Information Theoretic Security S ¸ ennur Ulukus ¸ Department of ECE University of Maryland [email protected]Joint work with Raef Bassily, Ersen Ekrem, Nan Liu, Shabnam Shafiee. 2012 European School of Information Theory April 2012 — Antalya, Turkey 1
129
Embed
Information Theoretic Security - University Of …ulukus/papers/tutorials/itsec...– Especially in wireless and/or infrastructureless networks, i.e., ad-hoc and sensor networks †
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
• Rates with Gaussian signalling (with or without cooperative jamming) do not scale.
• Rates with scaling based alignment (SBA) and ergodic secret alignment (ESA) scale.
• ESA performs better than SBA.
97
Broadcast Channel with an External Eavesdropper
• In cellular communications: base station to end-users channel can be eavesdropped.
• This channel can be modelled as a broadcast channel with an external eavesdropper
• In general, the problem is intractable for now.
• Even without an eavesdropper, optimal transmission scheme is unknown.
Alice
Bob 2
Eve
1 2,W W
X
2Y
Z
Bob 1
1Y
1W
2W
1 2, |
nH W W Z
98
Degraded Broadcast Channel with an External Eavesdropper-I
• Observations of receivers and the eavesdropper satisfy a certain order.
• This generalizes Wyner’s model to a multi-receiver (broadcast) setting.
X 2Y Z1
Y1 2,W W
1 2, |
nH W W Z
EveBob 1 Bob 2Alice
• Gaussian multi-receiver wiretap channel is an instance of this channel model.
• Plays a significant role in the Gaussian MIMO multi-receiver wiretap channel.
• The secrecy capacity region is obtained by Bagherikaram-Motahari-Khandani for K = 2 andby Ekrem-Ulukus for arbitrary K.
99
Degraded Broadcast Channel with an External Eavesdropper-II
• Capacity region for degraded broadcast channel:
R1 ≤ I(X ;Y1|U)
R2 ≤ I(U ;Y2)
where U → X → Y1,Y2
• Capacity region is achieved by superposition coding
• Using superposition coding with stochastic encoding, the secrecy capacity region of thedegraded broadcast channel with an external eavesdropper can be obtained:
R1 ≤ I(X ;Y1|U)− I(X ;Z|U)
R2 ≤ I(U ;Y2)− I(U ;Z)
where U → X → Y1,Y2,Z
100
Degraded Broadcast Channel with an External Eavesdropper-III
(l, k)
(1, 1) . . . (1, j)(
1, 2nR2
)
. . .
(i, 1) . . . (i, j)(
i, 2nR2
)
. . .
(2nR2 , 1) . . . (2R1 , j)(
2nR2 , 2nR2
)
. . .
...
...
...
...
...
...
...
...
...
...
2nR2
2nR2
(1, 1) . . . (1, k)(
1, 2nR1
)
. . .
(l, 1) . . .
(
l, 2nR1
)
. . .
(2nR1 , 1) . . . (2R1 , k)(
2nR1 , 2nR1
)
. . .
...
...
...
...
...
...
...
...
...
...
2nR1
2nR1
Un sequences Xn sequences for a given Un sequence
...
• Un(w2, w2) and Xn(w1, w1,w2, w2):
R1 + R1 ≤ I(X ;Y1|U)
R2 + R2 ≤ I(U ;Y2)
and
I(U ;Z)≤ R2
I(X ;Z|U)≤ R1
101
Gaussian Broadcast Channel with an External Eavesdropper-I
• Channel model:
Y1 = X +N1
Y2 = X +N2
Z = X +NZ
where E[X2]≤ P and
σ21 ≤ σ2
2 ≤ σ2Z
which is equivalent to
X → Y1 → Y2 → Z
• Since channel is degraded, secrecy capacity region is given in the following single-letter form:
R1 ≤ I(X ;Y1|U)− I(X ;Z|U)
R2 ≤ I(U ;Y2)− I(U ;Z)
where E[X2]≤ P.
102
Gaussian Broadcast Channel with an External Eavesdropper-I
• Channel model:
Y1 = X +N1
Y2 = X +N2
Z = X +NZ
where E[X2]≤ P and
σ21 ≤ σ2
2 ≤ σ2Z
which is equivalent to
X → Y1 → Y2 → Z
• Since channel is degraded, secrecy capacity region is given in the following single-letter form:
R1 ≤ I(X ;Y1|U)− I(X ;Z|U)
R2 ≤ I(U ;Y2)− I(U ;Z)
where E[X2]≤ P.
103
Gaussian Broadcast Channel with an External Eavesdropper-II
• Using jointly Gaussian (U,X) in the single-letter description, we obtain
R1 ≤ 12
logαP+σ2
1
σ21
− 12
logαP+σ2
Z
σ2Z
R2 ≤ 12
logP+σ2
2
αP+σ22− 1
2log
P+σ2Z
αP+σ2Z
• Indeed, this is the secrecy capacity region
104
Gaussian Broadcast Channel with an External Eavesdropper-III
• Secrecy rate of the second user:
R2 ≤ I(X ;Y2|U)− I(X ;Z|U)
=[h(Y2)−h(Z)
]− [h(Y2|U)−h(Z|U)
]
where red term can be bounded as
h(Y2)−h(Z)≤ 12
logP+σ2
2
P+σ2Z
as we did for the single-user Gaussian wiretap channel.
Gaussian Broadcast Channel with an External Eavesdropper-IV
• Hence, there exists α ∈ [0,1] such that
h(Y2|U)−h(Z|U) =12
logαP+σ2
2
αP+σ2Z
which implies
R2 ≤ 12
logP+σ2
2
αP+σ22− 1
2log
P+σ2Z
αP+σ2Z
• Next, we bound the first user’s secrecy rate
R1 ≤ I(X ;Y1|U)− I(X ;Z|U)
= h(Y1|U)−h(Z|U)− 12
logσ2
1
σ2Z
subject to the constraint
h(Y2|U)−h(Z|U) =12
logαP+σ2
2
αP+σ2Z
106
Gaussian Broadcast Channel with an External Eavesdropper-V
• We use Costa’s entropy-power inequality
• Due to degradedness, we have
Y2 = Y1 +√
t∗(N1 + N2)
where
t∗ =σ2
2−σ21
σ2Z −σ2
1
• Hence,
e2[
h(Y2|U)−h(Z|U)]
= e2[
h(Y1+√
t∗(N1+N2)|U)−h(Z|U)]
≥ t∗+(1− t∗)2[
h(Y1|U)−h(Z|U)]
• Using the values of t∗ and h(Y2|U)−h(Z|U), we have
h(Y1|U)−h(Z|U)≤ 12
logαP+σ2
1
αP+σ2Z
which implies
R1 ≤ 12
logαP+σ2
1
σ21
− 12
logαP+σ2
Z
σ2Z
107
Broadcast Channel with an External Eavesdropper-General Case
• Superposition coding with stochastic encoding is not optimal
• An achievable rate region can be obtained by using Marton’s inner bound in conjunction withstochastic encoding
• Marton’s inner bound without secrecy constraints:
R1 ≤ I(V1;Y1)
R2 ≤ I(V2;Y2)
R1 +R2 ≤ I(V1;Y1)+ I(V2;Y2)− I(V1;V2)
for some V1,V2 satisfying V1,V2 → X → Y1,Y2.
• One corner point:
R′1 = I(V1;Y1)
R′2 = I(V2;Y2)− I(V2;V1)
• Encode W1 by using V n1 (w1)
• V n1 is a non-causally known interference for the second user: Gelfand-Pinsker setting
• Encode W2 by using V n2 (w2, l2) where l2 is for binning
108
Broadcast Channel with an External Eavesdropper-General Case
• This achievable scheme can be combined with stochastic encoding (random binning) toobtain an inner bound for broadcast channel with an external eavesdropper:
R in = conv(
R in12 ∪R in
21
)
where R in12 is
R1 ≤ I(V1;Y1)− I(V1;Z)
R2 ≤ I(V2;Y2)− I(V2;V1,Z)
for some V1,V2 such that V1,V2 → X → Y1,Y2,Z
• This inner bound is tight for Gaussian MIMO case
109
Broadcast Channel with an External Eavesdropper-General Case
• Encode W1 by using V n1 (w1, w1)
• Gelfand-Pinsker setting for the second user
• Encode W2 by using V n2 (w2, w2, l2)
• We have
R1 + R1 ≤ I(V1;Y1)
R2 + R2 +L2 ≤ I(V2;Y2)
R1 = I(V1;Z)
R2 = I(V2;Z|V1)
L2 = I(V1;V2)
which gives R in12 .
• Changing encoder order gives R in21
110
Gaussian MIMO Multi-receiver Wiretap Channel-I
• Channel model:
Yk = HkX+Nk, k = 1, . . . ,K
Z = HZX+NZ
Bob 1
Alice
X
1Y
Z
2Y
Eve
Bob 2
1W
2W
1 2, |
nH W W Z
.
.
.
.
.
.
.
.
.
1 2,W W
• The secrecy capacity region is established by [Ekrem-Ulukus].
111
Gaussian MIMO Multi-receiver Wiretap Channel-II
• Secrecy capacity region is obtained in three steps
• As the first step, the degraded channel is considered
Y1 = X+N1
Y2 = X+N2
Z = X+NZ
where the noise covariance matrices satisfy
Σ1 ¹Σ2 ¹ΣZ
• Since the secrecy capacity region depends on the marginal distributions, but not the entirejoint distribution, this order is equivalent to
X→ Y1 → Y2 → Z
112
Gaussian MIMO Multi-receiver Wiretap Channel-III
• To obtain the secrecy capacity region of the degraded MIMO channel is tantamount toevaluating the region
R1 ≤ I(X;Y1|U)− I(X;Z|U)
R2 ≤ I(U ;Y2)− I(U ;Z)
• We show that jointly Gaussian (U,X) is sufficient to evaluate this region
• Thus, the secrecy capacity region of the degraded MIMO channel:
R1 ≤ 12
log|K+Σ1||Σ1| − 1
2log
|K+ΣZ ||ΣZ |
R2 ≤ 12
log|S+Σ2||K+Σ2| −
12
log|S+ΣZ ||K+ΣZ |
where 0¹K¹ S.
113
Gaussian MIMO Multi-receiver Wiretap Channel-IV
• As the second step, the aligned non-degraded channel is considered
Y1 = X+N1
Y2 = X+N2
Z = X+NZ
where the noise covariance matrices does not satisfy any order
• There is no single-letter formula for the secrecy capacity region
• An achievable secrecy rate region is obtained by using dirty-paper coding in the Marton-typeachievable scheme:
R in = conv(
R in12 ∪R in
21
)
where R in12 is
R1 ≤ I(V1;Y1)− I(V1;Z)
R2 ≤ I(V2;Y2)− I(V2;V1,Z)
for some V1,V2 such that V1,V2 → X → Y1,Y2,Z
114
Gaussian MIMO Multi-receiver Wiretap Channel-V
• The resulting achievable secrecy rate region is
R in(S) = conv(
R in12(S)∪R in
21(S))
where R in12(S) is
R1 ≤ 12
log|S+Σ1||K+Σ1| −
12
log|S+ΣZ ||K+ΣZ |
R2 ≤ 12
log|K+Σ2||Σ2| − 1
2log
|K+ΣZ ||ΣZ |
where 0¹K¹ S.
• This inner bound is shown to be tight by using channel enhancement
115
Gaussian MIMO Multi-receiver Wiretap Channel-VI
• For each point on the boundary of R in(S), we construct an enhanced channel
• Enhanced channel is degraded, i.e., its secrecy capacity region is known
• Secrecy capacity region of the enhanced channel includes that of the original channel
• The point on R in(S) for which enhanced channel is constructed is also on the boundary of thesecrecy capacity region of the enhanced channel
• Thus, this point is on the boundary of the secrecy capacity region of the original channel
• R in(S) is the secrecy capacity region of the original channel
116
Gaussian MIMO Multi-receiver Wiretap Channel-VII
• The most general case:
Y1 = H1X+N1
Y2 = H2X+N2
Z = HZX+NZ
• The secrecy capacity region for the most general case is obtained by using some limitingarguments in conjunction with the capacity result for the aligned case
117
Broadcast Channels with Confidential Messages-I
• Each user eavesdrops the other user:
X
2Y
Bob\Eve 1
1Y
1 2 1ˆ , ( | )
nW H W Y
2 1 2ˆ , ( | )
nW H W Y
1 2,W W
Alice
Bob\Eve 2
• In general, problem is intractable for now
• Even without secrecy concerns, optimal transmission scheme is unknown
118
Broadcast Channels with Confidential Messages-II
• Using Marton’s inner bound in conjunction with stochastic encoding, we can obtain anachievable rate region:
R1 ≤ I(V1;Y1)− I(V1;Y2,V2)
R2 ≤ I(V2;Y2)− I(V2;Y1,V1)
where V1,V2 → X → Y1,Y2.
• Encode W1 by using V n1 (w1, w1, l1)
• Encode W2 by using V n2 (w2, w2, l2)
• w1 and w2 are confusion messages
• l1 and l2 are for binning
119
Broadcast Channels with Confidential Messages-III
• We have
R1 + R1 +L1 ≤ I(V1;Y1)
R2 + R2 +L2 ≤ I(V2;Y2)
R1 +L1 = I(V1;Y2,V2)
R2 +L2 = I(V2;Y1,V1)
I(V1;V2)≤ L1 +L2
which gives us the achievable rate region:
R1 ≤ I(V1;Y1)− I(V1;Y2,V2)
R2 ≤ I(V2;Y2)− I(V2;Y1,V1)
• This inner bound is tight for Gaussian MIMO channel
120
Gaussian MIMO Broadcast Channel with Confidential Messages
• Each user eavesdrops the other user:
Alice
X
1Y
2Y
Bob\Eve 1
1 2 1ˆ , ( | )
nW H W Y
2 1 2ˆ , ( | )
nW H W Y
.
.
.
.
.
.
1 2,W W
Bob\Eve 2
• In SISO case, only one user can have positive secrecy rate.
• In MIMO case also, both users can enjoy positive secrecy rates [Liu-Liu-Poor-Shamai].
121
Cooperative Channels and Secrecy
• How do cooperation and secrecy interact?
• Is there a trade-off or a synergy?
Charles\Eve
1|
nH W Y
W1
X Y
1Y
2X
W
BobAlice
• Relay channel [He-Yener].
• Cooperative broadcast and cooperative multiple access channels [Ekrem-Ulukus].
122
Interactions of Cooperation and Secrecy
• Existing cooperation strategies:
– Decode-and-forward (DAF)
– Compress-and-forward (CAF)
• Decode-and-forward:
– Relay decodes (learns) the message.
– No secrecy is possible.
• Compress-and-forward:
– Relay does not need to decode the message.
– Can it be useful for secrecy?
• Achievable secrecy rate when relay uses CAF:
I(X1;Y1,Y1|X2)− I(X1;Y2|X2) = I(X1;Y1|X2)− I(X1;Y2|X2)︸ ︷︷ ︸+ I(X1;Y1|X2,Y1)︸ ︷︷ ︸secrecy rate of the additional term
wiretap channel due to CAF
123
Example: Gaussian Relay Broadcast Channel (Charles is Stronger)
0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.60
0.02
0.04
0.06
0.08
0.1
0.12
0.14
R1 (bits/channel use)
R2
(bits/channel use)
Joint jamming and relayingRelaying
• Bob cannot have any positive secrecy rate without cooperation.
• Cooperation is beneficial for secrecy if CAF based relaying (cooperation) is employed.
• Charles can further improve his own secrecy by joint relaying and jamming.124
Multiple Access (Uplink) Channel with Cooperation
• Overheard information at users can be used to improve achievable rates.
• This overheard information results in loss of confidentiality.
• Should the users ignore it or can it be used to improve (obtain) secrecy?
– DAF cannot help.
– CAF may help.
– CAF may increase rate of a user beyond the decoding capability of the cooperating user.
Alice\Eve
1W
1X
Y
2 1|
nH W Y
Bob
1 2ˆ ˆ,W W
Charles\Eve
2W
2X
1 2|
nH W Y
1Y
2Y
125
Example: Gaussian Multiple Access Channel with Cooperation
• Both inter-user links are stronger than the main link.
• Without cooperation, none of the users can get a positive secrecy rate.
0 0.005 0.01 0.015 0.02 0.025 0.03 0.0350
0.005
0.01
0.015
0.02
0.025
0.03
0.035
R1 (bits/channel use)
R2
(bits/channel use)
Two−sided cooperation
• Cooperation is beneficial for secrecy if CAF is employed.126
Going Back to where We have Started...
• Cryptography
– at higher layers of the protocol stack
– based on the assumption of limited computational power at Eve
– vulnerable to large-scale implementation of quantum computers
• Techniques like frequency hopping, CDMA
– at the physical layer
– based on the assumption of limited knowledge at Eve
– vulnerable to rogue or captured node events
• Information theoretic security
– at the physical layer
– no assumption on Eve’s computational power
– no assumption on Eve’s available information
– based on the assumption of limited ? ? ? ? at Eve
– unbreakable, provable, and quantifiable (in bits/sec/hertz)
– implementable by signal processing, communications, and coding techniques