Information Theoretical Security
Ning Cai
CAM 2016, Hong Kong
August 23, 2016
The Outline
 The concept of information theoretical
security (ITS)
-two approaches to security ;
-measurements of ITS；

Examples for models of ITS;
-combinatorial models (I)
-probability (IT) models (II)

Basic ideas in research on ITS
The concept of ITS:
Two Approaches to Security
Computational Security (CS) vs Information
Theoretical Security (ITS)

Assumptions
(CS): wiretapper(s)—limited computational ability
(ITS): wiretapper(s)—unlimited computational ability

Security
(CS): relatively secure
(ITS): absolutely secure

Resources (Random key, throughput etc)
(CS): less
(ITS): more
The concept of ITS:
Two Approaches to Security


Computational Security – very popular,
especially in commercial systems;
Information Theoretical Security – not so
popular but received more and more attention:
Due to
-increasing of requirement to security;
-developing of network communication (e.g. physical
layer security);
-quantum computation
-others.
The concept of ITS:
the measurement

Shannon Entropy or Mutual Information
S -secure message, YW -wiretapped message
Perfect security:
for model I: I ( S ; YW )  0 or H (S | YW )  H (S )
1
1
for model II: I ( S ; YW )  0 or H ( S | YW )  H ( S )
n
n
as n  
Imperfect security: for i  [0, H ( S )).
1
I ( S ; YW )  i.
for model I: I (S ; YW )  i ; for model II : lim
n 

n
Other Information Quantities e.g., Renyi
entropy, von Neumann Entropy or Holevo
Quantity for Quantum, etc.
Examples for ITS (I)
Shannon cipher system
Random message M and
key K are generated from
the same set {0,1,..., p  1}.
 m -outcome of the message M
 k -output of key K


y  m  k (mod p )
Examples for ITS (I)
The scheme uses a key with size | M |, which
minimizes the size of random key:
log | M | H ( M )  H ( M | Y )
 H (M | Y )  H (M | Y , K )  I (M ; K | Y )
 H (K | Y )  H (K | M ,Y )
 H ( K | Y )  H ( K )  log | K | .
I. e,
| K || M | .
Examples for ITS (I)
Secret Sharing (SS)(Blakley 1979, Shamir 1979)





There are a dealer and n participates in the game.
The dealer accesses a secret message and chooses
n random “sharings” according to the message and
distributes them to participates
A subset of participates try to recover the message
by pooling their sharings.
They can recover it if the subset is legal (i.e. in
“access structure”).
Otherwise they should have absolutely no
information about it from their sharings.
Examples for ITS (I)
Secret Sharing (continue)

(r , n)  threshold secret sharing scheme:
participates, all sets with sizes  r are legal
Given the amounts of sharings distributed to the
participates, we want to maximize the amount of
message sharing by them.
The optimal threshold secret sharing scheme is
known.
To find optimal secret sharing schemes for general
(“non- threshold) access structures is a very hard
open problem (NP-hard).
n



Examples for ITS (I)
k
Secret Sharing (continue)
 A construction of ( r , n)  threshold secret
sharing scheme: Let S be a random secret
message, which is uniformly generated from
GF (q ), with q  n. The dealer randomly
uniformly and independently choose r elements
a0 , a1 ,..., ar 1 , from GF (q ). Define a polynomial
P( z ) : a0  a1 z  ...  ar 1 z
r 1
 Sz .
r
Examples for ITS (I)
Secret Sharing : A construction of (r , n) 
threshold secret scheme (continue)
The dealer chooses n different numbers
1 ,  2 ,...,  n , from GF (q) \{0} and gives X i : P(i )
to the i th participants. (it is why we need
that the size of the field q  n.)
Any r participants may determine P ( z ), and
therefore S because a polynomial of degree
r is determined by r points.
Examples for ITS (I)
Secret Sharing : A construction of
threshold secret scheme (continue)
Proof of security: We shall prove the (perfect)
security, namely for any r  1subset B of
[n]: {1, 2,..., n},{ X i : i  B} is independent of
S. Or in other words, we have to show that
for all X i , xi , i  B, S , s,
P( X i  xi , i  B | S  s)  P( X i  xi , i  B)
Examples for ITS (I)
r  threshold
Secret Sharing : A construction of
secret scheme (continue)
To this end, let M B be the matrix whose columns are
(1,  i ,...,  ir 1 ) , i  B.
Then by our scheme, for all X i , xi , i  B, S , s,
( xi , i  B)  (a0 ,..., ar 1 ) M B  ( s ir , i  B),
Notice  i , i  B are constants, and M B is full rank. So
given s , this gives a 1-1 mapping from a0 ,..., ar 1
to xi , i  B. Since a0 ,..., ar 1 are uniformly distributed
on GF (q)r 1 , so are ( xi , i  B). I. e.,
P( X i  xi , i  B | S  s )  q  ( r 1) .
Examples for ITS (I)
Secret Sharing : A construction of
secret scheme (continue)
Thus we have
P ( X i  xi , i  B）
r  threshold
=  P( S  s ) P( X i  xi , i  B | S  s )
s
  P ( S  s )q
 ( r 1)
q
 ( r 1)
s
 P ( X i  xs , i  B | S  s ),
s.
Examples for ITS (I)
Secret Sharing : A construction of r  threshold secret
scheme (continue)
Proof of the optimality: We need to show for any i  [ n],
| X i || S | . Indeed for all r  1subset B in[ n] \ {i} we have
log | M | H ( M )  H ( M | X j , j  B )
 H ( M | X j , j  B)  H (M | X i , X j , j  B)
 I (M ; X i | X j , j  B)
 H ( X i | X j , j  B)  H ( X i | M , X j , j  B)
 H ( X i | X j , j  B )  H ( X i )  log | X i | .
Examples for ITS (I)
The wiretap channel II (Ozarow-Wyner 1984)






Message is encoded into a codeword of length n
A legal user receives the whole codeword
A wtiretapper accesses any t components of the
codeword
The legal user can decode correctly
The illegal user has no information about the
message (perfect security), more general the
“equivocation” (conditional entropy) is lower
bounded (imperfect security).
The optimal code is known.
Examples for ITS (I)
Wiretap network(WN) (Cai-Yeung 2002, 2011)
Given
 A communication network with source node(s)
 Set of legal users (receivers) in the network;
 A collection  of subsets of edges (channels) of the
network (wiretap subsets) such that a wiretapper can
arbitrarily chooses a wiretap set B  , and accesses all
channels in the subset B .
 Denote by M and YB the secure message and the
message leaked to the wiretapper via the channels in
B respectively
Examples for ITS (I)
Wiretap network (continue)
Requirements
All
legal users may decode the demanded
messages correctly;
The wiretapper(s) has no information (for perfect
security) or limited information (for imperfect
security) about (their interested) message i.e.,
H ( M | YB )  H(M).
Imperfect
security :The secure condition can be
release to
for an i  [0, H ( S )).
I (M ; YB )  i,
Examples for ITS (I)
Wiretap network (continue)
We call a code satisfying above requirements
a secure code. The goal is to find secure codes
Maximizing
the throughput;
Minimizing the randomness.
The simplest communication network is the single
source acyclic network.
Examples for ITS (I)
Wiretap network (continue)

We call the wiretap network r  WN and its secure
code a r  secure network code if  consists of
r subsets of channels i.e., for a r  WN, the
wiretapper may access any r channels.
The results


For r  WN the problem is completely solved,
(Cai-Yeung);
In general case the problem is very hard (NP
completed)
Examples for ITS (I)
Shannon Cipher System
is a（2, 2）-threshold SS,
a（2,1)  WCII and
a 1 secure network
code.
Examples for ITS (I)
SS is equivalent to a special class of WN’s.
Given an SS with access structure  , we
construct a 3 layer WN as follows:
layer: source node s ( the dealer)
Middle layer: n intermediate nodes (participates); a
channel with capacity ri connects s and the node
i if the node i gets ri bits sharing.
Bottom layer: Receivers labeled by members in
legal subsets; The intermediate node i connect to .
receiver t A if i  A.
Top
Examples for ITS(I)
SS is equivalent to a special class of WN’s
(continue)
A
wiretap subset of channels corresponds an illegal
subset B and has members ( s, b), b  B.
Then existence of secure code for the WN is
equivalent to existence of the SS scheme. A
(r , n)  threshold secret sharing scheme “is” a
(r  1)  secure network code.
Examples for ITS (I)
ss
v1
v2
….
A1 A1
t A1 t
A1
….
….
AAmm
AA22
t A2 t A
2
….
……
t Am
t Am
Formulating secret sharing schemes to WN
Examples for ITS (I)
Similarly, (n, t )  WCII is equivalent to a 3 layer
t - WN with a sink and n intermediate nodes.
S
1
2
3
4
n
5
T
Examples for ITS (I)
Private Computations on Networks
A
communication network
A subset of nodes 1, 2,..., u : users;
Each user j accesses a information source X j
The sources X 1 , X 2 ,..., X u are mutual independent
The users cooperate to compute the value of a
function f ( X1 , X 2 ,..., X u ) by exchanging information
over the network;
Examples for ITS(I)
Private Computations in Networks (continue)
The
users do not trust each others and they want the
others to know no additional information about their
own source. That is, the remaining uncertainty of the
sources for the user j must be
H ( X i , i  j | X j , f ( X 1 ,..., X u )) after the
communication;
Randomization is necessary;
The goal is minimizing the randomness or/and
amount transmission messages
The topology of the network play an important role.
Examples for ITS(I)
Remark: Above models just are few of basic
combinatorial models and they have had a lot of
generalizations. For example WN has following
extensions
Weakly WN secure codes (Bhattad-Narayanan 2005);
Strongly WN secure codes (Harada and Yamamoto
2008);
Multiple WN secure code (Chan-Grant 2008);
Algebraic security of random linear network Codes
(Lima-Medard);
Many more……
Examples for ITS(I)
There are much more models and
extensions e.g.,
ramp secret sharing;
secure distributed storage;
Many more……
Examples for ITS (II)
Wiretap channel(WC) or wiretap channel I
(Wyner 1975, Csiszar-Korner 1978)
A
sender send a secret message via a noisy channel
with single input and two outputs
A legal receiver and a wiretapper access different
outputs of the channel resp.
Want: the legal receiver may correctly decode with a
high probability and the wiretapper has no (or limited)
information about the message
The goal: maximizing the transmission rate.
Examples for ITS (II)
Wyner introduced degraded wiretap channel and
had its capacity (i.e., the channel input and outputs
accessed by legal and illegal users form a Markov
chain). Csiszar-Korner extended it to general
case. In fact they did more, broadcast channel with
confidential message. That is, there are two sets of
messages, say public and confidential messages,
and two users. The first user should decode both
message correctly. The second user should
decode public message and have no or limited
information about confidential message.
Examples for ITS (II)
Wiretap channel(WC) or wiretap channel I
m
Encoder
xn
yn
Channel 1
Decoder
yn
k
zn
Channel 2
m
Encoder
xn
Channel
m̂
yn
？ Wiretapper
Decoder
zn
k
？ Wiretapper
m̂
Examples for ITS (II)
Secret key generation (SKG) using public
discussion
A
set(s) of (legal) users try to generate a (common)
secret random key
A wiretapper(s) tries/try to have as much as possible
information about the key
The legal users share certain resource (e.g., different
terminals of correlated source, private channels, parts of
an entanglement q-state...)
The wiretapper possibly may or may not have certain
related resource (r.v. correlated to the source, outputs of
the private channels, part of entanglement state…)
Examples for ITS (II)
Secret key generation using public discussion
(continue)




By combining actions on their resources (e.g.,
observation of the outputs of the source,
communication via the private channels, measure
the q-state….), the legal users exchange messages
via a public channel
The wiretapper may observe the output of the public
channel by combining to use his resource
Requirement: at the end all legal users have the
same key and the wiretapper has no (or limited)
information about the key
Goal: maximizing the size of the key
Examples for ITS(II)

An example of Secret key generation using
public discussion (Maurer 1993, AhlswedeCsiszar 1993):“Source model”
A correlated memoryless source （X n , Y n , Z n )
 Legal users A, B and a wiretapper access
resp. X n , Y n , Z n
A and B exchange message publicly according to their
received message and comes of X n , Y n
 At end of communication A and B share a random key
 The wiretapper can obtain no (or limited) information
about the key from the output of public channel and

Z n.
Examples for ITS(II)
An example of Secret key generation using
public discussion (Ahlswede-Csiszar 1993):
“Channel model”
A
channel (private channel) with one input and two
outputs;
A legal user, Alice accesses the channel input and
another legal user Bob accesses an output of the
channel. Thus Alice may send message to Bob via
the private channel;
A wiretapper accesses the second output;
Examples for ITS(II)
“Channel model” (continue)




Alice and Bob can also exchange message
(each other) via public channels. All public
discussion is observable by the wirepper;
Alice and Bob communicate interactively to
generate a common key;
The requirement is that the wiretapper may
have no or limited information about the key
The goal is maximizing the size of the key.
Examples for ITS(II)
X
Xn
Alice
n
,Y n , Z n 
Zn
Yn
Public discussion
Bob
K?
K'
K
Pr  K  K '   0
xn
zn
Channel
yn
Alice
Public discussion
K
Pr  K  K   0
'
Bob
K'
Eve K ?
Examples for ITS(II)
Remark: Above models just are few basic
models in ITS (II) and they have had a lot of
generalizations. The followings are few
examples.
WC
 Classical WC
Identification via WC (Ahlswede-Zhang, 1995);
WC with feedback (Ahlswede-Cai,2006);
Compound WC (Liang-Kramer-Poor-Shamai 2007:
WMAC (Liang-Poor 2008);
Examples for ITS(II)

Classical WC (continue)
WC with state side information (Chen-Vinck 2008);
AVWC (Bjelakovic-Boche-Sommerfeld 2013);
WC with correlated source helper (Chen-CaiSezgin 2014)
AVWC with common randomness helper (NotzeWiese-Boche 2015)
Many more……
Examples for ITS(II)

Classical-Quantum WC
CQWC (Cai-Winter-Yeung 2004, Devetak 2005);
CQAVWC (Blinovsky-M. Cai 2012);
CQAVWC with various resources (Boche-M. CaiDeppe 2013);
CQ Compound WC (Boche-M.Cai-Cai-Deppe
2014)
Many more……
Examples for ITS(II)
SKG also have many generalizations according
to the resource of different legal and illegal
groups of users, by many authors e.g.,
Csiszar-Narayan 2000, 2004, 2008…
Gohari-Anantharam 2010
A very general model: correlated source +wiretap
channel, tradeoff of the amount of secure key
and message, Prabhakaran-EswaranRamchandran, 2012
Many more……
There are a lot of open problems in this topic.
Some Basic Idea in ITS: Direct Part



Assume the input alphabet of a security system is 
an input of the system is x and the message
obtained by the wiretapper is yB if he uses the
strategy B.
Then yB  g B ( x) is a function of x (for model I) or a
random variable depending on x (for model II).
To protect the secret message, the sender partitions
 according to the size of the message set and
randomly chooses an element from the i th subset
and sends it via the network if he wants to send the
i th message, (the territory of the i th message)
Some Basic Idea in ITS: Direct Part


1
Denote by g B (i.e., g B ( y )  {x : g B ( x)  y} ) the
inverse image of mapping g B . Then for a given
B ,{g B1 ( yB )}yB is a partition of . The
1
g
wiretapper knows the input of WN must be in B ( y B )
if he receives yB . Thus his best strategy is “to
guess” the message with the largest intersection of
1
territory to g B ( yB ).
Consequently a code is perfectly secure iff all
1
territories equally intersect to all g B ( yB ), yB , B  .
1
Some Basic Idea in ITS: Direct Part
Some Basic Idea in ITS: Direct Part
Example: secure network coding.
Let us consider a linear network code, then input set is
a linear space on a finite field. We partition the input
space to cosets and take the i th coset as the
territory of the i th message. Now yB  g B ( x) is
linear because the code is linear. Thus its inverse
images partition the input space into cosets too.
Then the code is secure if the all those cosets are
intersect to each territory because in the case the
intersection must be uniform.

Some Basic Idea in ITS: Direct Part
Example: wiretap channel.
Given a code (with arbitrarily small error
probability) for the main channel, we shall
have a secure code if we can color (binning)
the codebook such that the numbers of the
codewords of all colors with very typical
output of the wiretap channel in the joint
typical set are (almost) the same. This is
usually done by random coloring (binning).

Basic Method in Converse part

The main technique in converse for both
models is applying information inequalities
and identities. Sometimes the proofs are
very tricky. In many cases one can find the
main ideas in the proofs originally from
Shannon.
Thank You!