Semantic Security for the Wiretap Channel - Stefano Tessaro, MIT - PowerPoint PPT Presentation



slide-1
SLIDE 1

Semantic Security for the Wiretap Channel

Stefano Tessaro (MIT)

Joint work with Mihir Bellare (UCSD) and Alexander Vardy (UCSD)

slide-2
SLIDE 2

Cryptography today is (mainly) based on computational assumptions. We wish instead to base cryptography on a physical assumption.

Presence of channel noise

slide-3
SLIDE 3

The noisy channel assumption has been used previously to achieve oblivious transfer and commitments [CK88, C97].

But we return to an older and more basic setting …

slide-4
SLIDE 4

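Wyner's Wiretap Model [W75, CK78]

[Diagram: the sender computes $C = \mathbf{ENC}(M)$; the receiver obtains $C'$ through channel ChR and outputs $M' = \mathbf{DEC}(C')$; the adversary obtains $Z(M)$ through channel ChA.]

Goals: Message privacy + correctness

Assumption: ChA is "noisier" than ChR

Encryption is keyless

Security is information-theoretic

Additional goal: Maximize rate $R = |M|/|C|$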

slide-5
SLIDE 5

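Channels

A channel is a randomized map $\mathrm{Ch}: \{0,1\} \to \{0,1\}$.

We extend the domain of Ch to $\{0,1\}^*$ via $\mathrm{Ch}(x_1 x_2 \ldots x_n) = \mathrm{Ch}(x_1)\,\mathrm{Ch}(x_2) \ldots \mathrm{Ch}(x_n)$.

[Diagram: input bits $x_1, x_2, x_3, x_4, \ldots$ pass through Ch and come out as $y_1, y_2, y_3, y_4, \ldots$, where $y_1 = \mathrm{Ch}(x_1)$, $y_2 = \mathrm{Ch}(x_2)$, $y_3 = \mathrm{Ch}(x_3)$, $y_4 = \mathrm{Ch}(x_4)$.]

Clear channel: $\mathrm{Ch}(b) = b$

Binary symmetric channel with error probability $p$: $\mathrm{BSC}_p(b) = b$ with prob. $1 - p$, and $1 - b$ with prob. $p$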

slide-6
SLIDE 6

Wyner's Wiretap Model – More concretely

[Diagram: the wiretap model with $\mathrm{ChR} = \mathrm{BSC}_p$ and $\mathrm{ChA} = \mathrm{BSC}_q$.]

Assumption: $p < q \le 1/2$

slide-7
SLIDE 7

Wiretap channel – Realization

Increasing practical interest: Physical-layer security

[Figure labels: 010110…, e.g. credit card #; very short distance, very low power; large distance, degraded signal.]

slide-8
SLIDE 8

Wiretap Channel – Previous work

Two major drawbacks:

  • 1. Improper privacy notions
  • Entropy-based notions
  • Only consider random messages
  • 2. No polynomial-time schemes with optimal rate
  • Non-explicit decryption algorithms
  • Weaker security

35 years of previous work: Hundreds of papers/books on wiretap security within the information theory & coding community

This work: We fill both gaps

slide-9
SLIDE 9

Our contributions

  • 1. New security notions for the wiretap channel model:
  • Semantic security, distinguishing security (following [GM82])
  • Mutual-information security
  • Equivalence among the three
  • 2. Polynomial-time encryption scheme:
  • Semantically secure
  • Optimal rate
slide-10
SLIDE 10

Outline

  • 1. Security notions
  • 2. Polynomial-time scheme
slide-11
SLIDE 11

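Prior work – Mutual-information security

[Diagram: the wiretap model with $\mathrm{ChR} = \mathrm{BSC}_p$ and $\mathrm{ChA} = \mathrm{BSC}_q$; the message $M$ is uniformly distributed.]

Definition: $\mathbf{I}(M; Z(M)) = \mathbf{H}(M) - \mathbf{H}(M \mid Z(M))$, where

$\mathbf{H}(M) = \sum_{m} P_M(m) \cdot \log \frac{1}{P_M(m)}$

$\mathbf{H}(M \mid Z(M)) = \mathbf{H}(M\,Z(M)) - \mathbf{H}(Z(M))$

Random Mutual-Information Security (MIS-R): $\mathbf{I}(M; Z(M)) = \mathbf{negl}$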

slide-12
SLIDE 12

Critique – Random messages

[Diagram: the wiretap model with $\mathrm{ChR} = \mathrm{BSC}_p$ and $\mathrm{ChA} = \mathrm{BSC}_q$; the message $M$ is uniformly distributed.]

We want security for arbitrary message distributions, following [GM82]!

Common misconception, cf. e.g. [CDS11]:

"[…] the particular choice of the distribution on $M$ as a uniformly random sequence will cause no loss of generality. […] the transmitter can use a suitable source-coding scheme to compress the source to its entropy prior to the transmission, and ensure that from the intruder's point of view, $M$ is uniformly distributed."

Wrong! No universal (source-independent) compression algorithm exists!

slide-13
SLIDE 13

Mutual-information security, revisited

New: Mutual-Information Security (MIS): $\max_{P_M} \mathbf{I}(M; Z(M)) = \mathbf{negl}$

Maximize over all message distributions

Random Mutual-Information Security (MIS-R): $\mathbf{I}(M; Z(M)) = \mathbf{negl}$

Critique: Mutual information is hard to work with / interpret!

slide-14
SLIDE 14

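Semantic security

Semantic Security (SS):

$\max_{f, P_M} \left( \max_{A} \Pr[A(Z(M)) = f(M)] - \max_{S} \Pr[S = f(M)] \right) = \mathbf{negl}$

Maximize over all functions + message distributions

[Diagram: two experiments. In the first, $M$ is encrypted with $\mathbf{ENC}$ and sent through $\mathrm{BSC}_q$; the adversary $A$ gets $Z(M)$ and outputs $Y$, and the result is 1 if $Y = f(M)$ and 0 otherwise. In the second, the simulator $S$ outputs $Y$, which is compared with $f(M)$ in the same way.]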

slide-15
SLIDE 15

Distinguishing security

Distinguishing Security (DS):

$\max_{A, M_0, M_1} \Pr[A(M_0, M_1, Z(M_B)) = B] = 1/2 + \mathbf{negl}$, where $B$ is a uniform random bit.

Fact:

$\max_{A, M_0, M_1} \Pr[A(M_0, M_1, Z(M_B)) = B] = \frac{1}{2} + \mathbf{negl} \iff \max_{M_0, M_1} \mathbf{SD}(Z(M_0); Z(M_1)) = \mathbf{negl}.$

$\mathbf{SD}(X; Y) = \frac{1}{2} \sum_{L} \left| P_X(L) - P_Y(L) \right|$

slide-16
SLIDE 16

Relations

[Diagram: relations among MIS, DS, SS and MIS-R.]

  • Theorem. MIS, DS, SS are equivalent.
slide-17
SLIDE 17

Outline

  • 1. Security notions
  • 2. Polynomial-time scheme
slide-18
SLIDE 18

Polynomial-time scheme

[Diagram: the wiretap model with $\mathrm{ChR} = \mathrm{BSC}_p$ and $\mathrm{ChA} = \mathrm{BSC}_q$.]

Goal: Polynomial-time $\mathbf{ENC}$ and $\mathbf{DEC}$ which satisfy:

1) Correctness: $\Pr[M \ne M'] = \mathbf{negl}$

2) Semantic security

3) Optimal rate

  • We observe that fuzzy extractors of [DORS08] can be used to achieve 1 + 2. (Also: [M92,…])
  • [HM10,MV11] Constructions achieving 1 + 3 or 2 + 3.

This work: First polynomial-time scheme achieving 1 + 2 + 3

slide-19
SLIDE 19

What is the optimal rate?

[Diagram: the wiretap model with $\mathrm{ChR} = \mathrm{BSC}_p$ and $\mathrm{ChA} = \mathrm{BSC}_q$.]

Definition: Rate $R = |M|/|C|$

Previous work: [L77] No MIS-R secure scheme can have rate higher than $h(q) - h(p) - o(1)$.

Our scheme: Rate $h(q) - h(p) - o(1)$

Hence, $h(q) - h(p) - o(1)$ is the optimal rate for all security notions!

$h(x) = -x \log x - (1 - x) \log(1 - x)$

slide-20
SLIDE 20

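Our encryption scheme

[Diagram of $\mathbf{ENC}_S(M)$: the message $M$ ($m$ bits) and a further $k - m$ bits enter a $\mathrm{GF}(2^k)$ multiplication with the public seed $S \ne 0^k$; the result $X$ ($k$ bits) goes into $\mathbf{E}$ (poly-time + injective + linear), which outputs the ciphertext $C$ ($n$ bits).]

$m \le k - (1 - h(q) + o(1)) \cdot n$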

slide-21
SLIDE 21

Our encryption scheme – Security

  • Theorem. $\mathbf{ENC}$ is semantically secure.

Challenge: Ciphertext distribution depends on combinatorial properties of E.

Two steps:

  • 1. Reduce semantic security to random-message security.
  • 2. Prove random-message security.

[Diagram: $M$ → multiplication by $S \ne 0$ → $X$ → $\mathbf{E}$ → $C$.]

slide-22
SLIDE 22

Our encryption scheme – Decryptability and rate

[Diagram. $\mathbf{ENC}_S(M)$: $M$ ($m$ bits) and a further $k - m$ bits → multiplication by $S \ne 0$ → $X$ → $\mathbf{E}$ → $C$ ($n$ bits). $\mathbf{DEC}_S(C')$: $C'$ → $\mathbf{D}$ → $X'$ → multiplication by $S^{-1}$ → $M'$.]

  • Observation. If $(\mathbf{E}, \mathbf{D})$ are encoder/decoder of ECC for $\mathrm{BSC}_p$, then correctness holds.

Optimal choice: Concatenated codes [F66], polar codes [A09]: $k = (1 - h(p) - o(1)) \cdot n$

$m = k - (1 - h(q) + o(1)) \cdot n$

Optimal rate:

$\frac{m}{n} = h(q) - h(p) - o(1)$
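The construction from the "Our encryption scheme" slides, together with the statistical-distance form of DS from the "Distinguishing security" slide, as an added example in Python (not code from the talk or the paper). Assumptions made here: toy sizes $k = 4$, $m = 1$, a 3-fold repetition code standing in for $(\mathbf{E}, \mathbf{D})$, the $k - m$ extra bits drawn uniformly at random, and $M$ placed in the top bits of the $\mathrm{GF}(2^k)$ element.

```python
import random
from itertools import product

K, M_BITS, REP = 4, 1, 3      # toy sizes (assumed): k, m, repetition factor
PAD, N = K - M_BITS, K * REP  # k - m padding bits, ciphertext length n
POLY = 0b10011                # x^4 + x + 1, irreducible over GF(2)

def gf_mul(a, b):             # product in GF(2^K), reduced modulo POLY
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> K:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):                # a^(2^K - 2) inverts any a != 0
    r = 1
    for _ in range(2**K - 2):
        r = gf_mul(r, a)
    return r

def ecc_encode(x):            # E: repetition code (injective, linear, not rate-optimal)
    return [(x >> i) & 1 for i in range(K) for _ in range(REP)]

def ecc_decode(bits):         # D: majority vote inside each block of REP bits
    return sum((2 * sum(bits[i*REP:(i+1)*REP]) > REP) << i for i in range(K))

def enc(seed, msg, pad=None): # ENC_S(M) = E(S * (M || pad)); pad random unless given
    pad = random.getrandbits(PAD) if pad is None else pad
    return ecc_encode(gf_mul(seed, (msg << PAD) | pad))

def dec(seed, bits):          # DEC_S(C') = first m bits of S^-1 * D(C')
    return gf_mul(gf_inv(seed), ecc_decode(bits)) >> PAD

def view_dist(seed, msg, q):  # exact distribution of Z(M) = BSC_q(ENC_S(M))
    dist = dict.fromkeys(product((0, 1), repeat=N), 0.0)
    for pad in range(2**PAD):
        c = enc(seed, msg, pad)
        for z in dist:
            d = sum(a != b for a, b in zip(c, z))   # Hamming distance
            dist[z] += q**d * (1 - q)**(N - d) / 2**PAD
    return dist

def sd(seed, q):              # SD(Z(M0); Z(M1)) for the messages M0 = 0, M1 = 1
    d0, d1 = view_dist(seed, 0, q), view_dist(seed, 1, q)
    return 0.5 * sum(abs(d0[z] - d1[z]) for z in d0)
```

`sd(seed, q)` shrinks as the adversary's channel gets noisier and reaches 0 at $q = 1/2$. At these toy sizes it is far from negligible, since the bound on $m$ in the slides is asymptotic.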

slide-23
SLIDE 23

Concluding remarks

Summary:

  • New equivalent security notions for the wiretap setting: DS, SS, MIS.
  • First polynomial-time scheme achieving these security notions with optimal rate.
  • Our scheme is simple, modular, and efficient.
slide-24
SLIDE 24

Concluding remarks

Additional remarks:

  • We provide a general and concrete treatment.
  • Scheme can be used on larger set of channels.
slide-25
SLIDE 25

Concluding remarks

Thank you!