Information-Theoretic Security - PowerPoint PPT Presentation

1
Information-Theoretic Security
  • IEEE International Symposium on Information
    Theory
  • Toronto, Canada, July 2008

Theory and Practice
João Barros, Instituto de Telecomunicações, Universidade do Porto and EECS/MIT
Steven W. McLaughlin, School of Electrical and Computer Engineering, Georgia Institute of Technology
2
Today's Layered Architecture
  • Standard Protocol Stack

Programs and applications
End-to-end reliability, cong. control
Routing and forwarding
Medium access control
Channel coding and modulation
Where is security?
3
Security: a patchwork of add-ons
End-to-end cryptography
Secure Sockets Layer (SSL)
Virtual private networks (IPSec)
Admission control (e.g. WPA)
Physical-layer security?
4
Information-Theoretic Security: are we biased?
  • A typical graduate course in cryptography and
    security always starts by discussing Shannon's
    notion of perfect secrecy (widely accepted as the
    strictest notion of security)
  • Then, it emphasizes its conceptual beauty.
  • Then, it states that it is basically useless
    for any practical application.

p(wx)p(x)
Computational Security
5
Main Questions in this Tutorial
  • What are the fundamental security limits at the
    physical layer?
  • Which notions of security are we talking about?
  • Is information-theoretic security practical?
  • What kind of code constructions can we use?
  • How do we build protocols based on
    information-theoretic security?
  • Can we combine physical-layer security with
    classical cryptography?
  • How can we secure novel networking paradigms?
  • How can we go beyond confidentiality at the
    physical layer?
  • How can we increase our credibility in the
    security business?

6
Our program for today
  • Theoretical Foundations
  • Fundamentals of Information-Theoretic Security
  • Strong Secrecy versus Weak Secrecy
  • Secrecy Capacity of Noisy Channels
  • Practical Techniques
  • Combining Cryptography and Coding
  • Secrecy Capacity Achieving Codes
  • Secret Key Agreement at the Physical Layer
  • Advanced Topics and Applications
  • Multi-user Secrecy and Network Coding Security
  • Active Attacks on Coded Systems
  • Beyond Secure Communications
  • 10 Open Issues

7
What we will not do
  • Provide an exhaustive review of related work
  • Elaborate on the details of the proofs
  • Cover all the topics in depth
  • Address quantum information theory
  • Say bad things about modern cryptography

8
Theoretical Foundations
9
Notions of Security
  • Information-Theoretic (Perfect or unconditional)
    Security
  • strictest notion of security, no computability
    assumption
  • Prob[W | Eve's knowledge] = Prob[W]
  • H(W|X) = H(W) or I(X;W) = 0
  • e.g. One-time pad
  • (Shannon, 1949): H(K) ≥ H(M)
  • Computational Security
  • Alice sends a k-bit message W to Bob using an
    encryption scheme
  • Security schemes are based on (unproven)
    assumptions of intractability of certain
    functions
  • Typically done at upper layers of the protocol
    stack

10
One-time Pad
[Diagram: Alice encrypts the k-bit message W with a k-bit key and sends X^k; Bob, holding the same k-bit key, recovers the k-bit decoded message Wb; Eve observes X^k.]
  • If Eve does not know the key and
    P(Key = k-tuple) = 1/2^k
  • then we have p(w | x^k) = p(w).

11
Shannon's Model
This model is somewhat pessimistic, because most
communications channels are actually noisy.
12
Wyner's Wiretap Channel (I)
Wyner, 1975
  • Reliability and Security
  • For Bob and Alice,
  • Prob[W ≠ Wb | Y^n] → 0
  • With respect to Eve,
  • (1/n) I(W; Z^n) → 0
  • as n → ∞
  • Secrecy Capacity
  • Largest transmission rate at which both
    conditions can be satisfied.
  • Positive secrecy capacity only in the degraded
    case.

13
Wyner's Wiretap Channel (II)
Wyner, 1975
[Figure: rate-equivocation region; axes: transmission rate (marked CS, CM) and equivocation rate (marked D, H(W))]
  • Proof Idea
  • Alice assigns multiple codewords to each message,
    picks one at random and thus exhausts Eve's
    capacity.
  • Converse uses Fano's inequality and classical
    arguments.
  • Rate-equivocation region
  • Two critical corner points (CM, D) and (CS,
    H(W))
  • Unusual shape (not convex)

14
Because the transmission range is so short,
NFC-enabled transactions are inherently secure.
Also, physical proximity of the device to the
reader gives users the reassurance of being in
control of the process.
15
Broadcast Channel with Confidential Messages
Y n
Bob
X n
Alice
p(y,z|x)
Zn
Eve
Csiszár and Koerner, 1978
  • Secrecy capacity is strictly positive if Bob's
    channel is less noisy than Eve's, i.e.
    I(X;Y) > I(X;Z)

16
Feedback (Public Discussion)
Maurer, 93
Y n
Bob
X n
Alice
p(y,z|x)
public authenticated feedback channel
Zn
Eve
  • Secret Key agreement scheme
  • Clever protocol allows Alice and Bob to increase
    their secrecy capacity by exchanging information
    over the feedback channel
  • This requires a public authenticated feedback
    channel!

17
Increasing the Secrecy Capacity via Feedback
  • Suppose Alice, Bob and Eve are connected via
    binary symmetric channels and a public
    authenticated feedback channel is available.

         Noisy Channel   Error-free public communication   Computation    Computation
Alice    X               V⊕X⊕E                             V⊕X⊕E⊕X        V⊕E
Bob      X⊕E             V⊕X⊕E                             V              V
Eve      X⊕D             V⊕X⊕E                             V⊕X⊕E⊕X⊕D      V⊕E⊕D
  • Bob and Eve observe different noises (D, E).
  • Bob feeds back random value V plus what he
    observed (X⊕E)
  • Eve ends up with more noise than Bob (as in the
    wiretap channel)
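The feedback round on this slide can be checked numerically. The following simulation is an added example, not part of the original slides: it runs the exchange over two binary symmetric channels and measures how noisy Alice's and Eve's copies of Bob's value V are. The crossover probabilities are constructed values, and the closed form h(q) - h(p) for the secrecy capacity of a binary symmetric wiretap channel is the standard result, brought in as an assumption.

```python
import math
import random


def bsc(bits, p, rng):
    """Binary symmetric channel: flip each bit independently with probability p."""
    return [b ^ (rng.random() < p) for b in bits]


def h2(p):
    """Binary entropy function in bits."""
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def combined_crossover(p, q):
    """Crossover probability when two independent BSC noises are XORed."""
    return p * (1 - q) + q * (1 - p)


def bsc_secrecy_capacity(p_main, p_wiretap):
    """Secrecy capacity of a BSC wiretap channel (crossovers below 1/2):
    h(p_wiretap) - h(p_main) if the wiretapper is noisier, otherwise 0.
    Standard result, assumed here; it is not stated on the slide."""
    return max(0.0, h2(p_wiretap) - h2(p_main))


def simulate_feedback(n, p_bob, p_eve, seed=0):
    """Run the feedback round on n bits and return the measured error rates
    of Alice's and Eve's estimates of Bob's value V."""
    rng = random.Random(seed)
    x = [rng.getrandbits(1) for _ in range(n)]      # Alice's random bits X
    y = bsc(x, p_bob, rng)                          # Bob observes X xor E
    z = bsc(x, p_eve, rng)                          # Eve observes X xor D
    v = [rng.getrandbits(1) for _ in range(n)]      # Bob's random value V
    public = [vi ^ yi for vi, yi in zip(v, y)]      # feedback: V xor X xor E
    alice = [ci ^ xi for ci, xi in zip(public, x)]  # Alice computes V xor E
    eve = [ci ^ zi for ci, zi in zip(public, z)]    # Eve computes V xor E xor D
    err_alice = sum(a != b for a, b in zip(alice, v)) / n
    err_eve = sum(a != b for a, b in zip(eve, v)) / n
    return err_alice, err_eve


if __name__ == "__main__":
    # Constructed scenario: Eve's channel from Alice is BETTER than Bob's.
    p_bob, p_eve = 0.20, 0.05
    err_alice, err_eve = simulate_feedback(100_000, p_bob, p_eve, seed=1)
    print("secrecy capacity without feedback:", bsc_secrecy_capacity(p_bob, p_eve))
    print("Alice's error rate on V:", round(err_alice, 3))
    print("Eve's error rate on V:  ", round(err_eve, 3))
    print("secrecy capacity after feedback:",
          round(bsc_secrecy_capacity(p_bob, combined_crossover(p_bob, p_eve)), 4))
```

Eve's estimate carries both noises, so it is never cleaner than Alice's, even though her channel from Alice was the better one; the scheme still depends on the feedback channel being authenticated.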

18
Source Model
Ahlswede and Csiszár, 93
X n
Alice
public authenticated feedback channel
Y n
Bob
p(x,y,z)
Zn
Eve
  • Alice and Bob share common randomness.
  • Eve gets to see a correlated random variable.
  • Alice and Eve generate a secret key using the
    public authenticated channel.

19
Notions of Security
Maurer and Wolf, 2000
  • Weak secrecy
  • Strong secrecy
  • The secrecy capacity of the discrete memoryless
    wiretap channel does not change with strong
    secrecy.
  • Proof requires fundamental tools of theoretical
    computer science (extractors)

20
Example of Weak Secrecy
Un
Kn
Xn
Binary data (n bits)
One-time-pad (n-k bits)
Unprotected data (k bits)
Protected data (n-k bits)
  • This trivial scheme satisfies the weak secrecy
    condition while disclosing an unbounded number
    of bits
  • Clearly, it does not satisfy the strong secrecy
    condition

21
The Wireless Scenario
Barros, Rodrigues, ISIT06
Wireless Network with Potential Eavesdropping
Can we exploit channel variability to help secure
the communication?
22
System Model
  • hM(i) = hM, ∀i, and hW(i) = hW, ∀i (quasi-static
    fading model)
  • hM and hW independent and complex Gaussian
    distributed
  • SNRs γM ∝ |hM|^2 and γW ∝ |hM|^2 exponentially
    distributed

23
Security Characterization
  • General goal is maximization of transmission rate
    from Alice to Bob
  • R = (1/n) H(W^k)
  • and minimization of Eve's information rate
    about the message,
  • ? = (1/n) I(W^k; Y_W^n)
  • Secrecy capacity is maximum transmission rate R
    with ? < e.
  • Cautionary Note (Maurer and Wolf, 2000)
  • Stronger secrecy condition for Discrete
    Memoryless Channels
  • Not only the rate but the total amount of
    information leaked to the eavesdropper decays
    exponentially fast with n.
  • It is possible to prove strong secrecy results
    for wireless channels
  • Barros and Bloch, 2008

24
Instantaneous Secrecy Capacity
Instantaneous signal-to-noise ratios
  • The instantaneous secrecy capacity for
    quasi-static fading channels follows directly
    from the Gaussian case.

25
Secrecy Outage
  • The outage probability

- Alice chooses a target secrecy rate Rs.
- If Rs < Cs then she can communicate securely.
- Otherwise, information-theoretic security is compromised.
26
Outage Probability
Barros, Rodrigues, ISIT06
After some maths
Impact of Distance
Outage probability for normalized target secrecy rate Rs = 0.1.
27
Outage Secrecy Capacity
Barros, Rodrigues, ISIT06
ε-outage secrecy capacity
Normalized outage secrecy capacity for an outage probability Pout = 0.10.
Normalized outage secrecy capacity for an outage probability Pout = 0.75.
Thicker lines: AWGN case. Thinner lines: fading case.
28
Average Secrecy Capacity
When it comes to information-theoretic
security, fading is really a friend and not a foe.
Normalized average outage secrecy capacity.
Thicker lines: AWGN case. Thinner lines: fading case.
29
Imperfect CSI
Bloch, Barros, Rodrigues, McLaughlin, ITW06
  • Assumptions
  • Perfect CSI for the main channel
  • Imperfect CSI for the wiretap channel
  • Proceed as if CSI was correct
  • Outage probability
  • In general, Alice underestimates the secrecy
    capacity

30
Some recent work on (weak) secrecy capacity
  • Secure space-time communications (Hero, 2003)
  • Secrecy rates for the relay channel (Oohama,
    2004)
  • Secrecy capacity of SIMO channels (Parada and
    Blahut, 2005)
  • Secure MIMO with artificial noise (Negi and Goel,
    2005)
  • Gaussian MAC and cooperative jamming (Tekin and
    Yener, 2005)
  • Secrecy capacity of slow fading channels (Barros
    and Rodrigues, 2006)
  • Multiple access channel with confidential
    messages (Liang and Poor, Liu et al., 2006)
  • Secure broadcasting with multiuser diversity
    (Khisti, Tchamkerten, and Wornell, 2006)
  • Ergodic secrecy capacity (Gopala, Lai and El
    Gamal, Liang, Poor and Shamai 2007)
  • Strong secrecy for wireless channels (Barros and
    Bloch, 2008)
  • and many more.

31
Strong secrecy for Gaussian and Wireless Channels
Nitinawarat, Allerton 2007
  • Strong secret key agreement from Gaussian random
    variables
  • Lattice codes
  • Quantization with side information
  • Strong secrecy capacity for wireless channels
  • Uses tools of Maurer and Wolf, 2000
  • Maps messages to secret keys
  • Multiple copies of weakly secure wiretap codes
  • Quantization and Slepian Wolf codes
  • Extractor functions for privacy amplification

Barros and Bloch, ICITS 2008
32
Comments
  • Information Theory provides you with tools to
    determine fundamental security limits in
    particular at the physical layer
  • There exist codes which can guarantee both
    reliability and information-theoretic security
  • Secure communication over wireless channels is
    possible even when the eavesdropper has a better
    channel (on average)
  • When it comes to security, fading is a friend and
    not a foe.

33
Practical Techniques
34
Is physical-layer security practical?
  • Motivating examples
  • secure error correcting codes and the channel
    coding converse
  • tandem error correction and cryptography
  • coset codes for an erasure wiretapper
  • Secret key agreement protocol for wireless
    channels

35
Secure Communication on two Gaussian channels
Assume that the attacker has worse SNR
Practical scenarios: RFID, zoned security
Wiretap error control code: specific error control code needed at Tag side; low complexity encoder, possibly complex decoder
36
Secure Communication on two Gaussian channels
Transmit at Cwiretapper < R < Cmain
Assume that the attacker has worse SNR
37
Some common sense: use an error control code
Assume that the attacker has worse SNR
Very good error correcting code with simple encoder
Reader recovers bits with good BER
38
Coding
Assume that the attacker has worse SNR
Very good error correcting code with
simple encoder
Eve recovers bits with worse BER
39
Coding with an advanced code
40
Some secrecy rate tradeoffs
41
System view
How would we combine this with encryption?
42
After FEC decoding
At the encryption level
Assume Attacker SNR is 1.5 - 2.0 dB worse than Bob's
(e.g. near field communications)
43
At the encryption level
N/2 bits in error. Attacker does not know which ones. She needs to do a 2^N search.
  • Assume all parties have a key
  • Attacker has somehow figured out the key
  • e.g. from a weak RFID security protocol

44
At the encryption level
N/2 bits in error. Attacker needs to
- guess the N coded bits correctly
- guess the M key bits correctly
She needs to do a 2^(N+M) search.
This time: assume Attacker does not have a key
45
Achieving the Secrecy Capacity with Error Control
Coding
46
Achieving secrecy capacity for any DMCs using
capacity achieving codes
X
Y
k-bit decoded message wb
k-bit message w
Alice
Bob
C1
C2
C1: main channel Pr[Y|X]; C2: wiretapper's channel Pr[Z|X]
Z
Eve
  • Special case - C2 is worse than C1 (both DMCs)
  • Use 2^k capacity-approaching codes C1, C2, C3,
    ...
  • To send a message w, set X = random codeword of Cw
  • If Cw achieves capacity on C2 for each w =>
    Security condition is satisfied!
  • If union of C1, C2, C3, ... is reliable
    across C1, wb = w is possible => Reliability
    condition is satisfied!
  • Thangaraj et al, 2004 have shown that such a
    selection of C1, C2, C3, ... is possible.

47
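Motivating example: BEC wiretapper channel
[Diagram: Alice sends the k-bit message w as X; Bob receives X over a noiseless channel and decodes wb; Eve observes Z through a binary erasure channel in which each bit passes unchanged with probability 1-e and is erased (?) with probability e.]
  • Main channel is noiseless; wiretapper's channel
    is a BEC with erasure probability e
  • Eve receives a subset of the transmitted bits (or
    packets)
  • Secrecy capacity is e

Wyner and Ozarow, Wiretap Channel Type II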
48
Conventional Encoding and Decoding
X
X
k-bit message w
Alice
Bob
wb = H X^T
  • Conventional encoding: select the codeword in C
    with message w

Binary codewords of length n
49
Security Encoding and Decoding
X
X
k-bit message w
Alice
Bob
wb = H X^T
  • Now for security - encode information in coset

Binary codewords 1 translate (cosets)
50
Security Encoding and Decoding
X
X
k-bit message w
Alice
Bob
wb = H X^T
  • (n,n-k) code C with parity-check matrix H
  • Make C and H public
  • C has 2^k cosets
  • Encoding: select the coset of C with message w,
    select codeword in coset at random

Binary codewords 3 translates (cosets)
Secrecy rate k/n
51
Security
X = x1 x2 ... xn
k-bit message w
Alice
Bob
wb = H X^T
BEC(e)
Z = x1 ... xs e e e ... e (e = erasure)
Eve
  • If each coset of C has a vector of the form
    x1...xs??...?,
  • Pr[m | Z] = Pr[m]

52
Security Property of Codes
Z = x1 ... xs ? ? ... ?
If the submatrix of G corresponding to revealed
positions has full column rank, all cosets of C
have a vector of the form x1...xs??...?
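The coset encoder of the preceding slides and the full-column-rank condition above can be checked by brute force on a small code. This is an added example, not taken from the slides: it assumes C is the [7,4] Hamming code (n = 7, k = 3), and the function names and the revealed position sets are constructed for the demonstration.

```python
import itertools
import random

# Assumed code for the demo: C is the [7,4] Hamming code, so n = 7, k = 3 and
# the public parity-check matrix H has k rows.
H = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
N, K = 7, 3


def syndrome(x):
    """Bob's decoder wb = H x^T over GF(2)."""
    return tuple(sum(h * b for h, b in zip(row, x)) % 2 for row in H)


# Partition all 2^n words into the 2^k cosets of C, indexed by syndrome.
COSETS = {}
for word in itertools.product((0, 1), repeat=N):
    COSETS.setdefault(syndrome(word), []).append(word)
CODE = COSETS[(0,) * K]  # the code C itself (zero syndrome)


def encode(w, rng):
    """Alice: pick a word uniformly at random from the coset with syndrome w."""
    return rng.choice(COSETS[tuple(w)])


def eve_view(x, revealed):
    """Erasure wiretap output: bits at the revealed positions, None elsewhere."""
    return tuple(b if i in revealed else None for i, b in enumerate(x))


def eve_posterior(z):
    """Pr[w | Z = z] for a uniform message prior: proportional to the number
    of words in coset w that agree with z on the unerased positions."""
    counts = {
        w: sum(all(zi is None or zi == xi for zi, xi in zip(z, x)) for x in words)
        for w, words in COSETS.items()
    }
    total = sum(counts.values())
    return {w: c / total for w, c in counts.items()}


def revealed_columns_full_rank(revealed):
    """True when the columns of G (a generator matrix of C) at the revealed
    positions are linearly independent, which is the same as C restricted to
    those positions taking all 2^s values."""
    patterns = {tuple(c[i] for i in revealed) for c in CODE}
    return len(patterns) == 2 ** len(revealed)


def secure_subsets(s):
    """Number of s-subsets of positions Eve can observe and learn nothing."""
    return sum(revealed_columns_full_rank(S)
               for S in itertools.combinations(range(N), s))


if __name__ == "__main__":
    rng = random.Random(7)
    w = (1, 0, 1)                       # constructed 3-bit message
    x = encode(w, rng)
    print("sent", x, "Bob decodes", syndrome(x))
    for revealed in [(0, 1, 2, 3), (0, 2, 4, 6)]:
        post = eve_posterior(eve_view(x, revealed))
        print(revealed, "full rank:", revealed_columns_full_rank(revealed),
              "posterior values:", sorted(set(post.values())))
    print("secure subsets by size:", {s: secure_subsets(s) for s in range(1, 6)})
```

With positions (0, 2, 4, 6) revealed, the parity of what Eve sees equals the first syndrome bit, so half of the messages are ruled out; any three revealed positions leave the posterior uniform.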
53
LDPC Codes over a BEC
  • Urbanke and Richardson
  • Consider a (3,6)-regular LDPC matrix H: BEC
    threshold 0.42
  • Threshold interpretation: columns of H
    corresponding to the erased positions have full
    column rank if the erasure probability is less
    than 0.42

Urbanke and Richardson, 2001





54
LDPC Matrix Connection
  • LDPC Codes over a Wire Tap Channel
  • Let G = (3,6)-regular LDPC matrix
  • The columns of G corresponding to the revealed
    positions have full column rank if 1-e < 0.42 or
    the erasure probability is greater than 0.58

Z = x1 ... xs ? ? ... ?
55
LDPC codes over a BEC-noiseless wire tap channel
X = x1 x2 ... xn
k-bit message w
Alice
Bob
wb = H X^T
BEC(e)
X randomly chosen from coset of C with syndrome m
Z
Eve
  • C = dual of an LDPC code with
  • threshold e
  • rate R, k = (1 - R)n, secrecy rate = 1-R
  • Security guaranteed whenever 1-e < threshold or e > 1 - threshold
  • As e tends to 1 - R, we approach secrecy capacity
  • Capacity achieving codes for the erasure channel
    provide perfect security on the erasure wiretap
    channel

56
Comments
  • Positive Aspects
  • First practical codes to achieve perfect secrecy
    - encoder and decoder are public
  • Connection between coding threshold and security
  • Negative Aspects
  • Channels C1 and C2 must be known
  • Coding scheme above works if C1 is less noisy
    than C2
  • Other cases
  • BEC-BEC wire tap channel, BSC-Noiseless
  • See
  • Thangaraj, Dihidar, Calderbank, McLaughlin, and
    Merolla, "Applications of LDPC Codes to the
    Wiretap Channel", IEEE Trans. IT, Aug 2007

57
BREAK
58
Practical Secret Key Agreement for Wireless
Networks
59
How do we make this practical?
  • To fully exploit the randomness of the channel
    for security purposes we need secrecy
    capacity-achieving channel codes.
  • Unfortunately, it seems very difficult to design
    near-to-optimal codes for the Gaussian wiretap
    channel....
  • BUT fortunately secret key agreement is a
    somewhat easier problem (learn from quantum key
    distribution)!
  • Alice and Bob only have to agree on a key based
    on common randomness and not to transmit a
    particular message.

60
Secret Key Agreement
Assume Eve has worse channel
61
Secret Key Agreement
  • Two steps
  • Reconciliation
  • Privacy amplification

66
Secret Key Agreement
011
011
  • Two steps
  • Reconciliation
  • Privacy amplification

XXX
67
We can learn from Quantum Key Distribution
A
B
E
  • Transmission
  • Alice codes n random symbols X with quantum
    states
  • Bob measures received states to obtain correlated
    symbols Y
  • Analysis
  • Evaluation of the information intercepted by
    Eve, based on simple statistical
    measures (bit error rate, variance)
  • Reconciliation
  • Correction of errors
  • Minimum number of bits to transmit
  • Privacy Amplification
  • Choice of key size
  • Random choice of compression function

security parameter
Secret information after transmission
Information exchanged during reconciliation
68
How about wireless security?
Barros, Rodrigues, ISIT06
With fading the instantaneous secrecy capacity
can be strictly positive
  • Goal Exploit channel variability to secure
    information

69
Opportunistic Secret Key Agreement
Bloch, Barros, Rodrigues, McLaughlin 06
  • Cs > 0
  • share common randomness

Cs0 communicate securely (e.g one-time pad)
Cs0 generate secret key
70
Opportunistic secret key agreement
71
Reconciliation
  • Correct discrepancies between A and B using
    reconciliation information.
  • In practice small overhead o (10%), thus you
    have to transmit
  • (1 + o) H(X|YM) bits per symbol.
  • Assign binary labels to each of the transmitted
    symbol and use multilevel coding. The syndromes
    are used as reconciliation information.
  • Very similar to source coding with side
    information.

72
Two Modes of Operation
  • Perfect Information-theoretic Security: Generate
    a secret key and use it as a one-time pad
    (perfect security at very low rates)
  • Combined physical layer and cryptography:
    Generate a secret key and use a symmetric cipher
    such as AES (very high rates are possible)
  • Example: with fraction of time dedicated to
    secret key generation as small as 1%, we can
    renew a 256-bit encryption key every 25 kbits,
    i.e. with SNR(M) = 10 dB and SNR(W) = 20 dB, at an
    average rate of 2 Mbps, this would renew a key
    every 16 milliseconds.

73
Average secure communication rate
  • Case of perfect CSI - communication with one-time
    pad

Protocol optimal
74
Practical Considerations
  • It is possible to exploit the noise of fading
    channels to generate
    secret keys, even with imperfect CSI
  • Reconciliation efficiency 90% over wide range of
    SNRs
  • Some latency and complexity (long block length of
    LDPC code)
  • Combine physical layer and standard cryptography
  • Ex: AES with high key regeneration rate
  • We require a small shared key for authentication.

M. Bloch, J. Barros, M. R. D. Rodrigues and S. W.
McLaughlin, "Wireless Information-Theoretic
Security", IEEE Transactions on Information
Theory, June 2008.
75
Advanced Topics and Applications
76
Network Security
What happens when we have multiple parties
communicating over unreliable noisy networks with
multiple eavesdroppers and jammers?
?
  • Interference
  • Cooperation
  • Feedback

77
Multi-user Secrecy Generation
M users communicate messages F and agree on
secret key K
  • common secret key
  • secrecy against eavesdropper
  • uniformity
  • secret key (SK) capacity is the largest entropy
    rate of K

78
Example with three users and two-bit sequences
Csiszár and Narayan, 2006
  • Bob and Charlie observe sequences of Bernoulli
    (1/2) symbols.
  • Alice observes the symbolwise XOR of their
    sequences.
  • Optimal Secret Key Agreement
  • Alice sends
  • Bob sends
  • Charlie sends
  • All are able to recover
  • Eavesdropper is in the dark
  • SK rate

79
Encoding Correlated Sources
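[Diagram: Source 1 emits U1 into Encoder 1 (rate R1) and Source 2 emits U2 into Encoder 2 (rate R2), with joint distribution p(u1,u2); the decoder delivers the estimates Û1, Û2 to the sink.]
Slepian and Wolf, 1973:
R1 > H(U1|U2)
R2 > H(U2|U1)
R1 + R2 > H(U1,U2)
[Plot: rate region in the (R1, R2) plane, with marks at H(U1|U2), H(U1) and H(U1,U2) on the R1 axis and H(U2|U1), H(U2) and H(U1,U2) on the R2 axis; region labels: Slepian and Wolf 1973, Shannon 1948.]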
80
Many correlated sources
Perfect reconstruction is possible if and only if
R10
1
U1
R20
2
U2
0
for all sets
RM0
M
UM
81
Secret Key Capacity for Two Terminals
Maurer 93, Ahlswede and Csiszár, 93
R1
R1 > H(U1|U2)
Bob
Alice
U2
U1
R2 > H(U2|U1)
R2
non-interactive communication
82
Secret Key Capacity for Multiple Terminals
Csiszár and Narayan, 2006
is the minimum sum rate required for all
terminals to be able to reconstruct all sources
with arbitrarily small probability of error.
Notice that in this case the eavesdropper
observes only the communication between the nodes
and not one of the correlated sources.
83
Extensions and Variations
  • Secret key agreement with helpers (Csiszár,
    Narayan, 2005)
  • Multiple group keys with secrecy with respect to
    a prescribed
    subset of users (Ye, Narayan, 2005)
  • Satellite Channel Model (Csiszár, Narayan, 2005)
  • Secret key capacity when eavesdropper observes a
    correlated source of randomness remains
    unsolved.

84
Active Attacker
  • Adversary has access to the communications
    channel used by the legitimate parties and can do
    the following
  • Send / Receive
  • Read
  • Replay
  • Forge
  • Block
  • Modify
  • Insert

85
Secret Key Agreement with Public Discussion
Maurer, 93; Maurer, Wolf, 03
Y n
Bob
X n
Alice
p(y,z|x)
public unauthenticated channel
Zn
Eve
  • Alice and Bob want to increase their secrecy
    capacity by exchanging information over the
    feedback channel and generate a secret key.
  • But what if Eve is allowed to read and write on
    the public channel?
  • Adversary with infinite computing power
  • Adversary with complete control over public
    channel.

86
Source Model
X n
SA
Alice
public authenticated channel
Y n
Bob
SB
p(x,y,z)
Zn
Eve
  • Alice and Bob see X n and Y n and exchange
    messages C = (C1, C2, C3, ..., Ct)
  • Outcome of the key generation process: H(SA|C,X)
    = 0 or H(SB|C,Y) = 0
  • Alice sends (C1, C3, ..., C2k+1, ...), Bob
    sends (C2, C4, ..., C2k, ...)
  • Eve gets to see a correlated random variable Zn
    and can read and write on the public channel.

87
Impossibility Results
  • Simulatability Condition
  • To generate a key, Alice and Bob must have
    advantage over Eve in terms of the distribution
    PXYZ
  • Eve cannot be able to generate from Z a random
    variable X which Bob, knowing Y, is unable to
    distinguish from X (and vice versa).
  • Secret Key Capacity with Active Adversary
  • Either a secret key can be generated at the same
    rate as in the (well-studied) passive-adversary
    case, or such secret key agreement is completely
    impossible
  • if Eve can use Z to simulate X or to simulate Y
    the secret key capacity is zero.

88
Information-theoretically Secure Message
Authentication
Maurer, 2000
  • We assume opponent has unlimited computing power
    and knows everything about the system except
    for a secret key.
  • Can we provide bounds on an opponent's cheating
    probability for a given tolerable probability of
    rejecting a valid message?
  • Hypothesis testing problem decide whether a
    received message is authentic or not
  • Either the message was generated by the
    legitimate sender knowing the secret key
  • Or by an opponent without a priori knowledge of
    secret key.

89
Problem Setup
  • Sender and receiver share a secret key K
  • Sender sequence of plaintext messages
  • Each is authenticated by sending an encoded
    message which depends on K,Xi and
    encoded possibly also using the previous
    plaintext messages and
  • Receiver
  • based on , and possibly also on and
    ,decides to either reject the message or
    accept it as authentic
  • in case of acceptance decodes to a message

90
Possible Attacks
  • The opponent with read and write access to
    communication channel can use either of two
    different strategies for cheating
  • Impersonation attack at time the opponent
    waits until he has seen the encoded messages
    and then sends a fraudulent message
    which he hopes to be accepted by the receiver as
    the message
  • Substitution attack at time the opponent
    lets pass messages ,intercepts ,
    and replaces it by a different message which
    he hopes to be accepted by the receiver

91
Results
  • When a sequence of messages is
    to be authenticated, an opponent can choose the
    type of attack with the highest success
    probability
  • A secret key K is used optimally when the maximum
    of the success probability is minimal
  • When it is required that a legitimate message is
    always accepted a0 in all of these possible
    attacks,

92
PHY-Based Authentication
Trappe et al, 2007
  • Spoofing detection
  • Verify if a transmission came from a particular
    transmitter
  • Location information can be extracted to
    authenticate a transmitter relative to its
    previous location.
  • Estimates channel
  • h hAB (t,t)
  • Compares against
  • h hAB (t-1,t)
  • Accepts transmission if h h

Bob
Alice
  • Estimates channel
  • hEB (t,t)
  • Verification fails!!!
  • Does not accept Eve as Alice!

Eve
93
Spread Spectrum Communications and Jamming
  • Direct Sequence / Frequency Hopping: use
    pseudo-random sequences to spread the narrowband
    signal over a wide band of frequencies
  • Effective against narrow-band jamming; lowers
    probability of intercept; can provide privacy if
    spreading sequence is kept secret
  • Used in Code Division Multiple Access (CDMA)
    systems.

94
Médard, 1997
Capacity of Channels with Correlated Jamming
NM
Y
X
Bob
Alice



NW
Z
Eve
  • Repeat-back jamming in wireless networks (e.g.
    amplification, modification and retransmission of
    intercepted signals, inducing errors in radars
    and receivers).
  • Jammer can cause a lot of harm even with access
    to only a noisy version of the sent signal, with
    phase or timing jitter and with limited
    processing capabilities.
  • Not detectable via the received power at Bob.
  • Extended to Multiple Access Channels by Shafiee
    and Ulukus, 2005

95
Cooperative Jamming in the Gaussian Multiple
Access Channel
Tekin and Yener, 2006
X1
U1
Y
Decoder
Alice
Encoder 1
p(y,z|x1,x2)
Bob
X2
U2
Z
Charlie
Encoder 2
Decoder
Eve
  • Secrecy conditions can be individual or
    collective yielding different results for each
    case.
  • Alice and Charlie can cooperate to increase Eve's
    uncertainty about the sent messages.

96
General Broadcast Channel with Multiple Secrecy
Conditions
Û1
Y1
U2,U1
Decoder 1
Bob
p(y1,y2|x)
X
Alice
Encoder
Û2
Y2
Decoder 2
Eve
  • Csiszár and Koerner, 1978 considered one
    secrecy condition.
  • Liu et al., 2006 provided inner bound for two
    secrecy conditions, and also for interference
    channels.

97
Multiple Access Channel with confidential messages
Y1
X1
U1
Y
Decoder
Alice
Encoder 1
p(y1,y2,y,z|x1,x2)
Bob
U0
p(u1) p(u2)
X2
Z
Charlie
Encoder 2
Decoder
Eve
U2
Y2
  • Cooperative jamming over the Gaussian MAC
    (Tekin and Yener, 2006)
  • With channel outputs at the encoders: individual
    secrecy conditions (Liang and Poor, 2006)

98
Relay Channel with confidential messages
  • Discrete Memoryless Case (Oohama, 2004)
  • Randomization helps to increase the
    rate-equivocation region.

Eve
Zn
Sn
X n
Alice
p(y,z|x,s)
Y n
Bob
99
Exploiting MIMO
Goel and Negi, 2005
Bob
Alice
Eve
  • Alice can leverage multiple antennas by
    transmitting artificial noise into the null space
    of Bob
  • This approach can be used effectively, even when
    position of Eve is unknown.

100
Jamming to increase the secrecy capacity
NM
Y
X
Bob
Alice


NW
Z
Eve
  • Can we increase the noise in Eve's channel
    without affecting Bob?

101
Increasing the Secrecy Capacity with Jammers
102
Jammer Impact on Outage Secrecy Capacity in
Fading Environment
103
Multiple Jammers in Fading Environment
104
Store-and-Forward versus Network Coding
Ahlswede, Cai, Li and Yeung, 2000
  • In today's networks, information is viewed as a
    commodity, which is transmitted in packets and
    forwarded from router to router pretty much as
    water in pipes or cars in highways.
  • In contrast, network coding allows intermediate
    nodes to mix different information flows by
    combining different input packets into one or
    more output packets.

105
A simple three-node example
a
a
B
C
A
b
b
In the current networking paradigm we require 4
transmissions.
106
Network Coding
a
b
B
C
A
a⊕b
With network coding we require only 3
transmissions.
107
Algebraic Framework for Network Coding
Koetter and Médard, 2003
  • Binary vector of length m element in
  • Random processes at nodes
  • Transfer matrix
  • Generalized MIN-CUT MAX-FLOW Condition


108
Packetized Network Coding
  • Assume each packet carries L bits
  • s consecutive bits can be viewed as a symbol in

enc. vector
L
s
  • Perform network coding on a symbol by symbol
    basis.
  • Output packet also has length L.
  • Send the coefficients (the encoding vector) in
    the header.
  • Information is spread over multiple packets.

109
Practical Considerations
  • Encoding: Elementary linear operations which can
    be implemented in a straightforward manner (with
    shifts and additions).
  • Decoding: Once a receiver has enough linearly
    independent packets, it can decode the data using
    Gaussian elimination, which requires
    operations.
  • Generations: To manage the complexity and memory
    requirements, we mix only generations with fixed
    number of packets and limit the field size. Each
    keeps a buffer sorted by generation number.
    Non-innovative packets are discarded.
  • Delay: Since we must wait until we have enough
    packets to decode, there is some delay (not very
    significant, since we require fewer transmissions
    in many relevant scenarios)
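The packetized scheme of the last two slides (encoding vector in the header, decoding by Gaussian elimination, non-innovative packets discarded) is sketched below as an added example that is not part of the original slides. It assumes one-bit symbols, so every coefficient lies in GF(2) and mixing is a bytewise XOR; the class and function names and the sample generation are constructed.

```python
import random


def xor_bytes(a, b):
    """Add two equal-length payloads over GF(2)."""
    return bytes(x ^ y for x, y in zip(a, b))


def coded_packet(generation, rng):
    """Encoder: random GF(2) combination of the packets of one generation,
    returned as (encoding vector, payload). The vector travels in the header."""
    vector = [rng.getrandbits(1) for _ in generation]
    payload = bytes(len(generation[0]))
    for coeff, packet in zip(vector, generation):
        if coeff:
            payload = xor_bytes(payload, packet)
    return vector, payload


class Decoder:
    """Incremental Gaussian elimination over GF(2) for one generation."""

    def __init__(self, size):
        self.size = size
        self.rows = {}        # pivot column -> (encoding vector, payload)
        self.discarded = 0    # non-innovative packets seen so far

    def receive(self, vector, payload):
        """Store the packet if it is innovative; return False otherwise."""
        vector = list(vector)
        # Cancel every pivot already held from the incoming packet.
        for col, (vec, data) in self.rows.items():
            if vector[col]:
                vector = [a ^ b for a, b in zip(vector, vec)]
                payload = xor_bytes(payload, data)
        if not any(vector):
            self.discarded += 1   # a combination of packets we already hold
            return False
        pivot = vector.index(1)
        # Clear the new pivot from the stored rows so they stay fully reduced.
        for col, (vec, data) in list(self.rows.items()):
            if vec[pivot]:
                self.rows[col] = ([a ^ b for a, b in zip(vec, vector)],
                                  xor_bytes(data, payload))
        self.rows[pivot] = (vector, payload)
        return True

    def decode(self):
        """The original packets once `size` innovative packets arrived, else None."""
        if len(self.rows) < self.size:
            return None
        return [self.rows[i][1] for i in range(self.size)]


def transfer(generation, rng, max_packets=1000):
    """Feed coded packets to a fresh decoder until the generation is recovered."""
    decoder = Decoder(len(generation))
    sent = 0
    while decoder.decode() is None and sent < max_packets:
        decoder.receive(*coded_packet(generation, rng))
        sent += 1
    return decoder.decode(), sent, decoder.discarded


if __name__ == "__main__":
    # Constructed generation: four 8-byte source packets.
    generation = [bytes([value] * 8) for value in (0x11, 0x22, 0x33, 0x44)]
    decoded, sent, discarded = transfer(generation, random.Random(3))
    print("decoded correctly:", decoded == generation)
    print("coded packets sent:", sent, "non-innovative:", discarded)
```

A node that holds fewer innovative packets than the generation size gets `None` from `decode()`: it has linear combinations only, not the individual source packets.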

110
Benefits beyond throughput
  • Reliability: Network Coding can achieve optimal
    delay and rate in the presence of erasures and
    errors.
  • Simpler Optimization: The multicast routing
    problem is NP-hard (packing Steiner trees),
    however with network coding there exist
    polynomial time algorithms.
  • Robustness: Random network coding is completely
    decentralized and preserves the information in
    the network, even in highly volatile networking
    scenarios.

111
Applications of Network Coding
First real-life application in July 2007
Microsoft Secure Content Downloader (a.k.a.
Avalanche)
  • Distributed Storage and Peer-to-Peer: robustness
    against failures in highly volatile networks
  • Wireless Networks: Information dissemination
    using opportunistic transmission
  • Sensor Networks: Data gathering with extremely
    unreliable sensing devices
  • Network Management: Assessing critical network
    parameters (e.g. topology changes and link
    quality)

112
Classes of Network Coding Protocols
  • We distinguish between two types of protocols:
  • Stateless network coding protocols, which do not
    rely on network state information (e.g. topology
    or link costs) to decide when to mix different
    packets (e.g. Random Linear Network Coding).
  • State-aware network coding protocols, which rely
    on partial or full network state information to
    compute a network code or determine opportunities
    to perform network coding in a dynamic fashion
    (e.g. COPE).

113
Network Coding Security Taxonomy
[Figure: taxonomy diagram; recoverable labels]
  • Top-level labels: Network Coding Protocols, State
    information, Security Infrastructure, Cooperative,
    Key Management
  • Schemes: Cooperative Security (Gkantsidis,
    Rodriguez, 06); Signatures, Content Dist.
    (Zhao et al, 07); Secret Key Dist. (Oliveira,
    Barros, 07); SPOC (Vilela, Lima, Barros, 08)
  • Annotations: some intrinsic security (no state
    information); prone to Byzantine attacks; network
    state information
  • Mechanisms: extra redundancy; hash symbols
    included in packets; cooperative security
    schemes; homomorphic hash functions; signatures;
    key distribution; confidentiality
114
Network Coding A Free Cipher?
Lima, Médard and Barros, ISIT07
  • Nodes are assumed to be nice but curious
    (comply with protocol but could be malicious
    eavesdroppers)
  • Intermediate nodes have different levels of
    confidentiality
  • Nodes T and U have partial information about the
    data
  • Node W has full access to the data
  • Node X cannot decode any useful data: a free
    cipher!

[Figure: network diagram with source S, intermediate nodes T, U, W and X, and sinks Y and Z; links carry a, b and a⊕b]
Previous work considered wiretapping attacks on
multiple links, e.g. Cai and Yeung, 02;
Feldman et al, 04; Bhattad et al, 05.
115
Secure Network Coding
[Figure: two network diagrams with source S, intermediate nodes T and U, and receiver R, carrying symbols a to h and linear combinations of them]
  • Nodes T and U have access to half of the sent
    data.
  • Nodes T and U need to decode to obtain partial
    data.

116
Algebraic Security Criterion
  • Definition (Algebraic Security Criterion): The
    level of security provided by random linear
    network coding is measured by the number of
    symbols that an intermediate node v has to guess
    in order to decode one of the transmitted
    symbols.
  • In other words, we compute the difference between
    the global rank of the code and the local rank in
    each intermediate node.

117
Results
  • Theorem 1: The probability P(l_d > 0) of recovering
    a strictly positive number of symbols l_d at the
    intermediate nodes (by Gaussian elimination) goes
    to zero for sufficiently large number of nodes
    and alphabet size.
  • Proof idea:
  • An intermediate node can gain access to relevant
    information when the partial transfer matrix has
    full rank, or when the partial transfer matrix
    has diagonalizable parts.
  • Carry out independent analyses in terms of rank
    and in terms of partially diagonalizable
    matrices.
  • Show that the probability of having partially
    diagonalizable matrices goes to zero for
    sufficiently large number of nodes and alphabet
    size.
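
The decoding step from the Practical Considerations slide, the innovation check, and the rank-based security measure defined above, as an added example (not code from the tutorial or the cited papers). It assumes a small prime field GF(257); all function names are hypothetical.

```python
import random

P = 257  # assumption: small prime field GF(257) keeps the arithmetic readable

def encode(packets, rng):
    """Coded packet = random encoding vector (header) + symbol-wise combination."""
    coeffs = [rng.randrange(P) for _ in packets]
    payload = [sum(c * p[i] for c, p in zip(coeffs, packets)) % P
               for i in range(len(packets[0]))]
    return coeffs + payload

def row_reduce(rows, n):
    """Gauss-Jordan elimination mod P over the n header columns -> (rank, rows)."""
    rows = [r[:] for r in rows]
    rank = 0
    for col in range(n):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, P)
        rows[rank] = [x * inv % P for x in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % P for x, y in zip(rows[i], rows[rank])]
        rank += 1
    return rank, rows

def receive(buffer, packet, n):
    """Store a packet only if it is innovative, i.e. it raises the buffer's rank."""
    if row_reduce(buffer + [packet], n)[0] > row_reduce(buffer, n)[0]:
        buffer.append(packet)
        return True
    return False

def decode(buffer, n):
    """Return the n source packets once the local rank reaches n, else None."""
    rank, rows = row_reduce(buffer, n)
    return [r[n:] for r in rows[:n]] if rank == n else None

def symbols_to_guess(buffer, n):
    """Algebraic security criterion: global rank n minus the node's local rank."""
    return n - row_reduce(buffer, n)[0]

def decodable_now(buffer, n):
    """Source indices already exposed: reduced rows whose header is a unit vector."""
    rank, rows = row_reduce(buffer, n)
    return [r.index(1) for r in rows[:rank] if sum(1 for x in r[:n] if x) == 1]
```

A node whose reduced header contains a unit vector recovers that source packet even though its local rank is below n, which is the "diagonalizable parts" case in the proof idea.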

118
SPOC - Secure Practical netwOrk Coding
  • Assured confidentiality against attacker with
    access to all the links.
  • Two types of coefficients: locked and unlocked
  • Same operations
  • Requirements: key management mechanism

119
SPOC - Secure Practical netwOrk Coding - Results
Number of AES encryption operations according to
the payload size, for SPOC (encryption of locked
coefficients) versus traditional encryption
mechanism (encryption of the whole payload).
120
SPOC - Secure Practical netwOrk Coding - Results
Packet size overhead of including the locked
coefficients, per packet.
121
Mutual Information between Payload and Coding
Coefficients
Lima, Vilela, Barros, Médard, 2008
122
Detection of Byzantine Modification
Ho et al, ISIT 2004
  • Hash symbols, calculated as simple polynomial
    functions of the source data, are included in
    each source packet.
  • Receiver nodes check if decoded packets are
    consistent, i.e. have matching data and hash
    values.
  • Additional computation is minimal as no other
    cryptographic functions are involved.
  • Detection probability can be traded off against
    communication overhead, field size (complexity)
    of the network code and the time taken to detect
    an attack.

[Figure: source packet layout with the encoding vector, the hash and the data; labels L and s]
123
Gkantsidis, Rodriguez, Infocom 2006
Cooperative security for network coding
  • Cooperation to achieve on-the-fly detection of
    malicious packets.
  • Homomorphic hash functions: a hash of an encoded
    packet is easily derived from the hashes of the
    previously encoded packets.
  • However, these hash functions are computationally
    expensive.
  • To increase efficiency, every node performs block
    checks with a certain probability and alerts its
    neighbors upon detection.
  • In addition, there exist techniques to prevent
    Denial of Service (DoS) attacks aimed at the
    dissemination of alarms.
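
The homomorphic property described above, as an added example (not code from the tutorial or from Gkantsidis and Rodriguez). It assumes a discrete-log style hash h(b) = prod g_i^{b_i} mod p with toy parameters p = 2039 and q = 1019 constructed for illustration; function names are hypothetical.

```python
import random

Q = 1019            # toy prime: symbols and coding coefficients live in Z_q
P_MOD = 2 * Q + 1   # toy prime p = 2039; the squares mod p form a subgroup of order q

def make_generators(m, seed=0):
    """m elements of order q (constructed toy values; real parameters are far larger)."""
    rng = random.Random(seed)
    return [pow(rng.randrange(2, P_MOD - 1), 2, P_MOD) for _ in range(m)]

def block_hash(block, gens):
    """h(b) = prod_i g_i^{b_i} mod p."""
    h = 1
    for g, b in zip(gens, block):
        h = h * pow(g, b, P_MOD) % P_MOD
    return h

def combine(blocks, coeffs):
    """Network-coded block: symbol-wise linear combination over Z_q."""
    return [sum(c * b[i] for c, b in zip(coeffs, blocks)) % Q
            for i in range(len(blocks[0]))]

def expected_hash(hashes, coeffs):
    """Hash the coded block must have: prod_j h(b_j)^{c_j} mod p."""
    h = 1
    for hj, c in zip(hashes, coeffs):
        h = h * pow(hj, c, P_MOD) % P_MOD
    return h

def verify(coded, coeffs, hashes, gens):
    """Accept a coded block only if its hash matches the one derived from its header."""
    return block_hash(coded, gens) == expected_hash(hashes, coeffs)

def recode(coded_blocks, coeff_vectors, local):
    """Intermediate node: mix coded blocks and update the global encoding vector."""
    return combine(coded_blocks, local), combine(coeff_vectors, local)
```

A node needs only the source-block hashes and the encoding vector in the header to check any coded or recoded block, without decoding it.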

124
Resilient Network Codes
Jaggi et al., Infocom 2006
Koetter and Kschischang, 2007
  • Use the error correction capabilities of linear
    network coding.
  • An active attacker can be viewed as a second
    source of data.
  • Add enough redundancy to allow the destination to
    distinguish between valid and erroneous packets.
  • Some information may have to be protected by a
    shared secret key.

125
Sensor Networks
Task: Collect and transmit data
through secure links
Data confidentiality
Constraints
  • Energy
  • Limited Data Rate
  • Processing Power
  • Memory

Secret Key Distribution
How can each pair of neighboring nodes share a
secret key?
126
Key Pre-distribution
  • Goal: Store keys in the memory of the sensor
    nodes so that they share a secret with their
    neighbors after deployment.
  • Challenges:
  • Minimize the impact of compromised nodes
  • Efficient use of the resources
  • Scalability in dynamic environments
  • Avoid single points of attack.

127
Secret Key Distribution using Network Coding
Oliveira and Barros, 2007
  • Our approach:
  • Key pre-distribution scheme
  • Efficient use of resources
  • Uses a mobile node to blindly complete the key
    distribution process
  • Designed for dynamic scenarios.
  • Prior to sensor node deployment:
  • Generate a large pool of keys and their
    identifiers
  • Load different keys and the corresponding
    identifiers into the memory of each sensor node
  • Store in the memory of the mobile node all the
    keys encrypted with the same one-time pad and
    their corresponding identifiers.

128
Secret Key Distribution in WSNs
Oliveira and Barros, 2007
  • After sensor node deployment

[Figure: sensor nodes A and B each send a Hello message to the mobile node S]
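
The pre-deployment loading and the Hello exchange, as an added example (not code from the tutorial or from Oliveira and Barros). It assumes that the mobile node's network-coding step is an XOR of the two stored entries it is asked about; key length, identifier format and function names are hypothetical.

```python
import secrets

KEY_LEN = 16  # bytes per key (assumption)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def predistribute(num_nodes, keys_per_node):
    """Before deployment: build the key pool, load the sensors, load the mobile node."""
    pad = secrets.token_bytes(KEY_LEN)   # the one-time pad R; not stored on any node
    nodes, mobile = [], {}
    for n in range(num_nodes):
        ring = {f"n{n}-k{j}": secrets.token_bytes(KEY_LEN)
                for j in range(keys_per_node)}
        nodes.append(ring)               # identifier -> key, held by the sensor
        mobile.update({kid: xor(k, pad) for kid, k in ring.items()})  # id -> K xor R
    return nodes, mobile

def hello(ring, used):
    """A sensor announces the identifier of a key it has not used yet."""
    kid = next(k for k in ring if k not in used)
    used.add(kid)
    return kid

def mobile_reply(mobile, kid_a, kid_b):
    """S answers two Hellos blindly: (K_a xor R) xor (K_b xor R) = K_a xor K_b."""
    return xor(mobile[kid_a], mobile[kid_b])

def peer_key(ring, own_kid, reply):
    """Each sensor strips its own key from the reply to obtain the neighbour's key."""
    return xor(ring[own_kid], reply)
```

The mobile node only ever holds padded keys and never sees R, so it completes the exchange without learning either key.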
129
One-Time Pad Security
Oliveira, Costa and Barros, 2007
  • One-time pad is secure if the key is:
  • Truly random
  • Never reused
  • Kept secret.
  • The knowledge of
    does not increase the information that
    the attacker has about any one key

130
Extensions and Variations
  • Mobile key distribution for many nodes
  • Group and cluster keys
  • Key revocation
  • Key renewal
  • Authentication

131
Millionaires' problem
  • Suppose 2 millionaires want to determine which
    one is richer, without revealing the precise
    amount of their wealth.

In the general secure multi-party computation
problem, users u1, u2, ..., un possess data d1,
d2, ..., dn and want to compute the outcome of a
public function F(d1, d2, ..., dn ) without
revealing d1, d2, ..., dn .
132
Other Problems beyond Secure Communication
  • Communicating securely is not the only problem in
    cryptography.
  • Problem: Suppose Alice and Bob are linked through
    a network and want to flip a coin. How can they
    ensure that the coin flip is fair?
  • Solution: Alice and Bob send one bit each in
    separate envelopes. They open the envelopes
    simultaneously and take the XOR of the two bits.
  • The protocol works if and only if:
  • Bob knows nothing about Alice's bit before he
    sends his envelope
  • Alice cannot change her bit once the envelope is
    sealed.
  • ...and vice versa (for Bob's bit).

133
Bit Commitment
Commit: Alice puts a bit b in a strong box. Alice
gives this box to Bob. She cannot change b.
Open: Later Alice can unveil b to Bob.
  • A commitment scheme is said to be secure if it
    is:
  • Binding: the probability that Alice can
    successfully open two different commitments is
    negligible.
  • Concealing: Bob gets at most negligible
    information on b before the opening phase.
  • Correct: the probability that honest Alice fails
    to open a commitment is negligible.

134
Bit Commitment over the erasure channel
b = parity(X)
  • Commit Phase
  • Alice selects a random codeword with parity
    equal to the value she wants to commit to and
    sends it to Bob through the erasure channel.
  • Open Phase
  • Alice sends the codeword she has sent in the
    commit phase over a noiseless channel. Bob
    rejects if the codeword he receives differs in at
    least one position from the codeword he received
    through the noisy channel.

135
Bit Commitment over the erasure channel
b = parity(X)
  • Protocol Analysis
  • Bob learns the commitment with probability
  • Alice unveils a bit different than the one she
    committed to and is not detected with probability
  • Problems
  • Non-negligible error probability (binding
    condition)
  • The channel is used n times to commit to a single
    bit.
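
The commit and open phases over a simulated binary erasure channel, as an added example (not code from the tutorial). The function names, the single-bit-flip cheating strategy and the parameters passed to estimate() are assumptions.

```python
import random

ERASED = None  # marker for a symbol the erasure channel swallowed

def commit(bit, n, rng):
    """Alice: uniformly random n-bit word X with parity(X) == bit."""
    x = [rng.randrange(2) for _ in range(n - 1)]
    x.append((bit + sum(x)) % 2)
    return x

def erasure_channel(x, e, rng):
    """Each symbol is erased independently with probability e."""
    return [ERASED if rng.random() < e else s for s in x]

def bob_early_guess(z):
    """Before opening, Bob knows the parity only if no symbol was erased."""
    return None if ERASED in z else sum(z) % 2

def open_commitment(opened, z):
    """Bob accepts iff the opened word agrees with every symbol he did receive."""
    if len(opened) != len(z):
        return None
    if any(r is not ERASED and r != o for o, r in zip(opened, z)):
        return None
    return sum(opened) % 2

def cheat(x, rng):
    """Dishonest Alice flips one position, which flips the parity she opens."""
    y = x[:]
    y[rng.randrange(len(y))] ^= 1
    return y

def estimate(n, e, trials, seed=0):
    """Empirical rates: Bob learns b early / a one-bit-flip cheat goes undetected."""
    rng = random.Random(seed)
    early = undetected = 0
    for _ in range(trials):
        b = rng.randrange(2)
        x = commit(b, n, rng)
        z = erasure_channel(x, e, rng)
        early += bob_early_guess(z) is not None
        undetected += open_commitment(cheat(x, rng), z) == 1 - b
    return early / trials, undetected / trials
```

The flip is accepted whenever it lands on a position Bob never received, which is the binding problem listed on the slide; lengthening the codeword helps concealment but not this check.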

136
Commitment Rate and Capacity
If we commit to a string of length k, what is the
maximum commitment rate k/n of a secure protocol
we can achieve (i.e., capacity)?
Binary string
Bob learns b with probability
Alice cheats successfully with probability
Commitment rate
Commitment capacity
137
The Commitment Capacity of DMCs
  • Define a redundant channel (a channel is called
    non-redundant if none of its output distributions
    is a convex combination of its other output
    distributions).
  • Redundancy can be cut from a channel, by
    removing all input symbols which are convex
    combinations of others.
  • If after removing the redundancy of a channel,
    its equivocation becomes zero, the channel is
    called trivial.

The commitment capacity of a DMC equals its
equivocation H(X|Y) after its redundancy is
removed.
Winter, Nascimento, Imai 03
138
How about the Gaussian Channel?
Motivation
  • more realistic channel model (e.g. wireless
    medium)
  • commitment capacity for continuous channels
    unknown
  • techniques differ from the discrete case

Average Power Constraint
Channel Capacity
139
How about the Gaussian Channel?
Caveat: practical wiretap codes are hard to
design!
140
Commitment rate
  • Using a wiretap interpretation of commitment, we
    can prove that
  • Any positive will give us a binding
    protocol, by making it arbitrarily small, we get
    that the maximum achievable rate can be made
    arbitrarily large

The commitment capacity of the Gaussian channel
is infinite.
141
Commitment from Secret Key Agreement
Bloch, Barros and McLaughlin, 2007
142
Beyond secure communication
  • Cryptographic protocols based on noisy channels,
    Crépeau, 1997
  • Commitment Capacity of Discrete Memoryless
    Channels, Winter, Nascimento, Imai, 2003
  • Oblivious Transfer using noisy channels,
    Crépeau, Morozov, Wolf, 2004
  • Pseudo-signatures, Broadcast, and Multi-party
    Computation, M. Fitzi, S. Wolf, and
    J. Wullschleger, 2004
  • Commitment Capacity of Gaussian Channels,
    Barros, Imai, Nascimento and Skudlarek, 2006
  • Practical Information-Theoretic Commitment,
    Bloch, Barros and McLaughlin, 2007

143
Physical-Layer Security: 10 Open Issues
144
1 How can we provide rigorous descriptions of
security primitives?
  • Information-Theoretic (Perfect or unconditional)
    Security
  • strictest notion of security, no computability
    assumption
  • H(M|X) = H(M) or I(X;M) = 0
  • Implementable at the physical layer
  • Computational Security
  • Security schemes are based on (unproven)
    assumptions of intractability of certain
    functions
  • Typically done at upper layers of the protocol
    stack

145
2 What are the fundamental limits of security
for strong secrecy?
  • Theoretical results from the seventies (Wyner,
    Csiszár and Koerner)
  • Caveat: eavesdropper must have a worse channel.
  • Renaissance of information-theoretic security in
    the last 2 years.
  • Most results are based on weak secrecy conditions
    (equivocation rate)
  • Strong secrecy is possible (requires CS
    techniques)

146
3 How can we leverage state-of-the-art channel
coding to enhance security at the
physical layer?
147
4 How do we construct secrecy achieving codes
for wireless channels?
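[Figure: wiretap channel. Alice sends a k-bit message w as X to Bob, who decodes wb; Eve observes Z through a binary erasure channel with erasure probability e]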
  • Main channel is noiseless; the wiretapper's
    channel is a BEC with erasure probability e
  • Eve receives a subset of the transmitted bits (or
    packets)
  • For this instance (only), we have secrecy
    capacity achieving codes.

148
5 How can we borrow from quantum cryptography?
  • Common Randomness: Alice and Bob share correlated
    random sequences.
  • Reconciliation: Alice sends Bob enough side
    information for Bob to reconstruct Alice's
    sequence.
  • Privacy Amplification: Alice and Bob use hash
    functions to maximize Eve's equivocation.

149
6 How can we leverage fading?
Wireless Network with Potential Eavesdropping
  • Goal: Exploit channel variability to secure
    information at the physical layer.

150
7 How can we provide security for network coding?
  • Intermediate nodes have different levels of
    confidentiality
  • Nodes T and U have partial information about the
    data
  • Node W has full access to the data
  • Node X cannot decode any useful data: a free
    cipher?
  • Active attacks can compromise the information
    flow.

[Figure: network diagram with source S, intermediate nodes T, U, W and X, and sinks Y and Z; links carry a, b and a⊕b]
151
8 How can we use coding ideas to distribute
secret keys?
  • Problem: How can each pair of sensor nodes agree
    on a secret key?
  • Our approach:
  • Key pre-distribution scheme
  • Uses a mobile node to complete the key
    distribution process blindly using network
    coding
  • Reduced memory requirements

152
9 How can we use physical-layer techniques to
go beyond secure communication?
  • Cryptography is not only concerned with
    communicating securely.
  • Based on noisy channels and state-of-the-art
    error correction codes we can implement bit
    commitment and oblivious transfer, which are the
    building blocks of secure multi-party
    computation.
  • Authentication is a vital issue and could
    potentially be carried out over noisy channels,
    possibly without an initial shared secret.
  • Wolf and Maurer 98, Trappe et al 07
  • How about anonymity?
  • How about non-repudiation?

153
Classical Cryptography under the Computational
Model
  • Advantages
  • no publicly-known, efficient attacks on
    public-key systems
  • security is provided on a block-to-block basis
  • if cryptographic primitive is secure then every
    encoded block is secure
  • systems are widely deployed, technology is
    readily available, inexpensive
  • Disadvantages
  • Security is based on unproven assumptions
  • No precise metrics
  • trade off between reliability and security as a
    function of the block length is unknown
  • security of the cryptographic protocol is
    measured by whether it survives a set of attacks
    or not.
  • Conventional model (error-free channel): secrecy
    capacity of these systems is zero
  • cannot guarantee a reliable and perfectly secure
    system

154
Physical layer security under the
information-theoretic (perfect) security model
  • Disadvantages
  • Information-theoretic security is an
    average-information measure.
  • Requires assumptions about the communication
    channels that may not be accurate in practice.
  • Limits its application
  • A few systems (e.g. QKD) are deployed but the
    technology is not as widely available and is
    expensive.
  • Advantages
  • No computational restrictions placed on
    eavesdropper
  • Very precise statements can be made about the
    information that is leaked
  • Quantum key distribution implemented
  • Wireless solutions appear
  • Suitably long codes get exponentially close to
    perfect secrecy

155
10 It may well be worth rethinking our security
architecture.
Bottom-up Security?
  • How can we combine physical-layer security and
    cryptographic protocols?

156
Acknowledgements and credits
  • Matthieu Bloch, Georgia Tech
  • Miguel Rodrigues, University of Porto
  • Andrew Thangaraj, IIT Madras
  • Rob Calderbank, Princeton
  • Anderson Nascimento, University of Brasilia
  • Muriel Medard, MIT
  • Luísa Lima, University of Porto
  • João Paulo Vilela, University of Porto
  • Paulo Oliveira, University of Porto
  • Rui Costa, University of Porto
  • Demijan Klinc, Georgia Tech