Information Theoretic Security over

Physical-Layer Channels

PhD Defense Presentation

Hadi AhmadiDepartment of Computer Science

University of Calgary

Discrete LogarithmInteger factorization

Complexity Theory

FIRST PARADIGM: SECURITY OVER HIGHER LAYERS OF NETWORK

Complete read/write access

Problem Overview

Complexity TheoryProbability Theory

FIRST PARADIGM: SECURITY OVER HIGHER LAYERS OF NETWORK

Complete read/write access

Problem Overview

FIRST PARADIGM: SECURITY OVER HIGHER LAYERS OF NETWORKSECOND PARADIGM: SECURITY OVER PHYSICAL LAYER OF NETWORK

TCP/UDPHTTP/FTP

IPPhysical

Secure Message Transmission

Oblivious Transfer

Bit commitment

Secret Key Establishment

…

Restricted read/write access

Problem Overview Our work:

Secret Key Establishment Manipulation Detection Distance Bounding

Verification

Wiretap Channel [Wy75,CK78]

Keyless Information-theoretic Noisier wiretapping

channel

Secure Message TransmissionSecret Key Establishment

Public Discussion ChannelSecure Feedback Channel

Correlated Sources

Secret Key Establis

hment

More natural settings?

A pair of independent wiretap channels

2 independent wiretap channels w/o initial randomness

Two-way wiretap channel

Secret Key Establishment Keyless Information-theoretic Cases with less noisy

wiretapping channel Free local randomness Independent channels

No local randomness

Secret Key Establis

hment

Noise as a single resource for randomness extraction and key agreement

Psbly. higher key rates.

Psbly. dependent channels

Wiretap channel

Leakage Resilient (LR)-AMDAlgebraic Manipulation Detection[CDFPW08]:

Information-theoretic Uses shared key. No leakage to Eve. Arbitrary bounded leakage

Results: Optimal LR-AMD code constructions. Application to robust nonperfect SSS. Application to AMD over wiretap channels.

Bitwise MD for binary wiretap channels. SKE/SMT against active adversary.

Manipulable channelAlgebraic Manipulable Channel with Leakage

Message Authentication Code[GMS74]:

Paradigm 1:Adversary with

full read/write access

• Using correlated randomness

Paradigm 2:Adversary with

restricted access

Keyless

Manipulation Detectio

n

I am at dc!

OK! Let’s make sure you are not farther!

dr

Honest: dr < dcDistance fraud (DFA): dr > dc

Mafia fraud (MFA): dr > dc

Terrorist fraud (TFA): dr > dc

dr

He is at dc!

dcdr

Distance Bounding Verificatio

n

Manipulation Detectio

n

I am at dc!

OK! Let’s make sure you are not farther!

Distance Bounding Verificatio

nUsing Time-of-Flight:

dr

Δt → dr=C.Δt+Tp

• Rapid exchange phase. Natural property in physics. Security promises. Accurate timing.

Alternative solutions?

I am at dc!

OK! Let’s make sure you are not farther!Manipulatio

n Detection

I am at dc!

OK! Let’s make sure you are not farther!

Distance Bounding Verificatio

n

dr

Using Time-of-Flight:

• Rapid exchange phase. Natural property in physics. Security promises. Accurate timing.

Alternative solutions?

Results: Secure DBV protocols against DFA and MFA.

Based on simple challenge-response & MAC. Impossibility for TFA-security. TFA-secure DBV protocol in the BRM.

Using Noise & Attenuation:

• Wiretap channel model. Matches wireless channels. No time measurement.

• Three security functionalities using physical-layer properties.

• Problem formalization and attractive solutions.

Seeking security at physical-layer: advantage to cryptography.

• Important challenges:• Communication models may not match all

scenarios!• Complete knowledge of the physical-channel

behavior!

• Important directions to future work:• Deterministic cryptography using channel noise.• Combining physical-layer and upper-layer

properties.

Conclusion

XA XB

YA YB

YE

BAEBA XXYYYP |

Two-way DMWC

2DMWC

XA

XB

YfE

YB

YA

YbE

AfEB XYYP |

BbEA XYYP |

Backup Slide

With randomness, pe=0.1

Without randomness, pe=0.2

pe=0.1

Backup Slide

Transmission Tampering

bit abstraction signal bit abstraction signal

0 keep

flip

1 set-to-0

set-to-1

On-off Keying (OOK)

Bitwise Manipulation Deetction

Backup Slide

Basic protocol: Challenge&Response + MAC

BRM-DBV protocol: general adversary

BRM-DBV protocol: sampling adversary

Instance 1 (detailed)

),( BB JI

BQ

),( 1 bX b

),( 21 bb YY

BQ

BJBI

rb2:X

rb2:Y

rb2:Z

rf2:Yr

f2:X

rf2:Z

12: rfY

12: rfX

12: rfZ

12: rbX

12: rbY

12: rbZ

rBS2:ˆ12:ˆ r

BS12: r

BSr

BS2: 12: r

ASr

AS2: r

AS2:ˆ12:ˆ r

AS

Alice Bob Alice Bob

Eve Eve

rAU2: r

BU2:

Round 1

Round 2

- Key

- Randomness

OUTPUT:

22: rBU22: r

AU

AU1 AU2 BU1BU2

INPUT:(Randomness)

Instance 2 (abstract)

SKE over 2DMWC without Randomness:The Basic Protocol

Backup Slide