Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Theoretical Security

Published bySherman Fletcher Modified over 6 years ago

Similar presentations

Presentation on theme: "Information Theoretical Security"— Presentation transcript:

1 Information Theoretical Security
Ning Cai CAM 2016, Hong Kong August 23, 2016

2 The concept of information theoretical security (ITS)
The Outline The concept of information theoretical security (ITS) -two approaches to security ; -measurements of ITS; Examples for models of ITS; -combinatorial models (I) -probability (IT) models (II) Basic ideas in research on ITS

3 The concept of ITS: Two Approaches to Security
Computational Security (CS) vs Information Theoretical Security (ITS) Assumptions (CS): wiretapper(s)—limited computational ability (ITS): wiretapper(s)—unlimited computational ability Security (CS): relatively secure (ITS): absolutely secure Resources (Random key, throughput etc) (CS): less (ITS): more

4 The concept of ITS: Two Approaches to Security
Computational Security – very popular, especially in commercial systems; Information Theoretical Security – not so popular but received more and more attention: Due to -increasing of requirement to security; -developing of network communication (e.g. physical layer security); -quantum computation -others.

5 The concept of ITS: the measurement
Shannon Entropy or Mutual Information -secure message, wiretapped message Perfect security: for model I: or for model II: or as Imperfect security: for for model I: ; for model II : Other Information Quantities e.g., Renyi entropy, von Neumann Entropy or Holevo Quantity for Quantum, etc.

6 Examples for ITS (I) Random message and
Shannon cipher system Random message and key are generated from the same set -outcome of the message -output of key 6

7 Examples for ITS (I) The scheme uses a key with size which minimizes the size of random key: I. e,

8 Examples for ITS (I) Secret Sharing (SS)(Blakley 1979, Shamir 1979)
There are a dealer and participates in the game. The dealer accesses a secret message and chooses random “sharings” according to the message and distributes them to participates A subset of participates try to recover the message by pooling their sharings. They can recover it if the subset is legal (i.e. in “access structure”). Otherwise they should have absolutely no information about it from their sharings.

9 Examples for ITS (I) Secret Sharing (continue)
threshold secret sharing scheme: participates, all sets with sizes are legal Given the amounts of sharings distributed to the participates, we want to maximize the amount of message sharing by them. The optimal threshold secret sharing scheme is known. To find optimal secret sharing schemes for general (“non- threshold) access structures is a very hard open problem (NP-hard).

10 Examples for ITS (I) Secret Sharing (continue)
A construction of threshold secret sharing scheme: Let be a random secret message, which is uniformly generated from with The dealer randomly uniformly and independently choose elements from Define a polynomial

11 Examples for ITS (I) Secret Sharing : A construction of threshold secret scheme (continue) The dealer chooses different numbers from and gives to the th participants. (it is why we need that the size of the field Any participants may determine and therefore because a polynomial of degree is determined by points.

12 Examples for ITS (I) Secret Sharing : A construction of threshold secret scheme (continue) Proof of security: We shall prove the (perfect) security, namely for any subset of is independent of Or in other words, we have to show that for all

13 Examples for ITS (I) Secret Sharing : A construction of threshold secret scheme (continue) To this end, let be the matrix whose columns are Then by our scheme, for all Notice are constants, and is full rank. So given this gives a 1-1 mapping from to Since are uniformly distributed on , so are I. e.,

14 Examples for ITS (I) Secret Sharing : A construction of threshold secret scheme (continue) Thus we have

15 Examples for ITS (I) Secret Sharing : A construction of threshold secret scheme (continue) Proof of the optimality: We need to show for any Indeed for all subset in we have

16 Examples for ITS (I) The wiretap channel II (Ozarow-Wyner 1984)
Message is encoded into a codeword of length A legal user receives the whole codeword A wtiretapper accesses any components of the codeword The legal user can decode correctly The illegal user has no information about the message (perfect security), more general the “equivocation” (conditional entropy) is lower bounded (imperfect security). The optimal code is known.

17 Examples for ITS (I) Wiretap network(WN) (Cai-Yeung 2002, 2011) Given
A communication network with source node(s) Set of legal users (receivers) in the network; A collection of subsets of edges (channels) of the network (wiretap subsets) such that a wiretapper can arbitrarily chooses a wiretap set and accesses all channels in the subset Denote by and the secure message and the message leaked to the wiretapper via the channels in respectively

18 Examples for ITS (I) Wiretap network (continue) Requirements
All legal users may decode the demanded messages correctly; The wiretapper(s) has no information (for perfect security) or limited information (for imperfect security) about (their interested) message i.e., Imperfect security :The secure condition can be release to for an

19 Examples for ITS (I) Wiretap network (continue)
We call a code satisfying above requirements a secure code. The goal is to find secure codes Maximizing the throughput; Minimizing the randomness. The simplest communication network is the single source acyclic network.

20 Examples for ITS (I) Wiretap network (continue)
We call the wiretap network WN and its secure code a secure network code if consists of subsets of channels i.e., for a WN, the wiretapper may access any channels. The results For WN the problem is completely solved, (Cai-Yeung); In general case the problem is very hard (NP completed)

21 Examples for ITS (I) Shannon Cipher System is a threshold SS,
a WCII and a secure network code. 21

22 Examples for ITS (I) SS is equivalent to a special class of WN’s. Given an SS with access structure , we construct a 3 layer WN as follows: Top layer: source node ( the dealer) Middle layer: intermediate nodes (participates); a channel with capacity connects and the node if the node gets bits sharing. Bottom layer: Receivers labeled by members in legal subsets; The intermediate node connect to receiver if

23 Examples for ITS(I) SS is equivalent to a special class of WN’s (continue) A wiretap subset of channels corresponds an illegal subset and has members Then existence of secure code for the WN is equivalent to existence of the SS scheme. A threshold secret sharing scheme “is” a secure network code.

24 Examples for ITS (I) s Am A1 A2 ……
…. s A1 A2 Am …… Formulating secret sharing schemes to WN

25 Examples for ITS (I) Similarly, WCII is equivalent to a 3 layer WN with a sink and intermediate nodes.

26 Examples for ITS (I) Private Computations on Networks
A communication network A subset of nodes users; Each user accesses a information source The sources are mutual independent The users cooperate to compute the value of a function by exchanging information over the network;

27 Examples for ITS(I) Private Computations in Networks (continue)
The users do not trust each others and they want the others to know no additional information about their own source. That is, the remaining uncertainty of the sources for the user must be after the communication; Randomization is necessary; The goal is minimizing the randomness or/and amount transmission messages The topology of the network play an important role.

28 Examples for ITS(I) Remark: Above models just are few of basic combinatorial models and they have had a lot of generalizations. For example WN has following extensions Weakly WN secure codes (Bhattad-Narayanan 2005); Strongly WN secure codes (Harada and Yamamoto 2008); Multiple WN secure code (Chan-Grant 2008); Algebraic security of random linear network Codes (Lima-Medard); Many more……

29 Examples for ITS(I) There are much more models and extensions e.g.,
ramp secret sharing; secure distributed storage; Many more……

30 Examples for ITS (II) Wiretap channel(WC) or wiretap channel I (Wyner 1975, Csiszar-Korner 1978) A sender send a secret message via a noisy channel with single input and two outputs A legal receiver and a wiretapper access different outputs of the channel resp. Want: the legal receiver may correctly decode with a high probability and the wiretapper has no (or limited) information about the message The goal: maximizing the transmission rate.

31 Examples for ITS (II) Wyner introduced degraded wiretap channel and had its capacity (i.e., the channel input and outputs accessed by legal and illegal users form a Markov chain). Csiszar-Korner extended it to general case. In fact they did more, broadcast channel with confidential message. That is, there are two sets of messages, say public and confidential messages, and two users. The first user should decode both message correctly. The second user should decode public message and have no or limited information about confidential message.

32 Examples for ITS (II) Wiretap channel(WC) or wiretap channel I

33 Examples for ITS (II) Secret key generation (SKG) using public discussion A set(s) of (legal) users try to generate a (common) secret random key A wiretapper(s) tries/try to have as much as possible information about the key The legal users share certain resource (e.g., different terminals of correlated source, private channels, parts of an entanglement q-state...) The wiretapper possibly may or may not have certain related resource (r.v. correlated to the source, outputs of the private channels, part of entanglement state…)

34 Examples for ITS (II) Secret key generation using public discussion
(continue) By combining actions on their resources (e.g., observation of the outputs of the source, communication via the private channels, measure the q-state….), the legal users exchange messages via a public channel The wiretapper may observe the output of the public channel by combining to use his resource Requirement: at the end all legal users have the same key and the wiretapper has no (or limited) information about the key Goal: maximizing the size of the key

35 Examples for ITS(II) An example of Secret key generation using public discussion (Maurer 1993, Ahlswede-Csiszar 1993):“Source model” A correlated memoryless source Legal users A, B and a wiretapper access resp. A and B exchange message publicly according to their received message and comes of At end of communication A and B share a random key The wiretapper can obtain no (or limited) information about the key from the output of public channel and

36 Examples for ITS(II) An example of Secret key generation using public discussion (Ahlswede-Csiszar 1993): “Channel model” A channel (private channel) with one input and two outputs; A legal user, Alice accesses the channel input and another legal user Bob accesses an output of the channel. Thus Alice may send message to Bob via the private channel; A wiretapper accesses the second output;

37 Examples for ITS(II) “Channel model” (continue)
Alice and Bob can also exchange message (each other) via public channels. All public discussion is observable by the wirepper; Alice and Bob communicate interactively to generate a common key; The requirement is that the wiretapper may have no or limited information about the key The goal is maximizing the size of the key.

38 Examples for ITS(II)

39 Examples for ITS(II) Remark: Above models just are few basic models in ITS (II) and they have had a lot of generalizations. The followings are few examples. WC Classical WC Identification via WC (Ahlswede-Zhang, 1995); WC with feedback (Ahlswede-Cai,2006); Compound WC (Liang-Kramer-Poor-Shamai 2007: WMAC (Liang-Poor 2008);

40 Examples for ITS(II) Classical WC (continue)
WC with state side information (Chen-Vinck 2008); AVWC (Bjelakovic-Boche-Sommerfeld 2013); WC with correlated source helper (Chen-Cai-Sezgin 2014) AVWC with common randomness helper (Notze-Wiese-Boche 2015) Many more……

41 Examples for ITS(II) Classical-Quantum WC Many more……
CQWC (Cai-Winter-Yeung 2004, Devetak 2005); CQAVWC (Blinovsky-M. Cai 2012); CQAVWC with various resources (Boche-M. Cai-Deppe 2013); CQ Compound WC (Boche-M.Cai-Cai-Deppe 2014) Many more……

42 Examples for ITS(II) SKG also have many generalizations according to the resource of different legal and illegal groups of users, by many authors e.g., Csiszar-Narayan 2000, 2004, 2008… Gohari-Anantharam 2010 A very general model: correlated source +wiretap channel, tradeoff of the amount of secure key and message, Prabhakaran-Eswaran-Ramchandran, 2012 Many more…… There are a lot of open problems in this topic.

43 Some Basic Idea in ITS: Direct Part
Assume the input alphabet of a security system is an input of the system is and the message obtained by the wiretapper is if he uses the strategy Then is a function of (for model I) or a random variable depending on (for model II). To protect the secret message, the sender partitions according to the size of the message set and randomly chooses an element from the th subset and sends it via the network if he wants to send the th message, (the territory of the th message)

44 Some Basic Idea in ITS: Direct Part
Denote by (i.e., ) the inverse image of mapping Then for a given is a partition of The wiretapper knows the input of WN must be in if he receives Thus his best strategy is “to guess” the message with the largest intersection of territory to Consequently a code is perfectly secure iff all territories equally intersect to all

45 Some Basic Idea in ITS: Direct Part

46 Some Basic Idea in ITS: Direct Part
Example: secure network coding. Let us consider a linear network code, then input set is a linear space on a finite field. We partition the input space to cosets and take the th coset as the territory of the th message. Now is linear because the code is linear. Thus its inverse images partition the input space into cosets too. Then the code is secure if the all those cosets are intersect to each territory because in the case the intersection must be uniform.

47 Some Basic Idea in ITS: Direct Part
Example: wiretap channel. Given a code (with arbitrarily small error probability) for the main channel, we shall have a secure code if we can color (binning) the codebook such that the numbers of the codewords of all colors with very typical output of the wiretap channel in the joint typical set are (almost) the same. This is usually done by random coloring (binning).

48 Basic Method in Converse part
The main technique in converse for both models is applying information inequalities and identities. Sometimes the proofs are very tricky. In many cases one can find the main ideas in the proofs originally from Shannon.

49 Thank You!

Download ppt "Information Theoretical Security"

Similar presentations

Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.

Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.
I NFORMATION CAUSALITY AND ITS TESTS FOR QUANTUM COMMUNICATIONS I- Ching Yu Host : Prof. Chi-Yee Cheung Collaborators: Prof. Feng-Li Lin (NTNU) Prof. Li-Yi.

I NFORMATION CAUSALITY AND ITS TESTS FOR QUANTUM COMMUNICATIONS I- Ching Yu Host : Prof. Chi-Yee Cheung Collaborators: Prof. Feng-Li Lin (NTNU) Prof. Li-Yi.
Information and Coding Theory

Information and Coding Theory
PAUL CUFF ELECTRICAL ENGINEERING PRINCETON UNIVERSITY Causal Secrecy: An Informed Eavesdropper.

PAUL CUFF ELECTRICAL ENGINEERING PRINCETON UNIVERSITY Causal Secrecy: An Informed Eavesdropper.
Capacity of Wireless Channels

Capacity of Wireless Channels
Enhancing Secrecy With Channel Knowledge

Enhancing Secrecy With Channel Knowledge
Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.

Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.
Information Theoretical Security and Secure Network Coding NCIS11 Ning Cai May 14, 2011 Xidian University.

Information Theoretical Security and Secure Network Coding NCIS11 Ning Cai May 14, 2011 Xidian University.
Chain Rules for Entropy

Chain Rules for Entropy
Chapter 6 Information Theory

Chapter 6 Information Theory
1 Network Coding: Theory and Practice Apirath Limmanee Jacobs University.

1 Network Coding: Theory and Practice Apirath Limmanee Jacobs University.
1 University of Freiburg Computer Networks and Telematics Prof. Christian Schindelhauer Mobile Ad Hoc Networks Network Coding and Xors in the Air 7th Week.

1 University of Freiburg Computer Networks and Telematics Prof. Christian Schindelhauer Mobile Ad Hoc Networks Network Coding and Xors in the Air 7th Week.
Network Coding Theory: Consolidation and Extensions Raymond Yeung Joint work with Bob Li, Ning Cai and Zhen Zhan.

Network Coding Theory: Consolidation and Extensions Raymond Yeung Joint work with Bob Li, Ning Cai and Zhen Zhan.
1 Network Source Coding Lee Center Workshop 2006 Wei-Hsin Gu (EE, with Prof. Effros)

1 Network Source Coding Lee Center Workshop 2006 Wei-Hsin Gu (EE, with Prof. Effros)
BB84 Quantum Key Distribution 1.Alice chooses (4+  )n random bitstrings a and b, 2.Alice encodes each bit a i as {|0>,|1>} if b i =0 and as {|+>,|->}

BB84 Quantum Key Distribution 1.Alice chooses (4+  )n random bitstrings a and b, 2.Alice encodes each bit a i as {|0>,|1>} if b i =0 and as {|+>,|->}
A Graph-based Framework for Transmission of Correlated Sources over Multiuser Channels Suhan Choi May 2006.

A Graph-based Framework for Transmission of Correlated Sources over Multiuser Channels Suhan Choi May 2006.
Lo-Chau Quantum Key Distribution 1.Alice creates 2n EPR pairs in state each in state |  00 >, and picks a random 2n bitstring b, 2.Alice randomly selects.

Lo-Chau Quantum Key Distribution 1.Alice creates 2n EPR pairs in state each in state |  00 >, and picks a random 2n bitstring b, 2.Alice randomly selects.
Linear Codes for Distributed Source Coding: Reconstruction of a Function of the Sources -D. Krithivasan and S. Sandeep Pradhan -University of Michigan,

Linear Codes for Distributed Source Coding: Reconstruction of a Function of the Sources -D. Krithivasan and S. Sandeep Pradhan -University of Michigan,
EECS 598 Fall ’01 Quantum Cryptography Presentation By George Mathew.

EECS 598 Fall ’01 Quantum Cryptography Presentation By George Mathew.
Noise, Information Theory, and Entropy

Noise, Information Theory, and Entropy

Similar presentations

Ads by Google