Rei safavi naini university of calgary joint work with hadi ahmadi
Download
1 / 26

Rei Safavi-Naini University of Calgary Joint work with: Hadi Ahmadi - PowerPoint PPT Presentation


  • 91 Views
  • Uploaded on

iCORE Information Security. Secret key agreement over noisy channel. Rei Safavi-Naini University of Calgary Joint work with: Hadi Ahmadi. Secret key agreement. Alice and Bob want to share a secret over a channel that is eavesdropped by Eve. A fundamental problem in cryptography.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Rei Safavi-Naini University of Calgary Joint work with: Hadi Ahmadi' - baina


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Rei safavi naini university of calgary joint work with hadi ahmadi

iCORE Information Security

Secret key agreement over noisy channel

Rei Safavi-Naini

University of Calgary

Joint work with: Hadi Ahmadi


Secret key agreement
Secret key agreement

  • Alice and Bob want to share a secret over a channel that is eavesdropped by Eve.

    • A fundamental problem in cryptography.

  • No solution if no other assumption is made.

  • Assumptions:

    • Computational assumption

      • Diffie-Hellman key agreement

    • Non computational assumption – unlimited adversary

      • Noisy channel

        The key questions:

        • Is it possible?

        • What is the “secrecy capacity”?

  • This talk: increasing “secrecy capacity” through interaction over noisy channels

iCIS Lab, University of Calgary


Outline

  • Message transmission& Key agreement

  • Exiting noisy channel models

    • Wiretap

    • Noisy broadcast

    • Public discussion

  • A new model: two-way noisy broadcast

    • Lower bounds

    • Interactive Channel Coding

    • Comparing Key Agreement Protocols

  • Discussion & Concluding Remarks

iCIS Lab, University of Calgary


Preliminaries
Preliminaries

1-p

0

0

p

p

1

1

1-p


Message transmission key agreement
Message transmission & Key agreement

Assume eavesdropping adversary

If Alice can send a message ‘securely’ to Bob,

She may choose the message to be a ‘key’

 secure message transmission protocol gives a secure key agreement

Protocols for secret key agreement


Secure message transmission over noisy channel

Model 1 : Wyner [Wy75] Wiretap channel:

Channels are noisy DMCs.

Eve’s channel is a degraded version of Bob’s.

No shared key

Secure message transmission is possible if the wiretap channel is not noise-free.

There exists a randomized coding

Cs=C(PYZ|X)= maxp(x)(I(X;Y)-I(X;Z))

Secure message transmissionover noisy channel

Main

Channel

Y

X

Wiretap

channel

Z

iCIS Lab, University of Calgary


Secure message transmission

Model 2: Csiszár and Körner [CK78] noisy broadcast channel:

A generalization of Wyner’s work.

Eve’s channel can be better than Bob’s

Secure message transmission is possible, if Eve’s channel is noisier.

Cs=C(PYZ|X)= maxp(x)(I(X;Y)-I(X;Z))

Secure message transmission

Main

Channel

X

Y

Wiretap

channel

Z

iCIS Lab, University of Calgary


Secure key agreement

Maurer[Ma93], Ahlswede &Csiszár [AC93]

Noisy broadcast:

Public discussion channel

error-free -insecure

Secure key agreement is possible if, Eve’s channel is not noise-free and Bob’s channel is not fully noisy.

 no requirement on Eve’s channel be more noisy!

Established key can be used to encrypt a message

Send over public channel

 secure message transmission

In practice:

Implement public discussion channel: using channel coding [BBRM08]

Secure key agreement

Public discussion

Main

Channel

Y

X

Wiretap

channel

Z

iCIS Lab, University of Calgary


Secure key agreement a new model

Secret key agreement over “two-way” (noisy) broadcast channels.

No public discussion: only noisy communication

Natural model

Secrecy capacity?

The rest of the talk:

Define two-way noisy channel secrecy capacity

Give three protocols for key agreement

compare the protocols and derive a lower-bound for two-way secrecy capacity.

Secure key agreement:A new model

Main forward channel (Chmf)

Xf

Yf

Bob

Alice

Main backward channel (Chmb)

Yb

Xb

Eavesdropper's forward channel (Chef)

Zf

Zb

Eavesdropper's backward channel (Cheb)

Eve

iCIS Lab, University of Calgary


2 way broadcast
2-way broadcast channels.

  • Two one-way broadcast channels

    • A forward broadcast channel: Xf→YfZfspecified by

    • A backward: Xb →YbZbspecified by

  • Alice and Bob send messages multiple times.

  • Alice, Bob and Eve “view” RVs: ViewA, ViewB, ViewE.

  • Either Alice or Bob calculates S; the other calculates S’.

ViewB

ViewB

S

S’

ViewE

iCIS Lab, University of Calgary


Secrecy capacity of 2 way broadcast
Secrecy capacity of 2-way broadcast channels.

  • Secrecy capacity :

    The maximum real number R≥0, such that:

    for every ε>0 and sufficiently large N, there exist a protocol that uses the two-way broadcast channel N times, and results in viewed RVs MA, MB, ME and calculated RVs S and S’ which satisfy:

iCIS Lab, University of Calgary


Lower bound 1 one pass communication
Lower bound 1: channels.one pass communication

1. One-way key agreement

Use forward or backward noisy broadcast channel for sending a secure key

  • The first lower-bound is:

    CsA and CsB are one-way secrecy capacities of forward and backward channels.

iCIS Lab, University of Calgary


Lower bound 2 1 round communication
Lower bound 2: channels.1-round communication

2- Virtual Cascade Channel (VCC) protocol

  • Inspired by Maurer’s technique used for public discussion model

  • Alice (Bob) starts the protocol:

    • Alice sends Xf;

    • Bob selects uniformly S, encodes it to Vb, and sends Xb=Yf+Vb;

Yf

Xf

Zf

Yb

V’b=Yb-Xf

Xb=Yf+Vb

Zb

V’’b=Zb-Zf

iCIS Lab, University of Calgary


Lower bound 2
Lower bound 2 channels.

  • Theorem:

    secrecy capacity is equal to half of the 1-way secrecy capacity of the virtual broadcast channel, Vb→V’bV’’b, i.e.:

    When Bob starts the protocol, the secrecy capacity is

  • The second lower-bound is:

iCIS Lab, University of Calgary


Lower bound 3 1 round communication
Lower bound 3: channels.1-round communication

  • Interactive channel coding:

    • Alice: sends Xfn;

      • Bob and Eve receive Yfn and Zfn. Xf is such that Yf has uniform distribution.

    • Bob: encodes Yfn to MBN=e(Yfn)=(Yfn||Xbd) and sends Xbd;

      • Alice and Eve receive Ybd and Zbd.

    • Alice decodes MAN=(Xfn||Ybd) to ;

    • Bob and Alice calculate secrets as

Chmf

Alice

Bob

SystematicEncoder

SystematicDecoder

Chmb

Chef

Cheb

Eve


Lower bound from interactive coding
Lower bound from interactive coding channels.

The third lower bound is:


The best lower bound so far
The best lower bound so far: channels.

  • Theorem:

    Secrecy capacity of 2-way noisy broadcast channel is lower bounded by

iCIS Lab, University of Calgary


Secrecy capacity with icc
Secrecy capacity with ICC channels.

  • Average mutual information between Bob and Alice:

  • Average mutual information between Bob and Eve:

  • The two-way secrecy capacity with ICC is:

    • if Alice initiates

    • if Bob initiates

  • Hence:

iCIS Lab, University of Calgary


Secrecy capacity with icc1
Secrecy capacity with ICC channels.

  • Theorem:

    Let Yfn be an i.i.d. n-vector over set Un with entropy H(Yf)=ζ, where ζ=log|U|, and Sk =g−1(Yfn). For rates,

    by choosing N large enough, there exist a suitable partitioning set Gn and a pair of (2ζk,N) encoding/decoding algorithms that communicate Yfn reliably from Bob to Alice, while

iCIS Lab, University of Calgary


A comparison bsc channels
A comparison: channels.BSC channels

  • Channels are binary symmetric

    • bit error probabilities p1, p2, p3, p4, where p1=p4.

Main forward channel (Chmf)

Xf

Yf

Bob

Alice

Main backward channel (Chmb)

Yb

Xb

Eavesdropper's forward channel (Chef)

Zf

Zb

Eavesdropper's backward channel (Cheb)

Eve

iCIS Lab, University of Calgary


1-rnd and 2-rnd communication channels.

Note: h(p) =- plog p -(1-p) log (1-p)


ICC vs. VCC channels.

iCIS Lab, University of Calgary


Discussion
Discussion channels.

  • Types of key agreement protocols:

    • One-party Key Generation: First two protocols

    • Participatory Key Generation: ICC

  • Secrecy capacity of message transmission vs. key agreement:

    • Equal : if public discussion channel exists.

    • Equality for two-way broadcast model is an open question.

  • Strong vs. weak secrecy capacity:

    • Weak: to maximize Eve’s uncertainty rate [Wy75, CK78, Ma93].

    • Strong: to maximize Eve’s absolute uncertainty [MW00].

  • We consider weak secrecy capacity.

  • Strengthening the security requirement is direct [MW00]

iCIS Lab, University of Calgary


Concluding remarks
Concluding remarks channels.

  • Two-way broadcast model is a natural model

    • Fits in particular in wireless settings

    • Results are of practical significance

  • Secrecy capacity of 2-way broadcast channel for key agreement is defined in analogy to one-way secrecy capacity

  • Three key agreement protocols in 2-way broadcast setting

    • One-way key agreement

    • VCC protocol

    • ICC protocol

  • Each protocol will provide the best (highest) capacity for certain channels

    • The best lower-bound is maximum of the three in each case

iCIS Lab, University of Calgary


Concluding remarks1
Concluding remarks channels.

  • Secrecy capacity will be positive in surprising cases:

    • the main channels are much worse than the eavesdropper’s channel

  • ICC protocol provides a novel approach to channel coding, using interaction during the encoding phase.

  • Open questions:

    • Can ICC be extended to multi-round?

    • Relationship among secrecy capacities of the three protocols

    • Relation between secrecy capacities of key agreement and message transmission

iCIS Lab, University of Calgary



ad