Information-theoretic Secrecy A Cryptographic Perspective Stefano Tessaro UC Santa Barbara WCS 2017 April 30, 2017 based on joint works with M. Bellare and A. Vardy
Cryptography Computational assumptions CRYPTO, EUROCRYPT, STOC, FOCS, Informationtheoretic cryptography key-agreement, privacy amplification, multi-party protocols Information-theory & coding Physical assumptions (e.g., noise) ISIT, ITW, IEEE Trans. in IT, Physical -layer security Work continues to date
Parallel dimensions Curious Cryptographer Generic constructions
This talk in a nutshell Cryptographic view on the wiretap channel model. (Though really, this extends to information-theoretic secrecy more broadly) M. Bellare, S. Tessaro and A. Vardy. Semantic Security for the Wiretap Channel. Crypto 2012. M. Bellare, S. Tessaro and A. Vardy. A Cryptographic Treatment of the Wiretap Channel. Cryptology Eprint Archive 2012/15. M. Bellare and S. Tessaro. Polynomial-time, Semantically-Secure Encryption Achieving the Secrecy Capacity. Cryptology Eprint Archive 2012/22.
Physical-layer Security Very low power Very short distance 010110. e.g. credit card # Large distance Degraded signal
Wyner s Wiretap Channel [W75,CK78] M ENC P Y X C C 0 M 0 ChR DEC ChA noiser than ChR ChA P Z X Z(M) Message privacy Z(M) gives no information about M Correctness M = M with very high probability
Example Binary Symmetric Channels BSC e 0 1 0 1 1 1 M ENC C C 0 M 0 BSC p DEC p < q BSC q Z(M) Other examples: BECs, Gaussian channels,
Rate and capacity M ENC C C 0 M 0 ChR DEC ChA Z(M) Goal: Maximize rate R = M C Capacity = best possible rate for m Asymptotic setting (parameter = message length m) ChR / ChA have finite alphabet, used c(m) times
Rate and capacity Cont d I(X; Y )= X x,y M PXY (x, y) P XY (x, y) log ENC CP C 0 X (x)p Y (y) M 0 ChR = H(X) H(X Y ) DEC ChA Z(M) If for all X, we have I(X;ChR(X)) I(X; ChA(X)) C = max P X [I(X;ChR(X)) I(X; ChA(X))] Issues: Existential result + weak security [W75,CK78]
Outline 1. Security metrics for the Wiretap Channel 2. Generic construction of capacity-achieving scheme 3. Open directions
Secrecy Metrics
Traditional secrecy notions Based on Shannon metrics and asymptotic M ENC ChA Z(M) Weak secrecy: Strong secrecy: M m lim m!1 = uniform m-bit message I(M m ; Z(M m )) m =0 lim I(M m; Z(M m )) = 0 m!1 weak notion 1/m vs 2 -m ENC works on arbitrary-length message
How secure is a scheme? Many cryptographers have a quantitative approach to security. ENC Next: Which quantity is most suitable? Advantage in R Example: Adv mis-r (ENC; ChA) = I(M; Z(M)) From now on: One-shot Could Later: depend What on a security about parameter M being (e.g., message length), security means adv small as a function of sec parameter. uniform?
Statistical distance Definition. The statistical distance of X and Y is SD(X, Y )= 1 2 X P X (x) P Y (y) = 1 2 kp X P Y k 1 x X Y D D 0/1 0/1 distinguishing advantage SD(X, Y ) = max D Pr[D(X) = 1] Pr[D(Y ) = 1]
RDS security M KL(XkY )= X x ENC P X (x) log ChA PX (x) P Y (x) Z(M) M M 0 ENC ChA Z(M 0 ) Adv rds (ENC; ChA) = SD((M,Z(M)); (M,Z(M 0 ))) Adv mis-r (ENC; ChA) = KL((M,Z(M))k(M,Z(M 0 )))
Example Guessing p g =Pr[ f M = M] ENC ChA Z(M) fm M Adv rds (ENC; ChA) apple p g p 0 g apple p g apple + 1 2 m M 0 ENC ChA Z(M 0 ) f M M p 0 g =Pr[ f M = M] = 1 2 m
Semantic security First contact For any f, guessing f(m) from Z(M) is not (substantially) easier than without knowing Z(M)! Examples of f: Identity First, last bit of the message Subset of message bits
What about MIS-R security? H(M Z(M)) apple h(p e )+P e log(2 m 1) ENC ChA Z(M) fm M I(M; Z(M)) apple p g =Pr[ f M = M] Hard to estimate Fano inequality gives p g apple 1+ m (Better estimates possible, but hard to work with)
Relations [BTV12] Pinsker s inequality Theorem. Adv rds (ENC; ChA) apple q Adv mis-r (ENC; ChA) Caveat: Generally not tight! Exponents matter Theorem. For = Adv rds (ENC; ChA) Adv mis-r (ENC; ChA) apple 2 log 2 c Tight
Proof of 2 nd Thm First, show that for any c-bit X, Y with SD e, Then, note Let Easy to see: H(X) Then, by concavity, I(M; Z(M)) apple 2 2 m X H(Y ) apple 2 log(2 c / ) I(M; Z(M)) = 1 X 2 m (H(Z(M)) m2{0,1} m m = SD(Z(M),Z(m)) = 1 X 2 m m m m H(Z(m))) m log(2 c / m ) apple 2 log(2 c / )
Lessons learnt The above only advocates SD-based metrics as a target MIS security is asymptotically a good privacy metric, but substantial quantitative losses possible Note: Sometimes Shannon entropy / KL divergence are valuable tools (even when stating end results in terms of SD) e.g. KL(X 4 X 5 Y 4 Y 5 = KL(X 4 Y 4 + KL(X 5 Y 5 )
Random plaintext distribution Adv rds (ENC; ChA) = SD((M,Z(M)); (M,Z(M 0 ))) Adv mis-r (ENC; ChA) = I(M; Z(M)) random and uniform Common argument: If data isn t uniform, then just run a compression algorithm to reduce it to a random string with length equal to its entropy! Not true Data may not have entropy to start with! Universal compression not possible Goldwasser-Micali, 1982 Security must hold for all distributions of the plaintext
Issues with RDS security Enc 0 (M) = 8 < : Enc(M) M 6= 0 m, 1 m 0 n M =0 m 1 n M =1 m Enc RDS secure Enc RDS secure What if we only ever encrypt 0 m and 1 m?
Distinguishing and Semantic security Adv ds (ENC; ChA) = max M 0,M 1 SD(Z(M 0 ); Z(M 1 )) Equivalent to semantic security: f, distributions P M : Computing f(m) given Z(M) is not easier than computing f(m) without Z(M), where M P M Adv ss (Enc; ChA) = max 2 H 1(f(M) Z(M)) f,p M 2 H 1(f(M)) Theorem. Adv ss (Enc; ChA) apple Adv ds (Enc; ChA) apple 2 Adv ss (Enc; ChA)
MIS security Adv mis (ENC; ChA) = max P M I(M; Z(M)) Theorem. Adv ds (ENC; ChA) apple q Adv mis (ENC; ChA) Theorem. For = Adv ds (ENC; ChA) Adv mis (ENC; ChA) apple 2 log 2 c
From RDS to DS security Key agreement K ENC random session key ChR ChA DEC Z(K) K One-time pad M K ECC ChR ECC-DEC M good code for ChR ChA Z(M K) K Problem: Worse rate than in the RDS case!
Constructions
Next A construction Generic construction: Analysis does not depend on details of underlying ECC (unlike e.g. [MV10]) Admits poly-time encryption and decryption Achieves SS/DS security Achieves capacity in interesting scenarios Generalizes previous constructions (with no proofs of DS security) [W75,HM10] First semantically-secure capacity-achieving construction with efficient polytime encryption + decryption
Seeded encryption SeedGen S M ENC C C 0 M 0 ChR DEC ChA Z(M) public Seed can be recycled, and sent as part of the ciphertext
Seeded-encryption scheme ENC S (M) k bits m bits M k m bits Abstraction: Inverting randomness extractor on seed S and output M S GF(2 k ) multiplication Public seed X E Poly-time + injective + linear C n bits
Conditional min-entropy M h i H E Z = x Z 1 (X Z) = log X! max Pr[X = x ^ Z = z] xx z S 0 X E Example: ChA = BSC q n H 1 (X Z) k n 1 log 1 1 q C ChA Z
Smooth min-entropy [RW04] H 1(X Z) = sup H 1 (X Z) X 0 Z 0 :SD(X 0 Z 0 ;XZ)apple X E Example: ChA = BSC q n H 1(X Z) k n (1 h(q)+o(1)) C ChA =2 O(p n) Z Note: 1 h(q) apple 1 log(1/(1 q))
Smooth min-entropy cont d C nq + o(1)
Seeded Encryption Security Theorem. [BT12,BTV12] If ChA symmetric, and H e (X Z) m + 2log(1/e) then Adv ds (ENC; ChA) = O( ). For ChA = BSC qn, ChR = BSC pn. Best possible k to allow for decryption over ChR : For some =2 O(p n) k =(1 h(p) o(1))n H 1(X Z) n(h(q) h(p) o(1)) Largest possible message size m =(h(q) h(p) o(1))n optimal rate!
Proof Two steps 1. Prove RDS security SD((Z(M),S,M); (Z(M),S,M 0 )) apple O( ) 2. From RDS to DS security
Proof RDS Security M M M S -1 0 S -1 0 X X S 0 E S 0 E C C ChA ChA H 1(X Z) Z m + 2 log 1 By the Leftover Hash Lemma [BBR88,ILL89,BBCM95] Z
From RDS to DS security In general: Random-message security does not imply DS security. Lemma. If ChA is symmetric, then ENC is DS secure. Proof idea: M Z S (M) is symmetric Z S (M 0 ) Δ S, M: SD(Z S (M); Z S ($)) apple Z S ($) Z S (M) Z S (M 00 )
Extensions Above only achieves capacity for limited channels: ChA($) = $ Extension to arbitrary symmetric channels [TV13] Alternative: Better estimates of Smooth-minentropy? [C15] New soft-covering lemma used to obtain existential proof that rate is achievable in the semantic-security regime!
Conclusions and Open questions
Open questions A crypto wish list Concrete parameters. Given ChA, ChR, message length m, and security level e, find Enc with smallest possible ciphertext length n such that Adv ds (Enc; ChA) apple Cryptanalysis. Do physical assumptions really hold?
Thank you! Merci!