Information Theoretical Security and Secure Network

Information Theoretical Security
and Secure Network Coding
NCIS11
May 14, 2011
Ning Cai
Xidian University
The Outline

- Two Approaches to Security:
  - computational security
  - information theoretical security
- Measurements of Information Theoretical Security
- Examples for Information Theoretical Security
- A Basic Idea in Secure Network Coding
- More About Resource Based on Secure Network Coding
Two Approaches to Security
Computational Security (CS) vs Information
Theoretical Security (ITS)

Assumptions
(CS): wiretapper—limited computational ability
(ITS): wiretapper—unlimited computational ability

Security
(CS): relatively secure
(ITS): absolutely secure

Resources (Random key, throughput etc)
(CS): less
(ITS): more
Two Approaches to Security

Computational Security – very popular, especially in commercial systems;

Information Theoretical Security – not so popular, but it has received more and more attention.
Example: European Telecommunications Standards Institute (ETSI): new secure standard (for q systems) – Information theoretical security.
Measurements of Information
Theoretical Security

Shannon Entropy or Mutual Information
$S$ - source message, $Y_W$ - wiretapped message
Perfect security: $I(S; Y_W) = 0$ or $H(S \mid Y_W) = H(S)$,
i.e., $S$ and $Y_W$ are independent.
Imperfect security: $I(S; Y_W) \le i$
or $H(S \mid Y_W) \ge h$
for $h \in (0, H(S)]$.

Other information quantities, e.g., Renyi entropy, von Neumann entropy or Holevo quantity for quantum, etc.
Examples for ITS
Shannon cipher system
Random message $M$ and key $K$ are generated from the same set $\{0, 1, \dots, p-1\}$.
$m$ - output of the message $M$
$k$ - output of the key $K$
$y = m + k \pmod{p}$
Examples for ITS
Secret Sharing (SS) (Blakley 1979, Shamir 1979)

A dealer observes a secret message, chooses random “sharings” and distributes them to participants.
A subset of participants tries to recover the message by pooling their sharings.
They can recover it if the subset is legal (i.e. in the “access structure”).
Otherwise they should have absolutely no information about it from their sharings.
Examples for ITS
Secret Sharing (continue)

$(r, n)$-threshold secret sharing scheme: $n$ participants, all sets with sizes $\ge r$ are legal.
Given the amounts of sharings distributed to the participants, we want to maximize the amount of message shared by them.
The optimal threshold secret sharing scheme is known (R-S code).
Finding optimal secret sharing schemes for general (“non-threshold”) access structures is a very hard open problem.



Examples for ITS
The wiretap channel II (Ozarow-Wyner 1984)

A message is encoded into a codeword of length $n$.
A legal user receives the whole codeword.
A wiretapper accesses any $t$ components of the codeword.
The legal user can decode correctly.
The illegal user has no information about the message (perfect security); more generally, the “equivocation” (conditional entropy) is lower bounded (imperfect security).
The optimal code is known (R-S code).
Denote the code by $(n, t)$-WCII.
Examples for ITS
Wiretap network
(Single source acyclic) communication network

A (directed) graph $G = (V, E)$: nodes are users, edges are channels (noiseless);
A single source node $s \in V$, with access to a source with message set  ;
Sinks $U \subset V$, accessed by receivers;
Acyclic network, i.e., $G$ has no directed cycle.
Examples for ITS
Wiretap network (continue)
Coding for a network
Denote, for $v \in V$, by
$\mathrm{In}(v) = \{(u, v) : (u, v) \in E\}$ the incoming channels of $v$;
$\mathrm{Out}(v) = \{(v, u) : (v, u) \in E\}$ the outgoing channels of $v$.

Acyclic  partial order on E ,  total order
such that d e, if v V , d  In(v), e  Out (v).

Assume all channels have the same alphabet F , define a code
e , e  E :
e :   F ,
if e  Out ( s), s  S;
(“local”)
e : F In( v )  F ,
if e  Out (v), v  S.

Introduce a set of functions  e :   F , e  E,
for e  Out(v )
 e (m)  e ( d (m), d  In(v)) recursively. (“global”)

Examples for ITS
Wiretap network (continue)
A network code (NC) is linear if all local encoding functions are linear. The global encoding functions of a linear NC are linear because a linear function of linear functions is linear.
Theorem (Li-Yeung-C., 2003): For single-source networks (multicasts), the max-flow bound is achievable by linear codes if the coding field is sufficiently large.
Examples for ITS
Wiretap network (continue)
Wiretap network (C. and Yeung 2002, 2011)



Communication network;
A collection of subsets of wiretap channels  :
i.e.,  is a collection of subsets of the channels
such that all B   may be fully accessed by a
wiretapper, but no wiretapper may access more
than one wiretap subset.
For security, randomness K is necessary.
Examples for ITS
Wiretap network (continue)
secure Code for WN


Fix a network code. Let M be the random message
and k , k  be the outputs of the randomness. For B  ,
denote by YB the output of channels in B. Then the
code is secure if
m  m, u U , u (m, k )   u (m, k ) for all k , k  , where  u is
the message received by sink u , Decodable Condition;
$H(M \mid Y_B) = H(M)$, Security Condition.
Examples for ITS
Wiretap network (continue)


We call the wiretap network an $r$-WN and its secure code an $r$-secure network code if  consists of r subsets of channels, i.e., for an $r$-WN, the wiretapper may access any $r$ channels.
Imperfect security: the security condition can be relaxed to
$H(M \mid Y_B) \ge h$.
Examples for ITS
SS is equivalent to a special class of WNs.
Given an SS with access structure  , we construct a 3-layer WN as follows:
Top layer: source node $s$ (the dealer).
Middle layer: $n$ intermediate nodes (participants); a channel with capacity $r_i$ connects $s$ and the node $i$ if the node $i$ gets $r_i$ bits of sharing.
Bottom layer: receivers labeled by members in  (legal subsets); the intermediate node $i$ connects to receiver $t_A$ if $i \in A$.
Examples for ITS
SS is equivalent to a special class of WNs (continue)
A wiretap set of channels corresponds to an illegal subset $B$ and has members $(s, b)$, $b \in B$.
A secure code for the WN exists iff an SS scheme exists. An $(r, n)$-threshold secret sharing scheme “is” an $(r-1)$-secure network code.
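The claim that an (r, n)-threshold scheme behaves as an (r-1)-secure code can be checked exhaustively over a small field. The following is an added example, not code from the talk: it uses Shamir's polynomial scheme over GF(5) with a (3, 4) threshold, and the parameters and function names are assumptions of the example.

```python
from collections import Counter
from itertools import combinations, product

P, R, N = 5, 3, 4   # constructed parameters: GF(5), (3, 4)-threshold scheme

def deal(secret, coeffs, p=P, n=N):
    """Shares f(1), ..., f(n) of f(x) = secret + c_1 x + ... + c_{r-1} x^{r-1} over GF(p)."""
    poly = (secret,) + tuple(coeffs)
    return tuple(sum(c * pow(i, j, p) for j, c in enumerate(poly)) % p
                 for i in range(1, n + 1))

def recover(points, p=P):
    """Lagrange interpolation at x = 0 from r pairs (participant index, share)."""
    secret = 0
    for i, yi in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num = num * (-j) % p
                den = den * (i - j) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret

def views(subset, p=P, r=R, n=N):
    """For each secret, the distribution of the shares pooled by `subset`
    over all choices of the dealer's random coefficients."""
    out = {}
    for secret in range(p):
        out[secret] = Counter(
            tuple(deal(secret, c, p, n)[i - 1] for i in subset)
            for c in product(range(p), repeat=r - 1))
    return out

def leaks_nothing(subset):
    """True iff the pooled shares are distributed identically for every secret,
    i.e. H(S | Y_B) = H(S) for the wiretap set B = subset."""
    v = views(subset)
    return all(v[s] == v[0] for s in v)

def secure_against(t, n=N):
    """True iff every set of t participants (t wiretapped channels) leaks nothing."""
    return all(leaks_nothing(b) for b in combinations(range(1, n + 1), t))
```

Any r-1 = 2 pooled shares are uniformly distributed whatever the secret, while any 3 shares determine it.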
Examples for ITS
[Figure: Formulating secret sharing schemes to WN. Source s; intermediate nodes v1, v2, ...; receivers t_{A_1}, t_{A_2}, ..., t_{A_m}.]
Examples for ITS
Similarly, an $(n, t)$-WCII is equivalent to a 3-layer $t$-WN with a sink and $n$ intermediate nodes.
[Figure: source S, intermediate nodes 1, 2, ..., n, sink T.]
Examples for ITS
The Shannon cipher system is a $(2, 2)$-threshold SS and a $(2, 1)$-WCII, and therefore a 1-secure network code.
Examples for ITS
Private Computations in Networks
A communication network.
A subset of nodes $1, 2, \dots, u$: users.
Each user $j$ accesses an information source $X_j$.
The sources $X_1, X_2, \dots, X_u$ are mutually independent.
The users cooperate to compute the value of a function $f(X_1, X_2, \dots, X_u)$ by exchanging information over the network.
Examples for ITS
Private Computations in Networks (continue)
The users do not trust each other, and they want the others to learn no additional information about their own source. That is, the remaining uncertainty of the sources for the user $j$ must be $H(X_i, i \neq j \mid X_j, f(X_1, \dots, X_u))$ after the communication.
Randomization is necessary.
The goal is minimizing the randomness.
The topology of the network plays an important role.
Examples for ITS
Wiretap channel (Wyner 1975)
A sender sends a secret message via a noisy channel.
A legal receiver and a wiretapper access different outputs of the channel, resp.
Want: the legal receiver may correctly decode with a high probability and the wiretapper has no (or limited) information about the message.
The goal: maximizing the transmission rate.
Examples for ITS
Key agreement (KA), (distribution)
A set of (legal) users tries to generate a (common) secret random key.
A wiretapper tries to obtain as much information as possible about the key.
The legal users share a certain resource (e.g., different components of a correlated source, private channels, parts of an entanglement q-state...).
The wiretapper may or may not have a certain related resource (r.v. correlated to the source, outputs of the private channels, part of the entanglement state…).
Examples for ITS
Key agreement (continue)
By combining actions on their resources (e.g., observation of the outputs of the source, communication via the private channels, measuring the q-state…), the legal users exchange messages via a public channel.
The wiretapper may observe the output of the public channel, in combination with the use of his resource.
Requirement: at the end all legal users have the same key and the wiretapper has no (or limited) information about the key.
Goal: maximizing the size of the key.
Examples for ITS
An example of KA (Maurer 1993, Ahlswede-Csiszar 1993)
Correlated memoryless source $(X, Y, Z)$.
Legal users A, B and a wiretapper access $X^n$, $Y^n$, and $Z^n$, resp.
A and B exchange messages publicly according to their received messages and the outputs of $X^n$, $Y^n$.
At the end of the communication A and B share a random key.
The wiretapper can obtain no (or limited) information about the key from the output of the public channel and $Z^n$.
A Basic Idea in Secure Network Coding



Assume the input alphabet of a WN is  the input
of the WN is x   and the message obtained by
the wiretapper from wiretap subset B   is yB
Then $y_B = g_B(x)$ is a function of $x$.
To protect the secret message, the sender partitions  according to the size of the message set, and randomly chooses an element from the $i$-th subset and sends it via the network if he wants to send the $i$-th message (the territory of the $i$-th message).
A Basic Idea in Secure Network Coding


1
Denote by g B (i.e., gB ( y)  {x : gB ( x)  y} ) the
inverse image of mapping g B . Then for a given
B ,{gB1 ( yB )}yB is a partition of . The
1
g
wiretapper knows the input of WN must be in B ( yB )
if he receives yB . Thus his best strategy is “to
guess” the message with the largest intersection of
1
territory to g B ( yB ).
Consequently a code is perfectly secure iff all
1
territories equally intersect to all gB ( yB ), yB , B .
1
A Basic Idea in Secure Network Coding




Assume the network code is linear and $x$ is a row vector.
Then $y_B = g_B(x) = x M_B$ for input $x$ and a (known) matrix $M_B$.
$g_B^{-1}(y_B)$ is the solution set of the linear equation $x M_B = y_B$, or a coset of the solution subspace of $x M_B = 0$.
Further suppose we use the cosets of a linear code with parity check matrix $H$ as territories of the messages, i.e., the territory of message $m$ is the solution set of the equation $xH = m$. The intersection of the territory and the inverse image is the solution set of the equation $x(H, M_B) = (m, y_B)$.
A Basic Idea in Secure Network Coding


Notice for all row vector  in a finite field
with size q, the function xA   either has
no solution or $q^{n-r}$ solutions, where $n$ is
the number of rows of $A$ and $r = \mathrm{rank}[A]$.
Thus our problem is reduced to finding a matrix $H$ such that all $x(H, M_B) = (m, y_B)$ have solutions whenever $x M_B = y_B$ has solutions.
A Basic Idea in Secure Network Coding

This condition holds if
$\mathrm{rank}[(H, M_B)] = \mathrm{rank}[H] + \mathrm{rank}[M_B]$.

Such an $H$ can always be found if the coding field is sufficiently large (C.-Yeung 2002, 2011).
A randomly generated matrix has the property with high probability, provided the field is sufficiently large (C.-Chan 2011).
A random network code is secure with high probability if the coding field is sufficiently large (C. 2009).
Similarly for imperfect security.
So far all secure NCs are constructed in this way.
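The rank condition rank[(H, M_B)] = rank[H] + rank[M_B] can be checked mechanically and compared with the "equal intersection" definition of perfect security. The following is an added example, not code from the talk: it computes ranks over GF(p) and enumerates all inputs x by brute force; the sample matrices model the Shannon cipher system as a two-channel network over GF(5), and all function and constant names are assumptions of the example.

```python
from itertools import product

def rank_mod_p(rows, p):
    """Rank over GF(p) of a matrix given as a list of rows (Gauss-Jordan)."""
    m = [[v % p for v in r] for r in rows]
    rank = 0
    for c in range(len(m[0])):
        piv = next((i for i in range(rank, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], -1, p)
        m[rank] = [v * inv % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def rank_condition(H, MB, p):
    """rank[(H, M_B)] == rank[H] + rank[M_B]; (H, M_B) is the column-wise concatenation."""
    joint = [h + b for h, b in zip(H, MB)]
    return rank_mod_p(joint, p) == rank_mod_p(H, p) + rank_mod_p(MB, p)

def times(x, A, p):
    """Row vector x times matrix A over GF(p)."""
    return tuple(sum(a * r[j] for a, r in zip(x, A)) % p for j in range(len(A[0])))

def intersection_sizes(H, MB, p):
    """Size of territory(m) intersected with g_B^{-1}(y_B), for every (m, y_B), by enumeration."""
    sizes = {}
    for x in product(range(p), repeat=len(H)):
        key = (times(x, H, p), times(x, MB, p))
        sizes[key] = sizes.get(key, 0) + 1
    return sizes

def perfectly_secure(H, MB, p):
    """True iff every territory meets every reachable inverse image in equally many points."""
    sizes = intersection_sizes(H, MB, p)
    msgs = {m for m, _ in sizes}
    return all(len({sizes.get((m, y), 0) for m in msgs}) == 1
               for y in {y for _, y in sizes})

# Constructed sample: input x = (m + k, k), territories are the cosets xH = m with m = x1 - x2.
P, H = 5, [[1], [4]]
TAP_FIRST, TAP_SECOND = [[1], [0]], [[0], [1]]   # wiretapper reads one channel
TAP_BOTH = [[1, 0], [0, 1]]                      # wiretapper reads both channels
```

With one channel tapped the condition holds and every intersection has $q^{n-r} = 5^{2-2} = 1$ element; with both channels tapped the ranks no longer add up and the brute-force check fails as well.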
More About Resource

$r$-secure network codes constructed in the above way are optimal. For perfect security an optimal $r$-secure NC needs resource (Yeung C. 2008):
-- $r$ units of randomness (“random key”)
-- $r$ units of throughput
Too much, but it may not be improved.
More About Resource



Perfect security may not be necessary.
In the general case there is more than one source and more than one wiretapper. A particular wiretapper may be interested only in particular sources or some parts of the source.
In both cases often less resource is needed and sometimes no additional resource is needed.
More About Resource

Imperfect security: if we allow the wiretapper to get (at most) $i$ units of information, i.e., $I(S; Y_W) \le i$, we need less resource (C.-Yeung 2011):
-- Randomness reduced by $i$ units
-- Gain of $i$ units of throughput
More About Resource


Weak security: relaxing the security requirement to not allowing the wiretapper to decode any part of the source, no resource is needed (Bhattad and Narayanan 2005).
Strong security: in the case that the wiretapper is only interested in parts of the source (unknown to the communicator), less or even no resource is needed (Harada and Yamamoto 2008).
More About Resource



Multiple-source and multiple-wiretapper: a particular wiretapper is interested in a special subset of sources; sometimes no resource is needed (C.-Chan 2001).
The reason: other sources or other parts of the sources serve as randomness.
Thus we may believe that information security possibly has good applications in the future.
Thank You!