Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT...

Theory and Practice

João Barros

Instituto de TelecomunicaçõesUniversidade do Porto

and EECS/MIT

Information-Theoretic Security

IEEE International Symposium on Information TheoryToronto, Canada, July 2008

Steven W. McLaughlin

School of Electrical and ComputerEngineeringGeorgia Institute of Technology

2

Today’s Layered Architecture

Standard Protocol Stack

Application

Link

Transport

Network

Physical

Programs and applications

End-to-end reliability, cong. control

Routing and forwarding

Medium access control

Channel coding and modulation

Where is security ?

3

Security: a patchwork of add-ons…

Application

Link

Transport

Network

Physical

End-to-end cryptography

Secure Sockets Layer (SSL)

Virtual private networks (IPSec)

Admission control (e.g.WPA)

Application

Link

Transport

Network

Physical Physical-layer security ?

4

A typical graduate course in cryptography and security always starts by discussing Shannon's notion of perfect secrecy (widely accepted as the strictest notion of security):

Then, it emphasizes its conceptual beauty.

Then, it states that it is basically “useless” for any practical application.

Alice

Eve

BobMessage Wdecoded

message Wb

key K

X X

X key K

Computational Security

p(w|x)=p(x)

Information-Theoretic-Security – are we biased?

5

Main Questions in this Tutorial

W

hat are the fundamental security limits at the physical layer?

W

hich notions of security are we talking about?

I

s information-theoretic security practical?

W

hat kind of code constructions can we use?

H

ow do we build protocols based on information-theoretic security?

C

an we combine physical-layer security with classical cryptography?

H

ow can we secure novel networking paradigms?

H

ow can we go beyond confidentiality at the physical layer?

H

ow can we increase our credibility in the security business?

6

Theoretical Foundations Fundamentals of Information-Theoretic Security Strong Secrecy versus Weak Secrecy Secrecy Capacity of Noisy Channels

Practical Techniques Combining Cryptography and Coding Secrecy Capacity Achieving Codes Secret Key Agreement at the Physical Layer

Advanced Topics and Applications Multi-user Secrecy and Network Coding Security Active Attacks on Coded Systems Beyond Secure Communications

Our program for today

10 Open Issues

7

What we will not do

Provide an exhaustive review of related work

Elaborate on the details of the proofs

Cover all the topics in depth

Adress quantum information theory

Say bad things about modern cryptography

8

Theoretical Foundations

9

Notions of Security


Alice sends a k-bit message W to Bob using an encryption scheme;

Security schemes are based on (unproven) assumptions of intractability of certain functions;

Typically done at upper layers of the protocol stack

Information-Theoretic (Perfect or unconditional) Security

strictest notion of security, no computability assumption

Prob{W | Eve’s knowledge}=Prob{W}

H(W|X)=H(W) or I(X;W)=0

e.g. One-time pad

[Shannon, 1949] : H(K) ≥ H(M)

Alice

Eve

Bobk-bit

message W

k-bit decoded

message Wb

key K

X X

X key K

10

Eve

Keyk-bit message W Xk

k bits Key

k bits

k-bit decoded message Wb

Alice

Bob

If Eve does not know the key and P(Key=k-tuple)=1/2k

then we have p(w|xk) = p(w).

Xk

Xk

One-time Pad

11

This model is somewhat pessimistic, because most communications channels are actually noisy.

Alice

Eve

Bobk-bit message W


key K key K

X X

X

Shannon’s Model

12

Reliability & Security

For Bob and Alice,

Prob{W≠Wb| Y n} → 0

With respect to Eve,

(1/n) I(W; Zn) → 0

as n → ∞

Secrecy Capacity:

Largest transmission rate at which both conditions can be satisfied.

Positive secrecy capacity only in the degraded case.

Wyner’s Wiretap Channel (I)[Wyner, 1975]

BobAliceX n

p(y|x)Y n

p(z|y)

Eve

Zn

sends W decodes Wb

13

Wyner’s Wiretap Channel (II)

BobAliceX n

p(y|x)Y n

p(z|x)

Eve

Zn

Proof Idea:A

lice assigns multiple codewords to each message, picks one at random and thus exhausts Eve’s capacity.C

onverse uses Fano’s inequality and classical arguments.

Rate-equivocation region:T

wo critical corner points (CM , D) and (CS , H(W))

Unusual shape (not convex)

H(W)

CS CM

D

Transmission rate

equivocation rate

[Wyner, 1975]

14

Because the transmission range is so short, NFC-enabled transactions are inherently

secure. Also, physical proximity of the device to the reader gives users the reassurance

of being in control of the process.

15

Broadcast Channel with Confidential Messages

Bob

AliceX n

p(yz|x)

Y n

EveZn

Secrecy capacity is strictly positive if Bob’s channel

is less

noisy than Eve’s, i.e. I(X;Y)>I(X;Z)

));();((max),(

ZUIYUICYZXU

xupS

[Csiszár & Koerner, 1978]

16

Feedback (Public Discussion)

Bob

AliceX n

p(yz|x)

Y n

EveZn

Secret Key agreement scheme

Clever protocol allows Alice and Bob to increase their secrecy capacity by exchanging information over the feedback channel

This requires a public authenticated feedback channel!

public authenticatedfeedbackchannel

[Maurer, 93]

17

Increasing the Secrecy Capacity via Feedback

Suppose Alice, Bob and Eve are connected via binary symmetric channels and a public authenticated feedback channel is available.

Noisy Channel

Error-free public

communication

Computation

Alice X V+X+E V+X+E+X V+E

Bob X+E V+X+E V V

Eve X+D V+X+E V+X+E+X+D V+E+D

Bob and Eve observe different noises (D, E).

Bob feeds back random value V plus what he observed (X+E)

Eve ends up with more noise than Bob (as in the wiretap channel)

18

Source Model

Bob

AliceX n

p(x,y,z)Y n

EveZn

public authenticated

feedbackchannel

Alice and Bob share common randomness.

Eve gets to see a correlated random variable.

Alice and Eve generate a secret key using the public authenticated channel.

[Ahlswede and Csiszar, 93]

19

Notions of Security

W

eak secrecy

S

trong secrecy

1)|(1 nn XUHn

nXUH nn )|(

[Maurer & Wolf, 2000]

The secrecy capacity of the discrete memoryless wiretap channel does not change with strong secrecy.

Proof requires fundamental tools of theoretical computer science (extractors)

20

Example of Weak Secrecy

Un

Kn

Xn

Binary data (n bits)

One-time-pad (n-k bits)

Unprotected data (k bits) Protected data (n-k bits)

This trivial scheme satisfies the weak secrecy condition while disclosing an unbounded number of bits:

Clearly, it does not satisfy the strong secrecy condition:

11)(1

)|(1

n

kkn

nXUH

nnn

nknXUH nn )|(

21

The Wireless Scenario

Wireless Network with Potential Eavesdropping

Can we exploit channel variabilityto help secure the communication?

[Barros, Rodrigues, ISIT06]

22 ITI September 2007

System Model

h

M(i)=hM, i, and hW(i)=hW, i (quasi-static fading model)

h

M and hW independent and complex Gaussian distributed

SNRs M hM2 and W hM2 exponentially distributed

23

General goal is maximization of transmission rate from Alice to Bob

R=(1/n) H(Wk)…

… and minimization of Eve’s information rate about the message,

=(1/n) I(Wk;YWn)

Secrecy capacity is maximum transmission rate R with < ε.

Cautionary Note [Maurer & Wolf, 2000]

Stronger secrecy condition for Discrete Memoryless Channels Not only the rate but the total amount of information leaked to

the eavesdropper decays exponentially fast with n. It is possible to prove strong secrecy results for wireless

channels

[Barros & Bloch, 2008]

Security Characterization


Instantaneous Secrecy Capacity

The instantaneous secrecy capacity for quasi-static fading channels follows directly from the Gaussian case.

sC ),1log()1log( WM { WM

WM ,0

22/ MMM Ph

22/ WWW Ph

Instantaneous signal-to-noise ratios

25

Secrecy Outage

The outage probability:

sssout RCRP Pr

- Alice chooses a target secrecy rate Rs.

- if Rs<Cs then she can communicate securely.

- otherwise, information-theoretic security is compromised.

26

Outage Probability

Outage probability for normalized target secrecy rate Rs=0.1.

Outage probability for normalized target secrecy rate Rs=0.1.

M

R

WR

M

Msout

s

sRP

12

exp2

1After some maths…

Impact ofDistance


27

Outage Secrecy Capacity

Normalized outage secrecy capacity for an outage probability Pout=0.10.

Normalized outage secrecy capacity for an outage probability Pout=0.75.

Thicker lines: AWGN case; Thinner lines: Fading case.

-outage secrecy capacity: outout CP 1 outout PC



28

Average Secrecy Capacity

Normalized average outage secrecy capacity.

When it comes to information-theoretic security, fading is really a friend and not a foe.


29

Imperfect CSI

Assumptions

Perfect CSI for the main channel Imperfect CSI for the wiretap channel

Proceed as if CSI was correct

Outage probability

In general, Alice underestimates the secrecy capacity

WWW hh ˆMM hh ˆ

)ˆ()ˆ( WWSS PCCP

2/21

1

2

1

2

1)ˆ(

WWP

[Bloch,Barros, Rodrigues, McLaughlin, ITW06]


Some recent work on (weak) secrecy capacity

S

ecure space-time communications (Hero, 2003)

S

ecrecy rates for the relay channel (Oohama, 2004)

S

ecrecy capacity of SIMO channels (Parada and Blahut, 2005)

S

ecure MlMO with artificial noise (Negi and Goel, 2005)

G

aussian MAC and cooperative jamming (Tekin and Yener, 2005)

S

ecrecy capacity of slow fading channels (Barros and Rodrigues, 2006)

M

ultiple access channel with confidential messages (Liang and Poor, Liu et al., 2006) S

ecure broadcasting with multiuser diversity (Khisti, Tchamkerten, and Wornell, 2006)

E

rgodic secrecy capacity (Gopala, Lai and El Gamal, Liang, Poor and Shamai 2007)

S

trong secrecy for wireless channels (Barros and Bloch, 2008)

… and many more.

31

Strong secrecy for Gaussian and Wireless Channels

Strong secret key agreement from Gaussian random variables Lattice codes Quantization with side information

Strong secrecy capacity for wireless channels Uses tools of [Maurer and Wolf, 2000] Maps messages to secret keys Multiple copies of weakly secure wiretap codes Quantization and Slepian Wolf codes Extractor functions for privacy amplification

[Nitinawarat, Allerton 2007]

[Barros and Bloch, ICITS 2008]

32

Comments

Information Theory provides you with tools to determine

fundamental security limits in particular at the physical layer;

There exist codes which can guarantee both reliability and

information-theoretic security;

Secure communication over wireless channels is possible even

when the eavesdropper has a better channel (on average);

When it comes to security, fading is a friend and not a foe.

33

Practical Techniques

34

Is physical-layer security practical?

Motivating examples

secure error correcting codes and the channel

coding converse

tandem error correction and cryptography

coset codes for an erasure wiretapper

Secret key agreement protocol for wireless channels

35

Secure Communication on two Gaussian channels

Tag

Attacker

X

Z

Reader

Yk-bit

message w

wb+

+Nw

Nm

Practical scenariosRFIDZoned security

Wiretap error control code

Specific error control code needed at Tag side Low complexity encoder - possibly complex decoder

Assume that the attackerhas worse SNR

36

Secure Communication on two Gaussian channels


Transmit at Cwiretapper<R<Cmain

Tag

Attacker

X

Z

Reader

Yk-bit

message w

wb+

+Nw

Nm

37

Some common sense – use an error control code

Very good error correcting code with simpleencoder

Reader recovers bitsWith good BER


Tag

Attacker

X

Z

Reader

Yk-bit

message w

wb+

+Nw

Nm

38

Coding

Very good error correcting code with simpleencoder

Eve recovers bitswith worse BER


Tag

Attacker

X

Z

Reader

Yk-bit

message w

wb+

+Nw

Nm

39

Coding with an advanced code

Tag

Attacker

X

Z

Reader

Yk-bit

message w

wb+

+Nw

Nm

40

Some secrecy rate tradeoffs

Tag

Attacker

X

Z

Reader

Yk-bit

message w

wb+

+Nw

Nm

41

System view

How would we combine this with encryption?

Tag

Attacker

ReaderX Y

Z

C2

C1Encrypt

Key

FEC Decrypt

Key

FEC

Decrypt

FEC

Key

A B

C

42

After FEC decoding

Assume Attacker SNR is ~1.5 - 2.0 dB worse than Bob’s

A A

C

BER~50%

Tag Encrypt

Key

ReaderDecrypt

Key

Attacker

DecryptKey

(e.g. near field communications)

At the encryption level

43

N/2 bits in errorAttacker does not know which onesShe needs to do 2 searchN

Assume all parties have a key -Attacker has somehow figured out the key-e.g. from a weak RFID security protocol

A A

C

BER~50%

Tag Encrypt

Key

ReaderDecrypt

Key

Attacker

DecryptKey


44

N/2 bits in errorAttacker needs to - guess the N coded bits correctly - guess the M key bits correctlyShe needs to do 2 search

This time: Assume Attacker does not have a key

N+M

A A

C

BER~50%

Tag Encrypt

Key

ReaderDecrypt

Key

Attacker

DecryptKey


45

Achieving the Secrecy Capacity withError Control Coding

46 46

Achieving secrecy capacity for any DMCs using capacity achieving codes

Special case - C2 is worse than C1, (both DMCs)

Use 2k capacity-approaching codes: C1 , C2 , C3 , ...

To send a message w, set X=random codeword of Cw

If Cw achieves capacity on C2 for each w => Security condition is satisfied!

If union of {C1 , C2 , C3 , ... } is reliable across C1, wb=w is possible => Reliability condition is satisfied!

[Thangaraj et al, 2004] have shown that such a selection of C1 , C2 , C3 , ... is possible.

Alice

Eve

BobX Y

Z

k-bit message

w

k-bit decoded

message wb

C2

C1

C1: Main channel; Pr{Y|X}C2: Wire tapper’s channel; Pr{Z|X}

47 47

Motivating example: BEC wiretapper channel

Main channel is noiseless; wire-tapper’s channel is a BEC with erasure probability e

Eve receives a subset of the transmitted bits (or packets)

Secrecy capacity is e

Alice

Eve

X

Z

ee1-e 1-e

Bob

Xk-bit message w

wb

o

1

1

o ?

[Wyner and Ozarov, Wiretap Channel Type II]

48 48

Conventional Encoding & Decoding

Alice

X

Bob

X

wb=HXT

Conventional encoding: Select the codeword in C with message w

••

•

•

•

•

•

•

Binary codewords of length n

k-bit message w

49 49

Security Encoding & Decoding

Now for security - encode information in coset

••

•

•

•

•

•••

•

•

•

•

Binary codewords + 1 translate (cosets)

Alice

X

Bob

X

wb=HXTk-bit message w

50 50

Security Encoding & Decoding

(n,n-k) code C with parity-check matrix H

Make C and H public

C has 2k cosets

Encoding: Select the coset of C with message w, select codeword in coset at random

••

•

•

•

•

•••

•

•

•

•

••

•

•

•

•••

•

•

•

•

Binary codewords + 3 translates (cosets)

Secrecy rate = k/n

Alice

X

Bob

X

wb=HXTk-bit message w

51 51

Security

Alice

X = x1 x2... xn

Bob wb=HXT

BEC(e)

Eve

Z = x1…xs e e e...e (e: erasure)

If each coset of C has a vector of the form x1...xs??...?, Pr{m|Z}=Pr{m} ••

•

•

•

•

•••

•

•

•

•

••

•

•

•

•••

•

•

•

•

k-bit message w

52 52

Security Property of Codes

nknsknsknsknkn

nsss

nsss

ggggg

ggggg

ggggg

G

,2,1,,1,

22,21,2221

12,11,1111

Z = x1 ... xs ? ? ... ?

If the submatrix of G corresponding to revealed positions has full column rank, all cosets of C have a vector of the form x1...xs??...?

53 53

U

rbanke and Richardson

C

onsider a (3,6)-regular LDPC matrix H; BEC threshold = 0.42

T

hreshold Interpretation: columns of H corresponding to the erased positions have full column rank if the

erasure probability is less than 0.42

H

Urbanke and Richardson, 2001

h h h h h

h h h h h

h h h h h

LDPC Codes over a BEC

54 54

LDPC Matrix Connection

LDPC Codes over a Wire Tap Channel

Let G = (3,6)-regular LDPC matrix The columns of G corresponding to the revealed

positions have full column rank if 1-e < 0.42 or the erasure probability is greater than 0.58

Z = x1 ... xs ? ? ... ?

55 55

LDPC codes over a BEC-noiseless wire tap channel

C : dual of an LDPC code with threshold e rate R; k=(1 – R)n; secrecy rate=1-R

Security guaranteed whenever 1-e < or e > 1 –

As e tends to 1 – R, we approach secrecy capacity

Capacity achieving codes for the erasure channel provide perfect security on the erasure wiretap channel

Alice

X = x1 x2... xnBob wb=HXTk-bit

message w

BEC(e)

Eve

Z

X : randomly chosen from coset of C with syndrome m

56 56

Comments

Positive Aspects First practical codes to achieve perfect secrecy - encoder and decoder are public Connection between coding threshold and security

Negative Aspects Channels C1 and C2 must be known Coding scheme above works if C1 is less noisy than C2

Other cases: BEC-BEC wire tap channel, BSC-Noiseless See:

Thangaraj, Dihidar,Calderbank, McLaughlin, and Merolla “Applications of LDPC Codes to the Wiretap Channel,” IEEE Trans IT Aug 2007

57

BREAK

58

Practical Secret Key Agreement

for Wireless Networks

59

How do we make this practical?

To fully exploit the randomness of the channel for

security purposes we need secrecy capacity-achieving

channel codes.

Unfortunately, it seems very difficult to design near-to-

optimal codes for the Gaussian wiretap channel....

BUT fortunately secret key agreement is a somewhat

“easier” problem (learn from quantum key

distribution)! Alice and Bob only have to agree on a key based on common

randomness and not to transmit a particular message.

60

Secret Key Agreement

Alice

Q

Z

QY

+

+Nwt

Nm

Q

k-bit message

Bob

me

Eve

X

10110

10101

11011

Assume Eve has worse channel

61

Two steps1. Reconciliation2. Privacy amplification


Alice

Q

Z

QY

+

+Nwt

Nm

Q

k-bit message

Bob

me

Eve

X

10110

10101

11011

62



Alice

Q

Z

QY

+

+Nwt

Nm

Q

k-bit message

Bob

me

Eve

X

10110

10101

11011

63



Alice

Q

Z

QY

+

+Nwt

Nm

Q

k-bit message

Bob

me

Eve

X

10110

10101

11011

64



Alice

Q

Z

QY

+

+Nwt

Nm

Q

k-bit message

Bob

me

Eve

X

10110

10101

11011

65



k-bit message

Alice

Q

Z

QY

+

+Nwt

Nm

Q

Bob

me

Eve

X

10110

10101

11011

66


011

011

XXX


Alice

Q

Z

QY

+

+Nwt

Nm

Q

k-bit message

Bob

me

Eve

X

10110

10101

11011

67

TransmissionAlice codes n random symbols X with quantum states

Bob measures received states to obtain correlated symbols Y

AnalysisEvaluation of information intercepted based by Eve based on simple statistical

measures (bit error rate, variance)

ReconciliationCorrection of errors

Minimum number of bits to transmit :

Privacy AmplificationChoice of key size

Random choice of compression function

Secret informationafter transmission

Information exchangedduring reconciliation

securityparameter

We can learn from Quantum Key Distribution

AB E

)|( YXHI rec

));()(( 0rIZXIXHnk rec

02),|( rkGZKkH

68

• Goal: Exploit channel variability to secure information

With fading the instantaneous secrecy capacity can be strictly positive

How about wireless security? [Barros, Rodrigues, ISIT06]

69

Opportunistic Secret Key Agreement

Cs>0

share common randomness

Cs=0

generate secret key

Cs=0

communicate securely (e.g one-time pad)

[Bloch, Barros, Rodrigues, McLaughlin ’06]

70

Opportunistic secret key agreement

71

Reconciliation•Correct discrepancies between A and B using reconciliation information.

• In practice small overhead ǫ (10%), thus you have to transmit (1 + ǫ)H(X|YM) bits per symbols.

• Assign binary labels to each of the transmitted symbol and use multilevel coding. The syndromes are used as reconciliation information.

• Very similar to source coding with side information.

72

Two Modes of Operation

Perfect Information-theoretic Security: Generate a secret key and use it as a one-time pad (perfect security at very low rates)

Combined physical layer and cryptography: Generate a secret key and use a symmetric cipher such as AES (very high rates are possible)

Example: with fraction of time dedicated to secret key generation as small as 1%, we can renew a 256-bit encryption key every 25kbits, i.e. with SNR(M)=10dB and SNR(W)=20 dB, at an average rate of 2Mbps, this would renew a key every 16 milliseconds.

73

Average secure communication rate

Case of perfect CSI - communication with one-time pad

Protocol optimal

74

Practical Considerations

It is possible to exploit

the noise of fading channels to generate

secret keys, even with

imperfect CSI:

R

econciliation efficiency ~90% over wide range of SNRs

S

ome latency and complexity (long block length of LDPC code)

C

ombine physical layer and standard cryptography

Ex: AES with high key regeneration rate

We require a small

shared key for authentication.M. Bloch, J. Barros, M. R. D. Rodrigues and S. W. McLaughlin,Wireless Information-Theoretic Security, IEEE Transactions on Information Theory, June 2008.

75

Advanced Topics and Applications

76

Network Security

Interference

Cooperation

Feedback

Network

X1

X3

X4

X2

Y1

Y2

?

What happens when we have multiple parties communicating over unreliable noisy networks with multiple eavesdroppers and jammers?

77

M users communicate messages F and agree on secret key K

common secret key

secrecy against eavesdropper

uniformity

secret key (SK) capacity is the largest entropy rate of K

Multi-user Secrecy Generation

1)...( 21 MKKKKP

0);( FKI

||log)( spacekeyKH

78

Example with three users and two-bit sequences

Bob

Alice

Charlie

1211BB

2221BB

3231BB

Bob and Charlie observe sequences of Bernoulli (1/2) symbols. Alice observes the symbolwise XOR of their sequences.

Optimal Secret Key Agreement

Alice sends

Bob sends

Charlie sends

All are able to recover

11B

22B

3231 BB

31B

0);,,( 3132312211 BBBBBI

2

1)(

2

131 BH

Eavesdropper is in the dark: SK rate:

[Csiszár and Narayan, 2006]

79

Encoding Correlated Sources

Decoder

Source 1 Encoder 1U1

U2

R1

R2

Û1

Û2Encoder 2

Sink

R1+R2 > H(U1U2)

R1 > H(U1|U2)

R2

R1

SlepianWolf1973

H(U1|U2) H(U1)

H(U2)

H(U2|U1)

H(U1U2)

H(U1U2)

R2 > H(U2|U1)

Encoder

Shannon1948

Source 2

p(u1,u2)

80

Many correlated sources

1

2

0

U1

U2

R10

R20

MUM

RM0

))(|)((0c

Sii SUSUHR

for all sets

Perfect reconstruction is

possible if and only if

0

,0

},,....,2,1{

S

SS

MSc

81

Secret Key Capacity for Two Terminals

[Maurer ‘93, Ahlswede and Csizár, ‘93]

BobAlice U2

R1

U1

R1 > H(U1|U2)

R2 > H(U2|U1)R2

)]|()|([),( 122121 UUHUUHUUHCSK

);( 21 UUI

non-interactive communication

82

Secret Key Capacity for Multiple Terminals

[Csiszár and Narayan, 2006]

min21 ),...,,( RUUUHC MSK

is the minimum sum rate required for all terminals to be able to reconstruct all sources with arbitrarily small probability of error.

minRNetwork

U1

U4

U6

U3

U2

U5

Notice that in this case the eavesdropper observes only the communication between the nodes and not one of the correlated sources.

83

Extensions and Variations

S

ecret key agreement with helpers [Csizár, Narayan, 2005]

M

ultiple group keys with secrecy with respect to a prescribed

subset of users [Ye,

Narayan, 2005]

S

atellite Channel Model [Csizár, Narayan, 2005]

S

ecret key capacity when eavesdropper observes a

correlated source of

randomness remains unsolved.

84

Active Attacker

Adversary has access to the communications channel used by the legitimate parties and can do the following:

Send / Receive; Read; Replay; Forge; Block; Modify; Insert;

84

85

Secret Key Agreement with Public Discussion

Bob

AliceX n

p(yz|x)

Y n

EveZn

Alice and Bob want to increase their secrecy capacity by exchanging information over the feedback channel and generate a secret key.

But what if Eve is allowed to read and write on the public channel? Adversary with infinite computing power; Adversary with complete control over public channel.

public unauthenticatedchannel

[Maurer, 93][Maurer, Wolf, 03]

86

Source Model

Bob

AliceX n

p(x,y,z)Y n

EveZn

publicauthenticated

channel

Alice and Bob see X n and Y n and exchange messages C:=(C1, C2, C3, . . .Ct)

Outcome of the key generation process: H(SA|CX) = 0 or H(SB|CY ) = 0

Alice sends (C1, C3, . . . , C2k+1, . . .), Bob sends (C2, C4, . . ., C2k, . . .)

Eve gets to see a correlated random variable Zn and can read and write on

the public channel.

SA

SB

87

Impossibility Results

Simulatability Condition

To generate a key, Alice and Bob must have advantage over Eve in terms of the distribution PXYZ;

Eve cannot be able to generate from Z a random variable X’ which Bob, knowing Y, is unable to distinguish from X (and vice versa).

Secret Key Capacity with Active Adversary

Either a secret key can be generated at the same rate as in the (well-studied) passive-adversary case, or such secret key agreement is completely impossible;

if Eve can use Z to simulate X or to simulate Y the secret key capacity is zero.

88

Information-theoretically Secure Message Authentication

We assume opponent has unlimited computing power and knows

everything about the system – except for a secret key.

Can we provide bounds on an opponent´s cheating probability for a

given tolerable probability of rejecting a valid message?

Hypothesis testing problem: decide whether a received message is

authentic or not:

Either the message was generated by the legitimate sender knowing the

secret key;

Or by an opponent without a priori knowledge of secret key.

[Maurer, 2000]

89

Problem Setup

Sender and receiver share a secret key K

Sender: sequence of plaintext messages

Each is authenticated by sending an encoded message which depends on K,Xi and encoded possibly also using the previous plaintext messages and

Receiver:

based on , and possibly also on and ,decides to either reject the message or accept it as authentic

if case of acceptance: decodes to a message

1 2, ,..., nX X X

iX

iY

1 1,..., iX X 1 1,..., iY Y

,iY Z1 1,..., iX X

1 1,..., iY Y

iY ˆiX

90

Possible Attacks

The opponent with read and write access to communication channel can use either of two different strategies for cheating

Impersonation attack at time : the opponent waits until he has seen the encoded messages and then sends a fraudulent message which he hopes to be accepted by the receiver as the message

Substitution attack at time : the opponents lets pass messages ,intercepts , and replaces it by a different message which he hopes to be accepted by the receiver

i

i

1 1,..., iY Y

iYith

1 1,..., iY Y iY

iY

91

Results

When a sequence of messages is to be authenticated, an opponent can choose the type of attack with the highest success probability;

A secret key K is used optimally when the maximum of the success probability is minimal;

When it is required that a legitimate message is always accepted α=0 in all of these possible attacks,

n1,..., nX X

1

)(

,,,,....,1, 2)max(

n

KH

nSnII PPP

92

PHY-Based Authentication

Spoofing detection

Verify if a transmission came from a particular transmitter

Location information can be extracted to authenticate a

transmitter relative to its previous location.

Probe Pulse u(t)

Alice

Eve

1. Estimates channel h = hAB (t,)2. Compares against h’ = hAB (t-1,)3. Accepts transmission if

h = h’ Spoof Alice:

Probe Pulse u(t)

1. Estimates channel hEB (t,)2. Verification fails!!! 3. Does not accept Eve

as Alice!

Bob

[Trappe et al, 2007]

93

Spread Spectrum Communications and Jamming

Direct Sequence / Frequency Hopping use pseudo-random sequences to

spread the narrowband signal over a wide band of frequencies;

Effective against narrow-band jamming; lowers probability of intercept; can

provide privacy if spreading sequence is kept secret;

Used in Code Division Multiple Access (CDMA) systems.

1

1 0 1 1 0 1 0 0 1 1 1 0 1 0 1 1 0 0 1 0 1 0 1 1 0 1 0 1 0

0

0 1 0 0 1 0 1 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 1 1 0 1 0 1 0

94

BobAliceX Y

Eve

Z

+

+

NM

NW

Repeat-back jamming in wireless networks (e.g. amplification, modification

retransmission of intercepted signals, inducing errors in radars and receivers).

Jammer can cause a lot of harm even with access to only a noisy version of the

sent signal, with phase or timing jitter and with limited processing capabilities.

Not detectable via the received power at Bob.

Extended to Multiple Access Channels by [Shafiee and Ulukus, 2005]

[Médard, 1997]

+

Capacity of Channels with Correlated Jamming

95

Cooperative Jamming in the Gaussian Multiple Access Channel

[Tekin and Yener, 2006]

DecoderAlice Encoder 1

Charlie

U1

U2 Encoder 2

X1

X2

Y

p(yz|x1 x2)

Bob

EveDecoderZ

Secrecy conditions can be individual or collective yielding different results for each case.

Alice and Charlie can cooperate to increase Eve’s uncertainty about the sent messages.

96

General Broadcast Channel with Multiple Secrecy Conditions

[Csiszár and Koerner, 1978] considered one secrecy condition.

[Liu et al. , 2006] provided inner bound for two secrecy conditions, and also for interference channels.

Decoder 1

Alice Encoder

BobX

p( y1 y2 |x)

Y1

Y2Decoder 2 Eve

U2,U1

Û1

Û2

97

Multiple Access Channel with confidential messages

Cooperative jamming over the Gaussian MAC

[Tekin and Yener, 2006]W

ith channel outputs at the encoders + individual secrecy conditions [Liang and Poor, 2006]

DecoderAlice Encoder 1

Charlie

U1

U2

Encoder 2

p(u1) p(u2)

X1

X2

Y

p(y1 y2 yz|x1 x2)

Bob

EveDecoderZ

Y1

Y2

U0

98

Relay Channel with confidential messages

Discrete Memoryless Case [Oohama, 2004] Randomization helps to increase the rate-equivocation region.

BobAliceX n

p(yz|xs) Y n

Eve

ZnSn

99

Exploiting MIMO

Alice can leverage multiple antennas by transmitting artificial noise into the null space of Bob

This approach can be used effectively, even when position of Eve is unknown.

Alice

Bob

Eve

[Goel and Negi, 2005]

100

Jamming to increase the secrecy capacity

BobAliceX Y

Eve

Z

+

+

NM

NW

WMWMS

PPCCC

2222 1log2

11log

2

1

Can we increase the noise in Eve’s channel without affecting Bob?

101

Increasing the Secrecy Capacity with Jammers

102

Jammer Impact on Outage Secrecy Capacity in Fading Environment

103

Multiple Jammers in Fading Environment

104

Store-and-Forward versus Network Coding

In today’s networks, information is viewed as a commodity, which is transmitted in packets and forwarded from router to router pretty much as water in pipes or cars in highways.

In contrast, network coding allows intermediate nodes to mix different information flows by combining different input packets into one or more output packets.

[Ahlswede, Cai, Li and Yeung, 2000]

105

A simple three-node example

AB

C

a a

b b

In the current networking paradigm we require 4 transmissions.

106

Network Coding

AB

C

a b

With network coding we require only 3 transmissions.

a+b

107

Algebraic Framework for Network Coding

Binary vector of length m: element in

Random processes at nodes

Transfer matrix

Generalized MIN-CUT MAX-FLOW Condition

F2m

Y (e3) iX(v,i) jY (e j )j1,2

i

z xM

M A(I F) 1BT

M 0

[Koetter and Médard, 2003]

108

Packetized Network Coding

Assume each packet carries L bits

s consecutive bits can be viewed as a symbol in

Fq

Ls

Perform network coding on a symbol by symbol basis.

Output packet also has length L.

Send the coefficients (the “encoding vector”) in the header.

Information is spread over multiple packets.

enc. vector

109

Practical Considerations

E

ncoding: Elementary linear operations which can be implemented in a straightforward manner

(with shifts and additions).

D

ecoding: Once a receiver has enough linearly independent packets, it can decode the data

using Gaussian elimination, which requires operations.

G

enerations: To manage the complexity and memory requirements, we mix only generations

with fixed number of packets and limit the field size. Each keeps a buffer sorted by generation

number. Non-innovative packets are discarded.

D

elay: Since we must wait until we have enough packets to decode, there is some delay (not

very significant, since we require less transmissions in many relevant scenarios)

110

Benefits beyond throughput

Reliability: Network Coding can achieve optimal delay and rate in the presence of

erasures and errors.

Simpler Optimization: The multicast routing problem is NP-hard (packing Steiner

trees), however with network coding there exist polynomial time algorithms.

Robustness: Random network coding is completely decentralized and preserves

the information in the network, even in highly volatile networking scenarios.

111

Applications of Network Coding

D

istributed Storage and Peer-to-Peer: robustness against failures in highly volatile networks;

W

ireless Networks: Information dissemination using opportunistic transmission;

S

ensor Networks: Data gathering with extremely unreliable sensing devices;

N

etwork Management: Assessing critical network parameters (e.g. topology changes and link

quality)

First real-life application in July 2007:

Microsoft Secure Content Downloader (a.k.a. Avalanche)

112

Classes of Network Coding Protocols

We distinguish between two types of protocols:

stateless network coding protocols, which do not rely on network state information (e.g. topology or link costs) to decide when to mix different packets (e.g. Random Linear Network Coding);

state-aware network coding protocols, which rely on partial or full network state information to compute a network code or determine opportunities to perform network coding in a dynamic fashion (e.g. COPE).

113

Secret Key Dist.[Oliveira, Barros, ’07]

SPOC[Vilela, Lima, Barros, ’08]

Cooperative Security[Gkantsidis, Rodriguez, ’06]

Network Coding Security Taxonomy

Network Coding Protocols

State information

Security Infrastructure

Stateless

RLNC[Ho et al, ’04]

State-aware

COPE[Katti et al, ’06]

Polynomial time[Jaggi et al, ’05]

CooperativeKey

Management

some intrinsic security (no state information)

Prone to Byzantine attacks

Prone to Byzantine attacks

Network state information

- Extra redundancy- Hash symbols included in packets

- Cooperative security schemes- Homomorphic hash functions

-Signatures- Key distribution- Confidentiality

Signatures Content Dist.[Zhao et al, ’07]

Detection Byzantine[Ho et al, ’04]

Resilient codes[Jaggi et al, ’06][Koetter, Kschischang, ’07]

Network codes

114

Network Coding: A Free Cipher?

Nodes are assumed to be “nice but

curious” (comply with protocol but could

be malicious eavesdroppers)

Intermediate nodes have different levels

of confidentiality;

Nodes T and U have partial information

about the data;

Node W has full access to the data;

Node X cannot decode any useful data –

a free cypher!

S

T U

W

Y Z

X

a b

a

a

b

ba+b

a+b a+b

Previous work considered wiretapping attacks on multiple links,

e.g. [Cai and Yeung,’02], [Feldman et al,’04] [Bhattad et al,’05]

[Lima, Médard and Barros, ISIT’07]

115

Secure Network Coding

S

T U

a b c d

e f g h

S

T U

a+b+c+d+e+f+g3a+b+c+d+5fa+2b+c+d+4ga+b+c+3d+5h

5a+b+5h6b+c+4gb+7c+3ab+c+9e

R R

Nodes T and U have access to half of the sent data.

NodesT and U need to decode to obtain partial data.

116

Algebraic Security Criterion

Definition (Algebraic Security Criterion): The level of security provided by random linear network coding is measured by the number of symbols that an intermediate node v has to guess in order to decode one of the transmitted symbols.

In other words, we compute the difference between the global rank of the code and the local rank in each intermediate node.

117

Results

Theorem 1:The

probability P(ld > 0) of recovering a strictly positive number of symbols ld at the intermediate nodes (by

Gaussian elimination) goes to zero for sufficiently large number of nodes and alphabet size

Proof Idea:

An intermediate

node can gain access to relevant information

1)w

hen the partial transfer matrix has full rank

2)w

hen the partial transfer matrix has diagonalizable parts.

Carry out

independent analyzes in terms of rank and in terms of partially diagonalizable matrices.

Show that the

probability of having partially diagonizable matrices goes to zero for sufficiently large number of nodes and

alphabet size.

118

SPOC - Secure Practical netwOrk Coding

Assured confidentiality against attacker with access to all the links.

Two types of coefficients:

Locked

Unlocked

Same operations

Requirements:

Key management mechanism

119

SPOC - Secure Practical netwOrk Coding - Results

Number of AES encryption operations according to the payload size, for SPOC (encryption of locked coefficients) versus traditional encryption mechanism (encryption of the whole payload).

120

SPOC - Secure Practical netwOrk Coding - Results

Packet size overhead of including the locked coefficients, per packet.

121

Mutual Information between Payload and Coding Coefficients

[Lima, Vilela, Barros, Médard, 2008]

122

Detection of Byzantine Modification

Hash symbols, calculated as simple polynomial functions of the source data, are included in each source packet.

Receiver nodes check if decoded packets are consistent, i.e. have matching data and hash values.

Additional computation is minimal as no other cryptographic functions are involved.

Detection probability can be traded off against communication overhead, field size (complexity) of the network code and the time taken to detect an attack.

[Ho et al, ISIT 2004]

Ls

enc. vectorhash

123

[Gkantsidis, Rodriguez, Infocom 2006]

Cooperation to achieve on-the-fly detection of malicious packets.

Homomorphic hash functions: a hash of an encoded packet is easily derived from the hashes of the previously encoded packets.

However, these hash functions are computationally expensive.

To increase efficiency every node performs block checks with a certain probability and alerts its neighbors upon detection.

In addition, there exist techniques to prevent Denial of Service (DoS) attacks aimed at the dissemination of alarms.

Cooperative security for network coding

124

Resilient Network Codes

Use the error correction capabilities of linear network coding.

An active attacker can be viewed as a second source of data.

Add enough redundancy to allow the destination to distinguish

between valid and erroneous packets.

Some information may have to be protected by a shared secret key.

[Jaggi et al. , Infocom 2006]

[Koetter and Kschischang, 2007]

125

How can each pair of neighboring nodes share a secret key?

Sensor Networks

Task: Collect and transmit data through secure links

Data confidentiality

Constraints: Energy

Limited Data Rate

Processing Power

Memory Secret Key Distribution

126

Key Pre-distribution

Goal: Store keys into the memory of the sensor nodes for them to share a secret with their neighbors after the deployment.

Challenges: Minimize the impact of compromised nodes; Efficient use of the resources; Scalability in dynamic environments; Avoid single points of attack.

127

Secret Key Distribution using Network Coding

Our approach:

Key pre-distribution scheme; Efficient use of resources; Uses a mobile node to “blindly” complete the key distribution process; Designed for dynamic scenarios.

Prior to sensor node deployment:

Generate a large pool of keys and their identifiers; Load different keys and the corresponding identifiers into the memory of

each sensor node; Store in the memory of the mobile node all the keys encrypted with the

same one-time pad and their corresponding identifiers.

[Oliveira and Barros, 2007]

128

Secret Key Distribution in WSNs

After sensor node deployment:

BSA

Hello Hello

)()( BiAi KK )()( BiAi KK

)()( BAK mE

Ai

)()( ABK mE

Bi

)(Ai )(Bi

RKRK BiAi )()(

)()()( BiBiAi KKK )()()( AiBiAi KKK

)(BiK)( AiK

)(BiK)( AiK

RK

RK

RK

i

Bi

Ai

(.)

)(

)(

...

[Oliveira and Barros, 2007]

129

One-Time Pad Security

One-time pad is secure if the key is:Truly random;Never reused;Kept secret.

The knowledge of does not increase the information that the attacker has about any one key

},...,,{ 21 RKRKRK m

mixKPyRKyRKxKPnimmi ,...,1,

2

1,...,| 11

[Oliveira, Costa and Barros, 2007]

130

Extensions and Variations

Mobile key distribution for many nodes

Group and cluster keys

Key revocation

Key renewal

Authentication

131

Millionaires- problem

Suppose 2 millionaires want to determine which one is richer, without revealing the precise amount of their wealth.

In the general secure multi-party computation problem, users u1, u2, ..., un possess data d1, d2, ..., dn and want to compute the outcome of a public function F(d1, d2, ..., dn ) without revealing d1, d2, ..., dn .

132

Other Problems beyond Secure Communication

Communicating securely is not the only problem in cryptography.

Problem: Suppose Alice and Bob are linked through a network and want to flip a coin. How can they ensure that the coin flip is fair?

Network

$

$

Solution: Alice and Bob send one bit each in separate envelopes. They open the envelopes simultaneously and take the XOR of the two bits.

The protocol works if and only if

Bob knows nothing about Alice’s bit before he sends his envelope;

Alice cannot change her bit once the envelope is sealed.

...and vice versa (for Bob’s bit).

133

Alice puts a bit bin a strong box

b

Alice gives this box to Bob. She cannot change b

Later Alice can unveil b to Bob

b

A commitment scheme is said to be secure if it is:

• Binding: the probability that Alice can successfully open two

different commitments is negligible.

• Concealing: Bob gets at most negligible information on b

before the opening phase.

• Correct: The probability that honest Alice fails to open

a commitment is negligible.

Commit Open

Bit Commitment

134

Bit Commitment over the erasure channel

Commit Phase:

• Alice selects a random codeword with parity equal to the value she

wants to commit to and sends it to Bob through the erasure channel.

Open Phase:

• Alice sends the codeword she has sent in the commit phase over a

noiseless channel. Bob rejects if the codeword he receives differs in

at least one position from the codeword he received through the noisy

channel.

p-Erasure Channel

n n

Xn Yn

b = parity(X)

135

Protocol Analysis:

• Bob learns the commitment with probability

• Alice unveils a bit different than the one she committed

to and is not detected with probability

Bit Commitment over the erasure channel

nB pP )1(

pPA

p-Erasure Channel

n n

Xn Yn

b = parity(X)

Problems:

•Non-negligible error probability (binding condition)

•The channel is used n times to commit to a single bit.

136

Binary string

Bob learns b with probability

Alice cheats successfully with probability

Commitment rate

Commitment capacity

Commitment Rate and Capacity

If we commit to a string of length k, what is the maximum commitment rate k/n of a secure protocol we can achieve (i.e., capacity)?

kb }1,0{

n

kR

RCXP

com max

0 nAP

0 nBP

137

The Commitment Capacity of DMC’s

Define a “redundant” channel (a channel is called non-redundant if none of its output distributions is a convex combination of its other output distributions).

Redundancy can be “cut” from a channel, by removing all input symbols which are convex combinations of others.

If after removing the redundancy of a channel, its equivocation becomes zero, the channel is called trivial.

The commitment capacity of a DMC equals its equivocation H(X|Y) after its redundancy is removed.

[Winter, Nascimento, Imai ’03]

138

Motivation:

- more realistic channel model (e.g. wireless medium)

- commitment capacity for continuous channels unknown

- techniques differ from the discrete case

How about the Gaussian Channel?

+iX iY

iZAverage Power Constraint:

Channel Capacity:

21log

2

1

P

C

iii ZXY

n

ii Px

n 1

21

),0( 2NZ i

139

Caveat: practical wiretap codes are hard to design!

How about the Gaussian Channel?

140

Using a wiretap interpretation of commitment, we can prove that

22*

1log2

11log

2

1

GCcom

PPC

Any positive will give us a binding protocol, by making it arbitrarily small, we get that the maximum achievable rate can be made arbitrarily large

*C

Commitment rate

The commitment capacity of the Gaussian channel is infinite.

141

[Bloch, Barros and McLaughlin, 2007]

Commitment from Secret Key Agreement

142

Cryptographic protocols

based on noisy channels,

Crépeau, 1997

Commitment Capacity of

Discrete Memoryless Channels,

Winter, Nascimento,

Imai, 2003

Oblivious Transfer using

noisy channels,

Crépeau. Morozov,

Wolf, 2004

Pseudo-signatures,

Broadcast, and Multi-party Computation,

M. Fitzi, S. Wolf, and

J. Wullschleger, 2004

Commitment Capacity of

Gaussian Channels,

Barros, Imai,

Nascimento and Skudlarek 2006

Practical Information-

Theoretic Commitment

Bloch, Barros and

McLaughlin, 2007

Beyond secure communication

143

Physical-Layer Security:

10 Open Issues

144

#1 How can we provide rigorous descriptions of security primitives?


Security schemes are based on (unproven) assumptions of intractability of certain functions;

Typically done at upper layers of the protocol stack

Information-Theoretic (Perfect or unconditional) Security

strictest notion of security, no computability assumption

H(M|X)=H(M) or I(X;M)=0

Implementable at the physical layer

Alice

Eve

Bobk-bit message W


key I

X X

Xkey K

145

BobAliceX n

p(y|x)Y n

p(z|x)

Eve

Zn

Theoretical results from the seventies (Wyner, Csiszár and Koerner)

Caveat: eavesdropper must have a worse channel.

Renaissance of information-theoretic security in the last 2 years.

Most results are based on weak secrecy conditions (equivocation rate)

Strong secrecy is possible (requires CS techniques)

#2 What are the fundamental limits of security for strong secrecy?

146

Tag

Attacker

X

Z

Reader

Yk-bit message w

w’ +

+Nw

Nm

#3 How can we leverage state-of-the art channel coding to enhance security at the physical layer?

147

Main channel is noiseless; wire-tapper’s channel is a BEC with erasure probability e

Eve receives a subset of the transmitted bits (or packets)

For this instance (only), we have secrecy capacity achieving codes.

Alice

Eve

X

Z

ee1-e 1-e

Bob

Xk-bit message w

wb

o

1

1

o ?

#4 How do we construct secrecy achieving codes for wireless channels?

148

Common Randomness: Alice and Bob share correlated

random sequences.

Reconciliation: Alice sends Bob enough side information

for Bob to reconstruct Alice’s sequence.

Privacy Amplification: Alice and Bob use hash functions

to maximize Eve’s equivocation.

#5 How can we borrow from quantum cryptography?

149

Wireless Network with Potential Eavesdropping

•Goal: Exploit channel variability to secure information at the physical-layer.

#6 How can we leverage fading?

150

Intermediate nodes have different

levels of confidentiality;

Nodes T and U have partial

information about the data;

Node W has full access to the data;

Node X cannot decode any useful

data – a free cypher?

Active attacks can compromise the

information flow.

S

T U

W

Y Z

X

a b

a

a

b

ba+b

a+b a+b

a b a b

a b

#7 How can we provide security for network coding?

151

Problem: How can each pair of sensor nodes agree on a secret key?

Our approach: Key pre-distribution scheme; Uses a mobile node to complete

the key distribution process blindly using network coding;

Reduced memory requirements;

#8 How can we use coding ideas to distribute secret keys?

152

Cryptography is not only concerned with communicating securely.

Based on noisy channels and state-of-the-art error correction codes

we can implement bit commitment and oblivious transfer, which are

the building stones of secure multi-party computation.

Authentication is a vital issue and could potentially be carried out

over noisy channels possibly without initial shared secret.

[Wolf and Maurer’98], [Trappe et al’07 ]

How about anonymity? How about non-repudiation?

#9 How can we use physical-layer techniques to go beyond secure communication?

153

Classical Cryptography under the Computational Model

Advantages

no publicly-known, efficient attacks on public-key systems

security is provided on a block-to-block basis

if cryptographic primitive is secure then every encoded block is secure

systems are widely deployed, technology is readily available, inexpensive

Disadvantages

Security is based on unproven assumptions

No precise metrics trade off between reliability and

security as a function of the block length is unknown

security of the cryptographic protocol is measured by whether it survives a set of attacks or not.

Conventional model (error free channel) secrecy capacity of these systems is zero

can’t guarantee reliable and perfectly secure system

154

Physical layer security under the information-theoretic (perfect) security model

Advantages: No computational restrictions

placed on eavesdropper Very precise statements can be

made about the information that is leaked

Quantum key distribution implemented

Wireless solutions appear Suitably long codes get

exponentially close to perfect secrecy

Disadvantages: Information-theoretic security

is an average-information measure.

Requires assumptions about the communication channels that may not be accurate in practice.

Limits its application A few systems (e.g QKD) are

deployed but the technology is not as widely available and is expensive.

155

#10 It may well be worth rethinking our security architecture.

Application

Link

Transport

Network

Physical

Application

Link

Transport

Network

Physical Bottom-up Security?

How can we combine physical-layer security and cryptographic protocols?

156

Acknowledgements and credits

M

atthieu Bloch, Georgia Tech

M

iguel Rodrigues, University of Porto

A

ndrew Thangaraj, IIT Madras

R

ob Calderbank, Princeton

A

nderson Nascimento, University of Brasilia

M

uriel Medard, MIT

L

uísa Lima, University of Porto

J

oão Paulo Vilela, University of Porto

P

aulo Oliveira, University of Porto

R

ui Costa, University of Porto

D

emijan Klinc, Georgia Tech

Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT...

Documents

Transcript of Theory and Practice João Barros Instituto de Telecomunicações Universidade do Porto and EECS/MIT...