Message Transmission and Key Establishment:
Conditions for Equality of Weak and Strong
Capacities
Hadi Ahmadi
University of Calgary
(joint work with Reihaneh Safavi-Naini)
October 25, 2012
1 / 20
Overview
Secrecy capacity
I
Secure message transmission (SMT) over wiretap channel
[Wy75,CK78].
I
I
I
Discrete memoryless channels from Alice to Bob and Eve.
Alice wants to send Bob a message that stays private from Eve.
SMT is possible when Eve’s channel is noisier.
2 / 20
Overview
Secrecy capacity
I
Secure message transmission (SMT) over wiretap channel
[Wy75,CK78].
I
Discrete memoryless channels from Alice to Bob and Eve.
Alice wants to send Bob a message that stays private from Eve.
SMT is possible when Eve’s channel is noisier.
I
But how many message bits can be sent?
I
I
3 / 20
Overview
Secrecy capacity
I
Secure message transmission (SMT) over wiretap channel
[Wy75,CK78].
I
Discrete memoryless channels from Alice to Bob and Eve.
Alice wants to send Bob a message that stays private from Eve.
SMT is possible when Eve’s channel is noisier.
I
But how many message bits can be sent? infinite!
I
I
4 / 20
Overview
Secrecy capacity
I
Secure message transmission (SMT) over wiretap channel
[Wy75,CK78].
I
I
I
I
I
Discrete memoryless channels from Alice to Bob and Eve.
Alice wants to send Bob a message that stays private from Eve.
SMT is possible when Eve’s channel is noisier.
But how many message bits can be sent? infinite!
Say how may message bits per channel use? That is secrecy
capacity!
5 / 20
Overview
Secrecy capacity
I
Secure message transmission (SMT) over wiretap channel
[Wy75,CK78].
I
Discrete memoryless channels from Alice to Bob and Eve.
Alice wants to send Bob a message that stays private from Eve.
SMT is possible when Eve’s channel is noisier.
I
Secrecy capacity (the highest transmission rate) is derived as
I
I
wc
Cws
=
max
U↔X ↔(Y ,Z )
I (U; Y ) − I (U; Z ).
6 / 20
Overview
SK capacity
I
Secret key agreement (SKE) over noisy channels
[Ma93,AC93].
I
I
I
Alice and Bob want to share a key that stays private from Eve.
Secret key (SK) capacity: highest key rate in bits/channel use.
SKE is like SMT in the wiretap channel setting.
wc
wc
Cwsk
= Cws
7 / 20
Overview
SK capacity
I
Secret key agreement (SKE) over noisy channels
[Ma93,AC93].
I
I
I
Alice and Bob want to share a key that stays private from Eve.
Secret key (SK) capacity: highest key rate in bits/channel use.
SKE is like SMT in the wiretap channel setting.
wc
wc
Cwsk
= Cws
I
By adding public discussion SK capacity increases.
wc+pdc
wc
Cwsk
≥ Cwsk
8 / 20
Overview
weak/strong SK capacity
I
From weak to strong security in SKE [MW00].
I
I
I
Motivation: use of weak security (negligible leakage rate).
Proposal: define strong security (negligible absolute leakage).
Problem: relation between the two.
Definition (Weak SK capacity)
Requiring SA ≈ SB such that weak secrecy:
I (SA ; ViewE ) ≤ H(SA )δ.
Definition (Strong SK capacity)
Requiring uniform SA ≈ SB such that strong secrecy:
I (SA ; ViewE ) ≤ δ.
Note:
Similarly one can define weak and strong secercy capacities.
9 / 20
Motivation to our work
I
Maurer and Wolf [MW00] prove strengthening security is
doable without sacrificing the key rate:
wc
wc
Cwsk
= Cssk
,
wc+pdc
wc+pdc
Cwsk
= Cssk
I
Followup research studied weakly secure SKE in new setups.
I
Not clear whether these results also holds for strong security.
Question1:
What are general conditions for the equality of weak and strong
SK capacities?
Question2:
What about weak and strong secrecy capacities (for message
transmission)?
10 / 20
Part 1: Equality conditions for SK capacity
The MW approach
I
For equality conditions of SK capacity, we revisit the MW
proof.
I
I
I
The proof is quite generic: slight modification makes it work
for many other setups.
But it does not apply to ALL existing setups
The MW approach has two phases:
Ph1 Equality of weak and uniform SK capacities.
I
This is general: works for any DM setup.
Ph2 Construction of strong protocols from uniform ones.
I
Relies on implicit assumptions...
Let’s see what is inside this phase!
11 / 20
Part 1: Equality conditions for SK capacity
Phase 2 of the MW approach
I
Four steps to make a strong protocol from a uniform one:
S1 Independent repetition of uniform protocol n times: SA , SB
I
Cost is n times that of the uniform protocol.
S2 Information reconciliation by universal hashing: SA ≈ SB
I
Resources to send function description, say l bits.
S3 Privacy amplification by a seeded extractor: S = Ext(R, SA )
I
I
Resources to generate random seed, say r bits.
Resources to send r -bit random seed.
S4 Uniformization to make key uniform: H(S) = log |S|.
I
Free: does not require resource.
12 / 20
Part 1: Equality conditions for SK capacity
Phase 2 of the MW approach
I
Four steps to make a strong protocol from a uniform one:
S1 Independent repetition of uniform protocol n times: SA , SB
I
Cost is n times that of the uniform protocol.
S2 Information reconciliation by universal hashing: SA ≈ SB
I
Resources to send function description, say l bits.
S3 Privacy amplification by a seeded extractor: S = Ext(R, SA )
I
I
Resources to generate random seed, say r bits.
Resources to send r -bit random seed.
S4 Uniformization to make key uniform: H(S) = log |S|.
I
I
Free: does not require resource.
Proof sketch: By choosing n sufficiently large,
I
I
I
the parameters l and r become negligible in cost, and
The key size is close to n time that of uniform protocol.
hence the key rate stays the same.
13 / 20
Part 1: Equality conditions for SK capacity
Modified proof sketch
I
Assumptions made by the MW approach:
I
I
I
The assumptions do not hold in all setups, e.g.,
I
I
I
Channel with positive (reliability) capacity.
Free local source of randomness.
Two-way wiretap channels [AS11] with zero reliability capacity.
Secret key from noise [AS11*] with no random source.
Are both assumptions necessary conditions?
I
I
We remove the first assumption, i.e., need for randomness.
Trick: using a two-source extractor for privacy amplification.
14 / 20
Part 1: Equality conditions for SK capacity
Modified proof sketch
I
Our steps to make a strong protocol from a uniform one.
S1 Independent repetition of uniform protocol 2n times:
I
I
Alice has (SA,1 , SA,2 ) and Bob has (SB,1 , SB,2 ).
Cost is 2n times that of the uniform protocol.
S2 Information reconciliation by universal hashing: SA ≈ SB
I
I
Gives (SA,1 , SA,2 ) ≈ (SB,1 , SB,2 ).
Resources to send function description, say 2l bits.
S3 Privacy amplification by a two-source extractor:
I
I
Gives S = TExt(SA,1 , SA,2 ).
Free: does not require resource.
S4 Uniformization to make key uniform: H(S) = log |S|.
I
I
Free: does not require resource.
Reliable transmission however is still needed.
15 / 20
Part 1: Equality conditions for SK capacity
Modified proof sketch
I
Our steps to make a strong protocol from a uniform one.
S1 Independent repetition of uniform protocol 2n times:
I
I
Alice has (SA,1 , SA,2 ) and Bob has (SB,1 , SB,2 ).
Cost is 2n times that of the uniform protocol.
S2 Information reconciliation by universal hashing: SA ≈ SB
I
I
Gives (SA,1 , SA,2 ) ≈ (SB,1 , SB,2 ).
Resources to send function description, say 2l bits.
S3 Privacy amplification by a two-source extractor:
I
I
Gives S = TExt(SA,1 , SA,2 ).
Free: does not require resource.
S4 Uniformization to make key uniform: H(S) = log |S|.
I
I
Free: does not require resource.
Reliable transmission however is still needed.
Conclusion:
Weak and strong SK capacities equal in any discrete memoryless
setup that allows reliable transmission.
16 / 20
Part 2: Equality conditions for secrecy capacity
Proof sketch
I
Steps for strong transmission protocol from weak one.
S1 Expansion of message by extractor inversion.
I
Resources to generate random bits for expansion, say r bits.
S2 Split: message in to pieces and send by weak protocol.
I
Cost equals that of weak protocol.
S3 Information reconciliation: to make key uniform.
I
Resources to send function description, say l bits.
S4 Extraction: of message by two-source extractor.
I
I
I
Free: does not require resource.
Reliable transmission requirement can be removed: A setup
with weak secrecy capacity always allows reliable transmission.
Randomness generation however is needed.
Conclusion:
Weak and strong secrecy capacities equal in any discrete
memoryless setup that lets sender generate randomness.
17 / 20
Conclusion
I
SMT vs. SKE: duality
Requirement
Randomness access
Reliable transmission
I
MW approach
Our approach
Our approach
(SK)
(SK)
(Secrecy)
required
required
required
required
-
Equality conditions: Sufficient but not necessary, e.g.,
I
I
Noisy two-way two-way channel YA = YB = XA + XB + N and
YE = f (YA ) where N is uniform.
Secure channel YB = XA + N 0 and YE = ⊥, and no
randomness.
18 / 20
References
Ahlswede, R., Csiszár, I.: Common randomness in information theory
and cryptography. Part I: secret sharing. IEEE-IT (1993)
Ahmadi, H., Safavi-Naini, R.: Common randomness and secret key
capacities of two-way channels. ICITS (2011)
Ahmadi, H., Safavi-Naini, R.: Secret Keys from Channel Noise.
Eurocrypt (2011)
Csiszár, I., Körner, J.: Broadcast channels with confidential
messages. IEEE-IT (1978)
Maurer, U.: Secret key agreement by public discussion from
common information. IEEE-IT (1993)
Maurer, U., Wolf, S.: Information-theoretic key agreement: from
weak to strong secrecy for free. Eurocrypt (2000)
Wyner, A.D.: The wire-tap channel. Bell Sys Tech Journal (1975)
19 / 20