An Information-Theoretic Analysis of the Security of Communication Systems Employing the Encoding-Encryption Paradigm

An Information-Theoretic Analysis of the Security of Communication Systems Employing the Encoding-Encryption Paradigm

Abstract

This paper proposes a generic approach for providing enhanced security to communication systems which encode their data for reliability before encrypting it through a stream cipher for security. We call this counter-intuitive technique the encoding-encryption paradigm, and use as motivating example the standard for mobile telephony GSM. The enhanced security is based on a dedicated homophonic or wire-tap channel coding that introduces pure randomness, combined with the randomness of the noise occurring over the communication channel. Security evaluation regarding recovery of the secret key employed in the keystream generator is done through an information theoretical approach.

We show that with the aid of a dedicated wire-tap encoder, the amount of uncertainty that the adversary must face about the secret key given all the information he could gather during different passive or active attacks he can mount, is a decreasing function of the sample available for cryptanalysis. This means that the wire-tap encoder can indeed provide an information theoretical security level over a period of time, but after a large enough sample is collected the function tends to zero, entering a regime in which a computational security analysis is needed for estimation of the resistance against the secret key recovery.
Keywords: error-correction coding, security evaluation, stream ciphers, randomness, wireless communications, homophonic coding, wire-tap channel coding.

1 Introduction

Most communication systems take into account not only the reliability but also the security of the data they transmit. This is particularly true in wireless environment, where the data is inherently more sensible to security threats. Consequently, the design of such systems need to include both coding schemes for providing error-correction and ciphering algorithms for encryption-decryption. It is common practice to first encrypt the data to ensure its safety, and then to encode it for reliability. In this paper, we consider the reverse scenario, namely systems which first encode the data, and then encrypt it, which we call the encoding-encryption paradigm.

Though counter-intuitive at first, there are actually many real life applications where the encoding encryption paradigm is used. A famous illustrative example is the most widespread standard for mobile telephony GSM, standing for “Global System for Mobile Communications” (see [2] and [1], for the coding, respectively security details). In the GSM protocol, the data is first encoded using an error-correction code so as to withstand reception errors, which considerably increases the size of the message to be transmitted. The encoded data is then encrypted to provide privacy (secrecy of the communications) for the users.

It is interesting to mention that block ciphers are not suitable in the context of the encoding-encryption paradigm, since the receiver needs to first decrypt the data despite the noise, before performing the decoding. This leads to use of stream ciphers and thus when we refer to the security of systems using the encoding-encryption paradigm, we implicitly mean the security of the keystream generator and the users’ secret key.

From a security perspective, there are of course pros and cons to the encoding-encryption paradigm. Since it implies encryption of redundant data (introduced by error-correction), it could be an origin for mounting attacks against the employed keystream generator. Undesirability of redundant data from a cryptographic security point of view has indeed been already pointed out in the seminal work by Shannon [18], where cryptography as a scientific topic has been established. On the other hand, the encoding-encryption paradigm has the advantage to offer protection in the case of a known plaintext attacking scenario, since an adversary can only learn a noisy version of the keystream, which makes the cryptanalyis of the employed keystream generator more complex.

Security evaluation can be performed under two attacking scenarios, depending on whether one considers an active or passive adversary.

A passive adversary’s ability is limited to monitoring (and recording) communications between the legitimate parties, so as to use the recorded data as input for mounting a known plaintext attack against the considered system.

Stronger attacks come from active adversaries, which can possibly include many attacking settings. In this paper, we consider active attacks motivated by the class of so-called Hopper and Blum (HB) authentication protocols [8],[9], [10],[6],[5]. Following the original work by [8], HB authentication protocols are challenge-response based, where the response could be considered as the encoded and encrypted version of the challenge, which is deliberately degraded by random noise. A simple active attack on the improved HB authentication protocol [10] was provided in [4], where it is assumed that an adversary can manipulate challenges sent during the authentication exchange, and thus learn whether such manipulations give an authentication failure. The attack consists of choosing a constant vector and using it to perturb the challenges by computing the XOR of the selected vector with each authentication challenge vector, and that for each of the authentication rounds. To summarize, the active attacker has the following abilities: (i) he can modify the data in the communication channel between the legitimate parties; and (ii) he can can learn the effect of the performed modification at the receiving side. This is the model that will be adopted in this work.

To evaluate the security of systems using the encoding-encryption paradigm under threats of both passive and active adversaries as described above, both computational and information theoretical analyses are valid. In this paper, we focus on the latter. We propose a security enhanced approach which employs a dedicated coding, following the frameworks of homophonic [11, 12, 17] and wire-tap channel coding [20, 19]. The improved security is a consequence of combining the pure randomness introduced by the wire-tap coding and the random noise which is inherent in the communication channel.

We measure the security increase with respect to the secret key in terms of its equivocation, that is the amount of uncertainty that the adversary has on the key, given all the information he can collect. A preliminary study of the security enhancement has been provided in [16] in the case of a passive adversary. The enhancement is based on the constructions reported in [14, 15], and also motivated by the fact that in the computational complexity evaluation scenarios, this approach provides resistance against the generic time-memory trade-off based attacking approaches [7, 13], and particular powerful techniques like the correlation attacks [3].

Motivation for the Work. The aim of this work is to propose and elaborate a model for the security evaluation of communication systems which employ the encoding-encryption paradigm together with a dedicated wire-tap encoder for security enhancement. In a general security evaluation scenario, both passive and active attacks should be treated, and while the enhanced system should be resistant to these, it should be with a slight/moderate increase of the implementation complexity and the communications overhead. It may be worth emphasizing that our target is to increase the security of existing schemes, such as GSM, which is why we have a small margin of freedom in designing the security scheme, since we cannot touch most of the existing components of the system.

Summary of the Results. This paper proposes and analyzes from the information-theoretic point of view the security of communications systems based on the encoding-encryption paradigm under passive and active attacks, when equipped with an additional wire-tap encoder. We show that with the aid of a dedicated wire-tap encoder, the amount of uncertainty that the adversary must face about the secret key given all the information he could gather during different passive or active attacks he can mount, is a decreasing function of the sample available for cryptanalysis. This means that the wire-tap encoder can indeed provide an information theoretical security level over a period of time, but after a large enough sample is collected the function tends to zero, entering a regime in which a computational security analysis is needed for estimation of the resistance against the secret key recovery.

Organization of the Paper. In Section 2, we start by describing precisely the system model together with its security enhanced version and we dedicate Subsection 2.2 to the design of the wire-tap encoder. The security analysis is done in two parts: first the passive adversary is studied in Section 3, while the active one is investigated in Section 4. Practical implications of the given security analysis and some guidelines for design of security enhanced encoding-encryption based systems are pointed out in Section 5. Concluding remarks including some directions for future work are given in Section 6.

2 System Model and Wiretap Coding

We consider a class of communication systems which, to provide both reliability and security, employs the encoding and then encryption paradigm, namely: the message is first encoded, and then encrypted using a stream ciphering.

Figure 1: Communication system model.

The detailed model is shown in Figure 1. The transmitter first encodes a binary message/plain text

using an error-correcting code

that maps a -dimensional plain text to an -dimensional encoded message, . The encryption is done using a keystream generator, which takes as input the secret key of the transmitter, and outputs

yielding

(1)

as the message to be sent over the noisy channel, where denotes XOR or modulo 2 addition. We denote the noise vector by

where each is the realization of a random variable such that and . Upon reception of the corrupted encrypted binary sequence of ciphertext

the receiver who shares the secret key with the transmitter can decrypt first the message

and then decode despite of the noise thanks to the error-correction code. We remark that in practice a keystream generator can be considered as a finite state machine whose initial state is determined by the secret key and some public data. For simplicity, and because it does not affect our analysis, we can ignore the existence of the known data, and focus on the secret key. In this setting the output of the keystream generator is determined uniquely by the secret key, and it is enough to assume that the transmitter and receiver only share the key.

Note further that the trick of reversing the order of encryption and error-correction would not have been possible if a block cipher was used for encryption, since decryption must be done before removing the channel noise.

We finally assume that there is a noiseless feedback link that connects the receiver to the transmitter, so that the receiver can either acknowledge the reception of the message, or inform of the decoding failure, so as to get the missing message sent back.

2.1 Enhanced model

Origins for the construction given in this paper are the approaches for stream ciphers design recently reported in [14, 15], though the focus of this paper is very different, since its goal is enhancing the security of existing encryption schemes. This difference has a number of implications regarding the security issues and implementation complexity of the scheme.

The construction proposed in this paper employs the following main underlying ideas for enhancing security:

  • Involve pure randomness into the coding&ciphering scheme so that the decoding complexity without knowledge of the secret key employed in the system approaches the complexity of the exhaustive search for the secret key.

  • Enhance security of the existing stream cipher via joint employment of pure randomness and coding theory, and particularly a dedicated encoding following the homophonic or wire-tap channel encoding approaches.

  • Allow a suitable trade-off between the security and the communications rate: Increase the security towards the limit implied by the secret-key length at the expense of a low-moderate decrease of the communications rate.

Regarding the homophonic and wire-tap channel coding, note the following. The main goals of homophonic coding are to provide: (i) multiple substitutions of a given source vector via randomness so that the coded versions of the source vectors appear as realizations of a random source; (ii) recoverability of the source vector based on the given codeword without knowledge of the randomization. The main goals of wire-tap channel coding are: (i) amplification of the noise difference between the main and wire-tap channel via randomness; (ii) a reliable transmission in the main channel and at the same time to provide a total confusion of the wire-tapper who observes the communication in the main channel via a noisy channel (wire-tap channel). Accordingly, homophonic coding schemes and wire-tap channel ones have different goals and belong to different coding classes, the source coding and the error-correction ones, but they employ the same underlying ideas of using randomness and dedicated coding for achieving the desired goals.

For enhancing the security we exploit the underlying approaches of universal homophonic coding [12] and generic wire-tap coding when the main channel is error-free (see [20] and [19], for example). Accordingly, we may say either “homophonic coding” or “wire-tap channel coding” to address the dedicated coding that enhances security. The main feature of the dedicated coding is that the encoding is based on randomness and that the legitimate receiving party who shares a secret key with the corresponding transmitting one can perform decoding without knowledge of the randomness employed for the encoding. For simplicity of the terminology we mainly (but not always) say “wire-tap channel coding” to describe the dedicated coding which provides the enhanced security.

Let denote a wiretap or homophonic code encoder. To enhance the security of the system considered, it is added at the transmitter end (see Figure 2) involving a vector of pure randomness

that is, each is the realization of a random variable with distribution . Note that is invertible. The wiretap encoding is done prior to error-correcting encoding, thus out of the bits of data to be sent, are replaced by random data, letting actually only bits

of plaintext, to get as in (1)

(2)

as codeword to be sent.

Figure 2: Communication system model enhanced with a wire-tap encoder.

As before, the receiver obtains

(3)

and starts with the decryption

He then first decodes

If the decoding is successful, he computes using and let the transmitter know he could decode. Otherwise he informs the transmitter than retransmission is required.

Similarly to a linear error-correction code where can be represented by multiplying the data vector by the generator matrix of the code, we can write , following the so-called coset encoding proposed by Wyner [20], as follows:

(4)

where

  • is a generator matrix for a linear error-correction code with rows ,

  • are linearly independent row vectors from ,

  • and is a binary matrix corresponding to .

In words, to each -bit message is associated a coset determined by

Though this correspondence is deterministic, a random codeword is chosen inside the coset by:

where is a uniformly distributed random -bit vector.

2.2 A Dedicated Wiretap Encoder

In our scenario, we need to combine wiretap encoding with error-correction encoding, both being linear operations. Recall that the encoded vector at the transmitter is

where is a -dimensional data vector, and is a random vector. Using generic coset coding as discussed above with a code, we now know that

where is an matrix, and thus

(5)

where is an binary generator matrix corresponding to , and is an binary matrix summarizing the two successive encodings at the transmitter.

Since multiplies the vector where is an -dimension vector and an dimension vector, it makes sense to write the matrix by blocks of size depending on and :

(6)

where is an matrix, is an matrix, denotes the identity matrix, and finally is an matrix.

Requirements on the matrix are:

  1. Invertibility. The matrix should be an invertible matrix, so that the receiver can decode the wiretap encoding.

  2. Security. The matrix should map so that in the resulting vector each bit of data from is affected by at least one random bit from , to make sure that each bit of data is protected.

  3. Sparsity. Both the matrices and should be as sparse as possible, in order to avoid too much computation and communication overheads.

Since by (4), the last rows of form a generator matrix of a error correction code in systematic form, it has rank . The first rows are then obtained by adding linearly independent vectors not in , thus completing a basis of , resulting automatically in an invertible matrix. A simple way to do so is to choose and , so that (6) becomes

Since

and has no column with only zeroes (it is a block of an error correction code), we have that indeed each bit of data from is affected by at least one random bit from .

The choice of and makes the first rows of as sparse as possible.

Example 1

Take , so that , and

Clearly is invertible. The error correction code described by rows 3 and 4 is simply the repetition code.

3 Security against a Passive Adversary

This section analyzes the security of the proposed scheme against a passive adversary, that is an adversary limited to monitoring and recording communications. The system we consider already uses a keystream generator to protect the confidentiality of the data. Thus though a passive adversary may try to still discover confidential messages, more dangerous is an attack against the secret key, which would endanger all the transmissions. Based on what a passive adversary can do, this means mounting a known plaintext attack in order to recover the secret key. In the passive known plaintext attacking scenario, with no enhanced security, the adversary possesses the pair

from which he calculates

He can then use for further processing in an attempt to recover the key which generated . We will show how the introduction of the wiretap encoding increases the protection of the key against such attacks.

In what follows, we use as notation that

  • , random bits used in the wiretap encoder,

  • , output bits of the keystream generator,

  • , random components of the additive noise

are realizations of certain random variables , and , respectively, . We can further assume that the plaintext is generated randomly, and thus see as a realization of a random variable as well. The corresponding vectors of random variables are denoted as follows: , , , and .

Recall from (3) and (5) that the received vector at the receiver is given by

where is an matrix containing both the wiretap and the error correction encoding.

Let , so that can be written componentwise as

and appears as the realization of a random variable :

We further denote , and

(7)

From (6), we have

and we can rewrite the wiretap encoder as

where and are the operators for the wiretap encoding restricted to , resp. :

Since the error correcting encoding is also linear, we finally get

(8)

The lemma below gives a bound on the resistance of the scheme to a known plain text attack where the adversary knows the pair .

Lemma 1

The equivocation of the keystream output knowing the plaintext and the received signal can be lower bounded as follows:

where

since .

Proof.   Employing the entropy chain rule, we have that

since , using that from (7).

Repeating the entropy chain rule but with another decomposition, we further get that

noticing that using again from (7).

By combining the two decompositions, we deduce that

We now reformulate and . First, using this time (8), we have that . Since and are invertible, note that , so that

On the other hand, conditioning reduces entropy, namely,

and in order to make explicit the role of the extra randomness brought by the wiretap encoder, we can write that

since and are mutually independent.

Similarly, again using (8) to get that and combining with

we obtain that

which distinguishes the randomness coming from the channel noise and the keystream entrpy.

We are finally left with bounding . Recovering when , and are given is the decoding problem of removing the noise employing the code with error probability . This can be bounded using Fano’s inequality:

since by design of the system, we may assume . This concludes the proof.  

The interpretation of the lemma is a bound on the resistance of the scheme to a passive known plain text attack. This clearly depends on two parameters:

  • the keystream generator: if the output of the keystream generator has a very high entropy , then the lemma tells that

  • the pure randomness put in the wiretap encoder: if we do not add it in the system, the lemma shows that

    that is the information-theoretic security of the keystream depends on the channel noise.

We illustrate this last claim with an example.

Example 2

Consider the case of a known plaintext attack when . We then have

Without the wiretap encoding, the keystream is corrupted and so protected as well by the noise on the channel, while with addition of the wiretap encoder, it is further protected by the pure randomness added.

The special case where the channel is noisefree is detailed in the corollary below. This further illustrates the effect of pure randomness involved in the wire-tap channel coding.

Corollary 1

In a noisefree channel, we have

Proof.   Since the channel is noisefree, and consequently . Lemma 1 can be rewritten as

 

So far, we have discussed the security of a given keystream generator output, for one instance of transmission. We now move to a more realistic scenario. Transmission takes place over time , and the keystream generator uses a secret key (or just a key) based on which it computes its outputs in a deterministic way depending on for a time period of length :

Note that is an expansion of the secret key via a finite state machine and can be considered as an encoding of bits into a long binary codeword. Correspondingly, we can rewrite the whole system in terms of realizations of random variables that depends on time, over the time interval :

  • for the plain text,

  • for the pure randomness used in the wiretap encoder,

  • for the channel noise,

  • for the received signal.

Similarly as above, we have

The key is represented as a vector of random variables drawn independently from a uniform distribution over , so that . We further use the following block notations:

We can now state the main theorem of this section, which describes the security of the enhanced system against a passive adversary regarding the secret key recovery.

Theorem 1

When , , , there exists a threshold such that

Proof.   When , and accordingly , thus Lemma 1 directly implies that is achievable.

When grows, we employ the following analysis.

By using two different decompositions of via the entropy chain rule as done in Lemma 1, we get

(9)

Note that knowing , can be considered as a -length degraded version of a binary codeword with information bits which is corrupted by a noise vector . Indeed, without knowing the key, decoding is not possible, so the adversary also needs to try to decode . Assuming that the decoding error probability of this code is , Fano’s inequality implies that

Combining the decoding ability of with a minimum distance decoding yields a decoding error for the aggregated code of size that tends to zero provided long enough codewords, that is , and accordingly when is large enough.

In a similar manner and employing

the decoding ability of with a minimum distance decoding as used above implies that when is large enough.

To take care of , we again use a decoding argument, since is known. However, it is important to note here that is known too. Thus even though we look at a block

the knowledge of makes each block independent, and thus we can decode each of them separately and the probability of error is . Fano’s equality finally yields

and

(10)

since by design of .

The above consideration of the cases and also implies the existence of a threshold .

 

The statement is intuitively clear. The security depends on the length of the key noting that this length is fixed in the system. Accordingly, when the keystream generator is used for a period that varies, as long as , the key is protected by the randomness of the noisy channel and of the wiretap encoder, but that protection cannot last forever if the adversary collects too much data.

Note that all this analysis is true for “realistic channels” where the noise is not uniformly distributed. The uniformly distributed noise in the communication channel makes error-correction infeasible, which explain the assumption in the above theorem.

Theorem 1 directly implies the following corollary for noiseless channels.

Corollary 2

When and the parameter is large enough we have:

(11)

4 Security against an Active Adversary

We now consider an active and therefore more powerful adversary. There are many possible scenarios for an active adversary. We assume in this work that

  1. he can modify the data on the communication channel, that is, inject controlled noise,

  2. he can learn the effect of the modified channel at the receiving side, by listening to the feedback link that tells whether decoding was successful.

Let us be more precise. While the transmitter sends

in an already security enhances setting (2), the receiver sees its noisy version

The active adversary is allowed to inject some extra noise over the channel, so that now, the legitimate receiver sees , where contains both the noise coming from the channel and the noise controlled by the adversary:

(12)

As earlier (Section 2), the receiver first decrypts its message using its secret key and locally generated keystream

and then try to decode :

under the assumption that the error correcting code can correct the errors introduced by , so as to get

Because of the extra noise , the probability of decoding correctly at the receiver may decrease. In the meantime, the active attacker can listen to the feedback channel so that he knows whether the decoding failed or was successful. His goal is again to find the key. His strategy then consists in adding different noise vectors and to observe the feedback channel to see whether the chosen noise made the decoding fail, in order to gather information.

We keep our earlier notation, that is

  • , random bits used in the wiretap encoder,

  • , output bits of the keystream generator,

  • , random components of the additive noise ,

  • , bits of the plain text,

  • , bits of the received message

are realizations of certain random variables , , , , , , and , . The corresponding vectors of random variables are denoted as follows: , , , , , , and . Similarly to (8),