Semantic Security in the Presence of Active...

Semantic Security in the Presence of

Active Adversaries

Ziv GoldfeldJoint work with Paul Cuff and Haim Permuter

Ben Gurion University

Advanced Communications Center Annual Workshop

February 22nd, 2016

Motivation

Information Theoretic Security over Noisy Channels

Ziv Goldfeld Ben Gurion University

Semantic Security vs. Active Adversaries 2

Motivation

1 Security versus computationally unlimited eavesdropper.

Motivation

2 No shared key - Use intrinsic randomness of a noisy channel.

Motivation

1 Eve’s channel assumed to be fully known & constant in time.

Motivation

2 Security metrics insufficient for (some) applications.

Motivation

2 Security metrics insufficient for (some) applications.

Our Goal: Stronger metric and remove “known channel” assumption.

Wiretap Channels - Security Metrics

Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]

1 : 2nR]

∼MEnc

XnQY,Z|X

1 : 2nR]

∼MEnc

XnQY,Z|X

n∈N- a sequence of (n, R)-codes

1 : 2nR]

∼MEnc

XnQY,Z|X

Weak-Secrecy: 1n

ICn(M ; Zn) −−−→

n→∞0.

1 : 2nR]

∼MEnc

XnQY,Z|X

Weak-Secrecy: 1n

ICn(M ; Zn) −−−→

n→∞0. Only leakage rate vanishes

1 : 2nR]

∼MEnc

XnQY,Z|X

Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

1 : 2nR]

∼MEnc

XnQY,Z|X

Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy: ICn(M ; Zn) −−−→

n→∞0.

1 : 2nR]

∼MEnc

XnQY,Z|X

Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy: ICn(M ; Zn) −−−→

n→∞0. Security only on average

1 : 2nR]

∼MEnc

XnQY,Z|X

Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy:✭

✭✭✭✭

✭✭✭

✭✭

ICn(M ; Zn) −−−→

n→∞0 .

1 : 2nR]

∼MEnc

XnQY,Z|X

Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy:✭

✭✭✭✭

✭✭✭

✭✭

ICn(M ; Zn) −−−→

n→∞0 .

Semantic Security:

1 : 2nR]

∼MEnc

XnQY,Z|X

Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy:✭

✭✭✭✭

✭✭✭

✭✭

ICn(M ; Zn) −−−→

n→∞0 .

Semantic Security: [Bellare-Tessaro-Vardy 2012]

ICn(M ;Zn) −−−→

n→∞0.

1 : 2nR]

∼MEnc

XnQY,Z|X

Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy:✭

✭✭✭✭

✭✭✭

✭✭

ICn(M ; Zn) −−−→

n→∞0 .

ICn(M ;Zn) −−−→

n→∞0.

⋆ A single code must work well for all message PMFs ⋆

A Stronger Soft-Covering Lemma

Soft-Covering - Setup

WCodebook

QV |UV n

1 : 2nR]

WCodebook

QV |UV n ← Resemble i.i.d.

1 : 2nR]

Random Codebook: Cn ={

Un(w)}

iid∼ Qn

WCodebook

1 : 2nR]

Un(w)}

iid∼ Qn

WCode Cn

1 : 2nR]

Un(w)}

iid∼ Qn

Induced Output Distribution: Codebook Cn =⇒ V n ∼ P(Cn)V n .

WCode Cn

QV |UV n ∼ P

(Cn)V n

1 : 2nR]

Un(w)}

iid∼ Qn

Target IID Distribution: QnV marginal of Qn

U QnV |U .

WCode Cn

QV |UV n ∼ P

(Cn)V n

1 : 2nR]

Un(w)}

iid∼ Qn

U QnV |U .

WCode Cn

QV |UV n ∼ P

(Cn)V n ≈ Qn

1 : 2nR]

Un(w)}

iid∼ Qn

U QnV |U .

⋆ Goal: Choose R (codebook size) s.t. P(Cn)V n ≈ Qn

WCode Cn

QV |UV n ∼ P

(Cn)V n ≈ Qn

1 : 2nR]

Soft-Covering - Results

R > IQ(U ;V ) =⇒ P(Cn)V n ≈ Qn

WCode Cn

QV |UV n ∼ P

(Cn)V n ≈ Qn

1 : 2nR]

Wyner 1975: ECn

P(Cn)V n

∣QnV

−−−→n→∞

WCode Cn

QV |UV n ∼ P

(Cn)V n ≈ Qn

1 : 2nR]

Wyner 1975: ECn

P(Cn)V n

∣QnV

−−−→n→∞

Han-Verdu 1993: ECn

∣P(Cn)V n −Qn

TV−−−→n→∞

WCode Cn

QV |UV n ∼ P

(Cn)V n ≈ Qn

1 : 2nR]

Wyner 1975: ECn

P(Cn)V n

∣QnV

−−−→n→∞

Han-Verdu 1993: ECn

∣P(Cn)V n −Qn

TV−−−→n→∞

◮ Also provided converse.

WCode Cn

QV |UV n ∼ P

(Cn)V n ≈ Qn

1 : 2nR]

Wyner 1975: ECn

P(Cn)V n

∣QnV

−−−→n→∞

Han-Verdu 1993: ECn

∣P(Cn)V n −Qn

TV−−−→n→∞

◮ Also provided converse.

Hou-Kramer 2014: ECnD

P(Cn)V n

∣QnV

−−−→n→∞

WCode Cn

QV |UV n ∼ P

(Cn)V n ≈ Qn

1 : 2nR]

A Stronger Soft-Covering Lemma

Theorem

If R > IQ(U ;V ) and |V| < ∞, then there exists γ1, γ2 > 0 s.t.

P(Cn)V n

∣QnV

> e−nγ1

≤ e−enγ2

for n sufficiently large.

WCode Cn

QV |UV n ∼ P

(Cn)V n ≈ Qn

1 : 2nR]

Wiretap Channels of Type II

Wiretap Channels of Type II - Definition[Ozarow-Wyner 1984]

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

Eavesdropper: Can observe a subset S ⊆ [1 : n] of size µ = ⌊αn⌋,α ∈ [0,1], of transmitted symbols.

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

Transmitted:

0 0 1 0 1 1 1 0 1 0 n = 10 α = 0.63

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

Transmitted:

Observed:

0 0 1 0 1 1 1 0 1 0

? ? ? 1 1 ? 1 00 1

n = 10 α = 0.63

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

Transmitted:

Observed:

⋆ Ensure security versus all possible choices of S ⋆

0 0 1 0 1 1 1 0 1 0

? ? ? 1 1 ? 1 00 1

n = 10 α = 0.63

Wiretap Channels of Type II - Past Results[Ozarow-Wyner 1984]

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

Ozarow-Wyner 1984: Noiseless main channel

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

Ozarow-Wyner 1984: Noiseless main channel◮ Rate equivocation region.

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

Ozarow-Wyner 1984: Noiseless main channel◮ Rate equivocation region.◮ Coset coding.

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

Nafea-Yener 2015: Noisy main channel

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

Nafea-Yener 2015: Noisy main channel◮ Built on coset code construction.

S ⊆ [1 :n], |S|= µ

Xi , i ∈ S

?, i /∈ S

QY |XY n

Nafea-Yener 2015: Noisy main channel◮ Built on coset code construction.◮ Lower & upper bounds - Not match in general.

Wiretap Channels of Type II - SS-Capacity

Semantic Security:

Semantic Security: maxPM ,S:|S|=µ

ICn(M ; Zn) −−−→

n→∞0.

Theorem

For any α ∈ [0, 1]

C(II)Semantic(α) = C

(II)Weak(α) = max

I(U ; Y )− αI(U ; X)]

ICn(M ; Zn) −−−→

n→∞0.

Theorem

For any α ∈ [0, 1]

(II)Weak(α) = max

I(U ;Y )−αI(U ;X)]

RHS is the secrecy-capacity of WTC I with erasure DMC to Eve.

ICn(M ; Zn) −−−→

n→∞0.

Theorem

For any α ∈ [0, 1]

(II)Weak(α) = max

I(U ; Y )− αI(U ; X)]

Standard (erasure) wiretap code & Stronger tools for analysis.

ICn(M ; Zn) −−−→

n→∞0.

Theorem

For any α ∈ [0, 1]

(II)Weak(α) = max

I(U ; Y )− αI(U ; X)]

Standard (erasure) wiretap code & Stronger tools for analysis.

Practical implementations of binary erasure wiretap codes exist.

ICn(M ; Zn) −−−→

n→∞0.

WTC II SS-Capacity - Achievability for U=X

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

m = 1 m = 2 m = 2nR

w = 2nR

......

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

2 Preliminary Step: maxPM ,S:|S|=µ

ICn(M ; Zn) ≤ max

m,S:|S|=µ

P(Cn,S)Zµ|M=m

∣QµZ

m = 1 m = 2 m = 2nR

w = 2nR

......

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

ICn(M ; Zn) ≤ max

m,S:|S|=µ

P(Cn,S)Zµ|M=m

∣QµZ

m = 1 m = 2 m = 2nR

w = 2nR

......

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

ICn(M ; Zn) ≤ max

m,S:|S|=µ

P(Cn,S)Zµ|M=m

∣QµZ

3 Union Bound & Stronger SCL:

m = 1 m = 2 m = 2nR

w = 2nR

......

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

ICn(M ; Zn) ≤ max

m,S:|S|=µ

P(Cn,S)Zµ|M=m

∣QµZ

m = 1 m = 2 m = 2nR

w = 2nR

......

maxPM ,S

ICn(M ; Zn) ≤ e−nγ1

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

ICn(M ; Zn) ≤ max

m,S:|S|=µ

P(Cn,S)Zµ|M=m

∣QµZ

m = 1 m = 2 m = 2nR

w = 2nR

......

maxPM ,S

maxm,S

P(Cn,S)Zµ|M=m

∣QµZ

> e−nγ1

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

ICn(M ; Zn) ≤ max

m,S:|S|=µ

P(Cn,S)Zµ|M=m

∣QµZ

m = 1 m = 2 m = 2nR

w = 2nR

......

maxPM ,S

maxm,S

P(Cn,S)Zµ|M=m

∣QµZ

> e−nγ1

≤∑

P(Cn,S)Zµ|M=m

∣QµZ

> e−nγ1

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

ICn(M ; Zn) ≤ max

m,S:|S|=µ

P(Cn,S)Zµ|M=m

∣QµZ

m = 1 m = 2 m = 2nR

w = 2nR

......

maxPM ,S

maxm,S

P(Cn,S)Zµ|M=m

∣QµZ

> e−nγ1

≤∑

P(Cn,S)Zµ|M=m

∣QµZ

>e−nγ1

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

ICn(M ; Zn) ≤ max

m,S:|S|=µ

P(Cn,S)Zµ|M=m

∣QµZ

m = 1 m = 2 m = 2nR

w = 2nR

......

maxPM ,S

maxm,S

P(Cn,S)Zµ|M=m

∣QµZ

> e−nγ1

≤∑

P(Cn,S)Zµ|M=m

∣QµZ

>e−nγ1

Taking R > αH(X) =⇒

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

ICn(M ; Zn) ≤ max

m,S:|S|=µ

P(Cn,S)Zµ|M=m

∣QµZ

m = 1 m = 2 m = 2nR

w = 2nR

......

maxPM ,S

maxm,S

P(Cn,S)Zµ|M=m

∣QµZ

> e−nγ1

≤∑

P(Cn,S)Zµ|M=m

∣QµZ

>e−nγ1

≤ 2n2nRe−enγ2Taking R > αH(X) =⇒

1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

◮ Cn ={

Xn(m, w)}

iid∼ Qn

ICn(M ; Zn) ≤ max

m,S:|S|=µ

P(Cn,S)Zµ|M=m

∣QµZ

m = 1 m = 2 m = 2nR

w = 2nR

......

maxPM ,S

maxm,S

P(Cn,S)Zµ|M=m

∣QµZ

> e−nγ1

≤∑

P(Cn,S)Zµ|M=m

∣QµZ

>e−nγ1

≤ 2n2nRe−enγ2

−−−→n→∞

0Taking R > αH(X) =⇒

WTC II SS-Capacity - Converse

SS-capacity WTC II ≤ Weak-secrecy-capacity WTC I

◮ WTC I with erasure DMC to Eve - Transition probability α.

Difficulty: Eve might observe more Xi-s in WTC I than in WTC II.

Solution: Sanov’s theorem & Continuity of mutual information.

Summary

◮ Gold standard in cryptography - relevant for applications.

Summary

◮ Equivalent to vanishing inf. leakage for all PM .

Summary

Stronger Soft-Covering Lemma:

Summary

◮ Double-exponential decay of prob. of soft-covering not happening.

Summary

◮ Satisfy exponentially many soft-covering constraints.

Summary

Wiretap Channel II: Noisy Main Channel

Summary

◮ Derivation of SS-capacity & Equality to weak-secrecy-capacity.

Summary

◮ Classic erasure wiretap codes achieve SS-capacity.

Summary

◮ Classic erasure wiretap codes achieve SS-capacity.

Thank You!

Semantic Security in the Presence of Active...

Documents

Computationally Efficient MIMO HSDPA System ... - … · PublisherInfo PublisherName : Springer International Publishing PublisherLocation : Cham PublisherImprintName : Springer Computationally

Computationally-predicted AOPs · computationally-predicted AOPs & networks

Computationally-Efficient Approximation Mechanisms (cont.)

Leveraging Experience for Computationally Efﬁcient ...vdesaraj/papers/Desaraju17_ICRA.pdf · Leveraging Experience for Computationally Efﬁcient Adaptive Nonlinear Model Predictive

Computationally efficient induction of classification

ULTRASONIC EAVESDROPPER - uCozsirak.ucoz.ru/_ld/2/280_TVM.pdfULTRASONIC EAVESDROPPER ... In the mixer, the two signals heterodyne or ‘beat’ together, ... IC4 MC1496 IC1a IC1b IC1c

Computationally efficient dimension reduction of

Computationally modeling interpersonal trust

Remote State Estimation in the Presence of an Eavesdropper · Remote State Estimation in the Presence of an Eavesdropper Alex Leong Paderborn University Workshop on Information and

Chapter 1 Computationally Efﬁcient Clustering of Audio ...homepage.tudelft.nl/3e2t5/Hungetal_BookChap2010.pdf · Chapter 1 Computationally Efﬁcient Clustering of ... 1 Computationally

Making computer vision computationally efficient

Error Correction in Computationally Bounded Channels

From CryptoVerif Specifications to Computationally Secure ... fileIntroductionSpeci cation languageTranslationApplicationConclusion From CryptoVerif Speci cations to Computationally

The Future of Trusted Computing...©2018 Trusted Computing Group Each layer can be attacked Security threats for IoT An Eavesdropper listening in on data or commands can reveal confidential

Statistical Justiﬁcations for Computationally Tractable ... · PDF fileStatistical Justiﬁcations for Computationally Tractable ... Sushmita Roy, Assistant Professor ... Chapter

Prediction versus Understanding in Computationally

CERTIFICATION REPORT - commoncriteriaportal.org HUAWEI... · [EXT1493] Evaluation Technical Report of Huawei 3900 Series LTE eNodeB ... Agent Description Eavesdropper An eavesdropper

Computationally Independent Model and Service Specification · Computationally Independent Model and Service Specification ... Service Specification v. 1.5 - 2 ... 0 Computationally

Protecting Circuits from Computationally-Bounded Leakage

Quantum man-in-the-middle attack on the calibration ... · However, the eavesdropper may attack the calibration process to break the security assumption of QKD and provide precondition