Rei Safavi-Naini

1
iCORE Information Security
Secret key agreement over noisy channel

• Rei Safavi-Naini
• University of Calgary
• Joint work with Hadi Ahmadi

2
Secret key agreement

• Alice and Bob want to share a secret over a
  channel that is eavesdropped by Eve.
• A fundamental problem in cryptography.
• No solution if no other assumption is made.
• Assumptions
• Computational assumption
• Diffie-Hellman key agreement
• Non computational assumption unlimited
  adversary
• Noisy channel
• ?The key questions
• Is it possible?
• What is the secrecy capacity?
• This talk increasing secrecy capacity through
  interaction over noisy channels

3
Outline

• Message transmission Key agreement
• Exiting noisy channel models
• Wiretap
• Noisy broadcast
• Public discussion
• A new model two-way noisy broadcast
• Lower bounds
• Interactive Channel Coding
• Comparing Key Agreement Protocols
• Discussion Concluding Remarks

4
Preliminaries
5
Message transmission Key agreement

• Assume eavesdropping adversary
• If Alice can send a message securely to Bob,
• She may choose the message to be a key
• ? secure message transmission protocol gives a
  secure key agreement
• Protocols for secret key agreement

6
Secure message transmissionover noisy channel

• Model 1 Wyner Wy75 Wiretap channel
• Channels are noisy DMCs.
• Eves channel is a degraded version of Bobs.
• No shared key

• Secure message transmission is possible if the
  wiretap channel is not noise-free.
• There exists a randomized coding
• CsC(PYZX) maxp(x)(I(XY)-I(XZ))

Z
7
Secure message transmission

• Model 2 Csiszár and Körner CK78 noisy
  broadcast channel
• A generalization of Wyners work.
• Eves channel can be better than Bobs

• Secure message transmission is possible, if Eves
  channel is noisier.
• CsC(PYZX) maxp(x)(I(XY)-I(XZ))

8
Secure key agreement

• MaurerMa93, Ahlswede Csiszár AC93
• Noisy broadcast
• Public discussion channel
• error-free -insecure

• Secure key agreement is possible if, Eves
  channel is not noise-free and Bobs channel is
  not fully noisy.
• ? no requirement on Eves channel be more noisy!
• Established key can be used to encrypt a message
• Send over public channel
• ? secure message transmission
• In practice
• Implement public discussion channel using
  channel coding BBRM08

9
Secure key agreementA new model

• Secret key agreement over two-way (noisy)
  broadcast channels.
• No public discussion only noisy communication
• Natural model
• Secrecy capacity?

• The rest of the talk
• Define two-way noisy channel secrecy capacity
• Give three protocols for key agreement
• compare the protocols and derive a lower-bound
  for two-way secrecy capacity.

10
2-way broadcast

• Two one-way broadcast channels
• A forward broadcast channel Xf?YfZf specified
  by
• A backward Xb ?YbZb specified by
• Alice and Bob send messages multiple times.
• Alice, Bob and Eve view RVs ViewA, ViewB,
  ViewE.
• Either Alice or Bob calculates S the other
  calculates S.

ViewB
ViewB
S
S
ViewE
11
Secrecy capacity of 2-way broadcast

• Secrecy capacity
• The maximum real number R0, such that
• for every egt0 and sufficiently large N, there
  exist a protocol that uses the two-way broadcast
  channel N times, and results in viewed RVs MA,
  MB, ME and calculated RVs S and S which satisfy

12
Lower bound 1 one pass communication

• 1. One-way key agreement
• Use forward or backward noisy broadcast channel
  for sending a secure key
• The first lower-bound is
• CsA and CsB are one-way secrecy capacities of
  forward and backward channels.

13
Lower bound 2 1-round communication

• 2- Virtual Cascade Channel (VCC) protocol
• Inspired by Maurers technique used for public
  discussion model
• Alice (Bob) starts the protocol
• Alice sends Xf
• Bob selects uniformly S, encodes it to Vb, and
  sends XbYfVb

14
Lower bound 2

• Theorem
• secrecy capacity is equal to half of the 1-way
  secrecy capacity of the virtual broadcast
  channel, Vb?VbVb, i.e.
• When Bob starts the protocol, the secrecy
  capacity is
• The second lower-bound is

15
Lower bound 3 1-round communication

• Interactive channel coding
• Alice sends Xfn
• Bob and Eve receive Yfn and Zfn. Xf is such that
  Yf has uniform distribution.
• Bob encodes Yfn to MBNe(Yfn)(YfnXbd) and
  sends Xbd
• Alice and Eve receive Ybd and Zbd.
• Alice decodes MAN(XfnYbd) to
• Bob and Alice calculate secrets as

16
Lower bound from interactive coding

• The third lower bound is

17
The best lower bound so far

• Theorem
• Secrecy capacity of 2-way noisy broadcast
  channel is lower bounded by

18
Secrecy capacity with ICC

• Average mutual information between Bob and Alice
• Average mutual information between Bob and Eve
• The two-way secrecy capacity with ICC is
• if Alice initiates
• if Bob initiates
• Hence

19
Secrecy capacity with ICC

• Theorem
• Let Yfn be an i.i.d. n-vector over set Un with
  entropy H(Yf)?, where ?logU, and Sk
  g-1(Yfn). For rates,
• by choosing N large enough, there exist a
  suitable partitioning set Gn and a pair of
  (2?k,N) encoding/decoding algorithms that
  communicate Yfn reliably from Bob to Alice, while

20
A comparison BSC channels

• Channels are binary symmetric
• bit error probabilities p1, p2, p3, p4, where
  p1p4.

21
1-rnd and 2-rnd communication
Note h(p) - plog p -(1-p) log (1-p)
22
ICC vs. VCC
23
Discussion

• Types of key agreement protocols
• One-party Key Generation First two protocols
• Participatory Key Generation ICC
• Secrecy capacity of message transmission vs. key
  agreement
• Equal if public discussion channel exists.
• Equality for two-way broadcast model is an open
  question.
• Strong vs. weak secrecy capacity
• Weak to maximize Eves uncertainty rate Wy75,
  CK78, Ma93.
• Strong to maximize Eves absolute uncertainty
  MW00.
• We consider weak secrecy capacity.
• Strengthening the security requirement is direct
  MW00

24
Concluding remarks

• Two-way broadcast model is a natural model
• Fits in particular in wireless settings
• Results are of practical significance
• Secrecy capacity of 2-way broadcast channel for
  key agreement is defined in analogy to one-way
  secrecy capacity
• Three key agreement protocols in 2-way broadcast
  setting
• One-way key agreement
• VCC protocol
• ICC protocol
• Each protocol will provide the best (highest)
  capacity for certain channels
• The best lower-bound is maximum of the three in
  each case

25
Concluding remarks

• Secrecy capacity will be positive in surprising
  cases
• the main channels are much worse than the
  eavesdroppers channel
• ICC protocol provides a novel approach to channel
  coding, using interaction during the encoding
  phase.
• Open questions
• Can ICC be extended to multi-round?
• Relationship among secrecy capacities of the
  three protocols
• Relation between secrecy capacities of key
  agreement and message transmission

26
Thank you questions!