Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Semantic Security in the Presence of
Active Adversaries
Ziv GoldfeldJoint work with Paul Cuff and Haim Permuter
Ben Gurion University
Advanced Communications Center Annual Workshop
February 22nd, 2016
Motivation
Information Theoretic Security over Noisy Channels
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 2
Motivation
Information Theoretic Security over Noisy Channels
Pros:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 2
Motivation
Information Theoretic Security over Noisy Channels
Pros:
1 Security versus computationally unlimited eavesdropper.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 2
Motivation
Information Theoretic Security over Noisy Channels
Pros:
1 Security versus computationally unlimited eavesdropper.
2 No shared key - Use intrinsic randomness of a noisy channel.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 2
Motivation
Information Theoretic Security over Noisy Channels
Pros:
1 Security versus computationally unlimited eavesdropper.
2 No shared key - Use intrinsic randomness of a noisy channel.
Cons:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 2
Motivation
Information Theoretic Security over Noisy Channels
Pros:
1 Security versus computationally unlimited eavesdropper.
2 No shared key - Use intrinsic randomness of a noisy channel.
Cons:
1 Eve’s channel assumed to be fully known & constant in time.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 2
Motivation
Information Theoretic Security over Noisy Channels
Pros:
1 Security versus computationally unlimited eavesdropper.
2 No shared key - Use intrinsic randomness of a noisy channel.
Cons:
1 Eve’s channel assumed to be fully known & constant in time.
2 Security metrics insufficient for (some) applications.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 2
Motivation
Information Theoretic Security over Noisy Channels
Pros:
1 Security versus computationally unlimited eavesdropper.
2 No shared key - Use intrinsic randomness of a noisy channel.
Cons:
1 Eve’s channel assumed to be fully known & constant in time.
2 Security metrics insufficient for (some) applications.
Our Goal: Stronger metric and remove “known channel” assumption.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 2
Wiretap Channels - Security Metrics
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 3
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
{
Cn
}
n∈N- a sequence of (n, R)-codes
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
{
Cn
}
n∈N- a sequence of (n, R)-codes
Weak-Secrecy: 1n
ICn(M ; Zn) −−−→
n→∞0.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
{
Cn
}
n∈N- a sequence of (n, R)-codes
Weak-Secrecy: 1n
ICn(M ; Zn) −−−→
n→∞0. Only leakage rate vanishes
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
{
Cn
}
n∈N- a sequence of (n, R)-codes
Weak-Secrecy:✭✭
✭✭✭
✭✭✭✭
✭✭1n
ICn(M ; Zn) −−−→
n→∞0 .
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
{
Cn
}
n∈N- a sequence of (n, R)-codes
Weak-Secrecy:✭✭
✭✭✭
✭✭✭✭
✭✭1n
ICn(M ; Zn) −−−→
n→∞0 .
Strong-Secrecy: ICn(M ; Zn) −−−→
n→∞0.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
{
Cn
}
n∈N- a sequence of (n, R)-codes
Weak-Secrecy:✭✭
✭✭✭
✭✭✭✭
✭✭1n
ICn(M ; Zn) −−−→
n→∞0 .
Strong-Secrecy: ICn(M ; Zn) −−−→
n→∞0. Security only on average
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
{
Cn
}
n∈N- a sequence of (n, R)-codes
Weak-Secrecy:✭✭
✭✭✭
✭✭✭✭
✭✭1n
ICn(M ; Zn) −−−→
n→∞0 .
Strong-Secrecy:✭
✭✭✭✭
✭✭✭
✭✭
ICn(M ; Zn) −−−→
n→∞0 .
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
{
Cn
}
n∈N- a sequence of (n, R)-codes
Weak-Secrecy:✭✭
✭✭✭
✭✭✭✭
✭✭1n
ICn(M ; Zn) −−−→
n→∞0 .
Strong-Secrecy:✭
✭✭✭✭
✭✭✭
✭✭
ICn(M ; Zn) −−−→
n→∞0 .
Semantic Security:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
{
Cn
}
n∈N- a sequence of (n, R)-codes
Weak-Secrecy:✭✭
✭✭✭
✭✭✭✭
✭✭1n
ICn(M ; Zn) −−−→
n→∞0 .
Strong-Secrecy:✭
✭✭✭✭
✭✭✭
✭✭
ICn(M ; Zn) −−−→
n→∞0 .
Semantic Security: [Bellare-Tessaro-Vardy 2012]
max
PM
ICn(M ;Zn) −−−→
n→∞0.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]
U[
1 : 2nR]
∼MEnc
XnQY,Z|X
Y n
Zn
Dec
Eve
M
M
{
Cn
}
n∈N- a sequence of (n, R)-codes
Weak-Secrecy:✭✭
✭✭✭
✭✭✭✭
✭✭1n
ICn(M ; Zn) −−−→
n→∞0 .
Strong-Secrecy:✭
✭✭✭✭
✭✭✭
✭✭
ICn(M ; Zn) −−−→
n→∞0 .
Semantic Security: [Bellare-Tessaro-Vardy 2012]
max
PM
ICn(M ;Zn) −−−→
n→∞0.
⋆ A single code must work well for all message PMFs ⋆
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 4
A Stronger Soft-Covering Lemma
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 5
Soft-Covering - Setup
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 6
WCodebook
Un
QV |UV n
Unif[
1 : 2nR]
Soft-Covering - Setup
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 6
WCodebook
Un
QV |UV n ← Resemble i.i.d.
Unif[
1 : 2nR]
Soft-Covering - Setup
Random Codebook: Cn ={
Un(w)}
w
iid∼ Qn
U .
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 6
WCodebook
Un
QV |UV n ← Resemble i.i.d.
Unif[
1 : 2nR]
Soft-Covering - Setup
Random Codebook: Cn ={
Un(w)}
w
iid∼ Qn
U .
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 6
WCode Cn
Un
QV |UV n ← Resemble i.i.d.
Unif[
1 : 2nR]
Soft-Covering - Setup
Random Codebook: Cn ={
Un(w)}
w
iid∼ Qn
U .
Induced Output Distribution: Codebook Cn =⇒ V n ∼ P(Cn)V n .
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 6
WCode Cn
Un
QV |UV n ∼ P
(Cn)V n
Unif[
1 : 2nR]
Soft-Covering - Setup
Random Codebook: Cn ={
Un(w)}
w
iid∼ Qn
U .
Induced Output Distribution: Codebook Cn =⇒ V n ∼ P(Cn)V n .
Target IID Distribution: QnV marginal of Qn
U QnV |U .
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 6
WCode Cn
Un
QV |UV n ∼ P
(Cn)V n
Unif[
1 : 2nR]
Soft-Covering - Setup
Random Codebook: Cn ={
Un(w)}
w
iid∼ Qn
U .
Induced Output Distribution: Codebook Cn =⇒ V n ∼ P(Cn)V n .
Target IID Distribution: QnV marginal of Qn
U QnV |U .
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 6
WCode Cn
Un
QV |UV n ∼ P
(Cn)V n ≈ Qn
V
Unif[
1 : 2nR]
Soft-Covering - Setup
Random Codebook: Cn ={
Un(w)}
w
iid∼ Qn
U .
Induced Output Distribution: Codebook Cn =⇒ V n ∼ P(Cn)V n .
Target IID Distribution: QnV marginal of Qn
U QnV |U .
⋆ Goal: Choose R (codebook size) s.t. P(Cn)V n ≈ Qn
V ⋆
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 6
WCode Cn
Un
QV |UV n ∼ P
(Cn)V n ≈ Qn
V
Unif[
1 : 2nR]
Soft-Covering - Results
R > IQ(U ;V ) =⇒ P(Cn)V n ≈ Qn
V
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 7
WCode Cn
Un
QV |UV n ∼ P
(Cn)V n ≈ Qn
V
Unif[
1 : 2nR]
Soft-Covering - Results
R > IQ(U ;V ) =⇒ P(Cn)V n ≈ Qn
V
Wyner 1975: ECn
1n
D(
P(Cn)V n
∣
∣
∣
∣
∣
∣QnV
)
−−−→n→∞
0.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 7
WCode Cn
Un
QV |UV n ∼ P
(Cn)V n ≈ Qn
V
Unif[
1 : 2nR]
Soft-Covering - Results
R > IQ(U ;V ) =⇒ P(Cn)V n ≈ Qn
V
Wyner 1975: ECn
1n
D(
P(Cn)V n
∣
∣
∣
∣
∣
∣QnV
)
−−−→n→∞
0.
Han-Verdu 1993: ECn
∣
∣
∣
∣
∣
∣P(Cn)V n −Qn
V
∣
∣
∣
∣
∣
∣
TV−−−→n→∞
0.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 7
WCode Cn
Un
QV |UV n ∼ P
(Cn)V n ≈ Qn
V
Unif[
1 : 2nR]
Soft-Covering - Results
R > IQ(U ;V ) =⇒ P(Cn)V n ≈ Qn
V
Wyner 1975: ECn
1n
D(
P(Cn)V n
∣
∣
∣
∣
∣
∣QnV
)
−−−→n→∞
0.
Han-Verdu 1993: ECn
∣
∣
∣
∣
∣
∣P(Cn)V n −Qn
V
∣
∣
∣
∣
∣
∣
TV−−−→n→∞
0.
◮ Also provided converse.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 7
WCode Cn
Un
QV |UV n ∼ P
(Cn)V n ≈ Qn
V
Unif[
1 : 2nR]
Soft-Covering - Results
R > IQ(U ;V ) =⇒ P(Cn)V n ≈ Qn
V
Wyner 1975: ECn
1n
D(
P(Cn)V n
∣
∣
∣
∣
∣
∣QnV
)
−−−→n→∞
0.
Han-Verdu 1993: ECn
∣
∣
∣
∣
∣
∣P(Cn)V n −Qn
V
∣
∣
∣
∣
∣
∣
TV−−−→n→∞
0.
◮ Also provided converse.
Hou-Kramer 2014: ECnD
(
P(Cn)V n
∣
∣
∣
∣
∣
∣QnV
)
−−−→n→∞
0.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 7
WCode Cn
Un
QV |UV n ∼ P
(Cn)V n ≈ Qn
V
Unif[
1 : 2nR]
A Stronger Soft-Covering Lemma
Theorem
If R > IQ(U ;V ) and |V| < ∞, then there exists γ1, γ2 > 0 s.t.
PCn
(
D(
P(Cn)V n
∣
∣
∣
∣
∣
∣QnV
)
> e−nγ1
)
≤ e−enγ2
for n sufficiently large.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 8
WCode Cn
Un
QV |UV n ∼ P
(Cn)V n ≈ Qn
V
Unif[
1 : 2nR]
Wiretap Channels of Type II
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 9
Wiretap Channels of Type II - Definition[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 10
Wiretap Channels of Type II - Definition[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Eavesdropper: Can observe a subset S ⊆ [1 : n] of size µ = ⌊αn⌋,α ∈ [0,1], of transmitted symbols.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 10
Wiretap Channels of Type II - Definition[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Eavesdropper: Can observe a subset S ⊆ [1 : n] of size µ = ⌊αn⌋,α ∈ [0,1], of transmitted symbols.
Transmitted:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 10
0 0 1 0 1 1 1 0 1 0 n = 10 α = 0.63
Wiretap Channels of Type II - Definition[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Eavesdropper: Can observe a subset S ⊆ [1 : n] of size µ = ⌊αn⌋,α ∈ [0,1], of transmitted symbols.
Transmitted:
Observed:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 10
0 0 1 0 1 1 1 0 1 0
? ? ? 1 1 ? 1 00 1
n = 10 α = 0.63
Wiretap Channels of Type II - Definition[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Eavesdropper: Can observe a subset S ⊆ [1 : n] of size µ = ⌊αn⌋,α ∈ [0,1], of transmitted symbols.
Transmitted:
Observed:
⋆ Ensure security versus all possible choices of S ⋆
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 10
0 0 1 0 1 1 1 0 1 0
? ? ? 1 1 ? 1 00 1
n = 10 α = 0.63
Wiretap Channels of Type II - Past Results[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Ozarow-Wyner 1984: Noiseless main channel
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 11
Wiretap Channels of Type II - Past Results[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Ozarow-Wyner 1984: Noiseless main channel◮ Rate equivocation region.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 11
Wiretap Channels of Type II - Past Results[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Ozarow-Wyner 1984: Noiseless main channel◮ Rate equivocation region.◮ Coset coding.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 11
Wiretap Channels of Type II - Past Results[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Ozarow-Wyner 1984: Noiseless main channel◮ Rate equivocation region.◮ Coset coding.
Nafea-Yener 2015: Noisy main channel
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 11
Wiretap Channels of Type II - Past Results[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Ozarow-Wyner 1984: Noiseless main channel◮ Rate equivocation region.◮ Coset coding.
Nafea-Yener 2015: Noisy main channel◮ Built on coset code construction.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 11
Wiretap Channels of Type II - Past Results[Ozarow-Wyner 1984]
mEnc
S ⊆ [1 :n], |S|= µ
Zi =
{
Xi , i ∈ S
?, i /∈ S
Xn
QY |XY n
Zn
Dec
Eve
m
m
Ozarow-Wyner 1984: Noiseless main channel◮ Rate equivocation region.◮ Coset coding.
Nafea-Yener 2015: Noisy main channel◮ Built on coset code construction.◮ Lower & upper bounds - Not match in general.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 11
Wiretap Channels of Type II - SS-Capacity
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 12
Semantic Security:
Wiretap Channels of Type II - SS-Capacity
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 12
Semantic Security: maxPM ,S:|S|=µ
ICn(M ; Zn) −−−→
n→∞0.
Wiretap Channels of Type II - SS-Capacity
Theorem
For any α ∈ [0, 1]
C(II)Semantic(α) = C
(II)Weak(α) = max
QU,X
[
I(U ; Y )− αI(U ; X)]
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 12
Semantic Security: maxPM ,S:|S|=µ
ICn(M ; Zn) −−−→
n→∞0.
Wiretap Channels of Type II - SS-Capacity
Theorem
For any α ∈ [0, 1]
C(II)Semantic(α) = C
(II)Weak(α) = max
QU,X
[
I(U ;Y )−αI(U ;X)]
RHS is the secrecy-capacity of WTC I with erasure DMC to Eve.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 12
Semantic Security: maxPM ,S:|S|=µ
ICn(M ; Zn) −−−→
n→∞0.
Wiretap Channels of Type II - SS-Capacity
Theorem
For any α ∈ [0, 1]
C(II)Semantic(α) = C
(II)Weak(α) = max
QU,X
[
I(U ; Y )− αI(U ; X)]
RHS is the secrecy-capacity of WTC I with erasure DMC to Eve.
Standard (erasure) wiretap code & Stronger tools for analysis.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 12
Semantic Security: maxPM ,S:|S|=µ
ICn(M ; Zn) −−−→
n→∞0.
Wiretap Channels of Type II - SS-Capacity
Theorem
For any α ∈ [0, 1]
C(II)Semantic(α) = C
(II)Weak(α) = max
QU,X
[
I(U ; Y )− αI(U ; X)]
RHS is the secrecy-capacity of WTC I with erasure DMC to Eve.
Standard (erasure) wiretap code & Stronger tools for analysis.
Practical implementations of binary erasure wiretap codes exist.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 12
Semantic Security: maxPM ,S:|S|=µ
ICn(M ; Zn) −−−→
n→∞0.
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
2 Preliminary Step: maxPM ,S:|S|=µ
ICn(M ; Zn) ≤ max
m,S:|S|=µ
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
2 Preliminary Step: maxPM ,S:|S|=µ
ICn(M ; Zn) ≤ max
m,S:|S|=µ
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
2 Preliminary Step: maxPM ,S:|S|=µ
ICn(M ; Zn) ≤ max
m,S:|S|=µ
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
3 Union Bound & Stronger SCL:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
2 Preliminary Step: maxPM ,S:|S|=µ
ICn(M ; Zn) ≤ max
m,S:|S|=µ
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
3 Union Bound & Stronger SCL:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
P
(
{
maxPM ,S
ICn(M ; Zn) ≤ e−nγ1
}c)
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
2 Preliminary Step: maxPM ,S:|S|=µ
ICn(M ; Zn) ≤ max
m,S:|S|=µ
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
3 Union Bound & Stronger SCL:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
P
(
{
maxPM ,S
ICn(M ; Zn) ≤ e−nγ1
}c)
≤P
(
maxm,S
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
> e−nγ1
)
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
2 Preliminary Step: maxPM ,S:|S|=µ
ICn(M ; Zn) ≤ max
m,S:|S|=µ
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
3 Union Bound & Stronger SCL:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
P
(
{
maxPM ,S
ICn(M ; Zn) ≤ e−nγ1
}c)
≤P
(
maxm,S
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
> e−nγ1
)
≤∑
m,S
P
(
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
> e−nγ1
)
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
2 Preliminary Step: maxPM ,S:|S|=µ
ICn(M ; Zn) ≤ max
m,S:|S|=µ
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
3 Union Bound & Stronger SCL:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
P
(
{
maxPM ,S
ICn(M ; Zn) ≤ e−nγ1
}c)
≤P
(
maxm,S
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
> e−nγ1
)
≤∑
m,S
P
(
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
>e−nγ1
)
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
2 Preliminary Step: maxPM ,S:|S|=µ
ICn(M ; Zn) ≤ max
m,S:|S|=µ
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
3 Union Bound & Stronger SCL:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
P
(
{
maxPM ,S
ICn(M ; Zn) ≤ e−nγ1
}c)
≤P
(
maxm,S
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
> e−nγ1
)
≤∑
m,S
P
(
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
>e−nγ1
)
Taking R > αH(X) =⇒
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
2 Preliminary Step: maxPM ,S:|S|=µ
ICn(M ; Zn) ≤ max
m,S:|S|=µ
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
3 Union Bound & Stronger SCL:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
P
(
{
maxPM ,S
ICn(M ; Zn) ≤ e−nγ1
}c)
≤P
(
maxm,S
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
> e−nγ1
)
≤∑
m,S
P
(
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
>e−nγ1
)
≤ 2n2nRe−enγ2Taking R > αH(X) =⇒
WTC II SS-Capacity - Achievability for U=X
1 Wiretap Code:
◮ W ∼ Unif[
1 : 2nR]
.
◮ Cn ={
Xn(m, w)}
m,w
iid∼ Qn
X
2 Preliminary Step: maxPM ,S:|S|=µ
ICn(M ; Zn) ≤ max
m,S:|S|=µ
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
3 Union Bound & Stronger SCL:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 13
m = 1 m = 2 m = 2nR
. . .
w = 1
w = 2nR
......
...
...
n
P
(
{
maxPM ,S
ICn(M ; Zn) ≤ e−nγ1
}c)
≤P
(
maxm,S
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
> e−nγ1
)
≤∑
m,S
P
(
D(
P(Cn,S)Zµ|M=m
∣
∣
∣
∣
∣
∣QµZ
)
>e−nγ1
)
≤ 2n2nRe−enγ2
−−−→n→∞
0Taking R > αH(X) =⇒
WTC II SS-Capacity - Converse
SS-capacity WTC II ≤ Weak-secrecy-capacity WTC I
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 14
WTC II SS-Capacity - Converse
SS-capacity WTC II ≤ Weak-secrecy-capacity WTC I
◮ WTC I with erasure DMC to Eve - Transition probability α.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 14
WTC II SS-Capacity - Converse
SS-capacity WTC II ≤ Weak-secrecy-capacity WTC I
◮ WTC I with erasure DMC to Eve - Transition probability α.
Difficulty: Eve might observe more Xi-s in WTC I than in WTC II.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 14
WTC II SS-Capacity - Converse
SS-capacity WTC II ≤ Weak-secrecy-capacity WTC I
◮ WTC I with erasure DMC to Eve - Transition probability α.
Difficulty: Eve might observe more Xi-s in WTC I than in WTC II.
Solution: Sanov’s theorem & Continuity of mutual information.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 14
Summary
Semantic Security: [Bellare-Tessaro-Vardy 2012]
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 15
Summary
Semantic Security: [Bellare-Tessaro-Vardy 2012]
◮ Gold standard in cryptography - relevant for applications.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 15
Summary
Semantic Security: [Bellare-Tessaro-Vardy 2012]
◮ Gold standard in cryptography - relevant for applications.
◮ Equivalent to vanishing inf. leakage for all PM .
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 15
Summary
Semantic Security: [Bellare-Tessaro-Vardy 2012]
◮ Gold standard in cryptography - relevant for applications.
◮ Equivalent to vanishing inf. leakage for all PM .
Stronger Soft-Covering Lemma:
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 15
Summary
Semantic Security: [Bellare-Tessaro-Vardy 2012]
◮ Gold standard in cryptography - relevant for applications.
◮ Equivalent to vanishing inf. leakage for all PM .
Stronger Soft-Covering Lemma:
◮ Double-exponential decay of prob. of soft-covering not happening.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 15
Summary
Semantic Security: [Bellare-Tessaro-Vardy 2012]
◮ Gold standard in cryptography - relevant for applications.
◮ Equivalent to vanishing inf. leakage for all PM .
Stronger Soft-Covering Lemma:
◮ Double-exponential decay of prob. of soft-covering not happening.
◮ Satisfy exponentially many soft-covering constraints.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 15
Summary
Semantic Security: [Bellare-Tessaro-Vardy 2012]
◮ Gold standard in cryptography - relevant for applications.
◮ Equivalent to vanishing inf. leakage for all PM .
Stronger Soft-Covering Lemma:
◮ Double-exponential decay of prob. of soft-covering not happening.
◮ Satisfy exponentially many soft-covering constraints.
Wiretap Channel II: Noisy Main Channel
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 15
Summary
Semantic Security: [Bellare-Tessaro-Vardy 2012]
◮ Gold standard in cryptography - relevant for applications.
◮ Equivalent to vanishing inf. leakage for all PM .
Stronger Soft-Covering Lemma:
◮ Double-exponential decay of prob. of soft-covering not happening.
◮ Satisfy exponentially many soft-covering constraints.
Wiretap Channel II: Noisy Main Channel
◮ Derivation of SS-capacity & Equality to weak-secrecy-capacity.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 15
Summary
Semantic Security: [Bellare-Tessaro-Vardy 2012]
◮ Gold standard in cryptography - relevant for applications.
◮ Equivalent to vanishing inf. leakage for all PM .
Stronger Soft-Covering Lemma:
◮ Double-exponential decay of prob. of soft-covering not happening.
◮ Satisfy exponentially many soft-covering constraints.
Wiretap Channel II: Noisy Main Channel
◮ Derivation of SS-capacity & Equality to weak-secrecy-capacity.
◮ Classic erasure wiretap codes achieve SS-capacity.
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 15
Summary
Semantic Security: [Bellare-Tessaro-Vardy 2012]
◮ Gold standard in cryptography - relevant for applications.
◮ Equivalent to vanishing inf. leakage for all PM .
Stronger Soft-Covering Lemma:
◮ Double-exponential decay of prob. of soft-covering not happening.
◮ Satisfy exponentially many soft-covering constraints.
Wiretap Channel II: Noisy Main Channel
◮ Derivation of SS-capacity & Equality to weak-secrecy-capacity.
◮ Classic erasure wiretap codes achieve SS-capacity.
Thank You!
Ziv Goldfeld Ben Gurion University
Semantic Security vs. Active Adversaries 15