Semantic Security for the Wiretap Channel Stefano Tessaro MIT Joint work with Mihir Bellare (UCSD) Alexander Vardy (UCSD)
Cryptography today is (mainly) based on computational assumptions. We wish instead to base cryptography on a physical assumption. Presence of channel noise
Noisy channel assumption has been used previously to achieve oblivious transfer , commitments [CK88,C97] But we return to an older and more basic setting β¦
Wynerβs Wiretap Model [W75,CK78] π· π·β² π π ππ ChR ππ π πβ² ChA π(π) Goals: Message privacy + correctness Assumption: ChA is βnoisierβ than ChR Encryption is keyless Security is information-theoretic Additional goal: Maximize rate π = |π|/|π·|
Channels A channel is a randomized map Ch: 0,1 β 0,1 Ch β¦ , π¦ 4 , π¦ 3 , π¦ 2 , π¦ 1 π§ 1 , π§ 2 , π§ 3 , π§ 4 , β¦ π§ 1 = Ch(π¦ 1 ) We extend the domain of Ch to {0,1} β via π§ 2 = Ch(π¦ 2 ) Ch π¦ 1 π¦ 2 β¦ π¦ π = Ch π¦ 1 Ch π¦ 2 β¦ Ch π¦ π π§ 3 = Ch(π¦ 3 ) π§ 4 = Ch(π¦ 4 ) Ch π = π Clear channel: Binary symmetric channel with error probability π: π with prob. 1 β π BSC π π = 1 β π with prob. π
Wynerβs Wiretap Model β More concretely π· BSC π π π ππ ππ π πβ² BSC π π(π) Assumption: π < π β€ 1 2
Wiretap channel β Realization Increasing practical interest: Physical-layer security Very low power Very short distance 010110 β¦ . e.g. credit card # Large distance Degraded signal
Wiretap Channel β Previous work 35 years of previous work: Hundreds of papers/books on wiretap security within the information theory & coding community Two major drawbacks: 1. Improper privacy notions Entropy-based notions Only consider random messages 2. No polynomial-time schemes with optimal rate Non-explicit decryption algorithms Weaker security This work: We fill both gaps
Our contributions 1. New security notions for the wiretap channel model: ο§ Semantic security, distinguishing security following [GM82] ο§ Mutual-information security ο§ Equivalence among the three 2. Polynomial-time encryption scheme: ο§ Semantically secure ο§ Optimal rate
Outline 1. Security notions 2. Polynomial-time scheme
Prior work β Mutual-information security π· BSC π π ππ ππ π πβ² π π(π) BSC π Uniformly distributed! π π|π(π) = π π π(π) β π π(π) Definition: π π; π(π) = π π β π π|π(π) Random Mutual-Information Security (MIS-R): π π; π(π) = π¨ππ‘π¦ π π = P π (π) β log 1 P π (π) π
Critique β Random messages π· BSC π π ππ ππ π πβ² π π(π) BSC π Uniformly distributed! Common misconception: c.f. e.g. [CDS11] β[β¦ ] the particular choice of the distribution on π as a uniformly random sequence will cause no loss of generality . [ β¦ ] the transmitter can use a suitable source-coding scheme to compress the source to its entropy prior to the transmission, and ensure that from the intruderβs point of view, π is uniformly distributed. β Wrong! No universal (source-independent) compression algorithm exists! We want security for arbitrary message distributions, following [GM82]!
Mutual-information security, revisited Random Mutual-Information Security (MIS-R) π π; π(π) = π¨ππ‘π¦ New: Mutual-Information Security (MIS) max P π π π; π(π) = π¨ππ‘π¦ Maximize over all message distributions Critique: Mutual information is hard to work with / interpret!
Semantic security Maximize over all functions + message distributions Semantic Security (SS) max π,P π max Pr [π©(π(π)) = π(π)] π© β max Pr [π» = π(π)] = π¨ππ‘π¦ π» BSC π π(π) π ππ π π» π π = π© π π(π) π = π(π) π 0/1 0/1
Distinguishing security Uniform random bit πΆ Distinguishing Security (DS) π©,π 0 ,π 1 Pr[π© π 0 , π 1 , π π B max = B] = 1/2 + π¨ππ‘π¦ Fact: = B] = 1 π΅,π 0 ,π 1 Pr[A π 0 , π 1 , π π B max 2 + π¨ππ‘π¦ β max π 0 ,π 1 ππ π π 0 ; π π 1 = π¨ππ‘π¦. ππ π; π = 1 2 P π π€ β P π π€ π€
Relations Theorem. MIS, DS, SS are equivalent. DS MIS MIS-R SS
Outline 1. Security notions 2. Polynomial-time scheme
Polynomial-time scheme π· BSC π π ππ ππ π π πβ² BSC π π(π) Goal: Polynomial-time π ππ and ππ π which satisfy: 1) Correctness: Pr π β π β² = π¨ππ‘π¦ 2) Semantic security 3) Optimal rate ο§ We observe that fuzzy extractors of [DORS08] can be used to achieve 1 + 2. (Also: [M92,β¦] ) ο§ [HM10,MV11] Constructions achieving 1 + 3 or 2 + 3. This work: First polynomial-time scheme achieving 1 + 2 + 3
What is the optimal rate? π· BSC π π ππ ππ π π πβ² BSC π π(π) Definition: Rate π = π /|π·| β π¦ = βπ¦ log π¦ β (1 β π¦) log(1 β π¦) Previous work: [L77] No MIS-R secure scheme can have rate higher than β π β β(π) β π(1) . Our scheme: Rate β π β β π β π(1) Hence, β π β β(π) β π(1) is the optimal rate for all security notions!
Our encryption scheme π β€ π β 1 β β π + π(1) π π ππ π (π) π bits π β π bits π π bits GF 2 π multiplication π β 0 π π Public seed Poly-time + injective + linear π π· π bits
Our encryption scheme β Security Theorem. π ππ is semantically secure . π π β 0 Challenge: Ciphertext distribution π depends on combinatorial properties of E . π π· Two steps: 1. Reduce semantic security to random-message security. 2. Prove random-message security.
Our encryption scheme β Decryptability and rate π = π β 1 β β π + π(1) π ππ π π (π·β²) : π π ππ π (π) : π β π π π = β π β β π β π(1) Optimal rate: π π·β² π β 0 π π πβ² π π β1 π· πβ² π Observation. If (π , π) are encoder/decoder of ECC for BSC π , then correctness holds. Optimal choice: Concatenated codes [F66] , polar codes [A09] : π = 1 β β π β π(1) π
Concluding remarks Summary: ο§ New equivalent security notions for the wiretap setting: DS, SS, MIS. ο§ First polynomial-time scheme achieving these security notions with optimal rate. ο§ Our scheme is simple, modular, and efficient.
Concluding remarks Summary: ο§ New equivalent security notions for the wiretap setting: DS, SS, MIS. ο§ First polynomial-time scheme achieving these security notions with optimal rate. ο§ Our scheme is simple, modular, and efficient. Additional remarks: ο§ We provide a general and concrete treatment. ο§ Scheme can be used on larger set of channels.
Concluding remarks Summary: ο§ New equivalent security notions for the wiretap setting: DS, SS, MIS. ο§ First polynomial-time scheme achieving these security notions with optimal rate. ο§ Our scheme is simple, modular, and efficient. Additional remarks: ο§ We provide a general and concrete treatment. ο§ Scheme can be used on larger set of channels. Thank you!
Recommend
More recommend
