Rei Safavi-Naini University of Calgary Joint work with: Hadi Ahmadi iCORE Information Security.


Secret key agreement

• Alice and Bob want to share a secret over a channel that is eavesdropped by Eve.
  – A fundamental problem in cryptography.
• No solution if no other assumption is made.
• Assumptions:
  – Computational assumption
    • Diffie-Hellman key agreement
  – Non-computational assumption – unlimited adversary
    • Noisy channel
• The key questions:
  – Is it possible?
  – What is the “secrecy capacity”?
• This talk: increasing “secrecy capacity” through interaction over noisy channels

iCIS Lab, University of Calgary

Outline

• Message transmission & Key agreement
• Existing noisy channel models
  – Wiretap
  – Noisy broadcast
  – Public discussion
• A new model: two-way noisy broadcast
  – Lower bounds
  – Interactive Channel Coding
  – Comparing Key Agreement Protocols
• Discussion & Concluding Remarks

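Preliminaries

1. Entropy: random variable $X$ with $P_X$:
   $H(X) = -\sum_{x \in \mathcal{X}} p(x) \log p(x)$
2. Mutual information: $X$ and $Y$ with $P_{XY}$:
   $I(X;Y) = H(X) - H(X|Y)$
3. Binary Symmetric Channel (BSC):
   [Figure: BSC with inputs 0 and 1 and outputs 0 and 1; each input reaches the same output with probability $1-p$ and the other output with probability $p$.]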

Message transmission & Key agreement

• Assume eavesdropping adversary
  – If Alice can send a message ‘securely’ to Bob,
  – She may choose the message to be a ‘key’
  – Secure message transmission protocol gives a secure key agreement
• Protocols for secret key agreement

Secure message transmission over noisy channel

• Model 1: Wyner [Wy75] wiretap channel:
  – Channels are noisy DMCs.
  – Eve’s channel is a degraded version of Bob’s.
  – No shared key
• Secure message transmission is possible if the wiretap channel is not noise-free.
  – There exists a randomized coding

$C_s = C(P_{YZ|X}) = \max_{p(x)} \left( I(X;Y) - I(X;Z) \right)$

[Figure: input X, main channel with output Y, wiretap channel with output Z.]

Secure message transmission

• Model 2: Csiszár and Körner [CK78] noisy broadcast channel:
  – A generalization of Wyner’s work.
  – Eve’s channel can be better than Bob’s
• Secure message transmission is possible if Eve’s channel is noisier.

$C_s = C(P_{YZ|X}) = \max_{p(x)} \left( I(X;Y) - I(X;Z) \right)$

[Figure: input X, main channel with output Y, wiretap channel with output Z.]

Secure key agreement

• Maurer [Ma93], Ahlswede & Csiszár [AC93]
  – Noisy broadcast
  – Public discussion channel
    • error-free, insecure
• Secure key agreement is possible if Eve’s channel is not noise-free and Bob’s channel is not fully noisy. No requirement that Eve’s channel be more noisy!
• Established key can be used to encrypt a message
  – Send over public channel: secure message transmission
• In practice:
  – Implement public discussion channel using channel coding [BBRM08]

[Figure: input X, main channel with output Y, wiretap channel with output Z, and a public discussion channel.]

Secure key agreement: A new model

• Secret key agreement over “two-way” (noisy) broadcast channels.
  – No public discussion: only noisy communication
• Natural model
• Secrecy capacity?
• The rest of the talk:
  – Define two-way noisy channel secrecy capacity
  – Give three protocols for key agreement
  – Compare the protocols and derive a lower-bound for two-way secrecy capacity.

[Figure: two-way broadcast model. Alice sends $X_f$ over the main forward channel (Chmf) to Bob, who receives $Y_f$, and over the eavesdropper's forward channel (Chef) to Eve, who receives $Z_f$. Bob sends $X_b$ over the main backward channel (Chmb) to Alice, who receives $Y_b$, and over the eavesdropper's backward channel (Cheb) to Eve, who receives $Z_b$.]

2-way broadcast

• Two one-way broadcast channels
  – A forward broadcast channel: $X_f \to Y_f Z_f$ specified by $P_{Y_f Z_f | X_f}$
  – A backward: $X_b \to Y_b Z_b$ specified by $P_{Y_b Z_b | X_b}$
• Alice and Bob send messages multiple times.
• Alice, Bob and Eve “view” RVs: ViewA, ViewB, ViewE.
• Either Alice or Bob calculates S; the other calculates S’.

[Figure: Alice, Bob and Eve with their views and the calculated S and S’.]

Secrecy capacity of 2-way broadcast

• Secrecy capacity $C_s^{2}(P_{Y_f Z_f | X_f}, P_{Y_b Z_b | X_b})$: the maximum real number R≥0 such that, for every ε>0 and sufficiently large N, there exists a protocol that uses the two-way broadcast channel N times and results in viewed RVs MA, MB, ME and calculated RVs S and S’ which satisfy:

$\frac{H(S)}{N} \ge R - \varepsilon, \qquad \Pr(S \ne S') \le \varepsilon, \qquad \frac{1}{k} H(S \mid M_E) \ge 1 - \varepsilon$

Lower bound 1: one pass communication

1. One-way key agreement: use forward or backward noisy broadcast channel for sending a secure key

• The first lower-bound is:

$C_s^{2}(P_{Y_f Z_f | X_f}, P_{Y_b Z_b | X_b}) \ge \max\{C_s^{A}, C_s^{B}\}$

$C_s^{A}$ and $C_s^{B}$ are one-way secrecy capacities of forward and backward channels:

$C_s^{A} = C_s(P_{Y_f Z_f | X_f}) = \max_{P_{X_f}} \{ I(X_f;Y_f) - I(X_f;Z_f) \}$

$C_s^{B} = C_s(P_{Y_b Z_b | X_b}) = \max_{P_{X_b}} \{ I(X_b;Y_b) - I(X_b;Z_b) \}$

Lower bound 2: 1-round communication

2. Virtual Cascade Channel (VCC) protocol

• Inspired by Maurer’s technique used for public discussion model
• Alice (Bob) starts the protocol:
  – Alice sends $X_f$;
  – Bob selects uniformly S, encodes it to $V_b$, and sends $X_b = Y_f + V_b$;

[Figure: VCC protocol. Alice sends $X_f$; Bob receives $Y_f$ and Eve receives $Z_f$. Bob sends $X_b = Y_f + V_b$; Alice receives $Y_b$ and forms $V'_b = Y_b - X_f$; Eve receives $Z_b$ and forms $V''_b = Z_b - Z_f$.]

Lower bound 2

• Theorem: secrecy capacity is equal to half of the 1-way secrecy capacity of the virtual broadcast channel, $V_b \to V'_b V''_b$, i.e.:

$\frac{1}{2} C_s(P_{V'_b V''_b | V_b})$

When Bob starts the protocol, the secrecy capacity is

$\frac{1}{2} C_s(P_{V'_f V''_f | V_f})$

• The second lower-bound is:

$C_s^{2}(P_{Y_f Z_f | X_f}, P_{Y_b Z_b | X_b}) \ge C_s^{V} = \frac{1}{2} \max\{ C_s(P_{V'_f V''_f | V_f}),\ C_s(P_{V'_b V''_b | V_b}) \}$

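Lower bound 3: 1-round communication

• Interactive channel coding:
  – Alice: sends $X_f^n$;
    • Bob and Eve receive $Y_f^n$ and $Z_f^n$. $X_f$ is such that $Y_f$ has uniform distribution.
  – Bob: encodes $Y_f^n$ to $M_B^N = e(Y_f^n) = (Y_f^n \| X_b^d)$ and sends $X_b^d$;
    • Alice and Eve receive $Y_b^d$ and $Z_b^d$.
  – Alice decodes $M_A^N = (X_f^n \| Y_b^d)$ to $\hat{Y}_f^n$;
  – Bob and Alice calculate secrets as $S^k = g^{-1}(Y_f^n)$, $\hat{S}^k = g^{-1}(\hat{Y}_f^n)$.

[Figure: ICC protocol. Alice sends $X_f^n$ over Chmf and Chef; Bob receives $Y_f^n$ and Eve receives $Z_f^n$. Bob's systematic encoder forms $M_B^N = (Y_f^n \| X_b^d)$ and sends $X_b^d$ over Chmb and Cheb; Alice receives $Y_b^d$ and Eve receives $Z_b^d$. Alice's systematic decoder takes $M_A^N = (X_f^n \| Y_b^d)$; Eve holds $M_E^N$. Each side applies $g^{-1}$ to obtain its $S^k$.]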

Lower bound from interactive coding

• The third lower bound is:

$C_s^{I} = \max\{ C_s^{I_A}(P_{Y_f Z_f | X_f}, P_{Y_b Z_b | X_b}),\ C_s^{I_B}(P_{Y_f Z_f | X_f}, P_{Y_b Z_b | X_b}) \}$

The best lower bound so far:

• Theorem: Secrecy capacity of 2-way noisy broadcast channel is lower bounded by

$C_s^{2}(P_{Y_f Z_f | X_f}, P_{Y_b Z_b | X_b}) \ge \max\{ C_s^{A}, C_s^{B}, C_s^{V}, C_s^{I} \}$

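Secrecy capacity with ICC

• Average mutual information between Bob and Alice:

$I_m^{A} = \frac{I(M_B^N; M_A^N)}{N} = \frac{I(Y_f^n \| X_b^d;\ X_f^n \| Y_b^d)}{N} = \frac{n I(Y_f;X_f) + d I(X_b;Y_b)}{n+d}$

• Average mutual information between Bob and Eve:

$I_w^{A} = \frac{I(M_B^N; M_E^N)}{N} = \frac{I(Y_f^n \| X_b^d;\ Z_f^n \| Z_b^d)}{N} = \frac{n I(Y_f;Z_f) + d I(X_b;Z_b)}{n+d}$

• The two-way secrecy capacity with ICC is:
  – if Alice initiates: [Equation garbled in the transcript: $C_s^{I_A}$ as a maximum over $d$ and $P_X$ of an expression in $I_m^{A}$, $I_w^{A}$ and $n/N$, subject to a constraint, with starred values $I_m^{A*}$ and $I_w^{A*}$.]
  – if Bob initiates: [Equation garbled in the transcript: $C_s^{I_B}$, the same form in $I_m^{B}$, $I_w^{B}$, $I_m^{B*}$ and $I_w^{B*}$.]
• Hence:

$C_s^{I} = \max\{ C_s^{I_A}, C_s^{I_B} \}$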

Secrecy capacity with ICC

• Theorem: Let $Y_f^n$ be an i.i.d. n-vector over set $U^n$ with entropy $H(Y_f)=\zeta$, where $\zeta=\log|U|$, and $S^k = g^{-1}(Y_f^n)$. For rates [equation garbled in the transcript: $R_t$ with $n/N$ and $I_m^{A*}$, and $R_s$ with $k/N$ and $I_w^{A*}$], by choosing N large enough, there exist a suitable partitioning set Gn and a pair of $(2^{\zeta k}, N)$ encoding/decoding algorithms that communicate $Y_f^n$ reliably from Bob to Alice, while [equation garbled in the transcript: a condition on $H(S^k \mid M_E^N)/k$].

A comparison: BSC channels

• Channels are binary symmetric
  – bit error probabilities p1, p2, p3, p4, where p1=p4.

[Figure: two-way broadcast model. Alice sends $X_f$ over Chmf (Bob receives $Y_f$) and Chef (Eve receives $Z_f$); Bob sends $X_b$ over Chmb (Alice receives $Y_b$) and Cheb (Eve receives $Z_b$).]
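
Added worked example (not from the talk): lower bounds 1 and 2 evaluated for binary symmetric channels, using the one-way formula $\max_{P_X}(I(X;Y) - I(X;Z))$ and the VCC virtual channels $V'_b = Y_b - X_f$, $V''_b = Z_b - Z_f$ from the slides. The parameter names `p_mf`, `p_ef`, `p_mb`, `p_eb` (crossover probabilities of Chmf, Chef, Chmb, Cheb) are hypothetical, and the four channels are assumed to have independent noise; the slide's mapping of p1..p4 to channels is not given, so it is not used.

```python
import math

def h(p):
    """Binary entropy in bits, the h(p) of the slides."""
    return 0.0 if p <= 0.0 or p >= 1.0 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def conv(*ps):
    """Crossover probability of cascaded BSCs (XOR of independent noise bits)."""
    q = 0.0
    for p in ps:
        q = q * (1 - p) + (1 - q) * p
    return q

def one_way_cs(p_main, p_eve, steps=1000):
    """max over P_X of I(X;Y) - I(X;Z) for BSC(p_main) and BSC(p_eve), by grid search."""
    best = 0.0
    for i in range(steps + 1):
        a = i / steps                       # a = Pr[X = 1]
        i_xy = h(conv(a, p_main)) - h(p_main)
        i_xz = h(conv(a, p_eve)) - h(p_eve)
        best = max(best, i_xy - i_xz)
    return best

def lower_bounds(p_mf, p_ef, p_mb, p_eb):
    """Lower bounds 1 and 2 for four independent BSCs (hypothetical parameter names)."""
    cs_a = one_way_cs(p_mf, p_ef)           # forward channel alone
    cs_b = one_way_cs(p_mb, p_eb)           # backward channel alone
    # Alice starts: V'_b = Y_b - X_f carries the noise of Chmf and Chmb,
    # V''_b = Z_b - Z_f carries the noise of Chmf, Cheb and Chef.
    alice = one_way_cs(conv(p_mf, p_mb), conv(p_mf, p_eb, p_ef))
    # Bob starts: the roles of the forward and backward channels swap.
    bob = one_way_cs(conv(p_mb, p_mf), conv(p_mb, p_ef, p_eb))
    cs_v = 0.5 * max(alice, bob)            # half of the virtual channel's capacity
    return {"CsA": cs_a, "CsB": cs_b, "CsV": cs_v, "best": max(cs_a, cs_b, cs_v)}

if __name__ == "__main__":
    # Constructed values: both main channels (0.15) are noisier than Eve's (0.10).
    for name, value in lower_bounds(0.15, 0.10, 0.15, 0.10).items():
        print(f"{name}: {value:.4f}")
```

With these constructed values both one-way bounds are zero while the VCC bound is positive, because Eve's virtual channel accumulates three noise terms against two on the main virtual channel.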

1-rnd and 2-rnd communication

Note: $h(p) = -p \log p - (1-p) \log (1-p)$

ICC vs. VCC

Discussion

• Types of key agreement protocols:
  – One-party Key Generation: First two protocols
  – Participatory Key Generation: ICC
• Secrecy capacity of message transmission vs. key agreement:
  – Equal: if public discussion channel exists.
  – Equality for two-way broadcast model is an open question.
• Strong vs. weak secrecy capacity:
  – Weak: to maximize Eve’s uncertainty rate [Wy75, CK78, Ma93].
  – Strong: to maximize Eve’s absolute uncertainty [MW00].
• We consider weak secrecy capacity.
• Strengthening the security requirement is direct [MW00]

Concluding remarks

• Two-way broadcast model is a natural model
  – Fits in particular in wireless settings
  – Results are of practical significance
• Secrecy capacity of 2-way broadcast channel for key agreement is defined in analogy to one-way secrecy capacity
• Three key agreement protocols in 2-way broadcast setting
  – One-way key agreement
  – VCC protocol
  – ICC protocol
• Each protocol will provide the best (highest) capacity for certain channels
  – The best lower-bound is maximum of the three in each case

Concluding remarks

• Secrecy capacity will be positive in surprising cases:
  – the main channels are much worse than the eavesdropper’s channel
• ICC protocol provides a novel approach to channel coding, using interaction during the encoding phase.
• Open questions:
  – Can ICC be extended to multi-round?
  – Relationship among secrecy capacities of the three protocols
  – Relation between secrecy capacities of key agreement and message transmission