An InformationTheoretic Analysis of the Security of Communication Systems Employing the EncodingEncryption Paradigm
Abstract
This paper proposes a generic approach for providing enhanced security to communication systems which encode their data for reliability before encrypting it through a stream cipher for security. We call this counterintuitive technique the encodingencryption paradigm, and use as motivating example the standard for mobile telephony GSM. The enhanced security is based on a dedicated homophonic or wiretap channel coding that introduces pure randomness, combined with the randomness of the noise occurring over the communication channel. Security evaluation regarding recovery of the secret key employed in the keystream generator is done through an information theoretical approach.
We show that with the aid of a dedicated wiretap encoder, the
amount of uncertainty that the adversary must face about the
secret key given all the information he could gather during
different passive or active attacks he can mount, is a decreasing
function of the sample available for cryptanalysis. This means
that the wiretap encoder can indeed provide an information
theoretical security level over a period of time, but after a
large enough sample is collected the function tends to zero,
entering a regime in which a computational security analysis is
needed for estimation of the resistance against the secret key
recovery.
Keywords: errorcorrection coding, security evaluation,
stream ciphers, randomness, wireless communications, homophonic
coding, wiretap channel coding.
1 Introduction
Most communication systems take into account not only the reliability but also the security of the data they transmit. This is particularly true in wireless environment, where the data is inherently more sensible to security threats. Consequently, the design of such systems need to include both coding schemes for providing errorcorrection and ciphering algorithms for encryptiondecryption. It is common practice to first encrypt the data to ensure its safety, and then to encode it for reliability. In this paper, we consider the reverse scenario, namely systems which first encode the data, and then encrypt it, which we call the encodingencryption paradigm.
Though counterintuitive at first, there are actually many real life applications where the encoding encryption paradigm is used. A famous illustrative example is the most widespread standard for mobile telephony GSM, standing for “Global System for Mobile Communications” (see [2] and [1], for the coding, respectively security details). In the GSM protocol, the data is first encoded using an errorcorrection code so as to withstand reception errors, which considerably increases the size of the message to be transmitted. The encoded data is then encrypted to provide privacy (secrecy of the communications) for the users.
It is interesting to mention that block ciphers are not suitable in the context of the encodingencryption paradigm, since the receiver needs to first decrypt the data despite the noise, before performing the decoding. This leads to use of stream ciphers and thus when we refer to the security of systems using the encodingencryption paradigm, we implicitly mean the security of the keystream generator and the users’ secret key.
From a security perspective, there are of course pros and cons to the encodingencryption paradigm. Since it implies encryption of redundant data (introduced by errorcorrection), it could be an origin for mounting attacks against the employed keystream generator. Undesirability of redundant data from a cryptographic security point of view has indeed been already pointed out in the seminal work by Shannon [18], where cryptography as a scientific topic has been established. On the other hand, the encodingencryption paradigm has the advantage to offer protection in the case of a known plaintext attacking scenario, since an adversary can only learn a noisy version of the keystream, which makes the cryptanalyis of the employed keystream generator more complex.
Security evaluation can be performed under two attacking scenarios, depending on whether one considers an active or passive adversary.
A passive adversary’s ability is limited to monitoring (and recording) communications between the legitimate parties, so as to use the recorded data as input for mounting a known plaintext attack against the considered system.
Stronger attacks come from active adversaries, which can possibly include many attacking settings. In this paper, we consider active attacks motivated by the class of socalled Hopper and Blum (HB) authentication protocols [8],[9], [10],[6],[5]. Following the original work by [8], HB authentication protocols are challengeresponse based, where the response could be considered as the encoded and encrypted version of the challenge, which is deliberately degraded by random noise. A simple active attack on the improved HB authentication protocol [10] was provided in [4], where it is assumed that an adversary can manipulate challenges sent during the authentication exchange, and thus learn whether such manipulations give an authentication failure. The attack consists of choosing a constant vector and using it to perturb the challenges by computing the XOR of the selected vector with each authentication challenge vector, and that for each of the authentication rounds. To summarize, the active attacker has the following abilities: (i) he can modify the data in the communication channel between the legitimate parties; and (ii) he can can learn the effect of the performed modification at the receiving side. This is the model that will be adopted in this work.
To evaluate the security of systems using the encodingencryption paradigm under threats of both passive and active adversaries as described above, both computational and information theoretical analyses are valid. In this paper, we focus on the latter. We propose a security enhanced approach which employs a dedicated coding, following the frameworks of homophonic [11, 12, 17] and wiretap channel coding [20, 19]. The improved security is a consequence of combining the pure randomness introduced by the wiretap coding and the random noise which is inherent in the communication channel.
We measure the security increase with respect to the secret key in terms of its equivocation, that is the amount of uncertainty that the adversary has on the key, given all the information he can collect. A preliminary study of the security enhancement has been provided in [16] in the case of a passive adversary. The enhancement is based on the constructions reported in [14, 15], and also motivated by the fact that in the computational complexity evaluation scenarios, this approach provides resistance against the generic timememory tradeoff based attacking approaches [7, 13], and particular powerful techniques like the correlation attacks [3].
Motivation for the Work. The aim of this work is to propose and elaborate a model for the security evaluation of communication systems which employ the encodingencryption paradigm together with a dedicated wiretap encoder for security enhancement. In a general security evaluation scenario, both passive and active attacks should be treated, and while the enhanced system should be resistant to these, it should be with a slight/moderate increase of the implementation complexity and the communications overhead. It may be worth emphasizing that our target is to increase the security of existing schemes, such as GSM, which is why we have a small margin of freedom in designing the security scheme, since we cannot touch most of the existing components of the system.
Summary of the Results. This paper proposes and analyzes from the informationtheoretic point of view the security of communications systems based on the encodingencryption paradigm under passive and active attacks, when equipped with an additional wiretap encoder. We show that with the aid of a dedicated wiretap encoder, the amount of uncertainty that the adversary must face about the secret key given all the information he could gather during different passive or active attacks he can mount, is a decreasing function of the sample available for cryptanalysis. This means that the wiretap encoder can indeed provide an information theoretical security level over a period of time, but after a large enough sample is collected the function tends to zero, entering a regime in which a computational security analysis is needed for estimation of the resistance against the secret key recovery.
Organization of the Paper. In Section 2, we start by describing precisely the system model together with its security enhanced version and we dedicate Subsection 2.2 to the design of the wiretap encoder. The security analysis is done in two parts: first the passive adversary is studied in Section 3, while the active one is investigated in Section 4. Practical implications of the given security analysis and some guidelines for design of security enhanced encodingencryption based systems are pointed out in Section 5. Concluding remarks including some directions for future work are given in Section 6.
2 System Model and Wiretap Coding
We consider a class of communication systems which, to provide both reliability and security, employs the encoding and then encryption paradigm, namely: the message is first encoded, and then encrypted using a stream ciphering.
The detailed model is shown in Figure 1. The transmitter first encodes a binary message/plain text
using an errorcorrecting code
that maps a dimensional plain text to an dimensional encoded message, . The encryption is done using a keystream generator, which takes as input the secret key of the transmitter, and outputs
yielding
(1) 
as the message to be sent over the noisy channel, where denotes XOR or modulo 2 addition. We denote the noise vector by
where each is the realization of a random variable such that and . Upon reception of the corrupted encrypted binary sequence of ciphertext
the receiver who shares the secret key with the transmitter can decrypt first the message
and then decode despite of the noise thanks to the errorcorrection code. We remark that in practice a keystream generator can be considered as a finite state machine whose initial state is determined by the secret key and some public data. For simplicity, and because it does not affect our analysis, we can ignore the existence of the known data, and focus on the secret key. In this setting the output of the keystream generator is determined uniquely by the secret key, and it is enough to assume that the transmitter and receiver only share the key.
Note further that the trick of reversing the order of encryption and errorcorrection would not have been possible if a block cipher was used for encryption, since decryption must be done before removing the channel noise.
We finally assume that there is a noiseless feedback link that connects the receiver to the transmitter, so that the receiver can either acknowledge the reception of the message, or inform of the decoding failure, so as to get the missing message sent back.
2.1 Enhanced model
Origins for the construction given in this paper are the approaches for stream ciphers design recently reported in [14, 15], though the focus of this paper is very different, since its goal is enhancing the security of existing encryption schemes. This difference has a number of implications regarding the security issues and implementation complexity of the scheme.
The construction proposed in this paper employs the following main underlying ideas for enhancing security:

Involve pure randomness into the coding&ciphering scheme so that the decoding complexity without knowledge of the secret key employed in the system approaches the complexity of the exhaustive search for the secret key.

Enhance security of the existing stream cipher via joint employment of pure randomness and coding theory, and particularly a dedicated encoding following the homophonic or wiretap channel encoding approaches.

Allow a suitable tradeoff between the security and the communications rate: Increase the security towards the limit implied by the secretkey length at the expense of a lowmoderate decrease of the communications rate.
Regarding the homophonic and wiretap channel coding, note the following. The main goals of homophonic coding are to provide: (i) multiple substitutions of a given source vector via randomness so that the coded versions of the source vectors appear as realizations of a random source; (ii) recoverability of the source vector based on the given codeword without knowledge of the randomization. The main goals of wiretap channel coding are: (i) amplification of the noise difference between the main and wiretap channel via randomness; (ii) a reliable transmission in the main channel and at the same time to provide a total confusion of the wiretapper who observes the communication in the main channel via a noisy channel (wiretap channel). Accordingly, homophonic coding schemes and wiretap channel ones have different goals and belong to different coding classes, the source coding and the errorcorrection ones, but they employ the same underlying ideas of using randomness and dedicated coding for achieving the desired goals.
For enhancing the security we exploit the underlying approaches of universal homophonic coding [12] and generic wiretap coding when the main channel is errorfree (see [20] and [19], for example). Accordingly, we may say either “homophonic coding” or “wiretap channel coding” to address the dedicated coding that enhances security. The main feature of the dedicated coding is that the encoding is based on randomness and that the legitimate receiving party who shares a secret key with the corresponding transmitting one can perform decoding without knowledge of the randomness employed for the encoding. For simplicity of the terminology we mainly (but not always) say “wiretap channel coding” to describe the dedicated coding which provides the enhanced security.
Let denote a wiretap or homophonic code encoder. To enhance the security of the system considered, it is added at the transmitter end (see Figure 2) involving a vector of pure randomness
that is, each is the realization of a random variable with distribution . Note that is invertible. The wiretap encoding is done prior to errorcorrecting encoding, thus out of the bits of data to be sent, are replaced by random data, letting actually only bits
of plaintext, to get as in (1)
(2) 
as codeword to be sent.
As before, the receiver obtains
(3) 
and starts with the decryption
He then first decodes
If the decoding is successful, he computes using and let the transmitter know he could decode. Otherwise he informs the transmitter than retransmission is required.
Similarly to a linear errorcorrection code where can be represented by multiplying the data vector by the generator matrix of the code, we can write , following the socalled coset encoding proposed by Wyner [20], as follows:
(4) 
where

is a generator matrix for a linear errorcorrection code with rows ,

are linearly independent row vectors from ,

and is a binary matrix corresponding to .
In words, to each bit message is associated a coset determined by
Though this correspondence is deterministic, a random codeword is chosen inside the coset by:
where is a uniformly distributed random bit vector.
2.2 A Dedicated Wiretap Encoder
In our scenario, we need to combine wiretap encoding with errorcorrection encoding, both being linear operations. Recall that the encoded vector at the transmitter is
where is a dimensional data vector, and is a random vector. Using generic coset coding as discussed above with a code, we now know that
where is an matrix, and thus
(5)  
where is an binary generator matrix corresponding to , and is an binary matrix summarizing the two successive encodings at the transmitter.
Since multiplies the vector where is an dimension vector and an dimension vector, it makes sense to write the matrix by blocks of size depending on and :
(6) 
where is an matrix, is an matrix, denotes the identity matrix, and finally is an matrix.
Requirements on the matrix are:

Invertibility. The matrix should be an invertible matrix, so that the receiver can decode the wiretap encoding.

Security. The matrix should map so that in the resulting vector each bit of data from is affected by at least one random bit from , to make sure that each bit of data is protected.

Sparsity. Both the matrices and should be as sparse as possible, in order to avoid too much computation and communication overheads.
Since by (4), the last rows of form a generator matrix of a error correction code in systematic form, it has rank . The first rows are then obtained by adding linearly independent vectors not in , thus completing a basis of , resulting automatically in an invertible matrix. A simple way to do so is to choose and , so that (6) becomes
Since
and has no column with only zeroes (it is a block of an error correction code), we have that indeed each bit of data from is affected by at least one random bit from .
The choice of and makes the first rows of as sparse as possible.
Example 1
Take , so that , and
Clearly is invertible. The error correction code described by rows 3 and 4 is simply the repetition code.
3 Security against a Passive Adversary
This section analyzes the security of the proposed scheme against a passive adversary, that is an adversary limited to monitoring and recording communications. The system we consider already uses a keystream generator to protect the confidentiality of the data. Thus though a passive adversary may try to still discover confidential messages, more dangerous is an attack against the secret key, which would endanger all the transmissions. Based on what a passive adversary can do, this means mounting a known plaintext attack in order to recover the secret key. In the passive known plaintext attacking scenario, with no enhanced security, the adversary possesses the pair
from which he calculates
He can then use for further processing in an attempt to recover the key which generated . We will show how the introduction of the wiretap encoding increases the protection of the key against such attacks.
In what follows, we use as notation that

, random bits used in the wiretap encoder,

, output bits of the keystream generator,

, random components of the additive noise
are realizations of certain random variables , and , respectively, . We can further assume that the plaintext is generated randomly, and thus see as a realization of a random variable as well. The corresponding vectors of random variables are denoted as follows: , , , and .
Recall from (3) and (5) that the received vector at the receiver is given by
where is an matrix containing both the wiretap and the error correction encoding.
Let , so that can be written componentwise as
and appears as the realization of a random variable :
We further denote , and
(7) 
From (6), we have
and we can rewrite the wiretap encoder as
where and are the operators for the wiretap encoding restricted to , resp. :
Since the error correcting encoding is also linear, we finally get
(8) 
The lemma below gives a bound on the resistance of the scheme to a known plain text attack where the adversary knows the pair .
Lemma 1
The equivocation of the keystream output knowing the plaintext and the received signal can be lower bounded as follows:
where
since .
Repeating the entropy chain rule but with another decomposition, we further get that
noticing that using again from (7).
By combining the two decompositions, we deduce that
We now reformulate and . First, using this time (8), we have that . Since and are invertible, note that , so that
On the other hand, conditioning reduces entropy, namely,
and in order to make explicit the role of the extra randomness brought by the wiretap encoder, we can write that
since and are mutually independent.
Similarly, again using (8) to get that and combining with
we obtain that
which distinguishes the randomness coming from the channel noise and the keystream entrpy.
We are finally left with bounding . Recovering when , and are given is the decoding problem of removing the noise employing the code with error probability . This can be bounded using Fano’s inequality:
since by design of the system, we may assume . This concludes the proof.
The interpretation of the lemma is a bound on the resistance of the scheme to a passive known plain text attack. This clearly depends on two parameters:

the keystream generator: if the output of the keystream generator has a very high entropy , then the lemma tells that

the pure randomness put in the wiretap encoder: if we do not add it in the system, the lemma shows that
that is the informationtheoretic security of the keystream depends on the channel noise.
We illustrate this last claim with an example.
Example 2
Consider the case of a known plaintext attack when . We then have
Without the wiretap encoding, the keystream is corrupted and so protected as well by the noise on the channel, while with addition of the wiretap encoder, it is further protected by the pure randomness added.
The special case where the channel is noisefree is detailed in the corollary below. This further illustrates the effect of pure randomness involved in the wiretap channel coding.
Corollary 1
In a noisefree channel, we have
So far, we have discussed the security of a given keystream generator output, for one instance of transmission. We now move to a more realistic scenario. Transmission takes place over time , and the keystream generator uses a secret key (or just a key) based on which it computes its outputs in a deterministic way depending on for a time period of length :
Note that is an expansion of the secret key via a finite state machine and can be considered as an encoding of bits into a long binary codeword. Correspondingly, we can rewrite the whole system in terms of realizations of random variables that depends on time, over the time interval :

for the plain text,

for the pure randomness used in the wiretap encoder,

for the channel noise,

for the received signal.
Similarly as above, we have
The key is represented as a vector of random variables drawn independently from a uniform distribution over , so that . We further use the following block notations:
We can now state the main theorem of this section, which describes the security of the enhanced system against a passive adversary regarding the secret key recovery.
Theorem 1
When , , , there exists a threshold such that
Proof. When , and accordingly , thus Lemma 1 directly implies that is achievable.
When grows, we employ the following analysis.
By using two different decompositions of via the entropy chain rule as done in Lemma 1, we get
(9)  
Note that knowing , can be considered as a length degraded version of a binary codeword with information bits which is corrupted by a noise vector . Indeed, without knowing the key, decoding is not possible, so the adversary also needs to try to decode . Assuming that the decoding error probability of this code is , Fano’s inequality implies that
Combining the decoding ability of with a minimum distance decoding yields a decoding error for the aggregated code of size that tends to zero provided long enough codewords, that is , and accordingly when is large enough.
In a similar manner and employing
the decoding ability of with a minimum distance decoding as used above implies that when is large enough.
To take care of , we again use a decoding argument, since is known. However, it is important to note here that is known too. Thus even though we look at a block
the knowledge of makes each block independent, and thus we can decode each of them separately and the probability of error is . Fano’s equality finally yields
and
(10) 
since by design of .
The above consideration of the cases and also implies the existence of a threshold .
The statement is intuitively clear. The security depends on the length of the key noting that this length is fixed in the system. Accordingly, when the keystream generator is used for a period that varies, as long as , the key is protected by the randomness of the noisy channel and of the wiretap encoder, but that protection cannot last forever if the adversary collects too much data.
Note that all this analysis is true for “realistic channels” where the noise is not uniformly distributed. The uniformly distributed noise in the communication channel makes errorcorrection infeasible, which explain the assumption in the above theorem.
Theorem 1 directly implies the following corollary for noiseless channels.
Corollary 2
When and the parameter is large enough we have:
(11) 
4 Security against an Active Adversary
We now consider an active and therefore more powerful adversary. There are many possible scenarios for an active adversary. We assume in this work that

he can modify the data on the communication channel, that is, inject controlled noise,

he can learn the effect of the modified channel at the receiving side, by listening to the feedback link that tells whether decoding was successful.
Let us be more precise. While the transmitter sends
in an already security enhances setting (2), the receiver sees its noisy version
The active adversary is allowed to inject some extra noise over the channel, so that now, the legitimate receiver sees , where contains both the noise coming from the channel and the noise controlled by the adversary:
(12)  
As earlier (Section 2), the receiver first decrypts its message using its secret key and locally generated keystream
and then try to decode :
under the assumption that the error correcting code can correct the errors introduced by , so as to get
Because of the extra noise , the probability of decoding correctly at the receiver may decrease. In the meantime, the active attacker can listen to the feedback channel so that he knows whether the decoding failed or was successful. His goal is again to find the key. His strategy then consists in adding different noise vectors and to observe the feedback channel to see whether the chosen noise made the decoding fail, in order to gather information.
We keep our earlier notation, that is

, random bits used in the wiretap encoder,

, output bits of the keystream generator,

, random components of the additive noise ,

, bits of the plain text,

, bits of the received message
are realizations of certain random variables , , , , , , and , . The corresponding vectors of random variables are denoted as follows: , , , , , , and . Similarly to (8),