A Model for Adversarial Wiretap Channel Rei Safavi-Naini, U - PowerPoint PPT Presentation

A Model for Adversarial Wiretap Channel Rei Safavi-Naini, U Calgary, CANADA Joint work with Pengwei Wang .

Alice wants to send a private message to Bob Shannon (1949) E-enc E-dec Hello n First reliability Hello n Then, secrecy k Hello Hello Dec Enc X!-?s4#Lf#@ H ( M | Z ) = H ( M )

Alice wants to send a private message to Bob n Wyner (1975) 1010010101 1010010101 n Wiretap channel W-enc W-dec M M’ Z 1010010101 Secrecy: 1 k H ( M | Z ) ≥ 1 − ε à Perfect secrecy Reliability: Pr (M' ≠ M) ≤ ε

Adversary

This talk: A model for adversarial wiretap n Bound & construction n Relations with other primitives n Networks 1. Secret Sharing 2. n Limited View Adversary n Reliability n Concluding remarks

Adversarial Wiretap Channel Adversarial wiretap n Wiretap II (OW ‘84) (S-N,W ‘13) 0100100.. + 0010100.. 0100100.. Wireless

Adversarial Wiretap Channel Goals: Reliability & Privacy 1010010101 1010000001 c n + Dec Y X m ’ Enc 1010010101 m 0000010100 S r S w Z n | S r | = ρ r N , | S w | = ρ w N

AWTP Codes AWTPenc : M × R → C ⊂ ∑ N AWTPdec : ∑ N → M S w S r ( ε , δ ) − AWTP code: • Δ ( View A ( m 1 ); View A ( m 2 )) ≤ ε | S r | = ρ r N • Pr( M ' ≠ M ) ≤ δ | S w | = ρ w N R ( C N ) = log | M | N log | ∑ |= 1 N log | ∑ | | M | Δ ( X ; Y ) = 1 ∑ | Pr( X = i ) − Pr( Y = i )| 2 i

AWTP Codes ε - Code Family C ε : { C N } N ∈ N R( C ε ) : for any ξ , there exists N 0 , such that, N > N 0 , 1 log | ∑ | | M | ≥ R( C ε ) - ξ N Capacity of a ( ρ r , ρ w ) − channel : C ε = max C ε R( C ε ) ⇒ Fraction of a bit that can be sent with perfect reliability, and ε -security.

Upperbound & Capacity Theorem: 1 C ε ≤ 1 − ρ r − ρ w + 2 ερ r (1+ log | Σ | ε ) C 0 = 1 − ρ r − ρ w ρ r = ρ w = ρ ⇒ 0 ≤ C 0 = 1 − 2 ρ ⇒ ρ ≤ 1 2

Construction n An efficient capacity achieving code n Σ = F q n Building blocks AMD codes [CDFPW ‘08] 1. Subset evasive sets [DL ‘11] 2. Folded Reed-Solomon codes [GD ‘8] 3. AWTPenc = FRS ( SESenc ( AMD ( m ||[0] g ))||[ r ] u ρ r L ) AWTPdec = AMDdec ( SESdec ( FRSdec ( y )))

Relation with other primitives 1. Networks 2. Secret Sharing

Relation with other primitives: Security in networks C c 1 n DDWY ‘93, FW ’98 c 1 C ’ n S ecure M essage T ransmission c 2 c 2 c 3 n SMTenc(m, r)=C c’ 3 n SMTdec(C’) =m’ c N c 1 c 2 c 3 ( ε , δ ) − SMT max m 1 , m 2 Δ ( View A ( m 1 , r ); View A ( m 2 , r )) ≤ ε Correctness: ∀ m ∈ M , Pr R ( Dec ( C ') ≠ m ) ≤ δ

Efficiency and Bounds Corruption Transmission rate N ≥ 2 t + 1 ∑ log|V i | i τ = log|M| 1 − round (0,0)-SMT : N τ ≥ Ω ( N − 2 t ) N ≥ 3 t + 1

AWTP à SMT n A more general adversary model n AWTPenc, AWTPdec à (SMTenc, SMTdec) n Optimal constructions ρ w = ρ r = ρ 1 2 H ( δ ) τ ( SMT ) ≥ 1 − 2 ρ + δ ' δ ' = N log | Σ | + 2 δ

Relation with other primitives: Robust Secret Sharing Dealer c X Enc Dec m Y m ’ 1010010 P 1 P 2 P L-1 P L Z n Reconstruct Share(m,r)=(s 1 ,s 2 ! s L ) SD ( View A ( m 1 , r ); View A ( m 1 , r )) = 0 Reconst(s 1 ,s 2 ! s t )=m Pr( m ' ∉ { m , ⊥ }) ≤ δ Reconst(s' 1 ,s' 2 ! s' L )=m'

AWTP à Robust SS n N=2t+1 n A more general model of adversary AWTPenc, AWTPdec à (RSSenc, RSSdec)

Limited View Adversary Reliability Only n Theorem C ≤ 1 − ρ w S w S r n Comparison: List decodable codes 1010010101

Limited View Adversary Code n Building blocks Message Authentication Codes 1. AWTP Code 2. FRS code with subspace evasive set 3. n Encoding: c AWTP = AWTPenc ( r ) c FRS = FRSenc ( m , t = MAC ( m , r )) ⎡ ⎤ c AWTP AWTPenc = ⎢ ⎥ ⎢ ⎥ c FRS ⎣ ⎦

Limited View Adversary Code n Decoding: r = AWTPdec ( c AWTP ) 1. ( m i , t i ) ∈ L = FRSdec ( c FRS ) 2. t i = ? MAC ( m i , r ) 3. n Requirement: ρ r < 1 − ρ w

Concluding remarks n LV codes with ρ r > 1- ρ w n AWTP/LV codes for small alphabet n Interactive coding n Key agreement n AWTP with public discussion