Common Randomness Principles of Secrecy

Transcription

1 Common Randomness Principles of Secrecy Himanshu Tyagi Department of Electrical and Computer Engineering and Institute of Systems Research

2 1 Correlated Data, Distributed in Space and Time Sensor Networks Cloud Computing Biometric Security Hardware Security

3 2 Secure Processing of Distributed Data Three classes of problems are studied: 1. Secure Function Computation with Trusted Parties 2. Communication Requirements for Secret Key Generation 3. Querying Eavesdropper

4 Secure Processing of Distributed Data Three classes of problems are studied: 1. Secure Function Computation with Trusted Parties 2. Communication Requirements for Secret Key Generation 3. Querying Eavesdropper Our Approach Identify the underlying common randomness Decompose common randomness into independent components 2

5 3 Outline 1. Basic Concepts 2. Secure Computation 3. Minimal Communication for Optimum Rate Secret Keys 4. Querying Common Randomness 5. Principles of Secrecy Generation

6 4 Basic Concepts Multiterminal Source Model Interactive Communication Protocol Common Randomness Secret Key

7 5 Multiterminal Source Model X n 1 X n 2 X n m Assumption on the data Xi n = (X i1,...,x in ) - Data observed at time instance t: X Mt = (X 1t,...,X mt ) - Probability distribution of X 1,...,X m is known. Observations are i.i.d. across time: - X M1,...,X Mn are i.i.d. rvs. Observations are finite-valued.

8 Interactive Communication Protocol COMMUNICATION NETWORK F 11 X n 1 X n 2 X n m Assumptions on the protocol Each terminal has access to all the communication. Multiple rounds of interactive communication are allowed. Communication from terminal 1: F 11 = f 11 (X1) n 6

9 Interactive Communication Protocol COMMUNICATION NETWORK F 11 F 21 X n 1 X n 2 X n m Assumptions on the protocol Each terminal has access to all the communication. Multiple rounds of interactive communication are allowed. Communication from terminal 2: F 21 = f 21 (X2,F n 11 ) 6

10 Interactive Communication Protocol COMMUNICATION NETWORK F 1 F 2 F m X n 1 X n 2 X n m Assumptions on the protocol Each terminal has access to all the communication. Multiple rounds of interactive communication are allowed. r rounds of interactive communication: F = F 1,...,F m 6

11 Common Randomness COMMUNICATION NETWORK A F X n 1 X n 2 X n m L 1 L 2 Definition. L is an ǫ-common randomness for A from F if P(L = L i (Xi n,f), i A) 1 ǫ Ahlswede-Csiszár 93 and 98. 7

12 Secret Key COMMUNICATION NETWORK A F X n 1 X n 2 X n m K K Definition. An rv K K is an ǫ-secret key for A from F if 1. Recoverability: K is an ǫ-cr for A from F 2. Security: K is concealed from an observer of F Maurer 93 Ahlswede-Csiszár 93 Csiszár-Narayan 04. 8

13 Secret Key COMMUNICATION NETWORK A F X n 1 X n 2 X n m K K Definition. An rv K K is an ǫ-secret key for A from F if 1. Recoverability: K is an ǫ-cr for A from F 2. Security: K is concealed from an observer of F P KF U K P F Maurer 93 Ahlswede-Csiszár 93 Csiszár-Narayan 04. 8

14 Notions of Security Kullback-Leibler Divergence s in (K,F) = D(P KF U K P F ) = log K H(K)+I(K F) 0 Variational Distance s var (K,F) = P KF U K P F 1 0 Weak s weak (K,F) = 1 n s in(k,f) 0 9

15 Notions of Security Kullback-Leibler Divergence s in (K,F) = D(P KF U K P F ) = log K H(K)+I(K F) 0 Variational Distance s var (K,F) = P KF U K P F 1 0 Weak s weak (K,F) = 1 n s in(k,f) 0 2s var (K,F) 2 s in (K,F) s var (K,F)log K s var(k,f) 9

16 10 Secret Key Capacity Definition. An rv K K is an ǫ-secret key for A from F if 1. Recoverability: K is an ǫ-cr for A from F 2. Security: s(k,f) 0 as n

17 10 Secret Key Capacity Definition. An rv K K is an ǫ-secret key for A from F if 1. Recoverability: K is an ǫ-cr for A from F 2. Security: s(k,f) 0 as n Rate of K 1 n log K

18 10 Secret Key Capacity Definition. An rv K K is an ǫ-secret key for A from F if 1. Recoverability: K is an ǫ-cr for A from F 2. Security: s(k,f) 0 as n Rate of K 1 n log K ǫ-sk capacity C(ǫ) = supremum over the rates of ǫ-sks SK capacity C = inf 0<ǫ<1 C(ǫ)

19 Secret Key Capacity Theorem (Csiszár-Narayan 04) The SK capacity is given by C = H(X M ) R CO, where m R CO = min R i, such that i B R i H(X B X B c), for all A B M. i=1 11

20 Secret Key Capacity R CO min. rate of communication for omniscience" for A Theorem (Csiszár-Narayan 04) The SK capacity is given by C = H(X M ) R CO, where m R CO = min R i, such that i B R i H(X B X B c), for all A B M. i=1 11

21 Secret Key Capacity R CO min. rate of communication for omniscience" for A Theorem (Csiszár-Narayan 04) The SK capacity is given by C = H(X M ) R CO, where m R CO = min R i, such that i B R i H(X B X B c), for all A B M. i=1 (Maurer 93, Ahlswede-Csiszár 93) For m = 2: C = I(X 1 X 2 ) 11

22 Secure Computation

23 Computing Functions of Distributed Data COMMUNICATION NETWORK F X n 1 X n 2 X n m g 1 g 2 g m Function computed at terminal i: g i (x 1,...,x m ) - Denote the random value of g i (x 1,...,x m ) by G i 13

24 Computing Functions of Distributed Data COMMUNICATION NETWORK F X n 1 X n 2 X n m g 1 g 2 g m Function computed at terminal i: g i (x 1,...,x m ) - Denote the random value of g i (x 1,...,x m ) by G i ( ) P G n i = Ĝ(n) i (Xi n,f), for all 1 i m 1 ǫ 13

25 Secure Function Computation COMMUNICATION NETWORK I(G n 0 F) 0 F X n 1 X n 2 X n m g 1 g 2 g m Value of private function g 0 must not be revealed Definition. Functions g 0,g 1,...,g m are securely computable if ( ) 1. Recoverability: P G n i = Ĝ(n) i (Xi n,f), i M 1 2. Security: I(G n 0 F) 0 14

26 Secure Function Computation When are functions g 0,g 1,...,g m securely computable? COMMUNICATION NETWORK I(G n 0 F) 0 F X n 1 X n 2 X n m g 1 g 2 g m Value of private function g 0 must not be revealed Definition. Functions g 0,g 1,...,g m are securely computable if ( ) 1. Recoverability: P G n i = Ĝ(n) i (Xi n,f), i M 1 2. Security: I(G n 0 F) 0 14

27 Secure Function Computation When is a function g securely computable? COMMUNICATION NETWORK I(G n F) 0 F X n 1 X n 2 X n m g g g Value of Private function g 0 = g Definition. Function g is securely computable if ( ) 1. Recoverability: P G n = Ĝ(n) i (Xi n,f), i M 1 2. Security: I(G n F) 0 15

28 16 A Necessary Condition If g is securely computable, then it constitutes an SK for M. Therefore, rate of G SK Capacity, i.e., H(G) C.

29 When is g securely computable? Theorem If g is securely computable, then H(G) C. Conversely, g is securely computable if H(G) < C. For a securely computable function g: Omniscience can be obtained using F G n. Noninteractive communication suffices. Randomization is not needed. 17

30 Example: Secure Computation using Secret Keys X 1 B 1 K K B 2 X 2 H(K) = 1 Secret Key K g(x 1,X 2 ) = B 1 B 2 18

31 18 Example: Secure Computation using Secret Keys B 1 X 1 B 1 K K B 2 X 2 H(K) = 1 Secret Key K g(x 1,X 2 ) = B 1 B 2

32 18 Example: Secure Computation using Secret Keys B 1 X 1 B 1 K K B 2 X 2 K B 1 B 2 H(K) = 1 Secret Key K g(x 1,X 2 ) = B 1 B 2

33 18 Example: Secure Computation using Secret Keys Do fewer than n bits suffice? B B 1n K 1... K n K 1... K n B B 2n Secret Key K g(x n 1,X n 2) = B 11 B 21,...,B 1n B 2n

34 18 Example: Secure Computation using Secret Keys Do fewer than n bits suffice? B B 1n K 1... K n K 1... K n B B 2n Secret Key K g(x n 1,X n 2) = B 11 B 21,...,B 1n B 2n If parity is securely computable: 1 = H(G) C = H(K)

35 Characterization of Secure Computability Theorem The functions g 0,g 1,...,g m are secure computable if (>) and only if ( ) H(X M G 0 ) R. R : minimum rate of F such that F F X n i X n i G n 0 G n i X n M Omniscience A data compression problem with no secrecy 19

36 20 Example: Functions of Binary Sources X 1 0 Pr(X 1 = 1) = δ δ δ 1 δ X 2 0 Pr(X 1 X 2 ) = δ 1 1 h(δ) δ = 0.5 δ Functions are securely computable iff(!) h(δ) τ g 0 g 1 g 2 τ X 1 X 2 X 1 X 2 φ 1 X 1 X 2 X 1 X 2 X 1.X 2 2/3 X 1 X 2 X 1 X 2 X 1 X 2 1/2 X 1 X 2, X 1.X 2 X 1 X 2, X 1.X 2 X 1.X 2 2δ/3

37 20 Example: Functions of Binary Sources X 1 0 Pr(X 1 = 1) = δ δ δ 1 δ X 2 0 Pr(X 1 X 2 ) = δ 1 1 h(δ) δ = 0.5 δ Functions are securely computable iff(!) h(δ) τ g 0 g 1 g 2 τ X 1 X 2 X 1 X 2 φ 1 X 1 X 2 X 1 X 2 X 1.X 2 2/3 X 1 X 2 X 1 X 2 X 1 X 2 1/2 X 1 X 2, X 1.X 2 X 1 X 2, X 1.X 2 X 1.X 2 2δ/3

38 Example: Functions of Binary Sources X 1 0 Pr(X 1 = 1) = δ δ δ 1 δ X 2 0 Pr(X 1 X 2 ) = δ 1 1 h(δ) δ = 0.5 δ Functions are securely computable iff(!) h(δ) τ g 0 g 1 g 2 τ X 1 X 2 X 1 X 2 φ 1 X 1 X 2 X 1 X 2 X 1.X 2 2/3 X 1 X 2 X 1 X 2 X 1 X 2 1/2 X 1 X 2, X 1.X 2 X 1 X 2, X 1.X 2 X 1.X 2 2δ/3 20

39 Computing the Private Function H(X M G 0 ) R Suppose g i = g 0 F R : minimum rate of F such that F F X n i X n i G n 0 X n i G n 0 X n M Omniscience 21

40 21 Computing the Private Function H(X M G 0 ) R Suppose g i = g 0 R : minimum rate of F such that F F If g 0 is securely computable at a terminal then the entire F data can be recovered securely at that terminal X n i X n i G n 0 X n i G n 0 X n M Omniscience

41 Minimal Communication for an Optimum Rate Secret Key

42 Secret Key Generation for Two Terminals COMMUNICATION NETWORK F X n 1 X n 2 K K Weak secrecy criterion: 1 n s in(k,f) 0. Secret key capacity C = I(X 1 X 2 ) Maurer 93 Ahlswede-Csiszár 93 23

43 Common Randomness for SK Capacity What is the form of CR that yields an optimum rate SK? Maurer-Ahlswede-Csiszár Common randomness generated X1 n or X2 n Rate of communication required min{h(x 1 X 2 ),H(X 2 X 1 )} Decomposition H(X 1 ) = H(X 1 X 2 )+I(X 1 X 2 ) H(X 2 ) = H(X 2 X 1 )+I(X 1 X 2 ) 24

44 25 Digression: Secret Keys and Biometric Security Secure Server K(X 1 ) X 1 Public Server F(X 1 )

45 25 Digression: Secret Keys and Biometric Security Secure Server K(X 1 ) X 1 Public Server F(X 1 ) X 2

46 25 Digression: Secret Keys and Biometric Security Secure Server K(X 1 ) =? Public Server F(X 1 ) X 2

47 25 Digression: Secret Keys and Biometric Security Secure Server K(X 1 ) =? Public Server F(X 1 ) X 2 Similar approach can be applied for physically uncloneable functions

48 26 Common Randomness for SK Capacity What is the form of CR that yields an optimum rate SK? Maurer-Ahlswede-Csiszár Common randomness generated X n 1 or Xn 2 Rate of communication required min{h(x 1 X 2 ),H(X 2 X 1 )} Decomposition H(X 1 ) = H(X 1 X 2 )+I(X 1 X 2 ) H(X 2 ) = H(X 2 X 1 )+I(X 1 X 2 )

49 26 Common Randomness for SK Capacity What is the form of CR that yields an optimum rate SK? Maurer-Ahlswede-Csiszár Csiszár-Narayan Common randomness generated Rate of communication required X n 1 or Xn 2 (X n 1,Xn 2 ) min{h(x 1 X 2 ),H(X 2 X 1 )} H(X 1 X 2 )+H(X 2 X 1 ) Decomposition H(X 1 ) = H(X 1 X 2 )+I(X 1 X 2 ) H(X 2 ) = H(X 2 X 1 )+I(X 1 X 2 ) H(X 1,X 2 ) = H(X 1 X 2 )+H(X 2 X 1 )+I(X 1 X 2 )

50 27 Characterization of CR for Optimum Rate SK Theorem A CR J recoverable from F yields an optimum rate SK iff 1 n I(Xn 1 Xn 2 J,F) 0. Examples: X n 1 or X n 2 or (X n 1,X n 2)

51 28 Interactive Common Information Interactive Common Information Let J be a CR from communication F. CI r i (X 1;X 2 ) min. rate of L = (J,F) such that 1 n I(Xn 1 Xn 2 L) 0 ( ) CI i (X 1 X 2 ) := lim r CI r i (X 1;X 2 )

52 28 Interactive Common Information Interactive Common Information Let J be a CR from communication F. CI r i (X 1;X 2 ) min. rate of L = (J,F) such that 1 n I(Xn 1 Xn 2 L) 0 ( ) CI i (X 1 X 2 ) := lim r CI r i (X 1;X 2 ) Wyner s Common Information CI(X 1 X 2 ) min. rate of L(X1 n,xn 2 ) s.t. ( ) holds

53 29 Minimum Communication for Optimum Rate SK R r SK : min. rate of an r-round communication F needed to generate an optimum rate SK Theorem The minimum rate R r SK is given by R r SK = CIr i (X 1;X 2 ) I(X 1 X 2 ). It follows upon taking the limit r that R SK = CI i (X 1 X 2 ) I(X 1 X 2 ) A single letter characterization of CI r i is available.

54 29 Minimum Communication for Optimum Rate SK R r SK : min. rate of an r-round communication F needed to generate an optimum rate SK Theorem The minimum rate R r SK is given by R r SK = CIr i (X 1;X 2 ) I(X 1 X 2 ). It follows upon taking the limit r that R SK = CI i (X 1 X 2 ) I(X 1 X 2 ) Binary symmetric rvs: CI 1 i =... = CIr i = min{h(x 1),H(X 2 )}

55 29 Minimum Communication for Optimum Rate SK R r SK : min. rate of an r-round communication F needed to generate an optimum rate SK Theorem The minimum rate R r SK is given by R r SK = CIr i (X 1;X 2 ) I(X 1 X 2 ). It follows upon taking the limit r that R SK = CI i (X 1 X 2 ) I(X 1 X 2 ) There is an example with CI 1 i > CI 2 i Interaction does help!

56 30 Common Information Quantities CI GC I(X 1 X 2 ) CI CI i min{h(x 1 ),H(X 2 )}

57 30 Common Information Quantities CI GC I(X 1 X 2 ) CI CI i min{h(x 1 ),H(X 2 )}

58 30 Common Information Quantities CI GC I(X 1 X 2 ) CI CI i min{h(x 1 ),H(X 2 )}

59 30 Common Information Quantities CI GC I(X 1 X 2 ) CI CI i min{h(x 1 ),H(X 2 )}

60 30 Common Information Quantities CI GC I(X 1 X 2 ) CI CI i min{h(x 1 ),H(X 2 )} Interactive Common Information

61 30 Common Information Quantities CI GC I(X 1 X 2 ) CI CI i min{h(x 1 ),H(X 2 )} Interactive Common Information CI i is indeed a new quantity Binary symmetric rvs: CI < min{h(x 1 ),H(X 2 )} = CI i.

62 Querying Common Randomness

63 Common Randomness COMMUNICATION NETWORK A F X n 1 X n 2 X n m L 1 L 2 Definition. L is an ǫ-common randomness for A from F if P(L = L i (Xi n,f), i A) 1 ǫ Ahlswede-Csiszár 93 and

64 33 Query Strategy V = v q(u 1 v) = 1 q(u t v) = t Is U = u 1? no Is U = u t? yes yes no u 1 u t Query strategy for U given V Massey 94, Arikan 96, Arikan-Merhav 99, Hanawal-Sundaresan 11

65 34 Query Strategy Given rvs U,V with values in the sets U,V. Definition. A query strategy q for U given V = v is a bijection q( v) : U {1,..., U }, where the querier, upon observing V = v, asks the question Is U = u?" in the q(u v) th query. q(u V): random query number for U upon observing V

66 34 Query Strategy Given rvs U,V with values in the sets U,V. Definition. A query strategy q for U given V = v is a bijection q( v) : U {1,..., U }, where the querier, upon observing V = v, asks the question Is U = u?" in the q(u v) th query. q(u V): random query number for U upon observing V {u : q(u v) < γ} < γ

67 35 Optimum Query Exponent Definition. E 0 is an ǫ-achievable query exponent if there exists ǫ-cr L n for A from F n such that sup q P ( q(l n F n ) < 2 ne) 0 as n, where the sup is over every query strategy for L n given F n.

68 35 Optimum Query Exponent Definition. E 0 is an ǫ-achievable query exponent if there exists ǫ-cr L n for A from F n such that sup q P ( q(l n F n ) < 2 ne) 0 as n, where the sup is over every query strategy for L n given F n. E (ǫ) sup{e : E is an ǫ-achievable query exponent} E inf 0<ǫ<1 E (ǫ) : optimum query exponent

69 36 Characterization of Optimum Query Exponent Theorem For 0 < ǫ < 1, the optimum query exponent E equals E = E (ǫ) = C.

70 36 Characterization of Optimum Query Exponent Theorem For 0 < ǫ < 1, the optimum query exponent E equals Proof. E = E (ǫ) = C. Achievability: E (ǫ) C(ǫ) - Easy Converse: E (ǫ) C - Main contribution

71 Characterization of Optimum Query Exponent Theorem For 0 < ǫ < 1, the optimum query exponent E equals Proof. E = E (ǫ) = C. Achievability: E (ǫ) C(ǫ) - Easy Converse: E (ǫ) C - Main contribution Theorem (Strong converse for SK capacity) For 0 < ǫ < 1, the ǫ-sk capacity is given by C(ǫ) = E = C. 36

72 37 A Single-Shot Converse For rvs Y 1,...,Y k, let L be an ǫ-cr for {1,...,k} from F. Theorem Let θ be such that ({ P (y 1,...,y k ) : P Y 1,...,Y k (y 1,...,y k ) k i=1 P Y i (y i ) θ }) 1. Then, there exists a query strategy q 0 for L given F such that ( ) P q 0 (L F) θ 1 k 1 (1 ǫ) 2 > 0.

73 38 Small Cardinality Sets with Large Probabilities Rényi entropy of order α of a probability measure µ on U: H α (µ) 1 1 α log µ(u) α, 0 α 1 u U Lemma. There exists a set U δ U with µ(u δ ) 1 δ s.t. U δ exp(h α (µ)), 0 α < 1.

74 38 Small Cardinality Sets with Large Probabilities Rényi entropy of order α of a probability measure µ on U: H α (µ) 1 1 α log µ(u) α, 0 α 1 u U Lemma. There exists a set U δ U with µ(u δ ) 1 δ s.t. U δ exp(h α (µ)), 0 α < 1. Conversely, for any set U δ U with µ(u δ ) 1 δ, U δ exp(h α (µ)), α > 1.

75 Small Cardinality Sets with Large Probabilities Rényi entropy of order α of a probability measure µ on U: H α (µ) 1 1 α log µ(u) α, 0 α 1 u U Lemma. There exists a set U δ U with µ(u δ ) 1 δ s.t. U δ exp(h α (µ)), 0 α < 1. Conversely, for any set U δ U with µ(u δ ) 1 δ, H α (P) log X U δ exp(h α (µ)), α > 1. H(X) 1 α 38

76 In Closing...

77 Our Approach Identify the underlying common randomness Decompose common randomness into independent components 40

78 Our Approach Identify the underlying common randomness Decompose common randomness into independent components Secure Computing Common Randomness Omniscience with side information g 0 for decoding Decomposition The private function, the communication and the residual randomness 40

79 Our Approach Identify the underlying common randomness Decompose common randomness into independent components Two Terminal Secret Key Generation Common Randomness Renders the observations conditionally independent Decomposition The secret key and the communication 40

80 Our Approach Identify the underlying common randomness Decompose common randomness into independent components Querying Eavesdropper Requiring the number of queries to be as large as possible is tantamount to decomposition into independent parts 40

81 41 ÈÖ Ò ÔÐ Ó Ë Ö Ý Ò Ö Ø ÓÒ Computing the private function g 0 at a terminal is as difficult as securely recovering the entire data at that terminal. A CR yields an optimum rate SK iff it renders the observations of the two terminals (almost) conditionally independent. Almost independence secrecy criterion is equivalent to imposing a lower bound on the complexity of a querier of the secret.

82 Supplementary Slides

83 Sufficiency Share all data to compute g: Omniscience X n M Can we attain omniscience using F G n? Entropy of G Total randomness: H(X M ) Communication required to share the randomness: R CO Claim: Omniscience can be attained using F G n if: H(G) < H(X M ) R CO. 43

84 Random Mappings For Omniscience COMMUNICATION NETWORK F X n 1 X n 2 X n m ˆX (n) M ˆX (n) M ˆX (n) M F i = F i (Xi n): random mapping of rate R i. With large probability, F 1,...,F m result in omniscience if: R i H(X B X B c), B M. i B R CO = min i M R i. Csiszár-Körner 80 Han-Kobayashi 80 Csiszár-Narayan 04 44

85 Independence Properties of Random Mappings P be a family of N pmfs on X s.t. P ({x X : P(x) > 12 }) ǫ, P P. d Balanced Coloring Lemma: Probability that a random mapping F : X {1,...,2 r } fails to satisfy for some P P 2 r P(F(X) = i) 1 3ǫ. 2 r i=1 is less than exp { r +log(2n) (ǫ 2 /3)2 (d r)}. Ahlswede-Csiszár 93 and 98 45

86 Independence Properties of Random Mappings P be a family of N pmfs on X s.t. P ({x X : P(x) > 12 }) ǫ, P P. d Balanced Coloring Lemma: Probability that a random mapping F : X {1,...,2 r } fails to satisfy for some P P 2 r P(F(X) = i) 1 3ǫ. 2 r i=1 is less than exp { r +log(2n) (ǫ 2 /3)2 (d r)}. Generalized Privacy Amplification Ahlswede-Csiszár 93 and 98 Bennett-Brassard-Crépeau-Maurer 95 45

87 Sufficiency of H(G) < H(X M ) R CO Consider random mappings F i = F i (Xi n ) of rates R i such that R i H (X B X B c), B M. i B F results in omniscience at all the terminals. F is approximately independent of G n. 46

88 Sufficiency of H(G) < H(X M ) R CO Consider random mappings F i = F i (Xi n ) of rates R i such that R i H (X B X B c), B M. i B F results in omniscience at all the terminals. F is approximately independent of G n. Note: I(F 1,...,F m G n ) m i=1 I(F i G n,f M\i ) 46

89 Sufficiency of H(G) < H(X M ) R CO Consider random mappings F i = F i (Xi n ) of rates R i such that R i H (X B X B c), B M. i B F results in omniscience at all the terminals. F is approximately independent of G n. Note: I(F 1,...,F m G n ) m i=1 I(F i G n,f M\i ) Show I(F i G n,f M\i ) 0 with probability close to 1 - using an extension of the BC Lemma [Lemma 2.7] 46