Message Transmission and Key Establishment: Conditions for Equality



SLIDE 1

Message Transmission and Key Establishment: Conditions for Equality of Weak and Strong Capacities

Hadi Ahmadi

University of Calgary (joint work with Reihaneh Safavi-Naini)

October 25, 2012

SLIDE 5

Overview

Secrecy capacity

◮ Secure message transmission (SMT) over wiretap channel [Wy75,CK78].
  ◮ Discrete memoryless channels from Alice to Bob and Eve.
  ◮ Alice wants to send Bob a message that stays private from Eve.
  ◮ SMT is possible when Eve’s channel is noisier.
  ◮ But how many message bits can be sent? Infinite!
  ◮ Say how many message bits per channel use? That is secrecy capacity!

SLIDE 6

Overview

Secrecy capacity

◮ Secure message transmission (SMT) over wiretap channel [Wy75,CK78].
  ◮ Discrete memoryless channels from Alice to Bob and Eve.
  ◮ Alice wants to send Bob a message that stays private from Eve.
  ◮ SMT is possible when Eve’s channel is noisier.
  ◮ Secrecy capacity (the highest transmission rate) is derived as

$$C^{wc}_{ws} = \max_{U \leftrightarrow X \leftrightarrow (Y,Z)} \big[ I(U;Y) - I(U;Z) \big].$$
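The secrecy-capacity expression above, evaluated numerically for binary-input channels. This is an added example, not code from the presentation: it fixes U = X, which attains the maximum when Eve's channel is a degraded version of Bob's and gives a lower bound otherwise. The function names and the two binary symmetric channels are constructed for illustration.

```python
import math

def mutual_information(p_x, channel):
    """I(X;Out) in bits; channel[x][o] = P(Out = o | X = x)."""
    outs = range(len(channel[0]))
    p_out = [sum(p * row[o] for p, row in zip(p_x, channel)) for o in outs]
    info = 0.0
    for p, row in zip(p_x, channel):
        for o in outs:
            if p * row[o] > 0:
                info += p * row[o] * math.log2(row[o] / p_out[o])
    return info

def secrecy_rate(bob, eve, steps=2000):
    """Grid search over q = P(X=1) of I(X;Y) - I(X;Z), with U = X.

    Returns (best_rate, best_q); the rate is 0.0 when no q gives Bob an edge.
    """
    best_rate, best_q = 0.0, 0.0
    for i in range(steps + 1):
        q = i / steps
        p_x = [1.0 - q, q]
        rate = mutual_information(p_x, bob) - mutual_information(p_x, eve)
        if rate > best_rate:
            best_rate, best_q = rate, q
    return best_rate, best_q

def bsc(p):
    """Binary symmetric channel with crossover probability p (constructed input)."""
    return [[1 - p, p], [p, 1 - p]]

def h2(p):
    """Binary entropy in bits."""
    return 0.0 if p in (0, 1) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

if __name__ == "__main__":
    # Eve noisier than Bob: positive rate, equal to h2(0.20) - h2(0.05).
    print(secrecy_rate(bsc(0.05), bsc(0.20)))
    # Eve less noisy than Bob: no positive secrecy rate with U = X.
    print(secrecy_rate(bsc(0.20), bsc(0.05)))
```
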

SLIDE 8

Overview

SK capacity

◮ Secret key agreement (SKE) over noisy channels [Ma93,AC93].
  ◮ Alice and Bob want to share a key that stays private from Eve.
  ◮ Secret key (SK) capacity: highest key rate in bits/channel use.
  ◮ SKE is like SMT in the wiretap channel setting.

$$C^{wc}_{wsk} = C^{wc}_{ws}$$

  ◮ By adding public discussion SK capacity increases.

$$C^{wc+pdc}_{wsk} \ge C^{wc}_{wsk}$$

SLIDE 9

Overview

weak/strong SK capacity

◮ From weak to strong security in SKE [MW00].
  ◮ Motivation: use of weak security (negligible leakage rate).
  ◮ Proposal: define strong security (negligible absolute leakage).
  ◮ Problem: relation between the two.

Definition (Weak SK capacity)

Requiring $S_A \approx S_B$ such that weak secrecy: $I(S_A; \mathrm{View}_E) \le H(S_A)\,\delta$.

Definition (Strong SK capacity)

Requiring uniform $S_A \approx S_B$ such that strong secrecy: $I(S_A; \mathrm{View}_E) \le \delta$.

Note:

Similarly one can define weak and strong secrecy capacities.

SLIDE 10

Motivation to our work

◮ Maurer and Wolf [MW00] prove strengthening security is doable without sacrificing the key rate:

$$C^{wc}_{wsk} = C^{wc}_{ssk}, \qquad C^{wc+pdc}_{wsk} = C^{wc+pdc}_{ssk}$$

◮ Followup research studied weakly secure SKE in new setups.
◮ Not clear whether these results also hold for strong security.

Question 1:

What are general conditions for the equality of weak and strong SK capacities?

Question 2:

What about weak and strong secrecy capacities (for message transmission)?

SLIDE 11

Part 1: Equality conditions for SK capacity

The MW approach

◮ For equality conditions of SK capacity, we revisit the MW proof.
◮ The proof is quite generic: slight modification makes it work for many other setups.
◮ But it does not apply to ALL existing setups.
◮ The MW approach has two phases:
  Ph1 Equality of weak and uniform SK capacities.
    ◮ This is general: works for any DM setup.
  Ph2 Construction of strong protocols from uniform ones.
    ◮ Relies on implicit assumptions...

Let’s see what is inside this phase!

SLIDE 13

Part 1: Equality conditions for SK capacity

Phase 2 of the MW approach

◮ Four steps to make a strong protocol from a uniform one:
  S1 Independent repetition of uniform protocol n times: $S_A$, $S_B$
    ◮ Cost is n times that of the uniform protocol.
  S2 Information reconciliation by universal hashing: $S_A \approx S_B$
    ◮ Resources to send function description, say l bits.
  S3 Privacy amplification by a seeded extractor: $S = \mathrm{Ext}(R, S_A)$
    ◮ Resources to generate random seed, say r bits.
    ◮ Resources to send r-bit random seed.
  S4 Uniformization to make key uniform: $H(S) = \log |S|$.
    ◮ Free: does not require resource.
◮ Proof sketch: By choosing n sufficiently large,
  ◮ the parameters l and r become negligible in cost, and
  ◮ the key size is close to n times that of the uniform protocol,
  ◮ hence the key rate stays the same.

SLIDE 14

Part 1: Equality conditions for SK capacity

Modified proof sketch

◮ Assumptions made by the MW approach:
  ◮ Channel with positive (reliability) capacity.
  ◮ Free local source of randomness.
◮ The assumptions do not hold in all setups, e.g.,
  ◮ Two-way wiretap channels [AS11] with zero reliability capacity.
  ◮ Secret key from noise [AS11*] with no random source.
◮ Are both assumptions necessary conditions?
  ◮ We remove the first assumption, i.e., need for randomness.
  ◮ Trick: using a two-source extractor for privacy amplification.

SLIDE 16

Part 1: Equality conditions for SK capacity

Modified proof sketch

◮ Our steps to make a strong protocol from a uniform one.
  S1 Independent repetition of uniform protocol 2n times:
    ◮ Alice has $(S_{A,1}, S_{A,2})$ and Bob has $(S_{B,1}, S_{B,2})$.
    ◮ Cost is 2n times that of the uniform protocol.
  S2 Information reconciliation by universal hashing: $S_A \approx S_B$
    ◮ Gives $(S_{A,1}, S_{A,2}) \approx (S_{B,1}, S_{B,2})$.
    ◮ Resources to send function description, say 2l bits.
  S3 Privacy amplification by a two-source extractor:
    ◮ Gives $S = \mathrm{TExt}(S_{A,1}, S_{A,2})$.
    ◮ Free: does not require resource.
  S4 Uniformization to make key uniform: $H(S) = \log |S|$.
    ◮ Free: does not require resource.
◮ Reliable transmission however is still needed.

Conclusion:

Weak and strong SK capacities equal in any discrete memoryless setup that allows reliable transmission.
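Step S3 replaces the random seed with a second weak source. The slides do not name the two-source extractor they use; the added sketch below (not the authors' code) assumes the one-bit inner-product extractor on toy 10-bit inputs and measures its output bias exactly against the Lindsey-lemma bound, including the degenerate case where the two sources together carry too little entropy. All names and the sample sources are constructed for illustration.

```python
import math
import random

def inner_product_bit(x, y):
    """TExt(x, y) = <x, y> mod 2, with x and y given as n-bit integers."""
    return bin(x & y).count("1") & 1

def output_bias(source_a, source_b):
    """|Pr[bit = 0] - Pr[bit = 1]| for x, y uniform on two independent sets."""
    signed = sum(1 - 2 * inner_product_bit(x, y)
                 for x in source_a for y in source_b)
    return abs(signed) / (len(source_a) * len(source_b))

def lindsey_bound(n, size_a, size_b):
    """Bias bound sqrt(2^n / (|A| |B|)) = 2^((n - k1 - k2) / 2) for flat sources."""
    return math.sqrt(2 ** n / (size_a * size_b))

def random_flat_sources(n=10, k=8, seed=1):
    """Two independent flat sources with min-entropy k bits each (constructed)."""
    rng = random.Random(seed)
    a = rng.sample(range(2 ** n), 2 ** k)
    b = rng.sample(range(2 ** n), 2 ** k)
    return a, b

def degenerate_sources(n=10):
    """k1 + k2 = n: A lives on the low half of the bits, B on the high half."""
    half = n // 2
    a = list(range(2 ** half))
    b = [v << half for v in range(2 ** half)]
    return a, b

def demo(n=10, k=8):
    a, b = random_flat_sources(n, k)
    good = (output_bias(a, b), lindsey_bound(n, len(a), len(b)))
    a, b = degenerate_sources(n)
    bad = (output_bias(a, b), lindsey_bound(n, len(a), len(b)))
    return good, bad

if __name__ == "__main__":
    (bias, bound), (bad_bias, bad_bound) = demo()
    print(f"k1 = k2 = 8 of 10 bits: bias {bias:.4f} <= bound {bound:.4f}")
    print(f"k1 = k2 = 5 of 10 bits: bias {bad_bias:.1f}, bound {bad_bound:.1f}")
```

The bound only becomes useful when the two min-entropies sum to more than the input length; in the degenerate case the output bit is constant, which is why the repetition count in S1 has to leave enough entropy in each half after Eve's view is accounted for.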

SLIDE 17

Part 2: Equality conditions for secrecy capacity

Proof sketch

◮ Steps for strong transmission protocol from weak one.
  S1 Expansion of message by extractor inversion.
    ◮ Resources to generate random bits for expansion, say r bits.
  S2 Split: message into pieces and send by weak protocol.
    ◮ Cost equals that of weak protocol.
  S3 Information reconciliation: to make key uniform.
    ◮ Resources to send function description, say l bits.
  S4 Extraction: of message by two-source extractor.
    ◮ Free: does not require resource.
◮ Reliable transmission requirement can be removed: A setup with weak secrecy capacity always allows reliable transmission.
◮ Randomness generation however is needed.

Conclusion:

Weak and strong secrecy capacities equal in any discrete memoryless setup that lets sender generate randomness.

SLIDE 18

Conclusion

◮ SMT vs. SKE: duality

| Requirement           | MW approach (SK) | Our approach (SK) | Our approach (Secrecy) |
|-----------------------|------------------|-------------------|------------------------|
| Randomness access     | required         | not required      | required               |
| Reliable transmission | required         | required          | not required           |

◮ Equality conditions: Sufficient but not necessary, e.g.,
  ◮ Noisy two-way channel $Y_A = Y_B = X_A + X_B + N$ and $Y_E = f(Y_A)$ where N is uniform.
  ◮ Secure channel $Y_B = X_A + N'$ and $Y_E = \perp$, and no randomness.

SLIDE 19

References

[AC93] Ahlswede, R., Csiszár, I.: Common randomness in information theory and cryptography. Part I: secret sharing. IEEE-IT (1993)
[AS11] Ahmadi, H., Safavi-Naini, R.: Common randomness and secret key capacities of two-way channels. ICITS (2011)
[AS11*] Ahmadi, H., Safavi-Naini, R.: Secret Keys from Channel Noise. Eurocrypt (2011)
[CK78] Csiszár, I., Körner, J.: Broadcast channels with confidential messages. IEEE-IT (1978)
[Ma93] Maurer, U.: Secret key agreement by public discussion from common information. IEEE-IT (1993)
[MW00] Maurer, U., Wolf, S.: Information-theoretic key agreement: from weak to strong secrecy for free. Eurocrypt (2000)
[Wy75] Wyner, A.D.: The wire-tap channel. Bell Sys Tech Journal (1975)