Channel Coding for Secure Transmissions

Size: px

Start display at page:

Download "Channel Coding for Secure Transmissions"

Beverly Golden
6 years ago
Views:

1 Channel Coding for Secure Transmissions March 27, / 51

2 McEliece Cryptosystem Coding Approach: Noiseless Main Channel Coding Approach: Noisy Main Channel 2 / 51

3 Outline We present an overiew of linear block codes that can be used for secure transmissions. A cryptographic algorithm based on linear block codes is presented for computational security. For perfect secrecy, we also show that linear block codes can be used. Information-theortic approaches are used to show perfect secrecy. 3 / 51

4 For convenience, we only consider binary codes. Channel codes are to provide protection of message sequences against channel errors. Denote by m {0, 1} k a message sequence. Denote by c {0, 1} n a codeword. We assume that n > k and encoding is to find c for a given m. Code rate r = k n. A code is assumed to be a set of codewords: C = {c 1,..., c 2 k}. 4 / 51

5 Examples k = 2 and n = 3 Input Output (n = 3) A very simple block code is the repetition code. For (n, k) = (3, 1), 0 bit becomes 000 and 1 becomes 111. If one bit error happens, it can be corrected: / 51

6 There are some requirements to be good block codes: Good error detection and correction performance Computationally efficient encoding and decoding rules In order to find good block codes, some mathematical approaches are used (algebraic codes). Linear codes are easy to build and analyze. Thus, we focus on linear binary block codes. 6 / 51

7 Modulo-2 operations: Addition 0 0 = = = = 0. Multiplication Inverse ac = { c, if a = 1 0, if a = 0 a = a 7 / 51

8 A linear code A (n, k) linear block code consists of 2 k codewords of n tuples: C = {c 1, c 2,..., c 2 k}, c i = [c i,1 c i,2 c i,n ]. Every linear combination of codewords yields another codeword. A linear block code must include the codeword 0 because c i + c i = 0. Due to the linear property, we can see that c i Span(c 1, c 2,..., c 2 k). 8 / 51

9 With a linear code, any codeword is given by c i = k g p b i,p, p=1 where g p are some binary row vectors of n-tuple and b i,p {0, 1}. Let G = g 1 g 2. g k, which is called the generator matrix (of size k n). 9 / 51

10 An analogy Consider a vector x = [x 1 x 2 x 3 ] in a 3-dimensional space. A set of vectors can be defined as X = {x = [x 1 x 2 0] x 1, x 2 R}. Clearly, any linear combination of vectors in X becomes a vector of X. That is, if x 1, x 2 X, then c 1 x 1 + c 2 x 2 X. Any vector in X can be also written as x = [1 0 0]x [ 1 + [0 1 0]x ] = [x 1 x 2 ] = bg. 10 / 51

11 Encoding using Generator matrix Any linear code can be characterized by a generator matrix, G, which is k n binary matrix. Encoding is the following matrix-vector multiplication: c = mg, where m is a 1 k message vector and c is its codeword. Example: G = [ ] Input vector Coded vector / 51

12 If G has the following form G = [I k k P k (n k) ], the linear block code is called systematic. If G is systematic, the message vector is a subvector of its codeword. 12 / 51

13 Error detection and correction Define the (n k) n parity-check matrix as H = [ P T I (n k) (n k) ] = [P T I (n k) (n k) ]. It can be shown that GH T = [I P] [ P I ] = P + P = 0. If c is a codeword, we can show that ch T = bgh T = / 51

14 Example: For the generator matrix, [ G = the parity-check matrix is H = ],. 14 / 51

15 Error detection Suppose that the received signal vector is where e is the error vector. r = c e, Then, we have the 1 (n k) syndrome s as s = rh T = (c e)h T = ch }{{} T eh T =0 = eh T (Syndrome test). Detection based on syndrome test (Error Detection) We assume that there is no error if s = 0. Otherwise, there are errors. Note that there are cases that even though s = 0, e 0 (errors are not detected in this case). 15 / 51

16 Error correction For the error correction, we need to have the 2 (n k) 2 k standard array format: Coset leaders Syndroms u 1 (+0) u 2 (+0) u 2 k(+0) s 1 = 0 e 2 u 2 + e 2 u 2 k + e 2 s 2 = e 2 H T..... e 2 (n k) u 2 + e 2 (n k) u 2 k + e 2 (n k) s 2 (n k) In this array, all the possible combinations of n-tuple binary vectors are listed. The vectors in the same row have the same syndrome. 16 / 51

17 Procedure: 1. Calculate the syndrome of the received vector, r, and find the corresponding row in the array. 2. Locate the coset leader (error pattern) ê corresponding to the syndrome rh T. 3. Provide the corrected coded block as u = r ê = (c e) e = c, if ê = e 17 / 51

18 Example: (6, 3) block code Let us consider the following generator matrix: G = Then, we can construct a standard array format as follows: The coset leaders are chosen under the minimum weight criterion. Here, the weight means the number of 1 s. This criterion is vital to minimize the BER. 18 / 51

19 Hamming distance and error correction Consider two codewords. c i = [01011] c j = [10101], The Hamming distance between the two codewords, which is denoted by d H (c i, c j ), is the number of different bits, 4. The Hamming weight of a codeword is the number of 1 s. For c i, the Hamming weight is 3 and the Hamming weight is denoted by w(c i ). 19 / 51

20 A key result: d H (c i, c j ) = w(c i c j ) The performance of error correction is decided by the minimum Hamming distance of the code which is defined as It can also be shown that d min = min i j d H(c i, c j ), c i, c j C. d min = min c i 0 w(c i), c i C. Remarks: If dmin = 3, we can correct up to 1 bit error. If dmin = 11, we can correct up to 5 bit errors. The number of bit errors that can be corrected is t = d min / 51

21 Error detection Consider a simplified channel including transmitter and Due to the receiver, noise, which there can are be errors characterized and the by error a single probability parameter is p. p, An sim example to called see the thiscrossover channelprobability: is the following binary symmetric the binarychannel symmetric chan (BSC): (BSC): 1 p 0 0 p 1 p 1 p 1 In this case, Forwe binary haveask, we have ( {) ( ) 1 p, if y = x f Y X (y, x) = a 2Eb p = Q p, = Q if y x σ w N 0 Note that f X (x) isnotgivenyet. 21 / 51

22 Through the BSC, the received coded signal can have error. r = c i + e, where e is the error vector which will be zero vector if there is no error. With r, we can consider some cases: no error: e = 0 and its corresponding probability is (1 p) n. undetected error: r = c j, where c j c i. For this, there should be more than d min bit errors. That is, the undetected error probability is ( n P ud d min ) ( p d min (1 p) n d min n d min ) p d min when p 1. errors not corrected: 22 / 51

23 Consider the probability that errors cannot be corrected. If there are more than t errors, the codeword cannot be recovered and its probability becomes P uc n j=t+1 ( n j ( n t + 1 ) p j (1 p) n j ) p t+1, p 1. In most cases, a codeword can be incorrectly corrected to be a neighborhood which has 2t + 1 bits difference. 23 / 51

24 Hence, among n bits, there are 2t + 1 different bits. It gives an approximate bit error probability as Pe coded 2t + 1 ( ) n p t+1 n t + 1 (n 1)! = (2t + 1) (t + 1)!(n t 1)! pt+1 24 / 51

25 Perfect code If d min is odd, then any errors with the Hamming weight w(e) t = d min 1 2 can be corrected. For even d min, we have w(e) t = d min 2. 2 There are 2 k codewords, c i, and the number of possible received signals, r, is 2 n in n-dimensional space. If any r lies within a Hamming distance t = d min 1 2 from one of the codewords, the code is called perfect. 25 / 51

26 In this case, the spheres of center c i and radius t should cover the full n-dimension. Since t = d min 1 2, the spheres are not overlapped. d min should be odd in a perfect code There are t ( ) n i i=0 received vectors belong to the sphere of center c i Since there are 2 k codewords, 2 n = 2 k in a perfect code. t i=0 ( ) n or i t i=0 ( ) n = 2 n k i 26 / 51

27 In any code, we have ( t n i=0 i Hamming bound. ) 2 n k, which is called Hamming codes: Let t = 1 (single error correction). Then, we have 1 + n 2 n k Hamming codes are single error correcting perfect codes (i.e., 2 n k = 1 + n). n k = 2 (3, 1) n k = 3 (7, 4) n k = 4 (15, 11) n k = 5 (31, 26) 27 / 51

28 Maximum likelihood decoding The likelihood function of the qth bit over BSC is given by { 1 p, if rq = c f(r q c q ) = q, q = 1, 2,..., n. p, if r q c q, For independent errors, the likelihood function of c becomes n f(r c) = f(r q c q ) = p dh(r,c) (1 p) n dh(r,c). q=1 Using the Hamming distance between r and c, it can be shown that the log-likelihood function is given by or log f(r c) = d H (r, c) log p + (n d H (r, c)) log(1 p). p log f(r c) = d H (r, c) log +Const. 1 p }{{} <1 28 / 51

29 The ML decoding is to find the codeword of the minimum distance from r as follows: ĉ = arg max f(r c) c C = arg max log f(r c) c C = arg max c C d H(r, c) log = arg min c C d H(r, c) p 1 p An exhaustive search requires a complexity of 2 k. 29 / 51

30 Error probability of ML decoding Error correction can be done up to t bits. Decoding errors happen if there are more than t errors. The probability that a j-bit error over a BSC with crossover probability p is p j (1 p) n j. The number of the error patterns with j-bit error is ( n j). Hence, the error probability of (all possible) j-bit error becomes ( ) n P j = p j (1 p) n j. j The decoding error probability is given by n n ( ) n P d = P j = p j (1 p) n j. j j=t+1 j=t+1 30 / 51

31 Information theory (revisited): Noisy channel theorem The channel capacity of BSC is C = 1 h b (p). We want to know whether we can really achieve this capacity using a block code or not. Fact: np k=0 ( ) n < 2 nhb(p), k where h b (p) = p log 2 p (1 p) log 2 (1 p) and n is sufficiently large and p < 1/2. M: the number of n-length codeword Let R: the rate We have R = k n or M = 2k = 2 nr. 31 / 51

32 In order to have a good performance, we need to have np M ( ) n 2 n. k k=0 To have a good performance: acodeword received vector BSC np We need to have np ( n M k Since M = 2 nr, we have np ( n k=0 k) < 2 n(1 R). Using Fact, it should be satisfied k=0 np k=0 ( ) n k where p is the bit error probability. Since M =2 nrt,wehave np k=0 ( n k ) 2 n, < 2 nh b(p) 2 n(1 R) R < 1 h b (p) = C ) < 2 n(1 RT ). Using Fact, it should be satisfied 32 / 51

33 McEliece Cryptosystem McEliece Cryptosystem Using the notion of channel coding, a cryptosystem can be built. An approach was proposed by McEliece in 1978 (an asymmetric cipher). This does not provide perfect secrecy, but computationally secure. Bob can choose an (n, k) linear code with generator matrix G. Bob also chooses a k k invertible matrix S and an n n permutation matrix P. Define G 1 = SGP, which is the public key (available to Alice as well as Eve). 33 / 51

34 McEliece Cryptosystem The code with G is powerful and can correct upto t errors. Alice does not know S and P, but G 1 which is the public key. At Alice: Alice encrypts the plaintext, x, to find the ciphertext as y = xg 1 + e, where e is a 1 n random binary vector of weight t. 34 / 51

35 McEliece Cryptosystem At Bob: Compute yp 1 = (xsgp + e)p 1 = xsg + ep 1 Since P is a permutation matrix, its inverse is also a permutation matrix and ep 1 is a 1 n vector of weight t. Let z = xs. Perform decoding to estimate z as Decoding(yP 1 ) = z x = zs 1 (= xss 1 ) Note that the decoding is successful as the code is powerful to correct upto t errors. 35 / 51

36 McEliece Cryptosystem At Eve: y and G 1 are given. For any possible ê of weight t, Alice attempts to solve y = xg 1 + ê There are ( n t) ê s of weight t. For example, if n = 1024 and t = 50, we have ( ) ( ) n 1024 = t 50 Eve s attack with known ciphertext, y, becomes computationally infeasible. 36 / 51

37 Coding Approach: Noiseless Main Channel Coding Approach: Noiseless Main Channel We consider a simple example under the following setting: X(Alice) Y (Bob) Z(Eve), where X = Y (noise free) and the channel from Bob (or Alice) to Eve is a BEC: Here, ɛ is the erasure probability. 37 / 51

38 Coding Approach: Noiseless Main Channel Message M {0, 1} Random coding: M X n = { b B0, if M = 0; b B 1, if M = 1, where B m = {b n i=1 b i = b 1 b n = m {0, 1}} Let Z n denote the received signal at Eve. Define { 0, if Z E = n does not have any erasure; 1, otherwise. 38 / 51

39 Coding Approach: Noiseless Main Channel We have H(M Z n ) = H(M Z n, E) Thus, we have = H(M Z n, E = 0) Pr(E = 0) + H(M Z n, E = 1) Pr(E = 1) = H(M Z n, E = 1)(1 (1 ɛ) n ) = H(M)(1 (1 ɛ) n ) = H(M) H(M)(1 ɛ) n lim n H(M Zn ) = H(M), which implies that the random coding can achieve perfect secrecy over Eve s BEC. In general, random coding is a key element for secure communications to exploit degraded Eve s channel. 39 / 51

40 Coding Approach: Noiseless Main Channel Suppose that Eve has a degraded channel and can only distinguish bigger blocks, while Bob can see details and distinguish all blocks. Alice randomly chooses any red block among 16 red block to send a (secret) message 00 (red for 00, blue for 01, yellow Wiretapfor Codes 11, and greed for 10), while Eve can only see a triangle. Confusion at the eavesdropper Msg 1 Msg 2 Msg 3 Msg 4 Information Theoretic Security: Fundamentals and Applications : Ashish Khisti (University of Toronto) 17 / 53 A general approach can be obtained for BSC using coset codes. 40 / 51

41 Coding Approach: Noiseless Main Channel Coset Codes for Secure Transmission over BSCs Let C M = 1 and C W < 1 (over BSC). Let H be a parity check matrix of size K N, where K < N. (Encoding) For a given message s, we choose x randomly from C(s) = {x Hx = s}. Since K < N, there are more than 1 x in C(s). That is, C(s) = 2N 2 K = 2N K. For convenience, let S K = s and X N = x. Thus, for given S K, we have H(X N S K ) = N K. 41 / 51

42 Coding Approach: Noiseless Main Channel Consider Eve s capacity: S K X N (Alice) X N (Bob) Z N (Eve) I(X N ; Z N ) C W = max P (X) N I(S K, X N ; Z N ) = I(S K ; Z N ) + I(X N ; Z N S K ) = I(X N ; Z N ) + I(S K ; Z N X N ). }{{} =0 42 / 51

43 Coding Approach: Noiseless Main Channel I(S K ; Z N ) = I(X N ; Z N ) I(X N ; Z N S K ) = NC W (H(X N S K ) H(X N Z N, S K ) = NC W H(X N S K ) + H(X N Z N, S K ) }{{} 0 = NC W (N K) + ɛ N = K N(1 C W ) + ɛ N If we have K = N(1 C W ) R = K N = 1 C W, I(S K ; Z N ) 0, N. 43 / 51

44 Coding Approach: Noiseless Main Channel Fano s inequality: H(X N Z N, S K ) = ɛ N 0, N. For given S K, there are 2 N K possible X N in C(S K ). The code rate is r = N K N = 1 R = C W. Since Eve s channel capacity is C W, Eve can decode X N from Z N when S K is available with a low error probability, p N. Due to Fano s inequality, we have H(X N Z N, S K ) h b (p N )+p N log 2 ( C(S K ) 1) 0, N. 44 / 51

45 Coding Approach: Noisy Main Channel Coding Approach: Noisy Main Channel Consider BSCs for Bob and Eve. S N X N Y N (Bob) Z N (Eve) Each channel has independent bit errors. We now assume that C M = I(X; Y ) < 1 (i.e., noisy main channel). In addition, C M > C W. Due to the noisy main channel, we also need to have a capacity achieveing 45 / 51

46 Coding Approach: Noisy Main Channel Two key ingredients Random coding (coset codes) s :M 1 (binary codeword) H :M N, (N > M) Denote by C(s) = {x Hx = s} the coset with coset leader s. We have C(s) = 2N 2 M = 2N M For a given s, random coding is to randomly choose one of the elements in C(s). Thus, Capacity achieving codes H(x s) = N M. }{{} H x = 0 if (K C M N) (N K) N 46 / 51

47 Coding Approach: Noisy Main Channel Combining the two ingredients over BSCs Code design: [ H1 H 2 ] [ 0 x = s ], { H1 : R N N H 2 : RN N For given s, Alice randomly chooses x from { C(s) = x [ ] [ H1 0 x = H 2 s Rate: H 2 x = s {0, 1} RN That is, the secrecy rate is R, while the total rate is R + R. ]} 47 / 51

48 Coding Approach: Noisy Main Channel Decoding at Bob At Bob, find ˆx from y that satisfies H 1 x = 0 (1 R < C M ) to have a negligible error prob. Then, from ˆx, ŝ becomes ŝ = H 2ˆx (R 1) to uniquely decode s Uncertainty at Eve The size of C(s): C(s) = 2 N 2 = ) N(R+R ) 2N N(R+R = 2 N(1 (R+R )) Thus, we have the following key result: H(x s) = N(1 (R+R )) = N(1 R R) = N(C M δ N R) 48 / 51

49 Coding Approach: Noisy Main Channel Using the key result, we have I(s; z) = I(x; z) I(x; z s) = I(x; z) H(x s) + H(x s, z) = NC W N(C M δ N R) + H(x s, z) = NC W N(C M δ N R) + ɛ N (Fano s inequality) = N(R (C M C W )) + Nδ N + ɛ N Thus, if R < C M C W, we have I(s; z) / 51

50 Coding Approach: Noisy Main Channel Nested codes (Thangaraj et al.) Consider a code consists of 2 NR disjoint subcodes: C = 2NR i=1 C i, where C i is the ith subcode is a capacity-achieving code over the eavesdropper s channel: 1 N I(XN ; Z N M = i) C W ɛ Suppose that all the subcodes are capacity-achieving and i is the index for secret message, M. 50 / 51

51 Coding Approach: Noisy Main Channel It can be shown that I(M; Z N ) = I(Z N ; M, X N ) I(Z N ; X N M) = I(X N ; Z N ) + I(Z N ; M X N ) I(Z N ; X N M). Since M X N Z N, we have I(Z N ; M X N ) = 0. Thus, 1 N I(M; ZN ) = 1 N I(XN ; Z N ) 1 N I(ZN ; X N M) C W (C W ɛ) = ɛ This implies that a nested code can achieve weak secrecy. 51 / 51

16.36 Communication Systems Engineering

MIT OpenCourseWare http://ocw.mit.edu 16.36 Communication Systems Engineering Spring 2009 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms. 16.36: Communication