Efficient One-Way Secret-Key Agreement and Private Channel Coding - PowerPoint PPT Presentation

Efficient One-Way Secret-Key Agreement and Private Channel Coding via Polarization Joseph M. Renes, Renato Renner, David Sutter Institute for Theoretical Physics ASIACRYPT 2013, Bangalore 1 / 13

Information Theoretic Cryptography Goal: information-theoretically secure private communication authentic channel Alice Bob • impossible [Shannon’48] • possible when assuming correlated randomness [Maurer’93] • one-way secret key agreement • private channel coding over a wiretap channel 2 / 13

One-Way Secret-Key Agreement (SKA) resources C p P XYZ q N Alice X N Y N Bob S J S J τ A p¨q τ B p¨q A B Eve Z N “ ‰ uniformly distributed S J A ‰ S J • reliability J Ñ8 Pr lim =0 B • (strong) secrecy N Ñ8 } P S J lim A , Z N , C ´ P S J A ˆ P Z N , C } 1 “ 0 3 / 13

One-Way Secret-Key Agreement (SKA) C resources p P XYZ q N X N Y N S J S J τ A p¨q τ B p¨q Alice Bob A B Z N Eve “ ‰ S J A ‰ S J • reliability J Ñ8 Pr lim =0 uniformly distributed B • (strong) secrecy N Ñ8 } P S J lim A , Z N , C ´ P S J A ˆ P Z N , C } 1 “ 0 Historically insufficient ` ˘ 1 S J A ; Z N , C • (weak) secrecy lim N I “ 0 [Maurer&Wolf’00] N Ñ8 ` ˘ S J A ; Z N , C • (strong) secrecy N Ñ8 I lim “ 0 ´ ¯ N Ñ8 δ lim P S J A , P S J “ 0 A 3 / 13

One-Way Secret-Key Agreement (SKA) C resources p P XYZ q N X N Y N S J S J τ A p¨q τ B p¨q Alice Bob A B Z N Eve “ ‰ S J A ‰ S J • reliability J Ñ8 Pr lim =0 uniformly distributed B • (strong) secrecy N Ñ8 } P S J lim A , Z N , C ´ P S J A ˆ P Z N , C } 1 “ 0 Thm [Csisz´ ar&K¨ orner’78] : One-way secret-key rate $ max H p U | Z , V q ´ H p U | Y , V q ’ & P U , V S Ñ p X ; Y | Z q “ s.t. V ´˝´ U ´˝´ X ´˝´ p Y , Z q , ’ % | V | ď | X | , | U | ď | X | 2 . 3 / 13

Private Channel Coding (PCC) W N X N Y N W N enc ˆ M J dec M J Alice Bob 1 W N Eve 2 Z N ” M J ı M J ‰ ˆ • reliability J Ñ8 Pr lim =0 • (strong) secrecy N Ñ8 } P M J , Z N , C ´ P M J ˆ P Z N , C } 1 “ 0 lim Thm [Csisz´ ar&K¨ orner’78] : Secrecy capacity $ max H p V | Z q ´ H p V | Y q ’ & P V , X C s “ s.t. V ´˝´ X ´˝´ p Y , Z q , ’ % | V | ď | X | . 4 / 13

Efficient, Optimal Protocols essentially linear complexity • efficient ‰ practically efficient • optimal “ achieve the highest possible rate • (practically) efficient one-way secret-key agreement • only weak secrecy, degradability assumptions [Abbe’12] • shared key, degradability assumptions [Chou et al. ’13] • (practically) efficient private channel coding • only weak secrecy, degradability assumptions [Mahdavifar&Vardy’11] • binary symmetric wiretap channels (degradablity?!) [Bellare et al. ’12] • degraded wiretap channels [Sasoglu&Vardy’13] 5 / 13

Efficient, Optimal Protocols essentially linear complexity • efficient ‰ practically efficient • optimal “ achieve the highest possible rate • (practically) efficient one-way secret-key agreement • only weak secrecy, degradability assumptions [Abbe’12] • shared key, degradability assumptions [Chou et al. ’13] • (practically) efficient private channel coding • only weak secrecy, degradability assumptions [Mahdavifar&Vardy’11] • binary symmetric wiretap channels (degradablity?!) [Bellare et al. ’12] • degraded wiretap channels [Sasoglu&Vardy’13] getting rid of these assumptions 5 / 13

Polarization Phenomenon - Polar Codes polar transform • let p X N , Y N q „ p P X , Y q N let U N “ G N X N , where G N : “ p 1 1 0 1 q b log N • For ǫ P p 0 , 1 q , define a high- and a low-entropy set ! ´ ˇ ˇ U i ´ 1 , Y N ¯ ) ˇ R N ǫ p X | Y q : “ i P r N s : H U i ě 1 ´ ǫ ˇ ! ´ ˇ U i ´ 1 , Y N ¯ ) ˇ D N ǫ p X | Y q : “ i P r N s : H U i ď ǫ 6 / 13

Polarization Phenomenon - Polar Codes polar transform • let p X N , Y N q „ p P X , Y q N let U N “ G N X N , where G N : “ p 1 1 0 1 q b log N • For ǫ P p 0 , 1 q , define a high- and a low-entropy set ! ´ ˇ ˇ U i ´ 1 , Y N ¯ ) ˇ R N ǫ p X | Y q : “ i P r N s : H U i ě 1 ´ ǫ ˇ ! ´ ˇ U i ´ 1 , Y N ¯ ) ˇ D N ǫ p X | Y q : “ i P r N s : H U i ď ǫ Thm [Arıkan’09] : Polarization Phenomenon: For any ǫ P p 0 , 1 q | R N | D N ǫ p X | Y q| ǫ p X | Y q| lim “ H p X | Y q and lim “ 1 ´ H p X | Y q N N N Ñ8 N Ñ8 • Heart of polar codes (for source and channel coding) 6 / 13

Optimal Lossless Source Coding Using Polar Codes Task : compress X N w.r.t. side information Y N compressor U r R N X N ǫ p X | Y qs compressor decompressor ˆ X N Y N 7 / 13

Optimal Lossless Source Coding Using Polar Codes Task : compress X N w.r.t. side information Y N compressor U r R N X N ǫ p X | Y qs compressor decompressor ˆ X N Y N ‚ compression ‚ U N “ G N X N ‚ take only U r R N ǫ p X | Y qs ‚ decompression ‚ Likelihood estimation using side information Y N 7 / 13

Optimal Lossless Source Coding Using Polar Codes Task : compress X N w.r.t. side information Y N compressor U r R N X N ǫ p X | Y qs compressor decompressor ˆ X N Y N ‚ compression ‚ U N “ G N X N O p N log N q ‚ take only U r R N ǫ p X | Y qs ‚ decompression ‚ Likelihood estimation using side information Y N ” X N ı X N ‰ ˆ “ O p 2 ´ N β q for β ă 1 • reliable[Arıkan’10] Pr 2 1 N | R N • optimal [Slepian&Wolf’73], H p X | Y q “ lim ǫ p X | Y q| N Ñ8 7 / 13

One-Way Secret-Key Agreement Protocol (M=2, L=4) Information Reconcilliation C 1 Privacy Amplification Source X N p Y N , Z N q IR dec G L S J S J A B PA G K r M G K r M IR dec G L τ A τ B C 2 8 / 13

One-Way Secret-Key Agreement Protocol (M=2, L=4) Information Reconcilliation C 1 Privacy Amplification Source X N p Y N , Z N q IR dec G L S J S J A B PA G K r M G K r M IR dec G L τ A τ B C 2 • no degradability assumptions • no shared key needed 8 / 13

One-Way Secret-Key Agreement Characteristics For any β ă 1 2 ´ M 2 ´ L β ¯ “ ‰ S J A ‰ S J • Reliability: Pr “ O B ˆ ? ˙ N 2 ´ N β � � • Secrecy: A , Z N , C ´ P S J A ˆ P Z N , C 1 “ O � P S J � � 2 � ! ) 0 , H p X | Z q ´ H p X | Y q ´ o p N q • Rate: R : “ J N ě max N • Complexity: O p N log N q M = # inner blocks L = # inputs per inner block N = ML (blocklength) 9 / 13

Private Channel Coding (L = 4, M = 2) C 1 Source Source IR dec G L S J S J A B PA r G K M r G K Secret-key agreement M IR dec G L C 2 C 1 W inner inner W Private channel coding enc W dec outer W outer M J ˆ M J enc dec W inner inner W W W enc dec W Wiretap channel C 2 s 10 / 13

Private Channel Coding (L = 4, M = 2) C 1 generate bits as in p Y N , Z N q X N [Honda&Yam.’12] W inner inner W T M T M ˆ enc W dec outer outer W ˆ M J M J enc dec W inner inner W generate bits concept enc W dec W as in introduced in [ arXiv: 1205.3756] C 2 [ arXiv: 1205.3756] • Run secret-key agreement scheme in reverse • Mimic redundant bits • Approx. of the secret-key agreement scenario ( shaping ) Ñ same decoder can be used 10 / 13

Private Channel Coding: Characteristics For any β ă 1 2 ” M J ı ´ M 2 ´ L β ¯ M J ‰ ˆ • Reliability: Pr “ O ˆ ? ˙ N 2 ´ N β • Secrecy: } P M J , Z N , C ´ ¯ P M J ˆ P Z N , C } 1 “ O 2 ! ) 0 , H p X | Z q ´ H p X | Y q ´ o p N q • Rate: R ě max N • Complexity: O p N log N q M = # inner blocks L = # inputs per inner block N = ML (blocklength) 11 / 13

a Summary r X i v : 1 3 0 4 . 3 6 5 8 One-way secret-key agreement and private channel coding • at the optimal rate • strong secrecy • O p N log N q computational complexity • no degradability assumptions • no preshared key 12 / 13

Code Construction C 1 Source X N p Y N , Z N q IR dec G L S J S J A B PA G K r M r G K M IR dec G L τ A τ B C 2 Find index set at IR and PA layer ‚ IR: can be done in linear time [Tal&Vardy’11] ‚ PA: not fully solved yet 13 / 13