Information-Theoretic Security: Theory and Practice
João Barros
Instituto de Telecomunicações, Universidade do Porto, and EECS/MIT
Steven W. McLaughlin
School of Electrical and Computer Engineering, Georgia Institute of Technology
IEEE International Symposium on Information Theory, Toronto, Canada, July 2008

Today’s Layered Architecture
Standard Protocol Stack
- Application: Programs and applications
- Transport: End-to-end reliability, congestion control
- Network: Routing and forwarding
- Link: Medium access control
- Physical: Channel coding and modulation
Where is security?

Security: a patchwork of add-ons…
- Application: End-to-end cryptography
- Transport: Secure Sockets Layer (SSL)
- Network: Virtual private networks (IPSec)
- Link: Admission control (e.g. WPA)
- Physical: Physical-layer security?

Information-Theoretic Security – are we biased?
A typical graduate course in cryptography and security always starts by discussing Shannon's notion of perfect secrecy (widely accepted as the strictest notion of security): p(w|x) = p(w)
Then, it emphasizes its conceptual beauty.
Then, it states that it is basically “useless” for any practical application.
Computational Security
[Figure: Alice encrypts message W with key K into X; Bob decodes Wb from X using key K; Eve observes X.]

Main Questions in this Tutorial
- What are the fundamental security limits at the physical layer?
- Which notions of security are we talking about?
- Is information-theoretic security practical?
- What kind of code constructions can we use?
- How do we build protocols based on information-theoretic security?
- Can we combine physical-layer security with classical cryptography?
- How can we secure novel networking paradigms?
- How can we go beyond confidentiality at the physical layer?
- How can we increase our credibility in the security business?

Our program for today
Theoretical Foundations
- Fundamentals of Information-Theoretic Security
- Strong Secrecy versus Weak Secrecy
- Secrecy Capacity of Noisy Channels
Practical Techniques
- Combining Cryptography and Coding
- Secrecy Capacity Achieving Codes
- Secret Key Agreement at the Physical Layer
Advanced Topics and Applications
- Multi-user Secrecy and Network Coding Security
- Active Attacks on Coded Systems
- Beyond Secure Communications
10 Open Issues

What we will not do
- Provide an exhaustive review of related work
- Elaborate on the details of the proofs
- Cover all the topics in depth
- Address quantum information theory
- Say bad things about modern cryptography
Theoretical Foundations

Notions of Security
Computational Security
- Alice sends a k-bit message W to Bob using an encryption scheme;
- Security schemes are based on (unproven) assumptions of intractability of certain functions;
- Typically done at upper layers of the protocol stack
Information-Theoretic (Perfect or Unconditional) Security
- strictest notion of security, no computability assumption
- Prob{W | Eve’s knowledge} = Prob{W}
- H(W|X) = H(W) or I(X;W) = 0
- e.g. One-time pad
- [Shannon, 1949]: H(K) ≥ H(M)
[Figure: Alice encrypts the k-bit message W with key K into X; Bob decodes the k-bit message Wb from X using key K; Eve observes X.]

One-time Pad
If Eve does not know the key and P(Key = k-tuple) = 1/2^k, then we have p(w|x^k) = p(w).
[Figure: Alice combines the k-bit message W with the k-bit key to produce X^k; Bob recovers the k-bit decoded message Wb from X^k with the same k-bit key; Eve observes X^k.]

Shannon’s Model
This model is somewhat pessimistic, because most communications channels are actually noisy.
[Figure: Alice sends the k-bit message W, encrypted with key K, as X; Bob decodes the k-bit message Wb using key K; Eve observes the same X.]

Wyner’s Wiretap Channel (I) [Wyner, 1975]
[Figure: Alice sends W as X^n through p(y|x); Bob receives Y^n and decodes Wb; Eve receives Z^n, the output of p(z|y) applied to Y^n.]
Reliability & Security
- For Bob and Alice, Prob{W ≠ Wb | Y^n} → 0
- With respect to Eve, (1/n) I(W; Z^n) → 0
as n → ∞
Secrecy Capacity: Largest transmission rate at which both conditions can be satisfied.
Positive secrecy capacity only in the degraded case.

Wyner’s Wiretap Channel (II) [Wyner, 1975]
[Figure: Alice sends X^n; Bob receives Y^n through p(y|x); Eve receives Z^n through p(z|x).]
Proof Idea:
- Alice assigns multiple codewords to each message, picks one at random and thus exhausts Eve’s capacity.
- Converse uses Fano’s inequality and classical arguments.
Rate-equivocation region:
- Two critical corner points (C_M, D) and (C_S, H(W))
- Unusual shape (not convex)
[Figure: rate-equivocation region; horizontal axis: transmission rate (marks C_S, C_M); vertical axis: equivocation rate (marks D, H(W)).]
Because the transmission range is so short, NFC-enabled transactions are inherently
secure. Also, physical proximity of the device to the reader gives users the reassurance
of being in control of the process.

Broadcast Channel with Confidential Messages
[Figure: Alice sends X^n through p(yz|x); Bob receives Y^n; Eve receives Z^n.]
Secrecy capacity is strictly positive if Bob’s channel is less noisy than Eve’s, i.e. I(X;Y) > I(X;Z)
$$C_S = \max_{p(u,x):\; U \to X \to YZ} \big( I(U;Y) - I(U;Z) \big)$$
[Csiszár & Koerner, 1978]

Feedback (Public Discussion)
[Figure: Alice sends X^n through p(yz|x); Bob receives Y^n; Eve receives Z^n; a public authenticated feedback channel is available.]
Secret Key agreement scheme
- Clever protocol allows Alice and Bob to increase their secrecy capacity by exchanging information over the feedback channel
- This requires a public authenticated feedback channel!
[Maurer, 93]

Increasing the Secrecy Capacity via Feedback
Suppose Alice, Bob and Eve are connected via binary symmetric channels and a public authenticated feedback channel is available.

        Noisy Channel   Error-free public communication   Computation
Alice   X               V+X+E                             V+X+E+X = V+E
Bob     X+E             V+X+E                             V
Eve     X+D             V+X+E                             V+X+E+X+D = V+E+D

- Bob and Eve observe different noises (D, E).
- Bob feeds back random value V plus what he observed (X+E)
- Eve ends up with more noise than Bob (as in the wiretap channel)
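
The feedback trick in the table above, simulated bit by bit as an added example (not part of the original slides). The crossover probabilities eps (Bob's noise E) and delta (Eve's noise D) are constructed values with eps, delta ≤ 1/2, chosen so that Eve's original channel is better than Bob's; the function names are illustrative.

```python
import math
import random

def h2(p):
    """Binary entropy function in bits."""
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def rate_without_feedback(eps, delta):
    """Secrecy capacity of the BSC wiretap channel (Bob: BSC(eps), Eve: BSC(delta)).
    It is zero whenever Eve's channel is at least as good as Bob's."""
    return max(0.0, h2(delta) - h2(eps))

def rate_with_feedback(eps, delta):
    """Secrecy capacity of the equivalent degraded channel built by the feedback:
    Alice sees V+E (crossover eps), Eve sees V+E+D (crossover eps+delta-2*eps*delta)."""
    p_eve = eps + delta - 2 * eps * delta
    return h2(p_eve) - h2(eps)

def simulate(eps, delta, n=100_000, seed=7):
    """Run the exchange n times; return (Alice's, Eve's) error rate when estimating V."""
    rng = random.Random(seed)
    err_alice = err_eve = 0
    for _ in range(n):
        x = rng.getrandbits(1)            # Alice's random bit X
        e = int(rng.random() < eps)       # noise E on the Alice -> Bob channel
        d = int(rng.random() < delta)     # noise D on the Alice -> Eve channel
        v = rng.getrandbits(1)            # Bob's random value V
        y_bob = x ^ e                     # Bob observes X+E
        z_eve = x ^ d                     # Eve observes X+D
        public = v ^ y_bob                # Bob announces V+X+E on the public channel
        alice_guess = public ^ x          # V+X+E+X   = V+E
        eve_guess = public ^ z_eve        # V+X+E+X+D = V+E+D
        err_alice += alice_guess != v
        err_eve += eve_guess != v
    return err_alice / n, err_eve / n

if __name__ == "__main__":
    eps, delta = 0.20, 0.05               # constructed: Eve starts with the better channel
    print("error rates (Alice, Eve):", simulate(eps, delta))
    print("secrecy rate without feedback:", rate_without_feedback(eps, delta))
    print("secrecy rate with feedback:   ", round(rate_with_feedback(eps, delta), 4))
```

The public message is seen by everyone, which is why the scheme depends on that channel being authenticated rather than secret.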

Source Model
[Figure: a source p(x,y,z) delivers X^n to Alice, Y^n to Bob and Z^n to Eve; a public authenticated feedback channel is available.]
- Alice and Bob share common randomness.
- Eve gets to see a correlated random variable.
- Alice and Eve generate a secret key using the public authenticated channel.
[Ahlswede and Csiszár, 93]

Notions of Security
- Weak secrecy: $\frac{1}{n} H(U^n | X^n) \geq 1 - \varepsilon$
- Strong secrecy: $H(U^n | X^n) \geq n - \varepsilon$
[Maurer & Wolf, 2000]
The secrecy capacity of the discrete memoryless wiretap channel does not change with strong secrecy.
Proof requires fundamental tools of theoretical computer science (extractors)

Example of Weak Secrecy
[Figure: binary data U^n (n bits); a one-time pad K^n (n-k bits) is applied, giving X^n made of unprotected data (k bits) and protected data (n-k bits).]
This trivial scheme satisfies the weak secrecy condition while disclosing an unbounded number of bits:
$$\frac{1}{n} H(U^n | X^n) = \frac{1}{n}(n-k) = 1 - \frac{k}{n} \geq 1 - \varepsilon$$
Clearly, it does not satisfy the strong secrecy condition:
$$H(U^n | X^n) = n - k < n - \varepsilon$$

The Wireless Scenario
Wireless Network with Potential Eavesdropping
Can we exploit channel variability to help secure the communication?
[Barros, Rodrigues, ISIT06]

ITI September 2007
System Model
- $h_M(i) = h_M, \forall i$, and $h_W(i) = h_W, \forall i$ (quasi-static fading model)
- $h_M$ and $h_W$ independent and complex Gaussian distributed
- SNRs $\gamma_M \propto |h_M|^2$ and $\gamma_W \propto |h_W|^2$ exponentially distributed

Security Characterization
- General goal is maximization of transmission rate from Alice to Bob, R = (1/n) H(W^k) …
- … and minimization of Eve’s information rate about the message, (1/n) I(W^k; Y_W^n)
- Secrecy capacity is the maximum transmission rate R with (1/n) I(W^k; Y_W^n) < ε.
Cautionary Note [Maurer & Wolf, 2000]
- Stronger secrecy condition for Discrete Memoryless Channels
- Not only the rate but the total amount of information leaked to the eavesdropper decays exponentially fast with n.
- It is possible to prove strong secrecy results for wireless channels [Barros & Bloch, 2008]

Instantaneous Secrecy Capacity
The instantaneous secrecy capacity for quasi-static fading channels follows directly from the Gaussian case.
$$C_s = \begin{cases} \log(1+\gamma_M) - \log(1+\gamma_W), & \gamma_M > \gamma_W \\ 0, & \gamma_M \leq \gamma_W \end{cases}$$
Instantaneous signal-to-noise ratios: $\gamma_M = P|h_M|^2/\sigma_M^2$, $\gamma_W = P|h_W|^2/\sigma_W^2$

Secrecy Outage
The outage probability: $P_{out}(R_s) = \Pr\{C_s < R_s\}$
- Alice chooses a target secrecy rate Rs.
- if Rs<Cs then she can communicate securely.
- otherwise, information-theoretic security is compromised.

Outage Probability
After some maths…
$$P_{out}(R_s) = 1 - \frac{\bar\gamma_M}{\bar\gamma_M + 2^{R_s}\,\bar\gamma_W} \exp\left(-\frac{2^{R_s}-1}{\bar\gamma_M}\right)$$
($\bar\gamma_M$, $\bar\gamma_W$: average SNRs of the main and wiretap channels)
[Figure: outage probability for normalized target secrecy rate Rs=0.1; impact of distance.]
[Barros, Rodrigues, ISIT06]
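
An added example (not from the original slides) that checks the closed-form outage probability against a Monte Carlo simulation of the quasi-static fading model, using the instantaneous secrecy capacity with base-2 logarithms. The average SNRs and the target rate are constructed values, Rs is in bits per channel use rather than normalized, and the function names are illustrative.

```python
import math
import random

def instantaneous_secrecy_capacity(gamma_m, gamma_w):
    """C_s = log2(1+gamma_M) - log2(1+gamma_W) if gamma_M > gamma_W, else 0."""
    if gamma_m <= gamma_w:
        return 0.0
    return math.log2(1.0 + gamma_m) - math.log2(1.0 + gamma_w)

def outage_closed_form(rs, mean_m, mean_w):
    """P_out(R_s) for exponentially distributed SNRs with means mean_m, mean_w."""
    a = 2.0 ** rs
    return 1.0 - mean_m / (mean_m + a * mean_w) * math.exp(-(a - 1.0) / mean_m)

def outage_monte_carlo(rs, mean_m, mean_w, trials=200_000, seed=1):
    """Estimate Pr{C_s < R_s} by drawing independent fading realizations."""
    rng = random.Random(seed)
    outages = 0
    for _ in range(trials):
        gamma_m = rng.expovariate(1.0 / mean_m)   # main-channel SNR
        gamma_w = rng.expovariate(1.0 / mean_w)   # wiretap-channel SNR
        if instantaneous_secrecy_capacity(gamma_m, gamma_w) < rs:
            outages += 1
    return outages / trials

if __name__ == "__main__":
    rs = 0.1
    # Constructed scenario: Eve's average SNR (20 dB) is 10 dB better than Bob's (10 dB).
    mean_m, mean_w = 10.0, 100.0
    print("AWGN secrecy capacity at the average SNRs:",
          instantaneous_secrecy_capacity(mean_m, mean_w))
    print("closed-form P_out:", round(outage_closed_form(rs, mean_m, mean_w), 4))
    print("Monte Carlo P_out:", round(outage_monte_carlo(rs, mean_m, mean_w), 4))
```

In this setting the Gaussian channel with the same average SNRs has zero secrecy capacity, while under fading the outage probability stays below 1, so a fraction of the fading blocks still supports the target secrecy rate.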

Outage Secrecy Capacity
ε-outage secrecy capacity: $P_{out}(C_{out}(\varepsilon)) = \varepsilon$, i.e. $C_{out}(\varepsilon) = P_{out}^{-1}(\varepsilon)$
[Figures: normalized outage secrecy capacity for an outage probability Pout=0.10 and for an outage probability Pout=0.75. Thicker lines: AWGN case; Thinner lines: Fading case.]
[Barros, Rodrigues, ISIT06]
Average Secrecy Capacity
Normalized average outage secrecy capacity.
When it comes to information-theoretic security, fading is really a friend and not a foe.
Thicker lines: AWGN case; Thinner lines: Fading case.

Imperfect CSI
Assumptions
- Perfect CSI for the main channel
- Imperfect CSI for the wiretap channel
Proceed as if CSI was correct
Outage probability
In general, Alice underestimates the secrecy capacity
WWW hh ˆMM hh ˆ
)ˆ()ˆ( WWSS PCCP
2/21
1
2
1
2
1)ˆ(
WWP
[Bloch, Barros, Rodrigues, McLaughlin, ITW06]

Some recent work on (weak) secrecy capacity
- Secure space-time communications (Hero, 2003)
- Secrecy rates for the relay channel (Oohama, 2004)
- Secrecy capacity of SIMO channels (Parada and Blahut, 2005)
- Secure MIMO with artificial noise (Negi and Goel, 2005)
- Gaussian MAC and cooperative jamming (Tekin and Yener, 2005)
- Secrecy capacity of slow fading channels (Barros and Rodrigues, 2006)
- Multiple access channel with confidential messages (Liang and Poor, Liu et al., 2006)
- Secure broadcasting with multiuser diversity (Khisti, Tchamkerten, and Wornell, 2006)
- Ergodic secrecy capacity (Gopala, Lai and El Gamal, Liang, Poor and Shamai 2007)
- Strong secrecy for wireless channels (Barros and Bloch, 2008)
… and many more.

Strong secrecy for Gaussian and Wireless Channels
Strong secret key agreement from Gaussian random variables
- Lattice codes
- Quantization with side information
Strong secrecy capacity for wireless channels
- Uses tools of [Maurer and Wolf, 2000]
- Maps messages to secret keys
- Multiple copies of weakly secure wiretap codes
- Quantization and Slepian Wolf codes
- Extractor functions for privacy amplification
[Nitinawarat, Allerton 2007]
[Barros and Bloch, ICITS 2008]

Comments
- Information Theory provides you with tools to determine fundamental security limits in particular at the physical layer;
- There exist codes which can guarantee both reliability and information-theoretic security;
- Secure communication over wireless channels is possible even when the eavesdropper has a better channel (on average);
- When it comes to security, fading is a friend and not a foe.
Practical Techniques

Is physical-layer security practical?
Motivating examples
- secure error correcting codes and the channel coding converse
- tandem error correction and cryptography
- coset codes for an erasure wiretapper
Secret key agreement protocol for wireless channels

Secure Communication on two Gaussian channels
[Figure: the Tag sends a k-bit message w as X; the Reader receives Y over the channel with noise Nm and decodes wb; the Attacker receives Z over the channel with noise Nw.]
Practical scenarios
- RFID
- Zoned security
Wiretap error control code
- Specific error control code needed at Tag side
- Low complexity encoder - possibly complex decoder
Assume that the attacker has worse SNR

Secure Communication on two Gaussian channels
Assume that the attacker has worse SNR
Transmit at C_wiretapper < R < C_main
[Figure: Tag, Reader and Attacker on the two Gaussian channels, as on the previous slide.]

Some common sense – use an error control code
Very good error correcting code with simple encoder
Reader recovers bits with good BER
Assume that the attacker has worse SNR
[Figure: Tag, Reader and Attacker on the two Gaussian channels, as on the previous slides.]

Coding
Very good error correcting code with simple encoder
Eve recovers bits with worse BER
Assume that the attacker has worse SNR
[Figure: Tag, Reader and Attacker on the two Gaussian channels, as on the previous slides.]

Coding with an advanced code
[Figure: Tag, Reader and Attacker on the two Gaussian channels, as on the previous slides.]

Some secrecy rate tradeoffs
[Figure: Tag, Reader and Attacker on the two Gaussian channels, as on the previous slides.]

System view
How would we combine this with encryption?
[Figure: at the Tag, Encrypt (with Key) followed by FEC produces X; the Reader receives Y over channel C1 and applies FEC decoding, then Decrypt (with Key); the Attacker receives Z over channel C2 and applies FEC decoding, then Decrypt (with Key). Points A, B and C are marked in the chain.]

At the encryption level
After FEC decoding
Assume Attacker SNR is ~1.5 - 2.0 dB worse than Bob’s
(e.g. near field communications)
[Figure: Tag (Encrypt with Key) sends A; Reader (Decrypt with Key) receives A; Attacker (Decrypt with Key) receives C with BER~50%.]

At the encryption level
Assume all parties have a key
- Attacker has somehow figured out the key
- e.g. from a weak RFID security protocol
N/2 bits in error
Attacker does not know which ones
She needs to do a 2^N search
[Figure: Tag (Encrypt with Key) sends A; Reader (Decrypt with Key) receives A; Attacker (Decrypt with Key) receives C with BER~50%.]

At the encryption level
This time: Assume Attacker does not have a key
N/2 bits in error
Attacker needs to
- guess the N coded bits correctly
- guess the M key bits correctly
She needs to do a 2^(N+M) search
[Figure: Tag (Encrypt with Key) sends A; Reader (Decrypt with Key) receives A; Attacker (Decrypt with Key) receives C with BER~50%.]

Achieving the Secrecy Capacity with Error Control Coding

Achieving secrecy capacity for any DMCs using capacity achieving codes
[Figure: Alice sends the k-bit message w as X; Bob receives Y over C1 and decodes the k-bit message wb; Eve receives Z over C2.]
C1: Main channel; Pr{Y|X}
C2: Wire tapper’s channel; Pr{Z|X}
- Special case - C2 is worse than C1, (both DMCs)
- Use 2^k capacity-approaching codes: C1 , C2 , C3 , ...
- To send a message w, set X=random codeword of Cw
- If Cw achieves capacity on C2 for each w => Security condition is satisfied!
- If union of {C1 , C2 , C3 , ... } is reliable across C1, wb=w is possible => Reliability condition is satisfied!
[Thangaraj et al, 2004] have shown that such a selection of C1 , C2 , C3 , ... is possible.

Motivating example: BEC wiretapper channel
- Main channel is noiseless; wire-tapper’s channel is a BEC with erasure probability e
- Eve receives a subset of the transmitted bits (or packets)
- Secrecy capacity is e
[Figure: Alice sends the k-bit message w as X; Bob receives X and decodes wb; Eve receives Z through a BEC in which each bit (0 or 1) arrives unchanged with probability 1-e and is erased (?) with probability e.]
[Wyner and Ozarow, Wiretap Channel Type II]

Conventional Encoding & Decoding
Conventional encoding: Select the codeword in C with message w
[Figure: binary codewords of length n; Alice maps the k-bit message w to X; Bob receives X and computes wb = H X^T.]

Security Encoding & Decoding
Now for security - encode information in coset
[Figure: binary codewords + 1 translate (cosets); Alice maps the k-bit message w to X; Bob receives X and computes wb = H X^T.]

Security Encoding & Decoding
- (n,n-k) code C with parity-check matrix H
- Make C and H public
- C has 2^k cosets
- Encoding: Select the coset of C with message w, select codeword in coset at random
- Secrecy rate = k/n
[Figure: binary codewords + 3 translates (cosets); Alice maps the k-bit message w to X; Bob receives X and computes wb = H X^T.]

Security
[Figure: Alice maps the k-bit message w to X = x1 x2 ... xn; Bob receives X and computes wb = H X^T; Eve receives Z = x1 … xs e e e ... e through BEC(e) (e: erasure).]
If each coset of C has a vector of the form x1...xs??...?, Pr{m|Z}=Pr{m}

Security Property of Codes
$$G = \begin{bmatrix} g_{1,1} & \cdots & g_{1,s} & g_{1,s+1} & g_{1,s+2} & \cdots & g_{1,n} \\ g_{2,1} & \cdots & g_{2,s} & g_{2,s+1} & g_{2,s+2} & \cdots & g_{2,n} \\ \vdots & & \vdots & \vdots & \vdots & & \vdots \\ g_{n-k,1} & \cdots & g_{n-k,s} & g_{n-k,s+1} & g_{n-k,s+2} & \cdots & g_{n-k,n} \end{bmatrix}$$
Z = x1 ... xs ? ? ... ?
If the submatrix of G corresponding to revealed positions has full column rank, all cosets of C have a vector of the form x1...xs??...?
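
An added example (not from the original slides) of the coset encoding, syndrome decoding and full-column-rank security test from the preceding slides. It assumes a constructed toy code, the [7,4] Hamming code as C (n = 7, k = 3 message bits), and illustrative function names; the rank test is compared with a brute-force count of the vectors in each coset that agree with what Eve received.

```python
import itertools
import random

# Constructed toy code: C is the [7,4] Hamming code, so n = 7, n-k = 4, k = 3.
A = [[1, 1, 0, 1],
     [1, 0, 1, 1],
     [0, 1, 1, 1]]
K, NK = len(A), len(A[0])      # k message bits, n-k = dimension of C
N = K + NK
# Public matrices: parity-check H = [A | I_k] (k x n), generator G = [I_(n-k) | A^T].
H = [A[i] + [int(i == j) for j in range(K)] for i in range(K)]
G = [[int(i == j) for j in range(NK)] + [A[r][i] for r in range(K)]
     for i in range(NK)]

def syndrome(x):
    """Bob's decoder: wb = H x^T over GF(2)."""
    return tuple(sum(h * b for h, b in zip(row, x)) % 2 for row in H)

def encode(w, rng):
    """Alice's encoder: a uniformly random vector of the coset with syndrome w."""
    u = [rng.randrange(2) for _ in range(NK)]
    tail = [(w[i] + sum(a * b for a, b in zip(A[i], u))) % 2 for i in range(K)]
    return u + tail

def gf2_rank(vectors):
    """Rank over GF(2) of a list of 0/1 vectors (XOR-basis elimination)."""
    basis = []
    for vec in vectors:
        v = int("".join(map(str, vec)), 2)
        for b in basis:
            v = min(v, v ^ b)          # clears the leading bit of b if it is set in v
        if v:
            basis.append(v)
    return len(basis)

def revealed_columns_full_rank(revealed):
    """Security test from the slide: columns of G at the revealed positions."""
    cols = [[G[r][j] for r in range(NK)] for j in revealed]
    return gf2_rank(cols) == len(revealed)

def eve_view(x, revealed):
    """Output of the erasure channel: None marks an erased position."""
    return [b if i in revealed else None for i, b in enumerate(x)]

def syndrome_counts(z):
    """For each message (syndrome), count the vectors that agree with Eve's view z."""
    erased = [i for i, b in enumerate(z) if b is None]
    counts = {}
    for fill in itertools.product((0, 1), repeat=len(erased)):
        x = list(z)
        for i, b in zip(erased, fill):
            x[i] = b
        s = syndrome(x)
        counts[s] = counts.get(s, 0) + 1
    return counts

def posterior_is_uniform(z):
    """True when every one of the 2^k messages is equally consistent with z."""
    counts = syndrome_counts(z)
    return len(counts) == 2 ** K and len(set(counts.values())) == 1

def demo(revealed, w=(1, 0, 1), seed=3):
    """Return (Bob decodes w, rank test passes, Eve's posterior is uniform)."""
    x = encode(w, random.Random(seed))
    z = eve_view(x, set(revealed))
    return syndrome(x) == tuple(w), revealed_columns_full_rank(revealed), posterior_is_uniform(z)

def criterion_matches_brute_force(w=(0, 1, 1), seed=1):
    """Check the rank test against brute force for every possible revealed set."""
    x = encode(w, random.Random(seed))
    return all(
        revealed_columns_full_rank(list(r)) == posterior_is_uniform(eve_view(x, set(r)))
        for s in range(N + 1) for r in itertools.combinations(range(N), s))

if __name__ == "__main__":
    print(demo([0, 1, 2, 3]))   # four revealed bits, independent columns of G
    print(demo([0, 1, 3, 4]))   # four revealed bits forming the support of a row of H
    print(criterion_matches_brute_force())
```

The second revealed set has the same size as the first but covers the support of a row of H, so one message bit is fixed by what Eve sees; what matters is which positions are revealed, not only how many.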

LDPC Codes over a BEC
- Consider a (3,6)-regular LDPC matrix H; BEC threshold = 0.42
- Threshold Interpretation: columns of H corresponding to the erased positions have full column rank if the erasure probability is less than 0.42
[Figure: parity-check matrix H with entries h.]
Urbanke and Richardson, 2001

LDPC Matrix Connection
LDPC Codes over a Wire Tap Channel
- Let G = (3,6)-regular LDPC matrix
- The columns of G corresponding to the revealed positions have full column rank if 1-e < 0.42 or the erasure probability is greater than 0.58
Z = x1 ... xs ? ? ... ?

LDPC codes over a BEC-noiseless wire tap channel
[Figure: Alice maps the k-bit message w to X = x1 x2 ... xn; Bob receives X and computes wb = H X^T; Eve receives Z through BEC(e).]
X : randomly chosen from coset of C with syndrome m
- C : dual of an LDPC code with threshold e rate R; k=(1 – R)n; secrecy rate=1-R
- Security guaranteed whenever 1-e < or e > 1 –
- As e tends to 1 – R, we approach secrecy capacity
- Capacity achieving codes for the erasure channel provide perfect security on the erasure wiretap channel

Comments
Positive Aspects
- First practical codes to achieve perfect secrecy - encoder and decoder are public
- Connection between coding threshold and security
Negative Aspects
- Channels C1 and C2 must be known
- Coding scheme above works if C1 is less noisy than C2
Other cases: BEC-BEC wire tap channel, BSC-Noiseless
See: Thangaraj, Dihidar, Calderbank, McLaughlin, and Merolla, “Applications of LDPC Codes to the Wiretap Channel,” IEEE Trans IT Aug 2007
![Page 57: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/57.jpg)
57
BREAK
![Page 58: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/58.jpg)
58
Practical Secret Key Agreement
for Wireless Networks
![Page 59: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/59.jpg)
59
How do we make this practical?
To fully exploit the randomness of the channel for security purposes we need secrecy capacity-achieving channel codes.
Unfortunately, it seems very difficult to design near-to-optimal codes for the Gaussian wiretap channel...
BUT fortunately secret key agreement is a somewhat “easier” problem (learn from quantum key distribution)!
Alice and Bob only have to agree on a key based on common randomness and not to transmit a particular message.
![Page 60: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/60.jpg)
60
Secret Key Agreement
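[Figure: Alice, Bob and Eve with a k-bit message, channel input X and outputs Y and Z, noise terms Nm and Nwt, quantizers Q, and the example bit strings 10110, 10101, 11011.]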
Assume Eve has worse channel
![Page 61: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/61.jpg)
61
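Secret Key Agreement
Two steps:
1. Reconciliation
2. Privacy amplification
[Figure: Alice, Bob and Eve with a k-bit message, channel input X and outputs Y and Z, noise terms Nm and Nwt, quantizers Q, and the example bit strings 10110, 10101, 11011.]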
![Page 66: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/66.jpg)
66
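Secret Key Agreement
Two steps:
1. Reconciliation
2. Privacy amplification
[Figure: Alice, Bob and Eve with a k-bit message, channel input X and outputs Y and Z, noise terms Nm and Nwt, quantizers Q, and the example bit strings 10110, 10101, 11011; after the two steps the strings 011, 011 and XXX are shown.]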
![Page 67: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/67.jpg)
67
We can learn from Quantum Key Distribution
Transmission
• Alice codes n random symbols X with quantum states
• Bob measures received states to obtain correlated symbols Y
Analysis
• Evaluation of the information intercepted by Eve based on simple statistical measures (bit error rate, variance)
Reconciliation
• Correction of errors
• Minimum number of bits to transmit:
Privacy Amplification
• Choice of key size
• Random choice of compression function
Formula labels: secret information after transmission; information exchanged during reconciliation; security parameter
)|( YXHI rec
));()(( 0rIZXIXHnk rec
02),|( rkGZKkH
![Page 68: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/68.jpg)
68
• Goal: Exploit channel variability to secure information
With fading the instantaneous secrecy capacity can be strictly positive
How about wireless security? [Barros, Rodrigues, ISIT06]
![Page 69: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/69.jpg)
69
Opportunistic Secret Key Agreement
• Cs > 0: share common randomness
• Cs = 0: generate secret key
• Cs = 0: communicate securely (e.g. one-time pad)
[Bloch, Barros, Rodrigues, McLaughlin ’06]
![Page 70: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/70.jpg)
70
Opportunistic secret key agreement
![Page 71: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/71.jpg)
71
Reconciliation
• Correct discrepancies between A and B using reconciliation information.
• In practice small overhead ε (10%), thus you have to transmit (1 + ε)H(X|YM) bits per symbol.
• Assign binary labels to each of the transmitted symbols and use multilevel coding. The syndromes are used as reconciliation information.
• Very similar to source coding with side information.
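The two steps named on the slides above, reconciliation with syndromes and privacy amplification with a randomly chosen compression function, as an added example that is not from the original slides. Assumptions: a [7,4] Hamming code replaces the multilevel LDPC codes, the compression function is a random Toeplitz matrix, and the key-length rule, Eve's information estimate `eve_bits` and the security parameter `r0` are illustrative values.

```python
import random

# Parity-check matrix of the [7,4] Hamming code: column j (1-based) is j in binary.
HAMMING_H = [[(j >> b) & 1 for j in range(1, 8)] for b in range(3)]


def block_syndrome(block):
    """3-bit syndrome H * block^T over GF(2) of one 7-bit block."""
    return [sum(h & x for h, x in zip(row, block)) % 2 for row in HAMMING_H]


def reconciliation_info(x):
    """Alice's public message: one syndrome per 7-bit block of X."""
    return [block_syndrome(x[i:i + 7]) for i in range(0, len(x), 7)]


def reconcile(y, syndromes):
    """Bob decodes with Y as side information (at most one flip per block)."""
    fixed = list(y)
    for blk, s_a in enumerate(syndromes):
        s_b = block_syndrome(y[7 * blk:7 * blk + 7])
        d = [a ^ b for a, b in zip(s_a, s_b)]  # equals H * e^T for the error e
        pos = d[0] + 2 * d[1] + 4 * d[2]       # 1-based error position, 0 = none
        if pos:
            fixed[7 * blk + pos - 1] ^= 1
    return fixed


def toeplitz_hash(bits, k, seed):
    """Compress bits to k bits with the k x n Toeplitz matrix defined by seed."""
    n = len(bits)
    if len(seed) != n + k - 1:
        raise ValueError("seed must hold n + k - 1 bits")
    return [sum(seed[i - j + n - 1] & bits[j] for j in range(n)) % 2
            for i in range(k)]


def key_length(n, disclosed, eve_bits, r0):
    """Assumed rule: raw bits minus public syndromes, Eve's estimate and r0."""
    return max(0, n - disclosed - eve_bits - r0)


def run_key_agreement(seed=2008, eve_bits=6, r0=4):
    rng = random.Random(seed)                  # constructed sample data
    x = [rng.randrange(2) for _ in range(28)]  # Alice's raw bits
    y = list(x)                                # Bob's correlated bits
    for blk in (0, 2):                         # one disagreement in two blocks
        y[7 * blk + rng.randrange(7)] ^= 1
    syndromes = reconciliation_info(x)         # sent over the public channel
    y_fixed = reconcile(y, syndromes)
    k = key_length(len(x), 3 * len(syndromes), eve_bits, r0)
    hash_seed = [rng.randrange(2) for _ in range(len(x) + k - 1)]  # public too
    key_a = toeplitz_hash(x, k, hash_seed)
    key_b = toeplitz_hash(y_fixed, k, hash_seed)
    return x, y, y_fixed, key_a, key_b


if __name__ == "__main__":
    x, y, y_fixed, key_a, key_b = run_key_agreement()
    print("disagreements before:", sum(a != b for a, b in zip(x, y)))
    print("disagreements after: ", sum(a != b for a, b in zip(x, y_fixed)))
    print("key (Alice):", key_a, "key (Bob):", key_b)
```

The toy code corrects only one disagreement per 7-bit block; two flips in the same block leave Alice and Bob with different strings, which is why the slides rely on long LDPC codes.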
![Page 72: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/72.jpg)
72
Two Modes of Operation
Perfect Information-theoretic Security: Generate a secret key and use it as a one-time pad (perfect security at very low rates)
Combined physical layer and cryptography: Generate a secret key and use a symmetric cipher such as AES (very high rates are possible)
Example: with a fraction of time dedicated to secret key generation as small as 1%, we can renew a 256-bit encryption key every 25 kbits; i.e., with SNR(M) = 10 dB and SNR(W) = 20 dB, at an average rate of 2 Mbps, this would renew a key every 16 milliseconds.
![Page 73: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/73.jpg)
73
Average secure communication rate
Case of perfect CSI - communication with one-time pad
Protocol optimal
![Page 74: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/74.jpg)
74
Practical Considerations
It is possible to exploit the noise of fading channels to generate secret keys, even with imperfect CSI:
• Reconciliation efficiency ~90% over wide range of SNRs
• Some latency and complexity (long block length of LDPC code)
• Combine physical layer and standard cryptography
Ex: AES with high key regeneration rate
We require a small shared key for authentication.
M. Bloch, J. Barros, M. R. D. Rodrigues and S. W. McLaughlin, Wireless Information-Theoretic Security, IEEE Transactions on Information Theory, June 2008.
![Page 75: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/75.jpg)
75
Advanced Topics and Applications
![Page 76: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/76.jpg)
76
Network Security
• Interference
• Cooperation
• Feedback
[Figure: network with inputs X1, X2, X3, X4 and outputs Y1, Y2]
What happens when we have multiple parties communicating over unreliable noisy networks with multiple eavesdroppers and jammers?
![Page 77: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/77.jpg)
77
M users communicate messages F and agree on secret key K
common secret key
secrecy against eavesdropper
uniformity
secret key (SK) capacity is the largest entropy rate of K
Multi-user Secrecy Generation
1)...( 21 MKKKKP
0);( FKI
||log)( spacekeyKH
![Page 78: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/78.jpg)
78
Example with three users and two-bit sequences
Bob
Alice
Charlie
1211BB
2221BB
3231BB
Bob and Charlie observe sequences of Bernoulli (1/2) symbols. Alice observes the symbolwise XOR of their sequences.
Optimal Secret Key Agreement
Alice sends
Bob sends
Charlie sends
All are able to recover
11B
22B
3231 BB
31B
0);,,( 3132312211 BBBBBI
2
1)(
2
131 BH
Eavesdropper is in the dark: SK rate:
[Csiszár and Narayan, 2006]
![Page 79: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/79.jpg)
79
Encoding Correlated Sources
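[Figure: Source 1 and Source 2, with joint distribution p(u1,u2), emit U1 and U2; Encoder 1 and Encoder 2 send at rates R1 and R2 to a decoder that delivers Û1 and Û2 to the sink. A rate-region plot with axes R1 and R2 marks H(U1|U2), H(U1), H(U2|U1), H(U2) and H(U1U2).]
Slepian-Wolf, 1973:
R1 > H(U1|U2)
R2 > H(U2|U1)
R1 + R2 > H(U1U2)
Shannon, 1948 (single encoder): H(U1U2)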
![Page 80: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/80.jpg)
80
Many correlated sources
1
2
0
U1
U2
R10
R20
MUM
RM0
))(|)((0c
Sii SUSUHR
for all sets
Perfect reconstruction is
possible if and only if
0
,0
},,....,2,1{
S
SS
MSc
![Page 81: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/81.jpg)
81
Secret Key Capacity for Two Terminals
[Maurer ’93, Ahlswede and Csiszár ’93]
[Figure: Alice and Bob with sources U1 and U2 and communication rates R1 and R2]
R1 > H(U1|U2)
R2 > H(U2|U1)
C_SK = H(U1, U2) − [H(U1|U2) + H(U2|U1)] = I(U1; U2)
non-interactive communication
![Page 82: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/82.jpg)
82
Secret Key Capacity for Multiple Terminals
[Csiszár and Narayan, 2006]
C_SK = H(U1, U2, ..., UM) − Rmin
Rmin is the minimum sum rate required for all terminals to be able to reconstruct all sources with arbitrarily small probability of error.
[Figure: network of terminals observing U1, U2, U3, U4, U5, U6]
Notice that in this case the eavesdropper observes only the communication between the nodes and not one of the correlated sources.
![Page 83: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/83.jpg)
83
Extensions and Variations
• Secret key agreement with helpers [Csiszár, Narayan, 2005]
• Multiple group keys with secrecy with respect to a prescribed subset of users [Ye, Narayan, 2005]
• Satellite Channel Model [Csiszár, Narayan, 2005]
• Secret key capacity when eavesdropper observes a correlated source of randomness remains unsolved.
![Page 84: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/84.jpg)
84
Active Attacker
Adversary has access to the communications channel used by the legitimate parties and can do the following:
Send / Receive; Read; Replay; Forge; Block; Modify; Insert;
![Page 85: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/85.jpg)
85
Secret Key Agreement with Public Discussion
[Figure: Alice sends X^n over the channel p(yz|x); Bob receives Y^n and Eve receives Z^n; label: public unauthenticated channel.]
Alice and Bob want to increase their secrecy capacity by exchanging information over the feedback channel and generate a secret key.
But what if Eve is allowed to read and write on the public channel?
• Adversary with infinite computing power;
• Adversary with complete control over public channel.
[Maurer, 93] [Maurer, Wolf, 03]
![Page 86: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/86.jpg)
86
Source Model
[Figure: Alice, Bob and Eve observe X^n, Y^n and Z^n, distributed according to p(x,y,z); Alice outputs SA and Bob outputs SB; label: public authenticated channel.]
Alice and Bob see X^n and Y^n and exchange messages C := (C1, C2, C3, ..., Ct)
Outcome of the key generation process: H(SA|CX) = 0 or H(SB|CY) = 0
Alice sends (C1, C3, ..., C2k+1, ...), Bob sends (C2, C4, ..., C2k, ...)
Eve gets to see a correlated random variable Z^n and can read and write on the public channel.
![Page 87: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/87.jpg)
87
Impossibility Results
Simulatability Condition
To generate a key, Alice and Bob must have advantage over Eve in terms of the distribution PXYZ;
Eve must not be able to generate from Z a random variable X’ which Bob, knowing Y, is unable to distinguish from X (and vice versa).
Secret Key Capacity with Active Adversary
Either a secret key can be generated at the same rate as in the (well-studied) passive-adversary case, or such secret key agreement is completely impossible;
if Eve can use Z to simulate X or to simulate Y the secret key capacity is zero.
![Page 88: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/88.jpg)
88
Information-theoretically Secure Message Authentication
We assume opponent has unlimited computing power and knows everything about the system – except for a secret key.
Can we provide bounds on an opponent's cheating probability for a given tolerable probability of rejecting a valid message?
Hypothesis testing problem: decide whether a received message is authentic or not:
• Either the message was generated by the legitimate sender knowing the secret key;
• Or by an opponent without a priori knowledge of secret key.
[Maurer, 2000]
![Page 89: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/89.jpg)
89
Problem Setup
Sender and receiver share a secret key K
Sender: sequence of plaintext messages X1, X2, ..., Xn
Each Xi is authenticated by sending an encoded message Yi which depends on K, Xi and possibly also on the previous plaintext messages X1, ..., X(i−1) and encoded messages Y1, ..., Y(i−1)
Receiver:
• based on Yi, Z, and possibly also on X1, ..., X(i−1) and Y1, ..., Y(i−1), decides to either reject the message or accept it as authentic
• in case of acceptance: decodes Yi to a message X̂i
![Page 90: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/90.jpg)
90
Possible Attacks
The opponent with read and write access to the communication channel can use either of two different strategies for cheating:
• Impersonation attack at time i: the opponent waits until he has seen the encoded messages Y1, ..., Y(i−1) and then sends a fraudulent message Yi which he hopes to be accepted by the receiver as the ith message
• Substitution attack at time i: the opponent lets pass messages Y1, ..., Y(i−1), intercepts Yi, and replaces it by a different message Yi which he hopes to be accepted by the receiver
![Page 91: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/91.jpg)
91
Results
When a sequence of messages X1, ..., Xn is to be authenticated, an opponent can choose the type of attack with the highest success probability;
A secret key K is used optimally when the maximum of the success probability is minimal;
When it is required that a legitimate message is always accepted (α = 0) in all of these possible attacks,
max(P_I,1, ..., P_I,n, P_S,n) ≥ 2^(−H(K)/(n+1))
![Page 92: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/92.jpg)
92
PHY-Based Authentication
Spoofing detection
• Verify if a transmission came from a particular transmitter
• Location information can be extracted to authenticate a transmitter relative to its previous location.
Alice sends probe pulse u(t); Bob:
1. Estimates channel h = hAB (t,)
2. Compares against h’ = hAB (t-1,)
3. Accepts transmission if h = h’
Eve tries to spoof Alice with probe pulse u(t); Bob:
1. Estimates channel hEB (t,)
2. Verification fails!!!
3. Does not accept Eve as Alice!
[Trappe et al, 2007]
![Page 93: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/93.jpg)
93
Spread Spectrum Communications and Jamming
• Direct Sequence / Frequency Hopping use pseudo-random sequences to spread the narrowband signal over a wide band of frequencies;
• Effective against narrow-band jamming; lowers probability of intercept; can provide privacy if spreading sequence is kept secret;
• Used in Code Division Multiple Access (CDMA) systems.
1
1 0 1 1 0 1 0 0 1 1 1 0 1 0 1 1 0 0 1 0 1 0 1 1 0 1 0 1 0
0
0 1 0 0 1 0 1 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 1 1 0 1 0 1 0
![Page 94: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/94.jpg)
94
Capacity of Channels with Correlated Jamming
[Figure: Alice sends X; Bob receives Y and Eve receives Z, with additive noise terms NM and NW.]
Repeat-back jamming in wireless networks (e.g. amplification, modification, retransmission of intercepted signals, inducing errors in radars and receivers).
Jammer can cause a lot of harm even with access to only a noisy version of the sent signal, with phase or timing jitter and with limited processing capabilities.
Not detectable via the received power at Bob.
[Médard, 1997]
Extended to Multiple Access Channels by [Shafiee and Ulukus, 2005]
![Page 95: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/95.jpg)
95
Cooperative Jamming in the Gaussian Multiple Access Channel
[Tekin and Yener, 2006]
[Figure: Alice (Encoder 1) maps U1 to X1 and Charlie (Encoder 2) maps U2 to X2; the channel p(yz|x1 x2) delivers Y to Bob's decoder and Z to Eve's decoder.]
Secrecy conditions can be individual or collective yielding different results for each case.
Alice and Charlie can cooperate to increase Eve’s uncertainty about the sent messages.
![Page 96: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/96.jpg)
96
General Broadcast Channel with Multiple Secrecy Conditions
[Csiszár and Koerner, 1978] considered one secrecy condition.
[Liu et al. , 2006] provided inner bound for two secrecy conditions, and also for interference channels.
[Figure: Alice's encoder maps U1, U2 to X; the channel p(y1 y2|x) delivers Y1 to Decoder 1 and Y2 to Decoder 2, which output Û1 and Û2; labels: Bob, Eve.]
![Page 97: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/97.jpg)
97
Multiple Access Channel with confidential messages
Cooperative jamming over the Gaussian MAC [Tekin and Yener, 2006]
With channel outputs at the encoders + individual secrecy conditions [Liang and Poor, 2006]
[Figure: Alice (Encoder 1) and Charlie (Encoder 2) with inputs X1 and X2; channel p(y1 y2 yz|x1 x2); Bob's decoder observes Y and Eve's decoder observes Z; further labels: U0, U1, U2, p(u1) p(u2), Y1, Y2.]
![Page 98: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/98.jpg)
98
Relay Channel with confidential messages
Discrete Memoryless Case [Oohama, 2004]
Randomization helps to increase the rate-equivocation region.
[Figure: Alice sends X^n over the channel p(yz|xs); Bob receives Y^n; Eve is shown with Z^n and S^n.]
![Page 99: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/99.jpg)
99
Exploiting MIMO
Alice can leverage multiple antennas by transmitting artificial noise into the null space of Bob
This approach can be used effectively, even when position of Eve is unknown.
Alice
Bob
Eve
[Goel and Negi, 2005]
![Page 100: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/100.jpg)
100
Jamming to increase the secrecy capacity
[Figure: Alice sends X; Bob receives Y and Eve receives Z, with additive noise terms NM and NW.]
WMWMS
PPCCC
2222 1log2
11log
2
1
Can we increase the noise in Eve’s channel without affecting Bob?
![Page 101: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/101.jpg)
101
Increasing the Secrecy Capacity with Jammers
![Page 102: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/102.jpg)
102
Jammer Impact on Outage Secrecy Capacity in Fading Environment
![Page 103: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/103.jpg)
103
Multiple Jammers in Fading Environment
![Page 104: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/104.jpg)
104
Store-and-Forward versus Network Coding
In today’s networks, information is viewed as a commodity, which is transmitted in packets and forwarded from router to router pretty much as water in pipes or cars in highways.
In contrast, network coding allows intermediate nodes to mix different information flows by combining different input packets into one or more output packets.
[Ahlswede, Cai, Li and Yeung, 2000]
![Page 105: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/105.jpg)
105
A simple three-node example
AB
C
a a
b b
In the current networking paradigm we require 4 transmissions.
![Page 106: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/106.jpg)
106
Network Coding
AB
C
a b
With network coding we require only 3 transmissions.
a+b
![Page 107: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/107.jpg)
107
Algebraic Framework for Network Coding
Binary vector of length m: element in
Random processes at nodes
Transfer matrix
Generalized MIN-CUT MAX-FLOW Condition
F2m
Y (e3) iX(v,i) jY (e j )j1,2
i
z xM
M A(I F) 1BT
M 0
[Koetter and Médard, 2003]
![Page 108: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/108.jpg)
108
Packetized Network Coding
Assume each packet carries L bits
s consecutive bits can be viewed as a symbol in
Fq
Ls
Perform network coding on a symbol by symbol basis.
Output packet also has length L.
Send the coefficients (the “encoding vector”) in the header.
Information is spread over multiple packets.
enc. vector
![Page 109: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/109.jpg)
109
Practical Considerations
• Encoding: Elementary linear operations which can be implemented in a straightforward manner (with shifts and additions).
• Decoding: Once a receiver has enough linearly independent packets, it can decode the data using Gaussian elimination, which requires operations.
• Generations: To manage the complexity and memory requirements, we mix only generations with fixed number of packets and limit the field size. Each keeps a buffer sorted by generation number. Non-innovative packets are discarded.
• Delay: Since we must wait until we have enough packets to decode, there is some delay (not very significant, since we require fewer transmissions in many relevant scenarios)
![Page 110: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/110.jpg)
110
Benefits beyond throughput
• Reliability: Network Coding can achieve optimal delay and rate in the presence of erasures and errors.
• Simpler Optimization: The multicast routing problem is NP-hard (packing Steiner trees), however with network coding there exist polynomial time algorithms.
• Robustness: Random network coding is completely decentralized and preserves the information in the network, even in highly volatile networking scenarios.
![Page 111: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/111.jpg)
111
Applications of Network Coding
• Distributed Storage and Peer-to-Peer: robustness against failures in highly volatile networks;
• Wireless Networks: Information dissemination using opportunistic transmission;
• Sensor Networks: Data gathering with extremely unreliable sensing devices;
• Network Management: Assessing critical network parameters (e.g. topology changes and link quality)
First real-life application in July 2007: Microsoft Secure Content Downloader (a.k.a. Avalanche)
![Page 112: Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT Information-Theoretic Security IEEE International Symposium](https://reader036.vdocuments.net/reader036/viewer/2022062519/5697c0121a28abf838ccbfb3/html5/thumbnails/112.jpg)
112
Classes of Network Coding Protocols
We distinguish between two types of protocols:
stateless network coding protocols, which do not rely on network state information (e.g. topology or link costs) to decide when to mix different packets (e.g. Random Linear Network Coding);
state-aware network coding protocols, which rely on partial or full network state information to compute a network code or determine opportunities to perform network coding in a dynamic fashion (e.g. COPE).
Network Coding Security Taxonomy
Network Coding Protocols (by state information):
- Stateless: RLNC [Ho et al, ’04]; some intrinsic security (no state information); prone to Byzantine attacks
- State-aware: COPE [Katti et al, ’06], Polynomial time [Jaggi et al, ’05]; network state information; prone to Byzantine attacks
Security Infrastructure:
- Network codes: extra redundancy; hash symbols included in packets
- Cooperative: cooperative security schemes; homomorphic hash functions
- Key Management: signatures; key distribution; confidentiality
Schemes: Detection Byzantine [Ho et al, ’04]; Resilient codes [Jaggi et al, ’06] [Koetter, Kschischang, ’07]; Cooperative Security [Gkantsidis, Rodriguez, ’06]; Signatures Content Dist. [Zhao et al, ’07]; Secret Key Dist. [Oliveira, Barros, ’07]; SPOC [Vilela, Lima, Barros, ’08]
Network Coding: A Free Cipher?
Nodes are assumed to be “nice but curious” (comply with protocol but could be malicious eavesdroppers)
Intermediate nodes have different levels of confidentiality;
Nodes T and U have partial information about the data;
Node W has full access to the data;
Node X cannot decode any useful data – a free cypher!
[Figure: network with nodes S, T, U, W, X, Y and Z; links labelled a, b and a+b]
Previous work considered wiretapping attacks on multiple links, e.g. [Cai and Yeung, ’02], [Feldman et al, ’04], [Bhattad et al, ’05]
[Lima, Médard and Barros, ISIT’07]
Secure Network Coding
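[Figure: source S and nodes T and U, drawn twice, with labels R R. Uncoded case: symbols a b c d and e f g h. Coded case: the combinations a+b+c+d+e+f+g, 3a+b+c+d+5f, a+2b+c+d+4g, a+b+c+3d+5h and 5a+b+5h, 6b+c+4g, b+7c+3a, b+c+9e]
Nodes T and U have access to half of the sent data.
Nodes T and U need to decode to obtain partial data.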
Algebraic Security Criterion
Definition (Algebraic Security Criterion): The level of security provided by random linear network coding is measured by the number of symbols that an intermediate node v has to guess in order to decode one of the transmitted symbols.
In other words, we compute the difference between the global rank of the code and the local rank in each intermediate node.
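The criterion can be checked mechanically. The following is an added example, not code from the talk or the cited papers: it runs Gaussian elimination over a prime field on what each node observes in the network of the “Free Cipher” slide and on the two sets of coded combinations from the “Secure Network Coding” slide. The field sizes (GF(2) and GF(11)), the dictionary names and the assignment of the two sets to separate nodes are assumptions made for the illustration.

```python
"""Rank gap and decodable symbols per node (added illustration)."""


def rref_mod_p(rows, p):
    """Gaussian elimination over GF(p), p prime. Returns (reduced rows, pivot columns)."""
    m = [[x % p for x in row] for row in rows]
    pivots, r = [], 0
    for c in range(len(m[0])):
        hit = next((i for i in range(r, len(m)) if m[i][c]), None)
        if hit is None:
            continue
        m[r], m[hit] = m[hit], m[r]
        inv = pow(m[r][c], p - 2, p)          # inverse via Fermat's little theorem
        m[r] = [(x * inv) % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(x - f * y) % p for x, y in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
        if r == len(m):
            break
    return m[:r], pivots


def node_view(rows, p, global_rank):
    """What a node holding the coefficient vectors `rows` can do.

    rank_gap  : global rank minus local rank (the criterion on the slide)
    decodable : indices of source symbols recovered outright; a symbol is
                recoverable exactly when a reduced row is a unit vector
    """
    reduced, pivots = rref_mod_p(rows, p)
    decodable = [c for row, c in zip(reduced, pivots)
                 if sum(1 for x in row if x) == 1]
    return {"local_rank": len(pivots),
            "rank_gap": global_rank - len(pivots),
            "decodable": decodable}


# Observations in the network of the "Free Cipher" slide, symbols (a, b), GF(2).
BUTTERFLY = {"T": [[1, 0]], "U": [[0, 1]], "W": [[1, 0], [0, 1]], "X": [[1, 1]]}

SYMBOLS = "abcdefgh"


def combo(**coeffs):
    """Coefficient vector over symbols a..h, e.g. combo(a=3, b=1, f=5)."""
    return [coeffs.get(s, 0) for s in SYMBOLS]


# The two sets of combinations on the "Secure Network Coding" slide.
# GF(11) is an assumed field: the slide does not name one.
CODED = {
    "first set": [combo(a=1, b=1, c=1, d=1, e=1, f=1, g=1),
                  combo(a=3, b=1, c=1, d=1, f=5),
                  combo(a=1, b=2, c=1, d=1, g=4),
                  combo(a=1, b=1, c=1, d=3, h=5)],
    "second set": [combo(a=5, b=1, h=5), combo(b=6, c=1, g=4),
                   combo(a=3, b=1, c=7), combo(b=1, c=1, e=9)],
}


def report():
    out = {n: node_view(rows, 2, 2) for n, rows in BUTTERFLY.items()}
    out.update({n: node_view(rows, 11, 8) for n, rows in CODED.items()})
    return out


if __name__ == "__main__":
    for name, view in report().items():
        print(name, view)
```

Nodes T and X have the same rank gap, but only T recovers a source symbol outright; the quantity l_d in Theorem 1 counts the latter.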
Results
Theorem 1: The probability P(l_d > 0) of recovering a strictly positive number of symbols l_d at the intermediate nodes (by Gaussian elimination) goes to zero for sufficiently large number of nodes and alphabet size.
Proof Idea:
An intermediate node can gain access to relevant information
1) when the partial transfer matrix has full rank
2) when the partial transfer matrix has diagonalizable parts.
Carry out independent analyses in terms of rank and in terms of partially diagonalizable matrices.
Show that the probability of having partially diagonalizable matrices goes to zero for sufficiently large number of nodes and alphabet size.
SPOC - Secure Practical netwOrk Coding
Assured confidentiality against attacker with access to all the links.
Two types of coefficients:
Locked
Unlocked
Same operations
Requirements:
Key management mechanism
SPOC - Secure Practical netwOrk Coding - Results
Number of AES encryption operations according to the payload size, for SPOC (encryption of locked coefficients) versus traditional encryption mechanism (encryption of the whole payload).
SPOC - Secure Practical netwOrk Coding - Results
Packet size overhead of including the locked coefficients, per packet.
Mutual Information between Payload and Coding Coefficients
[Lima, Vilela, Barros, Médard, 2008]
Detection of Byzantine Modification
Hash symbols, calculated as simple polynomial functions of the source data, are included in each source packet.
Receiver nodes check if decoded packets are consistent, i.e. have matching data and hash values.
Additional computation is minimal as no other cryptographic functions are involved.
Detection probability can be traded off against communication overhead, field size (complexity) of the network code and the time taken to detect an attack.
[Ho et al, ISIT 2004]
[Figure: packet layout with fields labelled “enc. vector” and “hash”]
Cooperative security for network coding
Cooperation to achieve on-the-fly detection of malicious packets.
Homomorphic hash functions: a hash of an encoded packet is easily derived from the hashes of the previously encoded packets.
However, these hash functions are computationally expensive.
To increase efficiency every node performs block checks with a certain probability and alerts its neighbors upon detection.
In addition, there exist techniques to prevent Denial of Service (DoS) attacks aimed at the dissemination of alarms.
[Gkantsidis, Rodriguez, Infocom 2006]
Resilient Network Codes
Use the error correction capabilities of linear network coding.
An active attacker can be viewed as a second source of data.
Add enough redundancy to allow the destination to distinguish between valid and erroneous packets.
Some information may have to be protected by a shared secret key.
[Jaggi et al., Infocom 2006]
[Koetter and Kschischang, 2007]
Sensor Networks
Task: Collect and transmit data through secure links
Constraints: Energy; Limited Data Rate; Processing Power; Memory
Data confidentiality, Secret Key Distribution
How can each pair of neighboring nodes share a secret key?
Key Pre-distribution
Goal: Store keys into the memory of the sensor nodes for them to share a secret with their neighbors after the deployment.
Challenges: Minimize the impact of compromised nodes; Efficient use of the resources; Scalability in dynamic environments; Avoid single points of attack.
Secret Key Distribution using Network Coding
Our approach:
Key pre-distribution scheme;
Efficient use of resources;
Uses a mobile node to “blindly” complete the key distribution process;
Designed for dynamic scenarios.
Prior to sensor node deployment:
Generate a large pool of keys and their identifiers;
Load different keys and the corresponding identifiers into the memory of each sensor node;
Store in the memory of the mobile node all the keys encrypted with the same one-time pad and their corresponding identifiers.
[Oliveira and Barros, 2007]
Secret Key Distribution in WSNs
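After sensor node deployment:
[Figure: message exchange between sensor nodes A and B and the mobile node S. S holds a table of identifiers i(·) with the padded keys $K_{i(\cdot)} \oplus R$. S sends Hello to A and B; A and B answer with their key identifiers i(A) and i(B); S combines $K_{i(A)} \oplus R$ and $K_{i(B)} \oplus R$ and returns $K_{i(A)} \oplus K_{i(B)}$ to both nodes; each node combines this with its own key, so that both hold $K_{i(A)}$ and $K_{i(B)}$; A and B then exchange the encrypted messages $E_K(m_{A \to B})$ and $E_K(m_{B \to A})$]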
[Oliveira and Barros, 2007]
One-Time Pad Security
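One-time pad is secure if the key is: Truly random; Never reused; Kept secret.
The knowledge of $\{K_1 \oplus R, K_2 \oplus R, \ldots, K_m \oplus R\}$ does not increase the information that the attacker has about any one key:
$$P(K_i = x \mid K_1 \oplus R = y_1, \ldots, K_m \oplus R = y_m) = P(K_i = x) = \frac{1}{2^n}, \quad i = 1, \ldots, m$$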
[Oliveira, Costa and Barros, 2007]
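The pre-distribution and the exchange with the mobile node can be traced end to end in a few lines. This is an added sketch, not the authors' implementation: it assumes the one-time pad is a bytewise XOR, 16-byte keys, and one key per sensor node, and all function names are made up for the illustration.

```python
"""Key distribution through a mobile node holding padded keys (added sketch)."""
import secrets

KEY_BYTES = 16  # assumed key length; the slides do not fix one


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def predistribute(node_names):
    """Before deployment: draw the keys, load one per sensor node, and build
    the mobile node's table of identifiers and padded keys K_i xor R."""
    pad = secrets.token_bytes(KEY_BYTES)       # R, stored on no deployed device
    node_keys, padded_table = {}, {}
    for key_id, name in enumerate(node_names):
        key = secrets.token_bytes(KEY_BYTES)
        node_keys[name] = (key_id, key)
        padded_table[key_id] = xor(key, pad)
    # The pad is returned only so the checks below can inspect it.
    return node_keys, padded_table, pad


def mobile_node_reply(padded_table, id_a, id_b):
    """(K_a xor R) xor (K_b xor R) = K_a xor K_b: R cancels, and the mobile
    node computes the reply without ever holding a key in the clear."""
    return xor(padded_table[id_a], padded_table[id_b])


def recover_peer_key(own_key, reply):
    """A sensor node removes its own key from the reply to get the peer's."""
    return xor(reply, own_key)


def pad_consistent_with(padded_table, key_id, candidate_key):
    """The pad that would make candidate_key the key behind one table entry.
    One exists for every candidate, so a single entry singles out no key."""
    return xor(padded_table[key_id], candidate_key)


def run_exchange(node_keys, padded_table, a="A", b="B"):
    id_a, key_a = node_keys[a]                 # A answers Hello with i(A)
    id_b, key_b = node_keys[b]                 # B answers Hello with i(B)
    reply = mobile_node_reply(padded_table, id_a, id_b)
    return {"reply": reply,
            "a_learns": recover_peer_key(key_a, reply),
            "b_learns": recover_peer_key(key_b, reply)}


if __name__ == "__main__":
    keys, table, _ = predistribute(["A", "B", "C"])
    result = run_exchange(keys, table)
    print("A holds B's key:", result["a_learns"] == keys["B"][1])
    print("B holds A's key:", result["b_learns"] == keys["A"][1])
```

By design the reply is the XOR of the two node keys, which is all the mobile node releases.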
Extensions and Variations
Mobile key distribution for many nodes
Group and cluster keys
Key revocation
Key renewal
Authentication
Millionaires’ problem
Suppose 2 millionaires want to determine which one is richer, without revealing the precise amount of their wealth.
In the general secure multi-party computation problem, users u1, u2, ..., un possess data d1, d2, ..., dn and want to compute the outcome of a public function F(d1, d2, ..., dn ) without revealing d1, d2, ..., dn .
Other Problems beyond Secure Communication
Communicating securely is not the only problem in cryptography.
Problem: Suppose Alice and Bob are linked through a network and want to flip a coin. How can they ensure that the coin flip is fair?
Solution: Alice and Bob send one bit each in separate envelopes. They open the envelopes simultaneously and take the XOR of the two bits.
The protocol works if and only if
Bob knows nothing about Alice’s bit before he sends his envelope;
Alice cannot change her bit once the envelope is sealed.
...and vice versa (for Bob’s bit).
Bit Commitment
Commit: Alice puts a bit b in a strong box. Alice gives this box to Bob. She cannot change b.
Open: Later Alice can unveil b to Bob.
A commitment scheme is said to be secure if it is:
• Binding: the probability that Alice can successfully open two different commitments is negligible.
• Concealing: Bob gets at most negligible information on b before the opening phase.
• Correct: The probability that honest Alice fails to open a commitment is negligible.
Bit Commitment over the erasure channel
Commit Phase:
• Alice selects a random codeword with parity equal to the value she wants to commit to and sends it to Bob through the erasure channel.
Open Phase:
• Alice sends the codeword she has sent in the commit phase over a noiseless channel. Bob rejects if the codeword he receives differs in at least one position from the codeword he received through the noisy channel.
[Figure: Alice sends $X^n$ through a p-erasure channel; Bob receives $Y^n$; b = parity(X)]
Bit Commitment over the erasure channel
Protocol Analysis:
• Bob learns the commitment with probability $P_B = (1-p)^n$
• Alice unveils a bit different than the one she committed to and is not detected with probability $P_A = p$
[Figure: Alice sends $X^n$ through a p-erasure channel; Bob receives $Y^n$; b = parity(X)]
Problems:
• Non-negligible error probability (binding condition)
• The channel is used n times to commit to a single bit.
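The two probabilities in the protocol analysis can be reproduced by simulating the parity-based protocol directly. The following is an added example, not taken from the talk: function names, the parameter values n = 8 and p = 0.3, and the cheating strategy (flip one position of the codeword before opening) are assumptions chosen for the illustration.

```python
"""Parity-based bit commitment over a p-erasure channel (added simulation)."""
import random


def commit(bit, n, rng):
    """Alice: a random n-bit codeword whose parity equals the committed bit."""
    x = [rng.randrange(2) for _ in range(n - 1)]
    x.append((bit - sum(x)) % 2)
    return x


def erasure_channel(x, p, rng):
    """Each symbol is erased (None) independently with probability p."""
    return [None if rng.random() < p else b for b in x]


def bob_accepts(received, opened):
    """Open phase: Bob rejects if any position he did receive disagrees."""
    return all(r is None or r == o for r, o in zip(received, opened))


def bob_learns_early(received):
    """Before opening, Bob knows the parity only if nothing was erased;
    one missing bit of a random codeword leaves the parity uniform."""
    if any(r is None for r in received):
        return None
    return sum(received) % 2


def cheat_open(x, rng):
    """Alice opens the other bit by flipping one position of her codeword."""
    z = list(x)
    z[rng.randrange(len(z))] ^= 1
    return z


def simulate(n, p, trials, seed=1):
    rng = random.Random(seed)
    learned = cheated = correct = 0
    for _ in range(trials):
        bit = rng.randrange(2)
        x = commit(bit, n, rng)
        y = erasure_channel(x, p, rng)
        correct += bob_accepts(y, x) and sum(x) % 2 == bit
        learned += bob_learns_early(y) == bit
        cheated += bob_accepts(y, cheat_open(x, rng))
    return {"P_B": learned / trials,      # expected (1 - p) ** n
            "P_A": cheated / trials,      # expected p
            "correct": correct / trials}  # honest opening always accepted


if __name__ == "__main__":
    n, p = 8, 0.3
    print(simulate(n, p, 20000), "theory:", (1 - p) ** n, p)
```

Increasing n drives P_B down but leaves P_A at p, which is the binding problem listed on the slide.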
Commitment Rate and Capacity
If we commit to a string of length k, what is the maximum commitment rate k/n of a secure protocol we can achieve (i.e., capacity)?
Binary string: $b \in \{0,1\}^k$
Bob learns b with probability $P_B^n \to 0$
Alice cheats successfully with probability $P_A^n \to 0$
Commitment rate: $R = \frac{k}{n}$
Commitment capacity: $C_{com} = \max_{P_X} R$
The Commitment Capacity of DMC’s
Define a “redundant” channel (a channel is called non-redundant if none of its output distributions is a convex combination of its other output distributions).
Redundancy can be “cut” from a channel, by removing all input symbols which are convex combinations of others.
If after removing the redundancy of a channel, its equivocation becomes zero, the channel is called trivial.
The commitment capacity of a DMC equals its equivocation H(X|Y) after its redundancy is removed.
[Winter, Nascimento, Imai ’03]
How about the Gaussian Channel?
Motivation:
- more realistic channel model (e.g. wireless medium)
- commitment capacity for continuous channels unknown
- techniques differ from the discrete case
Channel: $Y_i = X_i + Z_i$, with $Z_i \sim N(0, \sigma^2)$
Average Power Constraint: $\frac{1}{n} \sum_{i=1}^{n} x_i^2 \le P$
Channel Capacity: $C = \frac{1}{2} \log\left(1 + \frac{P}{\sigma^2}\right)$
How about the Gaussian Channel?
Caveat: practical wiretap codes are hard to design!
Using a wiretap interpretation of commitment, we can prove that
22*
1log2
11log
2
1
GCcom
PPC
Any positive will give us a binding protocol, by making it arbitrarily small, we get that the maximum achievable rate can be made arbitrarily large
*C
Commitment rate
The commitment capacity of the Gaussian channel is infinite.
Commitment from Secret Key Agreement
[Bloch, Barros and McLaughlin, 2007]
Beyond secure communication
- Cryptographic protocols based on noisy channels, Crépeau, 1997
- Commitment Capacity of Discrete Memoryless Channels, Winter, Nascimento, Imai, 2003
- Oblivious Transfer using noisy channels, Crépeau, Morozov, Wolf, 2004
- Pseudo-signatures, Broadcast, and Multi-party Computation, M. Fitzi, S. Wolf, and J. Wullschleger, 2004
- Commitment Capacity of Gaussian Channels, Barros, Imai, Nascimento and Skudlarek, 2006
- Practical Information-Theoretic Commitment, Bloch, Barros and McLaughlin, 2007
Physical-Layer Security: 10 Open Issues
#1 How can we provide rigorous descriptions of security primitives?
Computational Security
Security schemes are based on (unproven) assumptions of intractability of certain functions;
Typically done at upper layers of the protocol stack
Information-Theoretic (Perfect or unconditional) Security
strictest notion of security, no computability assumption
H(M|X)=H(M) or I(X;M)=0
Implementable at the physical layer
[Figure: Alice encodes a k-bit message W with a key into X; Bob, also holding a key, produces the k-bit decoded message Wb; Eve observes X]
#2 What are the fundamental limits of security for strong secrecy?
[Figure: wiretap channel: Alice sends $X^n$; Bob receives $Y^n$ through p(y|x); Eve receives $Z^n$ through p(z|x)]
Theoretical results from the seventies (Wyner, Csiszár and Koerner)
Caveat: eavesdropper must have a worse channel.
Renaissance of information-theoretic security in the last 2 years.
Most results are based on weak secrecy conditions (equivocation rate)
Strong secrecy is possible (requires CS techniques)
#3 How can we leverage state-of-the-art channel coding to enhance security at the physical layer?
[Figure: a tag sends a k-bit message w as X; the reader receives Y and decodes w’; the attacker receives Z; additive noise terms Nm and Nw]
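#4 How do we construct secrecy achieving codes for wireless channels?
Main channel is noiseless; wire-tapper’s channel is a BEC with erasure probability e
Eve receives a subset of the transmitted bits (or packets)
For this instance (only), we have secrecy capacity achieving codes.
[Figure: Alice sends the k-bit message w as X; Bob receives X over the noiseless main channel and decodes wb; Eve receives Z through a binary erasure channel with inputs 0 and 1, outputs 0, 1 and ?, erasure probability e and transmission probability 1-e]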
#5 How can we borrow from quantum cryptography?
Common Randomness: Alice and Bob share correlated random sequences.
Reconciliation: Alice sends Bob enough side information for Bob to reconstruct Alice’s sequence.
Privacy Amplification: Alice and Bob use hash functions to maximize Eve’s equivocation.
#6 How can we leverage fading?
Wireless Network with Potential Eavesdropping
• Goal: Exploit channel variability to secure information at the physical-layer.
#7 How can we provide security for network coding?
Intermediate nodes have different levels of confidentiality;
Nodes T and U have partial information about the data;
Node W has full access to the data;
Node X cannot decode any useful data – a free cypher?
Active attacks can compromise the information flow.
[Figure: network with nodes S, T, U, W, X, Y and Z; links labelled a, b and a+b]
#8 How can we use coding ideas to distribute secret keys?
Problem: How can each pair of sensor nodes agree on a secret key?
Our approach: Key pre-distribution scheme; Uses a mobile node to complete the key distribution process blindly using network coding; Reduced memory requirements;
#9 How can we use physical-layer techniques to go beyond secure communication?
Cryptography is not only concerned with communicating securely.
Based on noisy channels and state-of-the-art error correction codes we can implement bit commitment and oblivious transfer, which are the building stones of secure multi-party computation.
Authentication is a vital issue and could potentially be carried out over noisy channels possibly without initial shared secret. [Wolf and Maurer ’98], [Trappe et al ’07]
How about anonymity? How about non-repudiation?
Classical Cryptography under the Computational Model
Advantages
no publicly-known, efficient attacks on public-key systems
security is provided on a block-to-block basis
if cryptographic primitive is secure then every encoded block is secure
systems are widely deployed, technology is readily available, inexpensive
Disadvantages
Security is based on unproven assumptions
No precise metrics
trade off between reliability and security as a function of the block length is unknown
security of the cryptographic protocol is measured by whether it survives a set of attacks or not.
Conventional model (error free channel)
secrecy capacity of these systems is zero
can’t guarantee reliable and perfectly secure system
Physical layer security under the information-theoretic (perfect) security model
Advantages:
No computational restrictions placed on eavesdropper
Very precise statements can be made about the information that is leaked
Quantum key distribution implemented
Wireless solutions appear
Suitably long codes get exponentially close to perfect secrecy
Disadvantages:
Information-theoretic security is an average-information measure.
Requires assumptions about the communication channels that may not be accurate in practice.
Limits its application
A few systems (e.g. QKD) are deployed but the technology is not as widely available and is expensive.
#10 It may well be worth rethinking our security architecture.
[Figure: the protocol stack (Application, Transport, Network, Link, Physical) drawn twice, the second labelled “Bottom-up Security?”]
How can we combine physical-layer security and cryptographic protocols?
Acknowledgements and credits
Matthieu Bloch, Georgia Tech
Miguel Rodrigues, University of Porto
Andrew Thangaraj, IIT Madras
Rob Calderbank, Princeton
Anderson Nascimento, University of Brasilia
Muriel Medard, MIT
Luísa Lima, University of Porto
João Paulo Vilela, University of Porto
Paulo Oliveira, University of Porto
Rui Costa, University of Porto
Demijan Klinc, Georgia Tech