Theory and Practice
João Barros
Instituto de TelecomunicaçõesUniversidade do Porto
and EECS/MIT
Information-Theoretic Security
IEEE International Symposium on Information TheoryToronto, Canada, July 2008
Steven W. McLaughlin
School of Electrical and ComputerEngineeringGeorgia Institute of Technology
2
Today’s Layered Architecture
Standard Protocol Stack
Application
Link
Transport
Network
Physical
Programs and applications
End-to-end reliability, cong. control
Routing and forwarding
Medium access control
Channel coding and modulation
Where is security ?
3
Security: a patchwork of add-ons…
Application
Link
Transport
Network
Physical
End-to-end cryptography
Secure Sockets Layer (SSL)
Virtual private networks (IPSec)
Admission control (e.g.WPA)
Application
Link
Transport
Network
Physical Physical-layer security ?
4
A typical graduate course in cryptography and security always starts by discussing Shannon's notion of perfect secrecy (widely accepted as the strictest notion of security):
Then, it emphasizes its conceptual beauty.
Then, it states that it is basically “useless” for any practical application.
Alice
Eve
BobMessage Wdecoded
message Wb
key K
X X
X key K
Computational Security
p(w|x)=p(x)
Information-Theoretic-Security – are we biased?
5
Main Questions in this Tutorial
W
hat are the fundamental security limits at the physical layer?
W
hich notions of security are we talking about?
I
s information-theoretic security practical?
W
hat kind of code constructions can we use?
H
ow do we build protocols based on information-theoretic security?
C
an we combine physical-layer security with classical cryptography?
H
ow can we secure novel networking paradigms?
H
ow can we go beyond confidentiality at the physical layer?
H
ow can we increase our credibility in the security business?
6
Theoretical Foundations Fundamentals of Information-Theoretic Security Strong Secrecy versus Weak Secrecy Secrecy Capacity of Noisy Channels
Practical Techniques Combining Cryptography and Coding Secrecy Capacity Achieving Codes Secret Key Agreement at the Physical Layer
Advanced Topics and Applications Multi-user Secrecy and Network Coding Security Active Attacks on Coded Systems Beyond Secure Communications
Our program for today
10 Open Issues
7
What we will not do
Provide an exhaustive review of related work
Elaborate on the details of the proofs
Cover all the topics in depth
Adress quantum information theory
Say bad things about modern cryptography
8
Theoretical Foundations
9
Notions of Security
Computational Security
Alice sends a k-bit message W to Bob using an encryption scheme;
Security schemes are based on (unproven) assumptions of intractability of certain functions;
Typically done at upper layers of the protocol stack
Information-Theoretic (Perfect or unconditional) Security
strictest notion of security, no computability assumption
Prob{W | Eve’s knowledge}=Prob{W}
H(W|X)=H(W) or I(X;W)=0
e.g. One-time pad
[Shannon, 1949] : H(K) ≥ H(M)
Alice
Eve
Bobk-bit
message W
k-bit decoded
message Wb
key K
X X
X key K
10
Eve
Keyk-bit message W Xk
k bits Key
k bits
k-bit decoded message Wb
Alice
Bob
If Eve does not know the key and P(Key=k-tuple)=1/2k
then we have p(w|xk) = p(w).
Xk
Xk
One-time Pad
11
This model is somewhat pessimistic, because most communications channels are actually noisy.
Alice
Eve
Bobk-bit message W
k-bit decoded message Wb
key K key K
X X
X
Shannon’s Model
12
Reliability & Security
For Bob and Alice,
Prob{W≠Wb| Y n} → 0
With respect to Eve,
(1/n) I(W; Zn) → 0
as n → ∞
Secrecy Capacity:
Largest transmission rate at which both conditions can be satisfied.
Positive secrecy capacity only in the degraded case.
Wyner’s Wiretap Channel (I)[Wyner, 1975]
BobAliceX n
p(y|x)Y n
p(z|y)
Eve
Zn
sends W decodes Wb
13
Wyner’s Wiretap Channel (II)
BobAliceX n
p(y|x)Y n
p(z|x)
Eve
Zn
Proof Idea:A
lice assigns multiple codewords to each message, picks one at random and thus exhausts Eve’s capacity.C
onverse uses Fano’s inequality and classical arguments.
Rate-equivocation region:T
wo critical corner points (CM , D) and (CS , H(W))
Unusual shape (not convex)
H(W)
CS CM
D
Transmission rate
equivocation rate
[Wyner, 1975]
14
Because the transmission range is so short, NFC-enabled transactions are inherently
secure. Also, physical proximity of the device to the reader gives users the reassurance
of being in control of the process.
15
Broadcast Channel with Confidential Messages
Bob
AliceX n
p(yz|x)
Y n
EveZn
Secrecy capacity is strictly positive if Bob’s channel
is less
noisy than Eve’s, i.e. I(X;Y)>I(X;Z)
));();((max),(
ZUIYUICYZXU
xupS
[Csiszár & Koerner, 1978]
16
Feedback (Public Discussion)
Bob
AliceX n
p(yz|x)
Y n
EveZn
Secret Key agreement scheme
Clever protocol allows Alice and Bob to increase their secrecy capacity by exchanging information over the feedback channel
This requires a public authenticated feedback channel!
public authenticatedfeedbackchannel
[Maurer, 93]
17
Increasing the Secrecy Capacity via Feedback
Suppose Alice, Bob and Eve are connected via binary symmetric channels and a public authenticated feedback channel is available.
Noisy Channel
Error-free public
communication
Computation
Alice X V+X+E V+X+E+X V+E
Bob X+E V+X+E V V
Eve X+D V+X+E V+X+E+X+D V+E+D
Bob and Eve observe different noises (D, E).
Bob feeds back random value V plus what he observed (X+E)
Eve ends up with more noise than Bob (as in the wiretap channel)
18
Source Model
Bob
AliceX n
p(x,y,z)Y n
EveZn
public authenticated
feedbackchannel
Alice and Bob share common randomness.
Eve gets to see a correlated random variable.
Alice and Eve generate a secret key using the public authenticated channel.
[Ahlswede and Csiszar, 93]
19
Notions of Security
W
eak secrecy
S
trong secrecy
1)|(1 nn XUHn
nXUH nn )|(
[Maurer & Wolf, 2000]
The secrecy capacity of the discrete memoryless wiretap channel does not change with strong secrecy.
Proof requires fundamental tools of theoretical computer science (extractors)
20
Example of Weak Secrecy
Un
Kn
Xn
Binary data (n bits)
One-time-pad (n-k bits)
Unprotected data (k bits) Protected data (n-k bits)
This trivial scheme satisfies the weak secrecy condition while disclosing an unbounded number of bits:
Clearly, it does not satisfy the strong secrecy condition:
11)(1
)|(1
n
kkn
nXUH
nnn
nknXUH nn )|(
21
The Wireless Scenario
Wireless Network with Potential Eavesdropping
Can we exploit channel variabilityto help secure the communication?
[Barros, Rodrigues, ISIT06]
22 ITI September 2007
System Model
h
M(i)=hM, i, and hW(i)=hW, i (quasi-static fading model)
h
M and hW independent and complex Gaussian distributed
SNRs M hM2 and W hM2 exponentially distributed
23
General goal is maximization of transmission rate from Alice to Bob
R=(1/n) H(Wk)…
… and minimization of Eve’s information rate about the message,
=(1/n) I(Wk;YWn)
Secrecy capacity is maximum transmission rate R with < ε.
Cautionary Note [Maurer & Wolf, 2000]
Stronger secrecy condition for Discrete Memoryless Channels Not only the rate but the total amount of information leaked to
the eavesdropper decays exponentially fast with n. It is possible to prove strong secrecy results for wireless
channels
[Barros & Bloch, 2008]
Security Characterization
24 ITI September 2007
Instantaneous Secrecy Capacity
The instantaneous secrecy capacity for quasi-static fading channels follows directly from the Gaussian case.
sC ),1log()1log( WM { WM
WM ,0
22/ MMM Ph
22/ WWW Ph
Instantaneous signal-to-noise ratios
25
Secrecy Outage
The outage probability:
sssout RCRP Pr
- Alice chooses a target secrecy rate Rs.
- if Rs<Cs then she can communicate securely.
- otherwise, information-theoretic security is compromised.
26
Outage Probability
Outage probability for normalized target secrecy rate Rs=0.1.
Outage probability for normalized target secrecy rate Rs=0.1.
M
R
WR
M
Msout
s
sRP
12
exp2
1After some maths…
Impact ofDistance
[Barros, Rodrigues, ISIT06]
27
Outage Secrecy Capacity
Normalized outage secrecy capacity for an outage probability Pout=0.10.
Normalized outage secrecy capacity for an outage probability Pout=0.75.
Thicker lines: AWGN case; Thinner lines: Fading case.
-outage secrecy capacity: outout CP 1 outout PC
[Barros, Rodrigues, ISIT06]
Thicker lines: AWGN case; Thinner lines: Fading case.
28
Average Secrecy Capacity
Normalized average outage secrecy capacity.
When it comes to information-theoretic security, fading is really a friend and not a foe.
Thicker lines: AWGN case; Thinner lines: Fading case.
29
Imperfect CSI
Assumptions
Perfect CSI for the main channel Imperfect CSI for the wiretap channel
Proceed as if CSI was correct
Outage probability
In general, Alice underestimates the secrecy capacity
WWW hh ˆMM hh ˆ
)ˆ()ˆ( WWSS PCCP
2/21
1
2
1
2
1)ˆ(
WWP
[Bloch,Barros, Rodrigues, McLaughlin, ITW06]
30 ITI September 2007
Some recent work on (weak) secrecy capacity
S
ecure space-time communications (Hero, 2003)
S
ecrecy rates for the relay channel (Oohama, 2004)
S
ecrecy capacity of SIMO channels (Parada and Blahut, 2005)
S
ecure MlMO with artificial noise (Negi and Goel, 2005)
G
aussian MAC and cooperative jamming (Tekin and Yener, 2005)
S
ecrecy capacity of slow fading channels (Barros and Rodrigues, 2006)
M
ultiple access channel with confidential messages (Liang and Poor, Liu et al., 2006) S
ecure broadcasting with multiuser diversity (Khisti, Tchamkerten, and Wornell, 2006)
E
rgodic secrecy capacity (Gopala, Lai and El Gamal, Liang, Poor and Shamai 2007)
S
trong secrecy for wireless channels (Barros and Bloch, 2008)
… and many more.
31
Strong secrecy for Gaussian and Wireless Channels
Strong secret key agreement from Gaussian random variables Lattice codes Quantization with side information
Strong secrecy capacity for wireless channels Uses tools of [Maurer and Wolf, 2000] Maps messages to secret keys Multiple copies of weakly secure wiretap codes Quantization and Slepian Wolf codes Extractor functions for privacy amplification
[Nitinawarat, Allerton 2007]
[Barros and Bloch, ICITS 2008]
32
Comments
Information Theory provides you with tools to determine
fundamental security limits in particular at the physical layer;
There exist codes which can guarantee both reliability and
information-theoretic security;
Secure communication over wireless channels is possible even
when the eavesdropper has a better channel (on average);
When it comes to security, fading is a friend and not a foe.
33
Practical Techniques
34
Is physical-layer security practical?
Motivating examples
secure error correcting codes and the channel
coding converse
tandem error correction and cryptography
coset codes for an erasure wiretapper
Secret key agreement protocol for wireless channels
35
Secure Communication on two Gaussian channels
Tag
Attacker
X
Z
Reader
Yk-bit
message w
wb+
+Nw
Nm
Practical scenariosRFIDZoned security
Wiretap error control code
Specific error control code needed at Tag side Low complexity encoder - possibly complex decoder
Assume that the attackerhas worse SNR
36
Secure Communication on two Gaussian channels
Assume that the attackerhas worse SNR
Transmit at Cwiretapper<R<Cmain
Tag
Attacker
X
Z
Reader
Yk-bit
message w
wb+
+Nw
Nm
37
Some common sense – use an error control code
Very good error correcting code with simpleencoder
Reader recovers bitsWith good BER
Assume that the attackerhas worse SNR
Tag
Attacker
X
Z
Reader
Yk-bit
message w
wb+
+Nw
Nm
38
Coding
Very good error correcting code with simpleencoder
Eve recovers bitswith worse BER
Assume that the attackerhas worse SNR
Tag
Attacker
X
Z
Reader
Yk-bit
message w
wb+
+Nw
Nm
39
Coding with an advanced code
Tag
Attacker
X
Z
Reader
Yk-bit
message w
wb+
+Nw
Nm
40
Some secrecy rate tradeoffs
Tag
Attacker
X
Z
Reader
Yk-bit
message w
wb+
+Nw
Nm
41
System view
How would we combine this with encryption?
Tag
Attacker
ReaderX Y
Z
C2
C1Encrypt
Key
FEC Decrypt
Key
FEC
Decrypt
FEC
Key
A B
C
42
After FEC decoding
Assume Attacker SNR is ~1.5 - 2.0 dB worse than Bob’s
A A
C
BER~50%
Tag Encrypt
Key
ReaderDecrypt
Key
Attacker
DecryptKey
(e.g. near field communications)
At the encryption level
43
N/2 bits in errorAttacker does not know which onesShe needs to do 2 searchN
Assume all parties have a key -Attacker has somehow figured out the key-e.g. from a weak RFID security protocol
A A
C
BER~50%
Tag Encrypt
Key
ReaderDecrypt
Key
Attacker
DecryptKey
At the encryption level
44
N/2 bits in errorAttacker needs to - guess the N coded bits correctly - guess the M key bits correctlyShe needs to do 2 search
This time: Assume Attacker does not have a key
N+M
A A
C
BER~50%
Tag Encrypt
Key
ReaderDecrypt
Key
Attacker
DecryptKey
At the encryption level
45
Achieving the Secrecy Capacity withError Control Coding
46 46
Achieving secrecy capacity for any DMCs using capacity achieving codes
Special case - C2 is worse than C1, (both DMCs)
Use 2k capacity-approaching codes: C1 , C2 , C3 , ...
To send a message w, set X=random codeword of Cw
If Cw achieves capacity on C2 for each w => Security condition is satisfied!
If union of {C1 , C2 , C3 , ... } is reliable across C1, wb=w is possible => Reliability condition is satisfied!
[Thangaraj et al, 2004] have shown that such a selection of C1 , C2 , C3 , ... is possible.
Alice
Eve
BobX Y
Z
k-bit message
w
k-bit decoded
message wb
C2
C1
C1: Main channel; Pr{Y|X}C2: Wire tapper’s channel; Pr{Z|X}
47 47
Motivating example: BEC wiretapper channel
Main channel is noiseless; wire-tapper’s channel is a BEC with erasure probability e
Eve receives a subset of the transmitted bits (or packets)
Secrecy capacity is e
Alice
Eve
X
Z
ee1-e 1-e
Bob
Xk-bit message w
wb
o
1
1
o ?
[Wyner and Ozarov, Wiretap Channel Type II]
48 48
Conventional Encoding & Decoding
Alice
X
Bob
X
wb=HXT
Conventional encoding: Select the codeword in C with message w
••
•
•
•
•
•
•
Binary codewords of length n
k-bit message w
49 49
Security Encoding & Decoding
Now for security - encode information in coset
••
•
•
•
•
•••
•
•
•
•
Binary codewords + 1 translate (cosets)
Alice
X
Bob
X
wb=HXTk-bit message w
50 50
Security Encoding & Decoding
(n,n-k) code C with parity-check matrix H
Make C and H public
C has 2k cosets
Encoding: Select the coset of C with message w, select codeword in coset at random
••
•
•
•
•
•••
•
•
•
•
••
•
•
•
•••
•
•
•
•
Binary codewords + 3 translates (cosets)
Secrecy rate = k/n
Alice
X
Bob
X
wb=HXTk-bit message w
51 51
Security
Alice
X = x1 x2... xn
Bob wb=HXT
BEC(e)
Eve
Z = x1…xs e e e...e (e: erasure)
If each coset of C has a vector of the form x1...xs??...?, Pr{m|Z}=Pr{m} ••
•
•
•
•
•••
•
•
•
•
••
•
•
•
•••
•
•
•
•
k-bit message w
52 52
Security Property of Codes
nknsknsknsknkn
nsss
nsss
ggggg
ggggg
ggggg
G
,2,1,,1,
22,21,2221
12,11,1111
Z = x1 ... xs ? ? ... ?
If the submatrix of G corresponding to revealed positions has full column rank, all cosets of C have a vector of the form x1...xs??...?
53 53
U
rbanke and Richardson
C
onsider a (3,6)-regular LDPC matrix H; BEC threshold = 0.42
T
hreshold Interpretation: columns of H corresponding to the erased positions have full column rank if the
erasure probability is less than 0.42
H
Urbanke and Richardson, 2001
h h h h h
h h h h h
h h h h h
LDPC Codes over a BEC
54 54
LDPC Matrix Connection
LDPC Codes over a Wire Tap Channel
Let G = (3,6)-regular LDPC matrix The columns of G corresponding to the revealed
positions have full column rank if 1-e < 0.42 or the erasure probability is greater than 0.58
Z = x1 ... xs ? ? ... ?
55 55
LDPC codes over a BEC-noiseless wire tap channel
C : dual of an LDPC code with threshold e rate R; k=(1 – R)n; secrecy rate=1-R
Security guaranteed whenever 1-e < or e > 1 –
As e tends to 1 – R, we approach secrecy capacity
Capacity achieving codes for the erasure channel provide perfect security on the erasure wiretap channel
Alice
X = x1 x2... xnBob wb=HXTk-bit
message w
BEC(e)
Eve
Z
X : randomly chosen from coset of C with syndrome m
56 56
Comments
Positive Aspects First practical codes to achieve perfect secrecy - encoder and decoder are public Connection between coding threshold and security
Negative Aspects Channels C1 and C2 must be known Coding scheme above works if C1 is less noisy than C2
Other cases: BEC-BEC wire tap channel, BSC-Noiseless See:
Thangaraj, Dihidar,Calderbank, McLaughlin, and Merolla “Applications of LDPC Codes to the Wiretap Channel,” IEEE Trans IT Aug 2007
57
BREAK
58
Practical Secret Key Agreement
for Wireless Networks
59
How do we make this practical?
To fully exploit the randomness of the channel for
security purposes we need secrecy capacity-achieving
channel codes.
Unfortunately, it seems very difficult to design near-to-
optimal codes for the Gaussian wiretap channel....
BUT fortunately secret key agreement is a somewhat
“easier” problem (learn from quantum key
distribution)! Alice and Bob only have to agree on a key based on common
randomness and not to transmit a particular message.
60
Secret Key Agreement
Alice
Q
Z
QY
+
+Nwt
Nm
Q
k-bit message
Bob
me
Eve
X
10110
10101
11011
Assume Eve has worse channel
61
Two steps1. Reconciliation2. Privacy amplification
Secret Key Agreement
Alice
Q
Z
QY
+
+Nwt
Nm
Q
k-bit message
Bob
me
Eve
X
10110
10101
11011
62
Two steps1. Reconciliation2. Privacy amplification
Secret Key Agreement
Alice
Q
Z
QY
+
+Nwt
Nm
Q
k-bit message
Bob
me
Eve
X
10110
10101
11011
63
Two steps1. Reconciliation2. Privacy amplification
Secret Key Agreement
Alice
Q
Z
QY
+
+Nwt
Nm
Q
k-bit message
Bob
me
Eve
X
10110
10101
11011
64
Two steps1. Reconciliation2. Privacy amplification
Secret Key Agreement
Alice
Q
Z
QY
+
+Nwt
Nm
Q
k-bit message
Bob
me
Eve
X
10110
10101
11011
65
Two steps1. Reconciliation2. Privacy amplification
Secret Key Agreement
k-bit message
Alice
Q
Z
QY
+
+Nwt
Nm
Q
Bob
me
Eve
X
10110
10101
11011
66
Two steps1. Reconciliation2. Privacy amplification
011
011
XXX
Secret Key Agreement
Alice
Q
Z
QY
+
+Nwt
Nm
Q
k-bit message
Bob
me
Eve
X
10110
10101
11011
67
TransmissionAlice codes n random symbols X with quantum states
Bob measures received states to obtain correlated symbols Y
AnalysisEvaluation of information intercepted based by Eve based on simple statistical
measures (bit error rate, variance)
ReconciliationCorrection of errors
Minimum number of bits to transmit :
Privacy AmplificationChoice of key size
Random choice of compression function
Secret informationafter transmission
Information exchangedduring reconciliation
securityparameter
We can learn from Quantum Key Distribution
AB E
)|( YXHI rec
));()(( 0rIZXIXHnk rec
02),|( rkGZKkH
68
• Goal: Exploit channel variability to secure information
With fading the instantaneous secrecy capacity can be strictly positive
How about wireless security? [Barros, Rodrigues, ISIT06]
69
Opportunistic Secret Key Agreement
Cs>0
share common randomness
Cs=0
generate secret key
Cs=0
communicate securely (e.g one-time pad)
[Bloch, Barros, Rodrigues, McLaughlin ’06]
70
Opportunistic secret key agreement
71
Reconciliation•Correct discrepancies between A and B using reconciliation information.
• In practice small overhead ǫ (10%), thus you have to transmit (1 + ǫ)H(X|YM) bits per symbols.
• Assign binary labels to each of the transmitted symbol and use multilevel coding. The syndromes are used as reconciliation information.
• Very similar to source coding with side information.
72
Two Modes of Operation
Perfect Information-theoretic Security: Generate a secret key and use it as a one-time pad (perfect security at very low rates)
Combined physical layer and cryptography: Generate a secret key and use a symmetric cipher such as AES (very high rates are possible)
Example: with fraction of time dedicated to secret key generation as small as 1%, we can renew a 256-bit encryption key every 25kbits, i.e. with SNR(M)=10dB and SNR(W)=20 dB, at an average rate of 2Mbps, this would renew a key every 16 milliseconds.
73
Average secure communication rate
Case of perfect CSI - communication with one-time pad
Protocol optimal
74
Practical Considerations
It is possible to exploit
the noise of fading channels to generate
secret keys, even with
imperfect CSI:
R
econciliation efficiency ~90% over wide range of SNRs
S
ome latency and complexity (long block length of LDPC code)
C
ombine physical layer and standard cryptography
Ex: AES with high key regeneration rate
We require a small
shared key for authentication.M. Bloch, J. Barros, M. R. D. Rodrigues and S. W. McLaughlin,Wireless Information-Theoretic Security, IEEE Transactions on Information Theory, June 2008.
75
Advanced Topics and Applications
76
Network Security
Interference
Cooperation
Feedback
Network
X1
X3
X4
X2
Y1
Y2
?
What happens when we have multiple parties communicating over unreliable noisy networks with multiple eavesdroppers and jammers?
77
M users communicate messages F and agree on secret key K
common secret key
secrecy against eavesdropper
uniformity
secret key (SK) capacity is the largest entropy rate of K
Multi-user Secrecy Generation
1)...( 21 MKKKKP
0);( FKI
||log)( spacekeyKH
78
Example with three users and two-bit sequences
Bob
Alice
Charlie
1211BB
2221BB
3231BB
Bob and Charlie observe sequences of Bernoulli (1/2) symbols. Alice observes the symbolwise XOR of their sequences.
Optimal Secret Key Agreement
Alice sends
Bob sends
Charlie sends
All are able to recover
11B
22B
3231 BB
31B
0);,,( 3132312211 BBBBBI
2
1)(
2
131 BH
Eavesdropper is in the dark: SK rate:
[Csiszár and Narayan, 2006]
79
Encoding Correlated Sources
Decoder
Source 1 Encoder 1U1
U2
R1
R2
Û1
Û2Encoder 2
Sink
R1+R2 > H(U1U2)
R1 > H(U1|U2)
R2
R1
SlepianWolf1973
H(U1|U2) H(U1)
H(U2)
H(U2|U1)
H(U1U2)
H(U1U2)
R2 > H(U2|U1)
Encoder
Shannon1948
Source 2
p(u1,u2)
80
Many correlated sources
1
2
0
U1
U2
R10
R20
MUM
RM0
))(|)((0c
Sii SUSUHR
for all sets
Perfect reconstruction is
possible if and only if
0
,0
},,....,2,1{
S
SS
MSc
81
Secret Key Capacity for Two Terminals
[Maurer ‘93, Ahlswede and Csizár, ‘93]
BobAlice U2
R1
U1
R1 > H(U1|U2)
R2 > H(U2|U1)R2
)]|()|([),( 122121 UUHUUHUUHCSK
);( 21 UUI
non-interactive communication
82
Secret Key Capacity for Multiple Terminals
[Csiszár and Narayan, 2006]
min21 ),...,,( RUUUHC MSK
is the minimum sum rate required for all terminals to be able to reconstruct all sources with arbitrarily small probability of error.
minRNetwork
U1
U4
U6
U3
U2
U5
Notice that in this case the eavesdropper observes only the communication between the nodes and not one of the correlated sources.
83
Extensions and Variations
S
ecret key agreement with helpers [Csizár, Narayan, 2005]
M
ultiple group keys with secrecy with respect to a prescribed
subset of users [Ye,
Narayan, 2005]
S
atellite Channel Model [Csizár, Narayan, 2005]
S
ecret key capacity when eavesdropper observes a
correlated source of
randomness remains unsolved.
84
Active Attacker
Adversary has access to the communications channel used by the legitimate parties and can do the following:
Send / Receive; Read; Replay; Forge; Block; Modify; Insert;
84
85
Secret Key Agreement with Public Discussion
Bob
AliceX n
p(yz|x)
Y n
EveZn
Alice and Bob want to increase their secrecy capacity by exchanging information over the feedback channel and generate a secret key.
But what if Eve is allowed to read and write on the public channel? Adversary with infinite computing power; Adversary with complete control over public channel.
public unauthenticatedchannel
[Maurer, 93][Maurer, Wolf, 03]
86
Source Model
Bob
AliceX n
p(x,y,z)Y n
EveZn
publicauthenticated
channel
Alice and Bob see X n and Y n and exchange messages C:=(C1, C2, C3, . . .Ct)
Outcome of the key generation process: H(SA|CX) = 0 or H(SB|CY ) = 0
Alice sends (C1, C3, . . . , C2k+1, . . .), Bob sends (C2, C4, . . ., C2k, . . .)
Eve gets to see a correlated random variable Zn and can read and write on
the public channel.
SA
SB
87
Impossibility Results
Simulatability Condition
To generate a key, Alice and Bob must have advantage over Eve in terms of the distribution PXYZ;
Eve cannot be able to generate from Z a random variable X’ which Bob, knowing Y, is unable to distinguish from X (and vice versa).
Secret Key Capacity with Active Adversary
Either a secret key can be generated at the same rate as in the (well-studied) passive-adversary case, or such secret key agreement is completely impossible;
if Eve can use Z to simulate X or to simulate Y the secret key capacity is zero.
88
Information-theoretically Secure Message Authentication
We assume opponent has unlimited computing power and knows
everything about the system – except for a secret key.
Can we provide bounds on an opponent´s cheating probability for a
given tolerable probability of rejecting a valid message?
Hypothesis testing problem: decide whether a received message is
authentic or not:
Either the message was generated by the legitimate sender knowing the
secret key;
Or by an opponent without a priori knowledge of secret key.
[Maurer, 2000]
89
Problem Setup
Sender and receiver share a secret key K
Sender: sequence of plaintext messages
Each is authenticated by sending an encoded message which depends on K,Xi and encoded possibly also using the previous plaintext messages and
Receiver:
based on , and possibly also on and ,decides to either reject the message or accept it as authentic
if case of acceptance: decodes to a message
1 2, ,..., nX X X
iX
iY
1 1,..., iX X 1 1,..., iY Y
,iY Z1 1,..., iX X
1 1,..., iY Y
iY ˆiX
90
Possible Attacks
The opponent with read and write access to communication channel can use either of two different strategies for cheating
Impersonation attack at time : the opponent waits until he has seen the encoded messages and then sends a fraudulent message which he hopes to be accepted by the receiver as the message
Substitution attack at time : the opponents lets pass messages ,intercepts , and replaces it by a different message which he hopes to be accepted by the receiver
i
i
1 1,..., iY Y
iYith
1 1,..., iY Y iY
iY
91
Results
When a sequence of messages is to be authenticated, an opponent can choose the type of attack with the highest success probability;
A secret key K is used optimally when the maximum of the success probability is minimal;
When it is required that a legitimate message is always accepted α=0 in all of these possible attacks,
n1,..., nX X
1
)(
,,,,....,1, 2)max(
n
KH
nSnII PPP
92
PHY-Based Authentication
Spoofing detection
Verify if a transmission came from a particular transmitter
Location information can be extracted to authenticate a
transmitter relative to its previous location.
Probe Pulse u(t)
Alice
Eve
1. Estimates channel h = hAB (t,)2. Compares against h’ = hAB (t-1,)3. Accepts transmission if
h = h’ Spoof Alice:
Probe Pulse u(t)
1. Estimates channel hEB (t,)2. Verification fails!!! 3. Does not accept Eve
as Alice!
Bob
[Trappe et al, 2007]
93
Spread Spectrum Communications and Jamming
Direct Sequence / Frequency Hopping use pseudo-random sequences to
spread the narrowband signal over a wide band of frequencies;
Effective against narrow-band jamming; lowers probability of intercept; can
provide privacy if spreading sequence is kept secret;
Used in Code Division Multiple Access (CDMA) systems.
1
1 0 1 1 0 1 0 0 1 1 1 0 1 0 1 1 0 0 1 0 1 0 1 1 0 1 0 1 0
0
0 1 0 0 1 0 1 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 1 1 0 1 0 1 0
94
BobAliceX Y
Eve
Z
+
+
NM
NW
Repeat-back jamming in wireless networks (e.g. amplification, modification
retransmission of intercepted signals, inducing errors in radars and receivers).
Jammer can cause a lot of harm even with access to only a noisy version of the
sent signal, with phase or timing jitter and with limited processing capabilities.
Not detectable via the received power at Bob.
Extended to Multiple Access Channels by [Shafiee and Ulukus, 2005]
[Médard, 1997]
+
Capacity of Channels with Correlated Jamming
95
Cooperative Jamming in the Gaussian Multiple Access Channel
[Tekin and Yener, 2006]
DecoderAlice Encoder 1
Charlie
U1
U2 Encoder 2
X1
X2
Y
p(yz|x1 x2)
Bob
EveDecoderZ
Secrecy conditions can be individual or collective yielding different results for each case.
Alice and Charlie can cooperate to increase Eve’s uncertainty about the sent messages.
96
General Broadcast Channel with Multiple Secrecy Conditions
[Csiszár and Koerner, 1978] considered one secrecy condition.
[Liu et al. , 2006] provided inner bound for two secrecy conditions, and also for interference channels.
Decoder 1
Alice Encoder
BobX
p( y1 y2 |x)
Y1
Y2Decoder 2 Eve
U2,U1
Û1
Û2
97
Multiple Access Channel with confidential messages
Cooperative jamming over the Gaussian MAC
[Tekin and Yener, 2006]W
ith channel outputs at the encoders + individual secrecy conditions [Liang and Poor, 2006]
DecoderAlice Encoder 1
Charlie
U1
U2
Encoder 2
p(u1) p(u2)
X1
X2
Y
p(y1 y2 yz|x1 x2)
Bob
EveDecoderZ
Y1
Y2
U0
98
Relay Channel with confidential messages
Discrete Memoryless Case [Oohama, 2004] Randomization helps to increase the rate-equivocation region.
BobAliceX n
p(yz|xs) Y n
Eve
ZnSn
99
Exploiting MIMO
Alice can leverage multiple antennas by transmitting artificial noise into the null space of Bob
This approach can be used effectively, even when position of Eve is unknown.
Alice
Bob
Eve
[Goel and Negi, 2005]
100
Jamming to increase the secrecy capacity
BobAliceX Y
Eve
Z
+
+
NM
NW
WMWMS
PPCCC
2222 1log2
11log
2
1
Can we increase the noise in Eve’s channel without affecting Bob?
101
Increasing the Secrecy Capacity with Jammers
102
Jammer Impact on Outage Secrecy Capacity in Fading Environment
103
Multiple Jammers in Fading Environment
104
Store-and-Forward versus Network Coding
In today’s networks, information is viewed as a commodity, which is transmitted in packets and forwarded from router to router pretty much as water in pipes or cars in highways.
In contrast, network coding allows intermediate nodes to mix different information flows by combining different input packets into one or more output packets.
[Ahlswede, Cai, Li and Yeung, 2000]
105
A simple three-node example
AB
C
a a
b b
In the current networking paradigm we require 4 transmissions.
106
Network Coding
AB
C
a b
With network coding we require only 3 transmissions.
a+b
107
Algebraic Framework for Network Coding
Binary vector of length m: element in
Random processes at nodes
Transfer matrix
Generalized MIN-CUT MAX-FLOW Condition
F2m
Y (e3) iX(v,i) jY (e j )j1,2
i
z xM
M A(I F) 1BT
M 0
[Koetter and Médard, 2003]
108
Packetized Network Coding
Assume each packet carries L bits
s consecutive bits can be viewed as a symbol in
Fq
Ls
Perform network coding on a symbol by symbol basis.
Output packet also has length L.
Send the coefficients (the “encoding vector”) in the header.
Information is spread over multiple packets.
enc. vector
109
Practical Considerations
E
ncoding: Elementary linear operations which can be implemented in a straightforward manner
(with shifts and additions).
D
ecoding: Once a receiver has enough linearly independent packets, it can decode the data
using Gaussian elimination, which requires operations.
G
enerations: To manage the complexity and memory requirements, we mix only generations
with fixed number of packets and limit the field size. Each keeps a buffer sorted by generation
number. Non-innovative packets are discarded.
D
elay: Since we must wait until we have enough packets to decode, there is some delay (not
very significant, since we require less transmissions in many relevant scenarios)
110
Benefits beyond throughput
Reliability: Network Coding can achieve optimal delay and rate in the presence of
erasures and errors.
Simpler Optimization: The multicast routing problem is NP-hard (packing Steiner
trees), however with network coding there exist polynomial time algorithms.
Robustness: Random network coding is completely decentralized and preserves
the information in the network, even in highly volatile networking scenarios.
111
Applications of Network Coding
D
istributed Storage and Peer-to-Peer: robustness against failures in highly volatile networks;
W
ireless Networks: Information dissemination using opportunistic transmission;
S
ensor Networks: Data gathering with extremely unreliable sensing devices;
N
etwork Management: Assessing critical network parameters (e.g. topology changes and link
quality)
First real-life application in July 2007:
Microsoft Secure Content Downloader (a.k.a. Avalanche)
112
Classes of Network Coding Protocols
We distinguish between two types of protocols:
stateless network coding protocols, which do not rely on network state information (e.g. topology or link costs) to decide when to mix different packets (e.g. Random Linear Network Coding);
state-aware network coding protocols, which rely on partial or full network state information to compute a network code or determine opportunities to perform network coding in a dynamic fashion (e.g. COPE).
113
Secret Key Dist.[Oliveira, Barros, ’07]
SPOC[Vilela, Lima, Barros, ’08]
Cooperative Security[Gkantsidis, Rodriguez, ’06]
Network Coding Security Taxonomy
Network Coding Protocols
State information
Security Infrastructure
Stateless
RLNC[Ho et al, ’04]
State-aware
COPE[Katti et al, ’06]
Polynomial time[Jaggi et al, ’05]
CooperativeKey
Management
some intrinsic security (no state information)
Prone to Byzantine attacks
Prone to Byzantine attacks
Network state information
- Extra redundancy- Hash symbols included in packets
- Cooperative security schemes- Homomorphic hash functions
-Signatures- Key distribution- Confidentiality
Signatures Content Dist.[Zhao et al, ’07]
Detection Byzantine[Ho et al, ’04]
Resilient codes[Jaggi et al, ’06][Koetter, Kschischang, ’07]
Network codes
114
Network Coding: A Free Cipher?
Nodes are assumed to be “nice but
curious” (comply with protocol but could
be malicious eavesdroppers)
Intermediate nodes have different levels
of confidentiality;
Nodes T and U have partial information
about the data;
Node W has full access to the data;
Node X cannot decode any useful data –
a free cypher!
S
T U
W
Y Z
X
a b
a
a
b
ba+b
a+b a+b
Previous work considered wiretapping attacks on multiple links,
e.g. [Cai and Yeung,’02], [Feldman et al,’04] [Bhattad et al,’05]
[Lima, Médard and Barros, ISIT’07]
115
Secure Network Coding
S
T U
a b c d
e f g h
S
T U
a+b+c+d+e+f+g3a+b+c+d+5fa+2b+c+d+4ga+b+c+3d+5h
5a+b+5h6b+c+4gb+7c+3ab+c+9e
R R
Nodes T and U have access to half of the sent data.
NodesT and U need to decode to obtain partial data.
116
Algebraic Security Criterion
Definition (Algebraic Security Criterion): The level of security provided by random linear network coding is measured by the number of symbols that an intermediate node v has to guess in order to decode one of the transmitted symbols.
In other words, we compute the difference between the global rank of the code and the local rank in each intermediate node.
117
Results
Theorem 1:The
probability P(ld > 0) of recovering a strictly positive number of symbols ld at the intermediate nodes (by
Gaussian elimination) goes to zero for sufficiently large number of nodes and alphabet size
Proof Idea:
An intermediate
node can gain access to relevant information
1)w
hen the partial transfer matrix has full rank
2)w
hen the partial transfer matrix has diagonalizable parts.
Carry out
independent analyzes in terms of rank and in terms of partially diagonalizable matrices.
Show that the
probability of having partially diagonizable matrices goes to zero for sufficiently large number of nodes and
alphabet size.
118
SPOC - Secure Practical netwOrk Coding
Assured confidentiality against attacker with access to all the links.
Two types of coefficients:
Locked
Unlocked
Same operations
Requirements:
Key management mechanism
119
SPOC - Secure Practical netwOrk Coding - Results
Number of AES encryption operations according to the payload size, for SPOC (encryption of locked coefficients) versus traditional encryption mechanism (encryption of the whole payload).
120
SPOC - Secure Practical netwOrk Coding - Results
Packet size overhead of including the locked coefficients, per packet.
121
Mutual Information between Payload and Coding Coefficients
[Lima, Vilela, Barros, Médard, 2008]
122
Detection of Byzantine Modification
Hash symbols, calculated as simple polynomial functions of the source data, are included in each source packet.
Receiver nodes check if decoded packets are consistent, i.e. have matching data and hash values.
Additional computation is minimal as no other cryptographic functions are involved.
Detection probability can be traded off against communication overhead, field size (complexity) of the network code and the time taken to detect an attack.
[Ho et al, ISIT 2004]
Ls
enc. vectorhash
123
[Gkantsidis, Rodriguez, Infocom 2006]
Cooperation to achieve on-the-fly detection of malicious packets.
Homomorphic hash functions: a hash of an encoded packet is easily derived from the hashes of the previously encoded packets.
However, these hash functions are computationally expensive.
To increase efficiency every node performs block checks with a certain probability and alerts its neighbors upon detection.
In addition, there exist techniques to prevent Denial of Service (DoS) attacks aimed at the dissemination of alarms.
Cooperative security for network coding
124
Resilient Network Codes
Use the error correction capabilities of linear network coding.
An active attacker can be viewed as a second source of data.
Add enough redundancy to allow the destination to distinguish
between valid and erroneous packets.
Some information may have to be protected by a shared secret key.
[Jaggi et al. , Infocom 2006]
[Koetter and Kschischang, 2007]
125
How can each pair of neighboring nodes share a secret key?
Sensor Networks
Task: Collect and transmit data through secure links
Data confidentiality
Constraints: Energy
Limited Data Rate
Processing Power
Memory Secret Key Distribution
126
Key Pre-distribution
Goal: Store keys into the memory of the sensor nodes for them to share a secret with their neighbors after the deployment.
Challenges: Minimize the impact of compromised nodes; Efficient use of the resources; Scalability in dynamic environments; Avoid single points of attack.
127
Secret Key Distribution using Network Coding
Our approach:
Key pre-distribution scheme; Efficient use of resources; Uses a mobile node to “blindly” complete the key distribution process; Designed for dynamic scenarios.
Prior to sensor node deployment:
Generate a large pool of keys and their identifiers; Load different keys and the corresponding identifiers into the memory of
each sensor node; Store in the memory of the mobile node all the keys encrypted with the
same one-time pad and their corresponding identifiers.
[Oliveira and Barros, 2007]
128
Secret Key Distribution in WSNs
After sensor node deployment:
BSA
Hello Hello
)()( BiAi KK )()( BiAi KK
)()( BAK mE
Ai
)()( ABK mE
Bi
)(Ai )(Bi
RKRK BiAi )()(
)()()( BiBiAi KKK )()()( AiBiAi KKK
)(BiK)( AiK
)(BiK)( AiK
RK
RK
RK
i
Bi
Ai
(.)
)(
)(
...
[Oliveira and Barros, 2007]
129
One-Time Pad Security
One-time pad is secure if the key is:Truly random;Never reused;Kept secret.
The knowledge of does not increase the information that the attacker has about any one key
},...,,{ 21 RKRKRK m
mixKPyRKyRKxKPnimmi ,...,1,
2
1,...,| 11
[Oliveira, Costa and Barros, 2007]
130
Extensions and Variations
Mobile key distribution for many nodes
Group and cluster keys
Key revocation
Key renewal
Authentication
131
Millionaires- problem
Suppose 2 millionaires want to determine which one is richer, without revealing the precise amount of their wealth.
In the general secure multi-party computation problem, users u1, u2, ..., un possess data d1, d2, ..., dn and want to compute the outcome of a public function F(d1, d2, ..., dn ) without revealing d1, d2, ..., dn .
132
Other Problems beyond Secure Communication
Communicating securely is not the only problem in cryptography.
Problem: Suppose Alice and Bob are linked through a network and want to flip a coin. How can they ensure that the coin flip is fair?
Network
$
$
Solution: Alice and Bob send one bit each in separate envelopes. They open the envelopes simultaneously and take the XOR of the two bits.
The protocol works if and only if
Bob knows nothing about Alice’s bit before he sends his envelope;
Alice cannot change her bit once the envelope is sealed.
...and vice versa (for Bob’s bit).
133
Alice puts a bit bin a strong box
b
Alice gives this box to Bob. She cannot change b
Later Alice can unveil b to Bob
b
A commitment scheme is said to be secure if it is:
• Binding: the probability that Alice can successfully open two
different commitments is negligible.
• Concealing: Bob gets at most negligible information on b
before the opening phase.
• Correct: The probability that honest Alice fails to open
a commitment is negligible.
Commit Open
Bit Commitment
134
Bit Commitment over the erasure channel
Commit Phase:
• Alice selects a random codeword with parity equal to the value she
wants to commit to and sends it to Bob through the erasure channel.
Open Phase:
• Alice sends the codeword she has sent in the commit phase over a
noiseless channel. Bob rejects if the codeword he receives differs in
at least one position from the codeword he received through the noisy
channel.
p-Erasure Channel
n n
Xn Yn
b = parity(X)
135
Protocol Analysis:
• Bob learns the commitment with probability
• Alice unveils a bit different than the one she committed
to and is not detected with probability
Bit Commitment over the erasure channel
nB pP )1(
pPA
p-Erasure Channel
n n
Xn Yn
b = parity(X)
Problems:
•Non-negligible error probability (binding condition)
•The channel is used n times to commit to a single bit.
136
Binary string
Bob learns b with probability
Alice cheats successfully with probability
Commitment rate
Commitment capacity
Commitment Rate and Capacity
If we commit to a string of length k, what is the maximum commitment rate k/n of a secure protocol we can achieve (i.e., capacity)?
kb }1,0{
n
kR
RCXP
com max
0 nAP
0 nBP
137
The Commitment Capacity of DMC’s
Define a “redundant” channel (a channel is called non-redundant if none of its output distributions is a convex combination of its other output distributions).
Redundancy can be “cut” from a channel, by removing all input symbols which are convex combinations of others.
If after removing the redundancy of a channel, its equivocation becomes zero, the channel is called trivial.
The commitment capacity of a DMC equals its equivocation H(X|Y) after its redundancy is removed.
[Winter, Nascimento, Imai ’03]
138
Motivation:
- more realistic channel model (e.g. wireless medium)
- commitment capacity for continuous channels unknown
- techniques differ from the discrete case
How about the Gaussian Channel?
+iX iY
iZAverage Power Constraint:
Channel Capacity:
21log
2
1
P
C
iii ZXY
n
ii Px
n 1
21
),0( 2NZ i
139
Caveat: practical wiretap codes are hard to design!
How about the Gaussian Channel?
140
Using a wiretap interpretation of commitment, we can prove that
22*
1log2
11log
2
1
GCcom
PPC
Any positive will give us a binding protocol, by making it arbitrarily small, we get that the maximum achievable rate can be made arbitrarily large
*C
Commitment rate
The commitment capacity of the Gaussian channel is infinite.
141
[Bloch, Barros and McLaughlin, 2007]
Commitment from Secret Key Agreement
142
Cryptographic protocols
based on noisy channels,
Crépeau, 1997
Commitment Capacity of
Discrete Memoryless Channels,
Winter, Nascimento,
Imai, 2003
Oblivious Transfer using
noisy channels,
Crépeau. Morozov,
Wolf, 2004
Pseudo-signatures,
Broadcast, and Multi-party Computation,
M. Fitzi, S. Wolf, and
J. Wullschleger, 2004
Commitment Capacity of
Gaussian Channels,
Barros, Imai,
Nascimento and Skudlarek 2006
Practical Information-
Theoretic Commitment
Bloch, Barros and
McLaughlin, 2007
Beyond secure communication
143
Physical-Layer Security:
10 Open Issues
144
#1 How can we provide rigorous descriptions of security primitives?
Computational Security
Security schemes are based on (unproven) assumptions of intractability of certain functions;
Typically done at upper layers of the protocol stack
Information-Theoretic (Perfect or unconditional) Security
strictest notion of security, no computability assumption
H(M|X)=H(M) or I(X;M)=0
Implementable at the physical layer
Alice
Eve
Bobk-bit message W
k-bit decoded message Wb
key I
X X
Xkey K
145
BobAliceX n
p(y|x)Y n
p(z|x)
Eve
Zn
Theoretical results from the seventies (Wyner, Csiszár and Koerner)
Caveat: eavesdropper must have a worse channel.
Renaissance of information-theoretic security in the last 2 years.
Most results are based on weak secrecy conditions (equivocation rate)
Strong secrecy is possible (requires CS techniques)
#2 What are the fundamental limits of security for strong secrecy?
146
Tag
Attacker
X
Z
Reader
Yk-bit message w
w’ +
+Nw
Nm
#3 How can we leverage state-of-the art channel coding to enhance security at the physical layer?
147
Main channel is noiseless; wire-tapper’s channel is a BEC with erasure probability e
Eve receives a subset of the transmitted bits (or packets)
For this instance (only), we have secrecy capacity achieving codes.
Alice
Eve
X
Z
ee1-e 1-e
Bob
Xk-bit message w
wb
o
1
1
o ?
#4 How do we construct secrecy achieving codes for wireless channels?
148
Common Randomness: Alice and Bob share correlated
random sequences.
Reconciliation: Alice sends Bob enough side information
for Bob to reconstruct Alice’s sequence.
Privacy Amplification: Alice and Bob use hash functions
to maximize Eve’s equivocation.
#5 How can we borrow from quantum cryptography?
149
Wireless Network with Potential Eavesdropping
•Goal: Exploit channel variability to secure information at the physical-layer.
#6 How can we leverage fading?
150
Intermediate nodes have different
levels of confidentiality;
Nodes T and U have partial
information about the data;
Node W has full access to the data;
Node X cannot decode any useful
data – a free cypher?
Active attacks can compromise the
information flow.
S
T U
W
Y Z
X
a b
a
a
b
ba+b
a+b a+b
a b a b
a b
#7 How can we provide security for network coding?
151
Problem: How can each pair of sensor nodes agree on a secret key?
Our approach: Key pre-distribution scheme; Uses a mobile node to complete
the key distribution process blindly using network coding;
Reduced memory requirements;
#8 How can we use coding ideas to distribute secret keys?
152
Cryptography is not only concerned with communicating securely.
Based on noisy channels and state-of-the-art error correction codes
we can implement bit commitment and oblivious transfer, which are
the building stones of secure multi-party computation.
Authentication is a vital issue and could potentially be carried out
over noisy channels possibly without initial shared secret.
[Wolf and Maurer’98], [Trappe et al’07 ]
How about anonymity? How about non-repudiation?
#9 How can we use physical-layer techniques to go beyond secure communication?
153
Classical Cryptography under the Computational Model
Advantages
no publicly-known, efficient attacks on public-key systems
security is provided on a block-to-block basis
if cryptographic primitive is secure then every encoded block is secure
systems are widely deployed, technology is readily available, inexpensive
Disadvantages
Security is based on unproven assumptions
No precise metrics trade off between reliability and
security as a function of the block length is unknown
security of the cryptographic protocol is measured by whether it survives a set of attacks or not.
Conventional model (error free channel) secrecy capacity of these systems is zero
can’t guarantee reliable and perfectly secure system
154
Physical layer security under the information-theoretic (perfect) security model
Advantages: No computational restrictions
placed on eavesdropper Very precise statements can be
made about the information that is leaked
Quantum key distribution implemented
Wireless solutions appear Suitably long codes get
exponentially close to perfect secrecy
Disadvantages: Information-theoretic security
is an average-information measure.
Requires assumptions about the communication channels that may not be accurate in practice.
Limits its application A few systems (e.g QKD) are
deployed but the technology is not as widely available and is expensive.
155
#10 It may well be worth rethinking our security architecture.
Application
Link
Transport
Network
Physical
Application
Link
Transport
Network
Physical Bottom-up Security?
How can we combine physical-layer security and cryptographic protocols?
156
Acknowledgements and credits
M
atthieu Bloch, Georgia Tech
M
iguel Rodrigues, University of Porto
A
ndrew Thangaraj, IIT Madras
R
ob Calderbank, Princeton
A
nderson Nascimento, University of Brasilia
M
uriel Medard, MIT
L
uísa Lima, University of Porto
J
oão Paulo Vilela, University of Porto
P
aulo Oliveira, University of Porto
R
ui Costa, University of Porto
D
emijan Klinc, Georgia Tech