Embed Size (px)
Citation preview
Semantic Security for the
Wiretap Channel
Joint work with
Mihir Bellare (UCSD)
Alexander Vardy (UCSD)
Stefano Tessaro
MIT
Cryptography today is (mainly) based on computational
assumptions.
We wish instead to base cryptography on a
physical assumption.
Presence of channel noise
Noisy channel assumption has been used previously to
achieve oblivious transfer, commitments [CK88,C97]
But we return to an older and more basic setting β¦
Wynerβs Wiretap Model [W75,CK78]
ChR
ChA π(π)
πππ πβ² πππ π πΆ
Goals: Message privacy + correctness
Assumption: ChA is βnoisierβ than ChR
Encryption is keyless
Security is information-theoretic
Additional goal: Maximize rate π = |π|/|πΆ|
πΆβ²
Channels
π₯1 , π¦4, β¦ Ch
A channel is a randomized map Ch: 0,1 β 0,1
We extend the domain of Ch to {0,1}β via
Ch π₯1π₯2 β¦π₯π = Ch π₯1 Ch π₯2 β¦Ch π₯π
π¦1 = Ch(π₯1)
π¦2 = Ch(π₯2)
π¦3 = Ch(π₯3)
π¦4 = Ch(π₯4)
Ch π = π
β¦ , π₯4, π₯2, π₯3, π¦1 , π¦2 , π¦3
Clear channel:
BSCπ π = π with prob. 1 β π
1 β π with prob. π
Binary symmetric channel with error probability π:
Wynerβs Wiretap Model β More concretely
BSCπ
BSCπ π(π)
πππ πβ² πππ π πΆ
Assumption: π < π β€ 1 2
Wiretap channel β Realization
Increasing practical interest: Physical-layer security
010110β¦ .
Very short distance Very low power
Large distance
Degraded signal
e.g. credit card #
Wiretap Channel β Previous work
Two major drawbacks:
1. Improper privacy notions
Entropy-based notions
Only consider random messages
2. No polynomial-time schemes with optimal rate
Non-explicit decryption algorithms
Weaker security
35 years of previous work:
Hundreds of papers/books on wiretap
security within the information theory &
coding community
This work: We fill both gaps
Our contributions
1. New security notions for the wiretap channel model:
Semantic security, distinguishing security
following [GM82]
Mutual-information security
Equivalence among the three
2. Polynomial-time encryption scheme:
Semantically secure
Optimal rate
Outline
1. Security notions
2. Polynomial-time scheme
Prior work β Mutual-information security
BSCπ
BSCπ π(π)
πππ πβ² πππ π πΆ
Uniformly distributed!
Definition: π π; π(π) = π π β π π|π(π)
Random Mutual-Information Security (MIS-R):
π π; π(π) = π§ππ π₯ π π = Pπ(π) β log 1 Pπ(π)
π
π π|π(π) = π π π(π) β π π(π)
Critique β Random messages
BSCπ
BSCπ π(π)
πππ πβ² πππ π πΆ
We want security for arbitrary message distributions,
following [GM82]!
Common misconception: c.f. e.g. [CDS11] β[β¦] the particular choice of the distribution on π as a uniformly random
sequence will cause no loss of generality. [β¦] the transmitter can use a
suitable source-coding scheme to compress the source to its entropy prior to
the transmission, and ensure that from the intruderβs point of view, π is
uniformly distributed.β
Wrong! No universal (source-independent)
compression algorithm exists!
Uniformly distributed!
Mutual-information security, revisited
New: Mutual-Information Security (MIS)
maxPπ
π π; π(π) = π§ππ π₯
Random Mutual-Information Security (MIS-R)
π π; π(π) = π§ππ π₯
Maximize over all message distributions
Critique: Mutual information is hard to work with / interpret!
Semantic security
Semantic Security (SS)
maxπ,Pπ
maxπ¨
Pr [π¨(π(π)) = π(π)]
β maxπΊ
Pr [πΊ = π(π)] = π§ππ π₯
Maximize over all functions + message distributions
BSCπ π(π)
πππ π
π π π(π)
=
0/1
π¨ π π π π(π)
=
0/1
πΊ
Distinguishing security
Distinguishing Security (DS)
maxπ¨,π0,π1
Pr[π¨ π0, π1, π πB = B] = 1/2 + π§ππ π₯
Uniform random bit π΅
Fact:
maxπ΄,π0,π1
Pr[A π0, π1, π πB = B] =1
2+ π§ππ π₯
β maxπ0,π1
ππ π π0 ; π π1 = π§ππ π₯.
ππ π; π =1
2 Pπ π£ β Pπ π£
π£
Relations
MIS DS
SS MIS-R
Theorem. MIS, DS, SS are equivalent.
Outline
1. Security notions
2. Polynomial-time scheme
Polynomial-time scheme
BSCπ
BSCπ π(π)
πππ πβ² πππ π πΆ
Goal: Polynomial-time πππ and πππ which satisfy:
1) Correctness: Pr π β πβ² = π§ππ π₯ 2) Semantic security
3) Optimal rate
We observe that fuzzy extractors of [DORS08] can be
used to achieve 1 + 2. (Also: [M92,β¦])
[HM10,MV11] Constructions achieving 1 + 3 or 2 + 3.
This work: First polynomial-time scheme achieving 1 + 2 + 3
What is the optimal rate?
BSCπ
BSCπ π(π)
πππ πβ² πππ π πΆ
Definition: Rate π = π /|πΆ|
Previous work: [L77] No MIS-R secure scheme can
have rate higher than β π β β(π) β π(1).
Our scheme: Rate β π β β π β π(1)
Hence, β π β β(π) β π(1) is the optimal rate for all
security notions!
β π₯ = βπ₯ log π₯ β (1 β π₯) log(1 β π₯)
Our encryption scheme
π
π bits
π
π β 0π
π bits
π
πΆ
π bits
ππππ(π) π β π bits
GF 2π multiplication
Poly-time + injective
+ linear
π β€ π β 1 β β π + π(1) π
Public seed
Our encryption scheme β Security
Theorem. πππ is semantically secure.
Challenge:
Ciphertext distribution
depends on combinatorial
properties of E.
Two steps:
1. Reduce semantic security to random-message security.
2. Prove random-message security.
π
π
π β 0
π
πΆ
Our encryption scheme β Decryptability and rate
π
π
π β 0
π
πΆ
πΆβ²
π
πβ²
πβ1
πβ²
ππππ(π): ππππ(πΆβ²):
Observation. If (π, π) are encoder/decoder of ECC for
BSCπ, then correctness holds.
Optimal choice: Concatenated codes [F66],
polar codes [A09]: π = 1 β β π β π(1) π
π β π π
π
π = π β 1 β β π + π(1) π
Optimal rate: π
π= β π β β π β π(1)
Concluding remarks
Summary:
New equivalent security notions for the wiretap setting:
DS, SS, MIS.
First polynomial-time scheme achieving these security
notions with optimal rate.
Our scheme is simple, modular, and efficient.
Concluding remarks
Summary:
New equivalent security notions for the wiretap setting:
DS, SS, MIS.
First polynomial-time scheme achieving these security
notions with optimal rate.
Our scheme is simple, modular, and efficient.
Additional remarks:
We provide a general and concrete treatment.
Scheme can be used on larger set of channels.
Concluding remarks
Summary:
New equivalent security notions for the wiretap setting:
DS, SS, MIS.
First polynomial-time scheme achieving these security
notions with optimal rate.
Our scheme is simple, modular, and efficient.
Additional remarks:
We provide a general and concrete treatment.
Scheme can be used on larger set of channels.
Thank you!
