Proceedings of the 2nd Workshop on Communication Security : Cryptography and Physical Layer Security 978-3-319-59265-7, 3319592653, 978-3-319-59264-0

Table of contents :
Front Matter ....Pages i-xiii
A Study of Injection and Jamming Attacks in Wireless Secret Sharing Systems (Arsenia Chorti)....Pages 1-14
Robust Secret Sharing for End-to-End Key Establishment with Physical Layer Keys Under Active Attacks (Stefan Pfennig, Sabrina Engelmann, Elke Franz, Anne Wolf)....Pages 15-32
Semantically-Secured Message-Key Trade-Off over Wiretap Channels with Random Parameters (Alexander Bunin, Ziv Goldfeld, Haim H. Permuter, Shlomo Shamai (Shitz), Paul Cuff, Pablo Piantanida)....Pages 33-48
Hash-then-Encode: A Modular Semantically Secure Wiretap Code (Setareh Sharifian, Fuchun Lin, Reihaneh Safavi-Naini)....Pages 49-63
A CCA-Secure Cryptosystem Using Massive MIMO Channels (Thomas Dean, Andrea Goldsmith)....Pages 65-77
You Are How You Play: Authenticating Mobile Users via Game Playing (Riccardo Spolaor, Merylin Monaro, Pasquale Capuozzo, Marco Baesso, Mauro Conti, Luciano Gamberini et al.)....Pages 79-96
Fuzzy Authentication Using Rank Distance (Alessandro Neri, Joachim Rosenthal, Davide Schipani)....Pages 97-108
A McEliece-Based Key Exchange Protocol for Optical Communication Systems (Joo Yeon Cho, Helmut Griesser, Danish Rafique)....Pages 109-123
An ICN-Based Authentication Protocol for a Simplified LTE Architecture (Alberto Compagno, Mauro Conti, Muhammad Hassan)....Pages 125-140
Back Matter ....Pages 141-141

Citation preview

Lecture Notes in Electrical Engineering 447

Marco Baldi Elizabeth A. Quaglia Stefano Tomasin Editors

Proceedings of the 2nd Workshop on Communication Security Cryptography and Physical Layer Security

Lecture Notes in Electrical Engineering Volume 447

Board of Series editors Leopoldo Angrisani, Napoli, Italy Marco Arteaga, Coyoacán, México Samarjit Chakraborty, München, Germany Jiming Chen, Hangzhou, P.R. China Tan Kay Chen, Singapore, Singapore Rüdiger Dillmann, Karlsruhe, Germany Haibin Duan, Beijing, China Gianluigi Ferrari, Parma, Italy Manuel Ferre, Madrid, Spain Sandra Hirche, München, Germany Faryar Jabbari, Irvine, USA Janusz Kacprzyk, Warsaw, Poland Alaa Khamis, New Cairo City, Egypt Torsten Kroeger, Stanford, USA Tan Cher Ming, Singapore, Singapore Wolfgang Minker, Ulm, Germany Pradeep Misra, Dayton, USA Sebastian Möller, Berlin, Germany Subhas Mukhopadyay, Palmerston, New Zealand Cun-Zheng Ning, Tempe, USA Toyoaki Nishida, Sakyo-ku, Japan Bijaya Ketan Panigrahi, New Delhi, India Federica Pascucci, Roma, Italy Tariq Samad, Minneapolis, USA Gan Woon Seng, Nanyang Avenue, Singapore Germano Veiga, Porto, Portugal Haitao Wu, Beijing, China Junjie James Zhang, Charlotte, USA

About this Series “Lecture Notes in Electrical Engineering (LNEE)” is a book series which reports the latest research and developments in Electrical Engineering, namely: • • • • •

Communication, Networks, and Information Theory Computer Engineering Signal, Image, Speech and Information Processing Circuits and Systems Bioengineering

LNEE publishes authored monographs and contributed volumes which present cutting edge research information as well as new perspectives on classical fields, while maintaining Springer’s high standards of academic excellence. Also considered for publication are lecture materials, proceedings, and other related materials of exceptionally high quality and interest. The subject matter should be original and timely, reporting the latest research and developments in all areas of electrical engineering. The audience for the books in LNEE consists of advanced level students, researchers, and industry professionals working at the forefront of their fields. Much like Springer’s other Lecture Notes series, LNEE will be distributed through Springer’s print and electronic publishing channels.

More information about this series at http://www.springer.com/series/7818

Marco Baldi Elizabeth A. Quaglia Stefano Tomasin •

Editors

Proceedings of the 2nd Workshop on Communication Security Cryptography and Physical Layer Security

123

Editors Marco Baldi Università Politecnica delle Marche Ancona Italy

Stefano Tomasin University of Padova Padova Italy

Elizabeth A. Quaglia Royal Holloway, University of London Egham UK

ISSN 1876-1100 ISSN 1876-1119 (electronic) Lecture Notes in Electrical Engineering ISBN 978-3-319-59264-0 ISBN 978-3-319-59265-7 (eBook) DOI 10.1007/978-3-319-59265-7 Library of Congress Control Number: 2017940807 © Springer International Publishing AG 2018 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. Printed on acid-free paper This Springer imprint is published by Springer Nature The registered company is Springer International Publishing AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Preface

In the recent years, we have assisted at a rising interest and dialogue between two approaches to security: the well-established cryptographic approach based on computational security and the recently explored physical-layer (or information theoretic) security, also known as unconditional security. While both approaches have solid basis on the works by Shannon, their evolution over the years has taken different paths. On the one hand, cryptography typically relies on the difficulty of solving hard mathematical problems which can be drastically simplified with some a priori knowledge, i.e. the secret. This approach now faces various challenges from the ever-growing computational power available to end-users, and the increasing progress of quantum computing that promises to ultimately break computational barriers. On the other hand, physicallayer security aims at exploiting the physical characteristics of the channels over which a confidential communication occurs, providing a secret not available to attackers who experience different channels: under suitable assumptions, we can ensure that the attacker does not have any knowledge of the secret communication, irrespective of its computational power. Physical-layer security also has limits since it is prone to other types of attacks typically leveraging the physical implementation of devices (such as the use of multiple antennas), allowing, for instance, to capture information on the legitimate channel conditions, thus having access to the secret shared by the legitimate parties. The two approaches have also developed their own performance metrics and methodologies, as well as their implemented solutions. A seminal work by Bellare, Tessaro and Vardy plays the role of a Rosetta Stone by putting side by side metrics and languages of the two worlds and establishing a bridge between them. In the meantime, engineers have been studying how to integrate the solutions into their products rather than relying exclusively on one of the two. Since then, works on code design and secure system architectures have been appearing, confirming this trend. Moreover, practical implementations of security systems may de-facto incorporate cryptography and physical-layer security. Examples include the use of physical characteristics (such as electrical noise) for the generation of random numbers then used for cryptography, or the use of two factors in authentication, v

vi

Preface

where the user is identified both by a password and physical characteristics (e.g. biometric features). The aim of the Second Workshop on Communication Security (WCS), organized in 2017 in Paris and affiliated with Eurocrypt 2017, was to provide a forum to discuss cutting-edge cross-disciplinary research in these areas and to share visions for future advances. This book collects the contributions presented at the workshop. The first two chapters are devoted to recent advances in physical-layer security techniques. Chapter “A Study of Injection and Jamming Attacks in Wireless Secret Sharing Systems” studies the vulnerabilities of physical-layer secret key generation schemes to denial of service attacks based on signal jamming and injection by an active attacker. Some relevant countermeasures based on optimal signalling schemes are also described. A scenario of the same type is considered in Chapter “Robust Secret Sharing for End-to-End Key Establishment with Physical Layer Keys Under Active Attacks” which addresses the issue of end-to-end key establishment between a sender and a receiver in the presence of a special class of active attackers, able to modify or drop messages in transit. This and other adversarial attacks are counteracted by using a robust secret sharing scheme. The second group of chapters is devoted to cross-layer approaches between cryptography and physical-layer security. In the rigorous framework of semantic security, Chapter “Semantically-Secured Message-Key Trade-off over Wiretap Channels with Random Parameters” considers the secret message/secret key trade-off over wiretap channels with non-causal encoder channel state information and establishes a new bound on the region of semantically secure message/key pairs using a novel superposition coding scheme. This work lives in the physical-layer security domain, but benefits from a unified language to which cryptographers can also relate. With a similar cross-disciplinary approach, Chapter “Hash-then-Encode: A Modular Semantically Secure Wiretap Code” proposes a modular semantically secure wiretap code, relying on cryptographic tools such as efficiently invertible universal hash functions, as well as error correcting codes. Proof of security and capacity analysis provide a formal framework to a simple and elegant solution. Chapter “A CCA-Secure Cryptosystem Using Massive MIMO Channels” also combines physical-layer security with computational security and proposes to use the massive multiple input multiple output (MIMO) channel as a key to encrypt messages between the legitimate transmitter and receiver, while leaving the eavesdropper with an exponentially complex decoding problem. In this case, both the physical channel (which is not needed to be secret but clearly links the two legitimate parties) and the complexity associated with lattice decoding provide the desired security. The third group of chapters is devoted to computational security approaches, with special focus on authentication techniques. Chapter “You Are How You Play: Authenticating Mobile Users via Game Playing” proposes the use of cognitive skills to complement password-based user authentication on mobile devices. In this two-factor approach, the user is requested to play small games which are based on the attentional paradigm of cognitive psychology. Chapter “Fuzzy Authentication Using Rank Distance” deals with authentication techniques specifically designed

Preface

vii

for using biometric features, like fingerprints. Fuzzy authentication schemes using rank metric codes and linearized polynomials are proposed, as a valid alternative to classical schemes based on codes in the Hamming metric. Chapter “A McElieceBased Key Exchange Protocol for Optical Communication Systems” proposes an application of the McEliece cryptosystem, that is a well-known public-key cryptosystem able to resist attacks based on quantum computers, to the context of authentication protocols for optical networks. In Chapter “An ICN-Based Authentication Protocol for a Simplified LTE Architecture”, the authentication protocol used in the long-term evolution (LTE) cellular communication system is revised, and a simplified infrastructure supporting Internet protocol (IP) mobility is proposed, using the information centric networking paradigm. The proposed solution reduces the number of messages required to perform authentication. The results presented in this book advance the state of the art in crossdisciplinary security research and significantly contribute to a vision of improved joint security. Ancona, Italy Egham, UK Padova, Italy March 2017

Marco Baldi Elizabeth A. Quaglia Stefano Tomasin

Program Committee

Marco Baldi, Università Politecnica delle Marche Jean-Claude Belfiore, Telecom ParisTech/Huawei Matthieu Bloch, Georgia Institute of Technology Srdjan Capkun, ETH Zurich Franco Chiaraluce, Università Politecnica delle Marche Arsenia Chorti, University of Essex Angelo De Caro, IBM Research Trung Duong, Queen’s University Belfast Willie Harrison, University of Colorado Colorado Springs Camilla Hollanti, Aalto University Eduard Jorswieck, Technical University Dresden Stefan Katzenbeisser, TU Darmstadt Nicola Laurenti, University of Padova David Naccache, ENS Kenneth Paterson, Royal Holloway, University of London Elizabeth A. Quaglia, Royal Holloway, University of London Joachim Rosenthal, University of Zurich Rafael Schaefer, Technische Universität Berlin Stefano Tomasin, University of Padova Damien Vergnaud, ENS Ulm João P. Vilela, University of Coimbra

ix

Contents

A Study of Injection and Jamming Attacks in Wireless Secret Sharing Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Arsenia Chorti 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Secret Key Generation Systems in the Presence of an Active Adversary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 MiM in SKG Systems: Injection Attacks . . . . . . . . . . . . . . . . 4 Jamming Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Robust Secret Sharing for End-to-End Key Establishment with Physical Layer Keys Under Active Attacks . . . . . . . . . . . . . . . . . . . . Stefan Pfennig, Sabrina Engelmann, Elke Franz and Anne Wolf 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Physical Layer Key Generation . . . . . . . . . . . . . . . . . . . . . . . 4 End-to-End Key Establishment . . . . . . . . . . . . . . . . . . . . . . . 5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

....

1

....

1

. . . . .

2 4 8 12 13

....

15

. . . . . .

15 16 19 20 31 31

. . . . .

. . . . .

. . . . . .

. . . . .

. . . . . .

. . . . . .

Semantically-Secured Message-Key Trade-Off over Wiretap Channels with Random Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alexander Bunin, Ziv Goldfeld, Haim H. Permuter, Shlomo Shamai (Shitz), Paul Cuff and Pablo Piantanida 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 SM-SK Trade-Off over Wiretap Channels with Non-Causal Encoder CSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Past Results as Special Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

33

34 37 38 42

xi

xii

Contents

5 Outline of Proof of Theorem 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Summary and Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hash-then-Encode: A Modular Semantically Secure Wiretap Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setareh Sharifian, Fuchun Lin and Reihaneh Safavi-Naini 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Preliminary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 A Modular Construction of Efficiently Invertible UHFs (ei-UHF) . . . . . . . . . . . . . . . . . . . . . . . . . . 4 HtE (Hash-then-Encode) Construction . . . . . . . . . 5 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

45 46 47

.............

49

............. .............

49 53

. . . . .

. . . . .

55 57 61 62 63

....

65

. . . . . .

65 67 69 71 75 76

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

A CCA-Secure Cryptosystem Using Massive MIMO Channels . . . . Thomas Dean and Andrea Goldsmith 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Main Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 A CCA-Secure Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . 5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . .

. . . . .

. . . . . .

. . . . .

. . . . . .

. . . . . .

You Are How You Play: Authenticating Mobile Users via Game Playing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Riccardo Spolaor, Merylin Monaro, Pasquale Capuozzo, Marco Baesso, Mauro Conti, Luciano Gamberini and Giuseppe Sartori 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Fuzzy Authentication Using Rank Distance . . . . . . . . . . . . . . Alessandro Neri, Joachim Rosenthal and Davide Schipani 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Rank Metric Codes and Linearized Polynomials . . . . . 3 Fuzzy Commitment Scheme with the Rank Distance . . 4 A Linearized Polynomial Fuzzy Vault Scheme . . . . . . 5 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

......... . . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

79

80 81 83 88 92 94 97 97 98 100 101 107 108

Contents

A McEliece-Based Key Exchange Protocol for Optical Communication Systems . . . . . . . . . . . . . . . . . . . . . . . . . . Joo Yeon Cho, Helmut Griesser and Danish Rafique 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 A Proposed Key Exchange Protocol . . . . . . . . . . 5 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . 6 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . An ICN-Based Authentication Protocol for a Simplified LTE Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alberto Compagno, Mauro Conti and Muhammad Hassan 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 ICN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Authentication and Mobile Management in LTE . 4 Simplified LTE Architecture for ICN . . . . . . . . . . 5 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Security Discussion . . . . . . . . . . . . . . . . . . . . . . . 7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

xiii

.............

109

. . . . . . . . .

. . . . . . . . .

109 111 113 113 115 118 120 120 121

.............

125

. . . . . . . .

125 127 127 130 135 138 139 139

. . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . .

. . . . . . . .

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

A Study of Injection and Jamming Attacks in Wireless Secret Sharing Systems Invited Paper Arsenia Chorti

Abstract Secret key generation (SKG) schemes have been shown to be vulnerable to denial of service (DoS) attacks in the form of jamming and to man in the middle attacks implemented as injection attacks. In this paper, a comprehensive study on the impact of correlated and uncorrelated jamming and injection attacks in wireless SKG systems is presented. First, two optimal signalling schemes for the legitimate users are proposed and the impact of injection attacks as well as counter-measures are investigated. Finally, it is demonstrated that the jammer should inject either correlated jamming when imperfect channel state information (CSI) regarding the main channel is at their disposal, or, uncorrelated jamming when the main channel CSI is completely unknown.

1 Introduction The increasing deployment of wireless systems poses security challenges in next generation dynamic and decentralized networks, consisting of low cost, low complexity devices. Over the last two decades alternative/complementary means to secure data exchange in wireless settings have been investigated in the framework of physical layer security (PLS), addressing jointly the issues of reliability and secrecy. One of the most mature topics in PLS is the generation of secret keys via public discussion, based on either the so-called source model [1, 2] or the so-called channel model [3]. Single letter characterizations of the secret key capacity were derived in [1], while in [2] it was demonstrated that the secret keys can be generated without any information leakage to a passive adversary; in [4] these results have been extended to multiple terminals. Simple secret key generation (SKG) techniques have been proposed for wireless networks by exploiting the inherent correlation of the channel state information (CSI) between a pair of legitimate nodes due to reciprocity [5]. FurtherA. Chorti (B) School of Computer Science and Electronic Engineering, Wivenhoe Park, Colchester CO4 3SQ, UK e-mail: [email protected] © Springer International Publishing AG 2018 M. Baldi et al. (eds.), Proceedings of the 2nd Workshop on Communication Security, Lecture Notes in Electrical Engineering 447, DOI 10.1007/978-3-319-59265-7_1

1

2

A. Chorti

more, SKG processes over unauthenticated channels have recently been proposed [6–8], allowing to consolidate the proposed techniques with standard authenticated encryption (A.E.) schemes [9]. However, SKG systems are not robust against all types of active adversaries. Recently, in [10] the effect of denial of service attacks (DoS) in the form of jamming was demonstrated to substantially decrease SKG rates; with increasing jamming power the SKG rates were shown to asymptotically diminish. In this investigation the adversaries were assumed to inject constant jamming signals and have been shown to have a maximum impact on the SKG system when they were able to evaluate the channel state information (CSI) in the links between themselves and the legitimate nodes (partial CSI availability). However, neither the optimality of employing constant jamming signals nor the scenario of an adversary with imperfect estimate of the main channel CSI were addressed. Furthermore, in [11] and it was shown that injection type of attacks allow an active adversary to act as a man in the middle (MiM) and potentially control (a large) part of the generated key. A simple heuristic approach to defend against injection type of attacks was presented in [12] by multiplying the received signals with independent zero-mean random signals, locally generated at the legitimate nodes. Although the proposed approach allows converting injection attacks to (potentially less harmfull) uncorrelated jamming attacks, the choice of the independent random signals was not optimized to maximize the SKG rates. The limited literature on the impact of active adversaries on SKG systems reveals that a systematic analysis of these types of attacks is timely. In the present study, we begin with a review of joint SKG and crypto protocols in Sect. 2. Next, we determine optimal signalling schemes for the pair of legitimate nodes in Sect. 3, where we also investigate injection type of attacks. It is demonstrated that by employing a binary symmetric Bernoulli probing the legitimate nodes can reduce the injection attack to an uncorrelated jamming attack. Subsequently, jamming attacks are investigated in detail in Sect. 4, accounting for the worst case scenario in which a malicious node might obtain an imperfect estimate of the main channel CSI. This worst case scenario is essential in evaluating realistically the limitations of employing physical layer security techniques in next generation systems as argued in [13]. The conclusions of this work are presented in Sect. 5.

2 Secret Key Generation Systems in the Presence of an Active Adversary The SKG standard procedure typically encompasses three phases [2]: (1) Advantage distillation: The legitimate nodes exchange probe signals to obtain estimates of their reciprocal CSI and pass them through a suitable quantizer [14]. Commonly, the received signal strength (RSS) has been used as the CSI parameter for generating the shared key [15], while in [9, 16] the CSI phase has been proposed.

A Study of Injection and Jamming Attacks in Wireless Secret Sharing Systems Fig. 1 System model of the SKG process. Alice and Bob denote the legitimate nodes and Mallory an active adversary

3

H Alice

H

Bob

Mallory

(2) Information reconciliation: Discrepancies in the quantizer local outputs due to imperfect channel estimation are reconciled through public discussion using Slepian Wolf decoders. Numerous practical information reconciliation approaches using standard forward error correction (FEC) codes such as low density parity check codes have been proposed [17, 18], while in [9] the possibility of employing short Bose, Chaudhuri, Hocquenghem (BCH) FEC codes has also been explored. (3) Privacy amplification: Applying universal hash functions to the reconciled information ensures that the generated keys are uniformly distributed and completely unpredictable by an adversary [19]. Privacy amplification ensures that the generated keys have maximum entropy (i.e., are uniformly distributed). More importantly, it ensures that even if an adversary has access to (even a large) part of the decoder output, the final secret key can be unpredictable [20]. The baseline SKG system model in the presence of an active adversary is depicted in Fig. 1. Following standard nomenclature of information security, the legitimate nodes are referred to as Alice and Bob while the malicious active adversary as Mallory. The SKG process exploiting rich multipath wireless channels includes two distinct cycles over which the channel coefficients between Alice and Bob are assumed to be reciprocal and stationary and then to change independently [20, 21], i.e., both cycles take place within the channel’s coherence time.1 The main channel fading coefficient is denoted by H and is modeled as a complex zero-mean Gaussian circularly symmetric random variable H ∼ C N (0, σ H2 ). Typically, in modern communication systems, tampering attacks are averted by the employment of public key encryption (PKE) schemes when no pre-shared secret (i.e., a pre-established key at both Alice and Bob) is available. To be deemed adequately robust, current PKE schemes rely on trapdoor functions such as the RivestShamir-Adleman (RSA) protocol or Diffie-Hellman (DH) variants with key lengths of at least 2048 bits. However, the computational resources required to generate symmetric keys using RSA or DH are substantial. Even more importantly, increasing computing power and especially the potential of quantum computing, threatens these schemes. As a result, the key generation phase in the PKE protocol can be a limiting factor in the performance of resource constrained systems such as sensor networks, and, physical layer security alternatives would be worth exploring [23]. 1 This

assumption does not affect the nature of the conclusions reached. For more realistic channel models that account for correlation of the fading coefficients see [22] and related works.

4

A. Chorti

To develop robust algorithms that can withstand tampering attacks, standard symmetric key block ciphers and message authentication (MAC) protocols can be used in conjunction with SKG [6–9, 15]. Reviewing such a possible scheme, let us assume that Alice wishes to transmit over a wireless multipath channel a secret message m to Bob. The following algorithms are employed: the SKG scheme, a symmetric encryption algorithm denoted by Es with corresponding decryption Ds and a MAC denoted by Sign with a corresponding verification algorithm Ver. The SKG procedure is launched between Alice and Bob; at the output of her Slepian Wolf decoder Alice obtains a secret key K and a corresponding coset. She breaks her key in two parts K={Ke, Ki} and uses the first part of the key to encrypt the message as the ciphertext cipher=Es(Ke, m). Subsequently, using the second part of the key she signs the ciphertext using the signing algorithm t=Sign(Ki, cipher) and transmits to Bob the extended ciphertext C = [coset||cipher||t] . Bob checks the integrity of the received ciphertext as follows: from C he extracts coset, cipher and t. From coset and his own observation he evaluates K={Ke, Ki}. Subsequently, Bob evaluates v=Ver(Ki, cipher, t); v is either equal to ⊥ if the integrity test failed or cipher if the integrity test was successful. The integrity test will fail if any part of C was modified; for example, if coset was modified during the transmission then Bob would have evaluated a wrong key K and the integrity test would have failed. If the integrity test was successful then Bob decrypts m=Ds(Ke, cipher). It is clear form the above that building semantically secure A.E. protocols using the SKG procedure is straightforward as long as the channel probing phase of the scheme is robust against active attacks. Therefore it is of particular interest to study man in the middle (MiM) and denial of service attacks during the channel excitation phase of the SKG protocol. In the following Sections two such active attacks during the channel probing are discussed. Firstly, MiM attacks referred to as “injection” attacks are investigated in Sect. 3; an active adversary—Mallory—tries to control part of the generated secret key K by spoofing the channel estimation phase of the SKG scheme. Subsequently, in Sect. 4, DoS in the form of jamming are studied. In either case Mallory’s optimal strategy is discussed and respective countermeasures are proposed.

3 MiM in SKG Systems: Injection Attacks We begin our discussion of injection attacks by investigating optimal signalling schemes for SKG systems.

A Study of Injection and Jamming Attacks in Wireless Secret Sharing Systems

5

3.1 Optimal Signalling Let us assume that Alice and Bob exchange a probe signal X and that their respective observations Z A and Z B , can be expressed as Z A = X H + N A, Z B = X H + NB ,

(1) (2)

where X denotes the channel input and N A and N B denote zero mean Gaussian random variables that model the impact of additive white Gaussian noise with (N A , N B ) ∼ C N (0, diag(σ A2 , σ B2 )). An upper bound on the SKG rate is given by min[I (Z A ; Z B ), I (Z A ; Z B |Z M )], where Z M denotes the adversarial observation [1, 2]. In Rayleigh fading channels in particular, the above bound can be made tight and the SKG capacity can be expressed as C = I (Z A ; Z B ) if Z M is uncorrelated with Z A and Z B due to the decorrelation properties of the fading coefficients over short distances (of the order of a wavelength) [18, 24]. In the following we assume that the decorrelation property holds. For the above system model with an average power constraint E[|X |2 ] ≤ P and assuming the adversary’s observation is independent from Z A , Z B , the input distribution of X maximizing the secret key capacity C = I (Z A ; Z B ) is discrete with a finite number of mass points, similarly to the optimal input distribution of Rayleigh fading channels without CSI at the transmitter and the receiver [25]. To verify the validity of this statement we begin by formulating the signalling optimization problem as max I (Z A ; Z B ) p(x)

(3)

s.t. E[|X |2 ] ≤ P. where p(x) is the pdf of X . (1), (2) correspond to the two-look channel [26, pp. 290] with input variable X H and power constraint E[|X H |2 ] = E[|X |2 ]E[|H |2 ] = E[|X |2 ]σ H2 ≤ Pσ H2 . The input distribution that maximizes I (Z A ; Z B ) is Gaussian [26] while the convexity of the mutual information dictates transmitting with maximum power. √   Remark 1 Since H ∼ C N 0, σ H2 , scalar signalling X = P preserves the Gaussianity of the input and is therefore optimal. This is the standard signalling method employed in SKG systems, e.g., [18]. However, it is worth noting that the Gaussianity of the product X H is also preserved √ when√X is a zero-mean symmetric P, P} and probability mass funcBernoulli random variable with support k = {− √ √ tion p X (− P) = p X ( P) = 0.5. Next, it is demonstrated that using the latter signalling as opposed to the former can be employed as a simple defense mechanism, reducing injection type of attacks to jamming attacks.

6

A. Chorti

3.2 Injection Attacks MiM in the form of injection type of attacks constitute one of the most serious limitations in SKG systems extracting secret keys from RSS measurements [5, 11, 12] (it is yet unknown whether this attack can be launched to systems using CSI or the phase of the received signal [13]). Various possible approaches have so far surfaced on how to launch injection attacks; in [5] the attack consisted in controlling the movement of intermediate objects in the wireless medium, thus generating predictable changes in the received RSS (e.g., by obstructing or not a LOS), while in [11] whenever similar channel envelope measurements were received from Alice and Bob, Mallory spoofed the SKG process by injecting a MiM signal W . Irrespective of the practical approach used to launch the attack, Alice’s and Bob’s observations respectively under injection type of attacks can be expressed as: Z A = X H + W + N A, Z B = X H + W + NB .

(4) (5)

where W denotes the spoofing signal. Assuming a power constraint E[|W |2 ] ≤ Γ , an upper bound of the secret key rate controlled Mallory is given by L ≤ I (Z A , Z B ; W ).

(6)

The optimal injection signal corresponds to maximizing the capacity of the twolook Gaussian channel and can be shown to be Gaussian [26]. Assuming that W ∼ C N (0, Γ ) we have that I (Z A , Z B ; W ) = h(Z A , Z B ) − h(X H + N A , X H + N B ) = log(2π e)2 |K | − log(2π e)2 |Q| ⎛ ⎞ Γ ⎠, = log ⎝1 + σ2σ2 Pσ H2 + σ 2A+σB2 A

(7)

B

where (Z A , Z B ) ∼ C N (0, K ) with  K =

Pσ H2 + Γ Pσ H2 + Γ + σ A2 2 Pσ H2 + Γ + σ B2 Pσ H + Γ



and (X H + N A , X H + N B ) ∼ C N (0, Q) with  Q=

Pσ H2 Pσ H2 + σ A2 2 Pσ H Pσ H2 + σ B2

.

(8)

A Study of Injection and Jamming Attacks in Wireless Secret Sharing Systems

7

In the following two possible countermeasures are discussed based on the availability of side information regarding the injection signal W .

3.3 Defense Against MiM with Side Information Injection type of attacks can be averted at the privacy amplification stage [12]. However, it is necessary for Alice and Bob to be able to estimate the necessary compression rate to suppress information leakage to Mallory. This task is not trivial as Alice and Bob would need to be able to measure L, which is only possible when side information regarding the power Γ of W is available at Alice and Bob. For the system model described in (4) and (5) the achievable rate I (Z A ; Z B ) at the output of the Slepian Wolf decoders can be evaluated as: I (Z A ; Z B ) = h(Z A ) + h(Z B ) − h(Z A , Z B ) ⎛ ⎞ 2 + Γ Pσ H ⎠. = log ⎝1 + σ 2 σ B2 σ A2 + σ B2 + PσA2 +Γ

(9)

H

Assuming that Mallory does not have any side information regarding H , the secret key rate is upper bounded by [1] C ≤ min[I (Z A ; Z A |W ), I (Z A ; Z B )] = I (Z A ; Z B |W ) = h(Z A , Z B |W ) − h(N A , N B ) ⎛ ⎞ 2 Pσ H ⎠. = log ⎝1 + σ A2 σ B2 2 2 σ A + σ B + Pσ 2

(10)

H

Therefore, the necessary compression rate D at the privacy amplification stage is lower bounded by D ≥ I (Z A ; Z B ) − I (Z A ; Z B |W )  (Pσ H2 + Γ )2 = log 1 + (Pσ H2 + Γ )(σ A2 + σ B2 ) + σ A2 σ B2  (Pσ H2 )2 . − log 1 + Pσ H2 (σ A2 + σ B2 ) + σ A2 σ B2

(11)

As long as Mallory does not have a practically noiseless channel, rate compression of the (maximum achievable) rate I (Z A ; Z B ) at the outputs of the Slepian Wolf decoders by at least D ensures that Alice and Bob can establish a secret key without leakage to Mallory.

8

A. Chorti

3.4 Defense Against MiM Without Side Information An alternative countermeasure against MiM attacks was proposed in [12], denoted by user introduced randomness (UIR). The central idea behind the proposed approach was the post-multiplication of Alice’s and Bob’s observation by local zero-mean independent random variables to eliminate any correlation between the injected signals observed by Alice and Bob. Following this approach it is possible to reduce injection attacks to jamming attacks. Motivated by the UIR approach and taking into consideration Remark 1, we propose the√following modification of the standard SKG protocol with constant signalling X = P, detailed in the following. Alice and Bob observe local sources of randomness denoted by ω A and ω B respectively. According to the output of ω A Alice transmits a random probe signal √ X√following a zero-mean symmetric Bernoulli distribution with support k = {− P, P} and success probability p = 0.5, X ∼ B( p, k). Likewise, Bob observes ω B and generates a random probe signal Y ∼ B( p, k). Finally Alice and Bob use X, Y to pre and post multiply their observations so that the secret key is to be generated from the new observations Z˜ A = X Y H + X W + X N A , Z˜ B = X Y H + Y W + Y N B .

(12) (13)

Due to the fact that X, Y are independent and zero-mean, it is straightforward to show that X W and Y W are uncorrelated while the Gaussianity of Z˜ A , Z˜ B is preserved. Alice and Bob extract the common key from the new common randomness X Y H instead of H . On the other hand, since X H, Y H, X N A , Y N B are independent zero-mean Gaussian random variables, the proposed scheme renders injection attacks to uncorrelated jamming attacks. Assuming that Mallory does not have any information on X Y H , the secret key capacity is upper bounded by [1] C˜ ≤ min[I ( Z˜ A ; Z˜ A |W ), I ( Z˜ A ; Z˜ B )] = I ( Z˜ A ; Z˜ B ) ⎛ ⎞ 2 Pσ H ⎠. = log ⎝1 + (σ 2 +Γ )(σ 2 +Γ ) σ A2 + σ B2 + 2Γ + A Pσ 2 B

(14)

H

4 Jamming Attacks There have been numerous analyses of proactive and reactive jamming attacks in wireless systems [27], the main difference between the two being whether the malicious node injects jamming signals constantly or during certain parts of the commu-

A Study of Injection and Jamming Attacks in Wireless Secret Sharing Systems

9

nication cycle. It has been found that standard methods for identifying and protecting against reactive jamming attacks can fail because of the low energy required to launch the attack compared to proactive jamming. It can be deduced that with respect to (w.r.t.) SKG systems it is necessary for Mallory to disrupt only one of the two communication cycles in order to inflict an efficient attack. Based on this observation, the set up for the study of jamming attacks is detailed in the following: During the first cycle, Alice broadcasts probe signals X while Mallory observes the channel and obtains an estimate Hˆ of the main channel CSI that satisfies [28, 29]

(15) H = 1 − α 2 Hˆ + α H˜ , where H˜ ∼ C N (0, σ H ) denotes the estimation error and α ∈ [0, 1]. For α = 0 Mallory has a perfect estimate of the main channel CSI while for α = 1 Mallory has no main channel CSI. In analogy to the first cycle, during the second cycle Bob broadcasts Y . In standard SKG systems α = 1, however in the present investigation we allow for the possibility of a very powerful adversary using ray tracing techniques as proposed in [13]. The motivation behind investigating scenarios with α < 1 lies in the numerous practical systems implementing basic versions of the SKG approach using the RSS as the source of shared randomness due to ease of implementation and not accounting for phase information in the CSI; in these types of systems, particularly in Rician environments it is possible to retrieve a noisy version of the shared randomness variable. Furthermore, we assume that Mallory is able to obtain a perfect estimate of its CSI to Alice and Bob. In this work we assume that Mallory attempts to obtain an estimate of the main channel CSI over the first cycle and transmit a jamming signal J over the second with power Γ . Based on the above, Alice’s and Bob’s observations, denoted by Z A and Z B , respectively, can be expressed as Z A = H X + N A,

(16)

Z B = H X + G J + NB ,

(17)

where G ∼ C N (0, σG2 ) models the Bob-Mallory link CSI, (N A , N B ) ∼ C N (0, I2 ) denote i.i.d. circularly symmetric complex Gaussian random variables modeling the effect of white noise on the system and In the identity matrix of dimension n. For the establishment of the secret key Alice needs to transmit reconciliation data to Bob at a minimum rate h(Z B |Z A ) [1, 2, 24]. Using this model, in [10] the metric employed to evaluate the impact of a jammer on the SKG process was defined by R=

h(Z B |Z A ) , C

(18)

10

A. Chorti

where C denotes the SKG capacity. In this study, for simplicity the derivation of optimal jamming schemes and of the power allocation policies for the jammer employs as objective function the raw rate of reconciliation data h(Z B |Z A ).

4.1 Full Main Channel CSI at Mallory: Correlated Jamming For simplicity, in the √ following, we assume that the legitimate users employ constant signalling X = Y = P. In the case of perfect CSI availability at the jammer, it has been shown that correlated jamming is optimal in point-to-point as well as multi-user and multiple input multiple output systems [30, 31]. We will demonstrate that the same is true in the case of SKG systems when α = 0. When the jammer has a perfect estimate of the main channel CSI H the SKG capacity is C = 0 and it can be argued that jamming is not necessary; however, the following analysis will serve as the basis in deriving the jamming strategy in the realistic scenario α > 0. In this context, following the methodology introduced in [10] we assume that Mallory’s objective is the disruption of the SKG process (instead of eavesdropping), by increasing the cost of the reconciliation phase, i.e., by maximizing h(Z B |Z A ). Employing this criterion the following proposition formalizes the jammer’s optimal jamming strategy. Proposition 1 When full CSI is available at the jammer, the optimal jamming signal J that maximizes the minimum required rate of reconciliation data h(Z B |Z A ) is linear to H . Proof The jammer wishes to maximize h(Z B |Z A ) = h(Z A , Z B |H ) + h(H ) − h(Z A ).

(19)

The maximization is achieved by maximizing the term h (Z A , Z B |H ) that is controlled by the jammer; h(H ) and h(Z A ) are independent of the jammer’s actions. We show that a linear jamming signal achieves this goal. We have that h (Z A , Z B |H ) = h (Z A , Z B − λH |H ) ≤ h (Z A , Z B − λH )   ≤ log (2π e)2 |Λ| ,

(20) (21)

where (20) holds because conditioning reduces entropy and Λ is the covariance matrix of (Z A , Z B − λH ). Regarding (21), we note that for a given autocorrelation matrix the entropy is maximized by a Gaussian distribution [26]. Equations (20) and ∗ (21) hold for arbitrary λ; here we choose λ = E[ZσB2H ] . H

A Study of Injection and Jamming Attacks in Wireless Secret Sharing Systems

11

Now let’s assume that the jammer employs linear jamming so that the jamming signal can be expressed as J =

√ κ H + v, G

(22)

where κ ∈ R and v ∈ R+ . Substituting (22) into (16)–(17), the observations at Alice and Bob can then be rewritten as ZA =

√

P H + N A, √ √ P + κ H + vG + N B . ZB =

(23) (24)

Next, suppose that optimal J˜ is found so that h (Z A , Z B |H ) is maximized, or, equivalently, (21) is satisfied with equality. We define R such that R = J˜ −

 E J˜ H ∗ H,

σ H2

(25)

so that R is uncorrelated with H . Exploiting this fact, the power of the optimal jamming signal is found to be 

E | J˜|2 =

 2    E  J˜ H ∗  σ H2

  + E |R|2 ,

and must satisfy the power constraint so that the optimal jamming signal is feasible. We observe that setting

κ=

 E J˜ G H ∗ σ H2

  v = E |R|2 ,

,

(26) (27)

results in J having the same power as J˜. Furthermore, the autocorrelation matrix Λ is the same for both J and J˜. Since uncorrelated Gaussian signals are also independent, J˜ achieves (20) and (21) with equality, and therefore so does J . In conclusion, J has power equal to that of the optimal jamming signal and satisfies the same constraints as the optimal jamming signal; as a result, J is optimal.  Remark 2 If Mallory has enough available power then the optimal jamming signal √ can designed so that κ = − P, i.e., Bob’s transmission during the second cycle can be completely canceled off.

12

A. Chorti

4.2 Imperfect Main Channel CSI at Mallory: Linear Jamming Now √let us assume that Mallory has imperfect main channel CSI s.t. H = 1 − α 2 Hˆ + α H˜ for some α ∈ (0, 1) and perfect channel CSI for the link Mallory-Alice. Based on the analysis in Sect. 4.1 Mallory can simply inject linear jamming in the form κ

J= 1 − α 2 Hˆ , (28) G so that Bob’s observation can be expressed as: √ Z B = ( P + κ)H + N˜ B ,

(29)

to the case of perfect main channel CSI, h(Z B |Z A ) with N˜ B = N B − ακ H˜ . Similarly √ is maximized for κ = − P if the jammer has sufficient power resources. When imperfect main channel CSI Hˆ is at Mallory’s disposal, the jamming signal that maximizes the rate of reconciliation data h(Z B |Z A ) is linear to Hˆ .

4.3 Absence of Main Channel CSI at Mallory: Uncorrelated Jamming Next, the optimal jamming is characterized in absence of main channel CSI, i.e., α = 1 in the following proposition. Proposition 2 For α = 1 when no main channel CSI √ is available at the jammer the optimal jamming signal J is the constant signal J = Γ . Proof The case of absence of main channel CSI can be treated as a subcase of the full CSI availability case examined in Sect. 4.1. Based on this observation, as shown in the proof of√Proposition 1, the optimal jamming signal can be expressed ∗ as J = E[Jσ G2 GH ] H + v. In absence of knowledge of H , the term J G is necessarily H √ √ ∗ ] uncorrelated with H so that J = E[J G]E[H H + v = v. Finally, due to the conσ H2 G vexity of the entropy, maximization √ is achieved when the power constraint is satisfied √ with equality, i.e., J = v = Γ . 

5 Conclusions In this study optimal signalling schemes were derived for SKG systems. Furthermore, a detailed analysis of injection type of attacks has revealed that it is possible to reduce them to jamming attacks by suitable signalling. Finally, the impact of correlated and uncorrelated jamming has been studied.

A Study of Injection and Jamming Attacks in Wireless Secret Sharing Systems

13

References 1. Ahlswede R, Csiszár I (1993) Common randomness in information theory and cryptography. part I: secret sharing. IEEE Trans Inf Theory 39(4):1121–1132 2. Maurer U (1993) Secret key agreement by public discussion based on common information. IEEE Trans Inf Theory 39(5):733–742 3. Lai L, Liang Y, Poor H (2012) A unified framework for key agreement over wireless fading channels. IEEE Trans Inf Forensics Secur 7(2):480–490 4. Csiszár I, Narayan P (2004) Secrecy capacities for mulitple terminals. IEEE Trans Inf Theory 50(12):3047–3061 5. Jana S, Nandha SP, Clark M, Kasera SK, Patwari N, Krishnamurthy SV (2009) On the effectiveness of secret key extraction from wireless signal strength in real environments. In: Proceedings of the 15th annual international conference on mobile computing networking. ACM, New York, pp 321–332 6. Maurer U, Wolf S (2003) Secret-key agreement over unauthenticated public channels-part I: definitions and a completeness result. IEEE Trans Inf Theory 49(4):822–831 7. Maurer U, Wolf S (2003) Secret-key agreement over unauthenticated public channels-part II: the simulatability condition. IEEE Trans Inf Theory 49(4):832–838 8. Maurer U, Wolf S (2003) Secret-key agreement over unauthenticated public channels-part III: privacy amplification. IEEE Trans Inf Theory 49(4):839–851 9. Saiki C, Chorti A (2015) A novel physical layer authenticated encryption protocol exploiting shared randomness. In: Proceedings of the IEEE conference communications and network security (CNS), Florence, Italy, pp 113–118 10. Zafer M, Agrawal D, Srivatsa M (2012) Limitations of generating a secret key using wireless fading under active adversary. IEEE/ACM Trans Netw 20(5):1440–1451 11. Eberz S, Strohmeier M, Wilhelm M, Martinovic I (2012) A practical man-in-the-middle attack on signal-based key generation protocols. In: Foresti S, Yung M, Martinelli F (eds) Proceedings of the 17th european symposium on research in computer security—computer security (ESORICS). Springer, Berlin Heidelberg, pp 235–252 12. Rong J, Kai Z (2015) Physical layer key agreement under signal injection attacks. In: IEEE conference on communications and network security (CNS), pp 254–262 13. Trappe W (2015) The challenges facing physical layer security. IEEE Commun Mag 53(6):16– 20 14. Wang Q, Su H, Ren K, Kim K (2011) Fast and scalable secret key generation exploiting channel phase randomness in wireless networks. In: Proceedings of the IEEE international conference on computer communications (INFOCOM), pp 1422–1430 15. Mathur S, Trappe W, Mandayam N, Ye C, Reznik A (2008) Radio-telepathy: extracting a secret key from an unauthenticated wireless channel. In: Proceedings of the 14th ACM international conference on mobile computing and networking. ACM, New York, pp 128–139 16. Sayeed A, Perrig A (2008) Secure wireless communications: secret keys through multipath. In: Proceedings of the IEEE international conference on acoustics, speech signal processing (ICASSP), Las Vegas, NV, 30 Mar–4 Apr 2008, pp 3013–3016 17. Ye C, Reznik A, Shah Y (2006) Extracting secrecy from jointly Gaussian random variables. In: Proceedings of the international symposium information theory (ISIT), Seatle, US, pp 2593–2597 18. Ye C, Mathur S, Reznik A, Shah Y, Trappe W, Mandayam N (2010) Information-theoretically secret key generation for fading wireless channels. IEEE Trans Inf Forensics Secur 5(2):240– 154 19. Maurer U, Renner R, Wolf S (2007) Unbreakable keys from random noise. In: Security with noisy data: on private biometrics, secure key storage and anti-counterfeiting. Springer, London, pp 21–44 20. Bloch M, Barros J (2011) Physical-layer security: from information theory to security engineering. Cambridge University Press, Cambridge, UK

14

A. Chorti

21. Mukherjee A, Fakoorian SAA, Jing H, Swindlehurst A (2014) Principles of physical layer security in multiuser wireless networks: a survey. IEEE Comm Surv Tuts 16(3):1550–1573 22. Chen C, Jensen M (2011) Secret key establishment using temporally and spatially correlated wireless channel coefficients. IEEE Trans Mob Comput 10(2):205–215 23. Mukherjee A (2015) Physical-layer security in the internet of things: sensing and communication confidentiality under resource constraints. Proc IEEE 103(10):1747–1761 24. Wilson R, Tse D, Scholtz R (2007) Channel identification: secret sharing using reciprocity in UWB channels. IEEE Trans Inf Forensics Secur 2(3):364–375 25. Abou-Faycal IC, Trott MD, Shamai S (2001) The capacity of discrete-time memoryless rayleigh-fading channels. IEEE Trans Inf Theory 47(4):1290–1301 26. Cover TM, Thomas JA (2006) Elements of information theory. Wiley, Hoboken, NJ 27. Fang S, Liu Y, Ning P (2016) Wireless communications under broadband reactive jamming attacks. IEEE Trans Dependable Secure Comput 13(3):394–408 28. Mukherjee A, Swindlehurst AL (2011) Robust beamforming for security in MIMO wiretap channels with imperfect CSI. IEEE Trans Signal Process 59(1):351–361 29. Geraci G, Dhillon HS, Andrews JG, Yuan J, Collings IB (2014) Physical layer security in downlink multi-antenna cellular networks. IEEE Trans Commun 62(6):2006–2021 30. Médard M (1997) Capacity of correlated jamming channels. In: Proceedings of the 35th annual allerton conference on communications, control and computing, Monticello, IL, Sep–Oct 1997 31. Shafiee S, Ulukus S (2009) Mutual information games in multiuser channels with correlated jamming. IEEE Trans Inf Theory 55(10):4598–4607

Robust Secret Sharing for End-to-End Key Establishment with Physical Layer Keys Under Active Attacks Stefan Pfennig, Sabrina Engelmann, Elke Franz and Anne Wolf

Abstract In recent years, there has been an increasing interest in physical layer key generation. Most of the approaches require that the communication partners who wish to generate a common secret key share a physical channel. That raises the question whether and how physical layer point-to-point keys can be used for a secure end-toend key exchange over multiple hops. However, a multi-hop communication implies that an advanced attacker model has to be taken into consideration. In former work, we introduced possibilities for an end-to-end key exchange under the consideration of outsiders and passive insiders. Within this paper, we now focus on active insiders. The basic idea is to use a robust secret sharing scheme. We discuss the applicability and security of this method under different attack scenarios. Our investigations show that a secure key exchange is even possible with a high number of attackers in the system. Simulations allow an estimation of the expected costs in terms of communication overhead.

1 Introduction Confidentiality and integrity of transmitted data are essential requirements on any data transfer. These protection goals are usually enforced by means of cryptography. Besides security, efficiency of data transmission plays an important role as well.

S. Pfennig (B) · S. Engelmann · E. Franz · A. Wolf Technische Universität Dresden, SFB 912 – Highly Adaptive Energy-Efficient Computing, Dresden, Germany e-mail: [email protected] S. Engelmann e-mail: [email protected] E. Franz e-mail: [email protected] A. Wolf e-mail: [email protected] © Springer International Publishing AG 2018 M. Baldi et al. (eds.), Proceedings of the 2nd Workshop on Communication Security, Lecture Notes in Electrical Engineering 447, DOI 10.1007/978-3-319-59265-7_2

15

16

S. Pfennig et al.

Under the consideration of efficiency, symmetric cryptography is of special interest since it offers a performance that is magnitudes better in comparison to asymmetric cryptography. However, symmetric cryptography has the disadvantage that it requires the prior secure exchange of a secret key between the communication partners. This usually requires that a trusted third party is involved in the key exchange or that the communication partners already own a common secret key [4]. In recent years, there has been an increasing interest in physical layer key generation as an alternative to the common key exchange. Usually, a common channel between the two parties who wish to generate a secret key is assumed. This assumption implies, however, that only point-to-point keys can be established. There are also approaches that use a relay in the key generation what allows generating keys over more than one hop but a secret end-to-end key exchange over an arbitrary number of hops still remains a problem. In former work, we studied possibilities for a secure end-to-end key exchange over multiple hops based on physical layer point-to-point keys [10]. The basic idea is to generate sub keys, to select different paths for the transmission of these sub keys, and to compute the secret key locally at the sender and receiver as XOR sum of all sub keys. As long as there is at least one trustworthy path, the establishment of a secret key is possible. As attacker model, we considered outside attackers as well as passive insiders (forwarders who are nice but curious). The contribution of this paper is to consider also active insiders as attackers. We introduce a basic idea for a secure key exchange under this attacker model and discuss variations of the basic idea that are suitable for different scenarios regarding the number of passive and active insiders in the system. For the discussed solutions, we also evaluate the computational and communication overhead. The paper is structured as follows. In Sect. 2, we explain our system model composed of the network as well as the attacker model. Section 3 gives an overview on the physical layer key generation. In Sect. 4, we explain the utilization of the physical layer keys to establish end-to-end keys on higher layers under active attackers. Section 5 concludes and gives an outlook.

2 System Model 2.1 Network Model For the investigations within this paper, we assume a similar system model as introduced in [10]. Two communication partners, a sender S and a receiver R, wish to establish a common secret key kS R for the protection of their data transmission by means of symmetric cryptography. Sender and receiver have to communicate over multiple hops, i.e., there is no direct link between these two parties. All messages are transmitted over intermediate nodes (relays) which we call forwarders Fi, j in the following. The assumed topology is shown in Fig. 1.

Robust Secret Sharing for End-to-End Key Establishment …

17

Fig. 1 System model similar to [10]

The forwarders are organized in  different groups F 1 , F 2 , . . . , F  . Within each group F i , there are m forwarders Fi,1 , Fi,2 , . . . , Fi,m . Each node of a certain group F i has direct links to all nodes on the neighboring groups F i−1 and F i+1 . Thus, sender and receiver have direct links to all nodes in group F 1 and F  , respectively. This model is inspired by the envisioned topology of the high-performance lowenergy computing platform HAEC that is currently under development [6]. The HAEC topology consists of a number of boards with optically connected compute nodes. In our model, the nodes of one board establish one group. All nodes of adjacent boards can directly communicate by means of wireless links. For the investigation in this paper, we focus on the links between boards since we assume that these wireless links are used for the generation of physical layer keys. Particularly, we assume that each pair of nodes directly connected in our model has generated a physical layer point-to-point key kS ,F1, j , kFi, j ,Fi+1, j  and kF, j ,R with j, j  ∈ {1, 2, . . . , m} and i ∈ {1, 2, . . . ,  − 1} (Fig. 1) according to physical layer key generation mechanisms described in [2, 10]. The physical layer keys are used to protect the exchange of the end-to-end key kS R between sender and receiver.

2.2 Attacker Model Basically, we assume that sender and receiver are trustworthy. They want to establish a common secret key in the presence of possible attackers. Accordingly, we also assume that adjacent nodes are trustworthy with respect to the generation of their physical layer keys since they are interested in protecting communication with their neighbors. However, forwarders are not necessarily trustworthy with respect to the end-to-end key exchange. To clearly describe our assumptions regarding the possible

18

S. Pfennig et al.

attackers with respect to the end-to-end key exchange, we focus on the behavior of the attacker, his area of control, and his role within the system. Regarding the behavior, we distinguish between passive and active attackers. A passive attacker only eavesdrops communicated messages, while an active attacker is able to disturb the communication. We especially focus on the case that an active attacker modifies or drops messages. The area of control of an attacker defines how many links or forwarding nodes he controls. There can also be multiple attackers in the system. Regarding confidentiality, the worst case is given if these attackers cooperate; however, this case is equivalent to an attacker that controls all the links and nodes the single attackers can control. Similarly, it is sufficient to give the number of nodes controlled by one or more active attackers. For the discussions in this paper, it is only interesting to characterize the area of control of passive and active attackers individually. The role of an attacker can be discussed at different levels [10]. For the physical layer key generation, an important distinction is whether the adjacent nodes who want to generate a point-to-point key have knowledge about the channel to the attacker (insider) or not (external entity). Since we discuss an end-to-end key exchange based on already established physical layer keys, we focus on attackers on the network layer. At this level, we can distinguish between insiders who participate in the transmission of data between sender and receiver and outsiders who do not participate. Of course, insiders are forwarders who transmit data. Outsiders may be other nodes in the network not selected as forwarders or external entities who may observe or jam the wireless communication, i.e., who access the links in our model. In our former investigations in [10], we considered outsiders and passive insiders only. In this paper, we also consider active insiders; particularly, we focus on insiders as attacker since protection against outsiders can be achieved by link-to-link protection using the physical layer keys as discussed in [10]. We clearly distinguish between the two types of insiders who may control a certain number of nodes. There are e passive attackers (eavesdroppers) who are nice but curious, i.e., they transmit messages without any modifications but they cooperate to determine the secret endto-end key kS R . Additionally, there are a active attackers who are only interested in preventing a successful end-to-end key exchange. We assume, that active attackers usually do not cooperate, but we also evaluate limits if they collaborate. Moreover, if attackers are modifying as well as eavesdropping, we have to add them to both categories. Even we focus on attacks on the network layer, there is no reason why an active attacker should not try to disturb the prior physical layer key generation. Thus, we want to give a short overview on this problem in the next section.

Robust Secret Sharing for End-to-End Key Establishment …

19

3 Physical Layer Key Generation 3.1 Key Generation Key generation on the physical layer is widely discussed in literature nowadays (see [2, 7] for an overview). Mainly, there are two different approaches that need to be distinguished: the source-type model and the channel-type model. For both models, the main idea is the same: Two users, A and B, want to generate a common secret key by means of the physical layer. For that purpose, they use a certain advantage they have over an eavesdropper E , i.e., a passive attacker. For the source-type model, such an advantage is that A and B can observe correlated sequences from a common source of randomness, whereas E has either no access to this source or can only observe another sequence, which differs from the realizations obtained by A and B. One example for such a source of common randomness is the current realization of their communication channel, which cannot be observed by an eavesdropper that is located at another position. For the channel-type model, the source of randomness is controlled either by A or B and the observation of this source is then transmitted over the wireless channel via a wiretap code. Exploiting their particular advantage over the eavesdropper, A and B want to agree on a common key. Ideally, they can communicate over an authenticated and noiseless public channel with unlimited bandwidth in order to exchange some information for the key agreement. The communication strategy has to guarantee that the key is kept secret from E who has perfect access to this public channel. Finally, both generate an individual key based on the information that is then available to them. The requirements for a secret key agreement are formulated as follows in [2, 7]: 1. The keys that are generated by A and B have to be equal with high probability. 2. The generated keys have to be independent of the public communication and the further observations of the eavesdropper. 3. The generated keys have to be approximately uniformly distributed over the key alphabet. Here, it is assumed that all involved parties are allowed to know the applied codebook as well as the public communication strategy in principle.

3.2 Key Generation Under Active Attacks As mentioned before, we assume that the two users A and B are interested in generating a common key and, therefore, are not malicious. Therefore, our attacker is another node of the system, which shares direct links with A and B. In order to analyze key generation schemes under active attacks we need to distinguish between the two key generation models.

20

S. Pfennig et al.

Active Attacks in the Source-Type Model An overview on physical layer key generation under active attacks in the source-type model, where the common randomness is given by the random channel between A and B, is given in [13]. Here, three different attack categories are distinguished: • Disruptive jamming attacks: The attacker aims to prevent A and B from the successful generation of a key, e.g., by jamming during the channel probing phase. • Manipulative jamming attacks: The attacker sends a signal in order to manipulate the channel measurements and therefore compromises the generated key. • Channel manipulation attacks: The attacker aims to control the wireless channel between A and B such that he can infer the generated key. For a key generation scheme, which defends against these attacks, we refer the reader to [13]. Active Attacks in the Channel-Type Model Key generation schemes under active attacks in the channel-type model are not yet studied in the literature. Due to the fact that the channel-type model is similar to the secure communication over the wiretap channel, some of the results may be applied to the key generation, e.g., we can take a look on the results on the arbitrarily varying wiretap channel [3, 9]. Hence, we assume that physical layer keys can be generated even in the presence of active attackers and focus on end-to-end key establishment in the following.

4 End-to-End Key Establishment 4.1 Robust Secret Sharing for Key Establishment In former studies, we excluded active insiders. Hence, a simple XOR of the sub keys was the basis to establish a common secret key kS R between sender and receiver in different hostile multihop scenarios. The attacker knows all sub keys transmitted over paths that contain at least one corrupted node. As long as one sub key is not known to the attacker, he has no chance to derive kS R . In this work, we focus on active insiders. Thus, we need another approach that allows for erased and modified messages (sub keys). To deal with erasures, the secret sharing by Shamir [12] looks promising. The idea of this scheme is to split a secret s into u shares in such a way that t of these shares are necessary to reconstruct the secret. The benefit of this scheme is twofold. On the one hand, it secures availability of the system against erasing attackers. Only t of u messages are needed to “decode” the information. On the other hand, it secures confidentiality against eavesdroppers. Less than t messages do not reveal any information about the shared secret. Technically, a secret sharing scheme ss(u, t) computes u shares  of a secret s by means of a polynomial f (x) = αt−1 · x t−1 + · · · + α1 · x 1 + α0 ·x 0 of degree t − 1. The coefficient α0 is set to s, the other t − 1 coefficients αi with i ≥ 1 are

Robust Secret Sharing for End-to-End Key Establishment …

21

randomly chosen within a finite field F p . One share consists of a tuple (xi , f (xi )), where xi ∈ F p is a sample point (xi = 0) and f (xi ) is the function value. All the u shares should contain a different xi . By means of Lagrange interpolation, any t tuples allow for recovery of the function f (x). The desired secret is obtained by calculating f (0) = α0 = s. If we apply this scheme to the key generation, the end-to-end key represents the secret. The sender can compute a number of shares and send these shares as separate messages to the receiver who needs only t of them to successfully reconstruct the key. The problem with secret sharing is, however, that the availability is only ensured when active attackers drop messages. If they modify messages, they distort the obtaining of the secret. At the end, a single modified message prevents the successful decoding. However, there exists a solution to this issue, namely robust secret sharing. The goal of robust secret sharing is to ensure that the secret can be correctly reconstructed even if up to u − t of the shares are corrupted by attackers. Using such a scheme, sender and receiver can be enabled to securely exchange a secret key even in the presence of active insiders. A number of robust secret sharing schemes has been introduced in the literature. In [8], the author recommend digital signatures. This is not an option for us, since we want to avoid asymmetric cryptography. Otherwise, we could establish a common key, e.g., by a Diffie-Hellman key agreement without using any physical layer keys at all. Another idea for the construction of a robust secret sharing scheme is to use Message Authentication Codes (MACs) for the protection of the shares [1, 5, 11]. The goal is here to enable the reconstructors to check the validity of the shares they want to use for the reconstruction of the share. Generally, the majority of the players need to be honest to ensure the correct reconstruction. In the cites approaches, a number of MACs are computed for each share and the necessary keys need to be distributed as well. Since we want to focus on the discussion whether a robust secret sharing scheme can be helpful for a secure end-to-end key exchange, we will use a simple scheme that requires less overhead. This scheme is introduced in the next section.

4.2 Proposed Basic Scheme Inspired by the majority scheme introduced in [11], we can define a first simple construction of a robust secret sharing scheme. The key idea is to use two of instead t−1 αi · x i one polynomial and to “hide” the secret s in the first polynomial f (x) = i=0 t−1 and the squared secret s 2 in the second polynomial g(x) = i=0 βi · x i . Thus, a receiver can test whether the squared result of the first polynomial is equal to the result of the second, otherwise he will discard the result. The reason for squaring s is to avoid linearity between the two functions and, therewith, to prevent forgeability. The probability to forge a share in such a system depends on the size of F p and is exactly 1p by guessing, as long as the active attackers have not eavesdropped t or more parts.

22

S. Pfennig et al.

In our system, there are  groups with m nodes each. Thus, we can construct m parallel paths for the secret sharing. Hence, we can set u = m for a uniform utilization of the forwarding nodes. Let us denote an rss(m, t) as a robust secret sharing scheme that is confidential against e < t eavesdroppers and that stays available against a ≤ m − t active attackers. Such an rss(m, t) scheme has two functions: share(s, m, t) and assemble(y = [(x1 , f (x1 ), g(x1 )), (x2 , f (x2 ), g(x2 )), . . .]) with |y| = t. The first function share(s, m, t) creates two random polynomials f (x) and g(x) of degree t − 1 where f (0) = α0 = s and g(0) = β0 = s 2 . For each of the m forwarders, it outputs a triple (xi , f (xi ), g(xi )) with xi ∈ {1, 2, . . . , m}. The assemble function uses t of those triples to recover f (x) and g(x) and tests whether f (0)2 = g(0). If this holds, assemble returns s = f (0), otherwise it discards the result. As stated previously, the reason for squaring s is to avoid linearity between the two functions and, therewith, to prevent forgeability. The third value of a triple works like a checksum. If we set the secret of the second function g(x), e.g., to a fixed value, the receiver could recognize any change one the first and the third element of the triple. However, an attacker may just alter the second element of the triple, which would lead to a false assembled secret, but would not be recognizable. If we set the last coefficient β0 of g(x) equal to s or to a fixed multiple n of s, an attacker could easily add a value Δ to the function value of f (x) and Δ · n to the value of g(x), which would yield a valid but forged secret. The reason for this issue is the calculation of the Lagrange interpolation. Let us assume, we want to assemble t shares (x1 , f (x1 ), g(x1 )), . . . , (xt , f (xt ), g(xt )). To calculate the secret s, we use the Lagrange interpolation for finite fields. It holds: s = f (0) =

t 

⎛ ⎝ f (xi ) ·

i=1



⎞ (−x j )(xi − x j )−1 ⎠

i= j

= f (x1 ) · c1 + f (x2 ) · c2 + · · · + f (xt ) · ct  Since i= j (−x j )(xi − x j )−1 is equal for both functions f (x) and g(x), we can substitute this by a factor ci . Moreover, we assume that the secret of the second polynomial g(x) is a product of factor n and secret s of function one. Then it holds: f (x1 ) · c1 + f (x2 ) · c2 + · · · + f (xt ) · ct =

g(x1 ) · c1 + g(x2 ) · c2 + · · · + g(xt ) · ct n

If an active attacker wants to alter a share, he adds Δ to f (x) and Δ · n to g(x). W.l.o.g., we assume he adds it to the second triple, which leads to (x2 , f (x2 ) + Δ, g(x2 ) + Δn). We will now show that the equality remains:

Robust Secret Sharing for End-to-End Key Establishment …

23

f (x1 ) · c1 + ( f (x2 ) + Δ) · c2 + · · · + f (xt ) · ct = f (x1 ) · c1 + f (x2 ) · c2 + · · · + f (xt ) · ct + Δ · c2 = g(x1 ) · c1 + g(x2 ) · c2 + · · · + g(xt ) · ct + Δ · c2 = n g(x1 ) · c1 + g(x2 ) · c2 + · · · + g(xt ) · ct + Δn · c2 = n g(x1 ) · c1 + (g(x2 ) + Δn) · c2 + · · · + g(xt ) · ct n However, by using s 2 as secret for the second polynomial, an attacker who want to alter the second element of a triple, e.g., adding a fixed value like before, cannot forge the third value without knowledge about s. Moreover, we found out in some simulations that for fixed but arbitrarily chosen first and second values of a triple only one element of F p is accepted by the assemble function. This third value (which is accepted) depends on s, i.e., there exists a bijective function from s ∈ F p to a valid checksum. Without any knowledge about s, an attacker only could guess a valid third value with probability 1p . Thus, using s 2 as coefficient β0 for the second function g(x) prevents unseen attacks as long as s is secret, which means that an attacker eavesdropped less than t messages. In comparison to other work, it seems to be contradictory that we want to achieve security even with a majority of active attackers. However, we need to keep in mind, that our attacker model is slightly more differentiated than attacker models in the literature. Thus, our a active attackers just want to corrupt the messages and do not cooperate. In case of clever adaptation to the secret, they need to eavesdrop t parts in the first place, which would make them to cooperating eavesdroppers and yield an increased e. Hence, the requirement in the related work that the majority of nodes have to be honest, i.e., a < m2 , is comparable to our assumption a + e < m if we assume that dishonest nodes may eavesdrop and actively attack. Without the possibility of eavesdropping, active attackers are only able to create valid shares of a wrong secret if they cooperate. Thus, we assume that the collaboration of active attackers is limited. Especially, when a ≥ t, we need to assure that the largest number of active attackers that collaborate is below t. Put differently, if we construct j distinct sets of collaborating active attackers A1 , . . . , A j , we need to assure max1≤i≤ j |Ai | < t. From this follows that t > 1 if a > 0. Otherwise, cooperating active attackers could easily construct valid shares for a wrong secret and prevent integrity. Figure 2 illustrates an example of robust secret sharing. On the one side, the modification of the message by F1,2 is recognized by R and messages of F1,1 and F1,3 are sufficient to obtain the secret s. One the other side, neither F1,1 nor F1,3 individually can use their knowledge about one sample point to gain any information about s. Thus, confidentiality is preserved.

24

S. Pfennig et al.

Fig. 2 Example of rss(3, 2) scheme. The transmission of the secret s = 7 is confidential against e < t eavesdroppers. Furthermore, the availability is ensured against a ≤ m − t active attackers

In the following sections, we will discuss how this basic construction can work under the consideration of different attacker models. This discussion necessitates to classify the relevant scenarios and explain why we need a different strategy there. As a first step, we define the lower and upper limits with respect to the key generation. The lower limit is given by a = 0, i.e., there is no active attacker. This case is covered by the solutions introduced in [10]. For the upper limit, we could think of an attacker that controls a complete group of forwarders. Thus, it would be impossible to exchange a key since each message can be modified or dropped by the attacker. Moreover, even a forwarder group with a + e ≥ m is not controllable. For confidentiality reasons, it is necessary to fulfill t > e; for availability reasons, m − a ≥ t is needed. Thus, we get a contradiction, because m − a > e ⇒ m > a + e . Hence, the basic requirement for a successful key establishment is that at least one forwarder per group is not under the control of an attacker. Under this assumption, we can distinguish three classes that require a specific solution: Case 1: a + e < m – rss using m distinct paths Case 2: a + maxPerGroup(e) < m – XOR of many rss using all possible paths Case 3: maxPerGroup(a) + maxPerGroup(e) maxPerGroup(e) for many sequential rss(m, t) schemes. The shares of each scheme are transmitted using different link configurations. Each transmission delivers a sub key. Finally, these sub keys are XORed in order to compute the end-to-end key kS F . As long as at least one of those sub keys remains confidential, the summed secret remains confidential as well. There exists m!−1 link configurations of which each could transmit a sub key. However, this would yield in a large amount of sub keys and can be optimized. Since we only need to connect eavesdroppers with each other to limit the eavesdropped path to m − a − 1, we simply choose maxPerGroup(e) out of m per group and connect them. Thus, there will be at least one link configuration with the wanted properties.   m sub keys to guarantee a confidential Overall, we need to exchange maxPerGroup(e) key establishment. The costs for such an exchange depend on the actual parameters and, thus, may be quite high as well. Hence, we tried to figure out by means of simulation how many sub keys are really necessary, especially if a + maxPerGroup(e) is clearly smaller than m. For the simulation, we constructed a random network of m ×  forwarders and assigned a nodes in the whole network to be active attackers and e nodes per group to be eavesdroppers. Afterwards, we tried to achieve a confidential summed key by using random link configurations for a transmission with the rss scheme. We performed 10, 000 runs on different networks and 10 runs each with the same settings regarding the attackers. In this process, we counted the number of sub keys needed and evaluated average as well as maximum numbers. In Fig. 4, we present the results for the example of a 9 × 3 forwarder matrix. We see that for any combination of e eavesdroppers per group and a active attackers greater or equal to the number of nodes per group m, there is no possibility to establish a common secret. However, if a + maxPerGroup(e) < m, we get a solution. The number of sub keys needed rapidly decreases with smaller e or a. If m is significantly larger than a + maxPerGroup(e), then the costs are quite small. However, when using only as much sub keys as shown, we would achieve confidentiality only on average or in 99% of the cases, respectively. Thus, the actual number of sequential rss exchanges

S. Pfennig et al.

number of sub keys (avg)

28

104 103 102 101 100 7

7 6 5 6

4 5

4

3 3

2

eavesdropper per group e

2

attacker a

1 1

number of sub keys (99 %)

(a) Average number of sub keys needed

104 103 102 101

7 6

0

10

7

5 6

4 5

4

3 3

eavesdropper per group e

2

2 1 1

attacker a

(b) Number of sub keys sufficient for 99 % of the cases

Fig. 4 The number of sub keys to establish a confidential key for the example of m = 9 and  = 3

Robust Secret Sharing for End-to-End Key Establishment …

29

highly depends on the security demands. Moreover, in some extreme cases with very high costs, the solution introduced in the next section may be more efficient.

4.5 Case 3: Many Active and Passive Attackers The last scenario represents the worst case for the establishment of a key. We assume maxPerGroup(a) + maxPerGroup(e) < m, which means that in the extreme case, there is only one trustworthy node in each group. We cannot simply send sub keys by means of sequential rss, because there may be link configurations where the number of actively attacked paths plus the number of eavesdropped links is larger or equal the number of all paths m. Thus, we can guarantee neither the confidentiality, nor the arrival of each sub key at the receiver. However, there also exists a link configuration that connects all eavesdroppers or all active attackers with each other, what leads to a fully trustworthy path and a + e < m attacked paths. To exploit each trustworthy node in a group, we need to think iteratively. If we assume  = 1, then it holds maxPerGroup(e) = e and maxPerGroup(a) = a. Thus, it also holds a + e < m, which implies that the first scheme with one rss(m, t = m − a) scheme would work here. To extend this finding to the case where  = 2, we assume all forwarders in group 2 are kind of “intermediate” receivers that have to assemble the secret from the messages they got from forwarders of group 1. Each of the m “intermediate” receivers can receive a message (secret) securely by means of an rss(m, t = m − a) scheme via all predecessor nodes. Hence, a secure communication to all nodes in group 2 is possible. Furthermore, the sender could also send an encapsulated rss-tuple instead of a single secret to each “intermediate” receiver. Thus, after all nodes in the group assembled their secret (here: an rss-tuple), they can send it to the receiver, who can then assemble the secret of the sender. We denote this method as nested robust secret sharing (nrss). In Fig. 5, we illustrate the procedure for m = 3. We need m = 3 tuples that are sent to a successor to enable him to assemble the secret. This secret may be an element of a further tuple. For this solution, we need to send a lot of messages that contain many elements. However, we can guarantee the availability and the confidentiality of the system, if maxPerGroup(a) + maxPerGroup(e) < m holds and the single rss parameters are chosen adequately. In the following, we want to present a proof for the security of the suggested scheme as well as an identification of the communication costs in terms of number of messages to be sent and the lengths of these messages to establish a key with the receiver. Theorem 1 For a secure transmission of a key kS R ∈ F p in an m ×  forwarder matrix, it is sufficient to send m  messages of size 3 elements ∈ F p . Proof We will prove the theorem by mathematical induction. For the sake of convenience, we assume that the “x-points” for the secret sharing are smaller than p. base case: The theorem holds for  = 0 (no forwarders).

30

S. Pfennig et al.

Fig. 5 Example of nested robust secret sharing scheme

messages: Communication is easily possible via a direct physical connection. We need exactly m  = m 0 = 1 message from sender to receiver to communicate. message size: To protect the transmitted key kS R , we encrypt it by means of the physical layer generated key between sender and receiver. We need a message of length 3 = 30 = 1, since we only send one message and do not split the secret into shares that need to be transported. induction step: Assuming the theorem holds for  = n, then we will show it also holds for  = n + 1. messages: If we want to communicate with any node in group n + 1, we need to send an rss(m, m − a) message via any node in group n. We have to use an rss(m, m − a) scheme for the transmission. Hence, m messages need to be sent. Thus, we will send m · m n = m n+1 messages. Since we only have a active attackers and e eavesdroppers in group n, the message can be assembled (t ≤ m − a) and it stays confidential (t > m − e). message size: The message size to a node of group n + 1 is tripled in relation to the message size to a node of group n because we have to transmit the x-value and its function values for the two polynomials each of F p to enable the rss assemble function to get s of size q. Overall, we need 3 · 3n = 3n+1 elements per message.  In Table 1, we illustrate the costs by means of elements we need to transmit in order to securely transmit a secret of size 1. For example, the sender has to transmit 19, 683 · 16 = 314, 928 Bytes for the transport of a 128 bit end-to-end key in a 9 × 3 forwarder matrix. Thus, this scheme is extremely costly, but we can prove the security. Furthermore, we see room for improvement, e.g., implicit x-values or heterogeneous finite fields, but this is not the focus of this paper.

Robust Secret Sharing for End-to-End Key Establishment …

31

Table 1 Transmitted data (in elements of F p ) for end-to-end key exchange with nested robust secret sharing in dependency of m and  m\ 0 1 2 3 4 5 1 4 9 16 25

1 1 1 1 1

3 12 27 48 75

9 144 729 2,304 5,625

27 1,728 19,683 110,592 421,875

81 20,736 531,441 5,308,416 31,640,625

243 248,832 14,348,907 254,803,968 2,373,046,875

5 Conclusion We have shown that end-to-end key establishment with physical layer keys under active insider attacks is possible. We analyzed limits and presented three different approaches based on a robust secret sharing scheme. Within this work, we only focused on the general possibilities and their security but not on efficiency. However, we estimated the costs for our schemes and demonstrated that they are quite high, depending on the area of control of the attacker. Hence, we want to emphasize that the most important aspect to secure end-to-end key establishment with physical layer keys is to carefully assess the attackers strength and to set the parameters of the presented schemes in a reasonable way. In future work, we want to optimize the schemes to enable applicability. One direction of future work is to analyze alternatives to the proposed robust secret sharing schemes, especially algebraic manipulation detection codes (AMD) introduced in [3]. AMD codes perform a probabilistic encoding of a source while decoding is deterministic. Undetectable modifications are only possible with a small error probability. Further, a full implementation would allow for meaningful measurements in terms of energy and speed. Furthermore, we would like to assess the performance in comparison to a common key exchange that incorporates asymmetric cryptography under the consideration of different attacker models. Acknowledgements This work is supported in part by the German Research Foundation (DFG) in the Collaborative Research Center 912 “Highly Adaptive Energy-Efficient Computing”.

References 1. Bishop A, Pastro V (2016) Robust secret sharing schemes against local adversaries. In: Proceedings of the Public-key cryptography-PKC 2016–19th IACR international conference on practice and theory in public-key cryptography, part II 2. Bloch M, Barros J (2011) Physical-layer security: from information theory to security engineering. Cambridge University Press, Cambridge

32

S. Pfennig et al.

3. Boche H, Schaefer RF (2013) Capacity results and super-activation for wiretap channels with active wiretappers. IEEE Trans Inf Forensics Secur 4. Boyd C, Mathuria A (2003) Protocols for authentication and key establishment. Springer, Berlin 5. Cevallos A, Fehr S, Ostrovsky R, Rabani Y (2012) Unconditionally-secure robust secret sharing with compact shares. In: Proceedings of the advances in cryptology—EUROCRYPT 2012–31st annual international conference on the theory and applications of cryptographic techniques 6. Fettweis G, Nagel W, Lehner W (2012) Pathways to servers of the future: highly adaptive energy efficient computing (HAEC). In: Proceedings of the conference on design, automation and test in Europe 7. Liang Y, Poor HV, Shamai S (2009) Information theoretic security. Found Trends Commun Inf Theory 5(4–5):355–580 8. Michael O. Rabin (1983) Randomized byzantine generals. In: Proceedings of the 24th annual symposium on foundations of CS. IEEE Computer Society 9. Nötzel J, Wiese M, H Boche (2016) The arbitrarily varying wiretap channel—secret randomness, stability, and super-activation. IEEE Trans Inf Theory 10. Pfennig S, Franz E, Engelmann S, Wolf A (2016) End-to-End key establishment using physical layer key generation and specific attacker model (Lecture Notes in Electrical Engineering), vol 358, Chap. 6. Springer, Berlin, pp 93–110 11. Rabin T, Ben-Or M (1989) Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the annual ACM symposium on theory of computing. ACM, New York 12. Shamir A (1979) How to share a secret. Commun. ACM 22(11):612–613 13. Zeng K (2015) Physical layer key generation in wireless networks: challenges and opportunities. IEEE Commun Mag 53(6):33–39

Semantically-Secured Message-Key Trade-Off over Wiretap Channels with Random Parameters Invited Paper Alexander Bunin, Ziv Goldfeld, Haim H. Permuter, Shlomo Shamai (Shitz), Paul Cuff and Pablo Piantanida Abstract We study the trade-off between secret message (SM) and secret key (SK) rates simultaneously achievable over a state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) at the encoder. This model subsumes all other instances of CSI availability as special cases, and calls for an efficient utilization of the state sequence both for reliability and security purposes. An inner bound on the semantic-security (SS) SM-SK capacity region is derived based on a novel superposition coding scheme. Our inner bound improves upon the previously best known SM-SK trade-off result by Prabhakaran et al., and to the best of our knowledge, upon all other existing lower bounds for either SM or SK for this setup. The results are derived under the strict semantic-security metric that requires negligible information leakage for all message-key distributions. The achievability proof uses the strong soft-covering lemma for superposition codes.

A. Bunin · S. Shamai (Shitz) (B) Technion—Israel Institute of Technology, Haifa, Israel e-mail: [email protected] A. Bunin e-mail: [email protected] Z. Goldfeld · H.H. Permuter Ben-Gurion University of the Negev, Beersheba, Israel e-mail: [email protected] H.H. Permuter e-mail: [email protected] P. Cuff Princeton University, Princeton, US e-mail: [email protected] P. Piantanida CentraleSupélec-CNRS-Université, Paris-Sud, France e-mail: [email protected] © Springer International Publishing AG 2018 M. Baldi et al. (eds.), Proceedings of the 2nd Workshop on Communication Security, Lecture Notes in Electrical Engineering 447, DOI 10.1007/978-3-319-59265-7_3

33

34

A. Bunin et al.

1 Introduction Modern communication systems usually present an architectural separation between error correction and data encryption. The former is typically realized at the physical layer by transforming the noisy communication channel into a reliable “bit pipe”. The data encryption is implemented on top of that by applying cryptographic principles. The cryptographic approach relies on restricting the computational power of the eavesdropper. The looming prospect of quantum computers (QCs) (some companies have recently reported a working prototype of a QC with over than 1000 qbits [15, 16]), however, would boost computational abilities, rendering some critical cryptosystems insecure and weakening others.1 Post-QC cryptography offers partial solutions that rely on larger keys, but even now considerable efforts are made to save this expensive resource. Physical layer security (PLS) [5, 18, 28], rooted in information-theoretic (IT) principles, is an alternative approach to provably secure communication that dates back to Wyner’s celebrated 1975 paper on the wiretap channel (WTC) [26]. By harnessing randomness from the noisy communication channel and combining it with proper physical layer coding, PLS guarantees protection against computationally-unlimited eavesdroppers with no requirement that the legitimate parties share a secret key (SK) in advance. The eavesdropper’s computational abilities are of no consequence here since the signal he/she observes from the channel carries only negligible information about the secret data.

1.1 Background Two fundamental questions in PLS are those of the best achievable transmission rate of a secret message (SM) over a noisy channel, and the highest attainable SK rate that distributed parties can agree upon.

1.1.1

Secret-Message Transmission

The base model for SM transmission is Wyner’s WTC [26], where two legitimate parties communicate over a noisy channel in the presence of an untrusted eavesdropper. A full characterization of the secrecy capacity of WTCs that are degraded in favor 1 More specifically, asymmetric ciphers that rely on the hardness of integer factorization or discrete

logarithms can be completely broken using QCs via Shor’s algorithm (or a variant thereof) [4, 22]. Symmetric encryption, on the other hand, would be weakened by QC attacks but could regain its strength by increasing the size of the key [20]. This essentially follows since a QC can search n through a space of size 2n in time 2 2 , so by doubling the size of the key a symmetric cryptosystem would offer the same protection versus a QC attack, as the original system did versus a classic attack.

Semantically-Secured Message-Key Trade-off over WTCs with State

35

of the legitimate parties was derived in [26]. The solution was extended to the not necessarily degraded case by Csiszár and Körner [7]. A common method used in IT security proofs that dates back to the early days of Wyner, Csiszàr and Körner, relies on evaluating rather complicated equivocation terms. Recently, however, distribution approximation arguments emerged as a tool of choice for proving security. The core result on which this approach relies is called the soft-covering lemma (SCL), which originated from another 1975 paper by Wyner [25]. Interestingly, while both the WTC and the SCL appear in two works by Wyner from the same year, he did not seem to make a connection between the two results (although he must have been aware of a relation). The SCL states the distribution induced by randomly selecting a codeword from an appropriately chosen codebook and passing it through a discrete memoryless channel (DMC) will be asymptotically indistinguishable from the distribution of random noise. Wyner’s original result was sharpened throughout the years to hold under stricter proximity measure between distributions [10, 11, 13, 14]. Based on these sharper versions, one can make the channel output observed by the eavesdropper in the WTC look like noise and, in particular, be approximately independent of the confidential data. More specifically, a wiretap code assigns a sub-codebook that satisfies the soft-covering phenomenon to each confidential message. To transmit a certain secret message, a codeword from its associated sub-codebook is randomly and uniformly chosen and is fed into the WTC. Consequently, the distribution induced on the output sequence observed by the eavesdropper given each confidential message is indistinguishable from the distribution of random noise. This, in particular, implies that the eavesdropper’s observation is asymptotically independent of the confidential data, which implies security. The notion of soft-covering is key for deriving the results of this work.

1.1.2

Secret-Key Agreement

The study of SK agreement was pioneered by Maurer [19], and independently by Ahlswede and Csiszár [1], who studied the achievable SK rates based on correlated observations at the terminals who may communicate via a noiseless and rate unlimited public link. A characterization of the SK capacity was found in [1] for the case where only one-way public communication is allowed. If the eavesdropper does not observe a correlated source, thus having access only to the public communication, the optimal SK agreement protocol uses Slepian-Wolf coding [23] for lossless reconstruction with side information. When the eavesdropper also observes a correlated source, a superposition coding scheme combined with Wyner-Ziv coding [27] is needed to achieve optimality. The inner layer of the code carries no secret information. It is designed to glut the eavesdropper with redundant information, thereby wasting his/hers resources. The confidential data is encoded in the outer layer of the superposition code and is protected by virtue of random binning. A generalization to the case where the public link is of finite capacity is due to Csiszár and Narayan [8]. If the encoder controls its source (rather than just observing it), this source becomes

36

A. Bunin et al.

a channel input and the setup evolves to a WTC. This is a special case of the so called SK channel-type model that was also studied in [1].

1.2 Model and Contributions A more general framework to consider is a state-dependent (SD) WTC with noncausal encoder channel state information (CSI) (sometimes referred to as the Gelfand and Pinsker (GP) WTC, due to the study of the corresponding point-to-point scenario by the aforementioned authors [9]). The dependence of the channel on the state accounts for the possible availability of correlated sources observations at the terminals. The similarity between the SM transmission and the SK agreement tasks makes their integration in a single model only natural. Adhering to the most general framework, we study the trade-off between the SM-SK rates that are simultaneously achievable over a SD-WTC with non-causal encoder CSI. The scenario where there is only a SM was considered in [6], where an achievable SM rate formula was established. This result was recently improved upon in [12] based on a novel superposition coding scheme. SK agreement over the GP-WTC was the focus of [17], and more recently was also studied in [2] (see also references therein). The combined model was considered by Prabhakaran et al. [21], who derived a benchmark inner bound on the SK-SM capacity region. The result from [21] was shown to be optimal for various special cases. We propose a novel superposition coding scheme for the combined model that not only subsumes [21] as a special case, but also captures [2, 6, 12, 17] and, to the best of our knowledge, all other existing achievability results for SM transmission, SK agreement or both. Our coding scheme uses an over-populated superposition codebook that encodes the entire confidential message in its outer layer. Using the redundancies in the inner and outer layers, the transmission is correlated with the state sequence by means of the likelihood encoder [24]. Although the redundancy indices are chosen as part of the encoding process (rather than by the user), via the strong soft-covering lemma (SCL) for superposing codes [12, Lemma 1], we show that their true distribution is well approximated by a uniform distribution. Consequently, as long as a certain redundancy index is kept secret (along with the confidential message) from the eavesdropper, it may be declared as a SK. The security analysis is based on constructing the inner codebook such that it is better observable by the eavesdropper, making the inner layer index decodable by him. This enhances the secrecy resources that the legitimate parties can extract from the outer layer, which they use to secure the SM and part of the redundancy index of the outer layer. The encoder and decoder then declare the secured redundancy index as the SK. The agreed SK may be used to further boost the SM rate by encrypting part of the message using a one-time pad and transmitting it over the inner (unsecured) layer.

Semantically-Secured Message-Key Trade-off over WTCs with State

37

Our results are derived under the strict metric of semantic-security (SS). The SS criterion is a cryptographic gold standard that was adapted to the informationtheoretic framework (of computationally unbounded adversaries) in [3]. As was shown in [3], SS is equivalent to a negligible mutual information (MI) between the confidential information (in our case, the SM-SK pair) and the eavesdropper’s observations for all message-key distributions. The proof of SS relies on the strong SCL for superposition [12, Lemma 1] and the heterogeneous SCL [10, Lemma 1]. Since most of the past secrecy results mentioned above were derived under the weaksecrecy metric (i.e., a vanishing normalized MI with respect to a uniformly distributed message-key pair), our achievability outperforms the schemes from [2, 6, 17, 21] for the SD-WTC with non-causal encoder CSI not only in terms of the achievable rate pairs, but also in the upgraded sense of security it provides.

1.3 Organization This paper is organized as follows. Section 2 establishes notations and preliminary definitions. Section 3 describes the SD-WTC setting and states an inner bound on SM-SK optimal trade-off region. In Sect. 4 we discuss past results that are captured within our framework. An outline of the proof of our main result is the content of Sect. 5. Finally, Sect. 6 summarizes the main achievements and insights of this work.

2 Preliminaries We use the following notations. As customary N is the set of natural numbers (which does not include 0), while R are the reals. We further define R+ = {x ∈ R|x ≥ 0}.  Given two  real numbers a, b, we denote by [a : b] the set of integers n ∈ N a ≤ n ≤ b . Calligraphic letters denote sets, e.g., X , while |X | stands for its cardinality. X n denotes the n-fold Cartesian product of X . An element of X n is denoted by x n = (x1 , x2 , . . . , xn ); whenever the dimension n is clear from the context, vectors (or sequences) are   denoted by boldface letters, e.g., x. Let X , F, P be a probability space, where X is the sample space, F is the  σ -algebra and P is the probability measure. Random variables over X , F, P are denoted by uppercase letters, e.g., X , with conventions for random vectors similar to those for deterministic sequences. The probability of an event A ∈ F is denoted  by P(A), while P(AB) denotes conditional probability of A given B. We use 1A to denote the indicator function of A ∈ F. The set of all probability mass functions (PMFs) on a finite set X is denoted by P(X ). PMFs are denoted by the letters such as p or q, with a subscript that identifies the random variable and its possible conditioning. For example, for a two discrete correlated random variables X and Y over the same probability space, we use p X , p X,Y and p X |Y to denote, respectively, the marginal PMF of X , the joint PMF of (X, Y ) and the conditional PMF of X

38

A. Bunin et al.

given Y . In particular, p X |Y represents the stochastic matrix whose elements are given by p X |Y (x|y) = P X = x|Y = y . Expressions such as p X,Y = p X pY |X are to be understood to hold pointwise, i.e., p X,Y (x, y) = p X (x) pY |X (y|x), for all (x, y) ∈ X × Y. Accordingly, when three random variables X , Y and Z satisfy p X |Y,Z = p X |Y , they form a Markov chain, which we denote by X − Y − Z . We omit subscripts if the arguments of a PMF are lowercase versions of the random variables. For a sequence of random variable X n , if the entries of X n are drawn in an identically and independently distributed (i.i.d.) manner according to p X , then for every n n p X (xi ) and we write p x ∈ X n we have p X n (x) = i=1 X n (x) = p X (x). Similarly, n n n if for every (x, y) ∈ X × Y we have pY n |X n (y|x) = i=1 pY |X (yi |xi ), then we write pY n |X n (y|x) = pYn |X (y|x). The conditional product PMF pYn |X given a specific sequence x ∈ X n is denoted by pYn |X =x . N (x|x) n nThe empirical PMF νnx of a sequence x ∈ X is νx (x)  n , where N (x|x) = i=1 1{xi =x} . We use Tε ( p X ) to denote the set of letter-typical sequences of length n with respect to the PMF p X and the non-negative number ε, i.e., we have 

  Tεn ( p X ) = x ∈ X n  νx (x) − p X (x) ≤ εp X (x), ∀x ∈ X .

(1)

Definition 1 (Total Variation) Let (X , F) be a measurable space and p and q be two probability measures  on F. The total variation between p and q is || p − q||TV =  space X is countable, the total variation supA∈F  p(A) − q(A). If the sample   reduces to || p − q||TV = 21 x∈X  p({x}) − q({x}).

3 SM-SK Trade-Off over Wiretap Channels with Non-Causal Encoder CSI We study the SD-WTC with non-causal encoder CSI, for which we establish a novel achievable region of semantically-secured message-key pairs that subsumes the previously best known coding schemes for this scenario.

3.1 Problem Setup   Let S, X , Y and Z be finite sets. The S, X , Y, Z, W S , WY,Z |X,S discrete and memoryless SD-WTC with non-causal encoder CSI is illustrated in Fig. 1. A state in a sequence s ∈ S n is generated in an i.i.d. manner according to W S and is revealed  non-causal fashion to the sender, who chooses a message m from the set 1 : 2n R M . The sender then maps the observed state sequence s and message m into a  the chosen channel input sequence x ∈ X n and a key index k ∈ 1 : 2n R K (the mapping may be random). The sequence x is transmitted over the SD-WTC with transition probability WY,Z |X,S . The output sequences y ∈ Y n and z ∈ Z n are observed by the receiver and

Semantically-Secured Message-Key Trade-off over WTCs with State

39

WSn S M

Encoder fn

Y X

ˆ K) ˆ (M,

Decoder φn

n WY,Z|X,S

Z

M,K

Eavesdropper

K Fig. 1 The state-dependent wiretap channel with non-casual encoder channel state information

the eavesdropper, respectively. Based on y, the receiver produces the estimates pair ˆ of (m, k). The eavesdropper tries to glean whatever it can about the message (m, ˆ k) and the generated key from z. Remark 1 (Most General Model) Before rigorously defining the setup and stating the result, we note that the considered model is the most general instance of a SD-WTC with non-causal CSI known at some or all of the terminals. The broadest model one may consider is when the SD-WTC WY˜ , Z˜ |X,S1 ,S2 ,S3 is driven by a triple of correlated state random variables (S1 , S2 , S3 ) ∼ W S1 ,S2 ,S3 , where S1 is known to the transmitter, S2 is known to the receiver and S3 is available at the eavesdropper’s site. However, setting S = S1 , Y = (Y˜ , S2 ), Z = ( Z˜ , S3 ) in SD-WTC with non-causal encoder CSI and defining the channel’s transition probability as WY,Z |X,S = W(Y˜ ,S2 ),( Z˜ ,S3 )|X,S1 = W S2 ,S3 |S1 WY˜ , Z˜ |X,S1 ,S2 ,S3 , one clearly recovers this (prima facie) general SD-WTC from the model with noncausal encoder CSI only. Definition 2 (Code) An (n, R M , R K )-code  cn for the SD-WTC with non-causal  encoder CSI has a message set Mn  1 : 2n R M , a key set Kn  1 : 2n R K , a stochastic encoder f n : Mn × S n → P(Kn × X n ) and a decoder φn : Y n → Mn × Kn . For any message distribution PM ∈ P(Mn ) and any (n, R M , R K )-code cn , the induced joint PMF is: n ˆ = W Sn (s)PM (m) f n (k, x|m, s)WY,Z ˆ k) p (cn ) (s, m, k, x, y, z, m, |X,S (y, z|x, s)  . × 1 (m, (2) ˆ ˆ k)=φ (y) n

The performance of cn is evaluated in terms of its rate pair (R M , R K ), its maximal decoding error probability, the maximal distance of the distribution of K from being uniform and independent of M, and the SS-metric.

40

A. Bunin et al.

Definition 3 (Maximal Error Probability) The maximal error probability of an (n, R M , R K )-code cn is e(cn ) = maxm∈Mn em (cn ), where: em (cn ) =

(s,k,x) ∈S n ×Kn ×X n

W Sn (s) f n (k, x|m, s)

WYn|X,S (y|x, s)

y∈Y : φn (y) =(m,k) n

Definition 4 (Maximal Distance to Key Uniformity) The maximal distance to key cn is δ(cn ) = uniformity and independence of the message  n ) of an(U(n,  R M , R K )-code )  (U ) − p and p is the uniform maxm∈Mn δm (cn ), where δm (cn ) =  p (c K |M=m Kn TV Kn PMF over Kn . Definition 5 (Information Leakage and SS Metric) The information leakage to the eavesdropper under the (n, R M , R K )-code cn and the message-key PMF p M ∈ P(Mn ) is ( p M , cn ) = Icn (M, K ; Z), where Icn denotes that the MI is taken with n) 2 respect to the marginal p (c M,K ,Z of (2). The SS metric with respect to cn is Sem (cn ) = max p M ∈P(Mn ) ( p M , cn ). Definition 6 (Achievability) A pair (R M , R K ) ∈ R2+ is called an achievable SS message-key pair for the SD-WTC with non-causal encoder CSI, if for every ε > 0 and sufficiently large n, there exists a (n, R M , R K )-code cn with e(cn ) ≤ ε, δ(cn ) ≤ ε and Sem (cn ) ≤ ε. Definition 7 (SS-Capacity) The SS message-key capacity region CSem of the SDWTC with non-causal encoder CSI is the closure of the set of achievable rate pairs.

3.2 Main Results The main result of this work is a novel inner bound on the SS message-key capacity region of the SD-WTC with non-causal encoder CSI. Our achievable region is at least as good as the best known achievability results for the considered problem. To state our main result, let U and V be finite alphabets and for any qU,V,X |S : S → P(U × V × X ) define   RA qU,V,X |S ⎧  ⎫  ⎪ ⎪  R M ≤ I (U, V ; Y ) − I (U, V ; S) ⎨ ⎬   (R M , R K ) ∈ R2+  R M + R K ≤ I (V ; Y |U ) − I (V ; Z |U ), , (3)  ⎪ ⎪ ⎩  R M + R K ≤ I (U, V ; Y ) − I (V ; Z |U ) − I (U ; S) ⎭

2 Sem (cn ) is actually the mutual-information-security (MIS) metric, which is equivalent to SS by [3]. We use this representation rather than the formal definition of SS (see, e.g., [3, Eq. (4)]) out of analytical convenience.

Semantically-Secured Message-Key Trade-off over WTCs with State

41

where the MI terms are calculated with respect to the joint PMF W S qU,V,X |S × WY,Z |X,S , i.e., where (U, V ) − (X, S) − (Y, Z ) forms a Markov chain. Theorem 1 (Semantic-Security SM-SK Capacity Inner Bound) The following inclusion holds:    CSem ⊇ RA  (4) RA qU,V,X |S . qU,V,X |S

An extended outline of the proof of Theorem 1 is given in Sect. 5, and is based on a secured superposition coding scheme. An over-populated two-layered superposition codebook is constructed (independently of the state sequence), in which the entire secret message is encoded in the outer layer, meaning no information is carried by the inner layer. The likelihood encoder [24] uses the redundancies in the inner and outer codebooks to correlate the transmitted codewords with the observed state sequence. Upon doing so, part of the correlation index from the outer layer is declared by the encoder as the key. The inner layer is designed to utilize the part of the channel which is better observable by the eavesdropper. This saturates the eavesdropper with redundant information and leaves him/her with insufficient resources to gather any information on the SM-SK pair from the outer layer. The legitimate decoder, on the other hand, decodes both layers of the codebook and declares the appropriate indices as the decoded message-key pair. Remark 2 (Interpretation of Theorem 1) To get some intuition on the result of Theorem 1, we examine RA (qU,V,X |S ) from two different perspectives: when the joint PMF W S qU,V,X |S WY,Z |X,S satisfies I (U ; Y ) ≥ I (U ; S), or when the opposite inequality holds. If I (U ; Y ) ≥ I (U ; S), the third rate bound in RA (qU,V,X |S ) becomes redundant and the dominating bounds are R M ≤ I (U, V ; Y ) − I (U, V ; S) R M + R K ≤ I (V ; Y |U ) − I (V ; Z |U ).

(5a) (5b)

The right-hand side (RHS) of (5a) is the total rate of reliable (secured and unsecured) communication that our superposition codebook supports. This clearly bounds the rate of the SM that may be transmitted. For (5b), the MI difference on the RHS is the total rate of secrecy resources that are produced by the outer layer of the codebook. Since the security of our SM-SK pair all comes from that outer layer, this MI difference is an upper bound on the sum of rates. For the opposite case when I (U ; Y ) < I (U ; S), the second inequality in RA becomes redundant and we are left with R M ≤ I (U, V ; Y ) − I (U, V ; S)





R M + R K ≤ I (V ; Y |U ) − I (V ; Z |U ) − I (U ; S) − I (U ; Y ) .

(6a) (6b)

42

A. Bunin et al.

While the interpretation of (6a) remains as before, to understand (6b), consider the following. Since I (U ; S) is approximately the rate of the inner codebook, I (U ; Y ) < I (U ; S) means that looking solely on the inner layer, the decoder is lacking the resolution to decode it. Yet, the success of our communication protocol relies on the decoder reliably decoding both layers. Therefore, in this case, some of the rate from the outer layer is allocated to convey the inner layer index. Recalling that our security analysis is based on revealing the inner layer to the eavesdropper, this rate allocation effectively results in a loss of I (U ; S) − I (U ; Y ) in the secrecy resources of the outer layer, giving rise to the rate bound from (6b).

4 Past Results as Special Cases 4.1 Prabhakarn’s SM-SK Trade-Off Region The result of Theorem 1 recovers the previously best known achievable SM-SK trade-off region over the SD-WTC with non-causal encoder CSI from [21]. In [21, Theorem 1] the following region was established as an inner bound on the SM-SK trade-off capacity region: RPER 



  RPER qU × qV,X |U,S ,

(7a)

qU ×qV,X |U,S

where for any qU ∈ P(U) and qV,X |U,S : U × S → P(V × X ),   RPER qU × qV,X |U,S     R ≤ I (U, V ; Y ) − I (U, V ; S)  (R M , R K ) ∈ R2+  M , R M + R K ≤ I (V ; Y |U ) − I (V ; Z |U )

(7b)

and the MI terms are taken with respect to W S qU qV,X |U,S WY,Z |X,S , i.e., U and S are independent and (U, V ) − (X, S) − (Y, Z ) forms a Markov chain. First note that Theorem 1 recovers RPER by restricting U to be independent of S in RA . This is since for an independent pair (U, S), we have I (U ; S) = 0, while I (U, V ; Y ) ≥ I (V ; Y |U ) always holds. This makes the third rate bound in RA redundant and RPER is recovered. The result from [21] was derived under the weak-secrecy metric (i.e., a vanishing normalized MI between the SM-SK pair and the eavesdropper’s observation sequence n1 I (M, K ; Z) where the message is assumed to be uniformly distributed). Our achievability, on the other hand, ensures performance with respect to the stringent SS-metric. Since Theorem 1 captures [21, Theorem 1] as a special case, it also upgrades its result to SS.

Semantically-Secured Message-Key Trade-off over WTCs with State

43

4.2 SM Transmission over SD-WTCs In [12, Theorem 1] a lower bound on the SS-capacity of a SM transmission over the considered SD-WTC was established. The model considered in [12] is recovered from the one considered here by removing the SK (R K = 0). The SS-capacity of a SM transmission was shown to be lower bounded as   CSM−Sem ≥ RGCP  max RGCP qU,V,X |S , qU,V,X |S

(8a)

where for any qU,V,X |S : S → P(U × V × X ), ⎧ ⎫ ⎨ I (U, V ; Y ) − I (U, V ; S), ⎬   , RGCP qU,V,X |S  min I (V ; Y |U ) − I (V ; Z |U ), ⎩ ⎭ I (U, V ; Y ) − I (V ; Z |U ) − I (U ; S)

(8b)

and the MI terms are taken with respect to W S qU,V,X |S WY,Z |X,S , i.e., (U, V ) − (X, S) − (Y, Z ) forms a Markov chain. RGCP is the projection in the (R M , R K )-plane of RA from Theorem 1 to the R M axis when R K = 0. Then main difference between the coding scheme from [12] and our superposition code is the introduction of the additional index k ∈ Kn in the outer layer of the codebook (that also encodes the SM m ∈ Mn ). Along with the other redundancy indices, k is used to correlate the transmission with the observed state sequence via the likelihood encoder [24]. Based on distribution approximation arguments we show that K is approximately independent of the message M and approximately uniform. The pair (M, K ) is known to the transmitter (who chooses them) and is reliably decoded by the receiver. Finally, by securing K along with M in our analysis, it is established as a SK. The intuition behind the SK construction is that, unlike the message, the key does not have to be independent of the state sequence nor it is chosen by the user. Therefore, the padding that ensures the correlation with the state sequence is a valid key, as long as it is protected in the security analysis.

4.3 SK Agreement over SD-WTCs In [2] two achievable schemes were proposed for SK agreement over a wiretap channel when the terminals have access to correlated sources. The results from [2] do not imply one another and differ in one scheme being based on source and channel separation [2, Theorem 2], while in the other the coding is done jointly [2, Theorem 3]. The setup in [2] consists of three correlated sources Sx , S y and Sz that are observed by the encoder, decoder and eavesdropper, respectively, and a SD-WTC in which the triple (Sx , S y , Sz ) plays the role of the state. Our general framework is defined through

44

A. Bunin et al.

the state distribution W S and the SD-WTC WY˜ , Z˜ |X,S . Setting S = Sx , Y˜ = (S y , Y ) and Z˜ = (Sz , Z ) recovers the model from [2] (see Remark 1). The first scheme from [2, Theorem 2] operates under the assumption that the SD-WTC decomposes as W(Sy ,Y ),(Sz ,Z )|X,Sx = W Sy ,Sz |Sx WY,Z |X into a product of two WTCs, one being independent of the state, while the other one depends only on it. Thus, the legitimate receiver (respectively, the eavesdropper) observes not only the output Y (respectively, Z) of the WTC WY,Z |X , but also S y (respectively, Sz ) - a noisy version of the state sequence drawn according to the marginal of W Sy ,Sz |S . This scheme shows that the SK capacity CSK is lower bounded as (Separate)

CSK ≥ RBPS

   max I (T ; Y |Q) − I (T ; Z |Q) + I (V˜ ; S y |U˜ ) − I (V˜ ; Sz |U˜ ) (9)

˜ and q Q,T q X |T ∈ where the maximization is over all qV˜ |Sx qU˜ |V˜ : Sx → P(V˜ × U) P(Q × T × X ) that give rise to a joint PMF W Sx ,Sy ,Sz qV˜ |Sx qU˜ |V˜ × q Q,T q X |T WY,Z |X satisfying I (U˜ ; Sx |S y ) ≤ I (Q; Y ) and I (V˜ ; Sx |S y ) ≤ I (T ; Y ). With respect to this distribution (S y , Sz ) − Sx − V − U and Q − T − X − (Y, Z ) form Markov chains and (S y , Sz , Sx , V, U ) are independent of (Q, T, X, Y, Z ). This independence is the essence of separation that uses the channel for two purposes: carrying communication for SK agreement based on the sources, and securing part of this communication using wiretap coding. Setting R M = 0, U = (Q, U˜ ), V = (T, V˜ ) in Theorem 1, and limiting ourselves to joint PMFs that satisfy I (U ; SY , Y ) ≥ I (U ; Sx ), while keeping the above distribution X , recovers (9). The joint coding scheme from [2, Theorem 3] does not require sources and channel independence. i.e., no factorization property of W(Sy ,Y ),(Sz ,Z )|X,Sx is assumed. It lower bounds CSK as   (Joint) CSK ≥ RBPS  max I (V˜ ; S y , Y |U˜ ) − I (V˜ ; Sz , Z |U˜ ) (10) ˜ that give rise where the maximization is over all qV˜ ,X |Sx qU˜ |V˜ : Sx → P(V˜ × X × U) to a joint PMF W Sx qV˜ ,X |Sx qU˜ |V˜ W(Sy ,Y ),(Sz ,Z )|Sx ,X satisfying I (U˜ ; Sx ) ≤ I (U˜ ; S y , Y ) and I (V˜ ; Sx |U˜ ) ≤ I (V˜ ; S y , Y |U˜ ). Inserting into Theorem 1 R M = 0 and (U, V ) = (Joint) , recovers (10). Consequently, (U˜ , V˜ ), where (U˜ , V˜ ) is a valid auxiliary pair in RBPS Theorem 1 unifies the schemes from [2], and since the results from [2] are under the weak-secrecy metric, Theorem 1 also upgrades them to SS (see the discussion from Sect. 4.1).

Semantically-Secured Message-Key Trade-off over WTCs with State

45

5 Outline of Proof of Theorem 1 We give a detailed description of the codebook construction and of the encoding and decoding processes. Due to space limitation, the analysis of reliability and SS is omitted and only the required rate bounds accompanied by broad explenations are provided. Fix a conditional PMF qU,V,X |S . Codebook Cn : We use a superposition codebook where the outer layer carries both the SM and the SK. The codebook is constructed independently of S, but has sufficient redundancy to correlate the transmission with S.   n R1 and Jn  1 : 2n R2 , and let BU(n)   1 : 2 Define the index sets I n   u(i) i∈In be an inner layer codebook generated as i.i.d. samples of qUn . For every i ∈   In , let BV(n) (i)  v(i, j, k, m) ( j,k,m)∈Jn ×Kn ×Mn be a collection of |Jn ||Kn ||Mn | vectors of length n drawn according to the distribution qVn |U =u(i) . We use Cn to denote our superposition codebook, i.e., the collection of the inner and all the outer layer codebooks. The encoder and decoder are described next for a fixed superposition codebook Cn . Encoder fn (Cn ) : The encoding phase is based on the likelihood-encoder [24], which, in turn, allows us to approximate the (rather cumbersome) induced joint distribution by a much simpler distribution which we use for the analysis. Given m ∈ Mn and s ∈ S n , the encoder randomly chooses (i, j, k) ∈ In × Jn × Kn according to (Cn ) pLE (i,

j, k|m, s) =

  n su(i), v(i, j, k, m) q S|U,V    qn su(i  ), v(i  , j  , k  , m)

(i  , j  ,k  ) ∈In ×Jn ×Kn

(11)

S|U,V

where q S|U,V is the conditional marginal of q S,U,V defined by q S,U,V (s, u, v) =  x∈X W S (s)qU,V,X |S (u, v, x|s), for every (s, u, v) ∈ S × U × V. The encoder (Cn ) declares the index k ∈ Kn chosen by the by pLE as the key. Furthermore, the channel input sequence is generated by feeding the chosen u- and v-codewords along with the state sequence into the DMC q Xn |U,V,S . Decoder φn (Cn ) : Upon observing y ∈ Y n , the decoder searches for a unique tuple ˆ v(i, ˆ j, ˆ k, ˆ m), ˆ j, ˆ k, ˆ m) ˆ y ∈ Tεn (qU,V,Y ). (i, ˆ ∈ In × Jn × Kn × Mn such that u(i),   ˆ kˆ ; otherwise, φn(Bn ) (y) = If such a unique quadruple is found, then set φn(Cn ) (y) = m, (1, 1). The quadruple (Mn , Kn , f n(Cn ) , φn(Cn ) ) defined with respect to the codebook Cn constitutes an (n, R M , R K )-code cn . Main ideas for the analysis: The key step is to approximate (in total variation) the joint PMF induced by the above encoding and decoding scheme, say p (Cn ) , by a new distribution Γ (Cn ) , which lands itself easier for the reliability and security analyses. For any p M ∈ P(Mn ), Γ (Cn ) is

46

A. Bunin et al.

Γ (Cn ) (m, i, j, k, u, v, s, x, y, z, m) ˆ = p M (m)

1  1 |In ||Jn ||Kn | u=u(i),v=v(i, j,k,m)  . (12) (y, z|x, s)1 (C )

n n (s|u, v)q Xn |U,V,S (x|u, v, s)WY,Z × q S|U,V |X,S

φn

n

ˆ (y)=(m, ˆ k)

Namely, with respect to Γ (Cn ) , the indices (i, j, k) ∈ In × Jn × Kn are uniformly drawn from their respective ranges. Then, the sequence s is generated by feeding the n . Based on [12, Lemma 1], corresponding u- and v-codewords into the DMC q S|U,V it can be shown that with respect to a random superposition codebook Cn , p (Cn ) and Γ (Cn ) are close in total variation in several senses (both in expectation and with high probability), if R1 > I (U ; S) R1 + R2 + R K > I (U, V ; S).

(13a) (13b)

Having this, standard properties of total variation imply that K is indeed approximately uniform and independent of M. Furthermore, based on the approximation of p (Cn ) with Γ (Cn ) , both the reliability and the security analysis are executed with respect to Γ (Cn ) rather than p (Cn ) . Standard joint-typicality decoding arguments for superposition codes show that reliability follows provided that R2 + R K + R M < I (V ; Y |U ),

(14a)

R1 + R2 + R K + R M < I (U, V ; Y ).

(14b)

With the help of the heterogeneous strong SCL from [10, Lemma 1], SS is ensured if R2 > I (V ; Z |U ).

(15)

The rate bound in (15) ensures that the distribution of the eavesdropper’s observation given the inner layer codeword and each SM-SK pair is asymptotically indistinguishable form random noise. This asymptotic independence, in turn, implies semantic security. Finally, applying the Fourier-Motzkin   Elimination on (13), (14) and (15) to remove R1 and R2 , shows that RA qU,V,X |S is achievable.

6 Summary and Concluding Remarks We studied the trade-off between SM and SK rates simultaneously achievable over a SD-WTC with non-causal CSI at the encoder. This model subsumes all other instances of CSI availability as special cases. An inner bound on the semantic-security SM-SK capacity region was derived based on a novel superposition coding scheme, the likelihood encoder and soft-converging arguments. We showed that our inner

Semantically-Secured Message-Key Trade-off over WTCs with State

47

bound recovers the previously best known SM-SK trade-off region by Prabhakaran et al. [21]. Furthermore, our result recovers the best lower bounds that we are aware of for either SM or SK rates achievable in this setup [2, 12]. Unlike most of the previous results that were derived under the weak secrecy metric, our derivations ensure semantic-security. It would be interesting to demonstrate a strict improvement of the scheme presented here over the results in [21]. Acknowledgements The work of Alexander Bunin and Shlomo Shamai was supported by the European Union’s Horizon 2020 Research And Innovation Programme, grant agreement No. 694630. The work of Z. Goldfeld and H. H. Permuter was supported by the Israel Science Foundation (grant no. 684/11), an ERC starting grant and the Cyber Security Research Grant at Ben-Gurion University of the Negev. The work of Paul Cuff was supported by the National Science Foundation—grant CCF-1350595, and the Air Force Office of Scientific Research—grant FA9550-15-1-0180.

References 1. Ahlswede R, Csiszár I (1993) Common randomness in information theory and cryptography. part i: secret sharing. IEEE Trans Inf Theory 39(4):1121–1132 2. Bassi G, Piantanida P, Shamai (Shitz) S (2016) Secret key generation over noisy channels with common randomness. ArXiv preprint arXiv.org/abs/1609.08330 3. Bellare M, Tessaro S, Vardy A (2012) A cryptographic treatment of the wiretap channel. In: Proceedings of the advances in cryptology (CRYPTO 2012), Santa Barbara, CA, USA 4. Bernstein DJ (2009) Introduction to post-quantum cryptography. In: Post-quantum cryptography. Springer, Berlin, pp 1–14 5. Bloch M, Barros J (2011) Physical-layer security: from information theory to security engineering. Cambridge University Press, Cambridge, UK 6. Chen Y, Vinck AJH (2008) Wiretap channel with side information. IEEE Trans Inf Theory 54(1):395–402 7. Csiszár I, Körner J (1978) Broadcast channels with confidential messages. IEEE Trans Inf Theory 24(3):339–348 8. Csiszár I, Narayan P (2000) Common randomness and secret key generation with a helper. IEEE Trans Inf Theory 46(2):344–366 9. Gelfand SI, Pinsker MS (1980) Coding for channel with random parameters. Problemy Pered Inform (Probl Inf Trans) 9(1): 19–31 10. Goldfeld Z, Cuff P, Permuter HH (2016) Arbitrarily varying wiretap channels with type constrained states. IEEE Trans Inf Theory 62(12):7216–7244 11. Goldfeld Z, Cuff P, Permuter HH (2016) Semantic-security capacity for wiretap channels of type II. IEEE Trans Inf Theory 62(7):3863–3879 12. Goldfeld Z, Cuff P, Permuter HH (2016) Wiretap channel with random states non-causally available at the encoder. Submitted to IEEE Trans Inf Theory 13. Han T, Verdú S (1993) Approximation theory of output statistics. IEEE Trans Inf Theory 39(3):752–772 14. Hou J, Kramer G (2013) Informational divergence approximations to product distributions. In: Proceedings of the 13th Canadian Workshop Information Theory (CWIT), Toronto, Ontario, Canada 15. Johnson MW et al (2011) Quantum annealing with manufactured spins. Nature 473(7346):194– 198 16. Jones N (2013) Google and NASA snap up quantum computer D-Wave two. http://www. scientificamerican.com/article.cfm?id=google-nasa-snap-up-quantum-computer-dwave-two

48

A. Bunin et al.

17. Khisti A, Diggavi SN, Wornell GW (2011) Secret-key agreement with channel state information at the transmitter. IEEE Trans Inf Forensics Secur 6(3):672–681 18. Liu Y, Chen HH, Wang L (First quarter 2017) Physical layer security for next generation wireless networks: theories, technologies, and challenges. IEEE Commun Surv Tut 19(1): 347–376 19. Maurer UM (1993) Secret key agreement by public discussion from common information. IEEE Trans Inf Theory 39(3):733–742 20. Perlner RA, Cooper DA (2009) Quantum resistant public key cryptography: a survey. In: Proceedings of symposium on identity and trust on the internet (IDtrust). pp. 85–93. ACM, Gaithersburg, Maryland 21. Prabhakaran V, Eswaran K, Ramchandran K (2012) Secrecy via sources and channels. IEEE Trans Inf Theory 85(11):6747–6765 22. Shor PW (1999) Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM review 41(2):303–332 23. Slepian D, Wolf J (1973) Noiseless coding of correlated information sources. IEEE Trans Inf Theory 19(4):471–480 24. Song E, Cuff P, Poor V (2016) The likelihood encoder for lossy compression. IEEE Trans Inf Theory 62(4):1836–1849 25. Wyner AD (1975) The common information of two dependent random variables. IEEE Trans Inf Theory 21(2):163–179 26. Wyner AD (1975) The wire-tap channel. Bell Sys. Techn. 54(8):1355–1387 27. Wyner AD, Ziv J (1976) The rate-distortion function for source coding with side information at the decoder. IEEE Trans Inf Theory 1:1–10 28. Zeng K (2015) Physical layer key generation in wireless networks: challenges and opportunities. IEEE Commun Mag 53(6):33–39

Hash-then-Encode: A Modular Semantically Secure Wiretap Code Setareh Sharifian, Fuchun Lin and Reihaneh Safavi-Naini

Abstract We propose a modular construction of a semantically secure wiretap code that achieves secrecy capacity for a large class of wiretap channels. Security of the construction is proved by interpreting the construction as an instance of an invertible extractor, and use the framework in Bellare et al. [1] to complete the proof. The construction has computation for encoding and decoding equivalent to hashing, and the smallest effective transmission rate among known modular capacity achieving constructions. We also give a modular construction of invertible Universal Hash Functions (UHF) from an XOR Universal Hash Functions that is of independent interest.

1 Introduction Consider a scenario where Alice wants to send a message to Bob over a (noisy) channel that is eavesdropped by Eve. Alice and Bob do not share a key and Eve is computationally unbounded. Wyner [2] made the ingenious observation that noise in the Eve’s channel can be used as the cryptographer’s resource to provide security, while providing reliability for the communication. In Wyner wiretap model, and its extension by Cziszár and Körner [3], the sender is connected to the receiver and the eavesdropper (wiretapper) through two noisy channels, referred to as the receiver channel, T, (also called the main channel) and the wiretapper channel, W, respectively. It has been proved [2, 3] that communication with secrecy and reliability is possible if the wiretapper channel is “noisier” than the receiver channel. Wiretap model captures wireless communication scenarios where a sender’s transmitted message can be intercepted by a nearby eavesdropper, and so the sent message is received by the intended receiver and the wiretapper through the two channels T and W, respectively. The model has intrigued the research community and has generated

S. Sharifian (B) · F. Lin · R. Safavi-Naini The University of Calgary, Calgary, Canada e-mail: [email protected] © Springer International Publishing AG 2018 M. Baldi et al. (eds.), Proceedings of the 2nd Workshop on Communication Security, Lecture Notes in Electrical Engineering 447, DOI 10.1007/978-3-319-59265-7_4

49

50

S. Sharifian et al.

Fig. 1 a Wiretap channel with main channel T and the wiretapper’s channel W ; b Degraded wiretap channel with main channel T and the wiretapper’s channel W that is the concatenation of two channels

a huge amount of research because of the promise of information theoretic security without the need for a shared secret key. The wiretap model. In the wiretap model (See Fig. 1) the sender uses a randomized encoding (also called encryption) algorithm Enc : {0, 1}b→ {0, 1}n that encodes (encrypts) a message m and generates a codeword (ciphertext) X , that is the input to the receiver’s channel T and the wiretapper’s channel W. The receiver will use a decoding (decryption) function Dec : {0, 1}n → {0, 1}b on Y , to recover a message m . The decryption will be in error if m = m. The wiretapper’s view of the communication is denoted by Z . The goal of the encryption system is to provide secrecy and reliability for the receiver. Wyner defined security and reliability as asymptotic values of I (M; Z )/b, and Pr[Dec(Y ) = M] when b → ∞, respectively, assuming messages are uniformly distributed. Here I (A; B) is the mutual information between the two random variables A and B, and M denotes the random variable corresponding to message space. Security definition of wiretap model has been strengthened by replacing the rate of leakage of information, I (M; Z )/b, with the total information leakage I (M; Z ) [4], and more recently with max PM I (M; Z ) [1], which is shown to be equivalent to semantic security [5]. Transmission efficiency of wiretap encryption systems is measured by the rate, R = nb , of sending messages with secrecy and reliability. Secrecy capacity of a wiretap channel is denoted by Csec , and is the highest achievable rate of communication, satisfying the security and reliability requirements. It has been shown that when T and W are symmetric and W is degraded with respect to T, secrecy capacity is given by Csec = CT − CW , where CT and CW are Shannon (reliability) capacity of the receiver’s and the wiretapper’s channels, respectively. Explicit construction of capacity-achieving wiretap encryption systems, with efficient encoding and decoding, has been a long standing open problem. The first explicit capacity-achieving construction for a large class of wiretap channels was by using polar codes [6]. More recently, capacity-achieving modular constructions, with efficient encoding and decoding, have been proposed [1, 7, 8]. These constructions, can

Hash-then-Encode: A Modular Semantically Secure Wiretap Code

51

use any capacity-achieving error correcting code and because of the flexibility in the choice of the error correcting code, are attractive in practice. In existing modular constructions, wiretap encoding has two steps: the first step is a randomized coding using an invertible seeded extractor, and the second step is an Error Correcting Code (ECC) that encodes the output of the first step. The extractor is implemented using a Universal Hash Family (invertible UHF). The seed for the UHF may be pre-shared by the sender and the receiver [7], or sent reliably (without secrecy) across the main channel [1, 8]. In this latter case, the seed can be used for many blocks. And its required transmission is thus amortized over many blocks of the message. Thus all known wiretap encoder constructions require inverting a hash function. The commonly used construction for invertible UHF uses multiplication over finite fields for forward hashing, and inversion amounts to finding the inverse of a field element followed by a finite field multiplication. Wiretap codes are evaluated in asymptotic regime; that is, when the message length approaches infinity. In practice, however, wiretap codes will be primarily used for sending finite length messages. This will be the common setting in networks of small devices which commonly occurs in the future Internet of Things. In such settings the seed must be sent with each message and its length will not be amortized over many blocks. Hence the effective rate of communication must take the seed length into account.

1.1 Our Work We start by giving a modular construction of invertible UHF from any XOR-UHF. A hash function h : X → Y maps elements of a domain X to elements of Y. In our applications |Y| < |X | and so y ∈ Y corresponds to a set h Inv (y) of pre-images. An inverter function for h is a randomized function that, for any y ∈ Y outputs, randomly (and uniformly), an element of the pre-image set h Inv (y). A UHF (Definition 3) is a family of hash functions with the same domain and range that is indexed by seed, and has the property that for any pair of different elements x, x ∈ X , we have Pr[h S (x) = h S (x )] ≤ ε where probability is over the random choice of the seed. The family is invertible if there is an inverter function for each member of the family. A modular construction of invertible UHF. In Sect. 3 we show a modular construction of an invertible UHF. The construction uses an XOR-UHF (Definition 4) that maps X → Y, and the XOR property requires that for any pair of different elements x, x ∈ X , we have Pr[h S (x) ⊕ h S (x ) = a] ≤ ε for any a ∈ Y, where probability is over the random choice of the seed. The resulting invertible UHF maps X × Y → Y and has the same ε. Leftover Hash Lemma (Lemma 2) shows that a UHF family can be used as a seeded extractor. Our result thus, gives an invertible seeded extractor from any XOR-UHF with the property that the inversion operation of a hash function is simply computing a hash function (a member of UHF). Invertible extractors (and invertible UHF) are

52

S. Sharifian et al.

Fig. 2 Hash-then-Encode (HtE) construction

of interest because of their applications in the construction of wiretap codes (both Wyner wiretap and wiretap II) and secret sharing schemes from codes [9]. A new modular construction of capacity-achieving wiretap encryption system. Our main contribution is a new modular construction of a semantically secure wiretap encryption system with efficient encoding and decoding, that for a large family of channels achieves the channel secrecy capacity. We call the construction Hash-thenEncode (HtE) as wiretap encoding amounts to calculating a hash function (from the XOR UHF family), followed by using an ECC. This makes our wiretap encoding operation the most efficient among existing modular constructions of wiretap codes. We prove semantic security and capacity-achieving properties of our construction by showing that it fits within the framework of [1] and so their approach can be used to prove the required properties. We consider application of wiretap codes in practice, and define the effective rate of the codes as the total transmission, including the seed, divided by the message length. The first (and the only) other construction of capacity-achieving wiretap code with semantic security, called Invert-then-Encode (ItE), is in [1, 8]. We show that for the same level of semantic security and reliability, our construction needs a shorter seed and so has higher effective rate, compared in the construction in [1, 8]. Our construction is shown in Fig. 2.

1.2 Related Works Wiretap channel is a widely studied area. Wyner’s original model [2] considers a degraded channel (See (i) of Fig. 1) where W is the concatenation of T and a second noisy channel W . Csiszár and Körner [3] extended this model to the broadcast setting (See (ii) of Fig. 1). The known modular constructions of wiretap codes result in capacity-achieving constructions for Wyner’s original model. Hayashi and Matsumoto [7] used invertible universal hash functions to construct capacity-achieving modular wiretap encryption systems where security was proved for uniformly distributed messages. Bellare et al. [1] introduced the notion of semantic security for wiretap codes and gave the first modular construction that achieves this level of security. They also gave a construction [10], referred to as XtX, whose encoding resembles our construction, but the capacity-achieving property of the construction was left as an open question. Our work answers this question using a new interpretation of the construction in terms of invertible UHF. Section 4.2.1 provides more details.

Hash-then-Encode: A Modular Semantically Secure Wiretap Code

53

2 Preliminary Probability Distributions. We use uppercase letters X to denote random variables and bold lowercase letters x to denote their corresponding realization. UΩ denotes the uniform random variable over Ω. In particular U denote the uniform variable over {0, 1} . The calligraphic letters X are used for sets of elements. |X | denotes the number of elements in a set. By X ∈ X we mean random variable’s distribution $

is over X . In particular, x ← X means element x is chosen with probability

1 , |X |

$

and X ← X means X is a variable with uniform distribution over X . Pr[X = x] (or PX (x)) denotes the probability of the random variable X = x. For two random variables X and Y , PX |Y denotes their conditional distribution. For a random variable X ∈ X with distribution PX (x), the Shannon entropy is  H (X ) = − x∈X PX (x) log PX (x). The min-entropy H∞ (X ) is given by H∞ (X ) = − log(max(PX (x))). The average conditional min-entropy [11] is defined as, x

H˜ ∞ (X |Y ) = − log Ey∈Y max PX |Y (x|y). The statistical distance of two random varix∈X 1 |Pr(X = ω) − Pr(Y = ω)|. We ables X, Y ∈ Ω is given by, SD(X ; Y ) = 2 ω∈Ω say X and Y are ε-close if SD(X ; Y ) ≤ ε. ε Lemma 1 [12] The ε-smooth min-entropy H∞ (P) of a distribution P is defined by ε (P) = H∞

max

Q:SD(P;Q)≤ε

H∞ (Q).

Let X 1 , . . . , X n be independent samples from a distribution X on a finite set X and let δ > 0. Then for ε = 2

2

− 2 log2nδ (|X |+3)

ε one has H∞ (X 1 , . . . , X n ) ≥ n H (X ) − nδ.

A random source is a random variable with lower bound on its min-entropy. We say a random variable X ∈ {0, 1}n is an (n, d)-source if H∞ (X ) ≥ d. Randomness extractors. Randomness extractors extract close to uniform randomness from a random source with some guaranteed entropy. Randomness extractors have found wide applications in cryptography. For more details on randomness extractors see [13]. Definition 1 A function Ext : {0, 1}n × S → {0, 1} is a strong (seeded) (d, ε)extractor if for any (n, d)-source X , we have SD((S, Ext(X, S)); (S, U )) ≤ ε, where S is chosen uniformly from S. Definition 2 Let V be a random variable possibly dependent on X , Ext is called a (d, ε)-average case strong extractor, if for all (V, X ) with H˜ ∞ (X |V ) ≥ d, SD((S, V, Ext(X, S)); (S, V, U )) ≤ ε, where S denotes a random seed chosen uniformly from S.

54

S. Sharifian et al.

Randomness extractors can be constructed from (2-)Universal Hash Families (UHF) using the so called Leftover Hash Lemma (LHL) [14]. Definition 3 A family {h s |s ∈ S} of functions h s : X → Y is a Universal Hash  Family if for any x = x , 

Pr[h S (x) = h S (x )] ≤

1 , |Y|

where S denotes a random seed chosen uniformly from S. Definition 4 A family {h s |s ∈ S} of functions h s : X → Y = {0, 1} is an XOR Universal Hash Family if for any x = x , 

Pr[h S (x) ⊕ h S (x ) = a] ≤

1 , for all a ∈ {0, 1} , |Y|

where S denotes a random seed chosen uniformly from S. Remark 1 XOR-UHF implies UHF. The UHF family Hmult is defined using finite field multiplication. Let X = {0, 1}n , Y = {0, 1} and S = {0, 1}n . Then Hmult = {h s |s ∈ S} with h s : X → Y defined as follows, is an XOR-UHF. h s (x) = (s  x)| ,

(1)

where  is the finite field multiplication and | is the  lower order (index) components of the vector representation of a finite field element. The following average case version of LHL is due to [11]. Lemma 2 Let {h s |s ∈ S} be a UHF with h s : {0, 1}n → {0, 1} . Let X and Z be random variables over {0, 1}n and {0, 1}∗ , respectively satisfying H˜ (X |Z ) ≥  + 2 log 1ε − 2. Let S be uniform over S. Then SD((S, Z , h S (x)); (S, Z , U )) ≤ ε. This, according to Definition 2, says that UHF is an average case ( + 2 log 1ε − 2, ε)-strong extractor. Modular constructions of wiretap encryption systems use invertible extractors, first used in the construction of wiretap II codes [15]. Definition 5 [15] Let Σ be a finite alphabet and consider the mapping f : Σ n → Σ  . A function f Inv : Σ  × {0, 1}r → Σ n is called an inverter for f if the following conditions hold: 1. (Inversion) Given y ∈ Σ  such that the pre-image set f I nv (y) is nonempty, for every r ∈ {0, 1}r we have f ( f Inv (y, r)) = y. 2. (Uniformity) f Inv (UΣ  , Ur ) = UΣ n .

Hash-then-Encode: A Modular Semantically Secure Wiretap Code

55

An inverter is called efficient if there is a randomized algorithm that runs in worst case polynomial time and, given y ∈ Σ  and the randomness r, computes f Inv (y, r). A mapping is invertible if it has an efficient inverter. A family of functions is invertible if all its members is invertible. In [1], invertibility is defined for regular extractors. A seeded extractor is regular if for every seed s, every point in the range of Ext(·, s) has the same number of pre-images. An inverter of a regular extractor takes a seed s and a point y in the range of Ext(·, s) as input, and returns a uniformly selected element of the pre-image set of y under that seed. The two definitions of invertibility become the same when each map f in Definition 5 is surjective. This is the case for our construction. Definition 6 (Seeded Randomized Encryption E [S] ) Let {E [s] |s ∈ S} be a family of randomized encoders with E [s] : M × {0, 1}r → X . A seeded randomized encryp$

tion E [S] is a probabilistic encryption algorithm that uniformly samples a seed s ← S and encrypts using the function E [s] . For each E [s] there exists a decoder D [s] such that D [s] (E [s] (m)) = m, for any m ∈ M. Modular constructions of wiretap encryption consist of a seeded randomized encryption step and an ECC step.

3 A Modular Construction of Efficiently Invertible UHFs (ei-UHF) Let H = {h s |s ∈ S} be a family of (possibly non-invertible) XOR-UHF. We propose a modular construction for an invertible UHF, G, called ei-UHF, that expands the domain of H while keeping the range the same. The important property of the construction is that inversion of ei-UHF has almost the same computational cost as (forward) hashing in H. Lemma 3 (ei-UHF) Let H = {h s |s ∈ S} be a family of XOR-Universal hash functions h s : X → Y. Define gs : X × Y → Y as follows. gs (x, y) = h s (x) ⊕ y.

(2)

The set G = {gs |s ∈ S} is a family of universal hash functions. gsInv (y, r) = (r, h s (r) ⊕ y).

(2’)

Moreover, for y ∈ Y, and any r ∈ X define, Then {gsInv |s ∈ S} is the set of inverter functions for G. The computation cost of inversion of ei-UHF is equal to the forward hashing of XOR-UHF together with an XOR.

56

S. Sharifian et al. 



Proof For any (r, y) = (r , y ), we first show that, 



Pr[g S (r, y) = g S (r , y )] ≤

1 . |Y|

According to (2), 







g S (r, y) = g S (r , y ) ⇔ h S (r) ⊕ h S (r ) = y ⊕ y . 

If r = r , from the XOR-Universality of H = {h s |s ∈ S} we have, 



Pr[h S (r) ⊕ h S (r ) = y ⊕ y ] ≤ 



1 . |Y|





If r = r , by the assumption (r, y) = (r , y ), we have y = y . This implies 



Pr[h S (r) ⊕ h S (r ) = y ⊕ y ] = 0, which concludes the first part of the proof. To verify that gsInv is an inverter of gs , we first verify inversion: gs (r, h s (r) ⊕ y) = h s (r) ⊕ (h s (r) ⊕ y) = y, for any r ∈ X . To show uniformity, by (2’), for every r there is a pre-image. If r is sampled uniformly from X , then gsInv (UY × UX ) = UX ×Y . For efficiency, we note that computing gsInv consists of computing h s and XOR, which are both efficient operations. ei-UHF is regular because for each y the size of the pre-image set is |X |. We use an instance of ei-UHF where the XOR hashing is based on Hmult . The original Hmult uses the same set for domain and seed. The lemma below shows a modification of Hmult that removes this restriction. Lemma 4 Let X = {0, 1}r and Y = {0, 1}b . Let S = {0, 1}r if r ≥ b and S = {0, 1}b , otherwise. Let h s : X → Y be defined as follows:  h s (x) =

if r ≥ b, (s  x)|b , s  (x||0b−r ), otherwise,

(3)

where  is the finite field multiplication, and |b denotes the first b bits of the vector representation of a finite field element. Then G = {gs |s ∈ S} with gs : X × Y → Y defined in (2), is a family of ei-UHF. The proof is given in the Appendix.

Hash-then-Encode: A Modular Semantically Secure Wiretap Code

57

4 HtE (Hash-then-Encode) Construction The ei-UHF construction, together with an ECC, give a modular construction of wiretap codes (single block seeded encryption [1]) from an XOR-UHF and an ECC.

4.1 Hash-then-Encode (HtE) Let H = {h s |s ∈ S}, where h s : {0, 1}k → {0, 1}b , be an XOR-UHF satisfying h s (0k ) = 0b , and ECC be an error correcting code. HtE construction assuming the seed is available at the receiver, works as follows. To encode a message m ∈ {0, 1}b , $

1. Seed selection: s ← S; seed is available to the decoder. $ 2. Encoding: HtE(k, s, m) = ECC(k||h s (k) ⊕ m), where k ← {0, 1}k . 3. Decoding: The received block is decoded using the decoder of ECC, and parsed to obtain (x, y). The message m = h s (x) ⊕ y. In practice, the seed is sent to the receiver reliably using an error correcting code. This reduces the transmission efficiency of the system as the total required transmission for a single message grows. To prove security of HtE construction and also address the inefficiency of sending the seed we follow the approach in [1]. In the following we provide an outline of this appoach, and then use it to complete security and efficiency proofs of HtE construction.

4.1.1

Invert-then-Encode (ItE) and Repeated ItE (RItE).

In [1] a modular construction of wiretap codes that provides semantic security, the strongest notion of cryptographic security for encryption systems, is proposed. The construction is a seeded encryption system and its security and efficiency is proven using two components. The first component is a single block seeded encryption system that assumes the random “seed” is known to the decryption function, and with this assumption proves semantic security of the construction. To remove the assumption of known seed, the seed can be reliably (using error correction) sent over the channel. Authors show that for long messages, the same seed can be used for many message blocks, and so the transmission cost of sending the seed will become negligible for long messages. The modular construction, called ItE (Invert-then-Encode), uses two building blocks: an invertible extractor and an ECC. For long messages RItE (Repeat Invertthen-Encode) construction is used that repeatedly uses ItE on consecutive blocks of a message, using the same seed. Semantic security of RItE is then reduced to the semantic security of ItE [1, Lemma 12]. This proof is general and applicable to any seeded encryption with semantic security.

58

S. Sharifian et al.

Semantic security of ItE construction is proved in two steps: in the first step [1, Lemma 13] a weaker notion of security known as random message security (RDS), for the construction is proved. This result is general and is applicable when the extractor is regular and the adversary’s channel is symmetric. The next step [1, Lemma 14] proves that RDS implies semantic security, when the seeded encryption satisfies two properties: being separable and message linear.

4.1.2

Security and Efficiency of HtE

Using an approach similar to [1], we will use Repeat-Hash-then-Encode, to amortize the seed length over many message blocks. The security reduction of RHtE to HtE follows from Lemma 2 in [1]. To prove semantic security of HtE when the seed is shared, the main observation is that the HtE construction can be seen as using the inverter function of ei-UHF construction, to obtain a pre-image for the message m, and then using an ECC. Thus the construction fits the ItE framework, and to prove semantic security we must show that HtE(k, s, m) is separable and message linear. (We noted that the construction of ei-UHF results in a regular invertible extractor.) Lemma 5 HtE(k, s, m) satisfies the following two properties. 1. (separable): HtE(k, s, m) = HtE(k, s, 0b ) ⊕ HtE(0k , s, m), for any k ∈ {0, 1}k , s ∈ S and m ∈ {0, 1}b ; 2. (message linear): HtE(0k , s, m1 ⊕ m2 ) = HtE(0k , s, m1 ) ⊕ HtE(0k , s, m2 ), for any s ∈ S and m1 , m2 ∈ {0, 1}b . Proof We show HtE(k, s, m) = ECC(k||h s (k) ⊕ m) satisfies these two properties. Note that ECC is linear and ei-UHF is constructed from an XOR-UHF that satisfies h s (0k ) = 0b . 1. Separable:   ECC (k||h s (k) ⊕ m) = ECC (k||h s (k) ⊕ 0b) ⊕ (0k ||0b ⊕ m)  = ECC k||h s (k) ⊕ 0b  ⊕ ECC 0k ||0b ⊕ m  = ECC k||h s (k) ⊕ 0b ⊕ ECC 0k ||h s (0k ) ⊕ m , where the second equality follows from the linearity of ECC and the last equality from h s (0k ) = 0b ; 2. Message linear:     ECC 0k ||h s (0k ) ⊕ (m1 ⊕ m2 ) = ECC 0k ||m1 ⊕ m2   = ECC 0k ||m1 ⊕ ECC 0k ||m2 = ECC 0k ||h s (0k ) ⊕ m1  ⊕ECC 0k ||h s (0k ) ⊕ m2 ,

Hash-then-Encode: A Modular Semantically Secure Wiretap Code

59

where the first and the last equalities follow from h s (0k ) = 0b , and the second equality from the linearity of ECC.

4.2 Achieving Capacity The RDS advantage Advr ds of HtE with respect to a wiretapper channel W : X → Z is defined as, Advr ds (HtE, W) = E[SD((W(HtE(K , S, M)), M)); (W(HtE(K , S, M  )), M))] where E() denotes the expectation over all choices of S ∈ S, and M and M  are two messages that are chosen from the message space, independently and with uniform distribution. Let ECC(·) be an error correcting code from n = k + b, to N bits; using [16, Lemma 5.5], Advr ds (HtE; W) is bounded as, −nδ 2

Advr ds (HtE, W) ≤ 2 · 2 2 log2 (|Z|+3) + 2−

n−N (log |Z|−H (W)+δ)−b+2 2

.

−nδ 2

The right hand side is 2ε1 + ε2 where ε1 = 2 2 log2 (|Z|+3) is from entropy smoothing n−N (log |Z|−H (W)+δ)−b+2 2 Lemma (Lemma 1), and ε2 = 2− is from the extractor (Lemma 2). The parameter 0 < δ < 1 bounds the difference between the smooth min-entropy of multiple independent samples, and n times Shannon entropy of an individual sample (See Lemma 1). In the second expression, H (W) = H (Z |X = x) for any x ∈ X . Note that since W is a symmetric channel, H (W) is independent of the choice of x. Moreover, the symetry of channel implies H (Z |X ) = H (Z |X = x) = H (W). As long as b ≤ n − N (log |Z| − H (W) + δ) + 2, for any δ chosen as above, one can choose sufficiently large n and N , to achieve arbitrarily small Advr ds . Therefore, the maximum achievable rate is: lim N →∞

n − N (log |Z| − H (W) + δ) + 2 n = lim N →∞ [ − (log |Z| − H (W))]. N N

When both the receiver and the wiretapper channels are symmetric and W is degraded with respect to T, secrecy capacity is given by the difference between Shannon’s capacities of two channels: CT − CW . The construction achieves secrecy capacity when (i) lim N →∞ Nn = CT , and (ii) log |Z| − H (W) = CW . The first condition is satisfied when we use an error correcting code that achieves secrecy capacity of T, and the second condition is satisfied if the uniform input to the wiretapper channel produces uniform output. An extension of ItE construction that achieves secrecy capacity for an arbitrary symmetric wiretapper channel, including continuous output alphabet channels is proposed in [17]. The extension uses a letter splitting function on the wiretapper

60

S. Sharifian et al. XtX:

ECC1 (kXtX )

Randomness extraction from

k ZXtX

W1

k ) (kXtX |ZXtX

ECC2 (hs (kXtX ) ⊕ m)

W2

HtE: ECC((kHtE hs (kHtE ) ⊕ m)

ZXtX

W

ZHtE

Semantic Secure Block

One-time Pad/Secure Block

Fig. 3 The encoded blocks in XtX and HtE

channel output1 that effectively copies the wiretapper channel output symbols so that the more probable symbols are repeated more. This creates an almost uniform distribution over the splitting function output symbols. The combination of the splitting function and the wiretapper channel is equivalent to the original wiretapper channel. Hence, the letter splitting function indeed creates an equivalent channel with almost uniform output, and application of ItE over this channel asymptotically achieves secrecy capacity. This extension can also be used for HtE construction with similar results, that is the construction achieves capacity for any symmetric channel. To obtain concrete parameters and derive exact expressions for the secrecy capacity, we consider the case that the main channel is noiseless, and W is a B SC p . In this case we have X = Z = {0, 1} and H (W) = h 2 ( p), where h 2 (·) is the binary entropy n−n (1−h 2 ( p)+δ )−b+2

2 function. Now as n grows, ε1 goes to 0. Moreoever, ε2 = 2− will also b go to 0 as long as we have h 2 ( p) − δ − R > 0, where R = n is the information rate of HtE in this special case. As noted earlier, δ can be chosen arbitrarily small, and so we have R approaching h 2 ( p) which is the secrecy capacity of the wiretap channel.

4.2.1

Comparison of XtX and HtE

Figure 3 shows the two constructions eXtract-then-Xor (XtX) [10] and HtE. However, a subtle difference between the two constructions results in the latter to be capacity achieving, while the former is not. The main reason is that XtX does not use all the noise in the adversary’s channel and so effectively overprotect the message. To better explain this difference, we first review XtX. XtX construction uses a family of hash functions H = {h s |s ∈ S}, together with two capacity achieving error correcting codes En 1 and En 2 (for the main channel). For a hash function h s : {0, 1}k X t X → {0, 1}b in H, the encoder output consists of two blocks, En 1 : {0, 1}k X t X → {0, 1}n 1 and En 2 : {0, 1}b+|S| → {0, 1}n 2 . The two encoding blocks of XtX are defined as ([10], Sect. 5.2):

1 The

paper [17] constructs an optimal letter splitting function using a greedy algorithm.

Hash-then-Encode: A Modular Semantically Secure Wiretap Code

61

En 1 = ECC1 (k X t X ), En 2 = ECC2 (h s (k X t X ) ⊕ m). Assuming that the receiver’s and the wiretapper channels are splittable, the channel is independently applied to the output of En 1 and En 2 . Let W1 : {0, 1}n 1 → {0, 1}d1 and W2 : {0, 1}n 2 → {0, 1}d2 denote applications of the wiretapper’s channel on En 1 and En 2 , respectively. The generalized leftover hash lemma [10, Lemma 5.1] is used to extract randomness from k X t X , given the wiretapper view Z kX t X . Thus h s (k X t X ) results in an (almost) random pad that (almost) perfectly hides the message m. Note that although k X t X is sent over the channel, because of the noise in the adversary’s channel W1 , its value will be seen with uncertainty by the adversary, and this uncertainty is extracted in the form of the pad. This shows that the available noise in W2 does not contribute to security, and the scheme uses only part of the channel noise. In HtE construction, the adversary’s channel is applied on the whole encoded block. This enables us to use extractable noise of the channel on the whole block, for providing security, and (asymptotically) achieve the secrecy capacity.

4.3 Effective Rate for Short Messages In application scenarios such as communication between an RFID (Radio Frequency Identification) tag and a reader, a single message must be protected against wiretappers. There are four seeded constructions of wiretap codes, three capacity-achieving. We define the effective communication rate of a seeded encryption with σ bits security by, R σ =(mess. len.)/(enc. block len. + seed len.). Here σ bit security means that the adversary’s advantage is bounded by 2−σ . Table 1 compares these constructions, and clearly show that HtE has the most efficient encoding and decoding computation, and achieves the highest effective rate in finite length regime.

5 Concluding Remarks We proposed a new modular construction of wiretap codes with semantic security, that enjoys efficient encoding and decoding, and achieves capacity for a large class of channels. To prove security, we used the framework of [16] which uses a number of steps. Providing a compact security proof for the construction is an interesting open problem. Our construction has the interesting property that the computational costs of encoding and decoding are almost the same and is equivalent to the cost of finding a hash value. Thus, with an appropriate choice of the hash function, one could

62

S. Sharifian et al.

Table 1 Comparing the encryption step of seeded wiretap codes (assume main channel is noise free and the hashing is multiplication in finite field). [7] assume a pre-shared seed and only consider strong secrecy. The length of R in XtX [10] is chosen such that limn→∞ |m| |R| = C sec and only

Csec < Csec . ItE and HtE are both semantically secure and capacityachieves asymptotic rate 1+C sec achieving with efficient encoding/decoding. Scheme CapacitySemantic security Enc/Dec Effective rate (encryption step) achieving computation

[7]: Inv(h S )(m)

×



F2b+r mult.,F2b+r

pre-shared seed

inv. XtX: × R  (h S (R) ⊕ m) ItE: Inv(h S )(m)  HtE: K  (h S (K ) ⊕ m)





F2b+r mult.,XOR

b 2(b+r )+b



F2b+r mult.,F2b+r

b 2(b+r )



inv. F2max{b,r } mult., XOR

b (b+r )+max{b,r }

construct a linear-time wiretap code. We will explore this in our future work.

Acknowledgements This work in part is supported by Natural Sciences and Engineering Research Council of Canada.

Appendix Proof of Lemma 4 Proof According to Lemma 3, we only need to show that {h s |s ∈ S} is XORUniversal, which is easily verified. 

• When r ≥ b, h s (x) ⊕ h s (x ) = a if and only if there exists an e ∈ {0, 1}r −b sat   isfying s  (x ⊕ x ) = (a||e). Since we assume x = x , s = (a||e)  (x ⊕ x )−1 is uniquely determined by the right hand side. The number of s satisfying  h s (x) ⊕ h s (x ) = a is exactly the number of e ∈ {0, 1}r −b , which is 2r −b . The  total number of seeds |S| in this case is 2r . Hence Pr[h s (x) ⊕ h s (x ) = a] ≤ 21b for  any x = x ∈ X and a ∈ Y.   • When r < b, h s (x) ⊕ h s (x ) = a if and only if s  (x ⊕ x ||0b−r ) = a. Since we   assume x = x , s = a  (x ⊕ x ||0b−r )−1 is uniquely determined by the right hand  side. The number of s satisfying h s (x) ⊕ h s (x ) = a is exactly 1. The total number   of seeds |S| in this case is 2b . Hence Pr[h s (x) ⊕ h s (x ) = a] ≤ 21b for any x = x ∈ X and a ∈ Y.

Hash-then-Encode: A Modular Semantically Secure Wiretap Code

63

References 1. Bellare M, Tessaro S, Vardy A (2012) Semantic security for the wiretap channel. In: Advances in cryptology (CRYPTO 2012). Springer, Berlin, Heidelberg, pp 294–311 2. Wyner AD (1975) The wire-tap channel. Bell Syst Tech J 54(8):1355–1387 3. Csiszár I, Körner J (1978) Broadcast channels with confidential messages. IEEE Trans Inf Theory 24(3):339348 4. Maurer U (1994) The strong secret key rate of discrete random triples. In: Blahut RE (ed) Communication and cryptography—two sides of one tapestry. Kluwer, Dordrecht, pp 271–285 5. Goldwasser S, Micali S (1984) Probabilistic encryption. J Comput Syst Sci, 28(2):270–299 6. Mahdavifar H, Vardy A (2010) Achieving the secrecy capacity of wiretap channels using polar codes. In: Proceedings of the 2010 IEEE international symposium on information theory (ISIT 2010). IEEE, pp 913–917 7. Hayashi M, Matsumoto R (2010) Construction of wiretap codes from ordinary channel codes. In: Proceedings of the 2010 IEEE international symposium on information theory (ISIT 2010). IEEE, pp 2538–2542 8. Himanshu Tyagi and Alexander Vardy. “Semantically-secure Coding scheme achieving the capacity of a Gaussian wiretap channel”. arXiv:1412.4958v2 [cs.IT] 9. Cramer R, Damgard IB, Döttling N, Fehr S, Spini G (2015) Linear secret sharing schemes from error correcting codes and universal hash functions. In: Eurocrypt 2015, Part II. LNCS, vol 9057, pp 313–336 10. Bellare M, Tessaro S, Vardy A (2012) A cryptographic treatment of the wiretap channel. arXiv preprint arXiv:1201.2205 11. Dodis Y, Ostrovsky R, Reyzin L, Smith A (2008) Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J Comput 38(1):97–139 12. Holenstein T, Renner R (2011) On the randomness of independent experiments. IEEE Trans Inf Theory 57(4):1865–1871 13. Nisan N, Zuckerman D (1996) Randomness is linear in space. J Comput Syst Sci 52(1):43–52 14. Impagliazzo R, Levin LA, Luby M (1989) Pseudo-random generation from one-way functions. In: Proceedings of the twenty-first annual ACM symposium on Theory of computing. ACM 15. Cheraghchi M, Didier F, Shokrollahi A (2012) Invertible extractors and wiretap protocols. IEEE Trans Inf Theory 58(2):1254–1274 16. Bellare M, Tessaro S (2012) Polynomial-time, semantically-secure encryption achieving the secrecy capacity. arxiv.org/abs/1201.3160 and Cryptology Eprint Archive Report 2012/022 17. Tal I, Vardy A (2013) Channel upgrading for semantically-secure encryption on wiretap channels. In: 2013 IEEE International Symposium on Information Theory Proceedings (ISIT). IEEE

A CCA-Secure Cryptosystem Using Massive MIMO Channels Thomas Dean and Andrea Goldsmith

Abstract We describe the technique of physical-layer cryptography based on using a massive MIMO channel as a key between the sender and desired receiver, which need not be secret. The goal is for low-complexity encoding and decoding by the desired transmitter-receiver pair, whereas decoding by an eavesdropper is hard in terms of prohibitive complexity. The decoding complexity is analyzed by mapping the massive MIMO system to a lattice. We show that the eavesdropper’s decoder for the MIMO system with M-PAM modulation is equivalent to solving standard lattice problems that are conjectured to be of exponential complexity for both classical and quantum computers. Hence, under the widely-held conjecture that standard lattice problems are hard to solve, the proposed encryption scheme has a more robust notion of security than that of the most common encryption methods used today such as RSA and Diffie-Hellman. Additionally, we show that this scheme could be used to construct a cryptosystem that achieves security under Chosen-Ciphertext Attack, without the use of a pre-shared secret and little computational overhead. Thus, by exploiting the physical layer properties of the radio channel, the massive MIMO system provides for low-complexity encryption commensurate with the most sophisticated forms of application-layer encryption that are currently known.

1 Introduction The decoding of massive MIMO systems forms a complex computational problem. In this paper, we demonstrate how to exploit this complexity to allow a transmitter-receiver pair to transmit confidential messages over a wireless channel in the presence of an adversary. Explicitly, we present a cryptographic construction that is secure under chosen-ciphertext attack. We present a model where a given T. Dean (B) · A. Goldsmith Stanford University, 350 Serra Mall, Stanford, CA 94305, USA e-mail: [email protected] A. Goldsmith e-mail: [email protected] © Springer International Publishing AG 2018 M. Baldi et al. (eds.), Proceedings of the 2nd Workshop on Communication Security, Lecture Notes in Electrical Engineering 447, DOI 10.1007/978-3-319-59265-7_5

65

66

T. Dean and A. Goldsmith

transmitter-receiver pair is able to efficiently encode and decode messages in a reliable manner, but an eavesdropper who has a physically different channel must perform an exponential number of operations in order to decode. This allows for confidential messages to be exchanged without a key agreement scheme or pre-shared key. Rather, the encryption exploits physical properties of the massive MIMO channel. Our MIMO wiretap channel model for communication is shown in Fig. 1. Here, a parallel channel decomposition allows for the intended receiver, Bob, to compute a maximum-likelihood estimate of the transmitter, Alice, with an overhead of only performing linear precoding and receiver shaping of their respective MIMO channel, assumed known to both of them. To an eavesdropper, Eve, who has a different channel, this decomposition does not aid in the ability to decode the channel with linear complexity. In particular, we prove that it is exponentially hard1 for the eavesdropper to decode Alice’s transmitted vector in our system model even if it knows the channel between Alice and Bob. We refer to the channel encryption key as a Channel State Information- or CSI-key. The model requires both the transmitter and receiver to have perfect knowledge of the channel, but this knowledge does not need to be kept secret. For decoding by Eve to be hard, our model requires a maximum on the SNR that Eve maintains and that Alice and Bob use a large constellation size, where the required constellation size is related to the number of transmit antennas. We exploit this complexity to allow Alice and Bob to securly (and reliably) communicate under the precise cryptographic notion of IND − CCA1. In the extended version of this work, available at [4], it is shown that, under proper conditions, the complexity of decoding MIMO systems by an eavesdropper can be related to solving standard lattice problems. The connection between MIMO and lattices is not new: for example, see Damen et al. [2], where the maximum-likelihood

Fig. 1 A MIMO wiretap channel model, defined by a channel gain matrix A = UΣVH , where A is known to both Alice and Bob. This allows Bob to efficiently decode Alice’s message. If Eve is not physically co-located, then knowledge of A, which we call the channel state information key, does not aid her in decoding the message with low complexity. Through the use of reductions we show that the complexity of Eve decoding Alice’s message to Bob is at least as hard as standard lattice problems. Hence, this complexity is conjectured to be exponentially hard in the number of transmitter antennas Alice uses. In particular, no existing algorithms, including those of a quantum computer, have been shown to solve such problems in sub-exponential time

1 More precisely, we prove that it is at least as hard as solving standard lattice problems in the worst

case, which are conjectured to be exponentially hard.

A CCA-Secure Cryptosystem Using Massive MIMO Channels

67

decoder is related to solving the Closest Vector Problem. Problems on lattices have been widely studied in cryptography and other fields and many standard lattice problems are conjectured to be hard [10, 11]. Lattice problems are also conjectured to be hard even when solved using quantum computers when they exist [11, 16]. Creating efficient cryptosystems that achieve security given the presence of quantum computers is currently an active area of research, since most cryptosystems today, such as RSA (a public-key algorithm named after its inventors, Rivest, Shimir, and Adleman, [17]) or the Diffie-Hellman key exchange (see [5]), could efficiently be broken by a quantum computer [14, 21]. Our physical-layer cryptosystem provides quantumresistant cryptography by exploiting the hardness associated with the eavesdropper’s decoding in a massive MIMO system. The idea of exploiting properties of the physical layer to achieve secrecy is not new and dates back to Shannon’s notion of information theoretic secrecy [19] and Wyner’s wiretap channel [24] (for a survey on the subject see [13]). In information theoretic secrecy, the goal is to communicate in a manner such that legitimate users may communicate at a positive rate, while the mutual information between the eavesdropper and the sender is negligibly small. Note that since in our model Bob and Eve have statistically-identical channels, information theoretic secrecy is not possible without a key rate, coding, or using properties of Alice’s and/or Bob’s channel in the transmission strategy. Along these lines, Shimizu et al. [20], have suggested using properties of the radio propagation channel to achieve information theoretic secrecy. These notions all differ from ours as we consider encryption based on computational complexity at the eavesdropper’s decoder rather than through equivocation at the eavesdropper related to entropy and mutual information. We believe this work makes significant progress in addressing some of the challenges that have been identified in applying physical layer security to existing and future systems [23]. The remainder of this paper is organized as follows. Section 2 outlines our system model. In Sect. 3 we state then main theorem and provide an outline of the proof, which is given in [4]. In Sect. 4 we show how to use this result to construct a cryptosystem that is secure under Chosen-Ciphertext Attack in the Random Oracle Model. A preliminary version of this work [3] was presented at the Information Theory Workshop in 2013. The proofs for the results in this work appear in the extended version of this paper, which is available at [4]. The extended version of this paper also includes an overview of lattice-based cryptography and a discussion of the computational complexity of lattice problems.

2 System Model Consider an n × m real-valued MIMO system consisting of n transmit antennas and m receive antennas: y = Ax + e, (1)

68

T. Dean and A. Goldsmith

where x ∈ Rn , and A ∈ Rn×m is the channel gain matrix. Each entry of the channel gain matrix is√drawn i.i.d. from the Gaussian distribution with zero mean and standard deviation k/ 2π. This distribution is henceforth written Ψk . The vector e ∈ Rm is the channel noise with each entry i.i.d. Ψα . It is assumed that A is known to both the transmitter and receiver. If we constrain the vector x to use a discrete, periodic constellation, then the set of received points becomes analogous to points on a lattice, perturbed by a Gaussian random variable. We assume that there are an arbitrary number of receive antennas, restricted to an amount within a polynomial factor of the number of transmit antennas, n. By making this assumption, we are considering the advantage an eavesdropper would gain by having an arbitrarily large number of receive antennas, but we are assuming that building a receiver with an exponential number of antennas relative to those at the legitimate user’s transmitter would be prohibitively expensive. Assuming that certain requirements on SNR and constellation size are met, as described below, the security of the system can be quantified solely by the number of transmit antennas. We consider real systems with the transmitted signal constellation, X , defined as the set of integers [0, M). Lattices can easily be scaled and shifted, so we use this constellation without loss of generality over all possible M-PAM constellations. Let user A have n transmit antennas which are used to send a message to user B who has a number of receive antennas that is within a polynomial factor of n. Let the channel between A and B be represented by A, where each entry is i.i.d. Gaussian Ψk . The noise at each receive antenna is drawn from Ψ Mα . The results in this paper show that MIMO decoding can be related to solving standard lattice problems when a certain minimum noise level and constellation size are met. If the noise power is below the required level, efficient decoding methods such as the zeroforcing decoder could be applied to our system. In other words, if these conditions are not met, then our results provide no insight on the complexity of decoding, and hence on the security of the MIMO wiretap channel. Specifically, for some arbitrary m > 0, we require the following constraints on the transmission from user A to user B: √ (2) Minimum Noise: mα/k 2 > n Constellation Size: M > m 2n log log n/ log n

(3)

where the parameter m may be chosen by a user or system designer in order to trade off the SNR requirement for the size of the constellation. Now consider an eavesdropper, E , which has poly(n) receive antennas, and receives message x with channel represented by B, where each entry is again i.i.d. Ψk . Let the channel have noise be drawn from Ψ Mβ , where β ≥ α. In other words, the eavesdropper must meet at least the minimum noise requirement stated above. In order to send message x to user B, user A performs a linear precoding as described in [7]. Let the singular value decomposition of A be given as A = UΣV H . A now sends x˜ = Vx. Upon receiving a transmission from user A , user B computes y˜ = U H y. It is easy to show that this expands to y˜ = Σx + e˜ . Since Σ, representing

A CCA-Secure Cryptosystem Using Massive MIMO Channels

69

the singular values of A, is a diagonal matrix, B can efficiently estimate x with linear complexity in n. Notice that U is unitary so e = ˜e. Now consider the message received by E : y˜ = BVx + e˜ .

(4)

Note that V consists of the right singular vectors of A, which is independent of B and unitary. Gaussian random matrices are orthogonally invariant, so since V is unitary, multiplying by V returns the matrix to an identical, independent distribution. In other words, the entries of BV are i.i.d., following the same distribution as B. We define the distribution A M,α,k to be the distribution induced at each receive antenna for a fixed message x. A receiver with n r antennas receives n r independent samples from this distribution. We now precisely define the MIMO decoding problem for any n r = poly(n). An algorithm solves this problem if it returns the correct answer with a probability greater than 1 − n −c , for some c > 0. Problem Definition 1. MIMO − Search M,α,k . Let M ≥ 2, α ∈ (0, 1), k ∈ R, n > 0. Given a polynomial number of samples of A M,α,k , output x.

3 Main Theorem In this section we state our main theorem regarding the computational hardness of MIMO − Search M,α,k and give an outline of the proof. The full proof is available in [4]. We show that given an efficient algorithm that can solve this problem, there exist efficient solutions to the problems of GapSVPn/α and SIVPn/α .The relation between the reductions used to show the hardness of MIMO decoding and the reductions used to show the hardness of LWE is shown in Fig. 2. Examples of parameters that meet the requirements stated in Theorem 1 are shown in Table 1. For a full description of the underlying lattice problems referenced here and their complexity, we refer the reader to [4] or [16]. It is widely conjectured that the underlying lattice problems cannot be approximated to within even polynomial factors by both classical and quantum computers, and hence, by contrapositive, Theorem 1 implies that the MIMO-Search problem is also hard. Theorem 1 MIMO − Search M,α,k to GapSVPn/α and SIVP √ n/α . Let m > 0, α ∈ R, k ∈ R, M > m 2n log log n/ log n , be such that mα/k 2 > n. Assume we have an efficient algorithm that solves MIMO − Search M,α,k , given a polynomial number of samples from A x,α,k . Then there exists an efficient quantum algorithm that, given an n-dimensional lattice L (A), solves the problems GapSVPn/α and SIVPn/α . Hence, since GapSVPn/α and SIVPn/α are conjectured to be hard, it is also conjectured that MIMO-Search is hard.

70

T. Dean and A. Goldsmith

Fig. 2 A map of reductions relating MIMO decoding to solving standard lattice problems and the LWE problem. If there exists an efficient algorithm to solve the MIMO decoding problem, then this implies solutions to standard lattice problems. Since lattice problems are conjectured to be hard, this conjecture follows for the hardness of the MIMO decoding problem. In this figure, M refers to the constellation size used in the MIMO system Table 1 Maximum SNRs n 80 128 196 256

log2 M

SNR (dB)

33.7 51.3 75.4 96

87.1 139.2 210.7 272.2

Example sets of parameters for various numbers of transmit antennas. In order for the security proofs contained in this paper, the system must meet these minimum constellation size and maximum SNR values. Here we set m = 1

The steps used to prove the theorem are outlined as follows: • We first show that, given an oracle that can solve MIMO − Search M,α,k , we can solve problems where the coefficients of the channel gain matrix are drawn from a discrete Gaussian distribution rather than a continuous one. • We reduce the lattice basis, formed by the channel gain matrix A, by using the Lensta-Lensta-Lovsz (LLL) lattice-basis reduction algorithm [9]. Then, using the procedure described in [6], create a discrete Gaussian distribution on this lattice, with a second moment around the length of the largest vector given in the reduced basis. We use this as the starting point for the iterative portion of the algorithm. • The main step in the proof uses the MIMO decoding oracle to solve the BDD problem given access to a DGS oracle. This allows us to directly use the results from Regev [16] and Peikert [15].

A CCA-Secure Cryptosystem Using Massive MIMO Channels

71

• Borrowing Lemma 8, from [16], the BDD oracle is used to (quantumly) solve DGS L ∗ ,√n/(√2d ) , that is return samples of D L ∗ ,r . Note that we can efficiently sample from D L√,r for r > η (L). If we set the value of d in the BDD oracle so that √ 2d > n, then we can reduce the value of r to below the value for which we could previously efficiently sample, that is we can construct a distribution that is more narrow than previously possible. • The BDD and DGS oracles can now be applied iteratively, shrinking the second moment of the discrete Gaussian distribution with each iteration. Eventually, the distribution becomes narrow enough to reveal information about the shortest vectors of the lattice, thereby solving the GapSVPn/α and SIVPn/α problems.

4 A CCA-Secure Cryptosystem In the previous sections we have shown that the MIMO wiretap model is secure in the sense that the decoding complexity of any eavesdropper is of exponential time complexity with respect to the number of transmit antennas. In this section, we show how this result can be used to construct a cryptosystem that is secure under Chosen-Ciphertext Security. Until this section, we have referred to the third user on Alice and Bob’s public channel to be an eavesdropper. This implies that the eavesdropper is passive and has no ability but to receive and decode information. In practice, this model is limited and, in order to provide more practical and robust notions of security, a more powerful adversarial model should be considered. The need for using more robust security models in the study of physical-layer security was recently discussed in [23]. In this work the author suggests bridging the gap between notions of security in information theory and cryptography in order to make physical-layer schemes more widely accepted by the security community. Considering an adversary that, for example, has the ability to manipulate, inject, alter or duplicate information is considered essential when a cryptographer develops and designs a cryptosystem, but is rarely, if ever, considered in information-theoretic settings. In this section, we discuss stronger adversarial models that are commonly considered in cryptography and show how to use the hardness result in Sect. 3 in order to construct secure schemes under these models. The scheme in Sect. 4.1 requires the use of the Random Oracle Model, a framework that allows for the tractable analysis of cryptographic constructions that use hash functions. See [8] for a more complete construction of the Random Oracle Model, Chosen-Ciphertext Security and other cryptographic notions of security.

72

T. Dean and A. Goldsmith

4.1 A CCA Secure Framework We have shown that it is computationally infeasible for Eve to exactly recover Alice’s transmitted message, but Bob can decode in polynomial time. This implies that (assuming lattice problems are hard) the MIMO channel naturally forms what cryptographers call a secure one-way trapdoor function. In this subsection, we construct a secure cryptosystem by using a standard cryptographic construction, known as OAEP+. OAEP+ (Optimal Asymmetric Encryption Padding, Improved) was introduced in [22]. The results of [22] allow for the construction of a secure cryptographic system given any one-way permutation. The results imply that, in the random oracle model, the resulting system has the properties of Chosen Ciphertext (CCA) Security and Chosen Plaintext (CPA) Security. Precisely, the security of our system follows from the following theorem, which is proved in [22] for any one way permutation. The fact that the MIMO-Search problem is one way, under the assumption that lattice problems are hard, is given by Theorem 1.2 This result allows us to leverage the OAEP+ framework to create a CCA-secure cryptosystem. Theorem 2 ([22], Theorem 3) If the underlying trapdoor permutation is one way, then OAEP+ is secure against adaptive chosen ciphertext attack in the random oracle model. Formally, the OAEP+ framework, and Algorithm 1 as presented below, acheive the notion of IND-CCA1. Under the CCA adversarial model, an adversary first gets access to a decryption oracle (but not the secret key) and is allowed to present his choice of ciphertext to the oracle and learn the corresponding plaintext. Then after loosing access to this oracle, the adversary is then challenged to match pairs of plaintext and ciphertext. This is also referred to as a “lunchtime”, non-adaptive CCA security, or IND-CCA1. In a stronger notion of CCA security (known as adaptive CCA or IND-CCA2), the adversary can continue to submit queries to the oracle after being presented with the challenge plaintext and ciphertext pairs, under the condition that he does not submit the challenge ciphertext to the oracle. In our system model, the necessity for CCA security is not entirely apparent, since such a device cannot exist: the ability for Bob to decode Alice’s messages depends on both Alice and Bob to be at certain spatial locations and not on the possession of a key. In fact, when Eve receives a message through the wiretap channel, she receives the vector BVx + e, which was precoded for Bob’s channel. There is no way for anyone to efficiently decode this vector. Nonetheless, our system is still secure if such an oracle were to exist, as adaptive CCA security (and hence CPA security) follows from using the OAEP+ construction.

2 The

MIMO channel maps messages from bits to real values and thus is a function and not a permutation. However, the MIMO search problem asks Eve to decode a MIMO signal back to bits, and thus we can view the process of transmitting, detecting and decoding as a permutation of the message bits.

A CCA-Secure Cryptosystem Using Massive MIMO Channels

73

Algorithm 1: MIMO-OAEP+ Let K = n log M be the number of bits transmitted per MIMO channel use. Alice wishes to send Bob a message, m, that is η = K − 2n bits. Assume Alice and Bob both have access to three random oracle functions: G : {0, 1}n → {0, 1}η , H  : {0, 1}n+η → {0, 1}n , H : {0, 1}n+η → {0, 1}n . Alice computes s ∈ {0, 1}n+η , t ∈ {0, 1}n , x ∈ {0, 1} K as shown under Encrypt below. Alice then multiplies x by the right singular vectors of Bob’s channel and transmits the message to Bob. Bob recovers x through his channel and then recovers m using the procedure shown under Decrypt. Bob verifies that c = H  (r m). If these quantities are not equal then Bob has not properly received Alice’s message and he rejects. Encrypt Decrypt s = (G(r ) ⊕ m) H  (r m) s = x[0, . . . , η + n − 1] t = H (s) ⊕ r t = x[η + n, . . . , k] x = st r = H (s) ⊕ t m = G(r ) ⊕ s[0, . . . , η − 1] c = s[η . . . , η + n − 1] ?

c = H  (r m)

We note that this algorithm requires Bob to receive a perfect copy of the message x through the MIMO channel. However, Bob receives this message through a channel with Gaussian noise and thus has some probability of error that he does not receive this message perfectly. In fact, given the large noise requirement in Theorem 1, it can be shown that the symbol error rate at Bob’s location will be close to one, even when Bob has a large number of antennas. In order to allow Alice and Bob to communicate, we must reduce the rate of communication between them; however, in order to allow for Theorem 1 to hold, we must still maintain the large constellation size and noise requirement. Both of these objectives can be accomplished through the use of error correcting codes. Note, however, that if we encode the message x with a code that can correct up to e errors, then this also aids Eve in recovering the plaintext. Because Eve cannot apply ML decoding, she will experience an increased error rate over Bob. We can use this fact to construct a code that Bob can decode but Eve cannot.

74

T. Dean and A. Goldsmith

4.2 Eve’s Decoding Performance In this section, we consider the limits to which Eve can estimate the message x that is not precoded for her channel. The analysis in this section describes how much Eve’s estimate of x differs from its maximum-likelihood, which we denote as xˆ . We obtain a lower bound on this distortion by considering state-of-the-art algorithms that are used to attack lattice-based cryptography schemes. See [11] or [12] for a more complete discussion on cryptanalysis of lattice-based cryptography. Eve receives this message through her channel and can apply her favorite latticebasis reduction algorithm to decode the message, but is unable to obtain a lattice basis that is within a polynomial factor of the shortest basis. She can use this shorter basis along with Babai’s nearest plane algorithm [1] to recover a vector, x , that is a superpolynomial distance away from xˆ , that is x − xˆ  > 2ω(log n) . In [12], the authors suggest that, given a realistic amount of computational resources, the √ closest Eve can 2 n log M log 1.005  decode relative to the original message is bounded by x − xˆ  > 2 . In order to prevent Eve from being able to recover a coded version of the message √ x, we apply a code that has a minimum distance dmin ≤ 22 n log M log 1.005 . With high probability, Eve will be unable to recover an error-free estimate of x, and will be unable learn any information about the message m sent using Algorithm 1.

4.3 Correctness We now show that,√if Alice encodes the output of Algorithm 1 with an error-correcting code of dmin = 22 n log M log 1.005 then, given a sufficient number of receive antennas, Bob will be able to receive and decode the vector x without error, thus allowing him to recover the message m from Algorithm 1. This constitutes a proof of correctness for Algorithm 1. We proceed by choosing the parameters M = 2n log log n/ log n , m = 1, α = 1, and k = 1, but this analysis is easily generalized to other parameters that meet our security condition. Assume that Bob has nr = t · n receiver antennas for some t > 2. Using a deviation inequality for extreme singular values given in [18] (specifically see Eq. 2.3), we can establish a lower bound on the smallest singular value in the channel gain matrix −n/2 , the smallest singular value between Alice √ and Bob. With probability at most 2e is at least (t − 2)n. This implies that the noise variance in each of the decomposed √ channels between Alice and Bob will decrease by at least of a factor of (t − 2)n compared to the ambient channel noise. For Bob to be able to decode, we now require the following condition to hold with some reasonable probability: √

√ Mα < 22 n log M log 1.005 , (t − 2)n

(5)

A CCA-Secure Cryptosystem Using Massive MIMO Channels

75

where the left-hand side is an upper bound of the noise variance in each of Alice and Bob’s parallel channels, and the right-hand side is the minimum distance of the error correcting code employed by Alice. Substituting the values of our constants, this gives us 2.86 (6) t> n and thus, for any t > 2, the probability of having a symbol error when Bob decodes is bounded below as  n  r erfc = negl(n), (7) 2.86 where erfc(·) represents the complimentary error function. We note that the condition that t > 2 is only necessary so that, with overwhelming probability, there will be no illconditioned channels in the parallel decomposition between Alice and Bob. For large n, the probability of error will remain small for values of t close to 1.

5 Conclusion We have demonstrated that the complexity of an eavesdropper decoding a large-scale MIMO systems with M-PAM modulation can be related to solving certain lattice problems that are widely conjectured to be hard. This suggests that the complexity of solving these problems grows exponentially with the number of transmitter antennas. Unlike the computationally hard problems underlying many of the most common encryption methods used today, such as RSA and Diffie-Hellman, it is believed that the underlying lattice problems are hard to solve using a quantum computer, and thus this scheme presents a practical solution to post-quantum cryptography. It is not new to exploit properties of a communication channel to achieve security; however, to our knowledge, this is the first scheme that uses physical properties of the channel to achieve security based on computational complexity arguments. Indeed, the notion of the channel is not typically considered by cryptographers. We thus describe our system as a way of achieving physical-layer cryptography. Further novel to our scheme is the role that the channel gain matrix plays in decoding. A transmitted message can only be decoded by a user with the corresponding channel gain matrix. The channel gain matrix, or more specifically the precoding of the message using the right-singular vectors of the channel gain matrix, essentially plays the role of a secret key in that it allows for efficient decoding at the receiver. However, this value does not need to be kept secret, nor does it play the traditional role of a public key. We term this type of key as the Channel State Information- or CSI-key. In cryptography terminology, this system is a trapdoor function, for which the trapdoor varies both spatially and temporally. The fact that this is a new type of cryptographic primitive suggests the possibility of entirely new cryptographic constructions.

76

T. Dean and A. Goldsmith

We have used the hardness result, to construct a communication scheme in which Alice and Bob can reliably communicate and that is secure under Chosen-Ciphertext Attack without requiring the use of a preshared key. We relate the parameters required to maintain security to SNR requirements and constellation size and show that they are practical to achieve assuming a system with enough transmitter antennas and the corresponding number of receivers, and relatively large constellation sizes. Acknowledgements The authors would like to thank Dan Boneh for his discussions on latticebased cryptography, Martin Hellman for his comments on a preliminary version of this work, Shlomo Shamai for discussions regarding information-theoretic secrecy in the context of our model, Mainak Chowdhury for discussions on algorithms for MIMO decoding and linear codes, and Yonathan Morin for his discussions on MIMO decoding and comments on a preliminary version of this work.

References 1. Babai L (1986) On Lovasz’ lattice reducition and the nearest lattice point problem. Combinatorica 6(1):1–13 2. Damen MO, El Gamal H, Caire G (2003) On maximum likelihood detection and the search for the closest lattice point. IEEE Trans Inf Theory 49(10):2389–2402 3. Dean T, Goldsmith A (2013) Physical-layer cryptography through massive MIMO. In: IEEE Information Theory Workshop (ITW), pp 1–5 4. Dean T, Goldsmith A (2015) Physical-layer cryptography through massive MIMO. arXiv preprint arXiv:cs-it/1310.1861 5. Diffie W, Hellman M (1976) New directions in cryptography. IEEE Trans Inf Theory 22(6):644– 654 6. Gentry C, Peikert C, Vaikuntanathan V (2008) Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the 38th annual ACM symposium on theory of computing (STOC), pp 197–206 7. Goldsmith A (2004) Wireless communications. Cambridge University Press, Cambridge, MA 8. Katz J, Lindell Y (2007) Introduction to modern cryptography. Chapman & Hall/CRC, New York 9. Lenstra A, Lenstra H Jr, Lovasz L (1982) Factoring polynomials with rational coefficients. Math. Ann. 261(4):515–534 10. Micciancio D, Goldwasser S (2002) Complexity of lattice problems: a cryptographic perspective. Kluwer Academic Publishers, Boston, MA 11. Micciancio D, Regev O (2009) Lattice-based cryptography. In: Post-quantum cryptography, Berlin, German. Springer, Berlin/Heidelberg, pp 147–191 12. Micciancio D, Walter M (2016) Practical, predictable lattice basis reduction. In: Proceedings of EUROCRYPT. LNCS, vol 9665. Springer, Berlin, p 1123 13. Mukherjee A, Fakoorian SAA, Huang J, Swindlehurst AL (2010) Principles of physical-layer security in multiuser wireless networks: survey. Commun Surv Tuts 16(3):1550–1573 14. Nielson MA, Chuang IL (2000) Quantum computation and quantum information. Cambridge University Press, Cambridge, MA 15. Peikert C (2009) Public-Key cryptosystems from the worst-case shortest vector problem. In: Proceedings of the 41st annual ACM symposium on Theory of computing, pp 333–342 16. Regev O (2005) On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th ACM symposium on theory of computing (STOC), pp 84–93 17. Rivest R, Shamir A, Adleman L (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126

A CCA-Secure Cryptosystem Using Massive MIMO Channels

77

18. Rudelson M, Vershynin R (2010) Non-asymptotic theory of random matrices: extreme singular values. arXiv preprint arXiv:1003.2990 19. Shannon CE (1949) Communication theory of secrecy systems. Bell Syst Tech J 28:656–715 20. Shimizu T, Iwai H, Sasaoka H, Paulraj A (2010) Secret key agreement based on radio propagation characteristics in two-way relaying systems. In: Proceedings of the 2010 IEEE global Communications Conference, pp 1–6 21. Shor PW (1997) Polynomial-time algorithsm for prime factorization and discrete logarithms on a quantum computer. SIAM J Comp 26(5):1484–1509 22. Shoup V (2001) OAEP reconsidered. In: Annual international cryptology conference. Springer, Berlin Heidelberg 23. Trappe W (2015) The challenges facing physical layer security. IEEE Commun Mag:16–20 24. Wyner AD (1975) The wire-tap channel. Bell Syst Tech J 54:1355–1387

You Are How You Play: Authenticating Mobile Users via Game Playing Riccardo Spolaor, Merylin Monaro, Pasquale Capuozzo, Marco Baesso, Mauro Conti, Luciano Gamberini and Giuseppe Sartori

Abstract Nowadays, user authentication on mobile devices is principally based on a secret (e.g., password, PIN), while recently two-factors authentication methods have been proposed to make more secure such secret-based methods. Two-factors authentication methods typically combine knowledge factors with user’s characteristics or possessions, obtaining high authentication performances. In this paper, we propose a novel two-factors authentication method based on users’ cognitive skills. Cognitive abilities are caught through the users’ performance to small games, which replicated the classical attentional paradigms of cognitive psychology. In particular, we introduced three games that rely on selective attention, attentional switch and Stroop effect. While users were solving a game on their smartphones, we collected cognitive performance (in terms of accuracy and reaction times), touch features (interactions with touch screen), and sensors features (data from accelerometer and gyroscope). Results show that our cognitive-based games can be used as a two-factors authentication mechanism on smartphones. Relying on touch and sensors features as behavior biometrics, we are able to achieve an authentication accuracy of 97%, with a Equal Error Rate of 1.37%. R. Spolaor · M. Monaro · P. Capuozzo · M. Baesso · M. Conti (B) · L. Gamberini · G. Sartori University of Padua, Padua, Italy e-mail: [email protected] R. Spolaor e-mail: [email protected] M. Monaro e-mail: [email protected] P. Capuozzo e-mail: [email protected] M. Baesso e-mail: [email protected] L. Gamberini e-mail: [email protected] G. Sartori e-mail: [email protected] © Springer International Publishing AG 2018 M. Baldi et al. (eds.), Proceedings of the 2nd Workshop on Communication Security, Lecture Notes in Electrical Engineering 447, DOI 10.1007/978-3-319-59265-7_6

79

80

R. Spolaor et al.

1 Introduction Currently smartphone authentication systems, when enabled, are based on passwords or unlock patterns. Unfortunately, these type of systems have an inherent security limitation: they only rely on a secret, which an adversary may unveil, and thus getting access to victims smartphone. To cope with such limitation, in recent years researchers effort focused on biometric authentication methods. In particular, a specific branch of such research focus on biometrics that profile users behavior, This branch of research is also known as behavioral biometrics. The purpose of our research is to develop a smartphone authentication system that combines traditional authentication methods based on secrets, with behavioral features of the user. We aim to design such system to be both usable, and perceived by the user as safe. Therefore, we propose three novel unlocking methods based on tasks designed to have a convenient degree of interaction between user and device. The authentication system we propose in this paper consists of short games based on the principles of the human cognitive system. The reasons behind our choice are based on recent studies that indicate the existence of individual differences in the behavior of users interacting with a mobile device [14, 32]. An example is keystroke dynamics, i.e., timing information that describes exactly when each key was pressed and when it was released as a person is typing at a computer keyboard [24]. Moreover, other researchers introduced behavioral features derived from human-smartphone interaction as unlocking methods [30]. Inspired by these studies, we have implemented three simple games1 with the purpose of authenticating the user according her behavior while solving them. In particular, we collect time features, touch features e sensors features. The choice of using games has the purpose to make the tasks more exciting and to increase the pleasantness of user experience. This aspect is new in the context of mobile security authentication. Furthermore, to the best of our knowledge, this is the first work in the literature that explores the use of tasks based on principles of cognitive functioning for user authentication. We studied how the subjects interact while solving our games to check if, according to collected data, we can distinguish a person from the others. The games were built using classical paradigms that derive from the study of mechanisms of functioning of our cognitive system. In particular, we used attentional tasks that exploit the ability of selective attention, divided attention, task switching and inhibiting interference. In this study, we want to verify if, in addition to the classic biometric features (touch and sensors features), the features based on the cognitive system (time features and errors) are sensitive to discrimination between subjects. According to scientific literature, we expect that touch and sensors features show an individual variability in performing the tasks. These act as biometric measures and they should be able to identify the owner by the adversary with high accuracy. Furthermore, we want to verify if time features and errors, which are the more 1 Home

page of “You Are How You Play” project: http://spritz.math.unipd.it/projects/youarehowyouplay/index.html.

You Are How You Play: Authenticating Mobile Users via Game Playing

81

representative of the user’s cognitive skills, bring any advantage on authentication accuracy. The rest of the paper is organized as follow. In Sect. 2, we survey the work related to two-factors authentication methods on mobile devices and briefly present some aspects of gamification. We describe in detail the experimental design in Sect. 3. Then, we report implementation details and the results our analysis in Sect. 4. Finally, we draw some conclusions in Sect. 5.

2 Related Work In the following sections we underline the importance of having stronger authentication methods. We focus on a review of the two factors authentication systems currently available for smartphones. Finally, we discuss the importance of gamification to have authentication systems with a high usability and user experience.

2.1 Two Factors Authentication on Smartphones Traditional password authentication is actually the more widespread system to authenticate users on smartphones. However, it jeopardizes the user privacy, because the knowledge of a secret (the password) is enough to have access to the device. For example, some studies demonstrated that a hacker can infer the position in which the screen was touched using sensors information, such as accelerometer and gyroscope [9, 10, 17, 35]. The residues of finger halos on the smartphone screen can also be used to infer the authentication password in [8]. The weakness of the system has allowed, in recent years, the spread of multifactors authentication (MFA) systems. These methods guarantee the users access only if she is able to present to the system two or more information of different nature. Typically, two different information are required, as the most common MFA are two-factors authentication methods (2FA). The type of information that is required to the user may belong to three different categories: knowledge (something that she knows, e.g., the pin code), possession (something that she has, e.g., the bankcard) or inherence (something that she is, e.g., the fingerprint) [16]. One pioneering work on two-factors authentication on mobile devices was carried out by Clarke et al. in [3] relying on keystrokes on a numeric keyboard. In particular, the authors considered the keystroke latency, the time range between two consecutive keys and the key pressure time. The authors were able to authenticate the user while input her PIN. The results achieved by their authentication scheme was an Equal Error Rate (EER) of 12.8%. In [29], the authors combined the use of a password with the detection of the user’s behavioral characteristics, such as the way she interacts with the keyboard. They showed that each user has a unique specific writing pattern on a smartphone

82

R. Spolaor et al.

keyboard, so the keystroke analysis technique (time-based features) can be used for user identification. By repeating the same text string, the user can be authenticated with a False Acceptance Rate (FAR) ≤ 0.005 and a Genuine Acceptance Rate (GAR)  92%. In [21] the authors integrate the PIN based authentication systems with the analysis of size and pressure features. In [14] Giuffrida et al. proposed an authentication system based on keystroke analysis and smartphone sensors. During the authentication procedure, the system required a fixed text input by the user; the performance verification phase takes into account both the typing rhythm and the data from the device sensors (accelerometer and gyroscope). Results demonstrated that the contribution made by the sensors is relevant in terms of performance (i.e., EER  0.08%). In [32], Stanciu et al. assessed the resistance of the keystroke based authentication systems in [14] against intruders attacks. Results showed that these systems are resistant to attacks considering only the features derived from smartphone sensors. Conversely, the systems proved to be weak when the features considered are those linked to the touch dynamism. Another non-intrusive 2FA authentication method has been reported in [25]. The user verification system in this paper is based on PIN input, but it also records the touch and the sensors features. The system has been proven to be most effective for 4 digits long PIN instead of 8 digits long PIN, reaching an EER  3.65%. More recently, some studies have been conducted to assess the accuracy of the gesture-based systems [34]. These systems analyze the user-device interaction when she is tracing the gesture on the screen. It can be noticed that different users have a unique pattern to perform a unlock gesture with a high level of stability over the time. These systems achieve an accuracy of 77% using the touch features only [1], even if they are easily subject to shoulder surfing attacks and smudge attacks. Another interesting type of authentication systems based on behavioral features, are the continuous authentication systems. These exploit the user interactions with the smartphone during the entire duration of its use. For example, some studies [18, 19] have considered, as features, the different types of touch movement: sliding-up, sliding-down, sliding-left, sliding-right. These systems are considered as implicit authentication systems, as they do not require the user to explicitly provide information. In [15] the authors reached a performance of GAR = 92% and FAR = 1% measuring the user’s keystroke pattern while she types text messages. In [20] a continuous authentication system based on touch gestures has been tested; those gestures were derived from simple browsing activities or smartphone usage, achieving an E E R ≤ 4%. In [7], Shi et al. created an implicit authentication system based on features extracted from text messaging, voice calls, browser history, and the geographic location of the smartphone. Sandnes et al. in [11] developed an authentication system by tracking features related to the handle (with the right hand, with the left hand, with both hands) and considering touch areas and movement speed during the device usage. An interesting study has been presented by [22]. The idea of the authors consists in authenticating the user through the use of free gesture (single or multi-touch). They

You Are How You Play: Authenticating Mobile Users via Game Playing

83

reached an 3.34% ≤ E E R ≤ 13.16% in identifying the users. Physiological features have been widely used in two-factors authentication. However, these features suffer from the interference and the variability of the external environment. For example, the facial recognition may fail as a result of little lighting or different angles [26]. The speech recognition can be degraded by the background noise [12]. Furthermore, it is difficult to integrate in all smartphones these sophisticated biometric technologies.

2.2 Gamification In [2], the authors analyze the conflict between safety and usability of authentication systems. Usability and user experience define the learnability of the task, the ease of use of the system and the user’s reactions during the interaction with the system. Security focuses on reducing the probability of a hacker to break the system. However, increasing the security, the system usability and the user experience often decrease. Security experts identify users as the weak point of the system [28]. In fact, the best security algorithm is useless if the user is lazy to use it [31]. Therefore, the current challenge is to produce new safe authentication systems that show, at the same time, a high level of usability and user experience. In this perspective, we believe that introducing gamification in the domain of two-factors authentication systems may contribute to a substantial improvement in both safety and usability.

3 Methods In this section, we present the design of experimental tasks (in Sect. 3.1) and their resiliency against random guess attacks (in Sect. 3.2). Then, we discuss the features extracted during task solving by a user (in Sect. 3.3).

3.1 Experimental Tasks We developed each task inspired by the mechanisms underneath the human cognition system, with goal of bringing out behavioral measures (touch, time and sensors features), peculiar to each individual user. We designed three tasks in the form of mobile games inspired by the concepts of selective attention, divided attention, task switching and inhibition of interference. Task 1: Moles Game This task is divided into four rounds. In each round four moles of different color will come out simultaneously from their holes and the task consists to tap the mole of a specific color. The color sequence of the moles to tap represents the secret (see Fig. 1).

84

R. Spolaor et al.

(a) Task configuration interface. It is shown the color sequence of moles the user has to tap for each round (four rounds in total) in order to complete the task correctly.

(b) Starting screen of the task. Moles are still in their holes. The user is not allow to tap anywhere (i.e., taps are ignored).

(c) Screen during execution of the task. Moles come out from their holes at the same time and the user is allow to tap the one with the right color for that specific round.

Fig. 1 Screens of Moles Game task

The task has two versions: • Fixed version: for each iteration the secret does not change (the sequence of colors to be tapped is always the same) and the moles come out always by the same holes. • Random version: for each iteration the secret does not change (the sequence of colors to be tapped is always the same), however the moles come out from the holes in random sequence. The task is based on the concept of selective attention that is the activity consisting in focusing, among the many available stimuli, those from time to time relevant to the task or the situation, while the others are left in the background [6]. A famous task that investigates selective attention is the Trail Making Test A (TMT -A) that consists to connect a series of consecutively numbered circles in a limited time [13]. In order to successfully complete the task, the subject has to focus his attention on one number at a time within the sequence, ignoring others. Moles Game may be considered a selective attention task because, similarly to TMT - A, the subject has to focus his attention on one mole at a time within a given sequence, ignoring the other moles. The user must remember the sequence of colors (i.e., the secret to solve the game) and tap the mole of the right color among “distractors” (i.e., moles with a color that is different from target color).

You Are How You Play: Authenticating Mobile Users via Game Playing

(a) Task configuration interface. It is shown the starting cell for the first round (i.e., cells in a row) and the starting cell for the second round (i.e., cells in a column).

(b) Starting screen of the task. The user is prompted with the 5x5 grid of cells. The user is allow to tap anywhere.

85

(c) Screen during execution of the task. In this example, the user tapped on a cell and it has became black to give a brief visible feedback.

Fig. 2 Screens of Stroop Effect task

Task 2: Stroop Effect The second task relies on the cognitive effect known as Stroop Effect. The Stroop Effect is famous in experimental psychology and affirms that when the name of a color (e.g., “blue”, “green”, or “red”) is printed in a color that is not denoted by the name (e.g., the word “red” printed in blue ink instead of red ink), naming the color of the word takes longer and is more prone to errors than when the color of the ink matches the name of the color [33]. As shown in Fig. 2, this task is composed of a 5 × 5 grid. Each cell is formed by a colored background and by a written word of a color name, different from the background color. The colors used are five and the columns on which the test is performed are second and fourth. The task consists to read the first word written in the second column and tap the color corresponding to the word read in the same column and continue in this manner completing the column, and subsequently the fourth. Thus, the secret is made up of two indexes: one from the line (the written word) and one from the column (the cell background color). The task has two versions: • Fixed version: in each iteration the secret does not change (the row and column indexes are always the same) and the color grid does not change configuration between different runs. • Random version: in each iteration the secret does not change (the row and column indexes are always the same), however, the color grid is modified by the system in order to change the resolution of the task.

86

(a) Task configuration interface. (b) Starting screen of the task. On the bottom it is reported the No colored bubble have been sequence of colored bubbles the tapped yet. user has to tap.

R. Spolaor et al.

(c) Screen during execution of the task. The colored bubbles marked in black have been tapped by the user.

Fig. 3 Screens of Color Shades task

Task 3: Color Shades The Color Shades task prompts a screen with 24 colored bubbles (see Fig. 3). There are six colors (i.e., red, black, purple, green, blue and yellow) and for each of them there are four shades sortable by color vibrancy. The task consists in simultaneously order two shades of color: the first from lightest to darkest, and the second from the darkest to the lightest. This task is based on the principle of divided attention and task switching. Divided attention is the activity consisting of care at the same time to multiple classes of stimuli without that one of them is bound “in the background”, or perform two tasks simultaneously, delivering the attention on them [6]. Example of use of this attentional capacity is the dictation: we need to selectively perceive stimuli through the ear canal and, at the same time, translating them into graphic symbols that make up the writing. Task switching is the ability that involves alternation between two attentional fires: they should not be attentioned simultaneously (as in divided attention) but must quickly switch between them when the task requires. A test that typically detect the ability of task switching is the Trail Making Test B (TMT B) that consists to connect a series of numbered and lettered circles, alternating between the two sequences [13]. The Color Shades task proposed by us involves both divided attention and task switching. In fact, during the task, subject’s attention is focused alternately between ordering the shades of one color from the lightest to the darkest and ordering the other color from the darkest to the lightest.

You Are How You Play: Authenticating Mobile Users via Game Playing

87

3.2 Resilience to Random Guess Attack In this section, we discuss the resiliency of each task to random guess attacks. We designed the tasks described above to offer the user to select the sequence of taps to solve each task. This sequence of taps can be considered as the secret (i.e., the first factor) in our two-factors authentication system. In other words, such sequence is comparable to passwords or PIN used in traditional authentication system based on secret. Moreover, behavioral features (i.e., the second factor) are used to cope with smudge attacks and shoulder surfing attacks. Moles Game task—This task in composed of four rounds and for each round four moles with different colors pop up from their holes at the same time. Hence, there are 44 possible combinations of colors. This leads to a 0.39% of success for a random guess attack. Stoop Effect task—The secret for this task is given a starting cell and a direction (i.e., column or row) on a grid of 5 × 5 cells; this repeated for two rounds. For each round, we have 25 starting cells and two possible directions, hence 100 possible combination and a random guess of 1%. Color Shades task—In this task, the user can chose two colors out of the six available. An attacker has to guess both colors and shade variations (i.e., from light to dark, or vice versa), hence a total of 120 possible combinations and a 0.83% of random guess success.

3.3 Features Extraction In this section, we describe the features collected and the procedure of features extraction from each task. The data features we collect while a user is performing a task are categorized in three typologies: • Sensors features are features collected from built-in accelerometer and gyroscope sensors on smartphone. • Touch features are features that regard to user interaction with touch screen on smartphone. • Time features are features related to user performance in terms of reaction time and reflex in task solving. Sensors features are in common to all tasks and are in a form of time series, hence with variable length. In our analysis, we need vectors fixed length. For this reason we extract a fixed number of statistics from sensors features. For each time series given by a sensor axis (e.g., y-axis of accelerometer, z-axis of gyroscope), we produce an array made of statistics computed on such time series: maximum, minimum, mean and standard deviation. As sensors features, touch features are common to all tasks, but they are related to a specific items in a task (e.g., a mole in Moles Game task, a cell in Stroop Effect

88

R. Spolaor et al.

task). Similarly to keystrokes in a keyboard, a tap on touch-screen starts when a finger lies on screen surface (i.e., tap down) and ends when a finger detaches (i.e., tap up). Touch features take also into account the area of pressure, and the distance between a tap down coordinates and a tap up coordinates on the same item. Similarly to sensors features, we extract a fixed length vector with listed above statistics listed above for both x and y coordinates of touch-screen. Time features are common among tasks, but some features related to rounds are specific to a task mechanism. In fact, Color Shades task involves a single round, Stroop Effect task involves two rounds (i.e., two starting cells), while Moles Game involves four rounds. In case of a task of multiple rounds (e.g., Moles Game), we extract statistics vectors considering time features of rounds as element of a time series. Time features we take into account are: task overall duration, time between the beginning of a task and the first tap, single round duration, press time (i.e., time between a tap down and a tap up), flight time (i.e., time between a tap up and a tap down).

4 Experimental Results In this section, we report the details about our analysis and results of such analysis on the data collected. In Sect. 4.1, we provide demographic details about the participants involved in our experiments. Then, we describe the implementation details of our prototype in Sect. 4.2 and we present the details regarding the framework we developed for data analysis in Sect. 4.3. Finally, we report the results obtained from our analysis in Sect. 4.4.

4.1 Participants The sample of participants is composed of students from the University of Padua and consists of 60 participants (46 women, 14 men) aged between 20 and 30 years (Mean 23.6; Standard Deviation 1.7) and years of education comprised between 15 and 21 (Mean 17.6; Standard Deviation 1.0). All the participants are Italians. No reward for carrying out the experiment was provided and all participants gave written informed consent before and after the test run. Each task was performed by ten subjects. Each subject repeated the task for ten times in two different experimental sessions (i.e., one session on one day and the second the next day). A training session was performed before starting the experiment, to allow the subjects to familiarize with the task.

You Are How You Play: Authenticating Mobile Users via Game Playing

89

4.2 Tasks Implementation In this section, we give details about the implementation of the prototype that runs the tasks described in Sect. 3.1. We used Java programming language to develop the app that run the task for Android operating systems. We optimized the user interface for smartphones for portrait mode and we disable landscape mode. Since we designed the experiments to be carried out on two days, we had to implement a system to allow users to log with their credentials and take trace of their configurations (see Fig. 4a). For this reason, our prototype also includes on a web service, which collects data and manage participants’ accounts. We developed the interface of such web service in HTML and PHP, while we used MySQL as database management system. Moreover, our prototype app also prompts the user with detailed instructions (in written and visual format) to properly solve a task (see Fig. 4b). Regarding data collection, we relied on DELTA logging tool [4] for Android. While we used DELTA’s default plugings for sensors (i.e., accelerometer, gyroscope) and touch data, we developed an ad-hoc plugin for DELTA to log time features.

4.3 Framework for Data Analysis Our analysis framework aims to train a solid classifier for user authentication. In order to do so, we performed the following three steps: (i) data normalization; (ii)

(a) Log in form.

(b) Instruction to solve Stroop Effect task.

Fig. 4 Screens for implementation details of our prototype

90

R. Spolaor et al.

feature selection; and (iii) model selection. We implemented our analysis framework using scikit-learn [27] and scipy [5] libraries for Python. In particular, the former one provides useful tools for machine learning and data mining. Moreover, we perform these steps for each task separately. In what follows, we describe in detail each of the steps above. Data Normalization Since data involved in our analysis comes from different users, we have to normalize the samples in our dataset in order to be able to compare them. In order to do so, we apply normalization across the features extracted in the training set. In particular, we normalize each feature using MinMaxScaler method [27], which maps the values into an interval between 0 and 1. Feature Selection In this step of our analysis, we perform a selection of the most significant features for user authentication using our proposed tasks. We have to perform features selection since, as well known in data mining, a high number of features often leads to a phenomenon called “curse of dimensionality”. Due to this phenomenon, some features can lead to misclassification since they could result not significant for classification. In order to avoid such phenomenon, we measure the correlation of extracted features and the classes of our classification and select the features with a high correlation. To select the most promising features, we rely on analysis of variance (ANOVA). According to ANOVA, the variance in groups of data (i.e., classes) is given by the variance within the same group and the variance among groups. To select the most K significant features based on ANOVA, we rely on SelectKBest method [27]. For each proposed task in Sect. 3.1, we investigated the performance of classifier varying parameter K , in order to find the optimal number of features to select. Model Selection In our analysis, we chose a suitable model for classification taking into account different proposal in the state of the art of machine learning [23]. Since we aim to obtain a classifier for user authentication, given an example, we need our classifier to output a binary prediction: a tested sample has been generated or not by the target user. In order to determine the model which offers the best trade off between a wide hypothesis space and fitting time (i.e., the time needed to obtain a trained classifier), we used cross validation approach on our dataset. Cross validation is a method widely used for model selection and hyper-parameters tuning. This method is particularly useful on classification problems on dataset with a limited number of examples. Cross validation consists in an iterative subdivision of a set of examples into N subsets with approximately the same amount of elements. On each one of the N iterations, one subset becomes a validation set, while the remainder N − 1 subsets act as training set. In particular, in our analysis we used Leave-K-Out variant of cross validation, which we assumes for each iteration a single element N = number o f examples − K . In our analysis, we investigated the following classification models: Support Vector Machines (SVM) with Kernel functions, Decision Tree (DT), and K-Nearest Neighbor (k-NN) algorithms. We ran cross validation our dataset using a wide set of hyper-parameters for each of the above models. In particular, since we collected 150 examples (i.e., 15 for each user for a total of 10 users) per task configuration (see

You Are How You Play: Authenticating Mobile Users via Game Playing

91

Sect. 3.1), we run a “balanced” Leave-K-Out cross validation with K = {1, 2, 3}, where is referred to the number of examples of the target user in the test set. In practice, this means that for K = 2, the test set for a cross validation iteration will be composed of 2 positive examples (i.e., examples belonging to the target user) and 18 negative examples (i.e., examples belonging to the 9 non-target users). In the evaluation phase of each round of cross validation, we applied the features normalization on the test set according to the same instance of MinMaxScaler we used for the training set. While we achieved the best performance using k-NN with k = 1 and Euclidean distance, we obtained poor performance using SVN and DT. This difference in performance may be due to the type of hypothesis space offered by such models. We underline that another work identify k-NN as a good binary classifier for authentication [14, 32].

4.4 Results of the Analysis In this section, we analyze the results obtained from our analysis. First, in Sect. 4.4.1 we analyze the results of ANOVA on features extracted from each task (described in Sect. 3.3). Then, we report and discuss the classification results in Sect. 4.4.2.

4.4.1

Features Importance

Performing the ANOVA on the extracted features, we are able to measure the relevance of a feature on a specific task. In Fig. 5, we report the ANOVA results regrouping the features in the three types of features: touch, sensors and time. As we can notice, the features extracted from sensors are the most relevant for Moles Game (both fixed and random configurations) and Color Shades tasks. Regarding Stroop Effect task, the relevance of touch and sensors features is almost equal around the 50%. It is worth noting that time features only have a little significance (i.e., around the 5%) on Stroop Effect task with fixed configuration, while for all the other tasks it is close to zero. This is a clear evidence that we cannot authenticate a user relying on the timing of interactions in performing our tasks.

4.4.2

Classification Results

In Table 1, we report the results of our classification models for each task configuration. The results are the mean performance of the classifier in terms of False Acceptance Rate (FAR), False Rejection Rate (FRR), Accuracy and Equal Error Rate (EER). In second and third columns, we specify the number of positive and negative examples used in the dataset for the cross validation (as discussed in Sect. 4.3).

92

R. Spolaor et al.

Fig. 5 Significance of sensor, touch and time features

Moreover, in the last column we report the number of features considered to obtain such results. As we can notice from Table 1, The best task suitable for user authentication is Stroop Effect task with random configuration, which has an EER = 1.38% (i.e., FAR = 0% and FRR = 2.77%) and an accuracy of 97%. Given an analysis on the number of positive examples (i.e., belonging to the target user), we can notice that increasing positive examples we are able to improve accuracy and lower down EER for almost all tasks (Stroop Effect with random configuration remains constant). This incremental improvement given by an increasing number of positive examples is encouraging for further work on cognitive games for user authentication. As far as concern the two-factors authentication of our proposal, the results are comparable with state-of-the-art two-factors authentication methods. Considering fixed configuration tasks, which are similar to the ones proposed in the literature, we achieve an EER ≤ 4.72 (with 30 positive examples). This results are in line with other proposals in the literature, but the one in [14], which achieves an excellent EER = 0.08%.

5 Conclusions In this paper, we presented a novel two-factors authentication method on smartphones based on cognitive games. At the best of our knowledge, we are the first that investigated a possible application of cognitive games as a user authentication meth-

10 20 30 10 20 30 10 20 30 10 20 30 10 20 30

Moles game (fixed config.)

Color shades

Stroop effect (random config.)

Stroop effect (fixed config.)

Moles game (random config.)

Number of positive examples

Tasks

135 135 135 135 135 135 135 135 135 135 135 135 135 135 135

Number of negative examples 9.44 9.44 9.44 15.55 15.55 14.40 7.22 5.55 6.11 0.00 0.00 0.00 3.33 0.00 0.00

FAR (%)

10.00 10.00 0.00 3.33 0.00 0.00 3.33 5.00 0.00 2.77 2.77 2.77 11.11 11.11 11.60

FRR (%)

90.50 90.50 91.00 86.00 86.00 91.00 93.00 94.00 94.00 97.00 97.00 97.00 90.00 90.00 88.00

Accuracy (%)

Table 1 Mean performance in user authentication in terms of FAR, FRR, Accuracy and EER for each task configuration

9.72 9.72 4.72 9.44 7.77 7.22 5.27 5.27 3.05 1.38 1.38 1.38 7.22 5.55 5.83

EER (%)

40 40 40 40 40 40 50 50 50 50 50 50 60 60 60

Number of features selected

You Are How You Play: Authenticating Mobile Users via Game Playing 93

94

R. Spolaor et al.

ods through behavioral biometric. We proposed three tasks based on user cognitive abilities: Moles Game, Stroop Effect, and Color Shades tasks. As far as concern the first factor in two-factors authentication (i.e., the secret), we designed such tasks in order to obtain a good trade-off between usability and resiliency to random guess attacks (at most 1%). For each task, we fully implemented a prototype for Android and we carried out extensive experiments to collect data from participants. From the analysis of data, we obtained significant insights. We assessed that our proposed tasks are effective to trigger user specific behavioral patterns (i.e., the second factor in two-factors authentication). We extracted such behavioral patterns from touch and sensors data collected while a user is solving a task. Among the proposed tasks, Stroop effect task with random configuration is the task in which our system achieves the best performance, achieving an accuracy of 97% and an EER of 1.36%. In the light of such results, we can state that the performance of our system are comparable with other state-of-the-art two-factors authentication methods. The results of our analysis was also useful to learn a lesson about users’ cognitive ability in authentication. We argue that it is not possible to discriminate a user only relying on her performance (i.e., time features) solving the proposed cognitive games. As a clear evidence, ANOVA results revealed a low correlation between user and time features. Regarding the usability of our proposal in terms of time required to solve a task, in our experiments users spend an average time of 2 seconds on Moles Game task, 8 seconds on Stroop Effect task, and 4 seconds on Colors Shades task. Being a twofactors authentication system, we argue that such amount of time is acceptable. We also observed that for most of tasks, increasing the number of repetition by a user, thus increasing the positive examples provided to the classifier, we achieve a progressive reduction of EER. This encourage us to proceed with further investigations. Acknowledgements Mauro Conti is supported by a Marie Curie Fellowship funded by the European Commission (agreement PCIG11-GA-2012-321980). This work is also partially supported by the EU TagItSmart! Project (agreement H2020-ICT30-2015-688061), the EU-India REACH Project (agreement ICI+/2014/342-896), “Physical-Layer Security for Wireless Communication”, and “Content Centric Networking: Security and Privacy Issues” funded by the University of Padua. This work is partially supported by the grant n. 2017-166478 (3696) from Cisco University Research Program Fund and Silicon Valley Community Foundation. This work is also partially funded by the project CNR-MOST/Taiwan 2016–17 “Verifiable Data Structure Streaming”.

References 1. Alexander DL, Alina H, Frederik B, Christian L, Heinrich H (2012) Touch me once and i know its you! implicit authentication based on touch screen patterns. In: Proceedings of the SIGCHI conference on human factors in computing systems. ACM, pp 987–996 2. Christien K, Martin SO (2012) Gamifying authentication. In: 2012 Information security for South Africa. IEEE, pp 1–8 3. Clarke NL, Furnell SM (2007) Authenticating mobile phone users using keystroke analysis. Int J Inf Secur 6(1):1–14

You Are How You Play: Authenticating Mobile Users via Game Playing

95

4. Conti M, Santo ED, Spolaor R (2016) Delta: data extraction and logging tool for android. arXiv:1609.02769 5. S. developers (2016) scipy documentation 6. Di Nuovo S (2006) La valutazione dell’attenzione. Dalla ricerca sperimentale ai contesti applicativi, vol 284. FrancoAngeli 7. Elaine S, Yuan N, Markus J, Richard C (2011) Implicit authentication through learning user behaviour. Springer International Publishing 8. Emanuel VZ, Anton K, Alexander DL, Heinrich H (2013) Making graphic-based authentication secure against smudge attacks. In: Proceedings of the 2013 international conference on Intelligent user interfaces. ACM, pp 277–286 9. Emiliano M, Alexander V, Suhrid B, Romit Roy C (2012) Tapprints: your finger taps have fingerprints. In: Proceedings of the 10th international conference on mobile systems, applications, and services. ACM, pp 323–336 10. Emmanuel O, Jun H, Sauvik D, Adrian P, Joy Z (2012) Accessory: password inference using accelerometers on smartphones. In: Proceedings of the twelfth workshop on mobile computing systems and applications. ACM 11. Frode Eika S, Xiaoli Z (2012) User identification based on touch dynamics. In: 2012 9th international conference on Ubiquitous intelligence and computing and 9th international conference on autonomic and trusted computing (UIC/ATC) 12. Frdric B, Jean-Franois B, Corinne F, Guillaume G, Sylvain M (2004) A tutorial on textindependent speaker verification. EURASIP J Appl Signal Proc 430–451:2014 13. Giovagnoli AR, Del Pesce M, Mascheroni S, Simoncelli M, Laiacona M, Capitani E (1996) Trail making test: normative values from 287 normal adult controls. Ital J Neurol Sci 17(4):305–309 14. Giuffrida C, Majdanik K, Conti M, Bos H (2014) I sensed it was you: authenticating mobile users with sensor-enhanced keystroke dynamics. Springer International Publishing 15. Hugo G, Sebastian U, Christopher W (2014) Continuous authentication on mobile devices by analysis of typing motion behavior. In: Proceedings GI SICHERHEIT 2014. CiteSeerX 16. Kennedy E, Millard C (2016) Data security and multi-factor authentication: analysis of requirements under eu law and in selected eu member states. Comput Law Secur Rev 32:91–110 17. Liang C, Hao C (2011) Touchlogger: inferring keystrokes on touch screen from smartphone motion. In: Proceedings of the sixth USENIX workshop on hot topics in security. USENIX, p 9 18. Lingjun L, Xinxin Z, Guoliang X (2013) Unobservable re-authentication for smartphone. In: Proceedings of the 20th network and distributed system security symposium 19. Lingjun L, Xinxin Z, Guoliang X (2013) Unobservable reauthentication for smartphones. In: NDSS’13. Internet Society 20. Mario F, Ralf B, Eugene M, Ivan M, Dawn S (2012) Touchanalytics: on the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE Trans Inf Forens Secur 8(1):136–148 21. Matthias T, Frank O (2012) Biometric authentication through a virtual keyboard for smartphones. Int J Comput Sci Inf Technol 4(5) 22. Michael S, Gradeigh C, Yulong Y, Shridatt S, Arttu M, Janne L, Antti O, Teemu R (2014) Usergenerated free-form gestures for authentication: security and memorability. In: Proceedings of the 12th annual international conference on mobile systems, applications, and services. ACM, pp 176–189 23. Michalski RS, Carbonell JG, Mitchell TM (2013) Machine learning: an artificial intelligence approach 24. Moskovitch R, Feher C, Messerman A, Kirschnick N, Mustafic T, Camtepe A, Lohlein B, Heister U, Moller S, Rokach L et al (2009) Identity theft, computers and behavioral biometrics. In: IEEE international conference on intelligence and security informatics, 2009 ISI’09. IEEE, pp 155–160 25. Nan Z, Kun B, Hai H, Haining W (2014) You are how you touch: user verification on smartphones via tapping behaviors. In: 2014 IEEE 22nd international conference on network protocols. IEEE, pp 221–232

96

R. Spolaor et al.

26. Jonathon PP, Ross BJ, Bruce AD, Geof G (2011) An introduction to the good, the bad, & the ugly face recognition challenge problem. In: 2011 IEEE international conference on automatic face & gesture recognition and workshops (FG 2011). IEEE, pp 346–353 27. Pedregosa F, Varoquaux G, Gramfort A, Michel V, Thirion B, Grisel O, Blondel M, Prettenhofer P, Weiss R, Dubourg V, Vanderplas J, Passos A, Cournapeau D, Brucher M, Perrot M, Duchesnay E (2011) Scikit-learn: machine learning in python. J Mach Learn Res 12:2825–2830 28. Sasse MA, Brostoff S, Weirich D (2001) Transforming the weakest linka human/computer interaction approach to usable and effective security. BT Technol J 19(3):122–131 29. Saurabh S, Madhavi S (2013) Pattern construction by extracting user specific features in keystroke authentication system. In: 2013 4th international conference on computer and communication technology (ICCCT). IEEE, pp 181–184 30. Shahzad M, Liu AX, Samuel A (2013) Secure unlocking of mobile touch screen devices by simple gestures: you can see it but you can not do it. In: Proceedings of the 19th annual international conference on mobile computing & networking. ACM, pp 39–50 31. Sharp H, Rogers Y, Preece J (2007) Interaction design: beyond human-computer interaction 32. Stanciu V-D, Spolaor R, Conti M, Giuffrida C (2016) On the effectiveness of sensor-enhanced keystroke dynamics against statistical attacks. In: Proceedings of the sixth ACM conference on data and application security and privacy. ACM, pp 105–112 33. Stroop JR (1935) Studies of interference in serial verbal reactions. J Exp Psychol 18(6):643 34. Weizhi M, Wenjuan L, Duncan SW, Jianying Z (2016) TMGuard: a touch movement-based security mechanism for screen unlock patterns on smartphones. Springer International Publishing 35. Zhi X, Kun B, Sencun Z (2012) Taplogger: inferring user inputs on smartphone touchscreens using on-board motion sensors. In: Proceedings of the fifth ACM conference on security and privacy in wireless and mobile networks. ACM, pp 113–124

Fuzzy Authentication Using Rank Distance Alessandro Neri, Joachim Rosenthal and Davide Schipani

Abstract Fuzzy authentication allows authentication based on the fuzzy matching of two objects, for example based on the similarity of two strings in the Hamming metric, or on the similiarity of two sets in the set difference metric. Aim of this paper is to show other models and algorithms of secure fuzzy authentication, which can be performed using the rank metric. A few schemes are presented which can then be applied in different scenarios and applications.

1 Introduction Recent years have seen a lot of research around the problem of authentication using approximate matching under a certain metric of similarity, while still enabling a secure storage of sensible authentication data. The typical, but not the only scenario, where such a system is needed, is in the use of biometric features, like fingerprints, for authentication purposes. Several models have been proposed that may be more appropriate for different applications. For example the fuzzy commitment scheme [8] models data as bit strings and compares strings in the Hamming metric; the fuzzy vault [7] models data as sets of elements and compares sets in the set difference metric. In this paper we present fuzzy authentication schemes using the rank metric by generalizing the schemes mentioned above for other model scenarios and highlighting possible applications. The structure of the paper is the following. Section 2 recalls some mathematical concepts and definitions concerning rank metric codes and linearized polynomials. Section 3 presents the fuzzy commitment scheme in the rank A. Neri (B) · J. Rosenthal · D. Schipani Institute of Mathematics, University of Zurich, Winterthurerstr. 190, 8057 Zurich, Switzerland e-mail: [email protected] J. Rosenthal e-mail: [email protected] D. Schipani e-mail: [email protected] © Springer International Publishing AG 2018 M. Baldi et al. (eds.), Proceedings of the 2nd Workshop on Communication Security, Lecture Notes in Electrical Engineering 447, DOI 10.1007/978-3-319-59265-7_7

97

98

A. Neri et al.

distance, a model whereby the tolerance needed in the authentication is not based on the number of different bits between two strings but on the similarity of two matrices, more precisely on the rank of their difference. Section 4 is devoted to a fuzzy vault scheme using linearized polynomials, which relates the set difference with the rank metric. The scheme is an alternative to the standard fuzzy vault based on Reed-Solomon decoding. Section 5 gives hints on possible applications and model scenarios of the schemes presented in the previous sections.

2 Rank Metric Codes and Linearized Polynomials Let q be a prime power and let Fq denote the finite field with q elements. Recall that Fq m is isomorphic (as a vector space over Fq ) to the vector space Fqm . One then easily obtains the isomorphic description of matrices over the base field Fq as vectors over the extension field, i.e. Fqm×n ∼ = Fqn m . Definition 1 The rank distance d R on Fqm×n is defined by d R (X, Y ) := rk(X − Y ),

X, Y ∈ Fqm×n .

In the same way it is possible to define the rank distance between two elements x, y ∈ Fqn m as the rank of the difference of the respective matrix representations in Fqm×n . A rank metric code C is a subset of Fqm×n (or Fqn m ) equipped with the rank distance. The minimum distance of a rank metric code C is the quantity d R (C ) := min {d R (u, v) | u, v ∈ C , u = v} . We can define special classes of rank metric codes introducing linearity. An Fq m -linear rank metric code of dimension k is a rank metric code that is also a k-dimensional subspace of the Fq m -vector space Fqn m . An Fq -linear rank metric code of dimension k  is a rank metric code that is also a k  -dimensional subspace of the Fq -vector space Fqn m ∼ = Fqm×n . Observe that an Fq m -linear rank metric code of dimension k is also an Fq -linear code of dimension mk. We will use the notation [n, k, d]-code for a k-dimensional Fq m -linear code with minimum distance d, and [nm, k  , d  ]-code for a k  -dimensional Fq -linear code with minimum distance d  . Theorem 1 (Singleton-like Bound) Let C ⊆ Fqm×n be a rank metric code. Then   |C | ≤ min q m(n−d+1) , q n(m−d+1) .

Fuzzy Authentication Using Rank Distance

99

Proof See [5], or [14, Theorem 1]. Definition 2 Codes attaining the Singleton-like bound are called Maximum Rank Distance (MRD) Codes. When n ≤ m a class of codes attaining the Singleton-like bound was first proposed in [5] and then generalized in [9]. These codes are Fq m -linear rank metric codes. Let (v1 , . . . , vn ) ∈ Fqn m be a vector, we denote the k × n s-Moore matrix by ⎛ ⎜ ⎜ Ms,k (v1 , . . . , vn ) := ⎜ ⎝

v1 v1[s] .. .

v2 v2[s]

... ...

vn vn[s] .. .

⎞ ⎟ ⎟ ⎟, ⎠

v1[s(k−1)] v2[s(k−1)] . . . vn[s(k−1)] where [i] := q i . Definition 3 Let g1 , . . . , gn ∈ Fq m be linearly independent over Fq and let s be coprime to m. We define a generalized Gabidulin code C ⊆ Fqn m of dimension k as the linear block code with generator matrix Ms,k (g1 , . . . , gn ). Using the isomorphic matrix representation we can interpret C as a matrix code in Fqm×n . These codes are optimum for rank distance, since they are [n, k, n − k + 1]-codes. Moreover, for this class of codes there exist polynomial-time decoding algorithms 

, [10, 13, 17]. decoding up to their error-correcting capability t = n−k 2 Observe that when s = 1, this definition of Gabidulin codes is the q-analog of Reed-Solomon codes with the Hamming distance. Here, a set of distinct elements j is replaced by a set of linearly independent elements, and the power gi is replaced [ j] by the Frobenius power gi . Reed-Solomon codes can also be seen as evaluation of polynomials of degree less than k in n distinct points. We can give a q-analog of this interpretation for Gabidulin codes, as evaluation of linearized polynomials in n linearly independent elements. Definition 4 A linearized polynomial over Fq m is a polynomial f (x) ∈ Fq m [x]/ m (x q − x) of the form m−1 f i x [i] . i =0

We denote by Lm (Fq m ) the space of linearized polynomials over Fq m . Let Gk,s ⊆ Lm (Fq m ) be the set defined as   Gk,s := f 0 x + f 1 x [s] + · · · + f k−1 x [s(k−1)] | f i ∈ Fq m .

100

A. Neri et al.

Proposition 1 Let g1 , . . . , gn ∈ Fq m be linearly independent over Fq and let s be an integer coprime to m. Let moreover C be the generalized Gabidulin code whose generator matrix is Ms,k (g1 , . . . , gn ). Then   C = ( f (g1 ), f (g2 ), . . . , f (gn )) | f ∈ Gk,s . From now on we will write Gk,s (g1 , . . . , gn ) for such a code. For many years Gabidulin codes have been the only known MRD codes over Fq m . Recently some construction of non-Gabidulin MRD codes have been discovered [2, 3], but many of these codes are not linear over Fq m . Some constructions of linear non-Gabidulin MRD codes can be found in [6] and as a special class of the codes presented in [16]. Although there are few known constructions of MRD codes, it was shown in [12] that most linear rank metric codes are MRD and that Gabidulin codes are only a small franction among the MRD codes.

3 Fuzzy Commitment Scheme with the Rank Distance In 1999 Juels and Wattenberg [8] proposed a fuzzy commitment scheme to allow fuzzy authentication with secure storage of biometric data in binary form. In [15] the authors revisited the scheme in the setting of an arbitrary finite field by focusing on implementations and security concerns. In [1] they proposed a dual version of the scheme, called fuzzy syndrome hashing, featuring some advantages in terms of security and use of iterative decoding. In [4] they presented scenarios involving burst error correction and higher dimensional data. Here we are going to describe a new fuzzy commitment scheme using the rank metric. In a following section about applications, we will describe a few scenarios where this scheme can be applied. In our authentication model, we wish to consider two vectors b, b ∈ Fqn m (or, equivalently, their matrix representations B, B  ∈ Fqm×n ) as belonging to the same person or entity as long as their rank distance is less than a certain predetermined threshold. And for security concerns we do not want to store vectors (or matrices) unencrypted. Suppose now that we have a rank metric code C ⊆ Fqn m whose minimum distance is d = 2t + 1 and assume there exists an efficient algorithm for decoding up to t errors. Let h : Fqm×n → Fqm×r be a collision resistant hash function, i.e. such that it is not feasible to compute an u ∈ h −1 (v) for any v ∈ Fqm×r . Observe that a hash function h  : Fqn m → Frq m can be defined starting from h, as the diagram

Fuzzy Authentication Using Rank Distance

c Fqm×n

Fqn m

101 h

Fqm×r

h

Frq m

shows. As in the standard fuzzy commitment scheme, we select at random a codeword cb ∈ C and we store the tuple (l, h(cb )) where l = b − cb . This scheme is essentially the analogue of the standard fuzzy commitment with the difference that we use rank metric codes instead of Hamming codes. Analogously as in [15] one can show the following result. Theorem 2 If b ∈ Fqn m can be chosen uniformly over the entire ambient space Fqn m , then computing b ∈ Fqn m from the stored data (l, h(cb )) is computationally equivalent to invert the restricted hash function h |C : C −→ Frq m .

4 A Linearized Polynomial Fuzzy Vault Scheme The polynomial fuzzy vault (PFV) scheme was introduced in [7] and allows fuzzy authentication in the set-difference metric. In [11] the authors proposed a fuzzy vault scheme using codes in another metric, relating the set difference with the subspace distance on the set of Grassmanians. The PFV scheme can also be generalized in a natural way using linearized polynomials and codes over the rank metric as follows. First, we make the following assumption about the set of features used for authentication, both the set initially used to build the vault and the one submitted later for authentication. Assumption 1 Assume that the set of features ( A or W in the following) is given by n Fq -linearly independent elements in Fq n , i.e. it is an Fq -basis for Fq n . This is usually not a restrictive assumption given the following result: Lemma 1 If the features are chosen with uniform distribution, then Assumption 1 is satisfied with probability n−1

n−1 (q n − q i ) ≥ (1 − q i−n ). n − i) (q i =0 i =0

102

A. Neri et al.

Proof The number of Fq -basis of Fq n is  n Fq n with cardinality n is qn .

n−1

i = 0 (q

n

−q i )

n!

, while the number of subsets of

Now, let  < n be two positive integers and let 0 < s < n be another integer coprime with n. Let (k0 , . . . , k−1 ) ∈ Fq n be the secret key and κ(x) = k0 x + k1 x [s] + · · · + k−1 x [s(−1)] ∈ Ln (Fq n ) be the corresponding linearized polynomial. Consider a set of features A = {g1 , . . . , gn } ⊆ Fq n given by n Fq -linearly independent elements. Choose a random map λ : Fq n −→ Fq n such that λ(x) = κ(x) for all x ∈ B, where B = Fq n  A. Following the classical PFV scheme, we define the sets Pauth = {(x, κ(x)) | x ∈ A} , Pcha f f = {(x, λ(x)) | x ∈ B} , V = Pauth ∪ Pcha f f . Pauth is called set of authentic points, Pcha f f is the set of chaff points, and V is called set of vault points. The last ingredients of the fuzzy vault scheme are the code C = G,s (g1 , . . . , gn ) and an error correction decoding algorithm for C . For our constructions of the Linearized Polynomial Fuzzy Vault (LPFV), it is convenient to consider a Gabidulin code as a code whose codewords consist of evaluations of a linearized polynomial f ∈ G,s over any set of n linearly independent n , elements in Fq n . Concretely, we think of a codeword as a set of pairs {(gi , yi )}i=1 where gi ∈ Fq n , are linearly independent over Fq , and yi = f (gi ), for a linearized polynomial f ∈ G,s . In this framework, suppose that a witness attempts to gain access to the key, and submits a set of features W ⊂ Fq n . Given Assumption 1, if Z ⊆ V is the subset of vault points (x, y) with x ∈ W , we can consider the Fq -linear map L Z : Fq n −→ Fq n such that L Z (x) = y for all (x, y) ∈ Z . Now, think of the received word c as consisting of the set of pairs {(gi , L Z (gi ))}in= 1 , for gi ∈ A. The secret codeword of the LPFV scheme is instead c, given by the set of pairs {(gi , κ(gi ))}in= 1 . With this notation it is easy to see that d R (c, c ) = rk(κ − L Z ). The following results relate the rank distance with the set difference, showing that the rank metric can be a good approximation of the set-difference metric. Let dΔ (A, W ) := |(A\W ) ∪ (W \A)| denote the set-difference between A and W .

Fuzzy Authentication Using Rank Distance

103

Proposition 2 In the setting of the LPFV scheme, suppose that the values λ(x), for x ∈ B are chosen at random uniformly and independently in Fq n  {κ(x)}. Then 1. 2d R (c, c ) ≤ dΔ (A, W ). 2. Let 0 ≤ u ≤ n be an integer. Then

(q n − q i )   n−u−1 Pr 2d R (c, c ) = dΔ (A, W ) | |A ∩ W | = u = = 1 + O(q −u−1 ). (q n − 1) i =0

Proof 1. Let W be the set of features submitted, and let u = |A ∩ W |. Then we have dΔ (A, W ) = 2n − 2|A ∩ W | = 2n − 2u. Consider now the Fq -linear map L Z : Fq n −→ Fq n such that L Z (x) = y for (x, y) ∈ Z . The set of first coordinates of Z is an Fq -basis of Fq n and the linear map κ − L Z is 0 on A ∩ W . Therefore d R (c, c ) = rk(κ − L Z ) ≤ n − u =

dΔ (A, W ) . 2

2. Since the λ(x), for x ∈ B, are chosen at random uniformly and independently in Fq n  {κ(x)}, then the values (L Z − κ)(x), for x ∈ W  (A ∩ W ), are chosen at random uniformly and independently in Fq n  {0}. Furthermore, the condition 2d R (c, c ) = dΔ (A, W ) is equivalent to the condition that the values (L z − κ)(x), for x ∈ W  (A ∩ W ), are linearly independent. Hence,     n×(n−u) | rk(A) = n − u   A ∈ Fq   Pr 2d R (c, c ) = dΔ (A, W ) | |A ∩ W | = u = . (q n − 1)(n−u)

Theorem 3 Under the same hypothesis of Proposition 2, the following statements hold.

 1. If dΔ (A, W ) ≤ 2 n− , then the vault recovers the key κ(x). 2 2.   Pr 2d R (c, c ) = dΔ (A, W ) = 1 + O(q −1 ).

 Proof 1. By Proposition 2 we have 2d R (c, c ) ≤ dΔ (A, W ) ≤ 2 n− . Therefore 2 we are within the error-correction capability and we can correctly obtain the codeword c, andhence the key κ(x).  2. We can write Pr 2d R (c, c ) = dΔ (A, W ) as n

  Pr 2d R (c, c ) = dΔ (A, W ) | |A ∩ W | = u Pr {|A ∩ W | = u}

u =0 n   1 + O(q −u−1 ) Pr {|A ∩ W | = u} =

=

u =0 n u =0

  1 + O(q −1 ) Pr {|A ∩ W | = u}

104

A. Neri et al. n   = 1 + O(q −1 ) Pr {|A ∩ W | = u} u =0

= 1 + O(q −1 ). Remark 1 Probabilistic results in Proposition 2 and Theorem 3 do not depend on the probability distribution of the choice of the features. We are only assuming that our construction of the Linearized Polynomial Fuzzy Vault is made by choosing at random uniformly and independently the values λ(x) for x ∈ B.

4.1 Generalization of the LPFV Scheme In our construction of the LPFV we considered Gabidulin codes of length n over Fq n . The motivation is that given a set of features W satisfying Assumption 1, the map L Z : Fq n → Fq n is uniquely determined, and hence also the received word c . We can generalize our LPFV considering Gabidulin codes of length n over the field Fq m , where n < m, but we need to define the map L Z in a suitable way. Before explaining how to construct L Z , we can observe that an analogue of Lemma 1 holds and it can be proved in the same way, but in this case the probability that the set of features is made of linearly independent elements is equal to n−1

(q m − q i ) = 1 + O(q −1−m+n ). m − i) (q i =0 Now, let W and A be the Fq -subspaces of Fq m spanned respectively by W and A. First, we can observe that, in order to build the received word c as the set {(gi , L Z (gi ))}in= 1 , we only need to define the map L Z on A . We propose the following construction. We first define the application L Z on W as L Z (x) = y for all (x, y) ∈ Z . Then we complete W to a basis B of A + W , by adding the elements gi in increasing i order with respect to the indices i. For those gi , we set L Z (gi ) = κ(gi ) + α q , where  i m−1 α ∈ Fq m and α q is a normal basis of Fq m as an Fq -vector space. i =0 In this way, our map is uniquely determined on A + W , and in particular on A . Let again c be the codeword given by the set of pairs {(gi , κ(gi ))}in= 1 . With this notation it is easy to see that d R (c, c ) = rk(κ − L Z )|A ≤ rk(κ − L Z ). The following results are the analogues of Proposition 2 and Theorem 3, and they relate the rank distance of c and c with the set difference of A and W .

Fuzzy Authentication Using Rank Distance

105

Proposition 3 In the setting of the generalized LPFV scheme, suppose that the values λ(x), for x ∈ B, are chosen at random uniformly and independently in Fq m  {κ(x)}. 1. Let the subspace distance be d S (A , W ) := dimFq (A ) + dimFq (W ) − 2 dimFq (A ∩ W ). Then d S (A , W ) ≤ 2d R (c, c ) ≤ d S (A , W ) + 2 rk(κ − L Z )|A ∩W ≤ dΔ (A, W ). 2. Let 0 ≤ u ≤ v ≤ n be two integers. Then

(q m − q i )   n−u−1 Pr 2d R (c, c ) = dΔ (A, W ) | |A ∩ W | = u, dim(A ∩ W ) = v = . qm − 1 i = n−v

Proof 1. Following the construction of the map L Z , we can write the subspace A as the direct sum of A ∩ W and the subspace A, where A = gi | i ∈ I  and I ⊂ {1, . . . , n} with |I | = n − dimFq (A ∩ W ). Therefore we can write rk(κ − L Z )|A ≤ rk(κ − L Z )|A ≤ rk(κ − L Z )|A + rk(κ − L Z )|A ∩W .

(1)

Let r = dimFq (A). By definition of the L Z , we have i1

ir

rk(κ − L Z )|A = rk(α q , . . . , α q ). i

By construction {α q }im−1 = 0 is a normal basis of Fq m over Fq , and hence we can conclude that rk(κ − L Z )|A = r = dimFq (A) = n − dimFq (A ∩ W ) =

d S (A , W ) . 2

Substituting this equation in (1) we obtain the first two inequalities. For the last inequality we notice that the map (κ − L Z )|A ∩W is 0 on |A ∩ W |, and therefore rk(κ − L Z )|A ∩W ≤ dimFq (A ∩ W ) − |A ∩ W |. Hence we can conclude that d S (A , W ) + 2 rk(κ − L Z )|A ∩W ≤ 2n − 2|A ∩ W | = dΔ (A, W ). 2. Let u = |A ∩ W |, v = dim(A ∩ W ). Then we can write   W = u 1 , . . . , u n−v , wn−v+1 , . . . , wn−u , g j1 , . . . , g ju , / A for i = 1, . . . , n − v and wi ∈ A  A for i = n − v + 1, . . . , n − where u i ∈ u. Therefore 2 rk(κ − L Z )|A = 2n − 2v, and the condition

106

A. Neri et al.

rk(κ − L Z )|A = rk(κ − L Z )|A + rk(κ − L Z )|A ∩W = n − u is equivalent to the condition i1

rk(α q , . . . , α q

i n−v

, (κ − L Z )(wn−v+1 ), . . . , (κ − L Z )(wn−u )) = n − u.

By hypothesis the values (L Z − κ)(wi ), for i = n − v + 1, . . . , n − u are chosen at random uniformly and independently in Fq m  {0}, and we can conclude that the probability we are looking for is equal to    A ∈ Fm×(v−u) | rk(A | X ) = n − u  q (q m − 1)(v−u)

, i

where X is the matrix representation over Fq of the vector (α q 1 , . . . , α q Since

  n−u−1  A ∈ Fm×(v−u) | rk(A | X ) = n − u  = (q m − q i ), q

i n−v

).

i = n−v

this concludes the proof. Theorem 4 Under the same hypothesis of Proposition 3, the following statements hold.

 1. If dΔ (A, W ) ≤ 2 n− , then the vault recovers the key κ(x). 2 2.   Pr 2d R (c, c ) = dΔ (A, W ) = 1 + O(q −1−m+n ). Proof 1. The proof is essentially the same as the proof of Theorem 3.1, using Proposition 3.1. 2. In order we introduce the events Du = {|A  to simplify the notation   ∩ W | = u}, for 0 ≤ u, v ≤ n, and X = 2d R (c, c ) = E v = dimFq (A ∩ W ) = v dΔ (A, W )}. Then we have Pr {X } =



Pr {X | Du ∩ E v } Pr {Du ∩ E v }

0≤u≤v≤n

=

  1 + O(q −1−m−u+n ) Pr {Du ∩ E v }

0≤u≤v≤n

=

  1 + O(q −1−m+n ) Pr {Du ∩ E v }

0≤u≤v≤n

  Pr {Du ∩ E v } = 1 + O(q −1−m+n ) 0≤u≤v≤n

= 1 + O(q

−1−m+n

).

Fuzzy Authentication Using Rank Distance

107

Remark 2 Suppose one wants to use a generalized LPFV scheme with n genuine features, and suppose moreover that a field Fq and an extension field Fq m , with m ≥ n, are given. By part 2 of Theorem 4 we can see that the bigger is m the better is the approximation of the set difference with the rank distance. On the other hand, increasing m implies an increase of the computational cost of the operations. Then one can choose the best m based on the application and the particular requirements of the context.

5 Applications The schemes presented above can be applied in several scenarios for different purposes. In this section we would like to give just a few examples. One scenario for the fuzzy commitment scheme in the rank metric is the following. Suppose B is the matrix used to create the stored tuple and imagine it as an image. It may happen for some reason that B gets somehow damaged in a way that a few rows (or columns) are erased or anyway not the same as before. One can then authenticate with the new matrix B  as long as not too many rows (or columns) are different. In another situations the matrix B may be slightly changed into B  by having all elements increased by a common error, and again the difference between the two matrices is a matrix of low rank, exactly 1 in this case. Another scenario involves a multi-factor authentication problem. Suppose that in order to perform authentication one needs a large number of conditions fulfilled, namely imagine a matrix with a large number of columns whereby condition number i is fulfilled whenever column number i equals a predetermined vector vi . If you want to allow authentication as long as a certain big enough number of conditions are satisfied, then the fuzzy commitment scheme in the rank metric can be used. Indeed having two matrices A and A that both satisfy a certain condition corresponds to a zero column in the difference A − A which directly affects the rank distance between the two. Applications for the linearized polynomial fuzzy vault scheme overlap with those of the standard fuzzy vault, i.e. we are considering authentication based on the set difference metric. It may be preferable to use the linearized version and decoding in the rank metric for certain choices and combinations of parameters which are usually dependent on the application. Also, the use of linear maps may be preferred for certain implementations. Acknowledgements The authors were supported by Swiss National Science Foundation grant n.169510.

108

A. Neri et al.

References 1. Baldi M, Bianchi M, Chiaraluce F, Rosenthal J, Schipani D (2011) On fuzzy syndrome hashing with LDPC coding. In: 4th International symposium on applied sciences in biomedical and communication technologies (ISABEL). ACM, pp 1–5 2. Cossidente A, Marino G, Pavese F (2016) Non-linear maximum rank distance codes. Des Codes Cryptogr 79(3):597–609 3. de la Cruz J, Kiermaier M, Wassermann A, Willems W (2016) Algebraic structures of MRD codes. Adv Math Commun 10:499–510 4. Fontein F, Marshall K, Rosenthal J, Schipani D, Trautmann A-L (2012) On burst error correction and storage security of noisy data. In: 20th International symposium on mathematical theory of networks and systems (MTNS), pp 1–7 5. Gabidulin EM (1985) Theory of codes with maximum rank distance. Probl Pereda Inf 21(1):3– 16 6. Horlemann-Trautmann A, Marshall K (2017) New criteria for MRD and gabidulin codes and some rank-metric code constructions. In: Advances in mathematics of communications. arXiv:1507.08641, (to appear) 7. Juels A, Sudan M (2006) A fuzzy vault scheme. Des Codes Cryptogr 38(2):237–257 8. Juels A, Wattenberg M (1999) A fuzzy commitment scheme. In: 6th ACM conference on computer and communications security, CCS’99, pp 28–36 9. Kshevetskiy A, Gabidulin E (2005) The new construction of rank codes. Int Symp Inf Theory (ISIT) 2005:2105–2108 10. Loidreau P (2006) A Welch–Berlekamp like algorithm for decoding gabidulin codes. In: Coding and cryptography. Springer, pp 36–45 11. Marshall K, Schipani D, Trautmann A-L, Rosenthal J (2016) Subspace fuzzy vault. In: Physical and data-link security techniques for future communication systems. Springer, pp 163–172 12. Neri A, Horlemann-Trautmann A-L, Randrianarisoa T, Rosenthal J (2017) On the genericity of maximum rank distance and gabidulin codes. Designs Codes and Cryptography, pp. 1–23. doi:10.1007/s10623-017-0354-4 13. Richter G, Plass S (2004) Error and erasure decoding of rank-codes with a modified BerlekampMassey algorithm. In: ITG FACHBERICHT, pp 203–210 14. Roth R (1991) Maximum-rank array codes and their application to crisscross error correction. IEEE Trans Inf Theory 37(2):328–336 15. Schipani D, Rosenthal J (2010) Coding solutions for the secure biometric storage problem. Inf Theory Worksh (ITW) 2010:1–4 16. Sheekey J (2016) A new family of linear maximum rank distance codes. Adv Math Commun 10:475–488 17. Silva D, Kschischang F (2009) Fast encoding and decoding of Gabidulin codes. Int Symp Inf Theory (ISIT) 2009:2858–2862

A McEliece-Based Key Exchange Protocol for Optical Communication Systems Joo Yeon Cho, Helmut Griesser and Danish Rafique

Abstract The McEliece cryptosystem is one of the public-key cryptosystems that do not have known vulnerabilities to attacks using quantum computers. However, the McEliece cryptosystem has not been widely used for practical applications due to the large key size. We present an authenticated key exchange protocol based on the McEliece cryptosystem. We show that the proposed protocol is well suited for the G.709 Optical Transport Network (OTN) framework and satisfies a typical key refreshing rate used in industry. The proposed protocol addresses known weaknesses of the McEliece cryptosystem under a framework of the PACE protocol. The proposed protocol is implemented in software and demonstrated in a commercial optical communication system. Keywords Quantum-resistant cryptography · McEliece public key cryptosystem · Secure optical communication · Authenticated key exchange protocol

1 Introduction Optical communication is commonly used for high bandwidth applications such as data center interconnections since a large amount of data can be efficiently transmitted over the optical channel with low latency. In contrast to common perception, it is not a significant technical hurdle to physically tap into an optical fiber link, allowing to listen to many data streams on a single fiber. There have been two approaches to realize the security of optical communication: information theoretic approach and computationally secure approach. An informaJ.Y. Cho (B) · H. Griesser · D. Rafique ADVA Optical Networking SE, Fraunhoferstrasse 9a, 82152 Martinsried, Germany e-mail: [email protected] H. Griesser e-mail: [email protected] D. Rafique e-mail: [email protected] © Springer International Publishing AG 2018 M. Baldi et al. (eds.), Proceedings of the 2nd Workshop on Communication Security, Lecture Notes in Electrical Engineering 447, DOI 10.1007/978-3-319-59265-7_8

109

110

J.Y. Cho et al.

tion theoretic approach is to analyze the characteristics of the physical channel, and study codes that would actually achieve perfect secrecy without the need for exchanging secret keys [27]. This approach is in general impractical due to the requirement of infinite codeword. On the other hand, a computational security approach is to use cryptographic methods relying on the computational complexity of underlying mathematical problems (such as the integer factorization or the discrete log problem) and the assumption that adversaries have limited computing power. Even though this approach does not provide a proven security, the computationally secure cryptographic methods (e.g. RSA or Elliptic curve cryptosystem) are widely used for network security in practice. We study the security of optical communication systems by taking the computational security approach. Optical communication, which employs optical fibers as transmission channels, is operated at the lowest network layer with very high speed (e.g. 100 Gb/s). In order to ensure low latency, the data payload is continuously encrypted using a symmetric key crypto algorithm such as the AES [28], and this symmetric key is regularly refreshed by performing a key exchange protocol using an asymmetric (or public) key cryptosystem on a dedicated channel embedded in the frame overhead. In contrast to cryptographic protocols on higher layers, encryption on OSI layer 1 can be done with extremely low latency, high throughput and low overhead. While conventional public key cryptosystems such as Diffie–Hellman (DH) key exchange over multiplicative groups or Diffie-Hellman key exchange over elliptic curve groups (ECDH) are commonly used for a key exchange [3], there is a growing concern on quantum attacks with regarding to long term security due to recent significant progress in quantum computing hardware [14]. Since most public cryptosystems used today such as Diffie-Hellman key exchange or elliptic curve cryptosystem can be broken in a polynomial time by quantum computers using Shor’s algorithm [34], quantum attacks become an important threat which should be protected for long-term secure optical communication. In this paper, we propose a new secure key exchange protocol which can be used even when large-scale quantum computers are available in the future. The proposed protocol is based on the McEliece cryptosystem, a public key cryptosystem based on error correcting codes, presented in 1978 by McEliece [25]. It remains unbroken since proposed, including attacks using quantum computers. The McEliece cryptosystem with appropriate parameters was recommended by the PQCRYPT project for postquantum public key encryption [13]. Our Contribution Our main contribution is twofold: firstly, we present an authenticated key exchange protocol based on the McEliece cryptosystem and the framework of the PACE (Password Authenticated Connection Establishment) protocol. The PACE protocol was specified by the Federal Office for Information Security (BSI) in Germany and currently uses DH or ECDH as a public key crypto primitive [17]. However, as far as we know, there is no previous research on a McEliece-based authenticated key exchange protocol for optical communication systems; secondly, we investigate how the pro-

A McEliece-Based Key Exchange Protocol for Optical Communication Systems

111

posed protocol can be implemented efficiently in the optical communication system. Since the data is transmitted with very high speed in optical communication systems, it is important to refresh a data encryption key (a symmetric key) regularly within a short time interval1 (e.g. 1 s). The drawback of the McEliece cryptosystem is that the size of the key is quite large. For example, 260 kilobytes of public key is needed for a security level of 2129 [7]. However, we show that the McEliece cryptosystem is still applicable to the high speed optical communication where the benefits of security and speed are more important than the costs of communicating and storing the keys. Note that we do not provide a detailed security proof of the proposed protocol. Our security analysis mainly relies on that of the PACE protocol presented in [5] and that of the McEliece cryptosystem presented in [30]. Related Work The original McEliece cryptosystem does not provide semantic security (also called indistinguishability) under chosen-ciphertext attacks (IND-CCA).2 Several schemes have been proposed to convert the McEliece cryptosystem into the one which provides IND-CCA security [4, 16, 21, 33]. We review these schemes and show the difference to our proposal in Sect. 5. In [31], an IND-CCA secure hybrid encryption scheme using the Niederreiter cryptosystem was proposed. Being a hybrid encryption scheme, it allows efficient encryption of large plaintexts without requiring to share a symmetric secret key beforehand. Still it is not clear how efficient such a system is in practice. In addition, this scheme does not provide a user authentication feature which is critical in practice to prevent a man-in-the-middle attack. Recently, a few key exchange protocols based on the lattice problem have been proposed, for instance, the NewHope key exchange protocol [1]. Even though they are also quantum resistant, it has proven difficult to give precise estimates of the security of lattice schemes [14].

2 Background In this section, we briefly introduce the McEliece public key cryptosystem and the Password Authenticated Connection Establishment (PACE) protocol.

2.1 The McEliece Cryptosystem The McEliece cryptosystem is a public key encryption scheme based on a binary Goppa code. The idea behind this scheme is to first select a particular code for which 1 We

refer to [24] for the limit of AES-GCM key usage. public key cryptosystem is indistinguishable in the CCA model if the attacker has no advantage in determining for a given ciphertext and two plaintexts which of them was encrypted [30].

2A

112

J.Y. Cho et al.

an efficient decoding algorithm is known, and then to create a trapdoor function by disguising the code as a general linear code. Since the problem of decoding a linear code is NP-complete, a description of the original code serves as the secret key, while a description of the transformed code serves as the public key. The McEliece cryptosystem consists of three parts: a key generation algorithm which produces a public/secret key pair, an encryption algorithm and a decryption algorithm. The secret key consists of a generator matrix G, which is randomly chosen for a Goppa code from the key space, a k × k invertible binary matrix S and a random n × n permutation matrix P. The matrix Gˆ = S · G · P and the error correcting capability t forms the public key. To encrypt a message, a k-bit message is multiplied by the public key (a matrix) to produce an n-bit codeword and adds t random errors to the codeword to produce a ciphertext. See Eq. (1). The vector e is a random n-bit error vector with the Hamming weight t. Without knowledge of the specific code used, errors can not be corrected and therefore the original message cannot be recovered. Since S is invertible, the receiver can reverse the transformations of G and correct the errors by using the decoding algorithm of the code. See Eq. (2). c = m · Gˆ + e = m · S · G · P + e c · P −1 = m · S · G · P · P −1 + e · P −1 = m · S · G + e · P −1

(1) (2)

With the decoding algorithm, the receiver can correct all t errors and get m  = m · S because the Hamming weight of e · P −1 is still t. To restore the original message m, the receiver performs a multiplication with S −1 which results in m  · S −1 = m · S · S −1 = m.

2.2 PACE Protocol The Password Authenticated Connection Establishment (PACE) protocol is a security protocol that establishes a mutually authenticated (and encrypted) channel between two parties based on passwords. The protocol uses a weak password (possibly of low entropy), verifies the password, and generates cryptographically strong session keys, based on a Diffie-Hellman key agreement protocol. The PACE protocol can be roughly divided into four phases. In the first phase Alice sends a random nonce encrypted with the password to Bob. In the second phase both parties execute an interactive protocol mapping the nonce to a random generator of a group, e.g. an elliptic curve. In the third phase two parties run a Diffie-Hellman (DH) key agreement on the generator and use the DH key to derive the actual keys. Finally, both parties conclude the execution by sending some authentication data. For details, see [17].

A McEliece-Based Key Exchange Protocol for Optical Communication Systems

113

It is shown that the PACE protocol provides the highest possible level of security [5]. The PACE protocol is currently used in an international standard for digital travel documents [17].

3 System Model The schematic diagram of a security-enabled optical communication system is shown in Fig. 1. The wiretap model is based on Wyner’s wiretap channel [37]. A role of the public key crypto block is to derive a common symmetric key between Alice and Bob via a key exchange protocol. Using this key, symmetric key encryption is performed for bulk data encryption. The encrypted data is transmitted over an optical fiber channel and the intended receiver, Bob, can decrypt the transmitted data with the symmetric key which was already shared with Alice. The unintended receiver, Eve, may wiretap the encrypted data but should perform attacks to recover the original data without knowledge of the key. FEC (forward error correction) is used to recover channel errors which may occur during data transmission over noisy communication channel. Hence, FEC encoding is performed after the data stream is encrypted. In the same way, FEC decoding is performed before the transmitted data is decrypted.

4 A Proposed Key Exchange Protocol The proposed protocol comprises four phases: key setup, public key exchange, key derivation and key verification. The proposed protocol is summarized in Fig. 2.

Fig. 1 A system model for secure optical communication system in the presence of an eavesdropper

114

J.Y. Cho et al. Alice

Bob

Password π Public key: Gˆ 1 = S1 · G1 · P1 Secret key: {S1−1 , G1 , P1−1 }

Password π Public key: Gˆ 2 = S2 · G2 · P2 Secret key: {S2−1 , G2 , P2−1 }

kπ = H(π ||0)

kπ = H(π ||0)

r ∈ Fn2 z = E(kπ , r) m1 ∈ Fk2 c1 = m1 · Gˆ 2 + e1 c1 = c1 + r Recover m2 kenc = H(m1 ||m2 ||r) kMAC = H(kenc ||const) tag1 = MAC(kMAC , Gˆ 2 )

z, Gˆ 1 Gˆ 2



c1   c2

tag1 -

 tag2

r = E−1 (kπ , z) m2 ∈ Fk2 c2 = m2 · Gˆ 1 + e2 c2 = c2 + r Recover m1 kenc = H(m1 ||m2 ||r) kMAC = H(kenc ||const) tag2 = MAC(kMAC , Gˆ 1 )

Fig. 2 Proposed key exchange protocol based on the McEliece cryptosystem; E is a symmetric key crypto function, H is a hash function, MAC is a message authentication code, || is a concatenation operation, and + is a bitwise modulo two addition

Key setup: Alice and Bob have a pre-shared password π , and their own public/secret key pair. The secret key consists of an n × n permutation matrix P, a non-singular k × k matrix S, and a k × n generator matrix G for a binary Goppa code of length n and dimension k capable of correcting up to t errors. The public key is the matrix Gˆ = S · G · P and the error correcting capability t. Public key exchange: Alice and Bob compute a key kπ = H (π ||0) where H is a cryptographic hash function such as SHA-256 or SHA3-256. Then, Alice generates a random number r ∈ Fn2 , encrypts it with kπ and sends it to Bob, together with her public key Gˆ 1 . Bob performs a decryption with kπ and restores r . He sends his public key Gˆ 2 to Alice. Note that r is encrypted with a symmetric key crypto algorithm such as AES-256. r is a nonce, i.e. only used once. Key derivation: Alice generates a random number m 1 ∈ Fk2 and computes c1 = m 1 · Gˆ 2 + e1 where e1 is a random error vector of weight t. Then, she sends c1 = c1 + r to Bob. Bob generates a random number m 2 ∈ Fk2 and computes c2 = m 2 · Gˆ 1 + e2 where e2 is a random error vector of weight at most t. Then, he sends c2 = c2 + r to Alice. Alice adds r to c2 and gets c2 . Then, she computes c2 · P1−1 = m 2 · S1 · G 1 + e2 · P1−1 . By using the decoding algorithm, she recovers m 2 = m 2 · S1 . Then, by performing

A McEliece-Based Key Exchange Protocol for Optical Communication Systems

115

m 2 · S1−1 she obtains m 2 . In a similar way, Bob computes c1 = c1 + r and c1 · P2−1 = m 1 · S2 · G 2 + e1 · P2−1 . By using the decoding algorithm, he recovers m 1 = m 1 · S2 . Then, by performing m 1 · S2−1 he obtains m 1 . In the end, both Alice and Bob can compute a common encryption key kenc = H (m 1 ||m 2 ||r ). Key verification: Let MAC be a Message Authentication Code (MAC) algorithm e.g. HMAC [29] and const be a pre-defined non-zero constant value. Alice derives an ephemeral MAC key k M AC as k M AC = H (kenc ||const) where H is a hash function. Then, she computes tag1 by tag1 = MAC(k M AC , Gˆ 2 ) and sends tag1 to Bob. In a similar way, Bob derives an ephemeral MAC key k M AC = H (kenc ||const) and computes tag2 by tag2 = MAC(k M AC , Gˆ 1 ) and sends tag2 to Alice. Finally, Alice and Bob perform an independent computation of the tag and confirm the received tag is valid. The shared key kenc is aborted if tag1 or tag2 are invalid.

5 Security Analysis In this section, we review currently known attacks to the McEliece cryptosystem and discuss how the proposed protocol can avoid such attacks. Then, we compare the proposed protocol with other conversion schemes which provide IND-CCA security. Information-set decoding attacks The most effective attack known against the McEliece cryptosystems is informationset decoding. A simple form of the attack was introduced by McEliece in his original paper [25]. The idea of information-set decoding attack is as follows: an adversary randomly chooses k columns of a matrix Gˆ and builds a k × k submatrix. If there is no error in the chosen columns of the error vector and a k × k submatrix is invertible, the adversary can easily determine m by multiplying the encrypted vector by the inverse of the submatrix [25]. There are many variants to improve this attack, e.g. [22], [23], [35], [36], [11] and [9]. Several papers have suggested to use base fields other than F2 , e.g. [20] and [6]. The best information-set decoding attack for a non-binary McEliece scheme is presented in [32], which generalizes Lee-Brickells algorithm [22] and Sterns algorithm [35] to decoding algorithms for codes over an arbitrary field, and extends the improvements from [9] and [15]. With state-of-the-art information-set decoding attacks, the original McEliece system, which was designed for 264 security, can be compromised by around 260 operations [9]. The detailed description of these attacks is omitted since these attacks can be easily avoided by scaling up the parameters of the McEliece scheme, as proposed in [9]. In Sect. 6, we propose the parameter set targeting at least 2128 post-quantum security, which provides a sufficient security margin to render information-set decoding attacks impractical.

116

J.Y. Cho et al.

Weaknesses of the McEliece cryptosystem The original McEliece cryptosystem does not resist chosen-ciphertext attacks. This weakness mainly stems from the malleability of its ciphertexts (property of linear code); adding codewords to a ciphertext yields another valid ciphertext [30]. As a consequence from the malleability, an adversary can decrypt any given ciphertext c by a chosen ciphertext attack as follows. First, an adversary generates a new ciphertext c = c + Δm · Gˆ whose plaintext is m  = m + Δm. Then, the adversary asks an decryption oracle to decrypt c and recovers m  . Since the adversary knows Δm, he/she can recover the plaintext m. Furthermore, if an adversary takes advantage of the known relation between messages, the following two attack scenarios are applicable. Firstly, an adversary may use two ciphertexts which are produced by encrypting the same message with two different error vectors. Suppose that c1 = m · Gˆ + e1 and c2 = m · Gˆ + e2 where e1 = e2 . Then, c1 + c2 = e1 + e2 . Since the Hamming weight of the error vector e is far smaller than n/2, the zero coordinates of c1 + c2 are likely to be those of e1 and e2 . This enables an adversary to guess error bits efficiently. This is referred to as the message-resend attack [10]. Secondly, this attack can be further extended to the case where two messages have a linear relation such as m 1 + m 2 = Δm. Then, c1 + c2 + Δm · Gˆ = e1 + e2 and a similar attack scenario can be applied. A reaction attack is another CCA attack using a weaker assumption; an adversary can observe only the receiver’s reaction on the potential ciphertexts, but does not require any decryption [19]. In this scenario, the adversary repeats the following procedure; intercepting ciphertexts, flipping a few bits and observing the reaction of the receiver on the modified ciphertexts. If the receiver can successfully decode, the modified ciphertext does not exceed t errors, which means that the flipped bits are in error bits of the original error vector. By repeating this procedure, the adversary can determine the error vector. Note that these attacks can be avoided when a suitable conversion scheme to the McEliece cryptosystem is adapted. In our proposed protocol, an adversary can access only blinded ciphertexts, i.e. c = c + r . Since a random number r is used only once (nonce) every key exchange session, the adversary cannot derive any linear relation of blinded ciphertexts from multiple sessions. Hence, the attacks based on the malleability and the message-resend attacks are avoided. A reaction attack is also not applicable since each ciphertext is blinded by a random nonce, an adversary cannot obtain any valid information on the error vectors from repeated attacks. McEliece with a systematic public key In order to reduce the key size and to speed up the encryption and decryption of ˆ which is a k × n matrix, is converted to the McEliece cryptosystem, a pubic key G, a systematic form Gˆ sys = {Ik | Q}, where Ik is a k × k identity matrix. Then, only the k × (n − k) matrix Q becomes the public key. The drawback is that, since the first k columns of Gˆ sys form the identity matrix, the first k positions of ciphertext equal those of the plaintext bits. Hence, the first k symbols of Gˆ sys , which are called

A McEliece-Based Key Exchange Protocol for Optical Communication Systems

117

information symbols, can be used for general attacks using information-set decoding algorithm. In the proposed protocol, however, this type of weakness has been removed since a random nonce r is added to the ciphertext c. An adversary can access only c = c + r instead of c (see Fig. 2), hence, no information symbols are available to the adversary. Comparison to other conversion schemes In the literature, there are many conversion schemes which possibly provide INDCCA security to the McEliece cryptosystem, e.g. [4, 16, 21, 33]. In [21], Kobara and Imai reviewed these conversion schemes and tailored them specifically for the McEliece cryptosystem. Two generic conversions are applicable to the McEliece cryptosystem: one presented by Pointcheval [33] and the other by Fujisaki-Okamoto [16]. However, these conversions require extra strings added after the McEliece ciphertext, thus the data overhead becomes large. In [21], Kobara and Imai proposed their own conversion schemes to decrease such data overhead under the random oracle model. We refer to [21] for a detailed description. Note that there is a basic difference between these conversion schemes and our proposal; since our proposal provides a user authentication property, an n-bit random number (which is refreshed every key exchange session) is shared between two parties before the McEliece cryptosystem is initiated. This random nonce is used to destroy the malleability of the ciphertexts of the McEliece cryptosystem. Hence, there is no data overhead added to the ciphertext; Instead, it is required to share a random nonce r beforehand. Furthermore, it was pointed out in [7] that straightforward implementations of any of the decryption procedures presented in the Kobara and Imai conversion scheme [21] would abort if the original McEliece decryption step fails; the resulting timing leak leads to devastating attacks. Whereas, in our proposal, any failure of the decryption does not reveal any useful information on the corresponding plaintext and a final secret key kenc . Other attacks The proposed protocol is secure against a man-in-the-middle attack since the proposed protocol provides a user authentication property; a random nonce r is encrypted with the password-derived key and shared between two parties. Later r becomes a part of the inputs to create a common secret key kenc . Hence, unless an adversary knows the right password or r , a man-in-the-middle attack does not work. Furthermore, a replay attack is not applicable since random numbers r , m 1 and m 2 are freshly generated every key exchange session. Since Grover’s algorithm speeds up brute-force searches twice, a key exhaustive search attack using quantum computers is always applicable. Hence, it is recommended for the symmetric key algorithm E to use AES-256, which provides 2128 post-quantum security. For the same reason, it is recommended to use SHA256/SHA3-256 for the cryptographic hash function H . The security level of these cryptographic functions are well matched with the parameter setup of the McEliece cryptosystem which is presented in Sect. 6.

118

J.Y. Cho et al.

Table 1 Amount of data to be exchanged in the proposed protocol Exchanged data Data size (byte) AES encrypted data (z) McEliece public key (Gˆ1 , Gˆ2 ) Encrypted data (c1 , c2 ) Authentication tag Total amount

16 1,046,739 870 32 1,047,657

6 Implementation McEliece encryption can be done as follows: multiplying the public key Gˆ by a k-bit message to produce an n-bit codeword and adding t random errors to the codeword to produce a ciphertext. Hence, the parameter set (n, k, t) of the McEliece cryptosystem is critical to determine the security level and the size of the keys. In order to provide quantum-resistant security, it is recommended in [13] to use the McEliece public key encryption using a Goppa code with parameters (n, k, t) = (6960, 5413, 119) over 263 pre-quantum security and at least 2128 F13 2 . This parameter set can provide a 2 post-quantum security. We take these parameters for long-term security. The public key Gˆ needs naively k × n/8 = 4, 709, 310 bytes. However, if Gˆ is converted to a systematic form Gˆ sys = {Ik | Q}, as discussed in Sect. 5 and also in [9, 30], the size of the public key is reduced to the that of Q, which is k(n − k)/8 = 1, 046, 739 bytes. The rest of the data is listed in Table 1. In total, the amount of data to be exchanged in our protocol becomes 1, 047, 657 bytes. The Optical Transport Network (OTN) frame structure is defined in the ITU-T G.709 standard [18]. The OTN signal formats and overhead structure are briefly described in the Appendix. The data shown in Table 1 can be exchanged via the OTN frame overhead (see Fig. 4). Suppose N is the amount of bytes to be exchanged, f k is the ODUk frame period and b is the number of ODU overhead bytes being used for the key exchange protocol. Then, the transmission time Tk required for a single key exchange session is computed as follows: Tk = N /b × f k

(3)

where k = 1, 2, 3, 4. For instance, the ODU4 frame period is f 4 = 1.168 µsec according to the G.709 standard [18]. Let us take b = 3. Since N = 1, 047, 657, the data transmission time T4 = 1, 047, 657/3 × 1.168 ≈ 0.41 s. This fits well for a typical key refreshing rate, e.g. every second, for optical communication systems. Table 2 summarizes the data transmission time for the proposed McEliece-based key exchange protocol, depending on the frame period of the ODU frame and the number of overhead bytes. Tk is tuned for a one-second key refreshing rate. Note

A McEliece-Based Key Exchange Protocol for Optical Communication Systems

119

Table 2 A comparison of the transmission time Tk of different key exchange protocols Parameter McEliece-based protocol DH ECDH N (byte) ODU f k (μs) b (byte) Tk Pre-quantum security Quantum security

1,047,657 ODU4 (100GE) 1.168 3 0.41 sec 2263 2128

ODU3 (40GE) 3.035 4 0.79 sec

ODU2 (10GE) 12.191 13 0.98 sec

1,968 ODU4 (100GE) 1.168 3 0.77 ms 2256 broken

80 ODU4 (100GE) 1.168 3 0.03 ms 2256 broken

that there is a limitation of the OTN overhead bytes to be used for a key exchange purpose. Hence, there is a tradeoff between Tk and b, depending on the application. Table 2 also shows the transmission time for the DH and ECDH key exchange protocols for comparison. Note that only the transmission time using the ODU4 frame is compared. According to NIST [2], for 2256 security level, the size of the public key is 15360/8 = 1920 bytes for DH and 512/8 = 32 bytes for ECDH. Due to an additional data transmission for r and a tag, the DH and ECDH need 1920 + 16 + 32 = 1968 bytes and 32 + 16 + 32 = 80 bytes, respectively, in total. Even though the McEliece-based key exchange protocol takes much more time, compared to the key exchange protocol using conventional public key cryptosystems such as DH and ECDH, it is still affordable for the key refreshing rate of optical communication, as shown in Table 2. More importantly, the proposed McEliecebased key exchange protocol provides quantum-resistant security, whereas both DHand ECDH-based key exchange protocols can be easily broken in a polynomial time by quantum attacks. In addition, recent benchmarks suggest that the McEliece cryptosystem provides extremely fast encryption and reasonably fast decryption, compared to the DH and ECDH cryptosystems [8]. Experiment We implemented the proposed key exchange protocol in software and performed an authenticated key exchange on a commercial optical networking system. We selected a 10GE (ODU2) DWDM module as a test platform. According to the G.709 standard [18], the ODU2 frame period for 10GE is f 2 = 12.191 μsec. If b = 3, then T2 = 1, 047, 657/3 × 12.191 ≈ 4.3 seconds. The experiment was done using a pair of the 10GE modules which were connected back-to-back. Each frame transmission time was measured by an embedded processor timer. We verified the total transmission time as expected. Channel conditions While the McEliece cryptosystem relies on the difficult problem of decoding an unknown Goppa code, it also depends on the channel errors due to noise and other dis-

120

J.Y. Cho et al.

tortions in the channel. Without FEC, an actual McEliece encryption is described as c = m · Gˆ + e + e

(4)

where e is an error vector of the optical channel error. Suppose that the binary Goppa code can correct up to t1 and the FEC can correct up to t2 channel errors. Then, the McEliece decryption is successful if the following condition is satisfied: w H (e) < t1 and w H (e ) < t2

(5)

where w H is a Hamming weight counting function. In our system model, it is assumed that the channel error is perfectly corrected by the FEC. If FEC would not be present in the system, then McEliece decryption is successful if the following condition is satisfied: w H (e + e ) < t1

(6)

7 Conclusion In this work we presented an authenticated key exchange protocol for optical communication, based on the McEliece public key cryptosystem. The proposed protocol is secure even when large-scale quantum computers are available to the attackers. Since the achievable key refreshing rate fits for a typical key exchange rate in use, the proposed protocol can easily replace DH or ECDH in current optical communication systems. Our work can be extended to variants of the McEliece cryptosystem based on non-Goppa codes, e.g. quasi-cyclic moderate density parity check codes (QCMDPC) [12, 26], which have a more compact key size and are promising candidates for quantum-resistant cryptosystems. Acknowledgements The authors would like to thank anonymous reviewers of WCS 2017 for very helpful feedback and comments. This work has been performed in the framework of the CELTIC EUREKA project SENDATE-Secure-DCI (Project ID C2015/3–4), and it is partly funded by the German BMBF (Project ID 16KIS0477K).

Appendix This section describes the signal format of the OTN (Optical Transport Network) signal and the frame structure. Note that we present only partial information which is relevant to this paper. For details, we refer to [18]. There are four currently defined OTU (Optical Transport Unit) rates and five OPU (Optical Payload Unit) / ODU (Optical Data Unit) rates. An OPU, ODU, or OTU of a particular rate is referred to

A McEliece-Based Key Exchange Protocol for Optical Communication Systems

121

Fig. 3 G.709 OTN signal frame structure

Fig. 4 G.709 ODUk overhead format

as an OPUk, ODUk, or ODUk with k = 0, 1, 2, 3, or 4. The OPU, ODU, and OTU frame structure is partially shown in Fig. 3. The ODU frame is structured as four rows by 3824 columns, regardless of the signal rate. The OPU payload area consists of columns 17-3824 for all four rows. The overhead information for the OPU is contained in the D and E areas of Fig. 3. The ODUk overhead location is shown in Fig. 4. The ODU consists of the OPU and the ODU overhead. The ODU overhead is area C in Fig. 3. It contains the overhead for path performance monitoring (PM), fault type and fault location (FTFL), two generic communications channels (GCC), an automatic protection switching and protection communications channel (APS/PCC), six levels of tandem connection monitoring (TCM), and a set of bytes reserved for experimental purposes (RES).

References 1. Alkim E, Ducas L, Pöppelmann T, Schwabe P (2015) Post-quantum key exchange—a new hope, Cryptology ePrint Archive, Report 2015/1092. http://eprint.iacr.org/2015/1092 2. Barker E (2016) Recommendation for key management, NIST SP 800-57, Part 1, Revision 4 3. Barker E, Chen L, Roginsky A, Smid M (2013) Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography, NIST Special Publication 800-56A, Revision 2 4. Bellare M, Rogaway P (1995) Optimal asymmetric encryption - how to encrypt with RSA, EUROCRYPT’94. Lecture Notes in Computer Science, vol. 950. Springer, pp 92–111 5. Bender J, Fischlin M, Kügler D (2009) Security analysis of the PACE key-agreement protocol information security. In: Information security conference (ISC). LNCS 5735:33–48

122

J.Y. Cho et al.

6. Berger T, Loidreau P (2005) How to mask the structure of codes for a cryptographic use. Des Codes Cryptogr 35(1):63–79 7. Bernstein D, Chou T, Schwabe P (2013) McBits: fast constant-time code-based cryptography. Cryptogr Hardw Embed Syst CHES. LNCS 8086:250–272 8. Bernstein D, Lange T (ed) (2017) eBACS: ECRYPT benchmarking of cryptographic systems. http://bench.cr.yp.to. Accessed 28 March 2017 9. Bernstein D, Lange T, Peters C (2008) Attacking and defending the McEliece cryptosystem, Cryptology ePrint Archive, Report 2008/318. http://eprint.iacr.org/2008/318 10. Berson T (1997) Failure of the McEliece public-key cryptosystem under message-resend and related-message attack. In: 17th Annual international cryptology conference on advances in cryptology—CRYPTO’97, pp 213–220 11. Canteaut A, Sendrier N (1998) Cryptanalysis of the original McEliece cryptosystem. In: Advances in cryptology—ASIACRYPT’98. Lecture Notes in Computer Science, vol. 1514. Springer, Heidelberg 12. Chou T (2016) QcBits: constant-time small-key code-based cryptography, pp 280–300 13. Augot D et al (2015) Initial recommendations of long-term secure post-quantum systems, PQCRYPTO. http://pqcrypto.eu.org/docs/initial-recommendations.pdf 14. Chen L et al (2016) Report on post-quantum cryptography, NISTIR vol. 8105. http://nvlpubs. nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf 15. Finiasz M, Sendrier N (2009) Security bounds for the design of code-based cryptosystems, pp 88–105 16. Fujisaki E, Okamoto T (1999) Secure integration of asymmetric and symmetric encryption schemes. In: 19th annual international cryptology conference on advances in cryptology— CRYPTO’99, pp 537–554 17. Bundesamt fur Sicherheit in der Informationstechnik (BSI) (2015) Advanced security mechanisms for machine readable travel documents and eIDAS token, BSI Technical Report (TR03110), Version 2.20 18. Gorshe S A tutorial on ITU-T G.709 optical transport networks (OTN) 19. Hall C, Goldberg I, Schneier B (1999) Reaction attacks against several public-key cryptosystem. In: Second international conference on information and communication security, ICICS’99. Springer, Heidelberg, pp 2–12 20. Janwa H, Moreno O (1996) McEliece public key cryptosystems using algebraic-geometric codes. Des Codes Cryptogr 8(3):293–307 21. Kobara K, Imai H (2001) Semantically secure McEliece public-key cryptosystems— conversions for McEliece PKC. In: Proceedings of the 4th international workshop on practice and theory in public key cryptography: public key cryptography, pp 19–35 22. Lee P, Brickell E (1988) An observation on the security of McEliece’s public-key cryptosystem. In: Advances in cryptology—EUROCRYPT’88 (Berlin, Heidelberg). Lecture Notes in Computer Science, vol 330. Springer, Heidelberg 23. Leon J (1988) A probabilistic algorithm for computing minimum weights of large errorcorrecting codes. IEEE Trans Inf Theory 34(5):1354–1359 24. Luykx A, Paterson K (2016) Limits on authenticated encryption use in TLS. www.isg.rhul.ac. uk/~kp/TLS-AEbounds.pdf 25. McEliece RJ (1978) A public-key cryptosystem based on algebraic coding theory. Deep Space Netw Progr Rep 44:114–116 26. Misoczki R, Tillich JP, Sendrier N, Barreto PSLM (2013) MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: 2013 IEEE international symposium on information theory, pp 2069–2073 27. Mukherjee A, Fakoorian SAA, Huang J, Swindlehurst AL (2014) Principles of physical layer security in multiuser wireless networks: a survey. IEEE Commun Surv Tutor 16(3):1550–1573 28. NIST (2001) Advanced encryption standard (AES), FIPS PUB 197 29. NIST (2008) The keyed-hash message authentication code (HMAC), FIPS 198-1 30. Overbeck R, Sendrier N (2009) Code-based cryptography, Post-quantum cryptography. In: Bernstein D, Buchmann J, Dahmen E (eds). Springer, Oxford, pp 95–145

A McEliece-Based Key Exchange Protocol for Optical Communication Systems

123

31. Persichetti E (2013) Secure and anonymous hybrid encryption from coding theory, postquantum cryptography. In: 5th International workshop, PQCrypto (2013). Lecture Notes in Computer Science, vol. 7932. Springer, pp 174–187 32. Peters C (2009) Information-set decoding for linear codes over Fq, Cryptology ePrint Archive, Report 2009/589. http://eprint.iacr.org/2009/589 33. David Pointcheval (2000) Chosen-ciphertext security for any one-way cryptosystem, public key cryptography. In: Third international workshop on practice and theory in public key cryptosystems, PKC (2000). Springer, Heidelberg, pp 129–146 34. Shor PW (1994) Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th annual symposium on foundations of computer science, Nov 1994, pp 124– 134 35. Stern J (1989) A method for finding codewords of small weight, coding theory and applications. Lecture Notes in Computer Science, vol. 388. Springer, Heidelberg 36. Tilburg J (1990) On the McEliece public-key cryptosystem. In: Advances in cryptology— CRYPTO’88. Lecture Notes in Computer Science, vol 403. Springer, New York 37. Wyner AD (1975) The wire-tap channel. Bell Syst Tech J 54(8):1355–1387

An ICN-Based Authentication Protocol for a Simplified LTE Architecture Alberto Compagno, Mauro Conti and Muhammad Hassan

Abstract Nowadays, the most diffused approach for supporting device mobility is to implement specific mechanisms at link-layer (e.g., tunneling) supported by a dedicated architecture (e.g., LTE architecture). While this approach can handle mobility well within a singular network, it fails to provide a seamless Internet connectivity when mobility occurs among different networks. To achieve inter-networks mobility, researchers proposed to implement mobility management protocols at the network layer. However, the current IP network layer has not been designed for handling mobility, with the result that none of the proposed IP-based methodologies is able to provide a satisfactory solution. Information Centric Networking (ICN) is an emerging networking paradigm that provides a better support for mobility than IP, enabling full mobility management at network layer. In this paper, we take a fresh look on mobility management and propose a simplified LTE infrastructure that exploits the mobility support provided at the ICN network layer. We revise the current device authentication protocol for LTE, and we present a novel handover protocol that exploits the ICN communication style. Compared to the protocol adopted in the current LTE, our proposals are able to reduce the number of messages required to authenticate or re-authenticate a device during mobility.

1 Introduction One obvious failure of IP is mobility management. Initially designed for the existing static wired network technology, IP failed to chase the technology evolution which allows nowadays wireless connectivity and mobile devices. Different research A. Compagno Cisco Systems, Paris, France e-mail: [email protected] M. Conti (B) · M. Hassan University of Padova, Padova, Italy e-mail: [email protected] M. Hassan e-mail: [email protected]; [email protected] © Springer International Publishing AG 2018 M. Baldi et al. (eds.), Proceedings of the 2nd Workshop on Communication Security, Lecture Notes in Electrical Engineering 447, DOI 10.1007/978-3-319-59265-7_9

125

126

A. Compagno et al.

efforts [1–3] tried to overcome the lack of mobility in the IP design, however none of them was really able to provide a cost-effective mobility mechanism. For this reason, mobility management is nowadays provided at link-layer, enabled only for specific wireless technologies (e.g., LTE, Wi-Fi) and confined in singular networks. Information Centric Networking (ICN) is an emerging networking paradigm with a natural support for mobility at network layer. In particular, in ICN the host-centric communication (IP) approach is replaced with a content-centric approach. Communication in ICN is triggered by consumer entities, who express interest for specific content. The network will then deliver the consumers interest to the producer entitled for generating the corresponding content, as well as forward the content back to the consumers. Two important ICN design choices provide to ICN a natural support for consumer mobility. First, content is addressed by location-independent human readable names, namely they do not express any reference to source or the destination of packets (both interest and content). Second, neither consumers nor producers require a network address (e.g., the IP address) to communicate. Only the name of content is used to forward consumer’s interests towards the corresponding content, and the content back to the requesting consumer. This allows consumers to forward interests as soon as an interface is available, as opposed to IP in which a host is forced to wait for a mapping between the interface address and its layer-3 address. Such contentbased, location-independent communication style has been shown to improve device mobility support with respect to the current IP [4], thus raising ICN as a possible future solution to manage mobility at network layer. In this paper, we propose a simplified LTE infrastructure that exploits the ICN architecture to manage device mobility. Inspired by recent proposals that manage mobility at ICN network layer [5, 6], we propose a simpler LTE architecture that does not require the Mobility Management Entity (MME); i.e., the entity that guarantees an uninterrupted device connection during mobility events. We use the ICN communication style to design a revised device authentication protocol and a novel handover authentication protocol that reduce the number of exchanged messages between the authenticating entities. In particular, our handover authentication protocol exploits the ICN synchronization protocol [7] to move the device security context (i.e., cryptographic material established during the mobile device authentication) during the handover mechanism from the old to the new base station. Our analytical evaluation shows that our authentication and handover authentication protocols can reduce the device authentication delay when compared with the current LTE authentication protocols. Organization In Sect. 2 we briefly introduce ICN. In Sect. 3 we review the LTE authentication protocol and the handover mechanism. Then, in Sect. 4 we present our simplified LTE infrastructure onto which we review the authentication protocol, proposed in Sect. 4.1, and the handover mechanism, detailed in Sect. 4.2. In Sect. 5 we evaluate

An ICN-Based Authentication Protocol for a Simplified LTE Architecture

127

our proposed authentication protocols comparing to LTE authentication protocols with respect to authentication delay. In Sect. 6 we provide a security discussion of our protocol and we propose the adoption of the physical-security authentication to counter replay attacks. Finally, we conclude in Sect. 7.

2 ICN Overview Communication in ICN is achieved via content distribution. ICN directly names content, making it addressable and routable at network layer. NDN [8] and CCNx [9] are considered by the research community to be two reference projects implementing the ICN paradigm. The ICN communication model can be characterized as using a pull model: content is delivered to consumers only upon (prior) explicit requests for that content, i.e., each content delivery is triggered by a request for that content. Content is generated by producers which are also responsible for announcing its availability to the network. Consumers request desired content by name, via interest packets. Names consist of one or more components with a hierarchical structure, e.g., /icn/cnn/politics. After receiving an interest, an ICN router forwards the interest towards the content producer responsible for the requested name, using longest name-prefix matching for routing information. Then, after the interest is delivered to the content producer, the producer responds by sending the content into the network, thus satisfying the interest. The requested content packet is then forwarded towards the consumer, traversing—in reverse—the path of the preceding interest. Security in ICN follows a data-centric model. Each content is signed by the producer, allowing consumers to verify integrity and data-origin authentication.

3 Authentication and Mobile Management in LTE The 3GPP consortium [10] defines Long Term Evolution (LTE) and System Architecture Evolution (SAE) to be composed of two main architectural components: the Evolved Terrestial Radio Access Network (E-UTRAN) and the Evolved Packet Core (EPC) network [11]. The LTE architecture is depicted in Fig. 1. The E-UTRAN is composed of a number of enhanced node base station, called eNodeB, that provide wireless connectivity to the mobile devices (henceforth called user equipment—UE). The EPC contains different entities used to manage mobility and that compose the SAE. Two notable SAE entities that are of interest for this work are: • The Mobile Management Entity (MME). MME plays a central role for management in LTE/SAE architecture. It contributes mainly in security, authentication, ID allocation of mobile devices (henceforth user equipment—UE) and roaming control in mobility scenarios.

128

A. Compagno et al.

Fig. 1 LTE architecture [12]

Non-3GPP Access Network

Internet

PGW

HSS

SGW MME

Evolved Packet Core E-UTRAN

eNodeB

UE

UE

• The Home Subscriber Server (HSS). HSS serves as home environment for the whole SAE/LTE architecture containing all the credentials of devices regarding authentication, security, identity and Quality of service (QoS). Despite these above entities, the core network also have a Serving Gateway (SGW) and a Packet Data Network Gateway (PGW). The role of SGW is to serve the UE by sending and receiving packet data coming from and going to eNodeB, acting also as a limited anchor of mobility service for UE. While PGW connects the core network with other Packet Data Networks such as Internet [13]. In the following, we describe the authentication protocol currently adopted by the LTE infrastructure, the EAP-AKA protocol, and the handover protocol used to manage mobility of the nodes.

3.1 Authentication Protocol The authentication protocol adopted in LTE networks is a four-party protocol based on a pre-shared secret key that provides: (i) mutual authentication between UE and the Network, (ii) distributes the necessary cryptographic material to enable ciphering and integrity protection between the UE and the MME, as well as the UE and the eNodeB. The entities involved in the EAP-AKA protocol are: 1. The UE that authenticates to the network. 2. The eNodeB towards which the UE is connecting to the network.

An ICN-Based Authentication Protocol for a Simplified LTE Architecture eNodeB

UE

MME

129 HSS

Attach Request User ID Request User ID Response

User Auth. Req. (RES)

User Auth. Req. RAND, AUTN

User Auth. Req. IMSI, MME Auth. Data Res. AVs

Check if RES = XRES EAP Success +MSK

Fig. 2 EAP-AKA authentication protocol [12]

3. The MME which plays the role of an Authentication Center (AuC) that authenticates the UE. 4. The HSS that stores the pre-shared key k with the UE. The protocol provides mutual authentication between the UE and the network by running the EAP-AKA protocol between the UE and the MME. The HSS will act as an Authorization, Authentication and Accounting (AAA) server, providing to the MME the needed information to perform the EAP-AKA protocol with the UE. Figure 2 shows the full authentication phase in the LTE/SAE infrastructure. The process of mutual authentication starts when UE enters in the radio range of an eNodeB and issues an attach request to the MME. After receiving such request, the MME requests to UE the International Mobile Subscriber Identity (IMSI).1 Then, the MME requests to the HSS the proper authentication vector (AV) to continue the authentication protocol (i.e., perform the UE authentication and derive further keys to secure the communication with the device). The AV is made of: an token AU TN, a random number RAND, an expected authentication result RES and a symmetric key KASME . The triplet AU TN, RAND and XRES will be used to mutually authenticate the UE and the network. The key KASME will be later used by UE and MME to derive further ciphering and integrity keys. Once the MME receives the AV, it issues a user authentication message to the UE passing the value AU TN and RAND. Then, the UE derive its own AU TN from the two value k and RAND, and it compare its value of AU TN with the value received from the MME. The matches of these two values authenticates the network. The protocol concludes with UE deriving the XRES and forwarding it back to the MME

1 IMSI

uniquely identifies a user in a cellular network. IMSI is stored in the Subscriber Identity Module (SIM).

130

A. Compagno et al.

which matches it against RES. In this case, if the two values matches, the UE is considered to be authentic. Along with XRES, the UE derives KASME too. Once the mutual authentication is completed, both UE and MME can derive the needed keys to enable ciphering and integrity protection for the communication between the UE and the MME (i.e., Non access stratum security). Moreover, the UE and the eNodeB will both derive ciphering and integrity to protect the message delivery between them (i.e., Access stratum security) [14]. To perform this last step, the MME will share a key KeNodeB with the eNodeB, which will be calculated in the UE too. Such key will be then used to derive the integrity and ciphering keys between UE and eNodeB.

3.2 Handover Protocol LTE implements two different handover schemes. The first is a centralized approach in which the MME acts as a connection point receiving the handover requests from the source eNodeB (i.e., the eNodeB the UE is going to leave) and forwarding it to the target eNodeB (i.e., the eNodeB the UE is going to connect to). The second is a distributed approach in which the source eNodeB directly communicate with the target eNodeB exploiting a direct link between them called X2 link. Each of the two handover approaches goes with its own KeNodeB derivation mechanisms, i.e., every time a UE moves to a different eNodeB, a new key KeNodeB is generated to prevent previous eNodeB (honest or controlled) to decrypt or modify the packet exchanged between the new eNodeB and UE. In the centralized approach, the new KeNodeB is sent from the MME to the target eNodeB, while in the distributed approach the source eNodeB generates and send the new KeNodeB to the target eNodeB.

4 Simplified LTE Architecture for ICN In this section, we propose a revised LTE infrastructure in which both the access network and the core network implement the ICN stack. Mobility is managed at network layer in a distributed way as proposed in [5]. Such approach does not require any central entity for managing mobility, such as the MME. For this reason, in our revised LTE infrastructure the MME entity is no longer part of the architecture. The only available entities are: • HSS. Like in the original LTE architecture, HSS contains all the UE information regarding authentication, security, identity and Quality of service (QoS). In our revised LTE, the HSS is a producer that provides for the content it is storing. We assume that the HSS published its content under the namespace /UE/login • UE. A UE represents the device that wants to connect to the cellular network.

An ICN-Based Authentication Protocol for a Simplified LTE Architecture

131

• eNodeB. The network will be formed of many eNodeBs, acting as point of access to the network for the UEs. • ICN Core Router. In our simplified LTE architecture, the core network is ICN routers. We assume that all the eNodeBs and ICN routers have the necessary routing and forwarding information to deliver interests to the HSS. Moreover, eNodeBs and ICN routers trust the HSS as the producer for the UE credentials. This can be achieve either by installing the public key of the HSS in each eNodeB or by involving a root of trust who sign the public key of the HSS, i.e., it creates a certificate for the HSS. In the latter case, an eNodeB has only to verify the HSS certificate once and we assume it to be at bootstrapping time.

4.1 Authentication Protocol in ICN We propose an UE authentication protocol in our revised LTE infrastructure that exploits the ICN communication style. Similarly to the LTE authentication protocol, our protocol adopts the EAP-AKA to provide: • Mutual authentication between the UE and the cellular network. • Distribution of the cryptographic material to provide integrity and ciphering between UE and the eNodeB connected to the eNodeB. Our proposal simplifies the original LTE authentication protocol in at least two aspects: (i) it involves three entities (i.e., UE, eNodeB and the HSS) rather than four, thus reducing the communication delay, (ii) it performs the main part of the protocol between the UE and the eNodeB in order to minimize the overall network overhead. While UE and MME are usually multi-hops away one from the each other, UE and eNodeB are instead separated only from one hop. Therefore, running the most of the protocol among UE and eNodeB will reduce the number of messages that travels in the network (i.e., from the eNodeB to the HSS). The work in [15] has already shown the advantage of a similar approach. Figure 3 depicts our authentication protocol over ICN. The protocol starts with UE issuing an interest requesting to access the network (Step 1). The last component of the interest contains the UE’s identity; the IMSI. Once eNodeB knows the UE’s IMSI, it issues an interest to retrieve the AV from the HSS (Step 2). In our proposal, AV is made of: AU TN, RAND, XRES and a key for access eNodeB KANB . While the first three are the same parameters used in the original LTE authentication protocol, KANB is specific for our proposal. Its purpose is allows UE and eNodeB to derive integrity and ciphering key, even in case of handover. The protocol then continues with the HSS that satisfies the interest issued in Step 2 with a content carrying the AV (Step 3), thus allowing the eNodeB to satisfy the first interest issued by UE with a content carrying AU TN, RAND (Step 4). Like in

132

A. Compagno et al. UE 1

eNodeB

Interest UE/login/authrequest/IMSI 2

HSS

Interest UE/login/authrequest/IMSI Generates RAND, XRES, KANB and AUTN

Content UE/login/authrequest/IMSI Content Payload: AUTN, RAND UE/login/authrequest/IMSI XRES, KANB 3 Payload: AUTN, RAND 4 Signature: SIGN( SK HSS ) Signature: MAC( KANB ) Verifies AUTN, derives RES and session key Interest UE/login/RES Content UE/login/RES Payload: Success Signature: MAC( KANB )

5

6

Fig. 3 EAP-AKA over ICN

the original LTE authentication protocol, UE calculates its own version of AU TN and match it over the AU TN received from the eNodeB. This check authenticates the network. The protocol then concludes with the eNodeB requesting the authentication from UE (Step 5), which will reply with a content transporting XRES in its payload (Step 6). It is worth mentioning that every content packet in ICN must be authenticated with the producer’s key (either symmetric or its private key). Therefore, in our protocol we use the HSS’s private key, SKHSS to sign each content generated by the HSS, while we use KANB to authenticate the content exchanged between UE and eNodeB (steps 4 and 6 in Fig. 3).

4.2 Handover Protocol in ICN The handover mechanism in our proposal is performed through an authentication handover module (AHM). AHM is an application running on every eNodeB that prepares relevant eNodeBs (i.e., stores and shares the crypto material to authenticate UE) before UE arrives. In particular, AHM predicts the future location of user [16] and estimates the next area that UE will pass through [17–20]. Once the area has been

An ICN-Based Authentication Protocol for a Simplified LTE Architecture

133

calculated, it identifies the group of eNodeBs, namely relevant eNodeBs, covering such area and shares with them the information to authenticate UE.

4.2.1

Handover and UE Re-authentication

The authentication handover module predicts the set of relevant eNodeBs extrapolating the movement of UE using physical attributes i.e. location, velocity and direction. Moreover, AHM maintains a dataset related to each UE containing its relevant authentication material. Once the relevant eNodeBs have been identified, AHM exploits ChronoSync [7] to share with them the dataset related to the UE. After the EAP-AKA protocol has been completed, the authenticated UE and eNodeB share KANB . At this point, AHM starts predicting the set of relevant eNodeBs and it stores and shares a new key KANB ∗ calculated as follows: KANB ∗ = KDF(KANB , RAND).

(1)

When the UE moves to one of the relevant eNodeB, it derives KANB ∗ and it authenticates to the new eNodeB by sending an interest carrying a new random number RAND∗ and a message authentication code (MAC) calculated from the interest name (and RAND∗, later used again) with KANB ∗. The eNodeB then replies with a content authenticated with KANB ∗. If both interest and content are authentic, then UE and the eNodeB are authenticated by each other and they can further derive ciphering and integrity key for securing their communication. At this point, AHM running in the eNodeB starts predicting the set of relevant eNodeBs and it shares a new key KANB ∗ calculated as described in Eq. (1) (in this case, the previous value of KANB ∗ will replace KANB and RAND∗ will replace RAND in the equation).

4.2.2

Synchronization of the Key Access eNodeB in the Relevant eNodeBs

Synchronization of KANB ∗ is performed through the ChronoSync protocol. ChronoSync synchronizes the state of a given dataset among multiple ICN entities [7]. The protocol works on the idea to encode the state of the dataset of each entity into crypto digest form (i.e., SHA256) called statedigest, or digest in short. These state digests are then exchanged among all the entities participating in particular synchronization group. Each entity depending upon the state of its own dataset calculates the state digest, and sends a broadcast interest to all the other entities in that group, containing that state digest. On receiving such interest, if the value of the incoming digest is identical comparing to the value maintained locally, no action will be taken and called as stable state. Otherwise, the difference of the dataset state is directly inferred and sent in response to the sync interest [7]. With the knowledge of the up-to-date state dataset, an ICN entity (or one of its running application) can then decide to fetch the new content in the dataset.

134

A. Compagno et al. eNodeB

Sync interest Sync data UE attachment K

KANB*= KDF (KANB,RAND)

AN

B*

eNodeB

eNodeB

KANB*

Source eNodeB UE

Target eNodeB UE

Fig. 4 Synchronization Fig. 5 Application data name

In our proposal, ChronoSync synchronizes the state of UE’s dataset, i.e., the key KANB ∗, on each relevant eNodeB predicted by the AHM. Therefore, the AHM’s dataset running on each relevant eNodeB will be notified of the new key KANB ∗ and will fetch it from the eNodeB sending the notification. After the new KANB ∗ is fetched, a relevant eNodeB is ready to authenticate UE and to perform the handover as explained in Sect. 4.2.1. Figure 4 shows the communication between relevant eNodeBs during the synchronization process. The synchronization of the dataset state and the fetching of KANB ∗ require the definition of two namespaces, namely the sync data namespace and the application data namespace. The sync data namespace is used to carry interests and contents used to synchronize the dataset state using ChronoSync. The purpose of application data namespace is to have routable name prefixes, so that interests can be forwarded towards the relevant eNodeBs directly, as AHM behaves like a producer in each eNodeB. Figures 5 and 6 show an example of content name in the sync data namespace and in the application data namespace respectively. Figure 5 shows a content in the application data namespace. The first part of the application data name (indicated as 1) represents the routable prefix for particular eNodeB with its unique ID. Part (2) represents the name of a particular application to synchronized. It shows the name of the process which is responsible for handling that particular interests. The data generated by eNodeB is named sequentially, for example with the initial value of KANB ∗ computed by AHM has a sequence number zero. Whenever a new value of KANB ∗ is generated, this sequence number is incremented by one. So, the last part (3) is the sequence number of the latest KANB ∗.

An ICN-Based Authentication Protocol for a Simplified LTE Architecture

135

Fig. 6 Sync data name

Sync data namespace, depicted in Fig. 6, also consists of three parts. Part (1) is the prefix ensuring the broadcast namespace for the given domain created by AHM ascending index. In particular, such prefix will be shared among all the eNodeBs along propagating path of the user (index i.e., eNodeB1, eNodeB2, eNodeB3,…). This will allow a synchronization interest to reach all the relevant eNodeB. In the Part (2) similarly as application data names defines the name of application, which shows that particular interest are responsible for authentication request of specific user. The last part notifies the recent state digest of the interest sender, i.e., the digest of its current KANB ∗.

5 Evaluation In this section we compare the performance of UE authentication in our proposed LTE infrastructure for ICN with today’s LTE infrastructure. The performance comparison evaluates the delay occurred during authentication of a UE, and also re-authentication during handover comparing to handover authentication in LTE, particularly in the distributed handover.

5.1 Authentication Delay Evaluation In order to evaluate the authentication delay required in the two infrastructure we define the time taken by the method to complete the authentication process as the total authentication delay (Dauth ). Dauth can be further divided into three components: the delay of the EAP messages transmission (Dtrans ), the EAP messages treatment delay (Dtre ) considering data base access, key and tag generation, computation, encryption/decryption, and the propagation delay (Dprop ) [21]. Dtre is the delay occurred during EAP messages treatment/processing on each node, which depends on LTE servers and UE performance (e.g., CPU, memory). We assume that our proposed protocol and standard EAP-AKA use same key encryption with similar key sizes. Therefore we can say that treatment delay is identical in both protocols, and also considering performance of LTE servers, we assume transmission delay is insignificant. Thus total authentication delay depends upon the propagation delay Dprop [21]. Dprop can be divided in four sets: Dprop(U E−eNodeB) propagation delay between UE and eNodeB, Dprop(eNodeB−MME) propagation delay between eNodeB and MME, and

136

A. Compagno et al.

Table 1 Authentication delay comparison Authentication protocol EAP-AKA ICN(EAP-AKA)

Authentication delay ms 1244 1019

Dprop(MME−HSS) propagation delay between MME and HSS. The total authentication delay for EAP-AKA in the current LTE then can be expressed as [21, 22]: Dauth(EAP−AKA) = Dtre(EAP−AKA) + 5Dprop(U E−eNodeB) +5Dprop(eNodeB−MME) +2Dprop(MME−HSS).

(2)

From Fig. 2 and Eq. (2) we calculated that total number of messages exchanged between entities i.e. UE, eNodeB and MME (which are 5, 5 and 2 respectively) multiplies the propagation delay between them. Also, the total authentication delay of EAP-AKA in our ICN based architecture can be expressed as, Fig. 3: Dauth−ICN(EAP−AKA) = Dtre(EAP−AKA) + 4Dprop(U E−eNodeB) + 2Dprop(eNodeB−HSS).

(3)

From Eqs. (2) and (3), we note that our approach reduces the propagation delay between UE and eNodeB by one. This is because EAP-AKA over ICN requires one message less that the EAP-AKA protocol adopted in the current LTE. Another improvement in the authentication delay is due the removal of the MME in our approach. This, in turn, reduces the number of messages exchanged with the UE and entities in the EPC. In particular, our approach exchanged only two messages between the UE and the HSS, with a propagation delay that is indicated as 2Dprop(eNodeB−HSS) in the Eq. (3). Instead, the current LTE requires 5 messages exchanged from the UE and the MME, and 2 messages exchanged from MME and HSS. The propagation of those messages is indicated in Eq. (2) as 5Dprop(eNodeB−MME) and 2Dprop(MME−HSS) , respectively. Table 1 compares the authentication delay of the EAP-AKA in LTE and our EAPAKA over ICN. We assume that Dprop(eNodeB−HSS) ∼ = Dprop(eNodeB−MME) + Dprop(MME−HSS) which we consider to be a pessimistic assumption for our approach. We expect that an architecture without MME will not increase the propagation delay between the UE and the HSS, but in the best case it will reduce it. However, since we cannot evaluate such improvement, we compare the authentication delay under the worst case scenario for our mechanism. To evaluate the authentication delay we used the experimental values found in [21, 23]. In [21] the average value for complete EAP-AKA authentication delay is 1244 ms. In [23] authors approximated the propagation delay between eNodeB to MME is 75 ms. We used such value to calculate the average authentication delay in our protocol, which results 1019 ms.

An ICN-Based Authentication Protocol for a Simplified LTE Architecture

137

5.2 Handover Authentication Delay While calculating re-authentication delay using same Eq. (3), we found that it depends on the propagation delay between source to target eNodeBs. The handover scenario we have assumed during evaluation for LTE is the X2-based handover. In X2 handover, authentication material derived during full EAP-AKA is transferred by source eNodeB directly to target eNodeB exploiting the direct X2 link. This scenario, also named as horizontal handover is fair to compare with our proposed protocol, as we also proposed a network infrastructure without the MME. Therefore for LTE re-authentication delay during inter eNodeB/X2 handover can be calculated as the number of messages exchanged from source to target eNodeBs. Dhand−auth(EAP−AKA) = Dprop(SrceNodeB −TrgeNodeB ).

(4)

From the work in [24], we calculate the total number of messages between eNodeBs and therefore: (5) Dhand−auth(EAP−AKA) = 5Dprop(SrceNodeB −TrgeNodeB ). Also using same equation for calculating handover authentication in our proposed protocol Fig. 4, we found: Dhand−auth−ICN(EAP−AKA) = 3Dprop(SrceNodeB −TrgeNodeB ).

(6)

From Eqs. (5) and (6), we evaluated that our re-authentication protocol is requires two less messages propagated between eNodeBs than the handover in LTE. We expect that decreasing the number of messages will produce a lower handover authentication delay. To confirm it, we estimate the two handover authentication delays and we report our comparison in Table 2. To evaluate the two handover authentication delay, we estimated the propagation delay from source eNodeB to target eNodeB on X2 link. From [25], we calculated that the propagation delay is approximately 6.86 ms. Using Eqs. (5) and (6) we evaluate that our handover authentication protocol reduces the authentication delay by the value of approximately 13.72 ms.

Table 2 Handover authentication delay comparison Handover authentication protocol Authentication delay ms EAP-AKA ICN(EAP-AKA)

34.30 20.58

138

A. Compagno et al.

6 Security Discussion In this section we provide a security discussion about the two protocols that we propose: the authentication protocol and the handover protocol.

6.1 Authentication Protocol We argue that the security of our authentication protocol is comparable to the security provided by the authentication protocol in LTE. Both the authentication protocols exploit the standard EAP-AKA protocol without changing any of the steps described in the EAP-AKA specification. Therefore, all the security considerations made for EAP-AKA are still valid for our EAP-AKA over ICN [26].

6.2 Handover Protocol Our handover protocol is resilient to an external adversary (i.e., an adversary that does not own a valid IMSI for the HSS) with the goal of authenticating itself to an eNodeB. In order to achieve it goal, the adversary must be able to issue an interest with a valid MAC to the eNodeB. However, to be able to successfully generate the MAC for the interest the adversary must know, or obtain, a valid KANB ∗. Our handover authentication protocol make it unfeasible for an external adversary to obtain a valid KANB ∗. This due to the fact that KANB ∗ is never transmitted between UE and the target eNodeB, but rather calculated from KANB and RAND. Only RAND is transmitted between a UE and the target eNodeB, therefore as long as the key derivation function requires only KANB to be secret, the adversary has no way to derive KANB ∗. Unfortunately, the adversary might eavesdrop and replay RAND to another eNodeB and authenticate to it as a genuine UE. While this attach will not let the adversary to communicate through the network (it will not be able to generate the correct integrity and ciphering keys, which are derived from KANB ), it can temporarily waste some state in the eNodeB. In fact, every time an eNodeB authenticate and UE (genuine or not), it must reserve the necessary state to handle a communication with it (e.g., the integrity and ciphering key). To protect the network from such replay attack, we propose to adopt a physical-layer authentication. Physical-layer authentication uses the subtle features of the physical-layer signal to provide a secure device authentication between two trusted nodes in the presence of an adversary/eavesdropper with unlimited computational power [27, 28]. We exploit the RF finger printing technique [29] to provide physical layer authentication in our handover authentication protocol. The RF finger print mainly depends on the differences of each trusted transmitter components, power supplies and environmental factors, which are extracted from RF signal. From [28] different equipment/nodes

An ICN-Based Authentication Protocol for a Simplified LTE Architecture

139

(UEs) can be identified by measuring the specific value extracted from their unique RF fingerprints denoted as |A(t)|. In our handover authentication protocol we use |A(t)| as an entity replacing RAND to provide physical-layer authentication. So in Eq. (7), KANB ∗ is the key derivation function of key for source eNodeB and RF finger print of the UE authenticated initially to mitigate the presence of eavesdropper. However, the functioning of AHM for predicting the relevant eNodeBs and ChronoSync protocol to synchronize the dataset among multiple ICN entities will follow the same as described above. (7) KANB ∗ = KDF(KANB , |A(t)|).

7 Conclusion In this work we propose a revised LTE infrastructure that exploits the ICN communication paradigm to manage UE authentication and transporting the UE security context from the old eNodeB to the new one. We design a new handover mechanisms that does not require any central entity, e.g., the MME, to distribute the cryptographic material to the new eNodeB. Our approach reduces the complexity of the LTE infrastructure thus making it simpler, easier to manage and more cost-effective for network providers. We believe that this is a valid reason that would lead network provides for deploying ICN in their cellular infrastructure. Acknowledgements Mauro Conti is supported by a Marie Curie Fellowship funded by the European Commission (agreement PCIG11-GA-2012-321980). This work is also partially supported by the EU TagItSmart! Project (agreement H2020-ICT30-2015-688061), the EU-India REACH Project (agreement ICI+/2014/342-896), and by the projects “Physical-Layer Security for Wireless Communication”, and “Content Centric Networking: Security and Privacy Issues” funded by the University of Padua. This work is partially supported by the grant n. 2017-166478 (3696) from Cisco University Research Program Fund and Silicon Valley Community Foundation. This work is also partially funded by the project CNR-MOST/Taiwan 2016-17 “Verifiable Data Structure Streaming”.

References 1. Perkins CE (1997) Mobile ip. IEEE Commun Mag 35(5):84–99 2. Valkó AG (1999) Cellular ip: a new approach to internet host mobility. ACM SIGCOMM CCR 29(1):50–65 3. Das S et al (2000) Telemip: telecommunications-enhanced mobile ip architecture for fast intradomain mobility. IEEE Pers Commun 7(4):50–58 4. Ravindran R et al (2012) Supporting seamless mobility in named data networking. In: IEEE international conference on communications, pp 5854–5869 5. Augé J et al (2015) Anchor-less producer mobility in icn. In ACM Proceedings of the 2nd international conference on information-centric networking, pp 189–190

140

A. Compagno et al.

6. Zhang Y, Zhang H, Zhang L (2014) Kite: a mobility support scheme for ndn. In: ACM conference on information-centric networking. ACM, pp 179–180 7. Zhu Z et al (2013) Let’s chronosync: decentralized dataset state synchronization in named data networking. In: IEEE international conference on network protocols, pp 1–10 8. Zhang L et al (2014) Named data networking. ACM SIGCOMM CCR 44(3):66–73 9. Jacobson V et al (2009) Networking named content. In: ACM international conference on emerging networking experiments and technologies, pp 1–12 10. 3gpp consortium. http://www.3gpp.org/ 11. Purkhiabani M et al (2011) Enhanced authentication and key agreement procedure of next generation evolved mobile networks. In: IEEE international conference on communication software and networks, pp 557–563 12. Alezabi KA et al (2014) An efficient authentication and key agreement protocol for 4g (lte) networks. In: IEEE region 10 symposium, pp 502–507 13. Cao J, Ma M, Li H, Zhang Y, Luo Z (2014) A survey on security aspects for lte and lte-a networks. IEEE COMST 16:283–302 14. Kien GM (2011) Mutual entity authentication for lte. In: International wireless communications and mobile computing conference, pp 689–694 15. Compagno A et al (2016) OnboardICNg: a secure protocol for on-boarding IoT devices in ICN. In: ACM conference on information-centric networking, pp 166–175 16. Zeng K et al (2010) Non-cryptographic authentication and identification in wireless networks [security and privacy in emerging wireless networks]. IEEE Wirel Commun 17:56–62 17. Hyeyeon K et al (2008) Handover prediction strategy for 3g-wlan overlay networks. In: IEEE network operations and management, pp 819–822 18. General Packet Radio Services (GPRS) Service description stage. 3GPP TS 33.060 19. Pollini GP (1996) Trends in handover design. IEEE Commun Mag 34:82–90 20. Chan J et al (1999) A practical user mobility prediction algorithm for supporting adaptive qos in wireless networks. In: IEEE international conference on networks, pp 104–111 21. Idrissi YEHE et al (2012) Security analysis of 3gpp (lte)—wlan interworking and a new local authentication method based on eap-aka. In: International conference on future generation communication technologies, pp 137–142 22. Al Shidhani A et al (2008) Reducing re-authentication delays during umts-wlan vertical handovers. In: IEEE international symposium on personal, indoor and mobile radio communications, pp 1–5 23. Al Shidhani A, Leung VCM (2007) Local fast re-authentication protocol for 3g-wlan interworking architecture. In: 2007 wireless telecommunications symposium, pp 1–8 24. Md Mehedi Masud (2015) Survey of security features in lte handover technology. System 1:2 25. Xiao Z, Perros H (2015) Response time of the s1 and x2 handover procedures between (h)enbs in a virtualized environment 26. Arkko J, Lehtovirta V, Eronen P (2009) Improved extensible authentication protocol method for 3rd generation authentication and key agreement (eap-aka’) 27. Yener A, Ulukus S (2015) Wireless physical-layer security: lessons learned from information theory. Proc IEEE 103(10):1814–1825 28. Ming Y (2013) Analysis of physical-layer security in future mobile communication. In: Proceedings 2013 international conference on mechatronic sciences, electric engineering and computer (MEC), pp 3144–3147 29. Ureten O, Serinken N (2007) Wireless security through rf fingerprinting. Can J Electr Comput Eng 32(1):27–33

Author Index

B Baesso, Marco, 79 Bunin, Alexander, 33

C Capuozzo, Pasquale, 79 Cho, Joo Yeon, 109 Chorti, Arsenia, 1 Compagno, Alberto, 125 Conti, Mauro, 79, 125 Cuff, Paul, 33

D Dean, Thomas, 65

E Engelmann, Sabrina, 15

L Lin, Fuchun, 49

M Monaro, Merylin, 79

N Neri, Alessandro, 97

P Permuter, Haim H., 33 Pfennig, Stefan, 15 Piantanida, Pablo, 33

R Rafique, Danish, 109 Rosenthal, Joachim, 97

F Franz, Elke, 15

G Gamberini, Luciano, 79 Goldfeld, Ziv, 33 Goldsmith, Andrea, 65 Griesser, Helmut, 109

S Safavi-Naini, Reihaneh, 49 Sartori, Giuseppe, 79 Schipani, Davide, 97 Shamai, Shlomo, 33 Sharifian, Setareh, 49 Spolaor, Riccardo, 79

K Khan, Muhammad Hassan, 125

W Wolf, Anne, 15

© Springer International Publishing AG 2018 M. Baldi et al. (eds.), Proceedings of the 2nd Workshop on Communication Security, Lecture Notes in Electrical Engineering 447, DOI 10.1007/978-3-319-59265-7

141