PAUL CUFF
ELECTRICAL ENGINEERING
PRINCETON UNIVERSITY
Using Secret Key to Foil an Eavesdropper
Main Idea
Secrecy for distributed systems
Historic Cryptography Results
New Metric for Secrecy
[Diagram: Distributed System, with labels Node A, Node B, Message, Information, Action, Adversary, Attack]
Cipher
Plaintext: Source of information
Example: English text: Allerton Conference
Ciphertext: Encrypted sequence
Example: Nonsense text: cu@sp4isit
[Diagram with labels Encipherer, Decipherer, Ciphertext, Key, Plaintext]
Example: Substitution Cipher
Alphabet A B C D E …
Mixed Alphabet F Q S A R …
Simple Substitution
Example:
Plaintext: …RANDOMLY GENERATE A CODEB…
Ciphertext: …DFLAUIPV WRLRDFNR F SXARQ…
Caesar Cipher
Alphabet A B C D E …
Mixed Alphabet D E F G H …
Shannon Model
Schematic
[Diagram with labels Encipherer, Decipherer, Ciphertext, Key, Plaintext, Adversary]
Assumption: Enemy knows everything about the system except the key
Requirement: The decipherer accurately reconstructs the information
C. Shannon, "Communication Theory of Secrecy Systems," Bell System Technical Journal, vol. 28, pp. 656-715, Oct. 1949.
For simple substitution:
Shannon Analysis
Perfect Secrecy
Adversary learns nothing about the information
Only possible if the key is larger than the information
Shannon Analysis
Equivocation vs Redundancy
Equivocation is conditional entropy:
Redundancy is lack of entropy of the source:
Equivocation reduces with redundancy:
Computational Secrecy
Some imperfect secrecy is difficult to crack
Public Key Encryption
Trapdoor Functions
Difficulty not proven
Often “cat and mouse” game
Vulnerable to quantum computer attack
W. Diffie and M. Hellman, “New Directions in Cryptography,” IEEE Trans. on Info. Theory, 22(6), pp. 644-654, 1976.
1125897758834689 = 524287 × 2147483647
Information Theoretic Secrecy
Achieve secrecy from randomness (key or channel), not from computational limit of adversary.
Physical layer secrecy
Wyner’s Wiretap Channel [Wyner 1975]
Partial Secrecy
Typically measured by “equivocation:”
Other approaches:
Error exponent for guessing eavesdropper [Merhav 2003]
Cost inflicted by adversary [this talk]
Competitive Distributed System
[Diagram with labels Node A, Node B, Message, Key, Information, Action, Adversary, Attack]
Encoder:
System payoff: .
Decoder:
Adversary:
Zero-Sum Game
Value obtained by system:
Objective
Maximize payoff
[Diagram with labels Node A, Node B, Message, Key, Information, Action, Adversary, Attack]
Payoff-Rate Function
Maximum achievable average payoff
Markov relationship:
Theorem:
Encoding Scheme
Coordination Strategies [Cuff-Permuter-Cover 10]
Empirical coordination for U
Strong coordination for Y
K
Theorem:
[Cuff 10]
Lossless Case
Require Y=X
Assume a payoff function
Related to Yamamoto’s work [97]
Very different result
Also required:
Binary-Hamming Case
Binary Source:
Hamming Distortion
Naïve approach
Random hashing or time-sharing
Optimal approach
Reveal excess 0’s or 1’s to condition the hidden bits
Source: 0 1 0 0 1 0 0 0 0 1
Public message: * * 0 0 * * 0 * 0 *
[Plot; legend: (black line), (orange line)]
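Added example (not part of the original slides): a Python sketch of the "reveal excess 0's or 1's" idea on the 10-bit block above, with a brute-force check of what the public message tells the adversary about each hidden bit. The uniform random choice of which majority bits to reveal, the i.i.d. Bernoulli source model and all function names are assumptions made here.

```python
from itertools import product
from math import comb
import random

# Constructed from the slide's 10-bit illustration.
SOURCE = [0, 1, 0, 0, 1, 0, 0, 0, 0, 1]
SLIDE_PUBLIC = ["*", "*", 0, 0, "*", "*", 0, "*", 0, "*"]

def split(source):
    """Return (positions of the majority bit, size of the excess)."""
    zeros = [i for i, b in enumerate(source) if b == 0]
    ones = [i for i, b in enumerate(source) if b == 1]
    major = zeros if len(zeros) >= len(ones) else ones
    return major, abs(len(zeros) - len(ones))

def public_message(source, rng):
    """Reveal the excess majority bits; every other position becomes '*'."""
    major, excess = split(source)
    # Assumption: the revealed positions are drawn uniformly at random.
    revealed = set(rng.sample(major, excess))
    return [b if i in revealed else "*" for i, b in enumerate(source)]

def likelihood(public, source):
    """P(public | source) under the uniform choice assumed above."""
    major, excess = split(source)
    shown = [i for i, p in enumerate(public) if p != "*"]
    if len(shown) != excess or any(i not in major or public[i] != source[i] for i in shown):
        return 0.0
    return 1.0 / comb(len(major), excess)

def adversary_posterior(public, p_one):
    """P(bit = 1 | public) per hidden position, i.i.d. Bernoulli(p_one) source."""
    hidden = [i for i, p in enumerate(public) if p == "*"]
    total, mass = 0.0, dict.fromkeys(hidden, 0.0)
    for bits in product((0, 1), repeat=len(hidden)):  # brute force over hidden bits
        x = list(public)
        for i, b in zip(hidden, bits):
            x[i] = b
        ones = sum(x)
        w = p_one**ones * (1 - p_one)**(len(x) - ones) * likelihood(public, x)
        total += w
        for i, b in zip(hidden, bits):
            mass[i] += w * b
    return {i: mass[i] / total for i in hidden}

if __name__ == "__main__":
    print(public_message(SOURCE, random.Random(0)))
    print(adversary_posterior(SLIDE_PUBLIC, p_one=0.3))
```

Under these assumptions the hidden positions always hold equally many 0's and 1's, so even for a biased source (p_one = 0.3 here) the adversary's posterior on each hidden bit is 1/2.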
What the Adversary doesn’t know can hurt him.
[Yamamoto 97]
Knowledge of Adversary:
[Yamamoto 88]:
No Causal Information (Prior Work)
[Theorem 3, Yamamoto 97]
Theorem:
Choose yields
Summary
Framework for Encryption
Average cost inflicted by adversary
Dynamic settings where information is available causally
No use of “equivocation”
Optimal performance uses both “strong” and “empirical” coordination.