Semantic Security for the
Wiretap Channel
Joint work with
Mihir Bellare (UCSD)
Alexander Vardy (UCSD)
Stefano Tessaro
MIT
Cryptography today is (mainly) based on computational
assumptions.
We wish instead to base cryptography on a
physical assumption.
Presence of channel noise
Noisy channel assumption has been used previously to
achieve oblivious transfer, commitments [CK88,C97]
But we return to an older and more basic setting โฆ
Wynerโs Wiretap Model [W75,CK78]
ChR
ChA ๐(๐)
๐๐๐ ๐โฒ ๐๐๐ ๐ ๐ถ
Goals: Message privacy + correctness
Assumption: ChA is โnoisierโ than ChR
Encryption is keyless
Security is information-theoretic
Additional goal: Maximize rate ๐ = |๐|/|๐ถ|
๐ถโฒ
Channels
๐ฅ1 , ๐ฆ4, โฆ Ch
A channel is a randomized map Ch: 0,1 โ 0,1
We extend the domain of Ch to {0,1}โ via
Ch ๐ฅ1๐ฅ2 โฆ๐ฅ๐ = Ch ๐ฅ1 Ch ๐ฅ2 โฆCh ๐ฅ๐
๐ฆ1 = Ch(๐ฅ1)
๐ฆ2 = Ch(๐ฅ2)
๐ฆ3 = Ch(๐ฅ3)
๐ฆ4 = Ch(๐ฅ4)
Ch ๐ = ๐
โฆ , ๐ฅ4, ๐ฅ2, ๐ฅ3, ๐ฆ1 , ๐ฆ2 , ๐ฆ3
Clear channel:
BSC๐ ๐ = ๐ with prob. 1 โ ๐
1 โ ๐ with prob. ๐
Binary symmetric channel with error probability ๐:
Wynerโs Wiretap Model โ More concretely
BSC๐
BSC๐ ๐(๐)
๐๐๐ ๐โฒ ๐๐๐ ๐ ๐ถ
Assumption: ๐ < ๐ โค 1 2
Wiretap channel โ Realization
Increasing practical interest: Physical-layer security
010110โฆ .
Very short distance Very low power
Large distance
Degraded signal
e.g. credit card #
Wiretap Channel โ Previous work
Two major drawbacks:
1. Improper privacy notions
Entropy-based notions
Only consider random messages
2. No polynomial-time schemes with optimal rate
Non-explicit decryption algorithms
Weaker security
35 years of previous work:
Hundreds of papers/books on wiretap
security within the information theory &
coding community
This work: We fill both gaps
Our contributions
1. New security notions for the wiretap channel model:
Semantic security, distinguishing security
following [GM82]
Mutual-information security
Equivalence among the three
2. Polynomial-time encryption scheme:
Semantically secure
Optimal rate
Outline
1. Security notions
2. Polynomial-time scheme
Prior work โ Mutual-information security
BSC๐
BSC๐ ๐(๐)
๐๐๐ ๐โฒ ๐๐๐ ๐ ๐ถ
Uniformly distributed!
Definition: ๐ ๐; ๐(๐) = ๐ ๐ โ ๐ ๐|๐(๐)
Random Mutual-Information Security (MIS-R):
๐ ๐; ๐(๐) = ๐ง๐๐ ๐ฅ ๐ ๐ = P๐(๐) โ log 1 P๐(๐)
๐
๐ ๐|๐(๐) = ๐ ๐ ๐(๐) โ ๐ ๐(๐)
Critique โ Random messages
BSC๐
BSC๐ ๐(๐)
๐๐๐ ๐โฒ ๐๐๐ ๐ ๐ถ
We want security for arbitrary message distributions,
following [GM82]!
Common misconception: c.f. e.g. [CDS11] โ[โฆ] the particular choice of the distribution on ๐ as a uniformly random
sequence will cause no loss of generality. [โฆ] the transmitter can use a
suitable source-coding scheme to compress the source to its entropy prior to
the transmission, and ensure that from the intruderโs point of view, ๐ is
uniformly distributed.โ
Wrong! No universal (source-independent)
compression algorithm exists!
Uniformly distributed!
Mutual-information security, revisited
New: Mutual-Information Security (MIS)
maxP๐
๐ ๐; ๐(๐) = ๐ง๐๐ ๐ฅ
Random Mutual-Information Security (MIS-R)
๐ ๐; ๐(๐) = ๐ง๐๐ ๐ฅ
Maximize over all message distributions
Critique: Mutual information is hard to work with / interpret!
Semantic security
Semantic Security (SS)
max๐,P๐
max๐จ
Pr [๐จ(๐(๐)) = ๐(๐)]
โ max๐บ
Pr [๐บ = ๐(๐)] = ๐ง๐๐ ๐ฅ
Maximize over all functions + message distributions
BSC๐ ๐(๐)
๐๐๐ ๐
๐ ๐ ๐(๐)
=
0/1
๐จ ๐ ๐ ๐ ๐(๐)
=
0/1
๐บ
Distinguishing security
Distinguishing Security (DS)
max๐จ,๐0,๐1
Pr[๐จ ๐0, ๐1, ๐ ๐B = B] = 1/2 + ๐ง๐๐ ๐ฅ
Uniform random bit ๐ต
Fact:
max๐ด,๐0,๐1
Pr[A ๐0, ๐1, ๐ ๐B = B] =1
2+ ๐ง๐๐ ๐ฅ
โ max๐0,๐1
๐๐ ๐ ๐0 ; ๐ ๐1 = ๐ง๐๐ ๐ฅ.
๐๐ ๐; ๐ =1
2 P๐ ๐ฃ โ P๐ ๐ฃ
๐ฃ
Relations
MIS DS
SS MIS-R
Theorem. MIS, DS, SS are equivalent.
Outline
1. Security notions
2. Polynomial-time scheme
Polynomial-time scheme
BSC๐
BSC๐ ๐(๐)
๐๐๐ ๐โฒ ๐๐๐ ๐ ๐ถ
Goal: Polynomial-time ๐๐๐ and ๐๐๐ which satisfy:
1) Correctness: Pr ๐ โ ๐โฒ = ๐ง๐๐ ๐ฅ 2) Semantic security
3) Optimal rate
We observe that fuzzy extractors of [DORS08] can be
used to achieve 1 + 2. (Also: [M92,โฆ])
[HM10,MV11] Constructions achieving 1 + 3 or 2 + 3.
This work: First polynomial-time scheme achieving 1 + 2 + 3
What is the optimal rate?
BSC๐
BSC๐ ๐(๐)
๐๐๐ ๐โฒ ๐๐๐ ๐ ๐ถ
Definition: Rate ๐ = ๐ /|๐ถ|
Previous work: [L77] No MIS-R secure scheme can
have rate higher than โ ๐ โ โ(๐) โ ๐(1).
Our scheme: Rate โ ๐ โ โ ๐ โ ๐(1)
Hence, โ ๐ โ โ(๐) โ ๐(1) is the optimal rate for all
security notions!
โ ๐ฅ = โ๐ฅ log ๐ฅ โ (1 โ ๐ฅ) log(1 โ ๐ฅ)
Our encryption scheme
๐
๐ bits
๐
๐ โ 0๐
๐ bits
๐
๐ถ
๐ bits
๐๐๐๐(๐) ๐ โ ๐ bits
GF 2๐ multiplication
Poly-time + injective
+ linear
๐ โค ๐ โ 1 โ โ ๐ + ๐(1) ๐
Public seed
Our encryption scheme โ Security
Theorem. ๐๐๐ is semantically secure.
Challenge:
Ciphertext distribution
depends on combinatorial
properties of E.
Two steps:
1. Reduce semantic security to random-message security.
2. Prove random-message security.
๐
๐
๐ โ 0
๐
๐ถ
Our encryption scheme โ Decryptability and rate
๐
๐
๐ โ 0
๐
๐ถ
๐ถโฒ
๐
๐โฒ
๐โ1
๐โฒ
๐๐๐๐(๐): ๐๐๐๐(๐ถโฒ):
Observation. If (๐, ๐) are encoder/decoder of ECC for
BSC๐, then correctness holds.
Optimal choice: Concatenated codes [F66],
polar codes [A09]: ๐ = 1 โ โ ๐ โ ๐(1) ๐
๐ โ ๐ ๐
๐
๐ = ๐ โ 1 โ โ ๐ + ๐(1) ๐
Optimal rate: ๐
๐= โ ๐ โ โ ๐ โ ๐(1)
Concluding remarks
Summary:
New equivalent security notions for the wiretap setting:
DS, SS, MIS.
First polynomial-time scheme achieving these security
notions with optimal rate.
Our scheme is simple, modular, and efficient.
Concluding remarks
Summary:
New equivalent security notions for the wiretap setting:
DS, SS, MIS.
First polynomial-time scheme achieving these security
notions with optimal rate.
Our scheme is simple, modular, and efficient.
Additional remarks:
We provide a general and concrete treatment.
Scheme can be used on larger set of channels.
Concluding remarks
Summary:
New equivalent security notions for the wiretap setting:
DS, SS, MIS.
First polynomial-time scheme achieving these security
notions with optimal rate.
Our scheme is simple, modular, and efficient.
Additional remarks:
We provide a general and concrete treatment.
Scheme can be used on larger set of channels.
Thank you!