Title: Information-Theoretic Security
1 Information-Theoretic Security
Theory and Practice
IEEE International Symposium on Information Theory - Toronto, Canada, July 2008
João Barros, Instituto de Telecomunicações, Universidade do Porto and EECS/MIT
Steven W. McLaughlin, School of Electrical and Computer Engineering, Georgia Institute of Technology
2 Today's Layered Architecture
Programs and applications
End-to-end reliability, congestion control
Routing and forwarding
Medium access control
Channel coding and modulation
Where is security?
3 Security: a patchwork of add-ons
End-to-end cryptography
Secure Sockets Layer (SSL)
Virtual private networks (IPSec)
Admission control (e.g. WPA)
Physical-layer security?
4 Information-Theoretic Security: are we biased?
- A typical graduate course in cryptography and security always starts by discussing Shannon's notion of perfect secrecy (widely accepted as the strictest notion of security)
- Then, it emphasizes its conceptual beauty.
- Then, it states that it is basically useless for any practical application.
p(w|x) = p(w)
Computational Security
5 Main Questions in this Tutorial
- What are the fundamental security limits at the physical layer?
- Which notions of security are we talking about?
- Is information-theoretic security practical?
- What kind of code constructions can we use?
- How do we build protocols based on information-theoretic security?
- Can we combine physical-layer security with classical cryptography?
- How can we secure novel networking paradigms?
- How can we go beyond confidentiality at the physical layer?
- How can we increase our credibility in the security business?
6 Our program for today
- Theoretical Foundations
  - Fundamentals of Information-Theoretic Security
  - Strong Secrecy versus Weak Secrecy
  - Secrecy Capacity of Noisy Channels
- Practical Techniques
  - Combining Cryptography and Coding
  - Secrecy Capacity Achieving Codes
  - Secret Key Agreement at the Physical Layer
- Advanced Topics and Applications
  - Multi-user Secrecy and Network Coding Security
  - Active Attacks on Coded Systems
  - Beyond Secure Communications
7 What we will not do
- Provide an exhaustive review of related work
- Elaborate on the details of the proofs
- Cover all the topics in depth
- Address quantum information theory
- Say bad things about modern cryptography
8 Theoretical Foundations
9 Notions of Security
- Information-Theoretic (Perfect or unconditional) Security
  - strictest notion of security, no computability assumption
  - Prob[W | Eve's knowledge] = Prob[W]
  - H(W|X) = H(W) or I(X;W) = 0
  - e.g. One-time pad
  - Shannon, 1949: H(K) ≥ H(M)
- Computational Security
  - Alice sends a k-bit message W to Bob using an encryption scheme
  - Security schemes are based on (unproven) assumptions of intractability of certain functions
  - Typically done at upper layers of the protocol stack
10 One-time Pad
[Figure: Alice and Bob each hold a k-bit key; Alice sends the k-bit message W as X^k, Bob outputs the k-bit decoded message Wb, and Eve observes X^k.]
- If Eve does not know the key and P(Key = k-tuple) = 1/2^k, then we have p(w|x^k) = p(w).
11 Shannon's Model
This model is somewhat pessimistic, because most
communications channels are actually noisy.
12 Wyner's Wiretap Channel (I)
Wyner, 1975
- Reliability and Security
  - For Bob and Alice,
    - Prob{W ≠ Wb | Y^n} → 0
  - With respect to Eve,
    - (1/n) I(W; Z^n) → 0
  - as n → ∞
- Secrecy Capacity
  - Largest transmission rate at which both conditions can be satisfied.
  - Positive secrecy capacity only in the degraded case.
13 Wyner's Wiretap Channel (II)
Wyner, 1975
[Figure: rate-equivocation region; axes: transmission rate and equivocation rate; marked values H(W), D, CS and CM.]
- Proof Idea
  - Alice assigns multiple codewords to each message, picks one at random and thus exhausts Eve's capacity.
  - Converse uses Fano's inequality and classical arguments.
- Rate-equivocation region
  - Two critical corner points (CM, D) and (CS, H(W))
  - Unusual shape (not convex)
14 Because the transmission range is so short,
NFC-enabled transactions are inherently secure.
Also, physical proximity of the device to the
reader gives users the reassurance of being in
control of the process.
15 Broadcast Channel with Confidential Messages
Csiszár and Koerner, 1978
[Figure: Alice sends X^n over the channel p(y,z|x); Bob receives Y^n and Eve receives Z^n.]
- Secrecy capacity is strictly positive if Bob's channel is less noisy than Eve's, i.e. I(X;Y) > I(X;Z)
16 Feedback (Public Discussion)
Maurer, 93
[Figure: Alice sends X^n over the channel p(y,z|x); Bob receives Y^n and Eve receives Z^n; a public authenticated feedback channel is also available.]
- Secret key agreement scheme
- Clever protocol allows Alice and Bob to increase their secrecy capacity by exchanging information over the feedback channel
- This requires a public authenticated feedback channel!
17 Increasing the Secrecy Capacity via Feedback
- Suppose Alice, Bob and Eve are connected via binary symmetric channels and a public authenticated feedback channel is available.

        Noisy Channel   Error-free public communication   Computation     Computation
Alice   X               V⊕X⊕E                             V⊕X⊕E⊕X         V⊕E
Bob     X⊕E             V⊕X⊕E                             V               V
Eve     X⊕D             V⊕X⊕E                             V⊕X⊕E⊕X⊕D       V⊕E⊕D

- Bob and Eve observe different noises (D, E).
- Bob feeds back random value V plus what he observed (X⊕E)
- Eve ends up with more noise than Bob (as in the wiretap channel)
18 Source Model
Ahlswede and Csiszár, 93
[Figure: Alice observes X^n, Bob observes Y^n and Eve observes Z^n, drawn from p(x,y,z); a public authenticated feedback channel is available.]
- Alice and Bob share common randomness.
- Eve gets to see a correlated random variable.
- Alice and Bob generate a secret key using the public authenticated channel.
19 Notions of Security
Maurer and Wolf, 2000
- Weak secrecy
- Strong secrecy
- The secrecy capacity of the discrete memoryless wiretap channel does not change with strong secrecy.
- Proof requires fundamental tools of theoretical computer science (extractors)
20 Example of Weak Secrecy
[Figure: binary data U^n (n bits) and a one-time pad K^n (n-k bits) produce X^n, made of unprotected data (k bits) and protected data (n-k bits).]
- This trivial scheme satisfies the weak secrecy condition while disclosing an unbounded number of bits
- Clearly, it does not satisfy the strong secrecy condition
21 The Wireless Scenario
Barros, Rodrigues, ISIT06
Wireless Network with Potential Eavesdropping
Can we exploit channel variability to help secure
the communication?
22 System Model
- hM(i) = hM, ∀i, and hW(i) = hW, ∀i (quasi-static fading model)
- hM and hW independent and complex Gaussian distributed
- SNRs γM ∝ |hM|² and γW ∝ |hW|² exponentially distributed
23 Security Characterization
- General goal is maximization of transmission rate from Alice to Bob
  - R = (1/n) H(W^k)
- and minimization of Eve's information rate about the message,
  - (1/n) I(W^k; YW^n)
- Secrecy capacity is maximum transmission rate R with (1/n) I(W^k; YW^n) < ε.
- Cautionary Note (Maurer and Wolf, 2000)
  - Stronger secrecy condition for Discrete Memoryless Channels
  - Not only the rate but the total amount of information leaked to the eavesdropper decays exponentially fast with n.
  - It is possible to prove strong secrecy results for wireless channels (Barros and Bloch, 2008)
24 Instantaneous Secrecy Capacity
Instantaneous signal-to-noise ratios
- The instantaneous secrecy capacity for
quasi-static fading channels follows directly
from the Gaussian case.
25 Secrecy Outage
- Alice chooses a target secrecy rate Rs.
  - if Rs < Cs then she can communicate securely.
  - otherwise, information-theoretic security is compromised.
26 Outage Probability
Barros, Rodrigues, ISIT06
After some maths
Impact of Distance
[Figure: outage probability for normalized target secrecy rate Rs = 0.1.]
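Added example (not part of the original slides): the secrecy outage probability P(Cs < Rs) for the quasi-static fading model above, computed in closed form by integrating over the two exponential SNR distributions and checked by Monte Carlo simulation. It assumes the Gaussian wiretap expression Cs = [log2(1+γM) - log2(1+γW)]^+ for the instantaneous secrecy capacity; the average SNRs of 10 dB (main) and 20 dB (wiretap), the rate Rs = 0.1 bits per channel use and the function names are chosen here for illustration.

```python
import math
import random


def instantaneous_secrecy_capacity(snr_main, snr_wiretap):
    """Cs = [log2(1 + gamma_M) - log2(1 + gamma_W)]^+ for one fading realisation."""
    return max(0.0, math.log2(1 + snr_main) - math.log2(1 + snr_wiretap))


def outage_closed_form(rs, mean_main, mean_wiretap):
    """P(Cs < Rs) for independent exponentially distributed SNRs.

    P(Cs > Rs) = P(gamma_M > 2^Rs (1 + gamma_W) - 1); averaging the exponential
    tail of gamma_M over the exponential density of gamma_W gives the product below.
    """
    growth = 2.0 ** rs
    p_secure = (mean_main / (mean_main + growth * mean_wiretap)
                * math.exp(-(growth - 1) / mean_main))
    return 1 - p_secure


def outage_monte_carlo(rs, mean_main, mean_wiretap, trials=200_000, seed=7):
    """Estimate P(Cs < Rs) by drawing independent fading realisations."""
    rng = random.Random(seed)
    outages = 0
    for _ in range(trials):
        snr_main = rng.expovariate(1 / mean_main)        # exponential, given mean
        snr_wiretap = rng.expovariate(1 / mean_wiretap)
        outages += instantaneous_secrecy_capacity(snr_main, snr_wiretap) < rs
    return outages / trials


if __name__ == "__main__":
    mean_main, mean_wiretap = 10.0, 100.0    # 10 dB and 20 dB: Eve is better on average
    for rs in (0.0, 0.1, 1.0):
        print(rs,
              round(outage_closed_form(rs, mean_main, mean_wiretap), 4),
              round(outage_monte_carlo(rs, mean_main, mean_wiretap), 4))
```

With these values the outage probability stays below 1 even though Eve's average SNR is 10 dB higher than Bob's: the fading realisations in which Bob's channel happens to be the better one are the ones Alice can use.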
27 Outage Secrecy Capacity
Barros, Rodrigues, ISIT06
ε-outage secrecy capacity
[Figure: normalized outage secrecy capacity for an outage probability Pout = 0.10.]
[Figure: normalized outage secrecy capacity for an outage probability Pout = 0.75.]
Thicker lines: AWGN case. Thinner lines: fading case.
28 Average Secrecy Capacity
When it comes to information-theoretic security, fading is really a friend and not a foe.
[Figure: normalized average outage secrecy capacity. Thicker lines: AWGN case. Thinner lines: fading case.]
29 Imperfect CSI
Bloch, Barros, Rodrigues, McLaughlin, ITW06
- Assumptions
- Perfect CSI for the main channel
- Imperfect CSI for the wiretap channel
- Proceed as if CSI was correct
- Outage probability
- In general, Alice underestimates the secrecy
capacity
30 Some recent work on (weak) secrecy capacity
- Secure space-time communications (Hero, 2003)
- Secrecy rates for the relay channel (Oohama, 2004)
- Secrecy capacity of SIMO channels (Parada and Blahut, 2005)
- Secure MIMO with artificial noise (Negi and Goel, 2005)
- Gaussian MAC and cooperative jamming (Tekin and Yener, 2005)
- Secrecy capacity of slow fading channels (Barros and Rodrigues, 2006)
- Multiple access channel with confidential messages (Liang and Poor, Liu et al., 2006)
- Secure broadcasting with multiuser diversity (Khisti, Tchamkerten, and Wornell, 2006)
- Ergodic secrecy capacity (Gopala, Lai and El Gamal, Liang, Poor and Shamai 2007)
- Strong secrecy for wireless channels (Barros and Bloch, 2008)
- and many more.
31 Strong secrecy for Gaussian and Wireless Channels
Nitinawarat, Allerton 2007
- Strong secret key agreement from Gaussian random variables
  - Lattice codes
  - Quantization with side information
- Strong secrecy capacity for wireless channels
  - Uses tools of Maurer and Wolf, 2000
  - Maps messages to secret keys
  - Multiple copies of weakly secure wiretap codes
  - Quantization and Slepian Wolf codes
  - Extractor functions for privacy amplification
Barros and Bloch, ICITS 2008
32 Comments
- Information Theory provides you with tools to determine fundamental security limits, in particular at the physical layer
- There exist codes which can guarantee both reliability and information-theoretic security
- Secure communication over wireless channels is possible even when the eavesdropper has a better channel (on average)
- When it comes to security, fading is a friend and not a foe.
33 Practical Techniques
34 Is physical-layer security practical?
- Motivating examples
  - secure error correcting codes and the channel coding converse
  - tandem error correction and cryptography
  - coset codes for an erasure wiretapper
- Secret key agreement protocol for wireless channels
35 Secure Communication on two Gaussian channels
Assume that the attacker has worse SNR
Practical scenarios: RFID, zoned security
Wiretap error control code: specific error control code needed at tag side; low complexity encoder, possibly complex decoder
36 Secure Communication on two Gaussian channels
Transmit at Cwiretapper < R < Cmain
Assume that the attacker has worse SNR
37 Some common sense: use an error control code
Assume that the attacker has worse SNR
Very good error correcting code with simple encoder
Reader recovers bits with good BER
38 Coding
Assume that the attacker has worse SNR
Very good error correcting code with simple encoder
Eve recovers bits with worse BER
39 Coding with an advanced code
40 Some secrecy rate tradeoffs
41 System view
How would we combine this with encryption?
42 After FEC decoding
At the encryption level
Assume attacker SNR is 1.5 - 2.0 dB worse than Bob's (e.g. near field communications)
43 At the encryption level
N/2 bits in error. Attacker does not know which ones. She needs to do a 2^N search.
- Assume all parties have a key
- Attacker has somehow figured out the key
  - e.g. from a weak RFID security protocol
44 At the encryption level
N/2 bits in error. Attacker needs to
- guess the N coded bits correctly
- guess the M key bits correctly
She needs to do a 2^(N+M) search.
This time: assume attacker does not have a key
45 Achieving the Secrecy Capacity with Error Control Coding
46 Achieving secrecy capacity for any DMCs using capacity achieving codes
[Figure: Alice sends the k-bit message w as X; Bob receives Y over the main channel C1 = Pr(Y|X) and outputs the k-bit decoded message wb; Eve receives Z over the wiretapper's channel C2 = Pr(Z|X).]
- Special case: C2 is worse than C1 (both DMCs)
- Use 2^k capacity-approaching codes C1, C2, C3, ...
- To send a message w, set X = random codeword of Cw
- If Cw achieves capacity on C2 for each w => Security condition is satisfied!
- If union of C1, C2, C3, ... is reliable across C1, wb = w is possible => Reliability condition is satisfied!
- Thangaraj et al, 2004 have shown that such a selection of C1, C2, C3, ... is possible.
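47 Motivating example: BEC wiretapper channel
Wyner and Ozarow, Wiretap Channel Type II
[Figure: Alice sends the k-bit message w as X; Bob receives X and outputs wb; Eve receives Z through a binary erasure channel in which each input (0 or 1) is received correctly with probability 1-ε and erased (?) with probability ε.]
- Main channel is noiseless; wire-tapper's channel is a BEC with erasure probability ε
- Eve receives a subset of the transmitted bits (or packets)
- Secrecy capacity is ε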
48 Conventional Encoding and Decoding
[Figure: Alice sends the k-bit message w as X; Bob receives X and computes wb = H X^T.]
- Conventional encoding: select the codeword in C with message w
[Figure: binary codewords of length n]
49 Security Encoding and Decoding
[Figure: Alice sends the k-bit message w as X; Bob receives X and computes wb = H X^T.]
- Now for security: encode information in coset
[Figure: binary codewords + 1 translate (cosets)]
50 Security Encoding and Decoding
[Figure: Alice sends the k-bit message w as X; Bob receives X and computes wb = H X^T.]
- (n, n-k) code C with parity-check matrix H
- Make C and H public
- C has 2^k cosets
- Encoding: select the coset of C with message w, select codeword in coset at random
[Figure: binary codewords + 3 translates (cosets)]
Secrecy rate k/n
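51 Security
[Figure: Alice sends the k-bit message w as X = x1 x2 ... xn; Bob receives X and computes wb = H X^T; Eve receives Z = x1 ... xs e e e ... e (e = erasure) through a BEC(ε).]
- If each coset of C has a vector of the form x1 ... xs ? ? ... ?,
  - Pr[m | Z] = Pr[m]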
52 Security Property of Codes
Z = x1 ... xs ? ? ... ?
If the submatrix of G corresponding to revealed positions has full column rank, all cosets of C have a vector of the form x1 ... xs ? ? ... ?
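Added example (not part of the original slides): coset encoding on the erasure wiretap channel of slides 50 to 52, using a constructed (6,3) toy code rather than an LDPC code. It encodes a message as a syndrome, lets Eve see a chosen set of revealed positions, and counts how many coset members per message remain consistent with her view; equal counts for all messages mean Pr[m | Z] = Pr[m]. The matrix A and all function names are assumptions of this example.

```python
import itertools
import random

# Constructed toy code: n = 6, k = 3 message bits, C is a (6, 3) code.
N, K = 6, 3
A = [[1, 1, 0], [0, 1, 1], [1, 0, 1]]
G = [[int(i == j) for j in range(3)] + A[i] for i in range(3)]       # generator of C, [I | A]
H = [[A[j][i] for j in range(3)] + [int(i == j) for j in range(3)]   # parity check, [A^T | I]
     for i in range(3)]


def syndrome(x):
    """Bob's decoder: wb = H x^T over GF(2)."""
    return tuple(sum(h * xi for h, xi in zip(row, x)) % 2 for row in H)


def encode(w, rng):
    """Pick a uniformly random member of the coset of C whose syndrome is w."""
    u = [rng.getrandbits(1) for _ in range(N - K)]
    codeword = [sum(u[i] * G[i][j] for i in range(N - K)) % 2 for j in range(N)]
    leader = [0] * (N - K) + list(w)      # H * leader^T = w because H = [A^T | I]
    return [c ^ l for c, l in zip(codeword, leader)]


def erase(x, revealed):
    """Eve's view Z: bits at the revealed positions, None for erasures."""
    return [xi if j in revealed else None for j, xi in enumerate(x)]


def gf2_rank(vectors):
    """Rank over GF(2), by Gaussian elimination on integer bitmasks."""
    basis = {}                            # leading bit position -> reduced vector
    for v in vectors:
        m = int("".join(map(str, v)), 2)
        while m:
            top = m.bit_length() - 1
            if top not in basis:
                basis[top] = m
                break
            m ^= basis[top]
    return len(basis)


def revealed_columns_independent(revealed):
    """Slide 52 condition: columns of G at the revealed positions have full column rank."""
    columns = [[G[i][j] for i in range(N - K)] for j in revealed]
    return gf2_rank(columns) == len(columns)


def eve_candidates(z):
    """For each message (coset), count the vectors consistent with Eve's view z."""
    counts = {w: 0 for w in itertools.product((0, 1), repeat=K)}
    for x in itertools.product((0, 1), repeat=N):
        if all(zi is None or zi == xi for zi, xi in zip(z, x)):
            counts[syndrome(x)] += 1
    return counts


if __name__ == "__main__":
    rng = random.Random(0)
    x = encode((1, 0, 1), rng)
    for revealed in ({0, 1}, {0, 1, 4}):
        print(sorted(revealed), revealed_columns_independent(sorted(revealed)),
              eve_candidates(erase(x, revealed)))
```

When the revealed columns are dependent, as for positions 0, 1 and 4 of this toy code, half of the cosets contain no vector matching Eve's view, so she rules out half of the messages.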
53 LDPC Codes over a BEC
Urbanke and Richardson, 2001
- Consider a (3,6)-regular LDPC matrix H: BEC threshold 0.42
- Threshold interpretation: columns of H corresponding to the erased positions have full column rank if the erasure probability is less than 0.42
[Figure: matrix H and its columns h.]
54 LDPC Matrix Connection
- LDPC Codes over a Wire Tap Channel
- Let G be a (3,6)-regular LDPC matrix
- The columns of G corresponding to the revealed positions have full column rank if 1-ε < 0.42 or the erasure probability is greater than 0.58
Z = x1 ... xs ? ? ... ?
55 LDPC codes over a BEC-noiseless wire tap channel
[Figure: Alice sends the k-bit message w as X = x1 x2 ... xn, with X randomly chosen from the coset of C with syndrome m; Bob receives X and computes wb = H X^T; Eve receives Z through a BEC(ε).]
- C: dual of an LDPC code with
  - threshold ε*
  - rate R
- k = (1-R)n, secrecy rate = 1-R
- Security guaranteed whenever 1-ε < ε* or ε > 1-ε*
- As ε tends to 1-R, we approach secrecy capacity
- Capacity achieving codes for the erasure channel provide perfect security on the erasure wiretap channel
56 Comments
- Positive Aspects
  - First practical codes to achieve perfect secrecy; encoder and decoder are public
  - Connection between coding threshold and security
- Negative Aspects
  - Channels C1 and C2 must be known
  - Coding scheme above works if C1 is less noisy than C2
- Other cases
  - BEC-BEC wire tap channel, BSC-Noiseless
- See
  - Thangaraj, Dihidar, Calderbank, McLaughlin, and Merolla, "Applications of LDPC Codes to the Wiretap Channel", IEEE Trans IT, Aug 2007
57 BREAK
58 Practical Secret Key Agreement for Wireless Networks
59 How do we make this practical?
- To fully exploit the randomness of the channel for security purposes we need secrecy capacity-achieving channel codes.
- Unfortunately, it seems very difficult to design near-to-optimal codes for the Gaussian wiretap channel...
- BUT fortunately secret key agreement is a somewhat easier problem (learn from quantum key distribution)!
- Alice and Bob only have to agree on a key based on common randomness and not to transmit a particular message.
60 Secret Key Agreement
Assume Eve has worse channel
61 Secret Key Agreement
- Two steps
- Reconciliation
- Privacy amplification
67 We can learn from Quantum Key Distribution
[Figure: parties A, B and E.]
- Transmission
  - Alice codes n random symbols X with quantum states
  - Bob measures received states to obtain correlated symbols Y
- Analysis
  - Evaluation of information intercepted by Eve based on simple statistical measures (bit error rate, variance)
- Reconciliation
  - Correction of errors
  - Minimum number of bits to transmit
- Privacy Amplification
  - Choice of key size
  - Random choice of compression function
[Figure labels: security parameter; secret information after transmission; information exchanged during reconciliation.]
68 How about wireless security?
Barros, Rodrigues, ISIT06
With fading the instantaneous secrecy capacity can be strictly positive
- Goal: exploit channel variability to secure information
69 Opportunistic Secret Key Agreement
Bloch, Barros, Rodrigues, McLaughlin 06
- Cs > 0: share common randomness
- Cs = 0: communicate securely (e.g. one-time pad)
- Cs = 0: generate secret key
70 Opportunistic secret key agreement
71 Reconciliation
- Correct discrepancies between A and B using reconciliation information.
- In practice small overhead o (10%), thus you have to transmit
  - (1 + o) H(X|YM) bits per symbol.
- Assign binary labels to each of the transmitted symbols and use multilevel coding. The syndromes are used as reconciliation information.
- Very similar to source coding with side information.
72 Two Modes of Operation
- Perfect Information-theoretic Security: generate a secret key and use it as a one-time pad (perfect security at very low rates)
- Combined physical layer and cryptography: generate a secret key and use a symmetric cipher such as AES (very high rates are possible)
- Example: with fraction of time dedicated to secret key generation as small as 1%, we can renew a 256-bit encryption key every 25 kbits, i.e. with SNR(M) = 10 dB and SNR(W) = 20 dB, at an average rate of 2 Mbps, this would renew a key every 16 milliseconds.
73 Average secure communication rate
- Case of perfect CSI - communication with one-time
pad
Protocol optimal
74 Practical Considerations
- It is possible to exploit the noise of fading channels to generate secret keys, even with imperfect CSI
- Reconciliation efficiency 90% over wide range of SNRs
- Some latency and complexity (long block length of LDPC code)
- Combine physical layer and standard cryptography
  - Ex: AES with high key regeneration rate
- We require a small shared key for authentication.
M. Bloch, J. Barros, M. R. D. Rodrigues and S. W. McLaughlin, "Wireless Information-Theoretic Security", IEEE Transactions on Information Theory, June 2008.
75 Advanced Topics and Applications
76 Network Security
What happens when we have multiple parties communicating over unreliable noisy networks with multiple eavesdroppers and jammers?
- Interference
- Cooperation
- Feedback
77 Multi-user Secrecy Generation
M users communicate messages F and agree on
secret key K
- common secret key
- secrecy against eavesdropper
- uniformity
- secret key (SK) capacity is the largest entropy
rate of K
78 Example with three users and two-bit sequences
Csiszár and Narayan, 2006
- Bob and Charlie observe sequences of Bernoulli (1/2) symbols.
- Alice observes the symbolwise XOR of their sequences.
- Optimal Secret Key Agreement
- Alice sends
- Bob sends
- Charlie sends
- All are able to recover
- Eavesdropper is in the dark
- SK rate
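79 Encoding Correlated Sources
Slepian and Wolf, 1973
[Figure: Source 1 (U1) and Source 2 (U2), drawn from p(u1,u2), are encoded separately by Encoder 1 at rate R1 and Encoder 2 at rate R2; the decoder at the sink outputs Û1 and Û2.]
R1 > H(U1|U2)
R2 > H(U2|U1)
R1 + R2 > H(U1,U2)
[Figure: rate region in the (R1, R2) plane with marked values H(U1), H(U2), H(U1|U2), H(U2|U1) and H(U1,U2); one point is labelled Shannon 1948.]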
80 Many correlated sources
[Figure: nodes 1, 2, ..., M observe sources U1, U2, ..., UM and send at rates R10, R20, ..., RM0 to node 0.]
Perfect reconstruction is possible if and only if
for all sets
81 Secret Key Capacity for Two Terminals
Maurer 93, Ahlswede and Csiszár, 93
[Figure: Alice observes U1 and sends at rate R1 > H(U1|U2); Bob observes U2 and sends at rate R2 > H(U2|U1).]
non-interactive communication
82 Secret Key Capacity for Multiple Terminals
Csiszár and Narayan, 2006
is the minimum sum rate required for all
terminals to be able to reconstruct all sources
with arbitrarily small probability of error.
Notice that in this case the eavesdropper
observes only the communication between the nodes
and not one of the correlated sources.
83 Extensions and Variations
- Secret key agreement with helpers (Csiszár, Narayan, 2005)
- Multiple group keys with secrecy with respect to a prescribed subset of users (Ye, Narayan, 2005)
- Satellite Channel Model (Csiszár, Narayan, 2005)
- Secret key capacity when eavesdropper observes a correlated source of randomness remains unsolved.
84 Active Attacker
- Adversary has access to the communications channel used by the legitimate parties and can do the following:
  - Send / Receive
  - Read
  - Replay
  - Forge
  - Block
  - Modify
  - Insert
85 Secret Key Agreement with Public Discussion
Maurer, 93; Maurer, Wolf, 03
[Figure: Alice sends X^n over the channel p(y,z|x); Bob receives Y^n and Eve receives Z^n; a public unauthenticated channel is also available.]
- Alice and Bob want to increase their secrecy capacity by exchanging information over the feedback channel and generate a secret key.
- But what if Eve is allowed to read and write on the public channel?
  - Adversary with infinite computing power
  - Adversary with complete control over public channel.
86 Source Model
[Figure: Alice observes X^n and outputs SA; Bob observes Y^n and outputs SB; Eve observes Z^n; the observations are drawn from p(x,y,z); the figure labels the channel between Alice and Bob "public authenticated channel".]
- Alice and Bob see X^n and Y^n and exchange messages C = (C1, C2, C3, ..., Ct)
- Outcome of the key generation process: H(SA|C,X) = 0 or H(SB|C,Y) = 0
- Alice sends (C1, C3, ..., C2k-1, ...), Bob sends (C2, C4, ..., C2k, ...)
- Eve gets to see a correlated random variable Z^n and can read and write on the public channel.
87 Impossibility Results
- Simulatability Condition
  - To generate a key, Alice and Bob must have advantage over Eve in terms of the distribution PXYZ
  - Eve must not be able to generate from Z a random variable X̄ which Bob, knowing Y, is unable to distinguish from X (and vice versa).
- Secret Key Capacity with Active Adversary
  - Either a secret key can be generated at the same rate as in the (well-studied) passive-adversary case, or such secret key agreement is completely impossible
  - if Eve can use Z to simulate X or to simulate Y the secret key capacity is zero.
88 Information-theoretically Secure Message Authentication
Maurer, 2000
- We assume opponent has unlimited computing power and knows everything about the system except for a secret key.
- Can we provide bounds on an opponent's cheating probability for a given tolerable probability of rejecting a valid message?
- Hypothesis testing problem: decide whether a received message is authentic or not
  - Either the message was generated by the legitimate sender knowing the secret key
  - Or by an opponent without a priori knowledge of secret key.
89 Problem Setup
- Sender and receiver share a secret key K
- Sender: sequence of plaintext messages
  - Each is authenticated by sending an encoded message which depends on K, Xi and encoded possibly also using the previous plaintext messages and
- Receiver
  - based on , and possibly also on and , decides to either reject the message or accept it as authentic
  - in case of acceptance decodes to a message
90 Possible Attacks
- The opponent with read and write access to communication channel can use either of two different strategies for cheating
  - Impersonation attack at time the opponent waits until he has seen the encoded messages and then sends a fraudulent message which he hopes to be accepted by the receiver as the message
  - Substitution attack at time the opponent lets pass messages , intercepts , and replaces it by a different message which he hopes to be accepted by the receiver
91 Results
- When a sequence of messages is to be authenticated, an opponent can choose the type of attack with the highest success probability
- A secret key K is used optimally when the maximum of the success probability is minimal
- When it is required that a legitimate message is always accepted (α = 0) in all of these possible attacks,
92 PHY-Based Authentication
Trappe et al, 2007
- Spoofing detection
  - Verify if a transmission came from a particular transmitter
  - Location information can be extracted to authenticate a transmitter relative to its previous location.
[Figure: Alice transmits to Bob]
- Estimates channel
  - h hAB (t,t)
- Compares against
  - h hAB (t-1,t)
- Accepts transmission if h h
[Figure: Eve transmits to Bob]
- Estimates channel
  - hEB (t,t)
- Verification fails!!!
- Does not accept Eve as Alice!
93 Spread Spectrum Communications and Jamming
[Figure: data bits 0 and 1 spread by pseudo-random binary sequences.]
- Direct Sequence / Frequency Hopping: use pseudo-random sequences to spread the narrowband signal over a wide band of frequencies
- Effective against narrow-band jamming; lowers probability of intercept; can provide privacy if spreading sequence is kept secret
- Used in Code Division Multiple Access (CDMA) systems.
94 Capacity of Channels with Correlated Jamming
Médard, 1997
[Figure: Alice sends X; Bob receives Y with noise NM; Eve receives Z with noise NW.]
- Repeat-back jamming in wireless networks (e.g. amplification, modification and retransmission of intercepted signals, inducing errors in radars and receivers).
- Jammer can cause a lot of harm even with access to only a noisy version of the sent signal, with phase or timing jitter and with limited processing capabilities.
- Not detectable via the received power at Bob.
- Extended to Multiple Access Channels by Shafiee and Ulukus, 2005
95 Cooperative Jamming in the Gaussian Multiple Access Channel
Tekin and Yener, 2006
[Figure: Alice (Encoder 1) maps U1 to X1 and Charlie (Encoder 2) maps U2 to X2; the channel p(y,z|x1,x2) delivers Y to Bob's decoder and Z to Eve's decoder.]
- Secrecy conditions can be individual or collective, yielding different results for each case.
- Alice and Charlie can cooperate to increase Eve's uncertainty about the sent messages.
96 General Broadcast Channel with Multiple Secrecy Conditions
[Figure: Alice's encoder maps (U2, U1) to X; the channel p(y1,y2|x) delivers Y1 to Decoder 1 (Bob), which outputs Û1, and Y2 to Decoder 2 (Eve), which outputs Û2.]
- Csiszár and Koerner, 1978 considered one secrecy condition.
- Liu et al., 2006 provided inner bound for two secrecy conditions, and also for interference channels.
97 Multiple Access Channel with confidential messages
[Figure: Alice (Encoder 1, with U1, X1 and channel output Y1) and Charlie (Encoder 2, with U2, X2 and channel output Y2) transmit over the channel p(y1,y2,y,z|x1,x2); Bob's decoder receives Y and Eve's decoder receives Z; further labels: U0, p(u1) p(u2).]
- Cooperative jamming over the Gaussian MAC (Tekin and Yener, 2006)
- With channel outputs at the encoders, individual secrecy conditions (Liang and Poor, 2006)
98 Relay Channel with confidential messages
- Discrete Memoryless Case (Oohama, 2004)
- Randomization helps to increase the rate-equivocation region.
[Figure: the channel p(y,z|x,s) has inputs X^n (Alice) and S^n and outputs Y^n (Bob) and Z^n (Eve).]
99 Exploiting MIMO
Goel and Negi, 2005
[Figure: Alice, Bob and Eve.]
- Alice can leverage multiple antennas by transmitting artificial noise into the null space of Bob
- This approach can be used effectively, even when position of Eve is unknown.
100 Jamming to increase the secrecy capacity
[Figure: Alice sends X; Bob receives Y with noise NM; Eve receives Z with noise NW.]
- Can we increase the noise in Eve's channel without affecting Bob?
101 Increasing the Secrecy Capacity with Jammers
102 Jammer Impact on Outage Secrecy Capacity in Fading Environment
103 Multiple Jammers in Fading Environment
104 Store-and-Forward versus Network Coding
Ahlswede, Cai, Li and Yeung, 2000
- In today's networks, information is viewed as a commodity, which is transmitted in packets and forwarded from router to router pretty much as water in pipes or cars in highways.
- In contrast, network coding allows intermediate nodes to mix different information flows by combining different input packets into one or more output packets.
105 A simple three-node example
[Figure: nodes A, B and C exchanging packets a and b.]
In the current networking paradigm we require 4 transmissions.
106 Network Coding
[Figure: nodes A, B and C exchanging packets a, b and a⊕b.]
With network coding we require only 3 transmissions.
107 Algebraic Framework for Network Coding
Koetter and Médard, 2003
- Binary vector of length m element in
- Random processes at nodes
- Transfer matrix
- Generalized MIN-CUT MAX-FLOW Condition
108 Packetized Network Coding
- Assume each packet carries L bits
- s consecutive bits can be viewed as a symbol in
[Figure: packet of length L made of s-bit symbols, with the encoding vector in the header.]
- Perform network coding on a symbol by symbol basis.
- Output packet also has length L.
- Send the coefficients (the encoding vector) in the header.
- Information is spread over multiple packets.
109 Practical Considerations
- Encoding: Elementary linear operations which can be implemented in a straightforward manner (with shifts and additions).
- Decoding: Once a receiver has enough linearly independent packets, it can decode the data using Gaussian elimination, which requires operations.
- Generations: To manage the complexity and memory requirements, we mix only generations with fixed number of packets and limit the field size. Each node keeps a buffer sorted by generation number. Non-innovative packets are discarded.
- Delay: Since we must wait until we have enough packets to decode, there is some delay (not very significant, since we require fewer transmissions in many relevant scenarios)
110 Benefits beyond throughput
- Reliability: Network Coding can achieve optimal delay and rate in the presence of erasures and errors.
- Simpler Optimization: The multicast routing problem is NP-hard (packing Steiner trees), however with network coding there exist polynomial time algorithms.
- Robustness: Random network coding is completely decentralized and preserves the information in the network, even in highly volatile networking scenarios.
111 Applications of Network Coding
First real-life application in July 2007: Microsoft Secure Content Downloader (a.k.a. Avalanche)
- Distributed Storage and Peer-to-Peer: robustness against failures in highly volatile networks
- Wireless Networks: Information dissemination using opportunistic transmission
- Sensor Networks: Data gathering with extremely unreliable sensing devices
- Network Management: Assessing critical network parameters (e.g. topology changes and link quality)
112 Classes of Network Coding Protocols
- We distinguish between two types of protocols
  - stateless network coding protocols, which do not rely on network state information (e.g. topology or link costs) to decide when to mix different packets (e.g. Random Linear Network Coding)
  - state-aware network coding protocols, which rely on partial or full network state information to compute a network code or determine opportunities to perform network coding in a dynamic fashion (e.g. COPE).
113 Network Coding Security Taxonomy
[Figure: taxonomy diagram with the following labels]
Network Coding Protocols
State information
Security Infrastructure
Cooperative
Key Management
Cooperative Security (Gkantsidis, Rodriguez, 06)
Signatures, Content Dist. (Zhao et al, 07)
Secret Key Dist. (Oliveira, Barros, 07)
SPOC (Vilela, Lima, Barros, 08)
some intrinsic security (no state information); Prone to Byzantine attacks; Prone to Byzantine attacks; Network state information
- Extra redundancy
- Hash symbols included in packets
- Cooperative security schemes
- Homomorphic hash functions
Signatures; Key distribution; Confidentiality
114 Network Coding: A Free Cipher?
Lima, Médard and Barros, ISIT07
- Nodes are assumed to be nice but curious (comply with protocol but could be malicious eavesdroppers)
- Intermediate nodes have different levels of confidentiality
  - Nodes T and U have partial information about the data
  - Node W has full access to the data
  - Node X cannot decode any useful data: a free cipher!
[Figure: network with nodes S, T, U, W, X, Y and Z; links carry a, b and a⊕b.]
Previous work considered wiretapping attacks on multiple links, e.g. Cai and Yeung, 02; Feldman et al, 04; Bhattad et al, 05
115 Secure Network Coding
[Figure: two copies of a network with nodes S, T, U and R; in one, the symbols a b c d and e f g h are sent uncoded; in the other, linear combinations of the symbols a to h are sent.]
- Nodes T and U have access to half of the sent data.
- Nodes T and U need to decode to obtain partial data.
116 Algebraic Security Criterion
- Definition (Algebraic Security Criterion): The level of security provided by random linear network coding is measured by the number of symbols that an intermediate node v has to guess in order to decode one of the transmitted symbols.
- In other words, we compute the difference between the global rank of the code and the local rank in each intermediate node.
117Results
- Theorem 1: The probability P(l_d > 0) of recovering a strictly positive number of symbols l_d at the intermediate nodes (by Gaussian elimination) goes to zero for sufficiently large number of nodes and alphabet size.
- Proof Idea
- An intermediate node can gain access to relevant information:
- when the partial transfer matrix has full rank
- when the partial transfer matrix has diagonalizable parts.
- Carry out independent analyses in terms of rank and in terms of partially diagonalizable matrices.
- Show that the probability of having partially diagonalizable matrices goes to zero for sufficiently large number of nodes and alphabet size.
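An added example, not taken from the tutorial or the cited papers: the criterion and Theorem 1 above can be checked numerically by running Gaussian elimination over GF(p) on the coefficient rows an intermediate node observes. The function names, the reading of the two-symbol network (T sees a, X sees a+b, W sees both) and the field sizes are assumptions made for illustration.

```python
import random

def rref(rows, p):
    """Reduced row echelon form over GF(p), p prime. Returns (rows, pivot columns)."""
    m = [[x % p for x in r] for r in rows]
    pivots, r = [], 0
    for c in range(len(m[0])):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [x * inv % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
        if r == len(m):
            break
    return m[:r], pivots

def node_view(coeff_rows, global_rank, p):
    """(local rank, symbols the node must guess, indices decodable by elimination)."""
    reduced, pivots = rref(coeff_rows, p)
    # A source symbol is exposed exactly when a reduced row is a unit vector.
    decoded = [c for row, c in zip(reduced, pivots) if sum(1 for x in row if x) == 1]
    return len(pivots), global_rank - len(pivots), decoded

def exposure_rate(n_symbols, n_seen, p, trials=500, seed=1):
    """Fraction of random coefficient matrices that expose at least one symbol."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        rows = [[rng.randrange(p) for _ in range(n_symbols)] for _ in range(n_seen)]
        hits += bool(node_view(rows, n_symbols, p)[2])
    return hits / trials

if __name__ == "__main__":
    # Constructed inputs: an assumed reading of the two-symbol network, over GF(2).
    print("T:", node_view([[1, 0]], 2, 2))          # sees a only
    print("X:", node_view([[1, 1]], 2, 2))          # sees a+b only
    print("W:", node_view([[1, 0], [0, 1]], 2, 2))  # sees a and b
    for q in (2, 17, 257):                          # larger alphabet, rarer exposure
        print("GF(%d) exposure rate:" % q, exposure_rate(4, 2, q))
```

A node holding a+b has the same local rank as a node holding a, yet decodes nothing, which is why the proof idea treats rank and unit-vector (diagonalizable) parts separately.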
118SPOC - Secure Practical netwOrk Coding
- Assured confidentiality against attacker with access to all the links.
- Two types of coefficients
- Locked
- Unlocked
- Same operations
- Requirements
- Key management mechanism
119SPOC - Secure Practical netwOrk Coding - Results
Number of AES encryption operations according to
the payload size, for SPOC (encryption of locked
coefficients) versus traditional encryption
mechanism (encryption of the whole payload).
120SPOC - Secure Practical netwOrk Coding - Results
Packet size overhead of including the locked
coefficients, per packet.
121Mutual Information between Payload and Coding
Coefficients
Lima, Vilela, Barros, Médard, 2008
122Detection of Byzantine Modification
Ho et al, ISIT 2004
- Hash symbols, calculated as simple polynomial functions of the source data, are included in each source packet.
- Receiver nodes check if decoded packets are consistent, i.e. have matching data and hash values.
- Additional computation is minimal as no other cryptographic functions are involved.
- Detection probability can be traded off against communication overhead, field size (complexity) of the network code and the time taken to detect an attack.
[Figure: packet layout with encoding vector and hash fields; labels L and s]
123Gkantsidis, Rodriguez, Infocom 2006
Cooperative security for network coding
- Cooperation to achieve on-the-fly detection of malicious packets.
- Homomorphic hash functions: a hash of an encoded packet is easily derived from the hashes of the previously encoded packets.
- However, these hash functions are computationally expensive.
- To increase efficiency every node performs block checks with a certain probability and alerts its neighbors upon detection.
- In addition, there exist techniques to prevent Denial of Service (DoS) attacks aimed at the dissemination of alarms.
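An added example, not code from the cited work: the homomorphic property described above, shown with one standard construction (a product of exponentiations in a prime-order subgroup). The slide does not say which hash function is used; the toy parameters, sample data and function names are assumptions.

```python
# Constructed toy parameters: P = 2*Q + 1 with P, Q prime. Real use needs large primes.
P, Q = 2039, 1019
# One generator of the order-Q subgroup per packet symbol (squares mod P).
G = [pow(g, 2, P) for g in (3, 5, 7, 11)]

def hhash(block):
    """H(b) = prod_i G[i]^b[i] mod P for a block of symbols in Z_Q."""
    h = 1
    for g, b in zip(G, block):
        h = h * pow(g, b % Q, P) % P
    return h

def encode(blocks, coeffs):
    """Network-coding step: coefficient-weighted sum of blocks over Z_Q."""
    width = len(blocks[0])
    return [sum(c * b[i] for c, b in zip(coeffs, blocks)) % Q for i in range(width)]

def expected_hash(hashes, coeffs):
    """Hash an honest combination must have, computed from hashes alone."""
    h = 1
    for hv, c in zip(hashes, coeffs):
        h = h * pow(hv, c % Q, P) % P
    return h

def verify(packet, coeffs, source_hashes):
    """Check an encoded packet against the source hashes without decoding it."""
    return hhash(packet) == expected_hash(source_hashes, coeffs)

if __name__ == "__main__":
    blocks = [[1, 2, 3, 4], [5, 6, 7, 8], [9, 10, 11, 12]]  # constructed data
    hashes = [hhash(b) for b in blocks]    # published by the source
    coeffs = [17, 400, 1000]
    packet = encode(blocks, coeffs)
    print("honest packet accepted:", verify(packet, coeffs, hashes))
    polluted = packet[:]
    polluted[2] = (polluted[2] + 1) % Q    # a single modified symbol
    print("polluted packet accepted:", verify(polluted, coeffs, hashes))
```

Each check costs one modular exponentiation per symbol, which is the expense that motivates the probabilistic block checks in the list above.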
124Resilient Network Codes
Jaggi et al. , Infocom 2006
Koetter and Kschischang, 2007
- Use the error correction capabilities of linear network coding.
- An active attacker can be viewed as a second source of data.
- Add enough redundancy to allow the destination to distinguish between valid and erroneous packets.
- Some information may have to be protected by a shared secret key.
125Sensor Networks
Task: Collect and transmit data through secure links
Data confidentiality
Constraints
- Energy
- Limited Data Rate
- Processing Power
- Memory
Secret Key Distribution
How can each pair of neighboring nodes share a secret key?
126Key Pre-distribution
- Goal: Store keys into the memory of the sensor nodes for them to share a secret with their neighbors after the deployment.
- Challenges
- Minimize the impact of compromised nodes
- Efficient use of the resources
- Scalability in dynamic environments
- Avoid single points of attack.
127Secret Key Distribution using Network Coding
Oliveira and Barros, 2007
- Our approach
- Key pre-distribution scheme
- Efficient use of resources
- Uses a mobile node to blindly complete the key distribution process
- Designed for dynamic scenarios.
- Prior to sensor node deployment
- Generate a large pool of keys and their identifiers
- Load different keys and the corresponding identifiers into the memory of each sensor node
- Store in the memory of the mobile node all the keys encrypted with the same one-time pad and their corresponding identifiers.
128Secret Key Distribution in WSNs
Oliveira and Barros, 2007
- After sensor node deployment
[Figure: nodes A, B and S exchanging Hello messages]
129One-Time Pad Security
Oliveira, Costa and Barros, 2007
- One-time pad is secure if the key is
- Truly random
- Never reused
- Kept secret.
- The knowledge of
does not increase the information that
the attacker has about any one key
130Extensions and Variations
- Mobile key distribution for many nodes
- Group and cluster keys
- Key revocation
- Key renewal
- Authentication
131Millionaires' problem
- Suppose 2 millionaires want to determine which
one is richer, without revealing the precise
amount of their wealth.
In the general secure multi-party computation
problem, users u1, u2, ..., un possess data d1,
d2, ..., dn and want to compute the outcome of a
public function F(d1, d2, ..., dn ) without
revealing d1, d2, ..., dn .
132Other Problems beyond Secure Communication
- Communicating securely is not the only problem in cryptography.
- Problem: Suppose Alice and Bob are linked through a network and want to flip a coin. How can they ensure that the coin flip is fair?
- Solution: Alice and Bob send one bit each in separate envelopes. They open the envelopes simultaneously and take the XOR of the two bits.
- The protocol works if and only if
- Bob knows nothing about Alice's bit before he sends his envelope
- Alice cannot change her bit once the envelope is sealed.
- ...and vice versa (for Bob's bit).
133Bit Commitment
[Figure: Commit and Open phases for a bit b]
Alice puts a bit b in a strong box.
Alice gives this box to Bob. She cannot change b.
Later Alice can unveil b to Bob.
- A commitment scheme is said to be secure if it is
- Binding: the probability that Alice can successfully open two different commitments is negligible.
- Concealing: Bob gets at most negligible information on b before the opening phase.
- Correct: the probability that honest Alice fails to open a commitment is negligible.
134Bit Commitment over the erasure channel
b = parity(X)
- Commit Phase
- Alice selects a random codeword with parity equal to the value she wants to commit to and sends it to Bob through the erasure channel.
- Open Phase
- Alice sends the codeword she has sent in the commit phase over a noiseless channel. Bob rejects if the codeword he receives differs in at least one position from the codeword he received through the noisy channel.
135Bit Commitment over the erasure channel
b = parity(X)
- Protocol Analysis
- Bob learns the commitment with probability
- Alice unveils a bit different than the one she
committed to and is not detected with probability
- Problems
- Non-negligible error probability (binding condition)
- The channel is used n times to commit to a single bit.
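An added example, not part of the original slides: a simulation of the commit and open phases over a binary erasure channel with erasure probability e, measuring how often Bob learns b early and how often a one-position cheat by Alice passes. The function names and parameters are assumptions; the reference values (1-e)^n and e in the comments are derived here from the protocol steps, not quoted from the slide.

```python
import random

ERASED = None  # marker for a position Bob did not receive

def commit(bit, n, rng):
    """Alice: random n-bit word whose parity equals the committed bit."""
    word = [rng.randrange(2) for _ in range(n - 1)]
    word.append((bit - sum(word)) % 2)
    return word

def erasure_channel(word, e, rng):
    """Each position is erased independently with probability e."""
    return [ERASED if rng.random() < e else x for x in word]

def bob_accepts(received, opened):
    """Open phase: reject if any non-erased position disagrees."""
    return all(r is ERASED or r == o for r, o in zip(received, opened))

def bob_learns_early(received):
    """With no erasure Bob knows the parity; one erasure leaves it uniform."""
    return ERASED not in received

def simulate(n, e, trials=20000, seed=7):
    """Empirical (P[Bob learns b before opening], P[cheat goes undetected])."""
    rng = random.Random(seed)
    learned = cheated = 0
    for _ in range(trials):
        word = commit(rng.randrange(2), n, rng)
        received = erasure_channel(word, e, rng)
        learned += bob_learns_early(received)
        # Cheapest cheat: flip one position so the opened parity is 1 - b.
        forged = word[:]
        forged[rng.randrange(n)] ^= 1
        cheated += bob_accepts(received, forged)
    return learned / trials, cheated / trials

if __name__ == "__main__":
    e = 0.5  # constructed channel parameter
    for n in (4, 8, 16):
        learned, cheated = simulate(n, e)
        # Derived reference values: concealing fails w.p. (1-e)^n, binding w.p. e.
        print(n, round(learned, 4), round((1 - e) ** n, 4), round(cheated, 4), e)
```

Increasing n drives the concealing failure toward zero while the binding failure stays near e, which is the non-negligible error listed under Problems.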
136Commitment Rate and Capacity
If we commit to a string of length k, what is the
maximum commitment rate k/n of a secure protocol
we can achieve (i.e., capacity)?
Binary string Bob learns b with probability Alice
cheats successfully with probability Commitment
rate Commitment capacity
137The Commitment Capacity of DMCs
- Define a redundant channel (a channel is called non-redundant if none of its output distributions is a convex combination of its other output distributions).
- Redundancy can be cut from a channel by removing all input symbols which are convex combinations of others.
- If, after removing the redundancy of a channel, its equivocation becomes zero, the channel is called trivial.
The commitment capacity of a DMC equals its equivocation H(X|Y) after its redundancy is removed.
Winter, Nascimento, Imai 03
138How about the Gaussian Channel?
Motivation
- more realistic channel model (e.g. wireless medium)
- commitment capacity for continuous channels unknown
- techniques differ from the discrete case
Average Power Constraint
Channel Capacity
139How about the Gaussian Channel?
Caveat: practical wiretap codes are hard to design!
140Commitment rate
- Using a wiretap interpretation of commitment, we
can prove that
- Any positive will give us a binding
protocol, by making it arbitrarily small, we get
that the maximum achievable rate can be made
arbitrarily large
The commitment capacity of the Gaussian channel
is infinite.
141Commitment from Secret Key Agreement
Bloch, Barros and McLaughlin, 2007
142Beyond secure communication
- Cryptographic protocols based on noisy channels, Crépeau, 1997
- Commitment Capacity of Discrete Memoryless Channels, Winter, Nascimento, Imai, 2003
- Oblivious Transfer using noisy channels, Crépeau, Morozov, Wolf, 2004
- Pseudo-signatures, Broadcast, and Multi-party Computation, M. Fitzi, S. Wolf, and J. Wullschleger, 2004
- Commitment Capacity of Gaussian Channels, Barros, Imai, Nascimento and Skudlarek, 2006
- Practical Information-Theoretic Commitment, Bloch, Barros and McLaughlin, 2007
143Physical-Layer Security: 10 Open Issues
144 1 How can we provide rigorous descriptions of security primitives?
- Information-Theoretic (Perfect or unconditional) Security
- strictest notion of security, no computability assumption
- H(M|X) = H(M) or I(X;M) = 0
- Implementable at the physical layer
- Computational Security
- Security schemes are based on (unproven) assumptions of intractability of certain functions
- Typically done at upper layers of the protocol stack
145 2 What are the fundamental limits of security for strong secrecy?
- Theoretical results from the seventies (Wyner, Csiszár and Koerner)
- Caveat: eavesdropper must have a worse channel.
- Renaissance of information-theoretic security in the last 2 years.
- Most results are based on weak secrecy conditions (equivocation rate)
- Strong secrecy is possible (requires CS techniques)
146 3 How can we leverage state-of-the-art channel coding to enhance security at the physical layer?
147 4 How do we construct secrecy achieving codes for wireless channels?
[Figure: wiretap channel. Alice encodes a k-bit message w as X and sends it to Bob; Eve observes Z through a binary erasure channel with erasure probability e]
- Main channel is noiseless; wire-tapper's channel is a BEC with erasure probability e
- Eve receives a subset of the transmitted bits (or packets)
- For this instance (only), we have secrecy capacity achieving codes.
148 5 How can we borrow from quantum cryptography?
- Common Randomness: Alice and Bob share correlated random sequences.
- Reconciliation: Alice sends Bob enough side information for Bob to reconstruct Alice's sequence.
- Privacy Amplification: Alice and Bob use hash functions to maximize Eve's equivocation.
149 6 How can we leverage fading?
Wireless Network with Potential Eavesdropping
- Goal: Exploit channel variability to secure information at the physical layer.
150 7 How can we provide security for network coding?
- Intermediate nodes have different levels of confidentiality
- Nodes T and U have partial information about the data
- Node W has full access to the data
- Node X cannot decode any useful data: a free cypher?
- Active attacks can compromise the information flow.
[Figure: network with nodes S, T, U, W, X, Y and Z; links labelled a, b and ab]
151 8 How can we use coding ideas to distribute secret keys?
- Problem
- How can each pair of sensor nodes agree on a secret key?
- Our approach
- Key pre-distribution scheme
- Uses a mobile node to complete the key distribution process blindly using network coding
- Reduced memory requirements
152 9 How can we use physical-layer techniques to go beyond secure communication?
- Cryptography is not only concerned with communicating securely.
- Based on noisy channels and state-of-the-art error correction codes we can implement bit commitment and oblivious transfer, which are the building stones of secure multi-party computation.
- Authentication is a vital issue and could potentially be carried out over noisy channels, possibly without initial shared secret.
- Wolf and Maurer, 98; Trappe et al, 07
- How about anonymity?
- How about non-repudiation?
153Classical Cryptography under the Computational
Model
- Advantages
- no publicly-known, efficient attacks on public-key systems
- security is provided on a block-to-block basis
- if cryptographic primitive is secure then every encoded block is secure
- systems are widely deployed, technology is readily available, inexpensive
- Disadvantages
- Security is based on unproven assumptions
- No precise metrics
- trade-off between reliability and security as a function of the block length is unknown
- security of the cryptographic protocol is measured by whether it survives a set of attacks or not.
- Conventional model (error-free channel): secrecy capacity of these systems is zero
- can't guarantee reliable and perfectly secure system
154Physical layer security under the
information-theoretic (perfect) security model
- Disadvantages
- Information-theoretic security is an average-information measure.
- Requires assumptions about the communication channels that may not be accurate in practice.
- Limits its application
- A few systems (e.g. QKD) are deployed but the technology is not as widely available and is expensive.
- Advantages
- No computational restrictions placed on eavesdropper
- Very precise statements can be made about the information that is leaked
- Quantum key distribution implemented
- Wireless solutions appear
- Suitably long codes get exponentially close to perfect secrecy
155 10 It may well be worth rethinking our security architecture.
Bottom-up Security?
- How can we combine physical-layer security and
cryptographic protocols?
156Acknowledgements and credits
- Matthieu Bloch, Georgia Tech
- Miguel Rodrigues, University of Porto
- Andrew Thangaraj, IIT Madras
- Rob Calderbank, Princeton
- Anderson Nascimento, University of Brasilia
- Muriel Medard, MIT
- Luísa Lima, University of Porto
- João Paulo Vilela, University of Porto
- Paulo Oliveira, University of Porto
- Rui Costa, University of Porto
- Demijan Klinc, Georgia Tech