Perfect Secrecy in Wireless Networks

1
Perfect Secrecy in Wireless Networks

• Phillip G. Bradford
• Olga V. Gavrylyako
• Randy K. Smith
• The University of Alabama

2
Outline

• Claude Shannons 1949 paper
• Communication theory of secrecy systems
• Unconditional, Computational and Perfect Secrecy
• Perfect Secrecy
• Definition Motivation
• Examples
• Generalizing Perfect Secrecy
• New Definition
• More extensive applications

3
Shannons 1949 Security Paper

• Perhaps the start of modern Computer Security
• Unconditional Security
• Computational Security
• Perfect Security (Secrecy)
• PrA e PrA and e/Pre
• Independence of A and e
• PrA e PrA

4
The Model
A
A
A
A
5
Classical Perfect Secrecy

• Knowing the ciphertext gives no information about
  the plaintext
• ProbPp Cc ProbPp
• What does this mean?
• A cipher so good it gives no evidence of the
  plaintext
• If not perfect, then what?
• Communication issues What about many ciphertexts
  from related keys?

6
Shannons Theorem forPrefect Secrecy

• Assume K P C.
• Each bijection between P and C is chosen by a key
  in K.
• A Cipher has perfect secrecy iff its keys are
  uniformly chosen
• More precisely, let c Ekp
• ProbPp Cc ProbPp iff PrK k 1/K
• How does Shannon prove this?

7
Bayes Theorem Shannons Proof

• Bayes Theorem If Pry gt 0, Then
• Prxy (PryxPrx)/Pry
• One Dir. Assume Perfect Secrecy
• PrPpCc (PrCcPpPrPp)/PrCc
• P-Secrecy PrPpCc PrPp
• PrPp (PrCcPpPrPp)/PrCc
• PrCc PrCcPp PrKk 1/K

8
The Wireless Model
9
Wireless Perfect Secrecy

• Knowing the ciphertexts gives no information
  about the plaintext
• For i?1 to k
• Pr AND Pipi AND Cici ProbAND Pipi
• Pr OR Pipi AND Cici ProbOR Pipi
• What does this mean?
• Cipher so good it gives no evidence of the
  plaintexts

10
Wireless Perfect Secrecy

• Shannons perfect secrecy is about ciphertext
  only attacks
• What does wireless add?
• The possibility of chosen-plaintext attacks
• In wireless sensor devices
• Supply the venue for chosen-plaintext insertion
• Then Observe the ciphertext(s)

11
Wireless Perfect Secrecy

• What else is needed?
• The ciphertexts must be independent of each other
• If an adversary can listen to t wireless devices,
  then we need t-wise independence for the keys ?
  independence of the ciphertexts
• A set of random variables X1,,Xn is t-wise
  independent iff PrXi1,...,Xit PrXi1PrXit
  for all i1,,it subset of 1,2,,n

12
Wireless Perfect Secrecy

• Is t-wise independence cheap?
• Linear-congurential pseudo-random number
  generators 2-wise independent
• Generating t-wise independent random variables
  for large t is expensive!
• Need t uniform independent values!
• Evaluating t-1 degree polynomial for each value
• Solid lower bounds on size of sample-space for
  t-wise independent set of random variables

13
Our Generalized Theorems

• Assume K P C.
• t-perfect security i?1 to t
• Pr AND Pipi AND Cici ProbAND Pipi
• Each key uniquely chooses a bijection between P
  and C.
• A wireless network of n nodes is t-perfectly
  secure iff its key space is t-wise independent
  and the keys are selected randomly and uniformly

14
Our Generalized Theorem

• In a wireless network of n nodes and for i?1 to
  t
• Pr AND Pipi AND Cici ProbAND Pipi
• iff
• the set of keys K is t-wise independent
• PrKi1ki1,...,Kitkit PrKi1ki1PrKitkit
  1/Kt

15
Our Theorems Proof

• Not a straightforward generalization
• Use measure-theoretic definitions of random
  variables to model the encryption functions
• The ? direction is based on Bayes Theorem and
  careful tracking of the bjiections between P and
  C.
• The ? direction is based on t-wise independence
  transitivity by composition of
  measure-theoretic random variables.

16
Other Ramifications of Our Generalization

• Incorporating Noise
• Hammings theory
• Uniform independent bit failures
• Random collision detection
• Actual attacks based on similar (non-independent)
  seed generation?
• Building more secure systems and seeding keys