Information Theoretic Security over Physical-Layer Channels
PhD Defense Presentation
Hadi Ahmadi
Department of Computer Science
University of Calgary
Discrete Logarithm
Integer factorization
Complexity Theory
FIRST PARADIGM: SECURITY OVER HIGHER LAYERS OF NETWORK
Complete read/write access
Problem Overview
Complexity Theory
Probability Theory
FIRST PARADIGM: SECURITY OVER HIGHER LAYERS OF NETWORK
SECOND PARADIGM: SECURITY OVER PHYSICAL LAYER OF NETWORK
TCP/UDP
HTTP/FTP
IP
Physical
Secure Message Transmission
Oblivious Transfer
Bit commitment
Secret Key Establishment
…
Restricted read/write access
Problem Overview
Our work:
• Secret Key Establishment
• Manipulation Detection
• Distance Bounding Verification
Wiretap Channel [Wy75, CK78]
• Keyless
• Information-theoretic
• Noisier wiretapping channel
Secure Message Transmission
Secret Key Establishment
Public Discussion Channel
Secure Feedback Channel
Correlated Sources
Secret Key Establishment
More natural settings?
A pair of independent wiretap channels
2 independent wiretap channels w/o initial randomness
Two-way wiretap channel
Secret Key Establishment
• Keyless
• Information-theoretic
• Cases with less noisy wiretapping channel
• Free local randomness
• Independent channels
No local randomness
Secret Key Establishment
Noise as a single resource for randomness extraction and key agreement
Possibly higher key rates.
Possibly dependent channels.
Wiretap channel
Leakage Resilient (LR)-AMD
Algebraic Manipulation Detection [CDFPW08]:
Information-theoretic. Uses shared key. No leakage to Eve. Arbitrary bounded leakage.
Results:
• Optimal LR-AMD code constructions.
• Application to robust nonperfect SSS.
• Application to AMD over wiretap channels.
• Bitwise MD for binary wiretap channels.
• SKE/SMT against active adversary.
Manipulable channel
Algebraic Manipulable Channel with Leakage
Message Authentication Code [GMS74]:
Paradigm 1: Adversary with full read/write access
• Using correlated randomness
Paradigm 2: Adversary with restricted access
Keyless
Manipulation Detection
I am at dc!
OK! Let’s make sure you are not farther!
dr
Honest: dr < dc
Distance fraud (DFA): dr > dc
Mafia fraud (MFA): dr > dc
Terrorist fraud (TFA): dr > dc
dr
He is at dc!
dc dr
Distance Bounding Verification
Manipulation Detection
I am at dc!
OK! Let’s make sure you are not farther!
Distance Bounding Verification
Using Time-of-Flight:
dr
Δt → dr=C.Δt+Tp
• Rapid exchange phase. Natural property in physics. Security promises. Accurate timing.
Alternative solutions?
Results: Secure DBV protocols against DFA and MFA.
Based on simple challenge-response & MAC. Impossibility for TFA-security. TFA-secure DBV protocol in the BRM.
Using Noise & Attenuation:
• Wiretap channel model. Matches wireless channels. No time measurement.
• Three security functionalities using physical-layer properties.
• Problem formalization and attractive solutions.
Seeking security at physical-layer: advantage to cryptography.
• Important challenges:
  • Communication models may not match all scenarios!
  • Complete knowledge of the physical-channel behavior!
• Important directions to future work:
  • Deterministic cryptography using channel noise.
  • Combining physical-layer and upper-layer properties.
Conclusion
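Two-way DMWC
[Figure labels: $X_A$, $X_B$, $Y_A$, $Y_B$, $Y_E$]
$P_{Y_A Y_B Y_E \mid X_A X_B}$
2DMWC
[Figure labels: $X_A$, $X_B$, $Y_{fE}$, $Y_B$, $Y_A$, $Y_{bE}$]
$P_{Y_B Y_{fE} \mid X_A}$
$P_{Y_A Y_{bE} \mid X_B}$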
Backup Slide
With randomness, pe=0.1
Without randomness, pe=0.2
pe=0.1
Backup Slide
Transmission Tampering
bit abstraction signal bit abstraction signal
0 keep
flip
1 set-to-0
set-to-1
On-off Keying (OOK)
Bitwise Manipulation Detection
Backup Slide
Basic protocol: Challenge&Response + MAC
BRM-DBV protocol: general adversary
BRM-DBV protocol: sampling adversary
Instance 1 (detailed)
[Figure: protocol diagram between Alice and Bob with eavesdropper Eve, shown for Round 1 and Round 2. INPUT: (Randomness). OUTPUT: Key, Randomness.]
Instance 2 (abstract)
SKE over 2DMWC without Randomness: The Basic Protocol
Backup Slide