Security is based on unproven assumptions No precise metrics trade off between reliability and security as a function of the block length is unknown security of the cryptographic protocol is measured by whether it survives a set of attacks or not. Conventional model (error free channel) secrecy capacity of these systems is zero can t guarantee reliable and perfectly secure system João Barros, Link Consulting SA 8

29 Physical layer security under the information-theoretic (perfect) security model Advantages: No computational restrictions placed on eavesdropper Very precise statements can be made about the information that is leaked Quantum key distribution implemented Wireless solutions appear Suitably long codes get exponentially close to perfect secrecy Disadvantages: Information-theoretic security is an average-information measure. Requires assumptions about the communication channels that may not be accurate in practice. Limits its application A few systems (e.g QKD) are deployed but the technology is not as widely available and is expensive. #14 It is reasonable to consider combining classical cryptography with physical-layer security. João Barros, Acknowledgements Matthieu Bloch, Georgia Tech Steven W. McLaughlin, Georgia Tech Miguel Rodrigues, University of Porto Muriel Médard, MIT Anderson Nascimento, University of Brasilia Hideki Imai, University of Tokyo Stefan Skudlarek, Technische Universität München Luísa Lima, University of Porto João Paulo Vilela, University of Porto Paulo Oliveira, University of Porto Rui Costa, University of Porto João Barros, Link Consulting SA 9

30 ITW 008 PORTO IEEE Information Theory Workshop May 5-9, 008 Porto, Portugal General Co-chairs João Barros Steven W. McLaughlin Program Committee Co-chairs Emina Soljanin Andreas Winter The 008 IEEE Information Theory Workshop (ITW 008) will take place on May 5-9 in Porto, Portugal. The chosen venue is the magnificient Palacio da Bolsa, right by the River Douro, in the heart of the World Heritage Site of Porto. Invited sessions will take a brief look into the recent information theory past to commemorate the 60th anniversary of Shannon's landmark paper, and then proceed to explore opportunities for information theory research in quantum computation, biology, statistics, and computer science. A large majority of papers will be contributed, and are solicited in (but not limited to) the following areas: * Codingtheoryand practice * Communication theory * Compression * Cryptographyand datasecurity * Detectionand estimation * Informationtheoryand statistics * Information theory in networks Contributionsbyauthorsnewtothe informationtheorycommunityareparticularlyencouraged. Information regarding important deadlines, paper submission, technical and social programs, final manuscript format, workshop registration, andhotelaccommodationswillbe postedsoonon the websiteat João Barros, LNT/TUM 5//007 * Multi-terminal information theory * Pattern recognition and learning * Quantum information theory * Sequencesand complexity * Shannon theory * Signal processing * Source Coding 001 Link Consulting SA 30