Best-Possible Wiretap Coding: Beyond the Csiszr-Krner Bound

Slide Note
Embed
Share

Explore the concept of wiretap coding for secure communication in scenarios with eavesdroppers. This content delves into formal definitions, impossibility scenarios, and the quest for achieving secure transmission between parties without compromising data privacy. Learn about encryption schemes, adversaries, and the challenges posed by channel degradations. Discover the intricacies of wiretap channels and the underlying principles of achieving statistical and computational security.


Uploaded on Sep 20, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Beyond the Csiszr-Krner Bound: Best-Possible Wiretap Coding via Obfuscation Yuval Ishai Technion Alexis Korb UCLA Paul Lou UCLA Amit Sahai UCLA

  2. Wiretap Channel [Wyn75] Alice Bob Encode Decode Xn Yn M M ChB Eve Zn ChE Goal: Alice wants to send a message to Bob without Eve learning it.

  3. Wiretap Channel [Wyn75] Alice Bob Encode Decode Xn Yn M M ChB Eve Discrete memoryless channels (DMCs) Non-interactive No shared secrets Zn ChE Goal: Alice wants to send a message to Bob without Eve learning it.

  4. Formal Definition Def: (Enc, Dec) is a statistically secure wiretap coding scheme for wiretap channel (ChB, ChE) if Correctness: For all messages m 0,1 , Pr ??? 1 ,? ? ??? 1 ,? = ? 1 ????( ) Security: For all adversaries A, = ? 1 Pr ? 1 ,? ? ??? 1 ,? 2+ ????( ) where b is uniformly distributed over 0,1 .

  5. Formal Definition Def: (Enc, Dec) is a statistically (resp. computationally) secure wiretap coding scheme for wiretap channel (ChB, ChE) if Correctness: For all messages m 0,1 , Pr ??? 1 ,? ? ??? 1 ,? = ? 1 ????( ) Security: For all (resp. non-uniform polynomial-time) adversaries A, = ? 1 Pr ? 1 ,? ? ??? 1 ,? 2+ ????( ) where b is uniformly distributed over 0,1 . (Computational Definition Only): (Enc, Dec) are PPT algorithms.

  6. Formal Definition Def: (Enc, Dec) is a statistically (resp. computationally) secure wiretap coding scheme for wiretap channel (ChB, ChE) if Correctness: For all messages m 0,1 , Pr ??? 1 ,? ? ??? 1 ,? = ? 1 ????( ) Security: For all (resp. non-uniform polynomial-time) adversaries A, = ? 1 Pr ? 1 ,? ? ??? 1 ,? 2+ ????( ) where b is uniformly distributed over 0,1 . (Computational Definition Only): (Enc, Dec) are PPT algorithms. Our results also generalize to larger message spaces.

  7. Simple Impossibility Def: ChB is a degradation of ChE if there exists a channel ChS such that = ChE ChS ChB Observation: In this case, Eve can learn the same distribution Bob learns, so wiretap coding is impossible.

  8. Simple Impossibility Def: ChB is a degradation of ChE if there exists a channel ChS such that = Assign erasures to random bits ex) BEC2p BSCp Observation: In this case, Eve can learn the same distribution Bob learns, so wiretap coding is impossible.

  9. Information Theoretic Setting Can we create a wiretap coding scheme whenever ChB is not a degradation of ChE?

  10. Information Theoretic Setting Can we create a wiretap coding scheme whenever ChB is not a degradation of ChE? No [CK78] Wiretap coding schemes are possible if and only if ChE is not less noisy than ChB.

  11. (Not) Less Noisy [CK78] Def: ChE is not less noisy than ChB if there exists a Markov chain M X YZ where pY|X(y|x) corresponds to ChB, pZ|X(z|x) corresponds to ChE, and H(M | Y) < H(M | Z) Bob has an advantage over Eve in terms of conditional entropy. Encode X M Y ChB X is a one symbol encoding of M ChE Z

  12. Information Theoretic Impossibility ex) ChB = BSCp ChE = BEC [Nair10] Secure Wiretap Coding Less Noisy 2p (Impossibility) Degraded Less Noisy (Impossibility) p (BSC0.1, BEC0.3)

  13. Information Theoretic Impossibility ex) ChB = BSCp ChE = BEC [Nair10] Secure Wiretap Coding Less Noisy 2p Can we do better in the computational setting? (Impossibility) Degraded Less Noisy (Impossibility) p (BSC0.1, BEC0.3)

  14. Computational Assumptions and Feasibility Results Information Theoretic Computational key length message length [Shannon1949] Secure Encryption Fixed key length, unlimited messages (1970s) Secure Multi-Party Computation Honest majority of parties needed [BGW88,CCD88] Only need one honest party [GMW87] Secure Wiretap Coding Schemes Introduced [Wyner75], "Less Noisy" characterization [CK78] OPEN Until our paper in 2022, no improvement

  15. Computational Setting Can we create a wiretap coding scheme whenever ChB is not a degradation of ChE? Recall: Impossible (even computationally) if ChB is a degradation of ChE.

  16. Computational Setting Can we create a wiretap coding scheme whenever ChB is not a degradation of ChE? Yes! Our Work: Assuming secure evasive function obfuscation for the class of generalized fuzzy point functions, wiretap coding schemes are possible if and only if ChB is not a degradation of ChE.

  17. Computational Setting Can we create a wiretap coding scheme whenever ChB is not a degradation of ChE? Alternatively, in the ideal obfuscation model, our scheme is unconditionally secure against unbounded adversaries who can make only polynomially many queries to the obfuscated function. Yes! Our Work: Assuming secure evasive function obfuscation for the class of generalized fuzzy point functions, wiretap coding schemes are possible if and only if ChB is not a degradation of ChE.

  18. Statistically Evasive Circuit Collection with Auxiliary Input Let D be a distribution of circuits. Let Aux be an auxiliary input generator. For all unbounded oracle machines A that are limited to polynomially many queries to their oracle and for all , Pr ? ??1 ,???(1 ,? = 1;? ? 1 ????( )

  19. Statistically Evasive Circuit Collection with Auxiliary Input D will be a class of generalized fuzzy point functions with a randomly chosen center r. Let D be a distribution of circuits. Let Aux be an auxiliary input generator. For all unbounded oracle machines A that are limited to polynomially many queries to their oracle and for all , Pr ? ??1 ,???(1 ,? = 1;? ? 1 ????( )

  20. Statistically Evasive Circuit Collection with Auxiliary Input D will be a class of generalized fuzzy point functions with a randomly chosen center r. Let D be a distribution of circuits. Let Aux be an auxiliary input generator. Aux = ChE(r) For all unbounded oracle machines A that are limited to polynomially many queries to their oracle and for all , Pr ? ??1 ,???(1 ,? = 1;? ? 1 ????( )

  21. Statistically Evasive Function Obfuscation Let (D, Aux) be a statistically evasive circuit collection with auxiliary input. Correctness: For all , all ? ? 1 , Pr ?,??? 1 ,? ? ?(?) ????( ) VBB Security: For all polytime A, there exists a polytime oracle machine Sim such that for all , Pr ? 1 ,???(1 ,?),???(1 ,?) = 1;? ? 1 Pr ????1 ,1|?|,???(1 ,?) = 1;? ? 1 ????( )

  22. Statistically Evasive Function Obfuscation No impossibility results known for VBB obfuscation of statistically evasive circuits! Previous impossibility results for evasive circuits require the auxiliary input to statistically reveal non-trivial inputs. Plausible conjecture that iO achieves statistically evasive function obfuscation since iO is a best possible obfuscator [GR07]. [BSMZ16] gives a construction with security in an idealized weak multilinear map model with no known attacks.

  23. Construction

  24. Starting Point: Example ex) ChB = BSC0.1,ChE = BEC0.3 ChB is not a degradation of ChE. Secure Wiretap Coding 2p ChE is less noisy than ChB [Nair10] (and hence wiretap coding impossible information theoretically [CK78]) Less Noisy (Impossibility) p (BSC0.1, BEC0.3)

  25. Example: ChB = BSC0.1, ChE = BEC0.3 rB contains ~10% bit flips relative to r r rB ChB = BSC0.1 rE contains ~30% erasures relative to r rE ChE = BEC0.3

  26. Example: ChB = BSC0.1, ChE = BEC0.3 Observation: If r 0,1? is uniformly random, then w.h.p. Eve cannot find a string that contains ~10% bit flips relative to r. rB contains ~10% bit flips relative to r r rB ChB = BSC0.1 rE contains ~15% bit flips relative to r rE r' ChE = BEC0.3 Eve s Best Strategy: Assign erased bits a random value.

  27. Example: ChB = BSC0.1, ChE = BEC0.3 Construction: Send a uniform random r 0,1? across the wiretap channel. Then, send across an obfuscation of fr defined below. fr(r ): Output m if r contains ~10% bit flips relative to r. Output otherwise. r ChB = BSC0.1 rB rE ChE = BEC0.3

  28. Example: ChB = BSC0.1, ChE = BEC0.3 Construction: Send a uniform random r 0,1? across the wiretap channel. Then, send across an obfuscation of fr defined below. fr(r ): Correctness: fr(rB) = m with high probability Output m if r contains ~10% bit flips relative to r. Output otherwise. r ChB = BSC0.1 rB rE ChE = BEC0.3

  29. Example: ChB = BSC0.1, ChE = BEC0.3 Construction: Send a uniform random r 0,1? across the wiretap channel. Then, send across an obfuscation of fr defined below. fr(r ): Correctness: fr(rB) = m with high probability Output m if r contains ~10% bit flips relative to r. Output otherwise. Security: W.h.p. Eve cannot find an r such that fr(r ) = m. Obfuscation hides value of m in this case. r ChB = BSC0.1 rB rE ChE = BEC0.3

  30. Starting Point: Example ex) ChB = BSC0.1,ChE = BEC0.3 ChB is not a degradation of ChE. Secure Wiretap Coding 2p ChE is less noisy than ChB [Nair10] (and hence wiretap coding impossible information theoretically [CK78]) Now possible! p (BSC0.1, BEC0.3)

  31. General Case

  32. General Case: Not Degraded Def: ChB is not a degradation of ChE if for all channels ChS we have: ChE ChS ChB For every ChS, there exists (x*, y*) such that Pr ? ? ? = ? Pr ? ?(? ? ? ) = ? > 0 In fact, we can show the difference is at least some constant dependent on ChB and ChE.

  33. General Case: Not Degraded Construction: Send a uniform random r 0,1? across the wiretap channel. Then, send across an obfuscation of fr defined below. fr(r ): Output m if for all symbols (x,y), | ? ? :??= ? ??? ? ?= ? | ~ as expected for an r = ChB(r). Output otherwise. r ChB rB rE ChE

  34. General Case: Not Degraded Construction: Send a uniform random r 0,1? across the wiretap channel. Then, send across an obfuscation of fr defined below. fr(r ): Output m if for all symbols (x,y), | ? ? :??= ? ??? ? ?= ? | ~ as expected for an r = ChB(r). Output otherwise. Correctness: fr(rB) = m with high probability r ChB rB rE ChE

  35. General Case: Not Degraded Construction: Send a uniform random r 0,1? across the wiretap channel. Then, send across an obfuscation of fr defined below. fr(r ): Output m if for all symbols (x,y), | ? ? :??= ? ??? ? ?= ? | ~ as expected for an r = ChB(r). Output otherwise. Correctness: fr(rB) = m with high probability Security: ??? r ChB rB rE ChE

  36. General Case: Not Degraded Observation: If Eve s strategy for finding inputs r for fr is to apply a DMC ChS to rE, then we can prove security. fr(r ): Output m if for all symbols (x,y), | ? ? :??= ? ??? ? ?= ? | ~ as expected for an r = ChB(r). Output otherwise. r ChB rB rE r ChS ChE

  37. General Case: Not Degraded Observation: If Eve s strategy for finding inputs r for fr is to apply a DMC ChS to rE, then we can prove security. fr(r ): Output m if for all symbols (x,y), | ? ? :??= ? ??? ? ?= ? | ~ as expected for an r = ChB(r). Output otherwise. r ChB rB 1) Since ChB is not a degradation of ChE, there exists (x*, y*) such that Pr[ChS(ChE(x*)) = y*] differs from Pr[ChB(x*) = y*]. rE r ChS ChE

  38. General Case: Not Degraded check fails on (x*, y*). 2) Thus, whp, fr(r ) = as the Observation: If Eve s strategy for finding inputs r for fr is to apply a DMC ChS to rE, then we can prove security. fr(r ): ~ as expected for an r = ChB(r). Output otherwise. Output m if for all symbols (x,y), | ? ? :??= ? ??? ? ?= ? | r ChB rB 1) Since ChB is not a degradation of ChE, there exists (x*, y*) such that Pr[ChS(ChE(x*)) = y*] differs from Pr[ChB(x*) = y*]. rE r ChS ChE

  39. General Case: Not Degraded check fails on (x*, y*). 2) Thus, whp, fr(r ) = as the Observation: If Eve s strategy for finding inputs r for fr is to apply a DMC ChS to rE, then we can prove security. fr(r ): ~ as expected for an r = ChB(r). Output otherwise. 3) Obfuscation hides m in this case. Output m if for all symbols (x,y), | ? ? :??= ? ??? ? ?= ? | r ChB rB 1) Since ChB is not a degradation of ChE, there exists (x*, y*) such that Pr[ChS(ChE(x*)) = y*] differs from Pr[ChB(x*) = y*]. rE r ChS ChE

  40. General Case: Not Degraded Observation: If Eve s strategy for finding inputs r for fr is to apply a DMC ChS to rE, then we can prove security. fr(r ): Output m if for all symbols (x,y), | ? ? :??= ? ??? ? ?= ? | ~ as expected for an r = ChB(r). Output otherwise. Issue: Eve can use any arbitrary strategy g (not necessarily a DMC) to find r ! r ChB rB rE r g ChE

  41. Proving Security Goal: Show that for any strategy g, there exists a DMC ChS and a polynomial p such that Pr ??? ?? = ? p n Pr ??? ? ?? = ? + ????(?) Eve cannot do much better by using g than by using ChS! This gives us security! We show this via a hybrid argument. (See our paper for more details.)

  42. Conclusion Main Theorem: Assuming secure evasive function obfuscation for the class of generalized fuzzy point functions, wiretap coding schemes are possible if and only if ChB is not a degradation of ChE. Now possible computationally! (Information theoretically impossible) Less Noisy Degraded Impossible (even computationally)

  43. Conclusion Main Theorem: Assuming secure evasive function obfuscation for the class of generalized fuzzy point functions, wiretap coding schemes are possible if and only if ChB is not a degradation of ChE. Extensions: Extends to general message spaces Optimal rate Universal encoding (encoding only depends on ChB, not ChE)

  44. Conclusion Main Theorem: Assuming secure evasive function obfuscation for the class of generalized fuzzy point functions, wiretap coding schemes are possible if and only if ChB is not a degradation of ChE. Thank You! Extensions: Extends to general message spaces Optimal rate Universal encoding (encoding only depends on ChB, not ChE)

More Related Content