Rei Safavi-Naini University of Calgary Joint work with: Hadi Ahmadi iCORE Information Security

Secret key agreement Alice and Bob want to share a secret over a channel that is eavesdropped by Eve. –A fundamental problem in cryptography. No solution if no other assumption is made. Assumptions: –Computational assumption Diffie-Hellman key agreement –Non computational assumption – unlimited adversary Noisy channel  The key questions: –Is it possible? –What is the “secrecy capacity”? This talk: increasing “secrecy capacity” through interaction over noisy channels 2iCIS Lab, University of Calgary

Message transmission& Key agreement Exiting noisy channel models –Wiretap –Noisy broadcast –Public discussion A new model: two-way noisy broadcast –Lower bounds –Interactive Channel Coding –Comparing Key Agreement Protocols Discussion & Concluding Remarks Outline 3iCIS Lab, University of Calgary

Preliminaries p p p

Message transmission & Key agreement Assume eavesdropping adversary –If Alice can send a message ‘securely’ to Bob, –She may choose the message to be a ‘key’  secure message transmission protocol gives a secure key agreement Protocols for secret key agreement

Secure message transmission over noisy channel Model 1 : Wyner [Wy75] Wiretap channel : Channels are noisy DMCs. Eve’s channel is a degraded version of Bob’s. No shared key Secure message transmission is possible if the wiretap channel is not noise-free. –There exists a randomized coding C s =C(P YZ|X )= max p(x)( I(X;Y)-I(X;Z)) Main Channel X Wiretap channel Y Z 6iCIS Lab, University of Calgary

Secure message transmission Model 2: Csiszár and Körner [CK78] noisy broadcast channel : A generalization of Wyner’s work. Eve’s channel can be better than Bob’s Secure message transmission is possible, if Eve’s channel is noisier. C s =C(P YZ|X )= max p(x)( I(X;Y)-I(X;Z)) Main Channel X Wiretap channel Y Z 7iCIS Lab, University of Calgary

Secure key agreement Maurer[Ma93], Ahlswede &Csiszár [AC93] –Noisy broadcast: –Public discussion channel error-free -insecure Secure key agreement is possible if, Eve’s channel is not noise-free and Bob’s channel is not fully noisy. –  no requirement on Eve’s channel be more noisy! Established key can be used to encrypt a message –Send over public channel  secure message transmission In practice: –Implement public discussion channel: using channel coding [BBRM08] Main Channel X Wiretap channel Y Z Public discussion 8iCIS Lab, University of Calgary

Secure key agreement: A new model Secret key agreement over “two-way” (noisy) broadcast channels. –No public discussion: only noisy communication Natural model Secrecy capacity? The rest of the talk: –Define two-way noisy channel secrecy capacity –Give three protocols for key agreement –compare the protocols and derive a lower-bound for two- way secrecy capacity. Main forward channel (Ch mf ) Eve XfXf Eavesdropper's backward channel (Ch eb ) Bob Alice XbXb Eavesdropper's forward channel (Ch ef ) Main backward channel (Ch mb ) ZfZf YfYf YbYb ZbZb 9iCIS Lab, University of Calgary

2-way broadcast Two one-way broadcast channels –A forward broadcast channel: X f →Y f Z f specified by –A backward: X b →Y b Z b specified by Alice and Bob send messages multiple times. Alice, Bob and Eve “view” RVs: View A, View B, View E. Either Alice or Bob calculates S; the other calculates S’. SS’ 10iCIS Lab, University of Calgary View B View E

Secrecy capacity of 2-way broadcast Secrecy capacity : The maximum real number R≥0, such that: for every ε>0 and sufficiently large N, there exist a protocol that uses the two-way broadcast channel N times, and results in viewed RVs M A, M B, M E and calculated RVs S and S’ which satisfy: 11iCIS Lab, University of Calgary

Lower bound 1: one pass communication 1. One-way key agreement Use forward or backward noisy broadcast channel for sending a secure key The first lower-bound is: C s A and C s B are one-way secrecy capacities of forward and backward channels. 12iCIS Lab, University of Calgary

Lower bound 2: 1-round communication 2- Virtual Cascade Channel (VCC) protocol Inspired by Maurer’s technique used for public discussion model Alice (Bob) starts the protocol: –Alice sends X f ; –Bob selects uniformly S, encodes it to V b, and sends X b =Y f +V b ; XfXf ZfZf YfYf Xb=Yf+VbXb=Yf+Vb Z b V’’ b =Z b -Z f Y b V’ b =Y b -X f 13iCIS Lab, University of Calgary

Lower bound 2 Theorem: secrecy capacity is equal to half of the 1-way secrecy capacity of the virtual broadcast channel, V b →V’ b V’’ b, i.e.: When Bob starts the protocol, the secrecy capacity is The second lower-bound is: 14iCIS Lab, University of Calgary

Lower bound 3: 1-round communication Interactive channel coding: –Alice: sends X f n ; Bob and Eve receive Y f n and Z f n. X f is such that Y f has uniform distribution. –Bob: encodes Y f n to M B N =e(Y f n )=(Y f n ||X b d ) and sends X b d ; Alice and Eve receive Y b d and Z b d. –Alice decodes M A N =(X f n ||Y b d ) to ; –Bob and Alice calculate secrets as Eve BobAlice Systematic Encoder Systematic Decoder Ch mf Ch ef Ch eb Ch mb 15

Lower bound from interactive coding The third lower bound is:

The best lower bound so far: Theorem: Secrecy capacity of 2-way noisy broadcast channel is lower bounded by 17iCIS Lab, University of Calgary

Secrecy capacity with ICC Average mutual information between Bob and Alice: Average mutual information between Bob and Eve: The two-way secrecy capacity with ICC is: –if Alice initiates –if Bob initiates Hence: 18iCIS Lab, University of Calgary

Secrecy capacity with ICC Theorem: Let Y f n be an i.i.d. n-vector over set U n with entropy H(Y f )=ζ, where ζ=log|U|, and S k =g −1 (Y f n ). For rates, by choosing N large enough, there exist a suitable partitioning set G n and a pair of (2 ζk,N) encoding/decoding algorithms that communicate Y f n reliably from Bob to Alice, while 19iCIS Lab, University of Calgary

A comparison: BSC channels Channels are binary symmetric –bit error probabilities p 1, p 2, p 3, p 4, where p 1 =p 4. Main forward channel (Ch mf ) Eve XfXf Eavesdropper's backward channel (Ch eb ) Bob Alice XbXb Eavesdropper's forward channel (Ch ef ) Main backward channel (Ch mb ) ZfZf YfYf YbYb ZbZb 20iCIS Lab, University of Calgary

1-rnd and 2-rnd communication 21 Note: h(p) =- plog p -(1-p) log (1-p)

ICC vs. VCC 22iCIS Lab, University of Calgary

Discussion Types of key agreement protocols: –One-party Key Generation: First two protocols –Participatory Key Generation: ICC Secrecy capacity of message transmission vs. key agreement: –Equal : if public discussion channel exists. –Equality for two-way broadcast model is an open question. Strong vs. weak secrecy capacity: –Weak: to maximize Eve’s uncertainty rate [Wy75, CK78, Ma93]. –Strong: to maximize Eve’s absolute uncertainty [MW00]. We consider weak secrecy capacity. Strengthening the security requirement is direct [MW00] 23iCIS Lab, University of Calgary

Concluding remarks Two-way broadcast model is a natural model –Fits in particular in wireless settings –Results are of practical significance Secrecy capacity of 2-way broadcast channel for key agreement is defined in analogy to one-way secrecy capacity Three key agreement protocols in 2-way broadcast setting –One-way key agreement –VCC protocol –ICC protocol Each protocol will provide the best (highest) capacity for certain channels –The best lower-bound is maximum of the three in each case 24iCIS Lab, University of Calgary

Concluding remarks Secrecy capacity will be positive in surprising cases: –the main channels are much worse than the eavesdropper’s channel ICC protocol provides a novel approach to channel coding, using interaction during the encoding phase. Open questions: –Can ICC be extended to multi-round? –Relationship among secrecy capacities of the three protocols –Relation between secrecy capacities of key agreement and message transmission 25iCIS Lab, University of Calgary