Loading in 2 Seconds...
Loading in 2 Seconds...
JOINT SCHEMES FOR PHYSICAL LAYER SECURITY AND ERROR CORRECTION Murali Varanasi April 9, 2012
What makes more sense and why? ERROR DETECTION OR CORRECTION CYPHERTEXT COMPRESSION PLAINTEXT CHANNE L IS THIS THE BEST ORDER OF DOING THINGS? THE CLOUD USER DETECT/ CORRECT CYPHERTEXT-1 PLAINTEXT DECOMPRESSION-1
Outline • Introduction • Error Correction Based Cipher I (ECBC I) • Error Correction Based Cipher II (ECBC II) • AMH Cipher • Joint Error Correction, Encryption and Modulation Scheme (JEEM) • Summary • References
Introduction – Motivation I • Rapid increase in the number of application on wireless devices. • High cost of Upper layer encryption in wireless sensor networks. • Evidence of the existence of secrecy achieving codes. • Issues with wireless channels • noisy in nature: Error correction is an integral part of the physical layer of modern day communication system. • Data are susceptible to eavesdropping and tampering: Encryption is employed to provide secrecy. • Challenging to efficiently transmit data since random errors that occur during transmission need to be removed before decryption. • Major challenges facing resource constraint wireless devices are error resilience, security, and speed
Introduction - Goal • To combine encryption and channel coding as one process at the physical layer to facilitate reliable, secure and efficient communication. • Exploit secrecy achieving characteristics of channel codes. • lead to improved efficiency, speed and savings in hardware usage because of hardware reuse. • give flexibility in terms of design and technology used for fabrication. • difficult to build lower layer analyzers in terms of attacks.
Introduction - Contribution • Joint schemes that provide both the security and reliability: • Potential of reducing hardware usage due to hardware reuse. • Increases power savings since power consumption is of utmost importance in modern wireless communication. • Joint schemes with no tradeoff between reliability and security in ECBC as opposed to previous schemes. • We show: • cryptanalysis of ECBC, • Result of randomization tests on ECBC, and • Result of hardware implementation of ECBC.
Related Research • McEliece introduced the use of error correcting code as a public key cryptosystem: • Based on algebraic coding theory using t-error correcting Goppa code (MG’ + Z). • Requires large block length (n = 1000 bits) to correct large number of errors (t = 50 bits). • Results in very large computational overhead. • Rao proposed a private key cryptosystem based on algebraic-code using McEliece scheme: • Suggested G’ be made private. • Provided better security with simpler error correcting code. • Less computational intensive compared to McEliece scheme. • Broken by a chosen-plaintext attack. • Later introduced a private key cryptosystem which had a tradeoff between reliability and security. • Hwang et. al proposed Secret Error Correcting Code (SECC) using preparata code • Did not use error vector originally introduced in the original McEliece scheme.
Related Research • Mathur et al. presented a joint scheme for error correction and cryptography using High Diffusion (HD) codes: • Based on the structure of Advanced Encryption Standard (AES). • Replaced high diffusion layer of the AES with HD code. • Higher in complexity compared to McEliece based schemes and AES. • Confirmed in their literature that McEliece based schemes has low power consumption advantage.
Our Work • Error Correction Based Cipher (ECBC) and AMH Cipher (AMHC) • ECBC is based on McEliece scheme • AMHC is based on AES structure • Provides data reliability, integrity and security • Full error correcting capability of the error correcting code is preserved
Error Correction Based Cipher I (ECBC I) • ECBC I is a private key algebraic based system. • It is based on Block Chaining Technique. • We utilize a non-linear function and linear error correcting code.
ECBC I - Encryption • Same plaintext will be encrypted to different ciphertext • Cryptanalyst cannot cannot construct equivalent generator matrix combinatorially. • Errors cannot be corrected systematically since ciphertexts are not codewords. • Detailed analysis in the Cryptanalysis section.
ECBC I - Decryption • The transmitter and receiver have to agree on initial Q0and X0vector (initialization vectors)
Decryption in a Noiseless Channel • Apply decryption : Qi = Ci + Zi • Multiplying with the transpose of permutation matrix: • Applying decoding algorithm: • Adding error vector:
Decryption – Noisy Channel • Noisy channel with error vector Zc : • Applying Decryption process: • Multiply by transpose of permutation matrix : • After applying decoding algorithm
Decryption – Noisy Channel • Applying the inverse of nonlinear function f-1 : • Adding the error vector Q*i-1 to di : • This shows that the error correction ability of the code is fully preserved for error due to the channel. • Error intentionally introduced at the transmitter can be removed at the receiver. • The scheme could be used as a checksum to detect illegal tampering or modification
Cryptanalysis • Analysing: • If Xi is fed forward and Qi-1 is not fed back
Cryptanalysis • A chosen plaintext attack will break GP if the expansion function g is a linear function that has a left inverse based on the equation • To illustrate, let Mi = Mi+1 and Mi+2 = Mi+3 : • If g is linear : • GP can be derived if the cryptanalyst could obtain k such distinct pair. • Since GP is a permuted version of G, the work factor of deriving G is increased. • If g is non-linear, the attack will not work.
Cryptanalysis • If Xi is not fed forward but Qi-1 is fed back • Cryptanalyst would have to search for equivalent ciphertextCi = Cj . • This means that : • If f is linear, FGP could be found by known plaintext attack
Cryptanalysis • However, if f is non-linear, the attack will not work. • The cryptanalyst can collect k linearly independent equivalent codewords to construct G’ = fGP which is combinatorially equivalent to G. • It is computational infeasible to estimate the matrix G if k is large enough. • The ECBC scheme withstands chosen-plaintext(Struik-Tilburg type) attacks because of the non-linear function f that tranforms the plaintext.
Error Correction Based Cipher II (ECBC II) • Based on Nordstrom Robinson (NR) code and McEliece Public Key Cryptosystem (MPKC). • NR code has twice the codewords of any linear code with same minimum distance and length. • NR code is a binary image of the octacode and the octacode is linear. • The non-linear binary code in Z2 could be mapped into a linear octacode in Z4. • We take advantage of the mapping from Z2 to Z4 and vice-versa
Error Correction Based Cipher II (ECBC II) • if Alice wants to send a message to Bob, we can change the symbol mapped to each bit when changing from Z2 to Z4. • If Eve does not know the mapping, more errors will be introduced into the received data. • instead of taking advantage of the octacode, Eve will have to decode the message using the complicated decoder which might not work depending on the number of errors introduced into the message. • Bob can take advantage of decoding the linear code while Eve will have to decode a non-linear code.
ECBC II Encryption • The message m in Z2 is multiplied with a matrix called the scrambler (S) to obtain m’. • The scrambled message m’ in Z2 is mapped into m’’ in Z4 based on a key (k). • The m’’ in Z4 is then multiplied with the Nordstrom-Robinson Generator Matrix (G) to obtain codewordC’’. • The C’’ is then mapped back into Z2 to obtain a different version of the codewordC using a key k. • The codeword C is then multiplied with a permutation matrix (P) to obtain C’. • An Error vector (E) is then added to the permuted codeword (C’) to obtain ciphertext(CT). • The ciphertext CT is then transmitted through the communication channel.
ECBC II Decryption • The received ciphertext (CT) is multiplied with the transpose of the permutation matrix to obtain CT’. This does not tamper with the weight of the error. • The CT’ in Z2 is mapped to Z4 using a key k to obtain CT’’. • The error vector (EPT ) in CT’ is removed using syndrome decoding to obtain m’’. • The m’’ is mapped to Z2 (C) from Z4 using key k to obtain m’. • The m’ is multiplied with the scrambler to obtain m.
ECBC II Cryptanalysis • The cryptanalyst could try to attack this scheme using known-plaintext attack by independently solving matrices for each column of the product SGP (private key). However this requires large pairs of message and ciphertext. • This will be very difficult because of the periodic randomized mapping from Z2 to Z4. • In order to prevent chosen plaintext attack, the multiplication of the message with the scrambler should be replaced with a non-linear function.
ECBC II Cryptanalysis • The cryptanalyst can choose pairs of plaintext that differ by 1 • If ciphertext 1 and 2 in Z2 are expressed as: • If SGP = G’ and a superscript of 2 means the data is in Z2 where g’ is the ith row vector of G’
ECBC II Cryptanalysis • The Hamming weight of the E1 - E2 will be at least 2t. • The cryptanalyst can consider (C1 −C2) as an estimate of g1’ if t << n. The cryptanalyst can then use majority voting to determine for each position which ultimately give G’. • We use a non-linear function (f ) in place of the scrambler as shown below: • G’ cannot just be factorized, since the function f is not linear as the previous case
AMH Cipher - Introduction • Motivation • Degradation in security of most McEliece based schemes. • Tradeoff between error correction and security in most McEliece based schemes. • Construction of new codes in previous AES-like structure. • Increase in complexity of AES-like schemes. • Better efficiency of McEliece-like schemes and strong security of AES-like schemes. • AMH cipher can take advantage of efficency of McEliece-like schemes and the strong security of AES-like schemes .
AMH Cipher - Introduction • Hybrid scheme that combines both AES-like and McEliece-like structure. • An iterative algorithm that is made up of 7 rounds. • A 128-bit plaintext block and produce a 256-bit ciphertext block. • The AMH cipher uses a 128-bit AES key block. • Each round of this cipher is broadly made up of Key Addition layer, Non-Linear (NL) layer and Linear (L) layer.
AMH Cipher - Structure • Key addition : source of randomization (plaintext XORed with key). • Non-linear Layer : ensures that the maximum input-output correlation amplitude and the difference propagation probability is as small as possible. • Utilizes S-Box. • Resistant to difference and linear cryptanalysis • Linear Layer :provides linear transformation on states (diffusion optimal) • Shift-Gen and Mix-Perm • Resistant to differential and saturation attacks
AMH Cipher – Complexity and Security • The propagation ratio (R) of a 10 round AES is 4-9. • The propagation ratio of the first 6 rounds of the AMH Cipher is 4-6. • The propagation ratio of the last round of the AMH cipher (LDPC) is 128-1 < 4-3. • The propagation ratio of the entire AMH cipher is • RAMHC < R1-7 X RLDPC < 4-6 X 4-3 < 4-9. • RAMHC < 4-9.
AMH Cipher - Resistance to Differential Cryptanalysis • If maximum possible propagation ratio over all rounds is significantly greater than 2-127, • Differential cryptanalyst will break the cipher with complexity less than O(2128) • The non linear layer (S-Box) has a maximum propagation ratio of 2−6. • It has maximum input-output correlation of 2-3. • the propagation ratio of the first 6 rounds is 2−6*(6*4) = 2−144. • With the use of LDPC code in the last round, whose propagation ratio is 128-1, complexity will be greater than O(2128)
AMH Cipher - Resistance to Linear Cryptanalysis • Linear cryptanalysis can break the cipher with complexity less than O(2128) if the maximum possible correlation over all the rounds is significantly larger than 2−64. • the maximum input-output correlation for the S-box is 2−3, then • the maximum input-output correlation for the first 6 rounds of the AMH cipher is 2(4*6*−3) = 2−72 which is less than 2−64. • The input-output correlation of AMHC with the LDPC encoding at the last round will have input-output correlation far less than 2−64. • We can then conclude that the complexity of the linear cryptanalysis is greater than O(2128)
Complexity based on the LDPC code • The number of ways that three ones could be placed in the first column: • Ageneralized equation for the number of ways of placing three ones in the Nth column is: • The time complexity that the attacker guesses the H matrix of a random LDPC code is 103289 • This is greater than 2128 - Shows the advantage of the random LDPC code utilized in this system.
Joint Encryption, Error Correction and Modulation • The conventional modulation scheme are modified to provide random mapping of encoded information. • This design is able to cater for speed, security and has the potential of reducing the key in situation whereby the security scheme is serving as a reinforcement of security in the upper layer. • Instead of fixed mapping of bits (information) to waveform, we present the design of a randomized mapping scheme with purpose of degrading the communication channel of the eavesdropper (Eve)
The mapping process of the modulation is controlled by the error vectors • The modulation scheme is able to provide both randomization and modulation without compromising the structure of the McEliece-like scheme.
Summary • We have presented two groups of joint schemes : Error Correction based and Cipher based. • Error Correction based : ECBC I and II • Cipher Based: AMH cipher • We show the resistance of the joint scheme to well known attacks. • We also demonstrated the proof of concept through software and hardware implementation
Reference • Oluwayomi Adamo and M. R. Varanasi, “Joint Scheme for Physical Layer Error Correction and Security,” ISRN Journal of Communications and Networking, vol. 2011, Article ID 502987, 2011 • Oluwayomi Adamo and Murali Varanasi, "'Hardware based Encryption for Wireless Networks," in Proceedings of IEEE Military Communication Conference (MILCOM),pp. 1800–1805, 2010. • Oluwayomi Adamo, Shengli Fu, and Murali Varanasi, "Physical Layer Error Correction Based Cipher," Accepted in IEEE Global Communications Conference (GLOBECOM 2010), 2010 • O. B. Adamo, S. Fu, and M. Varanasi, "Hardware-Efficent Encryption Encoder and Decoder Unit", in IEEE Military Communication Conference (MILCOM), pp. 1-6, 2008
Reference (Contd) • Oluwayomi Adamo, Afrin Naz, Krishna Kavi, and Tommislav Janjusic, "Smaller split L-1 data caches for multi-core processing systems," Accepted in 10th International Symposium on Pervasive Systems, Algorithms and Networks, August, 2009 • Afrin Naz, Oluwayomi Adamo, Krishna Kavi, and Tommislav Janjusic, "Improving Uniformity of Cache Access Pattern using Split Data Caches," Accepted in ISCA 22nd International Conference on Parallel and Distributed Computing and Communications System, July, 2009 • Y. Morita, E. Ayeh, O. B. Adamo, and P. Guturu, "Hardware/Software Co-design Approach for a DCT-Based Watermarking Algorithm," Accepted in 52nd IEEE International Midwest Symposium on Circuits and Systems (MWSCAS), May, 2009
Reference (Contd) • Oluwayomi Adamo, Parthasarathy Guturu, and Murali. Varanasi, "An Innovative Method of Teaching Digital System Design in an Electrical and Computer Engineering Curriculum", Accepted in IEEE Microelectronic System Education (MSE), 2009. • J. N. Resendiz, R. Nelson, O. B. Adamo, P. Guturu and M. R. Varanasi, "Smart Sprinkler System Controller based on Field Programmable Gate Array," accepted in IEEE Green Technology Conference 2009. • E. Ayeh, Y. Morita, K. Agbedanu, O. Adamo, and P. Guturu, "FPGA Implementation of 8-bit Simple Processor", in Proceedings of the IEEE Region 5 Technical, professional and Student Conference, pp. 1-5, 2008
Reference (Contd) • O. B. Adamo, S. P. Mohanty, E. Kougianos, W. Cai, and M. Varanasi, "VLSI Architecture and FPGA Prototyping of a Digital Camera for Image Security and Authentication", in Proceedings of the IEEE Region 5 Technology and Science Conference, pp. 154-158, 2006 • O. B. Adamo, S. P. Mohanty, E. Kougianos, and M. Varanasi, "VLSI Architecture for Encryption and Watermarking Units Towards the Making of a Secure Digital Camera", in Proceedings of the IEEE International SOC Conference (SOCC), pp. 141-144, 2006 • S. P. Mohanty, O. B. Adamo, and E. Kougianos, "VLSI Architecture of an Invisible Watermarking Unit for a Biometric-Based Security System in a Digital Camera", in Proceedings of the 25th IEEE International Conference on Consumer Electronics (ICCE), pp. 485-486, 2007.