Semantic Security in the Presence of Active Adversariespeople.ece.cornell.edu/zivg/Talk_Feder.pdfPros: 1 Security versus computationally unlimited eavesdropper. 2 No shared key - Use

Semantic Security in the Presence of

Active Adversaries

Ziv GoldfeldJoint work with Paul Cuff and Haim Permuter

Ben Gurion University

Advanced Communications Center Annual Workshop

February 22nd, 2016

Motivation

Information Theoretic Security over Noisy Channels

Ziv Goldfeld Ben Gurion University

Semantic Security vs. Active Adversaries 2

Motivation


Pros:



Motivation


Pros:

1 Security versus computationally unlimited eavesdropper.



Motivation


Pros:


2 No shared key - Use intrinsic randomness of a noisy channel.



Motivation


Pros:



Cons:



Motivation


Pros:



Cons:

1 Eve’s channel assumed to be fully known & constant in time.



Motivation


Pros:



Cons:


2 Security metrics insufficient for (some) applications.



Motivation


Pros:



Cons:


2 Security metrics insufficient for (some) applications.

Our Goal: Stronger metric and remove “known channel” assumption.



Wiretap Channels - Security Metrics



Wiretap Channels and Security MetricsDegraded [Wyner 1975], General [Csiszar-Korner 1978]

U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M




U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M

{

Cn

}

n∈N- a sequence of (n, R)-codes




U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M

{

Cn

}


Weak-Secrecy: 1n

ICn(M ; Zn) −−−→

n→∞0.




U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M

{

Cn

}


Weak-Secrecy: 1n

ICn(M ; Zn) −−−→

n→∞0. Only leakage rate vanishes




U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M

{

Cn

}


Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .




U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M

{

Cn

}


Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy: ICn(M ; Zn) −−−→

n→∞0.




U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M

{

Cn

}


Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy: ICn(M ; Zn) −−−→

n→∞0. Security only on average




U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M

{

Cn

}


Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy:✭

✭✭✭✭

✭✭✭

✭✭

ICn(M ; Zn) −−−→

n→∞0 .




U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M

{

Cn

}


Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy:✭

✭✭✭✭

✭✭✭

✭✭

ICn(M ; Zn) −−−→

n→∞0 .

Semantic Security:




U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M

{

Cn

}


Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy:✭

✭✭✭✭

✭✭✭

✭✭

ICn(M ; Zn) −−−→

n→∞0 .

Semantic Security: [Bellare-Tessaro-Vardy 2012]

max

PM

ICn(M ;Zn) −−−→

n→∞0.




U[

1 : 2nR]

∼MEnc

XnQY,Z|X

Y n

Zn

Dec

Eve

M

M

{

Cn

}


Weak-Secrecy:✭✭

✭✭✭

✭✭✭✭

✭✭1n

ICn(M ; Zn) −−−→

n→∞0 .

Strong-Secrecy:✭

✭✭✭✭

✭✭✭

✭✭

ICn(M ; Zn) −−−→

n→∞0 .


max

PM

ICn(M ;Zn) −−−→

n→∞0.

⋆ A single code must work well for all message PMFs ⋆



A Stronger Soft-Covering Lemma



Soft-Covering - Setup



WCodebook

Un

QV |UV n

Unif[

1 : 2nR]




WCodebook

Un

QV |UV n ← Resemble i.i.d.

Unif[

1 : 2nR]


Random Codebook: Cn ={

Un(w)}

w

iid∼ Qn

U .



WCodebook

Un


Unif[

1 : 2nR]



Un(w)}

w

iid∼ Qn

U .



WCode Cn

Un


Unif[

1 : 2nR]



Un(w)}

w

iid∼ Qn

U .

Induced Output Distribution: Codebook Cn =⇒ V n ∼ P(Cn)V n .



WCode Cn

Un

QV |UV n ∼ P

(Cn)V n

Unif[

1 : 2nR]



Un(w)}

w

iid∼ Qn

U .


Target IID Distribution: QnV marginal of Qn

U QnV |U .



WCode Cn

Un

QV |UV n ∼ P

(Cn)V n

Unif[

1 : 2nR]



Un(w)}

w

iid∼ Qn

U .



U QnV |U .



WCode Cn

Un

QV |UV n ∼ P

(Cn)V n ≈ Qn

V

Unif[

1 : 2nR]



Un(w)}

w

iid∼ Qn

U .



U QnV |U .

⋆ Goal: Choose R (codebook size) s.t. P(Cn)V n ≈ Qn

V ⋆



WCode Cn

Un

QV |UV n ∼ P

(Cn)V n ≈ Qn

V

Unif[

1 : 2nR]

Soft-Covering - Results

R > IQ(U ;V ) =⇒ P(Cn)V n ≈ Qn

V



WCode Cn

Un

QV |UV n ∼ P

(Cn)V n ≈ Qn

V

Unif[

1 : 2nR]



V

Wyner 1975: ECn

1n

D(

P(Cn)V n

∣

∣

∣

∣

∣

∣QnV

)

−−−→n→∞

0.



WCode Cn

Un

QV |UV n ∼ P

(Cn)V n ≈ Qn

V

Unif[

1 : 2nR]



V

Wyner 1975: ECn

1n

D(

P(Cn)V n

∣

∣

∣

∣

∣

∣QnV

)

−−−→n→∞

0.

Han-Verdu 1993: ECn

∣

∣

∣

∣

∣

∣P(Cn)V n −Qn

V

∣

∣

∣

∣

∣

∣

TV−−−→n→∞

0.



WCode Cn

Un

QV |UV n ∼ P

(Cn)V n ≈ Qn

V

Unif[

1 : 2nR]



V

Wyner 1975: ECn

1n

D(

P(Cn)V n

∣

∣

∣

∣

∣

∣QnV

)

−−−→n→∞

0.

Han-Verdu 1993: ECn

∣

∣

∣

∣

∣

∣P(Cn)V n −Qn

V

∣

∣

∣

∣

∣

∣

TV−−−→n→∞

0.

◮ Also provided converse.



WCode Cn

Un

QV |UV n ∼ P

(Cn)V n ≈ Qn

V

Unif[

1 : 2nR]



V

Wyner 1975: ECn

1n

D(

P(Cn)V n

∣

∣

∣

∣

∣

∣QnV

)

−−−→n→∞

0.

Han-Verdu 1993: ECn

∣

∣

∣

∣

∣

∣P(Cn)V n −Qn

V

∣

∣

∣

∣

∣

∣

TV−−−→n→∞

0.

◮ Also provided converse.

Hou-Kramer 2014: ECnD

(

P(Cn)V n

∣

∣

∣

∣

∣

∣QnV

)

−−−→n→∞

0.



WCode Cn

Un

QV |UV n ∼ P

(Cn)V n ≈ Qn

V

Unif[

1 : 2nR]

A Stronger Soft-Covering Lemma

Theorem

If R > IQ(U ;V ) and |V| < ∞, then there exists γ1, γ2 > 0 s.t.

PCn

(

D(

P(Cn)V n

∣

∣

∣

∣

∣

∣QnV

)

> e−nγ1

)

≤ e−enγ2

for n sufficiently large.



WCode Cn

Un

QV |UV n ∼ P

(Cn)V n ≈ Qn

V

Unif[

1 : 2nR]

Wiretap Channels of Type II



Wiretap Channels of Type II - Definition[Ozarow-Wyner 1984]

mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m




mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m

Eavesdropper: Can observe a subset S ⊆ [1 : n] of size µ = ⌊αn⌋,α ∈ [0,1], of transmitted symbols.




mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m


Transmitted:



0 0 1 0 1 1 1 0 1 0 n = 10 α = 0.63


mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m


Transmitted:

Observed:



0 0 1 0 1 1 1 0 1 0

? ? ? 1 1 ? 1 00 1

n = 10 α = 0.63


mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m


Transmitted:

Observed:

⋆ Ensure security versus all possible choices of S ⋆



0 0 1 0 1 1 1 0 1 0

? ? ? 1 1 ? 1 00 1

n = 10 α = 0.63

Wiretap Channels of Type II - Past Results[Ozarow-Wyner 1984]

mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m

Ozarow-Wyner 1984: Noiseless main channel




mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m

Ozarow-Wyner 1984: Noiseless main channel◮ Rate equivocation region.




mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m

Ozarow-Wyner 1984: Noiseless main channel◮ Rate equivocation region.◮ Coset coding.




mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m


Nafea-Yener 2015: Noisy main channel




mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m


Nafea-Yener 2015: Noisy main channel◮ Built on coset code construction.




mEnc

S ⊆ [1 :n], |S|= µ

Zi =

{

Xi , i ∈ S

?, i /∈ S

Xn

QY |XY n

Zn

Dec

Eve

m

m


Nafea-Yener 2015: Noisy main channel◮ Built on coset code construction.◮ Lower & upper bounds - Not match in general.



Wiretap Channels of Type II - SS-Capacity



Semantic Security:




Semantic Security: maxPM ,S:|S|=µ

ICn(M ; Zn) −−−→

n→∞0.


Theorem

For any α ∈ [0, 1]

C(II)Semantic(α) = C

(II)Weak(α) = max

QU,X

[

I(U ; Y )− αI(U ; X)]




ICn(M ; Zn) −−−→

n→∞0.


Theorem

For any α ∈ [0, 1]


(II)Weak(α) = max

QU,X

[

I(U ;Y )−αI(U ;X)]

RHS is the secrecy-capacity of WTC I with erasure DMC to Eve.




ICn(M ; Zn) −−−→

n→∞0.


Theorem

For any α ∈ [0, 1]


(II)Weak(α) = max

QU,X

[

I(U ; Y )− αI(U ; X)]


Standard (erasure) wiretap code & Stronger tools for analysis.




ICn(M ; Zn) −−−→

n→∞0.


Theorem

For any α ∈ [0, 1]


(II)Weak(α) = max

QU,X

[

I(U ; Y )− αI(U ; X)]


Standard (erasure) wiretap code & Stronger tools for analysis.

Practical implementations of binary erasure wiretap codes exist.




ICn(M ; Zn) −−−→

n→∞0.

WTC II SS-Capacity - Achievability for U=X

1 Wiretap Code:




1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.




1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X



m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n


1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X

2 Preliminary Step: maxPM ,S:|S|=µ

ICn(M ; Zn) ≤ max

m,S:|S|=µ

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)



m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n


1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X


ICn(M ; Zn) ≤ max

m,S:|S|=µ

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)



m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n


1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X


ICn(M ; Zn) ≤ max

m,S:|S|=µ

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

3 Union Bound & Stronger SCL:



m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n


1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X


ICn(M ; Zn) ≤ max

m,S:|S|=µ

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)




m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n

P

(

{

maxPM ,S

ICn(M ; Zn) ≤ e−nγ1

}c)


1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X


ICn(M ; Zn) ≤ max

m,S:|S|=µ

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)




m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n

P

(

{

maxPM ,S


}c)

≤P

(

maxm,S

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

> e−nγ1

)


1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X


ICn(M ; Zn) ≤ max

m,S:|S|=µ

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)




m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n

P

(

{

maxPM ,S


}c)

≤P

(

maxm,S

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

> e−nγ1

)

≤∑

m,S

P

(

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

> e−nγ1

)


1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X


ICn(M ; Zn) ≤ max

m,S:|S|=µ

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)




m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n

P

(

{

maxPM ,S


}c)

≤P

(

maxm,S

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

> e−nγ1

)

≤∑

m,S

P

(

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

>e−nγ1

)


1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X


ICn(M ; Zn) ≤ max

m,S:|S|=µ

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)




m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n

P

(

{

maxPM ,S


}c)

≤P

(

maxm,S

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

> e−nγ1

)

≤∑

m,S

P

(

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

>e−nγ1

)

Taking R > αH(X) =⇒


1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X


ICn(M ; Zn) ≤ max

m,S:|S|=µ

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)




m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n

P

(

{

maxPM ,S


}c)

≤P

(

maxm,S

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

> e−nγ1

)

≤∑

m,S

P

(

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

>e−nγ1

)

≤ 2n2nRe−enγ2Taking R > αH(X) =⇒


1 Wiretap Code:

◮ W ∼ Unif[

1 : 2nR]

.

◮ Cn ={

Xn(m, w)}

m,w

iid∼ Qn

X


ICn(M ; Zn) ≤ max

m,S:|S|=µ

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)




m = 1 m = 2 m = 2nR

. . .

w = 1

w = 2nR

......

...

...

n

P

(

{

maxPM ,S


}c)

≤P

(

maxm,S

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

> e−nγ1

)

≤∑

m,S

P

(

D(

P(Cn,S)Zµ|M=m

∣

∣

∣

∣

∣

∣QµZ

)

>e−nγ1

)

≤ 2n2nRe−enγ2

−−−→n→∞

0Taking R > αH(X) =⇒

WTC II SS-Capacity - Converse

SS-capacity WTC II ≤ Weak-secrecy-capacity WTC I





◮ WTC I with erasure DMC to Eve - Transition probability α.






Difficulty: Eve might observe more Xi-s in WTC I than in WTC II.






Difficulty: Eve might observe more Xi-s in WTC I than in WTC II.

Solution: Sanov’s theorem & Continuity of mutual information.



Summary




Summary


◮ Gold standard in cryptography - relevant for applications.



Summary



◮ Equivalent to vanishing inf. leakage for all PM .



Summary




Stronger Soft-Covering Lemma:



Summary





◮ Double-exponential decay of prob. of soft-covering not happening.



Summary






◮ Satisfy exponentially many soft-covering constraints.



Summary







Wiretap Channel II: Noisy Main Channel



Summary








◮ Derivation of SS-capacity & Equality to weak-secrecy-capacity.



Summary









◮ Classic erasure wiretap codes achieve SS-capacity.



Summary









◮ Classic erasure wiretap codes achieve SS-capacity.

Thank You!



Documents

Semantic Security in the Presence of Active Adversariespeople.ece.cornell.edu/zivg/Talk_Feder.pdfPros: 1 Security versus computationally unlimited eavesdropper. 2 No shared key - Use