Efficient One-Way Secret-Key Agreement and Private Channel Coding


SLIDE 1

Efficient One-Way Secret-Key Agreement and Private Channel Coding via Polarization

Joseph M. Renes, Renato Renner, David Sutter Institute for Theoretical Physics ASIACRYPT 2013, Bangalore

1 / 13

SLIDE 2

Information Theoretic Cryptography

[Diagram: Alice and Bob connected by an authentic channel]

Goal: information-theoretically secure private communication

  • impossible [Shannon’48]
  • possible when assuming correlated randomness [Maurer’93]
  • one-way secret key agreement
  • private channel coding over a wiretap channel

2 / 13

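SLIDE 3

One-Way Secret-Key Agreement (SKA)

[Diagram: source $(P_{XYZ})^N$ with outputs $X^N$, $Y^N$, $Z^N$; blocks $\tau_A(\cdot)$ (output $S_A^J$) and $\tau_B(\cdot)$ (output $S_B^J$); message $C$. Legend: Alice, Bob, Eve, uniformly distributed resources]

  • reliability: $\lim_{J\to\infty} \Pr\left[S_A^J \neq S_B^J\right] = 0$
  • (strong) secrecy: $\lim_{N\to\infty} \left\| P_{S_A^J, Z^N, C} - \overline{P}_{S_A^J} \times P_{Z^N, C} \right\|_1 = 0$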

3 / 13

SLIDE 4

One-Way Secret-Key Agreement (SKA)

Historically

  • (weak) secrecy: $\lim_{N\to\infty} \frac{1}{N} I\left(S_A^J; Z^N, C\right) = 0$
  • (strong) secrecy: $\lim_{N\to\infty} I\left(S_A^J; Z^N, C\right) = 0$, $\lim_{N\to\infty} \delta\left(P_{S_A^J}, \overline{P}_{S_A^J}\right) = 0$

insufficient [Maurer&Wolf’00]

3 / 13

SLIDE 5

One-Way Secret-Key Agreement (SKA)

Thm [Csiszár&Körner’78]: One-way secret-key rate

$$S_\to(X;Y|Z) = \begin{cases} \max_{P_{U,V}} & H(U|Z,V) - H(U|Y,V) \\ \text{s.t.} & V -\!\circ\!- U -\!\circ\!- X -\!\circ\!- (Y,Z), \\ & |\mathcal{V}| \le |\mathcal{X}|,\ |\mathcal{U}| \le |\mathcal{X}|^2. \end{cases}$$

3 / 13

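SLIDE 6

Private Channel Coding (PCC)

[Diagram: $M^J$ → enc → $X^N$ → channel $W^N$ (components $W_1^N$, $W_2^N$) with outputs $Y^N$, $Z^N$; $Y^N$ → dec → $\hat{M}^J$. Legend: Alice, Bob, Eve]

  • reliability: $\lim_{J\to\infty} \Pr\left[M^J \neq \hat{M}^J\right] = 0$
  • (strong) secrecy: $\lim_{N\to\infty} \left\| P_{M^J, Z^N, C} - \overline{P}_{M^J} \times P_{Z^N, C} \right\|_1 = 0$

Thm [Csiszár&Körner’78]: Secrecy capacity

$$C_s = \begin{cases} \max_{P_{V,X}} & H(V|Z) - H(V|Y) \\ \text{s.t.} & V -\!\circ\!- X -\!\circ\!- (Y,Z), \\ & |\mathcal{V}| \le |\mathcal{X}|. \end{cases}$$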

4 / 13

SLIDE 7

Efficient, Optimal Protocols

  • efficient ≠ practically efficient
  • optimal = achieve the highest possible rate
  • (practically) efficient one-way secret-key agreement
    • only weak secrecy, degradability assumptions [Abbe’12]
    • shared key, degradability assumptions [Chou et al.’13]
  • (practically) efficient private channel coding
    • only weak secrecy, degradability assumptions [Mahdavifar&Vardy’11]
    • binary symmetric wiretap channels (degradability?!) [Bellare et al.’12]
    • degraded wiretap channels [Sasoglu&Vardy’13]

essentially linear complexity

5 / 13

SLIDE 8

Efficient, Optimal Protocols

getting rid of these assumptions

5 / 13

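SLIDE 9

Polarization Phenomenon - Polar Codes

  • let $(X^N, Y^N) \sim (P_{X,Y})^N$
  • let $U^N = G_N X^N$, where $G_N := \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}^{\otimes \log N}$
  • For $\epsilon \in (0, 1)$, define a high- and a low-entropy set

$$R_\epsilon^N(X|Y) := \left\{ i \in [N] : H\left(U_i \,\middle|\, U^{i-1}, Y^N\right) \ge 1 - \epsilon \right\}$$

$$D_\epsilon^N(X|Y) := \left\{ i \in [N] : H\left(U_i \,\middle|\, U^{i-1}, Y^N\right) \le \epsilon \right\}$$

polar transform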

6 / 13

SLIDE 10

Polarization Phenomenon - Polar Codes

Thm [Arıkan’09]: Polarization Phenomenon: For any $\epsilon \in (0, 1)$

$$\lim_{N\to\infty} \frac{|R_\epsilon^N(X|Y)|}{N} = H(X|Y) \quad\text{and}\quad \lim_{N\to\infty} \frac{|D_\epsilon^N(X|Y)|}{N} = 1 - H(X|Y)$$

  • Heart of polar codes (for source and channel coding)

6 / 13
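The polarization statement above can be checked numerically in a case where the conditional entropies follow an exact recursion. The Python below is an added example, not code from the presentation or its authors; it assumes $X$ is a uniform bit and $Y$ is $X$ seen through erasures with probability `e` (so $H(X|Y) = e$), and all function names are hypothetical.

```python
"""Added example: polar transform and entropy sets for erasure side information."""

def polar_transform(x):
    """Return U^N = G_N X^N over GF(2), G_N = [[1,1],[0,1]] to the Kronecker power log2(N)."""
    n = len(x)
    if n == 0 or n & (n - 1):
        raise ValueError("N must be a power of two")
    u = list(x)
    half = 1
    while half < n:
        for start in range(0, n, 2 * half):
            for j in range(start, start + half):
                u[j] ^= u[j + half]  # first output of [[1,1],[0,1]]; the second is unchanged
        half *= 2
    return u

def erasure_entropies(e, levels):
    """H(U_i | U^{i-1}, Y^N) in index order, for N = 2**levels.

    Assumption (not from the slides): X is a uniform bit and Y equals X or an
    erasure with probability e, so H(X|Y) = e and every step below is exact.
    """
    h = [e]
    for _ in range(levels):
        # The XOR of two symbols is unknown unless both are seen: 2a - a^2.
        # The second symbol, given the XOR, is unknown only if both are erased: a^2.
        h = [v for a in h for v in (2 * a - a * a, a * a)]
    return h

def entropy_sets(e, levels, eps):
    """Index sets R (entropy >= 1 - eps) and D (entropy <= eps), 0-based."""
    h = erasure_entropies(e, levels)
    high = [i for i, v in enumerate(h) if v >= 1 - eps]
    low = [i for i, v in enumerate(h) if v <= eps]
    return high, low

def set_fractions(e, levels, eps):
    """(|R|/N, |D|/N); these approach (H(X|Y), 1 - H(X|Y)) as N grows."""
    high, low = entropy_sets(e, levels, eps)
    n = 2 ** levels
    return len(high) / n, len(low) / n

if __name__ == "__main__":
    print(polar_transform([1, 0, 1, 1]))
    for levels in (4, 8, 12, 16):
        r, d = set_fractions(0.3, levels, 0.01)
        print(f"N=2^{levels}: |R|/N={r:.3f}  |D|/N={d:.3f}  unpolarized={1 - r - d:.3f}")
```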

SLIDE 11

Optimal Lossless Source Coding Using Polar Codes

Task: compress $X^N$ w.r.t. side information $Y^N$

[Diagram: $X^N$ → compressor → $U[R_\epsilon^N(X|Y)]$ → decompressor (with side information $Y^N$) → $\hat{X}^N$]

7 / 13

SLIDE 12

Optimal Lossless Source Coding Using Polar Codes

  • compression
    • $U^N = G_N X^N$
    • take only $U[R_\epsilon^N(X|Y)]$
  • decompression
    • Likelihood estimation using side information $Y^N$

7 / 13

SLIDE 13

Optimal Lossless Source Coding Using Polar Codes

  • reliable [Arıkan’10]: $\Pr\left[X^N \neq \hat{X}^N\right] = O\left(2^{-N^\beta}\right)$ for $\beta < \frac{1}{2}$
  • optimal [Slepian&Wolf’73]: $H(X|Y) = \lim_{N\to\infty} \frac{1}{N} |R_\epsilon^N(X|Y)|$

$O(N \log N)$

7 / 13

SLIDE 14

One-Way Secret-Key Agreement Protocol (M=2, L=4)

[Diagram labels: Source, $X^N$, $(Y^N, Z^N)$, $\tau_A$, $\tau_B$, IR ($G_L$, twice), PA ($\widetilde{G}_M^K$), dec (twice), $C_1$, $C_2$, $S_A^J$, $S_B^J$. Layers: Privacy Amplification, Information Reconciliation]

8 / 13

SLIDE 15

One-Way Secret-Key Agreement Protocol (M=2, L=4)

  • no degradability assumptions
  • no shared key needed

8 / 13

SLIDE 16

One-Way Secret-Key Agreement Characteristics

For any $\beta < \frac{1}{2}$

  • Reliability: $\Pr\left[S_A^J \neq S_B^J\right] = O\left(M 2^{-L^\beta}\right)$
  • Secrecy: $\left\| P_{S_A^J, Z^N, C} - \overline{P}_{S_A^J} \times P_{Z^N, C} \right\|_1 = O\left(\sqrt{N}\, 2^{-\frac{N^\beta}{2}}\right)$
  • Rate: $R := \frac{J}{N} \ge \max\left\{0,\ H(X|Z) - H(X|Y) - \frac{o(N)}{N}\right\}$
  • Complexity: $O(N \log N)$

$M$ = # inner blocks, $L$ = # inputs per inner block, $N = ML$ (blocklength)

9 / 13

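SLIDE 17

Private Channel Coding (L = 4, M = 2)

[Diagram: the secret-key agreement scheme (Source; IR layer with two $G_L$ blocks; PA layer with $\widetilde{G}_M^K$; two dec blocks; $S_A^J$, $S_B^J$, $C_1$, $C_2$) next to the private channel coding scheme ($M^J$, outer enc, two inner enc blocks each feeding four uses of $W$, two inner dec blocks, outer dec, $\hat{M}^J$, $C_1$, $C_2$). Legend: Source, Secret-key agreement, Private channel coding, $W$ = Wiretap channel]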

10 / 13

SLIDE 18

Private Channel Coding (L = 4, M = 2)

[Diagram: $M^J$, outer enc, two inner enc blocks each feeding four uses of $W$, two inner dec blocks, outer dec, $\hat{M}^J$; labels $X^N$, $(Y^N, Z^N)$, $T^M$, $\hat{T}^M$, $C_1$, $C_2$]

  • Run secret-key agreement scheme in reverse
  • Mimic redundant bits
  • Approx. of the secret-key agreement scenario (shaping) → same decoder can be used

Annotations: concept introduced in [arXiv:1205.3756]; generate bits as in [Honda&Yam.’12]; generate bits as in [arXiv:1205.3756]

10 / 13

SLIDE 19

Private Channel Coding: Characteristics

For any $\beta < \frac{1}{2}$

  • Reliability: $\Pr\left[M^J \neq \hat{M}^J\right] = O\left(M 2^{-L^\beta}\right)$
  • Secrecy: $\left\| P_{M^J, Z^N, C} - \overline{P}_{M^J} \times P_{Z^N, C} \right\|_1 = O\left(\sqrt{N}\, 2^{-\frac{N^\beta}{2}}\right)$
  • Rate: $R \ge \max\left\{0,\ H(X|Z) - H(X|Y) - \frac{o(N)}{N}\right\}$
  • Complexity: $O(N \log N)$

$M$ = # inner blocks, $L$ = # inputs per inner block, $N = ML$ (blocklength)

11 / 13

SLIDE 20

Summary

One-way secret-key agreement and private channel coding

  • at the optimal rate
  • strong secrecy
  • $O(N \log N)$ computational complexity
  • no degradability assumptions
  • no preshared key

a r X i v : 1 3 4 . 3 6 5 8

12 / 13

SLIDE 21

Code Construction

Find index set at IR and PA layer

  • IR: can be done in linear time [Tal&Vardy’11]
  • PA: not fully solved yet

13 / 13