Information-Theoretic Security

About This Presentation

Title:

Information-Theoretic Security

Description:

k-bit decoded message Wb. Alice. Bob. If Eve does not know the key and P(Key=k-tuple)=1/2k ... k-bit decoded message Wb. key K. key K. X. X. X. Shannon's Model ... – PowerPoint PPT presentation

Number of Views:194

Avg rating:3.0/5.0

Slides: 157

Provided by: institutod54

Category:

more less

Transcript and Presenter's Notes

Title: Information-Theoretic Security

1
Information-Theoretic Security

IEEE International Symposium on Information
Theory
Toronto, Canada, July 2008

Theory and Practice
João Barros Instituto de Telecomunicações Univers
idade do Porto and EECS/MIT
Steven W. McLaughlin School of Electrical and
Computer Engineering Georgia Institute of
Technology
2
Todays Layered Architecture

Standard Protocol Stack

Programs and applications
End-to-end reliability, cong. control
Routing and forwarding
Medium access control
Channel coding and modulation
Where is security ?
3
Security a patchwork of add-ons
End-to-end cryptography
Secure Sockets Layer (SSL)
Virtual private networks (IPSec)
Admission control (e.g.WPA)
Physical-layer security ?
4
Information-Theoretic-Security are we biased?

A typical graduate course in cryptography and
security always starts by discussing Shannon's
notion of perfect secrecy (widely accepted as the
strictest notion of security)
Then, it emphasizes its conceptual beauty.
Then, it states that it is basically useless
for any practical application.

p(wx)p(x)
Computational Security
5
Main Questions in this Tutorial

What are the fundamental security limits at the
physical layer?
Which notions of security are we talking about?
Is information-theoretic security practical?
What kind of code constructions can we use?
How do we build protocols based on
information-theoretic security?
Can we combine physical-layer security with
classical cryptography?
How can we secure novel networking paradigms?
How can we go beyond confidentiality at the
physical layer?
How can we increase our credibility in the
security business?

6
Our program for today

Theoretical Foundations
Fundamentals of Information-Theoretic Security
Strong Secrecy versus Weak Secrecy
Secrecy Capacity of Noisy Channels
Practical Techniques
Combining Cryptography and Coding
Secrecy Capacity Achieving Codes
Secret Key Agreement at the Physical Layer
Advanced Topics and Applications
Multi-user Secrecy and Network Coding Security
Active Attacks on Coded Systems
Beyond Secure Communications

10 Open Issues

7
What we will not do

Provide an exhaustive review of related work
Elaborate on the details of the proofs
Cover all the topics in depth
Adress quantum information theory
Say bad things about modern cryptography

8
Theoretical Foundations
9
Notions of Security

Information-Theoretic (Perfect or unconditional)
Security
strictest notion of security, no computability
assumption
ProbW Eves knowledgeProbW
H(WX)H(W) or I(XW)0
e.g. One-time pad
Shannon, 1949 H(K) H(M)

Computational Security
Alice sends a k-bit message W to Bob using an
encryption scheme
Security schemes are based on (unproven)
assumptions of intractability of certain
functions
Typically done at upper layers of the protocol
stack

10
One-time Pad
Alice
Bob
k bits
k bits
Key
Key
k-bit message W
k-bit decoded message Wb
Xk
Xk
Xk
Eve

If Eve does not know the key and
P(Keyk-tuple)1/2k
then we have p(wxk) p(w).

11
Shannons Model
This model is somewhat pessimistic, because most
communications channels are actually noisy.
12
Wyners Wiretap Channel (I)
Wyner, 1975

Reliability Security
For Bob and Alice,
ProbW?Wb Y n ? 0
With respect to Eve,
(1/n) I(W Zn) ? 0
as n ? 8
Secrecy Capacity
Largest transmission rate at which both
conditions can be satisfied.
Positive secrecy capacity only in the degraded
case.

13
Wyners Wiretap Channel (II)
Wyner, 1975
equivocation rate
H(W)
D
Transmission rate
CS
CM

Proof Idea
Alice assigns multiple codewords to each message,
picks one at random and thus exhausts Eves
capacity.
Converse uses Fanos inequality and classical
arguments.
Rate-equivocation region
Two critical corner points (CM , D) and (CS ,
H(W))
Unusual shape (not convex)

14
Because the transmission range is so short,
NFC-enabled transactions are inherently secure.
Also, physical proximity of the device to the
reader gives users the reassurance of being in
control of the process.
15
Broadcast Channel with Confidential Messages
Y n
Bob
X n
Alice
p(yzx)
Zn
Eve
Csiszár Koerner, 1978

Secrecy capacity is strictly positive if Bobs
channel
is less noisy than Eves, i.e. I(XY)gtI(XZ)

16
Feedback (Public Discussion)
Maurer, 93
Y n
Bob
X n
Alice
p(yzx)
public authenticated feedback channel
Zn
Eve

Secret Key agreement scheme
Clever protocol allows Alice and Bob to increase
their secrecy capacity by exchanging information
over the feedback channel
This requires a public authenticated feedback
channel!

17
Increasing the Secrecy Capacity via Feedback

Suppose Alice, Bob and Eve are connected via
binary symmetric channels and a public
authenticated feedback channel is available.

Noisy Channel Error-free public communication Computation Computation
Alice X VXE VXEX VE
Bob XE VXE V V
Eve XD VXE VXEXD VED

Bob and Eve observe different noises (D, E).
Bob feeds back random value V plus what he
observed (XE)
Eve ends up with more noise than Bob (as in the
wiretap channel)

18
Source Model
Ahlswede and Csiszar, 93
X n
Alice
public authenticated feedback channel
Y n
Bob
p(x,y,z)
Zn
Eve

Alice and Bob share common randomness.
Eve gets to see a correlated random variable.
Alice and Eve generate a secret key using the
public authenticated channel.

19
Notions of Security
Maurer Wolf, 2000

Weak secrecy
Strong secrecy

The secrecy capacity of the discrete memoryless
wiretap channel does not change with strong
secrecy.
Proof requires fundamental tools of theoretical
computer science (extractors)

20
Example of Weak Secrecy
Un
Kn
Xn
Binary data (n bits)
One-time-pad (n-k bits)
Unprotected data (k bits)
Protected data (n-k bits)

This trivial scheme satisfies the weak secrecy
condition while disclosing an unbounded number
of bits
Clearly, it does not satisfy the strong secrecy
condition

21
The Wireless Scenario
Barros, Rodrigues, ISIT06
Wireless Network with Potential Eavesdropping
Can we exploit channel variability to help secure
the communication?
22
System Model

hM(i)hM, ?i, and hW(i)hW, ?i (quasi-static
fading model)
hM and hW independent and complex Gaussian
distributed
SNRs ?M ??hM?2 and ?W ??hM?2 exponentially
distributed

23
Security Characterization

General goal is maximization of transmission rate
from Alice to Bob
R(1/n) H(Wk)
and minimization of Eves information rate
about the message,
?(1/n) I(WkYWn)
Secrecy capacity is maximum transmission rate R
with ? lt e.
Cautionary Note Maurer Wolf, 2000
Stronger secrecy condition for Discrete
Memoryless Channels
Not only the rate but the total amount of
information leaked to the eavesdropper decays
exponentially fast with n.
It is possible to prove strong secrecy results
for wireless channels
Barros Bloch, 2008

24
Instantaneous Secrecy Capacity
Instantaneous signal-to-noise ratios

The instantaneous secrecy capacity for
quasi-static fading channels follows directly
from the Gaussian case.

25
Secrecy Outage

The outage probability

- Alice chooses a target secrecy rate Rs. - if
RsltCs then she can communicate securely. -
otherwise, information-theoretic security is
compromised.
26
Outage Probability
Barros, Rodrigues, ISIT06
After some maths
Impact of Distance
Outage probability for normalized
target secrecy rate Rs0.1.
Outage probability for normalized
target secrecy rate Rs0.1.
27
Outage Secrecy Capacity
Barros, Rodrigues, ISIT06
?-outage secrecy capacity
Normalized outage secrecy capacity for an outage
probability Pout0.10.
Normalized outage secrecy capacity for an outage
probability Pout0.75.
Thicker lines AWGN case Thinner lines Fading
case.
Thicker lines AWGN case Thinner lines Fading
case.
28
Average Secrecy Capacity
When it comes to information-theoretic
security, fading is really a friend and not a foe.
Normalized average outage secrecy capacity.
Thicker lines AWGN case Thinner lines Fading
case.
29
Imperfect CSI
Bloch,Barros, Rodrigues, McLaughlin, ITW06

Assumptions
Perfect CSI for the main channel
Imperfect CSI for the wiretap channel
Proceed as if CSI was correct
Outage probability
In general, Alice underestimates the secrecy
capacity

30
Some recent work on (weak) secrecy capacity

Secure space-time communications (Hero, 2003)
Secrecy rates for the relay channel (Oohama,
2004)
Secrecy capacity of SIMO channels (Parada and
Blahut, 2005)
Secure MlMO with artificial noise (Negi and Goel,
2005)
Gaussian MAC and cooperative jamming (Tekin and
Yener, 2005)
Secrecy capacity of slow fading channels (Barros
and Rodrigues, 2006)
Multiple access channel with confidential
messages (Liang and Poor, Liu et al., 2006)
Secure broadcasting with multiuser diversity
(Khisti, Tchamkerten, and Wornell, 2006)
Ergodic secrecy capacity (Gopala, Lai and El
Gamal, Liang, Poor and Shamai 2007)
Strong secrecy for wireless channels (Barros and
Bloch, 2008)
and many more.

31
Strong secrecy for Gaussian and Wireless Channels
Nitinawarat, Allerton 2007

Strong secret key agreement from Gaussian random
variables
Lattice codes
Quantization with side information
Strong secrecy capacity for wireless channels
Uses tools of Maurer and Wolf, 2000
Maps messages to secret keys
Multiple copies of weakly secure wiretap codes
Quantization and Slepian Wolf codes
Extractor functions for privacy amplification

Barros and Bloch, ICITS 2008
32
Comments

Information Theory provides you with tools to
determine fundamental security limits in
particular at the physical layer
There exist codes which can guarantee both
reliability and information-theoretic security
Secure communication over wireless channels is
possible even when the eavesdropper has a better
channel (on average)
When it comes to security, fading is a friend and
not a foe.

33
Practical Techniques
34
Is physical-layer security practical?

Motivating examples
secure error correcting codes and the channel
coding converse
tandem error correction and cryptography
coset codes for an erasure wiretapper
Secret key agreement protocol for wireless
channels

35
Secure Communication on two Gaussian channels
Assume that the attacker has worse SNR
Practical scenarios RFID Zoned security
Wiretap error control code Specific error
control code needed at Tag side Low complexity
encoder - possibly complex decoder
36
Secure Communication on two Gaussian channels
Transmit at CwiretapperltRltCmain
Assume that the attacker has worse SNR
37
Some common sense use an error control code
Assume that the attacker has worse SNR
Very good error correcting code with
simple encoder
Reader recovers bits With good BER
38
Coding
Assume that the attacker has worse SNR
Very good error correcting code with
simple encoder
Eve recovers bits with worse BER
39
Coding with an advanced code
40
Some secrecy rate tradeoffs
41
System view
How would we combine this with encryption?
42
After FEC decoding
At the encryption level
Assume Attacker SNR is 1.5 - 2.0 dB worse than
Bobs
(e.g. near field communications)
43
At the encryption level
N/2 bits in error Attacker does not know which
ones She needs to do 2 search
N

Assume all parties have a key
Attacker has somehow figured out the key
e.g. from a weak RFID security protocol

44
At the encryption level
N/2 bits in error Attacker needs to - guess
the N coded bits correctly - guess the M key
bits correctly She needs to do 2 search
NM
This time Assume Attacker does not have a key
45
Achieving the Secrecy Capacity withError Control
Coding
46
Achieving secrecy capacity for any DMCs using
capacity achieving codes
X
Y
k-bit decoded message wb
k-bit message w
Alice
Bob
C1
C2
C1 Main channel PrYX C2 Wire tappers
channel PrZX
Z
Eve

Special case - C2 is worse than C1, (both DMCs)
Use 2k capacity-approaching codes C1 , C2 , C3 ,
...
To send a message w, set Xrandom codeword of Cw
If Cw achieves capacity on C2 for each w gt
Security condition is satisfied!
If union of C1 , C2 , C3 , ... is reliable
across C1, wbw is possible gt Reliability
condition is satisfied!
Thangaraj et al, 2004 have shown that such a
selection of C1 , C2 , C3 , ... is possible.

47
Motivating example BEC wiretapper channel
X
X
k-bit message w
Alice
Bob
wb
o
1
e
e
1-e
1-e
1
o
?
Z
Eve

Main channel is noiseless wire-tappers channel
is a BEC with erasure probability e
Eve receives a subset of the transmitted bits (or
packets)
Secrecy capacity is e

Wyner and Ozarov, Wiretap Channel Type II
48
Conventional Encoding Decoding
X
X
k-bit message w
Alice
Bob
wbHXT

Conventional encoding Select the codeword in C
with message w

Binary codewords of length n
49
Security Encoding Decoding
X
X
k-bit message w
Alice
Bob
wbHXT

Now for security - encode information in coset

Binary codewords 1 translate (cosets)
50
Security Encoding Decoding
X
X
k-bit message w
Alice
Bob
wbHXT

(n,n-k) code C with parity-check matrix H
Make C and H public
C has 2k cosets
Encoding Select the coset of C with message w,
select codeword in coset at random

Binary codewords 3 translates (cosets) Secrecy
rate k/n
51
Security
X x1 x2... xn
k-bit message w
Alice
Bob
wbHXT
BEC(e)
Z x1xs e e e...e (e erasure)
Eve

If each coset of C has a vector of the form
x1...xs??...?,
PrmZPrm

52
Security Property of Codes
Z x1 ... xs
? ? ... ?
If the submatrix of G corresponding to revealed
positions has full column rank, all cosets of C
have a vector of the form x1...xs??...?
53
LDPC Codes over a BEC

Urbanke and Richardson
Consider a (3,6)-regular LDPC matrix H BEC
threshold 0.42
Threshold Interpretation columns of H
corresponding to the erased positions have full
column rank if the erasure probability is less
than 0.42

Urbanke and Richardson, 2001

h
h
h
h
h

h
h
h
h
h

H

h
h
h
h
h

54
LDPC Matrix Connection

LDPC Codes over a Wire Tap Channel
Let G (3,6)-regular LDPC matrix
The columns of G corresponding to the revealed
positions have full column rank if 1-e lt 0.42 or
the erasure probability is greater than 0.58

Z x1 ... xs ?
? ... ?
55
LDPC codes over a BEC-noiseless wire tap channel
X x1 x2... xn
k-bit message w
Alice
Bob
wbHXT
BEC(e)
X randomly chosen from coset of C with syndrome
m
Z
Eve

C dual of an LDPC code with
threshold e
rate R k(1 R)n secrecy rate1-R
Security guaranteed whenever 1-e lt e or e gt 1 e
As e tends to 1 R, we approach secrecy capacity
Capacity achieving codes for the erasure channel
provide perfect security on the erasure wiretap
channel

56
Comments

Positive Aspects
First practical codes to achieve perfect secrecy
- encoder and decoder are public
Connection between coding threshold and security
Negative Aspects
Channels C1 and C2 must be known
Coding scheme above works if C1 is less noisy
than C2
Other cases
BEC-BEC wire tap channel, BSC-Noiseless
See
Thangaraj, Dihidar,Calderbank, McLaughlin, and
Merolla Applications of LDPC Codes to the
Wiretap Channel, IEEE Trans IT Aug 2007

57
BREAK
58
Practical Secret Key Agreementfor Wireless
Networks
59
How do we make this practical?

To fully exploit the randomness of the channel
for security purposes we need secrecy
capacity-achieving channel codes.
Unfortunately, it seems very difficult to design
near-to-optimal codes for the Gaussian wiretap
channel....
BUT fortunately secret key agreement is a
somewhat easier problem (learn from quantum key
distribution)!
Alice and Bob only have to agree on a key based
on common randomness and not to transmit a
particular message.

60
Secret Key Agreement
Assume Eve has worse channel
61
Secret Key Agreement

Two steps
Reconciliation
Privacy amplification

62
Secret Key Agreement

Two steps
Reconciliation
Privacy amplification

63
Secret Key Agreement

Two steps
Reconciliation
Privacy amplification

64
Secret Key Agreement

Two steps
Reconciliation
Privacy amplification

65
Secret Key Agreement

Two steps
Reconciliation
Privacy amplification

66
Secret Key Agreement
011
011

Two steps
Reconciliation
Privacy amplification

XXX
67
We can learn from Quantum Key Distribution
A
B
E

Transmission
Alice codes n random symbols X with quantum
states
Bob measures received states to obtain correlated
symbols Y
Analysis
Evaluation of information intercepted based by
Eve based on simple statistical
measures (bit error rate, variance)
Reconciliation
Correction of errors
Minimum number of bits to transmit
Privacy Amplification
Choice of key size
Random choice of compression function

security parameter
Secret information after transmission
Information exchanged during reconciliation
68
How about wireless security?
Barros, Rodrigues, ISIT06
With fading the instantaneous secrecy capacity
can be strictly positive

Goal Exploit channel variability to secure
information

69
Opportunistic Secret Key Agreement
Bloch, Barros, Rodrigues, McLaughlin 06

Csgt0
share common randomness

Cs0 communicate securely (e.g one-time pad)
Cs0 generate secret key
70
Opportunistic secret key agreement
71
Reconciliation

Correct discrepancies between A and B using
reconciliation information.
In practice small overhead o (10), thus you
have to transmit
(1 o)H(XYM) bits per symbols.
Assign binary labels to each of the transmitted
symbol and use multilevel coding. The syndromes
are used as reconciliation information.
Very similar to source coding with side
information.

72
Two Modes of Operation

Perfect Information-theoretic Security Generate
a secret key and use it as a one-time pad
(perfect security at very low rates)
Combined physical layer and cryptography
Generate a secret key and use a symmetric cipher
such as AES (very high rates are possible)
Example with fraction of time dedicated to
secret key generation as small as 1, we can
renew a 256-bit encryption key every 25kbits,
i.e. with SNR(M)10dB and SNR(W)20 dB, at an
average rate of 2Mbps, this would renew a key
every 16 milliseconds.

73
Average secure communication rate

Case of perfect CSI - communication with one-time
pad

Protocol optimal
74
Practical Considerations

It is possible to exploit the noise of fading
channels to generate
secret keys, even with imperfect CSI
Reconciliation efficiency 90 over wide range of
SNRs
Some latency and complexity (long block length of
LDPC code)
Combine physical layer and standard cryptography
Ex AES with high key regeneration rate
We require a small shared key for authentication.

M. Bloch, J. Barros, M. R. D. Rodrigues and S. W.
McLaughlin,Wireless Information-Theoretic
Security, IEEE Transactions on Information
Theory, June 2008.
75
Advanced Topics and Applications
76
Network Security
What happens when we have multiple parties
communicating over unreliable noisy networks with
multiple eavesdroppers and jammers?
?

Interference
Cooperation
Feedback

77
Multi-user Secrecy Generation
M users communicate messages F and agree on
secret key K

common secret key
secrecy against eavesdropper
uniformity
secret key (SK) capacity is the largest entropy
rate of K

78
Example with three users and two-bit sequences
Csiszár and Narayan, 2006

Bob and Charlie observe sequences of Bernoulli
(1/2) symbols.
Alice observes the symbolwise XOR of their
sequences.

Optimal Secret Key Agreement
Alice sends
Bob sends
Charlie sends
All are able to recover

Eavesdropper is in the dark
SK rate

79
Encoding Correlated Sources
U1
Û1
R1
Decoder
Source 1
Encoder 1
Sink
Encoder
R2
U2
Û2
Encoder 2
Source 2
p(u1,u2)
R2
H(U1U2)
R1 gt H(U1U2)
Slepian Wolf 1973
R2 gt H(U2U1)
H(U2)
H(U2U1)
Shannon 1948
R1R2 gt H(U1U2)
R1
H(U1U2)
H(U1U2)
H(U1)
80
Many correlated sources
Perfect reconstruction is possible if and only if
R10
1
U1
R20
2
U2
0
for all sets
RM0
M
UM
81
Secret Key Capacity for Two Terminals
Maurer 93, Ahlswede and Csizár, 93
R1
R1 gt H(U1U2)
Bob
Alice
U2
U1
R2 gt H(U2U1)
R2
non-interactive communication
82
Secret Key Capacity for Multiple Terminals
Csiszár and Narayan, 2006
is the minimum sum rate required for all
terminals to be able to reconstruct all sources
with arbitrarily small probability of error.
Notice that in this case the eavesdropper
observes only the communication between the nodes
and not one of the correlated sources.
83
Extensions and Variations

Secret key agreement with helpers Csizár,
Narayan, 2005
Multiple group keys with secrecy with respect to
a prescribed
subset of users Ye, Narayan, 2005
Satellite Channel Model Csizár, Narayan, 2005
Secret key capacity when eavesdropper observes a
correlated source of randomness remains
unsolved.

84
Active Attacker

Adversary has access to the communications
channel used by the legitimate parties and can do
the following
Send / Receive
Read
Replay
Forge
Block
Modify
Insert

84
85
Secret Key Agreement with Public Discussion
Maurer, 93 Maurer, Wolf, 03
Y n
Bob
X n
Alice
p(yzx)
public unauthenticated channel
Zn
Eve

Alice and Bob want to increase their secrecy
capacity by exchanging information over the
feedback channel and generate a secret key.
But what if Eve is allowed to read and write on
the public channel?
Adversary with infinite computing power
Adversary with complete control over public
channel.

86
Source Model
X n
SA
Alice
public authenticated channel
Y n
Bob
SB
p(x,y,z)
Zn
Eve

Alice and Bob see X n and Y n and exchange
messages C(C1, C2, C3, . . .Ct)
Outcome of the key generation process H(SACX)
0 or H(SBCY ) 0
Alice sends (C1, C3, . . . , C2k1, . . .), Bob
sends (C2, C4, . . ., C2k, . . .)
Eve gets to see a correlated random variable Zn
and can read and write on the public channel.

87
Impossibility Results

Simulatability Condition
To generate a key, Alice and Bob must have
advantage over Eve in terms of the distribution
PXYZ
Eve cannot be able to generate from Z a random
variable X which Bob, knowing Y, is unable to
distinguish from X (and vice versa).
Secret Key Capacity with Active Adversary
Either a secret key can be generated at the same
rate as in the (well-studied) passive-adversary
case, or such secret key agreement is completely
impossible
if Eve can use Z to simulate X or to simulate Y
the secret key capacity is zero.

88
Information-theoretically Secure Message
Authentication
Maurer, 2000

We assume opponent has unlimited computing power
and knows everything about the system except
for a secret key.
Can we provide bounds on an opponents cheating
probability for a given tolerable probability of
rejecting a valid message?
Hypothesis testing problem decide whether a
received message is authentic or not
Either the message was generated by the
legitimate sender knowing the secret key
Or by an opponent without a priori knowledge of
secret key.

89
Problem Setup

Sender and receiver share a secret key K
Sender sequence of plaintext messages
Each is authenticated by sending an encoded
message which depends on K,Xi and
encoded possibly also using the previous
plaintext messages and
Receiver
based on , and possibly also on and
,decides to either reject the message or
accept it as authentic
if case of acceptance decodes to a message

90
Possible Attacks

The opponent with read and write access to
communication channel can use either of two
different strategies for cheating
Impersonation attack at time the opponent
waits until he has seen the encoded messages
and then sends a fraudulent message
which he hopes to be accepted by the receiver as
the message
Substitution attack at time the opponents
lets pass messages ,intercepts ,
and replaces it by a different message which
he hopes to be accepted by the receiver

91
Results

When a sequence of messages is
to be authenticated, an opponent can choose the
type of attack with the highest success
probability
A secret key K is used optimally when the maximum
of the success probability is minimal
When it is required that a legitimate message is
always accepted a0 in all of these possible
attacks,

92
PHY-Based Authentication
Trappe et al, 2007

Spoofing detection
Verify if a transmission came from a particular
transmitter
Location information can be extracted to
authenticate a transmitter relative to its
previous location.

Estimates channel
h hAB (t,t)
Compares against
h hAB (t-1,t)
Accepts transmission if h h

Bob
Alice

Estimates channel
hEB (t,t)
Verification fails!!!
Does not accept Eve as Alice!

Eve
93
Spread Spectrum Communications and Jamming
0
1
1 0 1 1 0 1 0 0 1 1 1 0 1 0 1 1 0
0 1 0 1 0 1 1 0 1 0 1 0
0 1 0 0 1 0 1 1 0 0 0 1 0 1 0 1 0 0
1 0 1 0 1 1 0 1 0 1 0

Direct Sequence / Frequency Hopping use
pseudo-random sequences to spread the narrowband
signal over a wide band of frequencies
Effective against narrow-band jamming lowers
probability of intercept can provide privacy if
spreading sequence is kept secret
Used in Code Division Multiple Access (CDMA)
systems.

94
Médard, 1997
Capacity of Channels with Correlated Jamming
NM
Y
X
Bob
Alice

NW
Z
Eve

Repeat-back jamming in wireless networks (e.g.
amplification, modification retransmission of
intercepted signals, inducing errors in radars
and receivers).
Jammer can cause a lot of harm even with access
to only a noisy version of the sent signal, with
phase or timing jitter and with limited
processing capabilities.
Not detectable via the received power at Bob.
Extended to Multiple Access Channels by Shafiee
and Ulukus, 2005

95
Cooperative Jamming in the Gaussian Multiple
Access Channel
Tekin and Yener, 2006
X1
U1
Y
Decoder
Alice
Encoder 1
p(yzx1 x2)
Bob
X2
U2
Z
Charlie
Encoder 2
Decoder
Eve

Secrecy conditions can be individual or
collective yielding different results for each
case.
Alice and Charlie can cooperate to increase Eves
uncertainty about the sent messages.

96
General Broadcast Channel with Multiple Secrecy
Conditions
Û1
Y1
U2,U1
Decoder 1
Bob
p( y1 y2 x)
X
Alice
Encoder
Û2
Y2
Decoder 2
Eve

Csiszár and Koerner, 1978 considered one
secrecy condition.
Liu et al. , 2006 provided inner bound for two
secrecy conditions, and also for interference
channels.

97
Multiple Access Channel with confidential messages
Y1
X1
U1
Y
Decoder
Alice
Encoder 1
p(y1 y2 yzx1 x2)
Bob
U0
p(u1) p(u2)
X2
Z
Charlie
Encoder 2
Decoder
Eve
U2
Y2

Cooperative jamming over the Gaussian MAC
Tekin and Yener, 2006
With channel outputs at the encoders individual
secrecy conditions Liang and Poor, 2006

98
Relay Channel with confidential messages

Discrete Memoryless Case Oohama, 2004
Randomization helps to increase the
rate-equivocation region.

Eve
Zn
Sn
X n
Alice
p(yzxs)
Y n
Bob
99
Exploiting MIMO
Goel and Negi, 2005
Bob
Alice
Eve

Alice can leverage multiple antennas by
transmitting artificial noise into the null space
of Bob
This approach can be used effectively, even when
position of Eve is unknown.

100
Jamming to increase the secrecy capacity
NM
Y
X
Bob
Alice

NW
Z
Eve

Can we increase the noise in Eves channel
without affecting Bob?

101
Increasing the Secrecy Capacity with Jammers
102
Jammer Impact on Outage Secrecy Capacity in
Fading Environment
103
Multiple Jammers in Fading Environment
104
Store-and-Forward versus Network Coding
Ahlswede, Cai, Li and Yeung, 2000

In todays networks, information is viewed as a
commodity, which is transmitted in packets and
forwarded from router to router pretty much as
water in pipes or cars in highways.
In contrast, network coding allows intermediate
nodes to mix different information flows by
combining different input packets into one or
more output packets.

105
A simple three-node example
a
a
B
C
A
b
b
In the current networking paradigm we require 4
transmissions.
106
Network Coding
a
b
B
C
A
ab
With network coding we require only 3
transmissions.
107
Algebraic Framework for Network Coding
Koetter and Médard, 2003

Binary vector of length m element in
Random processes at nodes
Transfer matrix
Generalized MIN-CUT MAX-FLOW Condition

108
Packetized Network Coding

Assume each packet carries L bits
s consecutive bits can be viewed as a symbol in

enc. vector
L
s

Perform network coding on a symbol by symbol
basis.
Output packet also has length L.
Send the coefficients (the encoding vector) in
the header.
Information is spread over multiple packets.

109
Practical Considerations

Encoding Elementary linear operations which can
be implemented in a straightforward manner (with
shifts and additions).
Decoding Once a receiver has enough linearly
independent packets, it can decode the data using
Gaussian elimination, which requires
operations.
Generations To manage the complexity and memory
requirements, we mix only generations with fixed
number of packets and limit the field size. Each
keeps a buffer sorted by generation number.
Non-innovative packets are discarded.
Delay Since we must wait until we have enough
packets to decode, there is some delay (not very
significant, since we require less transmissions
in many relevant scenarios)

110
Benefits beyond throughput

Reliability Network Coding can achieve optimal
delay and rate in the presence of erasures and
errors.
Simpler Optimization The multicast routing
problem is NP-hard (packing Steiner trees),
however with network coding there exist
polynomial time algorithms.
Robustness Random network coding is completely
decentralized and preserves the information in
the network, even in highly volatile networking
scenarios.

111
Applications of Network Coding
First real-life application in July 2007
Microsoft Secure Content Downloader (a.k.a.
Avalanche)

Distributed Storage and Peer-to-Peer robustness
against failures in highly volatile networks
Wireless Networks Information dissemination
using opportunistic transmission
Sensor Networks Data gathering with extremely
unreliable sensing devices
Network Management Assessing critical network
parameters (e.g. topology changes and link
quality)

112
Classes of Network Coding Protocols

We distinguish between two types of protocols
stateless network coding protocols, which do not
rely on network state information (e.g. topology
or link costs) to decide when to mix different
packets (e.g. Random Linear Network Coding)
state-aware network coding protocols, which rely
on partial or full network state information to
compute a network code or determine opportunities
to perform network coding in a dynamic fashion
(e.g. COPE).

113
Network Coding Security Taxonomy
Network Coding Protocols
State information
Security Infrastructure
Cooperative
Key Management
Cooperative Security Gkantsidis, Rodriguez, 06
Signatures Content Dist. Zhao et al, 07
Secret Key Dist. Oliveira, Barros, 07
SPOC Vilela, Lima, Barros, 08
some intrinsic security (no state information) Prone to Byzantine attacks Prone to Byzantine attacks Network state information
- Extra redundancy - Hash symbols included in packets - Cooperative security schemes - Homomorphic hash functions Signatures Key distribution Confidentiality
114
Network Coding A Free Cipher?
Lima, Médard and Barros, ISIT07

Nodes are assumed to be nice but curious
(comply with protocol but could be malicious
eavesdroppers)
Intermediate nodes have different levels of
confidentiality
Nodes T and U have partial information about the
data
Node W has full access to the data
Node X cannot decode any useful data a free
cypher!

S
a
b
T
U
a
b
W
a
b
ab
X
ab
ab
Y
Z
Previous work considered wiretapping attacks on
multiple links, e.g. Cai and Yeung,02,
Feldman et al,04 Bhattad et al,05
115
Secure Network Coding
a b c d
e f g h
abcdefg 3abcd5f a2bcd4g abc3d5h
5ab5h 6bc4g b7c3a bc9e
S
S
T
U
T
U
R
R

Nodes T and U have access to half of the sent
data.

NodesT and U need to decode to obtain partial
data.

116
Algebraic Security Criterion

Definition (Algebraic Security Criterion) The
level of security provided by random linear
network coding is measured by the number of
symbols that an intermediate node v has to guess
in order to decode one of the transmitted
symbols.
In other words, we compute the difference between
the global rank of the code and the local rank in
each intermediate node.

117
Results

Theorem 1The probability P(ld gt 0) of recovering
a strictly positive number of symbols ld at the
intermediate nodes (by Gaussian elimination) goes
to zero for sufficiently large number of nodes
and alphabet size
Proof Idea
An intermediate node can gain access to relevant
information
when the partial transfer matrix has full rank
when the partial transfer matrix has
diagonalizable parts.
Carry out independent analyzes in terms of rank
and in terms of partially diagonalizable
matrices.
Show that the probability of having partially
diagonizable matrices goes to zero for
sufficiently large number of nodes and alphabet
size.

118
SPOC - Secure Practical netwOrk Coding

Assured confidentiality against attacker with
access to all the links.
Two types of coefficients
Locked
Unlocked
Same operations
Requirements
Key management mechanism

119
SPOC - Secure Practical netwOrk Coding - Results
Number of AES encryption operations according to
the payload size, for SPOC (encryption of locked
coefficients) versus traditional encryption
mechanism (encryption of the whole payload).
120
SPOC - Secure Practical netwOrk Coding - Results
Packet size overhead of including the locked
coefficients, per packet.
121
Mutual Information between Payload and Coding
Coefficients
Lima, Vilela, Barros, Médard, 2008
122
Detection of Byzantine Modification
Ho et al, ISIT 2004

Hash symbols, calculated as simple polynomial
functions of the source data, are included in
each source packet.
Receiver nodes check if decoded packets are
consistent, i.e. have matching data and hash
values.
Additional computation is minimal as no other
cryptographic functions are involved.
Detection probability can be traded off against
communication overhead, field size (complexity)
of the network code and the time taken to detect
an attack.

enc. vector
hash
L
s
123
Gkantsidis, Rodriguez, Infocom 2006
Cooperative security for network coding

Cooperation to achieve on-the-fly detection of
malicious packets.
Homomorphic hash functions a hash of an encoded
packet is easily derived from the hashes of the
previously encoded packets.
However, these hash functions are computationally
expensive.
To increase efficiency every node performs block
checks with a certain probability and alerts its
neighbors upon detection.
In addition, there exist techniques to prevent
Denial of Service (DoS) attacks aimed at the
dissemination of alarms.

124
Resilient Network Codes
Jaggi et al. , Infocom 2006
Koetter and Kschischang, 2007

Use the error correction capabilities of linear
network coding.
An active attacker can be viewed as a second
source of data.
Add enough redundancy to allow the destination to
distinguish between valid and erroneous packets.
Some information may have to be protected by a
shared secret key.

125
Sensor Networks
Task Collect and transmit data
through secure links
Data confidentiality

Energy
Limited Data Rate
Processing Power
Memory

Constraints
Secret Key Distribution
How can each pair of neighboring nodes share a
secret key?
126
Key Pre-distribution

Goal Store keys into the memory of the sensor
nodes for them to share a secret with their
neighbors after the deployment.
Challenges
Minimize the impact of compromised nodes
Efficient use of the resources
Scalability in dynamic environments
Avoid single points of attack.

127
Secret Key Distribution using Network Coding
Oliveira and Barros, 2007

Our approach
Key pre-distribution scheme
Efficient use of resources
Uses a mobile node to blindly complete the key
distribution process
Designed for dynamic scenarios.
Prior to sensor node deployment
Generate a large pool of keys and their
identifiers
Load different keys and the corresponding
identifiers into the memory of each sensor node
Store in the memory of the mobile node all the
keys encrypted with the same one-time pad and
their corresponding identifiers.

128
Secret Key Distribution in WSNs
Oliveira and Barros, 2007

After sensor node deployment

B
S
A
Hello
Hello
129
One-Time Pad Security
Oliveira, Costa and Barros, 2007

One-time pad is secure if the key is
Truly random
Never reused
Kept secret.
The knowledge of
does not increase the information that
the attacker has about any one key

130
Extensions and Variations

Mobile key distribution for many nodes
Group and cluster keys
Key revocation
Key renewal
Authentication

131
Millionaires- problem

Suppose 2 millionaires want to determine which
one is richer, without revealing the precise
amount of their wealth.

In the general secure multi-party computation
problem, users u1, u2, ..., un possess data d1,
d2, ..., dn and want to compute the outcome of a
public function F(d1, d2, ..., dn ) without
revealing d1, d2, ..., dn .
132
Other Problems beyond Secure Communication

Communicating securely is not the only problem in
cryptography.
Problem Suppose Alice and Bob are linked through
a network and want to flip a coin. How can they
ensure that the coin flip is fair?

Network

Solution Alice and Bob send one bit each in
separate envelopes. They open the envelopes
simultaneously and take the XOR of the two bits.
The protocol works if and only if
Bob knows nothing about Alices bit before he
sends his envelope
Alice cannot change her bit once the envelope is
sealed.
...and vice versa (for Bobs bit).

133
Bit Commitment
b
b
Commit
Open
Alice puts a bit b in a strong box
Alice gives this box to Bob. She cannot change b
Later Alice can unveil b to Bob

A commitment scheme is said to be secure if it
is
Binding the probability that Alice can
successfully open two different commitments is
negligible.
Concealing Bob gets at most negligible
information on b before the opening phase.
Correct The probability that honest Alice fails
to opena commitment is negligible.

134
Bit Commitment over the erasure channel
b parity(X)

Commit Phase
Alice selects a random codeword with parity
equal to the value she wants to commit to and
sends it to Bob through the erasure channel.
Open Phase
Alice sends the codeword she has sent in the
commit phase over a noiseless channel. Bob
rejects if the codeword he receives differs in at
least one position from the codeword he received
through the noisy channel.

135
Bit Commitment over the erasure channel
b parity(X)

Protocol Analysis
Bob learns the commitment with probability
Alice unveils a bit different than the one she
committed to and is not detected with probability

Problems
Non-negligible error probability (binding
condition)
The channel is used n times to commit to a single
bit.

136
Commitment Rate and Capacity
If we commit to a string of length k, what is the
maximum commitment rate k/n of a secure protocol
we can achieve (i.e., capacity)?
Binary string Bob learns b with probability Alice
cheats successfully with probability Commitment
rate Commitment capacity
137
The Commitment Capacity of DMCs

Define a redundant channel (a channel is called
non-redundant if none of its output distributions
is a convex combination of its other output
distributions).
Redundancy can be cut from a channel, by
removing all input symbols which are convex
combinations of others.
If after removing the redundancy of a channel,
its equivocation becomes zero, the channel is
called trivial.

The commitment capacity of a DMC equals its
equivocation H(XY) after its redundancy is
removed.
Winter, Nascimento, Imai 03
138
How about the Gaussian Channel?
Motivation - more realistic channel model (e.g.
wireless medium)- commitment capacity for
continuous channels unknown- techniques differ
from the discrete case

Average Power ConstraintChannel Capacity
139
How about the Gaussian Channel?
Caveat practical wiretap codes are hard to
design!
140
Commitment rate

Using a wiretap interpretation of commitment, we
can prove that

Any positive will give us a binding
protocol, by making it arbitrarily small, we get
that the maximum achievable rate can be made
arbitrarily large

The commitment capacity of the Gaussian channel
is infinite.
141
Commitment from Secret Key Agreement
Bloch, Barros and McLaughlin, 2007
142
Beyond secure communication

Cryptographic protocols based on noisy channels,
Crépeau, 1997
Commitment Capacity of Discrete Memoryless
Channels,
Winter, Nascimento, Imai, 2003
Oblivious Transfer using noisy channels,
Crépeau. Morozov, Wolf, 2004
Pseudo-signatures, Broadcast, and Multi-party
Computation,
M. Fitzi, S. Wolf, and J. Wullschleger, 2004
Commitment Capacity of Gaussian Channels,
Barros, Imai, Nascimento and Skudlarek 2006
Practical Information-Theoretic Commitment
Bloch, Barros and McLaughlin, 2007

143
Physical-Layer Security10 Open Issues
144
1 How can we provide rigorous descriptions of
security primitives?

Information-Theoretic (Perfect or unconditional)
Security
strictest notion of security, no computability
assumption
H(MX)H(M) or I(XM)0
Implementable at the physical layer

Computational Security
Security schemes are based on (unproven)
assumptions of intractability of certain
functions
Typically done at upper layers of the protocol
stack

145
2 What are the fundamental limits of security
for strong secrecy?

Theoretical results from the seventies (Wyner,
Csiszár and Koerner)
Caveat eavesdropper must have a worse channel.
Renaissance of information-theoretic security in
the last 2 years.
Most results are based on weak secrecy conditions
(equivocation rate)
Strong secrecy is possible (requires CS
techniques)

146
3 How can we leverage state-of-the art channel
coding to enhance security at the
physical layer?
147
4 How do we construct secrecy achieving codes
for wireless channels?
X
X
k-bit message w
Alice
Bob
wb
o
1
e
e
1-e
1-e
1
o
?
Z
Eve

Main channel is noiseless wire-tappers channel
is a BEC with erasure probability e
Eve receives a subset of the transmitted bits (or
packets)
For this instance (only), we have secrecy
capacity achieving codes.

148
5 How can we borrow from quantum cryptography?

Common Randomness Alice and Bob share correlated
random sequences.
Reconciliation Alice sends Bob enough side
information for Bob to reconstruct Alices
sequence.
Privacy Amplification Alice and Bob use hash
functions to maximize Eves equivocation.

149
6 How can we leverage fading?
Wireless Network with Potential Eavesdropping

Goal Exploit channel variability to secure
information at the physical-layer.

150
7 How can we provide security for network coding?
a b
S

Intermediate nodes have different levels of
confidentiality
Nodes T and U have partial information about the
data
Node W has full access to the data
Node X cannot decode any useful data a free
cypher?
Active attacks can compromise the information
flow.

T
U
W
ab
X
ab
ab
Y
Z
a b
a b
151
8 How can we use coding ideas to distribute
secret keys?

Problem
How can each pair
of sensor nodes agree
on a secret key?
Our approach
Key pre-distribution scheme
Uses a mobile node to complete the key
distribution process blindly using network
coding
Reduced memory requirements

152
9 How can we use physical-layer techniques to
go beyond secure communication?

Cryptography is not only concerned with
communicating securely.
Based on noisy channels and state-of-the-art
error correction codes we can implement bit
commitment and oblivious transfer, which are the
building stones of secure multi-party
computation.
Authentication is a vital issue and could
potentially be carried out over noisy channels
possibly without initial shared secret.
Wolf and Maurer98, Trappe et al07
How about anonymity?
How about non-repudiation?

153
Classical Cryptography under the Computational
Model

Advantages
no publicly-known, efficient attacks on
public-key systems
security is provided on a block-to-block basis
if cryptographic primitive is secure then every
encoded block is secure
systems are widely deployed, technology is
readily available, inexpensive

Disadvantages
Security is based on unproven assumptions
No precise metrics
trade off between reliability and security as a
function of the block length is unknown
security of the cryptographic protocol is
measured by whether it survives a set of attacks
or not.
Conventional model (error free channel) secrecy
capacity of these systems is zero
cant guarantee reliable and perfectly secure
system

154
Physical layer security under the
information-theoretic (perfect) security model

Disadvantages
Information-theoretic security is an
average-information measure.
Requires assumptions about the communication
channels that may not be accurate in practice.
Limits its application
A few systems (e.g QKD) are deployed but the
technology is not as widely available and is
expensive.