Information-Theoretic Security

IEEE International Symposium on Information Theory - Toronto, Canada, July 2008

Theory and Practice

João Barros, Instituto de Telecomunicações, Universidade do Porto and EECS/MIT

Steven W. McLaughlin, School of Electrical and Computer Engineering, Georgia Institute of Technology

Today's Layered Architecture

- Standard Protocol Stack

Programs and applications

End-to-end reliability, cong. control

Routing and forwarding

Medium access control

Channel coding and modulation

Where is security?

Security: a patchwork of add-ons

End-to-end cryptography

Secure Sockets Layer (SSL)

Virtual private networks (IPSec)

Admission control (e.g. WPA)

Physical-layer security?

Information-Theoretic Security: are we biased?

- A typical graduate course in cryptography and security always starts by discussing Shannon's notion of perfect secrecy (widely accepted as the strictest notion of security)
- Then, it emphasizes its conceptual beauty.
- Then, it states that it is basically useless for any practical application.

p(wx)p(x)

Computational Security

Main Questions in this Tutorial

- What are the fundamental security limits at the physical layer?
- Which notions of security are we talking about?
- Is information-theoretic security practical?
- What kind of code constructions can we use?
- How do we build protocols based on information-theoretic security?
- Can we combine physical-layer security with classical cryptography?
- How can we secure novel networking paradigms?
- How can we go beyond confidentiality at the physical layer?
- How can we increase our credibility in the security business?

Our program for today

- Theoretical Foundations
- Fundamentals of Information-Theoretic Security
- Strong Secrecy versus Weak Secrecy
- Secrecy Capacity of Noisy Channels
- Practical Techniques
- Combining Cryptography and Coding
- Secrecy Capacity Achieving Codes
- Secret Key Agreement at the Physical Layer
- Advanced Topics and Applications
- Multi-user Secrecy and Network Coding Security
- Active Attacks on Coded Systems
- Beyond Secure Communications

- 10 Open Issues

What we will not do

- Provide an exhaustive review of related work
- Elaborate on the details of the proofs
- Cover all the topics in depth
- Address quantum information theory
- Say bad things about modern cryptography

Theoretical Foundations

Notions of Security

- Information-Theoretic (Perfect or unconditional) Security
- strictest notion of security, no computability assumption
- $\mathrm{Prob}[W \mid \text{Eve's knowledge}] = \mathrm{Prob}[W]$
- $H(W|X) = H(W)$ or $I(X;W) = 0$
- e.g. One-time pad
- [Shannon, 1949]: $H(K) \ge H(M)$

- Computational Security
- Alice sends a k-bit message W to Bob using an encryption scheme
- Security schemes are based on (unproven) assumptions of intractability of certain functions
- Typically done at upper layers of the protocol stack

One-time Pad

[Figure: one-time pad. Labels: Alice, Bob, Eve; Key (k bits) at Alice and at Bob; k-bit message W; k-bit decoded message Wb; X^k.]

- If Eve does not know the key and $P(\text{Key} = k\text{-tuple}) = 1/2^k$, then we have $p(w|x^k) = p(w)$.

Shannon's Model

This model is somewhat pessimistic, because most communications channels are actually noisy.

Wyner's Wiretap Channel (I)

Wyner, 1975

- Reliability and Security
- For Bob and Alice,
- $\mathrm{Prob}[W \ne W_b \mid Y^n] \to 0$
- With respect to Eve,
- $(1/n)\, I(W; Z^n) \to 0$
- as $n \to \infty$
- Secrecy Capacity
- Largest transmission rate at which both conditions can be satisfied.
- Positive secrecy capacity only in the degraded case.

Wyner's Wiretap Channel (II)

Wyner, 1975

[Figure: rate-equivocation region. Axes: transmission rate, equivocation rate; marked values: H(W), D, CS, CM.]

- Proof Idea
- Alice assigns multiple codewords to each message, picks one at random and thus exhausts Eve's capacity.
- Converse uses Fano's inequality and classical arguments.
- Rate-equivocation region
- Two critical corner points (CM, D) and (CS, H(W))
- Unusual shape (not convex)

Because the transmission range is so short, NFC-enabled transactions are inherently secure. Also, physical proximity of the device to the reader gives users the reassurance of being in control of the process.

Broadcast Channel with Confidential Messages

Csiszár and Koerner, 1978

[Figure: Alice sends X^n over the channel p(yz|x); Bob receives Y^n and Eve receives Z^n.]

- Secrecy capacity is strictly positive if Bob's channel is less noisy than Eve's, i.e. $I(X;Y) > I(X;Z)$

Feedback (Public Discussion)

Maurer, 93

[Figure: Alice sends X^n over the channel p(yz|x); Bob receives Y^n and Eve receives Z^n; a public authenticated feedback channel is available.]

- Secret Key agreement scheme
- Clever protocol allows Alice and Bob to increase their secrecy capacity by exchanging information over the feedback channel
- This requires a public authenticated feedback channel!

Increasing the Secrecy Capacity via Feedback

- Suppose Alice, Bob and Eve are connected via binary symmetric channels and a public authenticated feedback channel is available.

|       | Noisy Channel | Error-free public communication | Computation | Computation |
|-------|---------------|---------------------------------|-------------|-------------|
| Alice | X             | V⊕X⊕E                           | V⊕X⊕E⊕X     | V⊕E         |
| Bob   | X⊕E           | V⊕X⊕E                           | V           | V           |
| Eve   | X⊕D           | V⊕X⊕E                           | V⊕X⊕E⊕X⊕D   | V⊕E⊕D       |

- Bob and Eve observe different noises (D, E).
- Bob feeds back random value V plus what he observed (X⊕E)
- Eve ends up with more noise than Bob (as in the wiretap channel)
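The feedback exchange on this slide, simulated as an added example (not from the original slides). The crossover probabilities and function names are assumptions chosen for illustration, and the rate expressions are the standard ones for binary symmetric wiretap channels with crossover probabilities at most 1/2.

```python
import math
import random


def h2(p):
    """Binary entropy function in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def xor_noise(eps, delta):
    """Crossover probability of E xor D for independent Bernoulli(eps), Bernoulli(delta)."""
    return eps * (1 - delta) + delta * (1 - eps)


def cs_without_feedback(eps_bob, eps_eve):
    """Secrecy capacity of the one-way BSC wiretap channel Alice -> Bob / Eve."""
    return max(0.0, h2(eps_eve) - h2(eps_bob))


def cs_with_feedback(eps_bob, eps_eve):
    """Secrecy capacity of the conceptual channel created by the feedback step:
    Alice sees V through noise E, Eve sees V through noise E xor D."""
    return h2(xor_noise(eps_bob, eps_eve)) - h2(eps_bob)


def simulate(n, eps_bob, eps_eve, seed=1):
    """Run the exchange n times; return (Alice's, Eve's) error rate when estimating V."""
    rng = random.Random(seed)
    alice_errors = eve_errors = 0
    for _ in range(n):
        x = rng.getrandbits(1)             # Alice's random channel input X
        e = int(rng.random() < eps_bob)    # noise E on the Alice -> Bob channel
        d = int(rng.random() < eps_eve)    # noise D on the Alice -> Eve channel
        y, z = x ^ e, x ^ d                # Bob observes X xor E, Eve observes X xor D
        v = rng.getrandbits(1)             # Bob's fresh random bit V
        c = v ^ y                          # public feedback: V xor X xor E
        alice_errors += (c ^ x) != v       # Alice computes V xor E
        eve_errors += (c ^ z) != v         # Eve computes V xor E xor D
    return alice_errors / n, eve_errors / n


if __name__ == "__main__":
    eps_bob, eps_eve = 0.2, 0.1            # constructed values: Eve's channel is the better one
    print("Cs without feedback:", cs_without_feedback(eps_bob, eps_eve))
    print("Cs with feedback   :", round(cs_with_feedback(eps_bob, eps_eve), 4))
    print("simulated error rates (Alice, Eve):", simulate(100_000, eps_bob, eps_eve))
```

Even though Eve starts with the cleaner channel, her estimate of V carries both noises while Alice's carries only E, so the rate becomes positive.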

Source Model

Ahlswede and Csiszar, 93

[Figure: Alice observes X^n, Bob observes Y^n and Eve observes Z^n, drawn from p(x,y,z); a public authenticated feedback channel is available.]

- Alice and Bob share common randomness.
- Eve gets to see a correlated random variable.
- Alice and Eve generate a secret key using the public authenticated channel.

Notions of Security

Maurer and Wolf, 2000

- Weak secrecy
- Strong secrecy

- The secrecy capacity of the discrete memoryless wiretap channel does not change with strong secrecy.
- Proof requires fundamental tools of theoretical computer science (extractors)

Example of Weak Secrecy

[Figure labels: U^n, K^n, X^n; binary data (n bits); one-time pad (n-k bits); unprotected data (k bits); protected data (n-k bits).]

- This trivial scheme satisfies the weak secrecy condition while disclosing an unbounded number of bits
- Clearly, it does not satisfy the strong secrecy condition

The Wireless Scenario

Barros, Rodrigues, ISIT06

Wireless Network with Potential Eavesdropping

Can we exploit channel variability to help secure the communication?

System Model

- $h_M(i) = h_M, \forall i$, and $h_W(i) = h_W, \forall i$ (quasi-static fading model)
- $h_M$ and $h_W$ independent and complex Gaussian distributed
- SNRs $\gamma_M \propto |h_M|^2$ and $\gamma_W \propto |h_W|^2$ exponentially distributed

Security Characterization

- General goal is maximization of transmission rate from Alice to Bob
- $R = (1/n)\, H(W^k)$
- and minimization of Eve's information rate about the message,
- $(1/n)\, I(W^k; Y_W^n)$
- Secrecy capacity is maximum transmission rate R with Eve's information rate $< \epsilon$.
- Cautionary Note [Maurer and Wolf, 2000]
- Stronger secrecy condition for Discrete Memoryless Channels
- Not only the rate but the total amount of information leaked to the eavesdropper decays exponentially fast with n.
- It is possible to prove strong secrecy results for wireless channels
- Barros and Bloch, 2008

Instantaneous Secrecy Capacity

Instantaneous signal-to-noise ratios

- The instantaneous secrecy capacity for quasi-static fading channels follows directly from the Gaussian case.

Secrecy Outage

- The outage probability
- Alice chooses a target secrecy rate Rs.
- if Rs < Cs then she can communicate securely.
- otherwise, information-theoretic security is compromised.

Outage Probability

Barros, Rodrigues, ISIT06

After some maths
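The outage event defined above, worked numerically as an added example (not from the original slides). It assumes the Gaussian-case expression Cs = [log2(1 + γM) - log2(1 + γW)]^+ for the instantaneous secrecy capacity and independent exponentially distributed SNRs; the closed form is derived here from those two assumptions, and the function names, target rate and 10 dB / 20 dB averages are chosen for illustration.

```python
import math
import random


def instantaneous_secrecy_capacity(snr_main, snr_eve):
    """Cs = [log2(1 + gamma_M) - log2(1 + gamma_W)]^+ in bits per channel use (assumed form)."""
    return max(0.0, math.log2(1.0 + snr_main) - math.log2(1.0 + snr_eve))


def outage_closed_form(avg_main, avg_eve, rs):
    """P(Cs < Rs) for independent exponential SNRs with the given averages (linear scale).

    P(Cs > Rs) = P(gamma_M > 2^Rs (1 + gamma_W) - 1); averaging exp(-x / avg_main)
    over the exponential gamma_W gives the expression below.
    """
    t = 2.0 ** rs
    secure = avg_main / (avg_main + t * avg_eve) * math.exp(-(t - 1.0) / avg_main)
    return 1.0 - secure


def outage_monte_carlo(avg_main, avg_eve, rs, trials=100_000, seed=7):
    """Estimate P(Cs < Rs) by drawing one pair of SNRs per quasi-static fading block."""
    rng = random.Random(seed)
    outages = 0
    for _ in range(trials):
        gamma_m = rng.expovariate(1.0 / avg_main)   # Bob's instantaneous SNR
        gamma_w = rng.expovariate(1.0 / avg_eve)    # Eve's instantaneous SNR
        if instantaneous_secrecy_capacity(gamma_m, gamma_w) < rs:
            outages += 1
    return outages / trials


def from_db(x_db):
    """Convert decibels to a linear power ratio."""
    return 10.0 ** (x_db / 10.0)


if __name__ == "__main__":
    rs = 0.1                                        # target secrecy rate (constructed value)
    avg_main, avg_eve = from_db(10), from_db(20)    # Eve is 10 dB better on average
    print("AWGN Cs at the average SNRs:", instantaneous_secrecy_capacity(avg_main, avg_eve))
    print("fading, closed form  P_out :", round(outage_closed_form(avg_main, avg_eve, rs), 4))
    print("fading, Monte Carlo  P_out :", round(outage_monte_carlo(avg_main, avg_eve, rs), 4))
```

With these averages the AWGN secrecy capacity is zero, yet about 8.5% of fading blocks still support the target rate.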

Impact of Distance

Outage probability for normalized target secrecy rate Rs = 0.1.

Outage Secrecy Capacity

Barros, Rodrigues, ISIT06

ε-outage secrecy capacity

Normalized outage secrecy capacity for an outage probability Pout = 0.10.

Normalized outage secrecy capacity for an outage probability Pout = 0.75.

Thicker lines: AWGN case. Thinner lines: Fading case.

Average Secrecy Capacity

When it comes to information-theoretic security, fading is really a friend and not a foe.

Normalized average outage secrecy capacity.

Thicker lines: AWGN case. Thinner lines: Fading case.

Imperfect CSI

Bloch, Barros, Rodrigues, McLaughlin, ITW06

- Assumptions
- Perfect CSI for the main channel
- Imperfect CSI for the wiretap channel
- Proceed as if CSI was correct
- Outage probability
- In general, Alice underestimates the secrecy capacity

Some recent work on (weak) secrecy capacity

- Secure space-time communications (Hero, 2003)
- Secrecy rates for the relay channel (Oohama, 2004)
- Secrecy capacity of SIMO channels (Parada and Blahut, 2005)
- Secure MIMO with artificial noise (Negi and Goel, 2005)
- Gaussian MAC and cooperative jamming (Tekin and Yener, 2005)
- Secrecy capacity of slow fading channels (Barros and Rodrigues, 2006)
- Multiple access channel with confidential messages (Liang and Poor, Liu et al., 2006)
- Secure broadcasting with multiuser diversity (Khisti, Tchamkerten, and Wornell, 2006)
- Ergodic secrecy capacity (Gopala, Lai and El Gamal, Liang, Poor and Shamai 2007)
- Strong secrecy for wireless channels (Barros and Bloch, 2008)
- and many more.

Strong secrecy for Gaussian and Wireless Channels

Nitinawarat, Allerton 2007

- Strong secret key agreement from Gaussian random variables
- Lattice codes
- Quantization with side information
- Strong secrecy capacity for wireless channels
- Uses tools of Maurer and Wolf, 2000
- Maps messages to secret keys
- Multiple copies of weakly secure wiretap codes
- Quantization and Slepian Wolf codes
- Extractor functions for privacy amplification

Barros and Bloch, ICITS 2008

Comments

- Information Theory provides you with tools to determine fundamental security limits in particular at the physical layer
- There exist codes which can guarantee both reliability and information-theoretic security
- Secure communication over wireless channels is possible even when the eavesdropper has a better channel (on average)
- When it comes to security, fading is a friend and not a foe.

Practical Techniques

Is physical-layer security practical?

- Motivating examples
- secure error correcting codes and the channel coding converse
- tandem error correction and cryptography
- coset codes for an erasure wiretapper
- Secret key agreement protocol for wireless channels

Secure Communication on two Gaussian channels

Assume that the attacker has worse SNR

Practical scenarios: RFID, zoned security

Wiretap error control code: specific error control code needed at Tag side. Low complexity encoder - possibly complex decoder

Secure Communication on two Gaussian channels

Transmit at $C_{wiretapper} < R < C_{main}$

Assume that the attacker has worse SNR

Some common sense: use an error control code

Assume that the attacker has worse SNR

Very good error correcting code with simple encoder

Reader recovers bits with good BER

Coding

Assume that the attacker has worse SNR

Very good error correcting code with simple encoder

Eve recovers bits with worse BER

Coding with an advanced code

Some secrecy rate tradeoffs

System view

How would we combine this with encryption?

After FEC decoding

At the encryption level

Assume Attacker SNR is 1.5 - 2.0 dB worse than Bob's (e.g. near field communications)

At the encryption level

N/2 bits in error. Attacker does not know which ones. She needs to do a $2^N$ search.

- Assume all parties have a key
- Attacker has somehow figured out the key
- e.g. from a weak RFID security protocol

At the encryption level

N/2 bits in error. Attacker needs to
- guess the N coded bits correctly
- guess the M key bits correctly

She needs to do a $2^{N+M}$ search.

This time: assume Attacker does not have a key

Achieving the Secrecy Capacity with Error Control Coding

Achieving secrecy capacity for any DMCs using capacity achieving codes

[Figure: Alice maps the k-bit message w to X; Bob receives Y and outputs the k-bit decoded message wb; Eve receives Z. C1: main channel Pr[Y|X]. C2: wiretapper's channel Pr[Z|X].]

- Special case: C2 is worse than C1 (both DMCs)
- Use $2^k$ capacity-approaching codes C1, C2, C3, ...
- To send a message w, set X = random codeword of Cw
- If Cw achieves capacity on C2 for each w => Security condition is satisfied!
- If union of C1, C2, C3, ... is reliable across C1, wb = w is possible => Reliability condition is satisfied!
- [Thangaraj et al, 2004] have shown that such a selection of C1, C2, C3, ... is possible.

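Motivating example: BEC wiretapper channel

[Figure: Alice sends the k-bit message w as X; Bob receives X and outputs wb; Eve observes Z through a binary erasure channel: each input bit (0 or 1) is erased (?) with probability ε and received unchanged with probability 1-ε.]

- Main channel is noiseless; wire-tapper's channel is a BEC with erasure probability ε
- Eve receives a subset of the transmitted bits (or packets)
- Secrecy capacity is ε

Wyner and Ozarow, Wiretap Channel Type II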

Conventional Encoding and Decoding

[Figure: Alice sends the k-bit message w as X; Bob receives X and computes wb = H X^T. Panel: binary codewords of length n.]

- Conventional encoding: select the codeword in C with message w

Security Encoding and Decoding

[Figure: same setup. Panel: binary codewords 1 translate (cosets).]

- Now for security: encode information in coset

Security Encoding and Decoding

[Figure: same setup. Panel: binary codewords 3 translates (cosets); secrecy rate k/n.]

- (n, n-k) code C with parity-check matrix H
- Make C and H public
- C has $2^k$ cosets
- Encoding: select the coset of C with message w, select codeword in coset at random

Security

[Figure: Alice sends the k-bit message w as X = x1 x2 ... xn; Bob computes wb = H X^T; Eve observes X through a BEC(ε) and receives Z = x1 ... xs e e e ... e (e: erasure).]

- If each coset of C has a vector of the form x1...xs??...?,
- $\Pr[m|Z] = \Pr[m]$

Security Property of Codes

Z = x1 ... xs ? ? ... ?

If the submatrix of G corresponding to revealed positions has full column rank, all cosets of C have a vector of the form x1...xs??...?
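The coset encoder and the rank criterion from the last few slides, as an added example (not from the original slides). It assumes a small (7,4) Hamming code for C instead of an LDPC code so that Eve's view can be checked by brute force; the matrix H and all function names are chosen here.

```python
import itertools
import random

N, K = 7, 3  # n = 7 transmitted bits, k = 3 message bits; C is an (n, n-k) = (7, 4) code

# Parity-check matrix H = [I_3 | A] of the (7, 4) Hamming code (public).
H = [
    [1, 0, 0, 1, 1, 0, 1],
    [0, 1, 0, 1, 0, 1, 1],
    [0, 0, 1, 0, 1, 1, 1],
]
# Generator matrix G = [A^T | I_4] of C (public); every row g satisfies H g^T = 0.
G = [[H[i][K + j] for i in range(K)] + [int(c == j) for c in range(N - K)]
     for j in range(N - K)]


def syndrome(x):
    """Bob's decoder: wb = H x^T over GF(2)."""
    return tuple(sum(h * b for h, b in zip(row, x)) % 2 for row in H)


def encode(w, rng):
    """Pick a uniformly random word in the coset of C whose syndrome is w."""
    x = list(w) + [0] * (N - K)            # coset representative (valid because H = [I | A])
    for row in G:                          # add a uniformly random codeword of C
        if rng.getrandbits(1):
            x = [a ^ b for a, b in zip(x, row)]
    return x


def gf2_rank(vectors):
    """Rank over GF(2) of vectors packed into integers."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)              # clear b's leading bit from v if it is set
        if v:
            basis.append(v)
    return len(basis)


def revealed_columns_full_rank(revealed):
    """The slide's criterion: columns of G at Eve's unerased positions are independent."""
    cols = [sum(G[j][p] << j for j in range(N - K)) for p in revealed]
    return gf2_rank(cols) == len(revealed)


def eve_posterior_counts(x, revealed):
    """Per message, count the transmitted words that agree with x on the revealed positions."""
    counts = {}
    for cand in itertools.product((0, 1), repeat=N):
        if all(cand[p] == x[p] for p in revealed):
            s = syndrome(cand)
            counts[s] = counts.get(s, 0) + 1
    return counts


def leaks_nothing(x, revealed):
    """True if every message is equally likely given Eve's view, i.e. Pr[m|Z] = Pr[m]."""
    counts = eve_posterior_counts(x, revealed)
    return len(counts) == 2 ** K and len(set(counts.values())) == 1


if __name__ == "__main__":
    rng = random.Random(5)
    w = (1, 0, 1)                          # constructed sample message
    x = encode(w, rng)
    print("sent", x, "Bob decodes", syndrome(x))
    for revealed in ([0, 1, 2], [3, 4, 5, 6], [0, 3, 4, 6]):
        print(revealed, "rank test:", revealed_columns_full_rank(revealed),
              "leaks nothing:", leaks_nothing(x, revealed))
```

Positions 0, 3, 4, 6 form the support of the first row of H, so an Eve who sees exactly those bits learns one parity of the message; the rank test flags that set and no set it accepts leaks anything.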

LDPC Codes over a BEC

- Urbanke and Richardson
- Consider a (3,6)-regular LDPC matrix H: BEC threshold 0.42
- Threshold interpretation: columns of H corresponding to the erased positions have full column rank if the erasure probability is less than 0.42

Urbanke and Richardson, 2001

[Figure: parity-check matrix H with its columns h.]

LDPC Matrix Connection

- LDPC Codes over a Wire Tap Channel
- Let G = (3,6)-regular LDPC matrix
- The columns of G corresponding to the revealed positions have full column rank if 1-ε < 0.42 or the erasure probability is greater than 0.58

Z = x1 ... xs ? ? ... ?

LDPC codes over a BEC-noiseless wire tap channel

[Figure: Alice sends the k-bit message w as X = x1 x2 ... xn, with X randomly chosen from the coset of C with syndrome m; Bob computes wb = H X^T; Eve observes Z through a BEC(ε).]

- C = dual of an LDPC code with
- threshold ε*
- rate R; k = (1 - R)n; secrecy rate = 1 - R
- Security guaranteed whenever 1 - ε < ε* or ε > 1 - ε*
- As ε* tends to 1 - R, we approach secrecy capacity

- Capacity achieving codes for the erasure channel provide perfect security on the erasure wiretap channel

Comments

- Positive Aspects
- First practical codes to achieve perfect secrecy - encoder and decoder are public
- Connection between coding threshold and security
- Negative Aspects
- Channels C1 and C2 must be known
- Coding scheme above works if C1 is less noisy than C2
- Other cases
- BEC-BEC wire tap channel, BSC-Noiseless
- See
- Thangaraj, Dihidar, Calderbank, McLaughlin, and Merolla, Applications of LDPC Codes to the Wiretap Channel, IEEE Trans IT, Aug 2007

BREAK

Practical Secret Key Agreement for Wireless Networks

How do we make this practical?

- To fully exploit the randomness of the channel for security purposes we need secrecy capacity-achieving channel codes.
- Unfortunately, it seems very difficult to design near-to-optimal codes for the Gaussian wiretap channel....
- BUT fortunately secret key agreement is a somewhat easier problem (learn from quantum key distribution)!
- Alice and Bob only have to agree on a key based on common randomness and not to transmit a particular message.

Secret Key Agreement

Assume Eve has worse channel

Secret Key Agreement

- Two steps
- Reconciliation
- Privacy amplification

We can learn from Quantum Key Distribution

[Figure labels: A, B, E.]

- Transmission
- Alice codes n random symbols X with quantum states
- Bob measures received states to obtain correlated symbols Y
- Analysis
- Evaluation of information intercepted by Eve based on simple statistical measures (bit error rate, variance)
- Reconciliation
- Correction of errors
- Minimum number of bits to transmit
- Privacy Amplification
- Choice of key size
- Random choice of compression function

security parameter

Secret information after transmission

Information exchanged during reconciliation

How about wireless security?

Barros, Rodrigues, ISIT06

With fading the instantaneous secrecy capacity can be strictly positive

- Goal: exploit channel variability to secure information

Opportunistic Secret Key Agreement

Bloch, Barros, Rodrigues, McLaughlin 06

- Cs > 0
- share common randomness

Cs0 communicate securely (e.g one-time pad)

Cs0 generate secret key

Opportunistic secret key agreement

Reconciliation

- Correct discrepancies between A and B using reconciliation information.
- In practice small overhead o (10%), thus you have to transmit
- $(1 + o)\, H(X|Y_M)$ bits per symbol.
- Assign binary labels to each of the transmitted symbols and use multilevel coding. The syndromes are used as reconciliation information.
- Very similar to source coding with side information.

Two Modes of Operation

- Perfect Information-theoretic Security: generate a secret key and use it as a one-time pad (perfect security at very low rates)
- Combined physical layer and cryptography: generate a secret key and use a symmetric cipher such as AES (very high rates are possible)
- Example: with fraction of time dedicated to secret key generation as small as 1%, we can renew a 256-bit encryption key every 25 kbits, i.e. with SNR(M) = 10 dB and SNR(W) = 20 dB, at an average rate of 2 Mbps, this would renew a key every 16 milliseconds.

Average secure communication rate

- Case of perfect CSI - communication with one-time pad

Protocol optimal

Practical Considerations

- It is possible to exploit the noise of fading channels to generate secret keys, even with imperfect CSI
- Reconciliation efficiency 90% over wide range of SNRs
- Some latency and complexity (long block length of LDPC code)
- Combine physical layer and standard cryptography
- Ex: AES with high key regeneration rate
- We require a small shared key for authentication.

M. Bloch, J. Barros, M. R. D. Rodrigues and S. W. McLaughlin, Wireless Information-Theoretic Security, IEEE Transactions on Information Theory, June 2008.

Advanced Topics and Applications

Network Security

What happens when we have multiple parties communicating over unreliable noisy networks with multiple eavesdroppers and jammers?

- Interference
- Cooperation
- Feedback

Multi-user Secrecy Generation

M users communicate messages F and agree on secret key K

- common secret key
- secrecy against eavesdropper
- uniformity
- secret key (SK) capacity is the largest entropy rate of K

Example with three users and two-bit sequences

Csiszár and Narayan, 2006

- Bob and Charlie observe sequences of Bernoulli (1/2) symbols.
- Alice observes the symbolwise XOR of their sequences.

- Optimal Secret Key Agreement
- Alice sends
- Bob sends
- Charlie sends
- All are able to recover

- Eavesdropper is in the dark
- SK rate

Encoding Correlated Sources

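[Figure: Source 1 and Source 2 emit correlated symbols U1, U2 ~ p(u1,u2); Encoder 1 and Encoder 2 send them at rates R1 and R2 to the decoder at the sink, which outputs Û1 and Û2. Rate region in the (R1, R2) plane, with points attributed to Shannon 1948 and Slepian Wolf 1973.]

- $R_1 > H(U_1|U_2)$
- $R_2 > H(U_2|U_1)$
- $R_1 + R_2 > H(U_1, U_2)$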

Many correlated sources

Perfect reconstruction is possible if and only if

[Figure: sources U1, U2, ..., UM at nodes 1, 2, ..., M with rates R1, R2, ..., RM.]

for all sets

Secret Key Capacity for Two Terminals

Maurer 93, Ahlswede and Csiszár, 93

[Figure: Alice observes U1 and Bob observes U2; non-interactive communication at rates $R_1 > H(U_1|U_2)$ and $R_2 > H(U_2|U_1)$.]

Secret Key Capacity for Multiple Terminals

Csiszár and Narayan, 2006

is the minimum sum rate required for all terminals to be able to reconstruct all sources with arbitrarily small probability of error.

Notice that in this case the eavesdropper observes only the communication between the nodes and not one of the correlated sources.

Extensions and Variations

- Secret key agreement with helpers [Csiszár, Narayan, 2005]
- Multiple group keys with secrecy with respect to a prescribed subset of users [Ye, Narayan, 2005]
- Satellite Channel Model [Csiszár, Narayan, 2005]
- Secret key capacity when eavesdropper observes a correlated source of randomness remains unsolved.

Active Attacker

- Adversary has access to the communications channel used by the legitimate parties and can do the following
- Send / Receive
- Read
- Replay
- Forge
- Block
- Modify
- Insert

Secret Key Agreement with Public Discussion

Maurer, 93 Maurer, Wolf, 03

[Figure: Alice sends X^n over the channel p(yz|x); Bob receives Y^n and Eve receives Z^n; a public unauthenticated channel is available.]

- Alice and Bob want to increase their secrecy capacity by exchanging information over the feedback channel and generate a secret key.
- But what if Eve is allowed to read and write on the public channel?
- Adversary with infinite computing power
- Adversary with complete control over public channel.

Source Model

[Figure: Alice observes X^n and outputs SA, Bob observes Y^n and outputs SB, Eve observes Z^n, drawn from p(x,y,z); public authenticated channel.]

- Alice and Bob see X^n and Y^n and exchange messages C = (C1, C2, C3, . . ., Ct)
- Outcome of the key generation process: H(SA|CX) = 0 or H(SB|CY) = 0
- Alice sends (C1, C3, . . . , C2k1, . . .), Bob sends (C2, C4, . . ., C2k, . . .)
- Eve gets to see a correlated random variable Z^n and can read and write on the public channel.

Impossibility Results

- Simulatability Condition
- To generate a key, Alice and Bob must have advantage over Eve in terms of the distribution $P_{XYZ}$
- Eve must not be able to generate from Z a random variable X which Bob, knowing Y, is unable to distinguish from X (and vice versa).
- Secret Key Capacity with Active Adversary
- Either a secret key can be generated at the same rate as in the (well-studied) passive-adversary case, or such secret key agreement is completely impossible
- if Eve can use Z to simulate X or to simulate Y the secret key capacity is zero.

Information-theoretically Secure Message Authentication

Maurer, 2000

- We assume opponent has unlimited computing power and knows everything about the system except for a secret key.
- Can we provide bounds on an opponent's cheating probability for a given tolerable probability of rejecting a valid message?
- Hypothesis testing problem: decide whether a received message is authentic or not
- Either the message was generated by the legitimate sender knowing the secret key
- Or by an opponent without a priori knowledge of secret key.

Problem Setup

- Sender and receiver share a secret key K
- Sender: sequence of plaintext messages
- Each is authenticated by sending an encoded message which depends on K, Xi and encoded possibly also using the previous plaintext messages and
- Receiver
- based on , and possibly also on and , decides to either reject the message or accept it as authentic
- in case of acceptance decodes to a message

Possible Attacks

- The opponent with read and write access to communication channel can use either of two different strategies for cheating
- Impersonation attack at time the opponent waits until he has seen the encoded messages and then sends a fraudulent message which he hopes to be accepted by the receiver as the message
- Substitution attack at time the opponent lets pass messages , intercepts , and replaces it by a different message which he hopes to be accepted by the receiver

Results

- When a sequence of messages is to be authenticated, an opponent can choose the type of attack with the highest success probability
- A secret key K is used optimally when the maximum of the success probability is minimal
- When it is required that a legitimate message is always accepted a0 in all of these possible attacks,

PHY-Based Authentication

Trappe et al, 2007

- Spoofing detection
- Verify if a transmission came from a particular transmitter
- Location information can be extracted to authenticate a transmitter relative to its previous location.

- Estimates channel
- h hAB (t,t)
- Compares against
- h hAB (t-1,t)
- Accepts transmission if h h

Bob

Alice

- Estimates channel
- hEB (t,t)
- Verification fails!!!
- Does not accept Eve as Alice!

Eve

Spread Spectrum Communications and Jamming

- Direct Sequence / Frequency Hopping: use pseudo-random sequences to spread the narrowband signal over a wide band of frequencies
- Effective against narrow-band jamming; lowers probability of intercept; can provide privacy if spreading sequence is kept secret
- Used in Code Division Multiple Access (CDMA) systems.

Médard, 1997

Capacity of Channels with Correlated Jamming

[Figure: Alice sends X; Bob receives Y with noise NM; Eve receives Z with noise NW.]

- Repeat-back jamming in wireless networks (e.g. amplification, modification and retransmission of intercepted signals, inducing errors in radars and receivers).
- Jammer can cause a lot of harm even with access to only a noisy version of the sent signal, with phase or timing jitter and with limited processing capabilities.
- Not detectable via the received power at Bob.
- Extended to Multiple Access Channels by Shafiee and Ulukus, 2005

Cooperative Jamming in the Gaussian Multiple Access Channel

Tekin and Yener, 2006

[Figure: Alice (Encoder 1) maps U1 to X1 and Charlie (Encoder 2) maps U2 to X2; the channel p(yz|x1 x2) delivers Y to Bob's decoder and Z to Eve's decoder.]

- Secrecy conditions can be individual or collective, yielding different results for each case.
- Alice and Charlie can cooperate to increase Eve's uncertainty about the sent messages.

General Broadcast Channel with Multiple Secrecy Conditions

[Figure labels: Alice (Encoder) with U2, U1 and X; channel p(y1 y2|x); Bob (Decoder 1) with Y1 and Û1; Eve (Decoder 2) with Y2 and Û2.]

- [Csiszár and Koerner, 1978] considered one secrecy condition.
- [Liu et al., 2006] provided inner bound for two secrecy conditions, and also for interference channels.

Multiple Access Channel with confidential messages

[Figure labels: Alice (Encoder 1) with U1, X1, Y1; Charlie (Encoder 2) with U2, X2, Y2; channel p(y1 y2 yz|x1 x2); Bob (Decoder) with Y; Eve (Decoder) with Z; U0; p(u1) p(u2).]

- Cooperative jamming over the Gaussian MAC [Tekin and Yener, 2006]
- With channel outputs at the encoders: individual secrecy conditions [Liang and Poor, 2006]

Relay Channel with confidential messages

- Discrete Memoryless Case [Oohama, 2004]
- Randomization helps to increase the rate-equivocation region.

[Figure labels: Eve with Z^n and S^n; Alice with X^n; channel p(yz|xs); Bob with Y^n.]

Exploiting MIMO

Goel and Negi, 2005

[Figure labels: Bob, Alice, Eve.]

- Alice can leverage multiple antennas by transmitting artificial noise into the null space of Bob
- This approach can be used effectively, even when position of Eve is unknown.

Jamming to increase the secrecy capacity

[Figure: Alice sends X; Bob receives Y with noise NM; Eve receives Z with noise NW.]

- Can we increase the noise in Eve's channel without affecting Bob?

Increasing the Secrecy Capacity with Jammers

Jammer Impact on Outage Secrecy Capacity in Fading Environment

Multiple Jammers in Fading Environment

Store-and-Forward versus Network Coding

Ahlswede, Cai, Li and Yeung, 2000

- In today's networks, information is viewed as a commodity, which is transmitted in packets and forwarded from router to router pretty much as water in pipes or cars in highways.
- In contrast, network coding allows intermediate nodes to mix different information flows by combining different input packets into one or more output packets.

A simple three-node example

[Figure: nodes A, B, C; packets a, a, b, b.]

In the current networking paradigm we require 4 transmissions.

Network Coding

[Figure: nodes A, B, C; packets a, b, a⊕b.]

With network coding we require only 3 transmissions.

Algebraic Framework for Network Coding

Koetter and Médard, 2003

- Binary vector of length m element in
- Random processes at nodes
- Transfer matrix
- Generalized MIN-CUT MAX-FLOW Condition

Packetized Network Coding

- Assume each packet carries L bits
- s consecutive bits can be viewed as a symbol in
- Perform network coding on a symbol by symbol basis.
- Output packet also has length L.
- Send the coefficients (the encoding vector) in the header.
- Information is spread over multiple packets.

[Figure labels: enc. vector, L, s.]

Practical Considerations

- Encoding: elementary linear operations which can be implemented in a straightforward manner (with shifts and additions).
- Decoding: once a receiver has enough linearly independent packets, it can decode the data using Gaussian elimination, which requires operations.
- Generations: to manage the complexity and memory requirements, we mix only generations with fixed number of packets and limit the field size. Each keeps a buffer sorted by generation number. Non-innovative packets are discarded.
- Delay: since we must wait until we have enough packets to decode, there is some delay (not very significant, since we require less transmissions in many relevant scenarios)

Benefits beyond throughput

- Reliability: Network Coding can achieve optimal delay and rate in the presence of erasures and errors.
- Simpler Optimization: the multicast routing problem is NP-hard (packing Steiner trees), however with network coding there exist polynomial time algorithms.
- Robustness: Random network coding is completely decentralized and preserves the information in the network, even in highly volatile networking scenarios.

Applications of Network Coding

First real-life application in July 2007: Microsoft Secure Content Downloader (a.k.a. Avalanche)

- Distributed Storage and Peer-to-Peer: robustness against failures in highly volatile networks
- Wireless Networks: information dissemination using opportunistic transmission
- Sensor Networks: data gathering with extremely unreliable sensing devices
- Network Management: assessing critical network parameters (e.g. topology changes and link quality)

Classes of Network Coding Protocols

- We distinguish between two types of protocols
- stateless network coding protocols, which do not rely on network state information (e.g. topology or link costs) to decide when to mix different packets (e.g. Random Linear Network Coding)
- state-aware network coding protocols, which rely on partial or full network state information to compute a network code or determine opportunities to perform network coding in a dynamic fashion (e.g. COPE).

Network Coding Security Taxonomy

Network Coding Protocols

State information

Security Infrastructure

Cooperative

Key Management

Cooperative Security Gkantsidis, Rodriguez, 06

Signatures Content Dist. Zhao et al, 07

Secret Key Dist. Oliveira, Barros, 07

SPOC Vilela, Lima, Barros, 08

some intrinsic security (no state information) Prone to Byzantine attacks Prone to Byzantine attacks Network state information

- Extra redundancy - Hash symbols included in packets - Cooperative security schemes - Homomorphic hash functions Signatures Key distribution Confidentiality

Network Coding A Free Cipher?

Lima, Médard and Barros, ISIT07

- Nodes are assumed to be nice but curious

(comply with protocol but could be malicious

eavesdroppers) - Intermediate nodes have different levels of

confidentiality - Nodes T and U have partial information about the

data - Node W has full access to the data
- Node X cannot decode any useful data a free

cypher!

[Figure: network with nodes S, T, U, W, X, Y and Z; links are labelled a, b and ab]

Previous work considered wiretapping attacks on multiple links, e.g. Cai and Yeung, 02; Feldman et al, 04; Bhattad et al, 05.

Secure Network Coding

[Figure: two networks with nodes S, T, U and R; link labels: a b c d, e f g h, and coded combinations of the symbols a to h]

- Nodes T and U have access to half of the sent data.
- Nodes T and U need to decode to obtain partial data.

Algebraic Security Criterion

- Definition (Algebraic Security Criterion): The level of security provided by random linear network coding is measured by the number of symbols that an intermediate node v has to guess in order to decode one of the transmitted symbols.
- In other words, we compute the difference between the global rank of the code and the local rank in each intermediate node.
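The criterion above, worked through as an added example (not code from the slides): Gaussian elimination over a prime field on the coding vectors a node has observed gives its local rank, the gap to the global rank, and the symbols it can already read off. The field size GF(257), the function names and the sample coding vectors are assumptions made for illustration.

```python
P = 257  # prime field size, assumed for this example

def rref(rows, p=P):
    """Reduced row-echelon form over GF(p); returns only the nonzero rows."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        sel = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if sel is None:
            continue
        m[rank], m[sel] = m[sel], m[rank]
        inv = pow(m[rank][col], -1, p)          # modular inverse of the pivot
        m[rank] = [x * inv % p for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return m[:rank]

def assess(observed, global_rank, p=P):
    """Return (local rank, rank gap, indices of symbols decodable right now)."""
    basis = rref(observed, p)
    # A row with a single nonzero entry (a unit vector) exposes that symbol.
    exposed = [row.index(1) for row in basis if sum(x != 0 for x in row) == 1]
    return len(basis), global_rank - len(basis), exposed

# Constructed coding vectors for two source symbols (a, b):
NODE_T = [[1, 0]]            # sees a only
NODE_X = [[1, 1]]            # sees only the mixture of a and b
NODE_W = [[1, 0], [0, 1]]    # sees a and b
# Constructed coding vectors for four source symbols:
DENSE = [[3, 5, 7, 11], [2, 4, 6, 9]]     # two generic combinations
PARTIAL = [[1, 2, 0, 0], [1, 3, 0, 0]]    # mixes only the first two symbols

if __name__ == "__main__":
    for name, obs, g in [("T", NODE_T, 2), ("X", NODE_X, 2), ("W", NODE_W, 2),
                         ("dense", DENSE, 4), ("partial", PARTIAL, 4)]:
        print(name, assess(obs, g))
```

DENSE and PARTIAL have the same rank gap, yet only PARTIAL leaks symbols: rank alone does not capture the partially diagonalizable case.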

Results

- Theorem 1: The probability $P(l_d > 0)$ of recovering a strictly positive number of symbols $l_d$ at the intermediate nodes (by Gaussian elimination) goes to zero for sufficiently large number of nodes and alphabet size.
- Proof Idea
- An intermediate node can gain access to relevant information
- when the partial transfer matrix has full rank
- when the partial transfer matrix has diagonalizable parts.
- Carry out independent analyses in terms of rank and in terms of partially diagonalizable matrices.
- Show that the probability of having partially diagonalizable matrices goes to zero for sufficiently large number of nodes and alphabet size.

SPOC - Secure Practical netwOrk Coding

- Assured confidentiality against attacker with access to all the links.
- Two types of coefficients
- Locked
- Unlocked
- Same operations
- Requirements
- Key management mechanism

SPOC - Secure Practical netwOrk Coding - Results

Number of AES encryption operations according to the payload size, for SPOC (encryption of locked coefficients) versus traditional encryption mechanism (encryption of the whole payload).

SPOC - Secure Practical netwOrk Coding - Results

Packet size overhead of including the locked coefficients, per packet.

Mutual Information between Payload and Coding Coefficients

Lima, Vilela, Barros, Médard, 2008

Detection of Byzantine Modification

Ho et al, ISIT 2004

- Hash symbols, calculated as simple polynomial functions of the source data, are included in each source packet.
- Receiver nodes check if decoded packets are consistent, i.e. have matching data and hash values.
- Additional computation is minimal as no other cryptographic functions are involved.
- Detection probability can be traded off against communication overhead, field size (complexity) of the network code and the time taken to detect an attack.

[Figure: packet layout with enc. vector and hash fields; labels L and s]

Gkantsidis, Rodriguez, Infocom 2006

Cooperative security for network coding

- Cooperation to achieve on-the-fly detection of malicious packets.
- Homomorphic hash functions: a hash of an encoded packet is easily derived from the hashes of the previously encoded packets.
- However, these hash functions are computationally expensive.
- To increase efficiency, every node performs block checks with a certain probability and alerts its neighbors upon detection.
- In addition, there exist techniques to prevent Denial of Service (DoS) attacks aimed at the dissemination of alarms.
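The homomorphic property described above, as an added example that is not from the slides: a node checks a network-coded packet against the hashes of the source blocks without seeing the blocks themselves. The hash form (a product of generator powers in a prime-order subgroup), the toy parameters and all names are assumptions; primes this small give no security.

```python
# Toy parameters, constructed for illustration only.
Q = 1019            # prime subgroup order; packet symbols live in Z_Q
P = 2 * Q + 1       # 2039 is prime, so the squares mod P have order Q
M = 4               # symbols per block
G = [pow(i + 2, 2, P) for i in range(M)]   # one generator per symbol position

def hhash(block):
    """h(x) = product of g_i^(x_i) mod P."""
    h = 1
    for g, x in zip(G, block):
        h = h * pow(g, x % Q, P) % P
    return h

def encode(blocks, coeffs):
    """Network-coded packet: sum_j c_j * block_j, symbol by symbol, over Z_Q."""
    return [sum(c * b[i] for c, b in zip(coeffs, blocks)) % Q for i in range(M)]

def expected_hash(block_hashes, coeffs):
    """Hash the coded packet must have, derived from the source hashes only."""
    h = 1
    for bh, c in zip(block_hashes, coeffs):
        h = h * pow(bh, c % Q, P) % P
    return h

def verify(packet, coeffs, block_hashes):
    return hhash(packet) == expected_hash(block_hashes, coeffs)

BLOCKS = [[10, 20, 30, 40], [7, 0, 1018, 3], [500, 600, 700, 800]]  # constructed
HASHES = [hhash(b) for b in BLOCKS]   # distributed by the source in advance
COEFFS = [5, 1000, 42]                # coding coefficients carried in the packet

def demo():
    good = encode(BLOCKS, COEFFS)
    bad = list(good)
    bad[2] = (bad[2] + 1) % Q         # one symbol altered by a Byzantine node
    return verify(good, COEFFS, HASHES), verify(bad, COEFFS, HASHES)
```

Every check costs one modular exponentiation per symbol, which is the expense that motivates checking only with a certain probability.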

Resilient Network Codes

Jaggi et al., Infocom 2006

Koetter and Kschischang, 2007

- Use the error correction capabilities of linear network coding.
- An active attacker can be viewed as a second source of data.
- Add enough redundancy to allow the destination to distinguish between valid and erroneous packets.
- Some information may have to be protected by a shared secret key.

Sensor Networks

Task: Collect and transmit data through secure links

Data confidentiality

Constraints

- Energy
- Limited Data Rate
- Processing Power
- Memory

Secret Key Distribution

How can each pair of neighboring nodes share a secret key?

Key Pre-distribution

- Goal: Store keys into the memory of the sensor nodes for them to share a secret with their neighbors after the deployment.
- Challenges
- Minimize the impact of compromised nodes
- Efficient use of the resources
- Scalability in dynamic environments
- Avoid single points of attack.

Secret Key Distribution using Network Coding

Oliveira and Barros, 2007

- Our approach
- Key pre-distribution scheme
- Efficient use of resources
- Uses a mobile node to blindly complete the key distribution process
- Designed for dynamic scenarios.
- Prior to sensor node deployment
- Generate a large pool of keys and their identifiers
- Load different keys and the corresponding identifiers into the memory of each sensor node
- Store in the memory of the mobile node all the keys encrypted with the same one-time pad and their corresponding identifiers.

Secret Key Distribution in WSNs

Oliveira and Barros, 2007

- After sensor node deployment

[Figure: nodes A, B and S exchanging Hello messages]

One-Time Pad Security

Oliveira, Costa and Barros, 2007

- One-time pad is secure if the key is
- Truly random
- Never reused
- Kept secret.
- The knowledge of

does not increase the information that

the attacker has about any one key
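The pre-distribution steps and the Hello exchange, sketched as an added example that is not from the slides. It assumes the Hello messages carry key identifiers and that the mobile node S answers with the XOR of the two stored entries, so the shared pad cancels; the key length, identifiers and function names are also assumptions.

```python
import secrets

KEY_LEN = 16  # bytes; assumed key size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def predistribute(node_ids):
    """Prior to deployment: one key per node, padded copies for the mobile node."""
    pad = secrets.token_bytes(KEY_LEN)        # single pad R, stored nowhere
    node_keys, mobile_store = {}, {}
    for n, node in enumerate(node_ids):
        key_id, key = f"id-{n}", secrets.token_bytes(KEY_LEN)
        node_keys[node] = (key_id, key)       # loaded into the sensor node
        mobile_store[key_id] = xor(key, pad)  # mobile node holds only K xor R
    return node_keys, mobile_store

def mobile_reply(mobile_store, id_a, id_b):
    """Mobile node S: (K_a xor R) xor (K_b xor R) = K_a xor K_b, R cancels."""
    return xor(mobile_store[id_a], mobile_store[id_b])

def recover_peer_key(own_key, reply):
    """Sensor node: strip its own key from the reply to get the neighbour's."""
    return xor(own_key, reply)

def run_exchange():
    node_keys, store = predistribute(["A", "B"])
    (id_a, k_a), (id_b, k_b) = node_keys["A"], node_keys["B"]
    # A and B announce id_a and id_b in their Hello messages; S answers once.
    reply = mobile_reply(store, id_a, id_b)
    return {"k_a": k_a, "k_b": k_b, "reply": reply,
            "a_learns": recover_peer_key(k_a, reply),
            "b_learns": recover_peer_key(k_b, reply)}

if __name__ == "__main__":
    r = run_exchange()
    print(r["a_learns"] == r["k_b"], r["b_learns"] == r["k_a"])
```

The mobile node completes the exchange blindly: it only ever combines padded entries and never holds a key in the clear.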

Extensions and Variations

- Mobile key distribution for many nodes
- Group and cluster keys
- Key revocation
- Key renewal
- Authentication

Millionaires' problem

- Suppose 2 millionaires want to determine which one is richer, without revealing the precise amount of their wealth.

In the general secure multi-party computation problem, users u1, u2, ..., un possess data d1, d2, ..., dn and want to compute the outcome of a public function F(d1, d2, ..., dn) without revealing d1, d2, ..., dn.

Other Problems beyond Secure Communication

- Communicating securely is not the only problem in cryptography.
- Problem: Suppose Alice and Bob are linked through a network and want to flip a coin. How can they ensure that the coin flip is fair?

[Figure: Alice and Bob linked through a network]

- Solution: Alice and Bob send one bit each in separate envelopes. They open the envelopes simultaneously and take the XOR of the two bits.
- The protocol works if and only if
- Bob knows nothing about Alice's bit before he sends his envelope
- Alice cannot change her bit once the envelope is sealed.
- ...and vice versa (for Bob's bit).

Bit Commitment

[Figure: a strong box holding bit b, shown in the Commit and Open phases]

Alice puts a bit b in a strong box

Alice gives this box to Bob. She cannot change b

Later Alice can unveil b to Bob

- A commitment scheme is said to be secure if it is
- Binding: the probability that Alice can successfully open two different commitments is negligible.
- Concealing: Bob gets at most negligible information on b before the opening phase.
- Correct: the probability that honest Alice fails to open a commitment is negligible.

Bit Commitment over the erasure channel

b = parity(X)

- Commit Phase
- Alice selects a random codeword with parity equal to the value she wants to commit to and sends it to Bob through the erasure channel.
- Open Phase
- Alice sends the codeword she has sent in the commit phase over a noiseless channel. Bob rejects if the codeword he receives differs in at least one position from the codeword he received through the noisy channel.

Bit Commitment over the erasure channel

b = parity(X)

- Protocol Analysis
- Bob learns the commitment with probability
- Alice unveils a bit different than the one she committed to and is not detected with probability

- Problems
- Non-negligible error probability (binding condition)
- The channel is used n times to commit to a single bit.
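The commit and open phases, as an added example that is not from the slides, with the erased positions passed in explicitly so each outcome is reproducible. The function names are assumptions, and the two probability helpers are this example's own derivation for an n-bit word and independent erasures with probability e.

```python
import secrets

def commit(bit, n):
    """Alice: a random n-bit word X with parity(X) == bit."""
    x = [secrets.randbelow(2) for _ in range(n - 1)]
    x.append((bit - sum(x)) % 2)
    return x

def erasure_channel(x, erased):
    """Bob's view of X: None marks the positions the channel erased."""
    return [None if i in erased else v for i, v in enumerate(x)]

def bob_knows_bit(view):
    """One missing symbol hides the parity completely."""
    return None not in view

def open_commitment(view, opened):
    """Bob: reject (None) on any mismatch in an unerased position,
    otherwise accept and output the parity of the opened word."""
    if len(opened) != len(view):
        return None
    if any(v is not None and v != o for v, o in zip(view, opened)):
        return None
    return sum(opened) % 2

def cheat(x, position):
    """Alice flips one bit so that the opened word has the opposite parity."""
    y = list(x)
    y[position] ^= 1
    return y

def p_bob_learns(e, n):
    """Bob learns b before opening only if none of the n symbols is erased."""
    return (1 - e) ** n

def p_alice_cheats(e):
    """A single flipped bit goes unnoticed only if that position was erased."""
    return e

if __name__ == "__main__":
    x = commit(1, 8)
    view = erasure_channel(x, {2, 5})         # constructed erasure pattern
    print(open_commitment(view, x))           # honest opening is accepted: 1
    print(open_commitment(view, cheat(x, 2))) # flip in an erased slot: 0
    print(open_commitment(view, cheat(x, 0))) # flip in a received slot: None
```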

Commitment Rate and Capacity

If we commit to a string of length k, what is the maximum commitment rate k/n of a secure protocol we can achieve (i.e., capacity)?

Binary string Bob learns b with probability Alice

cheats successfully with probability Commitment

rate Commitment capacity

The Commitment Capacity of DMCs

- Define a redundant channel (a channel is called non-redundant if none of its output distributions is a convex combination of its other output distributions).
- Redundancy can be cut from a channel, by removing all input symbols which are convex combinations of others.
- If after removing the redundancy of a channel, its equivocation becomes zero, the channel is called trivial.

The commitment capacity of a DMC equals its equivocation H(X|Y) after its redundancy is removed.

Winter, Nascimento, Imai 03

How about the Gaussian Channel?

Motivation

- more realistic channel model (e.g. wireless medium)
- commitment capacity for continuous channels unknown
- techniques differ from the discrete case

Average Power Constraint

Channel Capacity

How about the Gaussian Channel?

Caveat: practical wiretap codes are hard to design!

Commitment rate

- Using a wiretap interpretation of commitment, we can prove that

- Any positive will give us a binding protocol, by making it arbitrarily small, we get that the maximum achievable rate can be made arbitrarily large

The commitment capacity of the Gaussian channel is infinite.

Commitment from Secret Key Agreement

Bloch, Barros and McLaughlin, 2007

Beyond secure communication

- Cryptographic protocols based on noisy channels, Crépeau, 1997
- Commitment Capacity of Discrete Memoryless Channels, Winter, Nascimento, Imai, 2003
- Oblivious Transfer using noisy channels, Crépeau, Morozov, Wolf, 2004
- Pseudo-signatures, Broadcast, and Multi-party Computation, M. Fitzi, S. Wolf, and J. Wullschleger, 2004
- Commitment Capacity of Gaussian Channels, Barros, Imai, Nascimento and Skudlarek, 2006
- Practical Information-Theoretic Commitment, Bloch, Barros and McLaughlin, 2007

Physical-Layer Security: 10 Open Issues

1 How can we provide rigorous descriptions of security primitives?

- Information-Theoretic (Perfect or unconditional) Security
- strictest notion of security, no computability assumption
- H(M|X) = H(M) or I(X;M) = 0
- Implementable at the physical layer

- Computational Security
- Security schemes are based on (unproven) assumptions of intractability of certain functions
- Typically done at upper layers of the protocol stack

2 What are the fundamental limits of security for strong secrecy?

- Theoretical results from the seventies (Wyner, Csiszár and Koerner)
- Caveat: eavesdropper must have a worse channel.
- Renaissance of information-theoretic security in the last 2 years.
- Most results are based on weak secrecy conditions (equivocation rate)
- Strong secrecy is possible (requires CS techniques)

3 How can we leverage state-of-the art channel coding to enhance security at the physical layer?

4 How do we construct secrecy achieving codes for wireless channels?

[Figure: wiretap channel model: Alice sends a k-bit message w as X to Bob, while Eve observes Z through an erasure channel (outputs 0, 1 and "?", erasure probability e)]

- Main channel is noiseless; wire-tapper's channel is a BEC with erasure probability e
- Eve receives a subset of the transmitted bits (or packets)
- For this instance (only), we have secrecy capacity achieving codes.

5 How can we borrow from quantum cryptography?

- Common Randomness: Alice and Bob share correlated random sequences.
- Reconciliation: Alice sends Bob enough side information for Bob to reconstruct Alice's sequence.
- Privacy Amplification: Alice and Bob use hash functions to maximize Eve's equivocation.

6 How can we leverage fading?

Wireless Network with Potential Eavesdropping

- Goal: Exploit channel variability to secure information at the physical layer.

7 How can we provide security for network coding?

[Figure: network with nodes S, T, U, W, X, Y and Z; links are labelled a, b and ab]

- Intermediate nodes have different levels of confidentiality
- Nodes T and U have partial information about the data
- Node W has full access to the data
- Node X cannot decode any useful data: a free cipher?
- Active attacks can compromise the information flow.

8 How can we use coding ideas to distribute secret keys?

- Problem
- How can each pair of sensor nodes agree on a secret key?
- Our approach
- Key pre-distribution scheme
- Uses a mobile node to complete the key distribution process blindly using network coding
- Reduced memory requirements

9 How can we use physical-layer techniques to go beyond secure communication?

- Cryptography is not only concerned with communicating securely.
- Based on noisy channels and state-of-the-art error correction codes we can implement bit commitment and oblivious transfer, which are the building stones of secure multi-party computation.
- Authentication is a vital issue and could potentially be carried out over noisy channels, possibly without initial shared secret.
- Wolf and Maurer 98, Trappe et al 07
- How about anonymity?
- How about non-repudiation?

Classical Cryptography under the Computational Model

- Advantages
- no publicly-known, efficient attacks on public-key systems
- security is provided on a block-to-block basis
- if cryptographic primitive is secure then every encoded block is secure
- systems are widely deployed, technology is readily available, inexpensive

- Disadvantages
- Security is based on unproven assumptions
- No precise metrics
- trade off between reliability and security as a function of the block length is unknown
- security of the cryptographic protocol is measured by whether it survives a set of attacks or not.
- Conventional model (error free channel): secrecy capacity of these systems is zero
- can't guarantee reliable and perfectly secure system

Physical layer security under the information-theoretic (perfect) security model

- Disadvantages
- Information-theoretic security is an average-information measure.
- Requires assumptions about the communication channels that may not be accurate in practice.
- Limits its application
- A few systems (e.g. QKD) are deployed but the technology is not as widely available and is expensive.

- Advantages
- No computational restrictions placed on eavesdropper
- Very precise statements can be made about the information that is leaked
- Quantum key distribution implemented
- Wireless solutions appear
- Suitably long codes get exponentially close to perfect secrecy

10 It may well be worth rethinking our security architecture.

Bottom-up Security?

- How can we combine physical-layer security and cryptographic protocols?

Acknowledgements and credits

- Matthieu Bloch, Georgia Tech
- Miguel Rodrigues, University of Porto
- Andrew Thangaraj, IIT Madras
- Rob Calderbank, Princeton
- Anderson Nascimento, University of Brasilia
- Muriel Medard, MIT
- Luísa Lima, University of Porto
- João Paulo Vilela, University of Porto
- Paulo Oliveira, University of Porto
- Rui Costa, University of Porto
- Demijan Klinc, Georgia Tech