Dennis Goeckel, Electrical and Computer Engineering (ECE), University of Massachusetts at Amherst. Fundamental Limits of Covert Communications (a.k.a. Low Prob of Detection). Joint work with: Boulat Bash (UMass, BBN); Don Towsley, Tamara Sobers, Ramin Khalili, Amir Houmansadr (UMass); Saikat Guha, Andrei Georghe (Amherst College), Jon Habif, Monika Patel (Raytheon BBN Quantum Info Processing Group). This work is supported by the U.S. National Science Foundation under Grant ECCS and Raytheon BBN Technologies.
3 Secret Wireless Communications. Much of modern security research is dedicated to avoiding message decoding: 1. Cryptography (standard practice): Encode the message in such a way that an eavesdropper without the key cannot decode the message, without significant computation. 2. Information-theoretic Secrecy (emerging?): Exploit any physical advantage on the channel so that the eavesdropper will never be able to decode the message. [Figure: Alice, Bob, Eve, Building] I. Introduction II. Wireless III. Wired IV. Extensions
4 Motivation: Covert Communications. But what if encryption is not enough? 1. Social unrest: government may shut down any, especially encrypted, message transmission. 2. Military: want to hide the presence of any activity. 3. Government snooping: revelations of government surveillance indicate it is often the “meta-data” that is important. (Image source: PraxisFilms) How do we conceal the presence of a message (or, conversely, keep people from doing such)? This talk: II. Wireless Channels; III. Wireline Channels; IV. Looking forward.
5 Scenario. Alice wants to talk to Bob on a noisy broadcast channel. She also has to keep Willie from detecting her message. Alice and Bob prepare by sharing a secret. [Figure labels: "Has to extract from using"; "Has to tell whether is noisy or just noise"; "Noise!"]
6 Main Result: The Square Root Law for AWGN channels. Given that Alice has to tolerate some risk of being detected, how many bits can Alice covertly send to Bob? Not many: bits in channel uses. If she sends bits in channel uses, either Willie detects her, or Bob is subject to decoding errors. Intuition: Alice has to “softly whisper” to reduce detection, which hurts how much she can send. [JSAC ‘13, ISIT ‘12, ISIT ‘13, ISIT ‘14]
7 Outline. Introduction; Covert communication on a Wireless Channel (AWGN communication model; Detection model; Theory: Achievability and Converse; Experiment: Optical Communications); Covert communication on a Wired Channel (Poisson Packet communication model; Theory: Achievability of positive rate); Can we beat the square root law on a Wireless Channel?
8 Communication model. Alice wants to talk to Bob over an AWGN channel. She also has to keep Willie from detecting her message. Alice and Bob prepare by sharing a secret. [Figure labels: "Has to extract from using"; "Has to tell whether is or +"]
9 Why not use Steganography? Steganography: embed messages into covertext. Covertext = finite alphabet objects: machine code, .jpg, .mp3. Stegotext = covertext with hidden message. No channel noise: Bob and Willie see same stegotext. Result of Ker, Fridrich, et al: bits can be safely embedded in covertext of size by modifying symbols of covertext. Blindly apply this result to continuous alphabet/channel scenario: Can only modify symbols? Transmit infinite amount of information covertly? (Image source: User Cyp, Wikipedia)
10 Plan of Attack. Tension: Alice must limit power not to be detected (“whisper”), while still being decodable at Bob. Plan of Attack: (1) Analyze Alice-to-Willie channel to find allowable power; (2) Design Alice-to-Bob channel to maximize comms rate at that power. [Figure labels: "Has to extract from using"; "Has to tell whether is or +"]
11 Detection model (the Alice-to-Willie channel). Willie attempts to classify observations of Alice’s channel as either noise or signal corrupted by noise. Null hypothesis : observations are noise. Alternate : Alice transmitting signals. Willie’s probability of error Alice desires (covertness criterion). [Table: Willie’s test decision, Noise ( ) or Signal ( ), against Alice is quiet ( ) or x-mitting ( )]
12 Intuition behind Willie’s metric. Willie picks desired and uses a detector that maximizes Alice wants to lower-bound Picks appropriate distribution for covert symbols. [Figure: Detector ROC, with regions labelled "Desirable by Willie" and "Desirable by Alice"]
14 Achievability. Alice can reliably transmit bits in uses of her AWGN channel to Bob while maintaining at Willie’s detector for any Proof structure: 1. Fix Alice/Bob communication system. 2. Employ power = 3. Show for all detectors. 4. Demonstrate that Bob’s probability of decoding error is close to zero; then, #bits = [Figure: Willie’s Detector ROC; label "Willie’s channel to Alice"]
15 Converse: Willie’s Detector. Willie collects independent readings of his channel to Alice: Interested in discriminating between: Use power detector (radiometer): For some threshold, accuse Alice if Can show this limits Alice to and #bits=
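The power detector (radiometer) on this slide can be simulated to show the square root law from Willie's side. This is an added example, not code from the talk: the function names, the equal-prior error P_e = (P_FA + P_MD)/2, the assumption that Alice's symbols look i.i.d. Gaussian to Willie, σ_w^2 = 1, and the constants c = 0.5 and fixed power 0.1 are all choices made here. It compares Alice scaling her per-symbol power as c/sqrt(n) against Alice keeping a fixed power.

```python
import math
import random
from bisect import bisect_right


def willie_error(n, sigma_a2, sigma_w2=1.0, trials=4000, seed=7):
    """Estimate the radiometer's best P_e = (P_FA + P_MD) / 2 over n channel uses.

    Assumptions of this example: equal priors, and Alice's symbols look
    i.i.d. Gaussian to Willie, so his average power reading is a scaled
    chi-square variable with n degrees of freedom.
    """
    rng = random.Random(seed)

    def avg_power(var):
        # (1/n) * sum of n squared N(0, var) samples == var * chi2(n) / n
        return var * rng.gammavariate(n / 2.0, 2.0) / n

    quiet = sorted(avg_power(sigma_w2) for _ in range(trials))
    active = sorted(avg_power(sigma_w2 + sigma_a2) for _ in range(trials))

    best = 0.5  # blind guessing: the value Alice wants Willie to stay near
    for t in quiet + active:  # candidate thresholds; accuse if reading > t
        p_fa = 1.0 - bisect_right(quiet, t) / trials  # false alarm
        p_md = bisect_right(active, t) / trials       # missed detection
        best = min(best, (p_fa + p_md) / 2.0)
    return best


def compare(ns=(100, 1000, 10000), c=0.5, fixed=0.1):
    """Rows of (n, P_e when sigma_a^2 = c/sqrt(n), P_e when sigma_a^2 = fixed)."""
    rows = []
    for n in ns:
        whisper = willie_error(n, c / math.sqrt(n))
        loud = willie_error(n, fixed)
        rows.append((n, round(whisper, 3), round(loud, 3)))
    return rows


if __name__ == "__main__":
    for n, whisper, loud in compare():
        print(f"n={n:6d}  P_e(whisper)={whisper:.3f}  P_e(fixed power)={loud:.3f}")
```

With power scaled as c/sqrt(n), Willie's error stays at roughly the same level as n grows; at fixed power it collapses toward zero, which is why a longer observation window favours the detector.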
16 Related Work (A Subset!). Korzhik, Morales-Luna, and Lee, 2005, “On the existence of perfect stegosystems,” Proc. 4th Int. Workshop Digital Watermarking (IWDW): + [Independent work] Achievability of sqrt(n) result for Gaussian inputs. Che, Bakshi, Jaggi, 2014, “Reliable deniable communication: hiding messages in noise”: + for Binary Symmetric Channels (BSCs) with an advantage at Bob, no secret key required. L. Wang, G. Wornell, L. Zhang, 2015, 2016, “Limits of low-probability-of-detection communication over a discrete memoryless channel”; M. Bloch, 2015, 2016, “Covert communication over noisy memoryless channels: A resolvability perspective”: + Consideration of key size required at Alice and Bob; + Derivation of the constant hidden in the O(.) notation. Bash et al, “Quantum-secure Covert Communication on Bosonic Channels”, Nature Communications, 2015.
18 Optical LPD communication. Validation of LPD communication in free-space optical setting. Infra-red laser communication. Use single-photon detectors (SPDs): best instruments for detecting low power light; Poissonian noise, not Gaussian (“dark count” arrivals). Square root law: same form, different derivation. Reed-Solomon coding over pulse position modulation (PPM) symbols.
19 Experimental setup. [Block diagram labels: Alice (laser); variable attenuator; mirror; beamsplitter; Willie (SPD); Bob (SPD); NI DAQ board: message generation, encoding; NI DAQ board: detection, message decoding]
20 Experimental setup. [Diagram labels: NI DAQ board; Willie’s SPD; output (laser) trigger; Bob’s SPD; input (detector) trigger; external clock; Alice; Bob; Willie; pulsed laser; pulse generator; temperature control; variable attenuator]
21 Experimental setup. [Figure]
22 Number of bits received by Bob. [Plot: bits received vs. number of PPM slots used ( ); curves for Careful Alice, Careless Alice, Dangerously careless Alice; label "total # photons transmitted"] Average over 100 trials per data point; confidence intervals negligible.
23 Willie probability of detection error: Experimental. [Plot: Willie’s probability of error vs. number of PPM slots used ( ); curves for Careful Alice, Careless Alice, Dangerously careless Alice; label "total # photons transmitted"] Experimental evaluation: 100 trials per data point; DKW conf. interval at each point: ±0.136.
25 Covert Wired Communications. Alice & Bob use the channel between Jack & Steve. Warden Willie is listening. [Figure labels: Jack; Steve; Alice; Bob; Warden Willie; Buffer; Router; Queue. Clipart source: Artist Gerald_G, openclipart.org]
26 Problem Statement. Problem 1: Unauthenticated packets; Packet insertion channel. Problem 2: Authenticated packets; Packet timing channel.
27 Problem 1: Packet Insertion Channel – Results. Achievability: By inserting packets, Alice can covertly transmit packets to Bob in time period T. Converse: Alice cannot transmit packets to Bob in time period T. Why? Willie simply counts packets.
28 Problem 2: Packet Timing Channel. Packet transmission from Jack is a Poisson process (λ). Alice & Willie know λ < μ. Willie can authenticate the packets: no insertion! Strategy: Alice adjusts packet timing, using codewords from the optimal codebook, which are instantiations of a Poisson process (i.e. covert!).
29 Problem: What if I run out of packets? Hmmm… first need to buffer up some extras. Codebook Generation.
30 Packet Timing Channel. [Figure labels: Jack; Steve; Alice; Bob; Warden Willie; Buffer; Router; Queue]
31 Packet Timing Channel - Collection. Achievability: In the first phase, Alice can covertly buffer packets in T. Converse: Alice cannot collect packets covertly.
32 Packet Timing Channel – Did we collect enough packets? Alice’s buffer: initially packets. Is it enough? Packets released with timing according to codeword. Packets arrive from Jack via Poisson process with rate λ. Random walk analysis: for α large enough, just enough packets collected so that Alice does not run out. We can transmit packets for duration (1-α)T, hence bits conveyed.
34 Can we beat sqrt(n)? Return to the model: have we missed anything? Recall that, for our achievability: = …and Willie is just detecting by checking the power: is it σ_w^2 or σ_w^2 + σ_a^2? But, what if he does not know σ_w^2? [Figure labels: "Has to extract from using"; "Has to tell whether is or +"]
35 Achieve O(n) bits in n channel uses? [Take 1] [Lee and Baxley, 2014] Result: Suppose Willie has uncertainty about σ_w^2; say σ_w^2 - Δ ≤ σ_w^2 ≤ σ_w^2 + Δ and he is restricted to employing a power detector. Then, Alice can achieve O(n) bits in n channel uses covertly. Proof (idea): Alice employs very small (δ: constant) power per symbol, with ε chosen s.th. P_e^(w) > ½ - δ. Since Willie does not know precisely the power to expect, this can be done. Then: R = log (1 + δ) ≈ δ bits/symbol, and δn bits in n symbols. Weaknesses: 1. Assumptions on Willie’s receiver. 2. Is this uncertainty model physically reasonable? Takeaways: sqrt(n) to n rate improvement in “realistic” scenarios.
36 Achieve O(n) bits in n channel uses? [Take 2] [Goeckel et al 2015] Theorem: If Willie does not know σ_w^2, the throughput is still sqrt(n log T(n)): same as if he knew σ_w^2, for any T(n) > 1. Proof (idea): Willie tests each slot individually for transmission: He forms an estimate of σ_w^2 for that slot’s test based on the remainder of the slots. It is possible to show that the convergence of the estimate to its true value is fast enough to bound Alice to the same rate as if Willie knew σ_w^2. [Figure labels: slot 1, slot 2, slot t_A, slot T(n); "Slot being checked."; "Form estimate of σ_w^2 from these slots."]
37 Achieve O(n) bits in n channel uses? [Take 3] So, uncertainty in the (constant) noise power at Willie will not do it. But what if we vary that noise? [Figure labels: "Has to extract from using"; "Has to tell whether is or +"; "Friendly (uninformed) jammer"]
38 Achieve O(n) bits in n channel uses? [Take 3] Friendly (uninformed) jammer simply varies his power σ_J^2 every K < n symbol periods randomly. Willie cannot use empty slots to estimate σ_J^2, and thus a power detector will fail. But is that the optimal detector? [Sobers et al, 2015] Theorem: With the help of a friendly uninformed jammer, Alice can reliably transmit O(n) covert bits in n channel uses against the optimal detector. Proof: If K=n, the optimal detector at Willie can be shown to be a power detector. If K < n, this is no longer true, but the result can still be shown. [Figure labels: slot 1, slot 2, slot t_A, slot T(n); "Slot used by Alice and Bob"]
39 Conclusion. We have: defined the covert communications problem; established the fundamental limits of covert communications on AWGN channels: sqrt(n) bits (and only sqrt(n) bits) can be sent reliably in n channel uses; validated our result experimentally; established an achievability result for covert communications on Poisson packet channels: O(λT) bits can be sent covertly using a timing channel; established that even an uninformed jammer can greatly facilitate covert wireless communications. Our work has revived interest in covert communications…
40 Revival of interest in covert communications. ISIT 2012 (Boston, MA): B. Bash, D. Goeckel, and D. Towsley, “Square Root Law for Communication with Low Probability of Detection on AWGN Channels”. ISIT 2013 (Istanbul, Turkey): Che, Bakshi, Jaggi, “Reliable deniable communication: hiding messages in noise”; Bash, Guha, Goeckel, Towsley, “Quantum Noise Limited Optical Communication with Low Probability of Detection”. 2014: Lee and Baxley, “Achieving positive rate with undetectable communication over AWGN and Rayleigh channels”; Lee, Baxley, McMahon, Frazier, “Achieving positive rate with undetectable communication over MIMO Rayleigh channels”; Hou and Kramer, “Effective Secrecy: Reliability, Confusion and Stealth”; Bash, Goeckel, Towsley, “LPD Communication when the Warden Does Not Know When”; Kadhe, Jaggi, Bakshi, Sprintson, “Reliable, Deniable, and Hidable Communication over Multipath Networks”; Soltani, Bash, Goeckel, Guha, Towsley, “Covert Single-hop Communication in a Wireless Network with Distributed Artificial Noise Generation” …