物理层安全剑桥大学英文.pptx

《物理层安全剑桥大学英文.pptx》由会员分享，可在线阅读，更多相关《物理层安全剑桥大学英文.pptx（44页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、1.IntroductionThe main ways of key sharing:a)Transmission the keys over secure (encrypted)channels or a delivering them by special messengers;b)Using public key concept;c)Key sharing based on a presence of any noisy channel if adversary is passive,(wire-tap channel type I and II)1,2,3d)Key sharing b

2、ased on a presence of active adversary if its channel is less noisy than channel of legal users.4,5e)Key sharing using quantum channels.6f)Key sharing based on a concept of anonymous channel.g)Key sharing based on a concept of broadcasting channel.h)Key sharing based on ESPAR-like radiator over mult

3、ipath channels.7,81第1页/共45页Because method a)is trivial and b)is well known,we consider briefly methods c)g)and method h)in more details as a subject of our presentation.c)Source model with a passive eavesdropping.Aplication Key distribution via a satellite.Fact(Maurer 3)2第2页/共45页4Privacy amplificati

4、on(Bennett,Brassard,Crepeau,Maurer 9,10)The feature of keyless cryptography is:(i )Share the secret key by legal parties using this concept(ii)Use key-cryptography after receiving this key by legal parties(including perfect cipher)To share secret key,A and B perform the following steps1.A sends to B

5、 a truly random string x over public noisy channel.2.A sends to B the check symbols to x chosen in line with some error correcting code V3.A sends to B a truly random hash function h taken from universal class,which mapsa string x of length n to string K of length k.4.B corrects errors in the string

6、 x using check symbols transmitted by A.5.Both A and B produce the key string as K=h(x).Then the amount of information leaking over the wire-tap channel to eavesdropperE has the following upper bound 9,11 where n is the length of x,k-is the length of the key K,r-is the number of check symbols,t-is t

7、he amount of collision(Renyi)information leaking over the wire-tap channel to eavesdropper E.for BSC-wire-tap channel with BER=第3页/共45页5Wire-tap channel type 2.(Wyner 2)An eavesdropper can observe a subset of his(her)choice of size t n,where n is the block lengthMain applications-quantum cryptograph

8、y(see in the sequel),optical fiber multiplexing,computer network containing eavesdroppers in some nodesRegular coding(noiseless main channel)The key shared by A and B is the following:where H is the check matrix of some binary(n,n-k)code V,x is a binary string of length n radomly chosen by A and tra

9、nsmitted over the main public channel from A to B.Then the amount of information leaking over the wire-tap channel type 2 to easvesdropper is zero(no easvesdropping at all!)providing the following inequality is true where is the minimum code distance of the code which is dual of code V.第4页/共45页6Exam

10、ple.V is(15,11)Hamming code.Then we have no easvesdropping about the key of length 4 if This concep can be exteded to noisy main channel(Korjik,Kushnir 12).Privacy amplification 9If A and B follow to the protocol described in the case type 1 in order to produce secret key,the amount of information l

11、eaking to eavesdropper has the following upper bound where n is the length of x,K is the length of the key,P is the number of check symbols,t is the maximum number of bits that cavesdropper can obseved of each block.第5页/共45页7d)A cryptographic scenario for source model(active illegal users)SatelliteA

12、liceBobEveSY()X()Z()B BAEe ee ee e1.-Initialization phase(S (X,Y,Z)over BSC-s with BER-s:eeeA B E,respectively)第6页/共45页8e =e +e (e )=e +e (e )2.-Authentication phase:(M,a),where M-a string consisting of k information bits,a-authenticatora=f(M,X),where f(,)is a public function.Intruders activity(Upon

13、 receiving the pair(M,a)and knowing theauthentication algorithm,to form a pair(M,a),where M=M-substitution attack)P -To be cheating by intruder(the pair(M,a)is accepted by Bobas the original one)P -To be rejection the original message by Bob when an intruder hasnot intervented into transmission at a

14、ll.(The length of the string ,a as well as the length of the string X(Y)arevery important parameters.)BER-s between corresponding bits of X and Y,X and Z,Y and Z are,respectively:ChRe =e +e (e )=e +e (e )AB A B A B A B1-21-2AE A E A E A E1-21-2e =e +e (e )=e +e (e )BE B E B E B E1-21-2第7页/共45页9e e e

15、 e A E AB B E(It is easy to show that this inequality results in impossibility for Bob toauthenticate message sent by Alice)b)(It offers a positive solution for the authentication problem)a)A E AB B Ee e e e k nMMM k122uuu122Code words of somebinary block code oflength n.The value 1 in the i-th posi

16、tion of some code word indicates that i-th bit of the string X should be taken as a bit of the autheticator corresponding tothe message compared with this code word.i-th positionk第8页/共45页10MMvvaaZBob accepts the message as original if and only if the fraction of bits in the received authenticator th

17、at agree with the corresponding bits of his string Yis not much smaller than 1-(In non-asymptotic case some fixed thresholdl should be chosen).The best substitution attackABeXXKeep the authenticators bits as they were in a ,Put bits of Z-stringorThe positions of the authenticator can beremoved0第9页/共

18、45页11vvxxx=011 0 0101v=11110111The probability of substituting the message Mfor M without detecting this fact by Bob is determind by 0 1 distance between the code words and .(This distance property differsfrom the ordinary Hamming distance)vvDefinition 1.Definition 2.Constant weight authentication c

19、ode:vl if=/,第10页/共45页12ifdl010(,the upper limit in the first sum in()should be changed to A simple construction of constant weigth codes (due to Maurer-Wolf 4)Take some linear binary (n,K,d)code and replace every bit in its code wordsby pair of bits following the rule:001110 第11页/共45页13It has been p

20、roved in 13第12页/共45页It gives the authentication code with parameters:ddlnXYnkk012=,/,Example 1.BCH (1023,208,231)code.Let:eeABBE=,andthenOptimization procedure.Given the parameters minimize the length l of the authenticator over all (n,K,d)linear codes.130,01770,2第13页/共45页15Relative date rate(R=k/(w

21、+k)as a function of information block length k for different BE and fixed parametrs AB=0.01 ,PRe10-4,PCh10-4 Rk1.BE=0.452.BE=0.403.BE=0.354.BE=0.305.BE=0.256.BE=0.207.BE=0.158.BE=0.109.BE=0.05123456789第14页/共45页16Relative date rate(R=k/(w+k)as a function of information block length k for different BE

22、 and fixed parametrs AB=0.03 ,PRe10-4,PCh10-4Rk234567891.BE=0.452.BE=0.403.BE=0.354.BE=0.305.BE=0.256.BE=0.207.BE=0.158.BE=0.109.BE=0.051第15页/共45页17Basic quantum key distribution protocol.1.A sends a random sequence of photons polarized horizontal(),vertical(),right-circular(),and left-circular().2.

23、B measures the photons polarization in a random sequence of bases,rectlinear(+)and circular(o).3.Results of Bs measurments(some photons may not be recived at all).4.B tells A whicj bases be used for each photons he recived.5.A tells him which bases were correct.6.A and B keep only the data from thes

24、e correctly-measured photons,discarding all the rest.7.This data is interpreted as binary sequence according to the coding scheme:e)Quantum cryptography第16页/共45页18f)Anonymous ChannelEavesdropper learns all bits transmitted between legitimate users A and B but does not know who(A or B)is an“author of

25、 any bit.Application.Key agreement protocol第17页/共45页SatelliteABEFig.1.The case g.g)Key sharing based on a concept of broadcasting channel.18第18页/共45页h)Key sharing based on ESPAR-like radiators over multipath channels(general theory)2.1 Real word justification 7Legal user A transmits a series of pack

26、ets each with a different beam pattern generated by electronically steerable parasitic array radiator(ESPAR)The packets are received by legal user B,which builds up a sequence of received signal strength indicator(RSSI).After that B transmits packets back to A,where A builds up a sequence of RSSI da

27、ta.Thanks to the reciprocity theorem of radio wave propagation between uplink and downlink,the sequence in A and B should be identical except for the random noise.Fig.2.Key sharing procedure19第19页/共45页Security of such key sharing is based on an assumption that the space locations of the eavesdropper

28、 and legal users are different.This results in a much greater disagreements key bits between legal users and eavesdropper.Raw disagreement bit distribution taken from 7 is shown in Fig.3.Sketch of experimental room is presented in Fig.4.Fig.3.Raw disagreement bit distributionFig.4.Sketch of experime

29、ntal room20第20页/共45页2.2.Our contribution.We present general theory based on some model in order to prove security of the key sharing system with the use of privacy amplification.We propose space diversity technique for increasing of security because our simulation of ESPAR-like system showed that th

30、e use of single omnidirectional antenna is not sufficiently for high security level.In order to present a disagreement in key bits of legal users we propose to use both“threshold-based”and“code-based”methods.It is interesting to note that there exist here two“seeming paradoxes”:-we do not need in a

31、presence of noise at eavesdroppers point to provide security,-large eavesdroppers probability of bit error can be provided even so if mutual correlation between legal and illegal RSSI is rather significant.21第21页/共45页2.3.Model of key sharing setting(without additive noise).Here are the key j-th bits

32、 of legal users and eavesdropper,respectively,are quadrature components of j-th RSSI of legal users and eavesdropper,respectively the attenuations on the i-th beam of legal user and eavesdropper,respectively,the number of beams(pathes of wave propagations)the radiation coefficients of the ESPAR-like

33、 system on the i-th beam in the j-th packet for legal user and eavesdropper,respectively.otherwiseotherwisewherecorrelation matrices which are givenon index22第22页/共45页Assumption:and model(1),(2)are public.Particular case:(if an eavesdropper is located near the legal user)Correlation coefficient(gene

34、ral case):Particular case:where If ,then we get by(4)that (nothing security)If ,then in general.In a particular case when ,then if N.B.(“Paradox”1)23第23页/共45页More strong model(for KDP designer)Eavesdropper is able to separate beams;e.q.he(or she)has:Then this means that for a particular case()an eav

35、esdropper is able to find and hence to calculate the legal key bits exactly.This is not the case generally if Let us prove the key bit error probability for eavesdropper given the correlation coefficient and varianceThen we have after simple transforms(see Appendix 1):24第24页/共45页It follows from(5):(

36、i)does not depend on but only on (ii)If ,then ;if ,then (in line with our intuition)The graph of versus is plotted in Fig.5.We can conclude that it is sufficiently to provide .(This is seeming“Paradox”2).See Section 3 for detail.Fig.5.Dependence versus 25第25页/共45页2.4.Two beam model.ESPARAEB(pathes 1

37、)Fig.6.Two beam model of KDPGeneral model:(we drop index“j”for notation simplicity)Particular case:E is located very close to B.New setting with a separation of beams by eavesdropper.given pathes 226第26页/共45页If E(as in Fig.6 )is between A and B,then ,that is reasonable.Particular cases:If r=1,then t

38、hat is reasonable;If r=0,then ;If ,then .27where第27页/共45页2.5.Simulation results of two beam model with ESPAR-like system:1.Using a random exciting of ESPAR-like system*elements results in a random beam-forming antenna diagram.(The number of radiation patterns can be provided as untractable by approp

39、riated choice of the number ESPAR-like system elements“m”and the number of the bias voltage bits“”:)2.Radiation pattern amplitude can be approximated by Gaussion distribution with variable expectation and variance.3.Radiation pattern amplitudes of ESRR with 6 radiators are uncorrelated for angle int

40、erval more than 1-4 degree.The last point gives a chance to justify a general model in contrast to particular model(see slide 6).28*In our experiment we do not use ESPAR but electronically steerable ring radiator(ESRR)with 6 radiators equaly located on the circle of the radius 6 cm.We believe that E

41、SRR gives more narrow beams than ESPAR第28页/共45页Let us consider two beam model(see slide(27)If ESRR system generates signal ,then using two beam wave propagation scheme we get:where -is the attenuation of the signal s(t)over the path 1 from A to B(see Fig.6)-is the attenuation of the signal s(t)over

42、the path 2 from A to B,-is the attenuation of the signal s(t)over the path 1 from A to E,-is the attenuation of the signal s(t)over the path 2 from A to E.We let for simplicity that 29第29页/共45页 Substituting(9)into(8)and using the relation(3),where the matrices are determined by ESRR system simulatio

43、n results(depending on the users location),we can calculate the correlation coefficients as a function of interval between locations of legal user B and eavesdropper E.(The results are presented on Appendix 2)From these results we can do the following important conclusions:1.Correlation coefficients

44、 are changing by periodical manner depending on in the full interval(0,)with the frequency propertional to (the radiated wave length).2.It is can not be taken for granted that there exists some interval between legal user B and eavesdropper E outside of which correlation is less than some threshold,

45、that could provide in turn a large probability of bit key error for E.(See slide 26).We can say only about a probability of such event.These results somewhat contradict to a very optimistic conclusion presented in 7.30第30页/共45页 In order to find a way out from this situation we propose to use antenna

46、 diversity.Then legal user B has m omnidirectional antennas which are randomly located in some area around of his presence.(The radius can be chosen of order ,where is the length of radio wave used for communication)The protocol of key sharing has to be slight changed:The user B selects randomly one

47、 of m antennas and use it for a receiving and transmiting a series of packets.We can claim that if the probability of a random event is that the key bit error probability for E is at least for each antenna,then the probability that after“m”consequtive chosen antennas we get in all cases the probabil

48、ity less than ,is less than .(See Table 1.)31第31页/共45页The probability(in percentages)of the occurrence thatfor all points of eavesdropper presence at line between A and B dNumber of receiving antennas Number of receiving antennas123123h1=3m h2=3mh1=4m h2=2m/27.8/3.46/2.54.2/1.79/4.78.9/4.77.8/4.14.9

49、/22.4/18.5/4.58.5/4.52 3/0.91.5/0.58/4.48/4.44 1.4/00.5/06.3/2.46.3/2.4Apathes 1,2l1=25 metersE(Path 1)(Path 2)B1Ant 3Ant2Antddh2h1Table 1.第32页/共45页2.6.Privacy Amplification Theorem for local binomical channel.12mwhere is the total number of bits,n is the length of single substring,m is the number o

50、f substrings equal to the number of antennas,If legal channel is noisy with the error bit probability ,then in order to correct errors we have to send over noiseless channel check bits,where .Then the inequality(10)has to be transformed to the following:33第33页/共45页We can optimize the parameters n an