Information-theoretic Secrecy A Cryptographic Perspective

Transcription

1 Information-theoretic Secrecy A Cryptographic Perspective Stefano Tessaro UC Santa Barbara WCS 2017 April 30, 2017 based on joint works with M. Bellare and A. Vardy

2

3 Cryptography Computational assumptions CRYPTO, EUROCRYPT, STOC, FOCS, Informationtheoretic cryptography key-agreement, privacy amplification, multi-party protocols Information-theory & coding Physical assumptions (e.g., noise) ISIT, ITW, IEEE Trans. in IT, Physical -layer security Work continues to date

4 Parallel dimensions Curious Cryptographer Generic constructions

5 This talk in a nutshell Cryptographic view on the wiretap channel model. (Though really, this extends to information-theoretic secrecy more broadly) M. Bellare, S. Tessaro and A. Vardy. Semantic Security for the Wiretap Channel. Crypto M. Bellare, S. Tessaro and A. Vardy. A Cryptographic Treatment of the Wiretap Channel. Cryptology Eprint Archive 2012/15. M. Bellare and S. Tessaro. Polynomial-time, Semantically-Secure Encryption Achieving the Secrecy Capacity. Cryptology Eprint Archive 2012/22.

6 Physical-layer Security Very low power Very short distance e.g. credit card # Large distance Degraded signal

7 Wyner s Wiretap Channel [W75,CK78] M ENC P Y X C C 0 M 0 ChR DEC ChA noiser than ChR ChA P Z X Z(M) Message privacy Z(M) gives no information about M Correctness M = M with very high probability

8 Example Binary Symmetric Channels BSC e M ENC C C 0 M 0 BSC p DEC p < q BSC q Z(M) Other examples: BECs, Gaussian channels,

9 Rate and capacity M ENC C C 0 M 0 ChR DEC ChA Z(M) Goal: Maximize rate R = M C Capacity = best possible rate for m Asymptotic setting (parameter = message length m) ChR / ChA have finite alphabet, used c(m) times

10 Rate and capacity Cont d I(X; Y )= X x,y M PXY (x, y) P XY (x, y) log ENC CP C 0 X (x)p Y (y) M 0 ChR = H(X) H(X Y ) DEC ChA Z(M) If for all X, we have I(X;ChR(X)) I(X; ChA(X)) C = max P X [I(X;ChR(X)) I(X; ChA(X))] Issues: Existential result + weak security [W75,CK78]

11 Outline 1. Security metrics for the Wiretap Channel 2. Generic construction of capacity-achieving scheme 3. Open directions

12 Secrecy Metrics

13 Traditional secrecy notions Based on Shannon metrics and asymptotic M ENC ChA Z(M) Weak secrecy: Strong secrecy: M m lim m!1 = uniform m-bit message I(M m ; Z(M m )) m =0 lim I(M m; Z(M m )) = 0 m!1 weak notion 1/m vs 2 -m ENC works on arbitrary-length message

14 How secure is a scheme? Many cryptographers have a quantitative approach to security. ENC Next: Which quantity is most suitable? Advantage in R Example: Adv mis-r (ENC; ChA) = I(M; Z(M)) From now on: One-shot Could Later: depend What on a security about parameter M being (e.g., message length), security means adv small as a function of sec parameter. uniform?

15 Statistical distance Definition. The statistical distance of X and Y is SD(X, Y )= 1 2 X P X (x) P Y (y) = 1 2 kp X P Y k 1 x X Y D D 0/1 0/1 distinguishing advantage SD(X, Y ) = max D Pr[D(X) = 1] Pr[D(Y ) = 1]

16 RDS security M KL(XkY )= X x ENC P X (x) log ChA PX (x) P Y (x) Z(M) M M 0 ENC ChA Z(M 0 ) Adv rds (ENC; ChA) = SD((M,Z(M)); (M,Z(M 0 ))) Adv mis-r (ENC; ChA) = KL((M,Z(M))k(M,Z(M 0 )))

17 Example Guessing p g =Pr[ f M = M] ENC ChA Z(M) fm M Adv rds (ENC; ChA) apple p g p 0 g apple p g apple m M 0 ENC ChA Z(M 0 ) f M M p 0 g =Pr[ f M = M] = 1 2 m

18 Semantic security First contact For any f, guessing f(m) from Z(M) is not (substantially) easier than without knowing Z(M)! Examples of f: Identity First, last bit of the message Subset of message bits

19 What about MIS-R security? H(M Z(M)) apple h(p e )+P e log(2 m 1) ENC ChA Z(M) fm M I(M; Z(M)) apple p g =Pr[ f M = M] Hard to estimate Fano inequality gives p g apple 1+ m (Better estimates possible, but hard to work with)

20 Relations [BTV12] Pinsker s inequality Theorem. Adv rds (ENC; ChA) apple q Adv mis-r (ENC; ChA) Caveat: Generally not tight! Exponents matter Theorem. For = Adv rds (ENC; ChA) Adv mis-r (ENC; ChA) apple 2 log 2 c Tight

21 Proof of 2 nd Thm First, show that for any c-bit X, Y with SD e, Then, note Let Easy to see: H(X) Then, by concavity, I(M; Z(M)) apple 2 2 m X H(Y ) apple 2 log(2 c / ) I(M; Z(M)) = 1 X 2 m (H(Z(M)) m2{0,1} m m = SD(Z(M),Z(m)) = 1 X 2 m m m m H(Z(m))) m log(2 c / m ) apple 2 log(2 c / )

22 Lessons learnt The above only advocates SD-based metrics as a target MIS security is asymptotically a good privacy metric, but substantial quantitative losses possible Note: Sometimes Shannon entropy / KL divergence are valuable tools (even when stating end results in terms of SD) e.g. KL(X 4 X 5 Y 4 Y 5 = KL(X 4 Y 4 + KL(X 5 Y 5 )

23 Random plaintext distribution Adv rds (ENC; ChA) = SD((M,Z(M)); (M,Z(M 0 ))) Adv mis-r (ENC; ChA) = I(M; Z(M)) random and uniform Common argument: If data isn t uniform, then just run a compression algorithm to reduce it to a random string with length equal to its entropy! Not true Data may not have entropy to start with! Universal compression not possible Goldwasser-Micali, 1982 Security must hold for all distributions of the plaintext

24 Issues with RDS security Enc 0 (M) = 8 < : Enc(M) M 6= 0 m, 1 m 0 n M =0 m 1 n M =1 m Enc RDS secure Enc RDS secure What if we only ever encrypt 0 m and 1 m?

25 Distinguishing and Semantic security Adv ds (ENC; ChA) = max M 0,M 1 SD(Z(M 0 ); Z(M 1 )) Equivalent to semantic security: f, distributions P M : Computing f(m) given Z(M) is not easier than computing f(m) without Z(M), where M P M Adv ss (Enc; ChA) = max 2 H 1(f(M) Z(M)) f,p M 2 H 1(f(M)) Theorem. Adv ss (Enc; ChA) apple Adv ds (Enc; ChA) apple 2 Adv ss (Enc; ChA)

26 MIS security Adv mis (ENC; ChA) = max P M I(M; Z(M)) Theorem. Adv ds (ENC; ChA) apple q Adv mis (ENC; ChA) Theorem. For = Adv ds (ENC; ChA) Adv mis (ENC; ChA) apple 2 log 2 c

27 From RDS to DS security Key agreement K ENC random session key ChR ChA DEC Z(K) K One-time pad M K ECC ChR ECC-DEC M good code for ChR ChA Z(M K) K Problem: Worse rate than in the RDS case!

28 Constructions

29 Next A construction Generic construction: Analysis does not depend on details of underlying ECC (unlike e.g. [MV10]) Admits poly-time encryption and decryption Achieves SS/DS security Achieves capacity in interesting scenarios Generalizes previous constructions (with no proofs of DS security) [W75,HM10] First semantically-secure capacity-achieving construction with efficient polytime encryption + decryption

30 Seeded encryption SeedGen S M ENC C C 0 M 0 ChR DEC ChA Z(M) public Seed can be recycled, and sent as part of the ciphertext

31 Seeded-encryption scheme ENC S (M) k bits m bits M k m bits Abstraction: Inverting randomness extractor on seed S and output M S GF(2 k ) multiplication Public seed X E Poly-time + injective + linear C n bits

32 Conditional min-entropy M h i H E Z = x Z 1 (X Z) = log X! max Pr[X = x ^ Z = z] xx z S 0 X E Example: ChA = BSC q n H 1 (X Z) k n 1 log 1 1 q C ChA Z

33 Smooth min-entropy [RW04] H 1(X Z) = sup H 1 (X Z) X 0 Z 0 :SD(X 0 Z 0 ;XZ)apple X E Example: ChA = BSC q n H 1(X Z) k n (1 h(q)+o(1)) C ChA =2 O(p n) Z Note: 1 h(q) apple 1 log(1/(1 q))

34 Smooth min-entropy cont d C nq + o(1)

35 Seeded Encryption Security Theorem. [BT12,BTV12] If ChA symmetric, and H e (X Z) m + 2log(1/e) then Adv ds (ENC; ChA) = O( ). For ChA = BSC qn, ChR = BSC pn. Best possible k to allow for decryption over ChR : For some =2 O(p n) k =(1 h(p) o(1))n H 1(X Z) n(h(q) h(p) o(1)) Largest possible message size m =(h(q) h(p) o(1))n optimal rate!

36 Proof Two steps 1. Prove RDS security SD((Z(M),S,M); (Z(M),S,M 0 )) apple O( ) 2. From RDS to DS security

37 Proof RDS Security M M M S -1 0 S -1 0 X X S 0 E S 0 E C C ChA ChA H 1(X Z) Z m + 2 log 1 By the Leftover Hash Lemma [BBR88,ILL89,BBCM95] Z

38 From RDS to DS security In general: Random-message security does not imply DS security. Lemma. If ChA is symmetric, then ENC is DS secure. Proof idea: M Z S (M) is symmetric Z S (M 0 ) Δ S, M: SD(Z S (M); Z S ($)) apple Z S ($) Z S (M) Z S (M 00 )

39 Extensions Above only achieves capacity for limited channels: ChA($) = $ Extension to arbitrary symmetric channels [TV13] Alternative: Better estimates of Smooth-minentropy? [C15] New soft-covering lemma used to obtain existential proof that rate is achievable in the semantic-security regime!

40 Conclusions and Open questions

41 Open questions A crypto wish list Concrete parameters. Given ChA, ChR, message length m, and security level e, find Enc with smallest possible ciphertext length n such that Adv ds (Enc; ChA) apple Cryptanalysis. Do physical assumptions really hold?

42 Thank you! Merci!