Information Theoretical Security and Secure Network Coding
38
Information Theoretical Security and Secure Network Coding NCIS11 Ning Cai May 14, 2011 Xidian University
-
Upload
lazzaro-murphy -
Category
Documents
-
view
41 -
download
3
description
Information Theoretical Security and Secure Network Coding. NCIS11 Ning Cai May 14, 2011 Xidian University. The Outline. Two Approaches to Security ; -computational security -information theoretical security - PowerPoint PPT Presentation
Transcript of Information Theoretical Security and Secure Network Coding
Information Theoretical Security and Secure Network Coding
NCIS11 Ning Cai
May 14, 2011 Xidian University
The Outline Two Approaches to Security ; -computational security
-information theoretical security Measurements of Information Theoretical
Security; Examples for Information Theoretical
Security; A Basic Idea in Secure Network Coding More About Resource Based on Secure
Network Coding
Two Approaches to Security
Computational Security (CS) vs Information Theoretical Security (ITS)
Assumptions (CS): wiretapper—limited computational ability (ITS): wiretapper—unlimited computational ability Security (CS): relatively secure (ITS): absolutely secure Resources (Random key, throughput etc) (CS): less (ITS): more
Two Approaches to Security
Computational Security – very popular, especially in commercial systems;
Information Theoretical Security – not so popular but received more and more attention:
Example :European Telecommunications Standards Institute (ETSI): new secure standard (for q systems) – Information theoretical security.
Measurements of Information Theoretical Security
Shannon Entropy or Mutual Information -source message, -wiretapped message Perfect security: or i.e., and are independent. Imperfect security: or
for Other Information Quantities e.g., Renyi
entropy, von Neumann Entropy or Holevo Quantity for Quantum, etc.
S WY
( ; ) 0WI S Y ( | ) ( )WH S Y H S
S WY
( ; )WI S Y i ( | )WH S Y h(0, ( )].h H S
Examples for ITS
Random message and
key are generated from the same set
-output of the message -output of key
{0,1,..., 1}.p m
k(mod )y m k p
M
K
M
K
Shannon cipher system
Examples for ITSSecret Sharing (SS)(Blakley 1979, Shamir 1979) A dealer observes a secret message and
chooses random “sharings” and distributes them to participates.
A subset of participates try to recover the message by pooling their sharings.
They can recover it if the subset is legal (i.e. in “access structure”).
Otherwise they should have absolutely no information about it from their sharings.
Examples for ITS
Secret Sharing (continue) threshold secret sharing scheme:
participates, all sets with sizes are legal Given the amounts of sharings distributed to the
participates, we want to maximize the amount of message sharing by them.
The optimal threshold secret sharing scheme is known. (R-S code)
To find optimal secret sharing schemes for general (“non- threshold) access structures is a very hard open problem.
( , )r n n r
Examples for ITSThe wiretap channel II (Ozarow-Wyner 1984) Message is encoded into a codeword of length A legal user receives the whole codeword A wtiretapper accesses any components of the
codeword The legal user can decode correctly The illegal user has no information about the
message (perfect security), more general the “equivocation” (conditional entropy) is lower bounded (imperfect security).
The optimal code is known (R-S code) Denote the code by WCII.
n
t
( , )n t
Examples for ITS
Wiretap network (Single source acyclic) communication network A (directed) Graph nodes-users, edges-
channels (noiseless); A single source node access to source with
message set ; Sinks , accessed by receivers; Acyclic network i.e., has no directed cycle.
( , ) :G V E
,s V
U VG
Examples for ITS Wiretap network (continue) Coding for a network Denote by incoming channels of outgoing channels of Acyclic partial order on total order such that if Assume all channles have the same alphabet define a code
if (“local”) if Introduce a set of functions for recursively. (“global”)
, ( ) {( , ) : ( , ) },v V In v u v u v E ;v( ) {( , ) : ( , ) },Out v v u v u E .v
,d e
,E
, ( ), ( ).v V d In v e Out v
, :e e E : ,e F ( ), ;e Out s s S
( ): ,In ve F F ( ), .e Out v v S
: , ,e F e E
,F
))(),(()( vIndmm dee )(vOute
Examples for ITS
Wiretap network (continue)An NC is linear if all local encoding functions are
linear. The global encoding functions of a linear NC are linear because a linear function of linear functions is linear.
Theorem (Li-Yeung-C.,2003) For single source networks (multicasts), maxflow bound is achievable by linear codes if the coding field is sufficiently large.
Examples for ITS
Wiretap network (continue)Wiretap network (C. and Yeung 2002, 2011) Communication network; A collection of subsets of wiretap channels :
i.e., is a collection of subsets of the channels such that all may be fully accessed by a wiretapper, but no wiretapper may access more than one wiretap subsets
For security randomness is necessary.
B
K
Examples for ITS
Wiretap network (continue)
secure Code for WN Fix a network code. Let be the random message
and be the outputs of the randomness. For denote by the output of channels in Then the code is secure if
for all , where is the message received by sink Decodable Condition;
Security Condition.
M,B
BY .B
,k k, , ( , ) ( , )u um m u U m k m k u
,k k
( | ) ( ),BH M Y H M
,u
Examples for ITS
Wiretap network (continue) We call the wiretap network WN and its secure
code a secure network code if consists of
subsets of channels i.e., for a WN, the wiretapper may access any channels.
Imperfect security :The secure condition can be release to
r r
r r r
( | ) .BH M Y h
Examples for ITS
SS is equivalent to a special class of WN’s. Given an SS with access structure , we construct a 3 layer WN as follows:Top layer: source node ( the dealer)Middle layer: intermediate nodes (participates); a channel with capacity connects and the node
if the node gets bits sharing.Bottom layer: Receivers labeled by members in (legal subsets); The intermediate node connect to receiver if
s
n
.
ir s
i i ir
At .i A
Examples for ITS
SS is equivalent to a special class of WN’s (continue)A wiretap set of channels corresponds an illegal subset and has membersA secure code for the WN exists iff an SS scheme exists. A threshold secret sharing scheme “is” a
secure network code.
B ( , ), .s b b B
( , )r n
( 1)r
Examples for ITS
Formulating secret sharing schemes to WN
1At
1v
….
….
….
….
s
2v
2A1A mA
1At 2At mAt
s
A1 A2Am
2At mA
t……
Examples for ITS
Similarly, WCII is equivalent to a 3 layer
WN with a sink and intermediate nodes.
( , )n t n-t
S
4321 5 n
T
Examples for ITS
Shannon Cipher System is a threshold SS and a WCII and therefore a secure network code.
2,1) (2,2 -( )
1
Examples for ITS
Private Computations in NetworksA communication networkA subset of nodes usersEach user accesses a information sourceThe sources are mutual independentThe users cooperate to compute the value of a function by exchanging information over the network
1,2,..., :uj jX
1 2, ,..., uX X X
1 2( , ,..., )uf X X X
Examples for ITS
Private Computations in Networks (continue)The users do not trust each others and they want the others to know no additional information about their own source. That is, the remaining uncertainty of the sources for the user must be
after the communicationRandomization is necessaryThe goal is minimizing the randomnessThe topology of the network play an important role.
j
1( , | , ( ,..., ))i j uH X i j X f X X
Examples for ITS
Wiretap channel (Wyner 1975)A sender send a secret message via a noisy channelA legal receiver and a wiretapper access different outputs of the channel resp.Want: the legal receiver may correctly decode with a high probability and the wiretapper has no (or limited) information about the messageThe goal: maximizing the transmission rate.
Examples for ITSKey agreement (KA), (distribution)A set of (legal) users try to generate a (common) secret random key A wiretapper try to have as much as possible information about the keyThe legal users share certain resource (e.g., different components of correlated source, private channels, parts of an entanglement q-state...)The wiretapper possibly may or may not have certain related resource (r.v. correlated to the source, outputs of the private channels, part of entanglement state…
Examples for ITSKey agreement (continue)By combining actions on their resources (e.g., observation of the outputs of the source, communication via the private channels, measure the q-state….), the legal users exchange messages via a public channelThe wiretapper may observe the output of the public channel by combining to use his resourceRequirement: at the end all legal users have the same key and the wiretapper has no (or limited) information about the keyGoal: maximizing the size of the key
Examples for ITSAn example of KA (Maurer 1993, Ahlswede-Csiszar 1993)A correlated memoryless sourceLegal users A, B and a wiretapper access resp.
A and B exchange message publicly according to their received message and outputs of At end of communication A and B share a random keyThe wiretapper can obtain no (or limited) information about the key from the output of public channel and
, , )n n nX Y Z(, ,n n nX Y Z
,n nX Y
.nZ
A Basic Idea in Secure Network Coding
Assume the input alphabet of a WN is the input of the WN is and the message obtained by the wiretapper from wiretap subset is
Then is a function of To protect the secret message, the sender partitions
according to the size of the message set and randomly chooses a element from the th subset and sends it via the network if he wants to send the th message, (the territory of the th message)
x
B By( )B By g x x
i
ii
A Basic Idea in Secure Network Coding
Denote by (i.e., ) the inverse image of mapping Then for a given
is a partition of The wiretapper knows the input of WN must be in if he receives Thus his best strategy is “to guess” the message with the largest intersection of territory to
Consequently a code is perfectly secure iff all territories equally intersect to all
1Bg
.Bg
1( )B Bg y
.By
1( ).B Bg y
1( ), , .B B Bg y y B
1( ) { : ( ) }B Bg y x g x y
1,{ ( )}BB B yB g y .
A Basic Idea in Secure Network Coding
A Basic Idea in Secure Network Coding
Assume the network code is linear, row vector Then for input and a (known)
matrix is the solution set of linear function
or a coset of the solution subspace of Further suppose we use the cosets of a linear code
with parity check matrix as territories of the messages. I.e., the territory of message is the solution of the function The intersection of the territory and the inverse image is the solution of the function
( )B B By g x xM xBM
B BxM y1( )B Bg y
0BxM
H
x
m.xH m
( , ) ( , ).B Bx H M m y
A Basic Idea in Secure Network Coding
Notice for all row vector in a finite field with size the function either has no solution or solutions, where is numbers of rows of and
Thus our problem is reduced to find matrix
such that all have solutions whenever has solutions.
,q xA
n rq nA [ ].r rank a
H ( , ) ( , )B Bx H M m y
B BxM y
A Basic Idea in Secure Network Coding This condition holds if
A such always can be found if the coding field is sufficiently large (C.-Yeung 2002, 2011)
A random generated matrix with a high probability has the property provided the field is sufficiently large (C.-Chan 2011)
Random network code is secure with a high probability if coding field is sufficiently large (C. 2009)
Similarly for imperfect security So far all secure NC’s are constructed in this way.
[( , )] [ ] [ ]B Brank H M rank H rank M
H
More About Resource
secure network codes constructed in the above way are optimal. For perfect security an optimal secure NC needs resource (Yeung C. 2008):
-- units of randomness (“random key”)
-- unites of throughput
Too much but may not be improved
r
rr
r
More About Resource
Perfect security may not be necessary In the general case there are more than one
sources and more than one wiretappers. A particular wiretapper may be interested only in particular sources or some parts of the source.
In the both cases often less resource is needed and sometimes no additional resource is needed.
More About Resource
Imperfect security, allow the wiretapper to get (at most) units of information, i.e.,
we need less resource (C.-Yeung 2011):
--Randomness reduced unites
--Gain unites of throughput
i
( ; ) ,WI S Y i
ii
More About Resource
Weak security: Release the security to not allowing the wiretapper to decode any part of source, no resource is needed (Bhattad and Narayanan 2005)
Strong security: in the case the wiretapper only interested parts of source (unknown for the communicator), less or even no resource is needed (Harada and Yamamoto 2008)
More About Resource
Multiple-source and multiple-wiretapper: a particular wiretapper is interested in special subset of sources: sometimes no resource is needed (C.-Chan 2001)
The Reason: Other sources or other parts of the sources serve as randomness.
Thus we may believed information security possibly has good application in the future.
Thank You!
