Sage Journals: Discover world-class research

Abstract

Noise is a powerful resource for the implementation of cryptographic primitives, especially in wireless networks. In general, a key agreement protocol is tailored to the channels and relies on the assumption that knowledge on the eavesdropper's channel is available. This is not practical. In this paper, we focus on the problem of developing key agreement schemes for secure communication across wireless channels and propose a key evolution scheme to alleviate the assumption. Keys evolve continuously based on the transmitted messages over the noisy wireless channel. Even if the eavesdropper's channel is superior to the legitimate receiver, the legitimate parties can establish secret keys. To further confuse the eavesdropper, we present a strategy for legitimate parties to send artificial noise if the eavesdropper cannot distinguish the sources of messages. Finally, we propose a k-resistant encryption scheme that can use different keys to encrypt and decrypt messages if there are no more than k bits which differ between the encryption and decryption keys.

1. Introduction

Traditionally, security in wireless channels is regarded as an independent feature addressed above the physical layer, and all widely used cryptographic protocols are designed and implemented assuming the physical layer has already been established. An alternative notion of communication security, information theoretic security, was introduced by Wyner [1] and later by Csiszar and Korner [2]. The basic principle of information theoretic security calls for the combination of cryptographic scheme with channel coding techniques that exploit the randomness of communication channels to guarantee that the messages sent cannot be decoded by a third party maliciously eavesdropping on the wireless channel. In a wiretap channel, the honest parties Alice and Bob are separated by a channel called the main channel; any eavesdropper Eve observes information transmitted by Alice through another channel called the wiretapper's channel. Suppose Alice and Bob try to communicate a k-bit message M across the main channel; Alice encodes M into an n-bit codeword X. The legitimate receiver Bob and an eavesdropper Eve receive X through two different channels and their observations are denoted as Y and Z, respectively. Alice's encoding should achieve two objectives: (1) security: Z should provide no information about M; (2) reliability: Y can be decoded into M with negligibly small probability of error. Wyner showed that both objectives can be attained if the channels satisfy some conditions. The advent of wireless communication, which is particularly susceptible to eavesdropping, has motivated a renewed interest for information theoretic security, which has recently emerged as a very active research area, such as in [3–13].

The key distribution problem in wiretap channels has been studied in [14, 15]. The objective of key distribution is for Alice and Bob to agree on a common k-bit key about which Eve's entropy is maximal. Most key agreement protocols require some level of interactive communications between Alice and Bob to arrive at a common yet secret key [14], where the exchange of information is by way of a parallel, error-free public channel between Alice and Bob used during the key agreement phase [16].

In general, the lower bound of the eavesdropper's equivocation about the key generated by a key agreement protocol is valid only if the protocol is tailored to the channels, which requires knowledge of the channel statistics. The assumption that the main channel is known is usually reasonable; however, it is hardly realistic to assume that the eavesdropper's channel statistics are known exactly. In this paper, we propose a key evolution scheme which can alleviate the stringent requirement. The basic idea of key evolution is that keys evolve continuously based on the transmitted messages over the noisy wireless channel. If Eve cannot avoid at least a small bit error probability, her equivocation about the current key will be accumulated, and eventually she has no information about the new key. On the other hand, as the keys are continuously refreshed, the on-going cryptanalytic attacks can be thwarted. It also forces Eve to keep monitoring communications all the time after compromising a key; otherwise, she will lose control of it. We begin by discussing a special wiretap channel with a noiseless main channel and a binary symmetric channel (BSC) as the wiretapper's channel and then extend it to a more generalized wiretap channel that have BSCs as both the main and wiretapper's channel. We show that Alice and Bob can transform a wiretap channel that is advantageous to Eve into a channel in which Eve suffers more errors than Alice and Bob.

Cooperative jamming techniques, by which one or more legitimate transmitters send jamming signals to increase the confusion of Eve, can be used to increase the secrecy capacity in multiuser channels [17, 18]. If Bob can impersonate Alice to send forged messages, Alice and Bob can exploit the reciprocity of the channel to their advantage to further confuse the eavesdropper. Finally, we propose a k-resistant encryption scheme (k-RES) that can use different keys to encrypt and decrypt messages. Consider that Alice and Bob use a symmetric encryption algorithm to exchange confidential messages, but some errors occur to Bob's secret key during storage or transmission. In general, Bob cannot recover the message encrypted by Alice and they need to negotiate a new shared key. The objective of k-RES is to utilize the slightly different keys to encrypt a relatively small size message. If a pair of keys only has at most k-bit different, the receiver can recover the message; otherwise, he obtains no information about the message. In this setting, a k-RES can be viewed as a conceptual wiretap channel that has a main channel and a worse wiretap channel.

Key evolution can be used in sensor networks. The large number of sensors makes it hard to change code or data stored in every sensor; it is much easier to mass-produce sensors that are identical even on fireware and data level and are deployed in batches. To secure the communication between sensors, they can use key evolution scheme to obtain a relatively secret key and refresh it as quickly as possible.

2. Preliminaries

Throughout the sequel, a random variable X induces a probability distribution $P_{X}$ over an alphabet $X$ . Random variables are denoted by capital letters. Furthermore, we let $[x]^{+} = m a x {0, x}$ . All logarithms in this paper are to base 2. The cardinality of a set S is denoted by $|S|$ . $H (X)$ is the entropy function of a random variable X, and $h (p)$ is the binary entropy function defined as $h (p) = - p l o g p - (1 - p) l o g (1 - p)$ .

In general wiretap channel, the main channel and the wiretap channel are discrete memoryless channels (DMCs). The main channel is denoted as $X \to Y$ , where X is a random variable denoting an input symbol to the main channel and Y is a random variable denoting an output symbol from the main channel. Similarly, the wiretapper's channel is denoted as $X \to Z$ .

The notion of secrecy introduced by Wyner [1] has an operational meaning of being the maximum possible rate of information transmission between Alice and Bob that still enables Eve to be kept totally ignorant. The secrecy capacity $C_{S}$ for a wiretap channel can be calculated as follows [2]:

\begin{matrix} C_{S} = \underset{V \to X \to (Y, Z)}{m a x} {[I (V; Y) - I (V; Z)]}^{+}, \end{matrix}

(1)

where the inner maximum is over all possible random variables V in joint distribution with X, Y, and Z such that

V \to X \to (Y, Z)

is a Markov chain.

If $I (V; Y) \geq I (V; Z)$ for all Markov chains $V \to X \to (Y, Z)$ , the main channel is said to be less noisy than the wiretap channel. If the main channel is less noisy than the wiretap channel, then

\begin{matrix} C_{S} = \underset{P_{X} (x)}{m a x} [I (X; Y) - I (X; Z)], \end{matrix}

(2)

where the maximum is over all possible distributions

P_{X} (x)

of X. If

I (X; Y)

and

I (X; Z)

are individually maximized by the same

P_{X} (x)

and the main channel

(X \to Y)

is less noisy than the wiretap channel

(X \to Z)

, then

\begin{matrix} C_{S} = C a p a c i t y (X ⟶ Y) - C a p a c i t y (X ⟶ Z), \end{matrix}

(3)

where

C a p a c i t y (\cdot)

refers to the usual channel capacity.

3. Key Evolution

3.1. Noiseless Main Channel and Binary Symmetric Wiretapper's Channel WTC $(ϵ = 0, δ > 0)$

We begin with a simpler wiretap channel with a binary symmetric channel as the wiretapper's channel and a noiseless main channel, that is, WTC $(ϵ = 0, δ > 0)$ .

The heart of key evolution is a rekeying protocol that continuously refreshes the secret key based on transactional data. Let a message set $M = [1, 2^{n}]$ . Messages are represented by random variables $M_{1}, \dots, M_{i}$ uniformly distributed in $M$ . Suppose that Alice encodes message $M_{i} \in {0,1}^{n}$ into codeword $X_{i} \in {0,1}^{n}$ with key $K_{i} \in {0,1}^{n}$ as a one-time pad:

\begin{matrix} X_{i} = M_{i} \oplus K_{i}, \end{matrix}

(4)

and let

K_{1}

be the initial secret key shared between Alice and Bob. The key evolution protocol,

C_{K E}

, can be illustrated as follows:

\begin{array}{l} K_{1} = 0 \\ M_{1}, X_{1} = M_{1} \oplus K_{1}, K_{2} = K_{1} + M_{1} \\ M_{2}, X_{2} = M_{2} \oplus K_{2}, K_{3} = K_{2} + M_{2} \\ M_{3}, X_{3} = M_{3} \oplus K_{3}, K_{4} = K_{3} + M_{3} \\ ⋮ ⋮ ⋮ \\ M_{i}, X_{i} = M_{i} \oplus K_{i}, K_{i + 1} = K_{i} + M_{i} \\ ⋮ ⋮ ⋮ \end{array}

(5)

where

K_{1} = 0

means that Alice and Bob do not share any secret key initially; ⊕ denotes the bit-wise sum operation, and + is modulo addition with respect to the corresponding alphabet size.

Remarks 1.

(1) In the key evolution protocol, Alice and Bob compute a new key $K_{i + 1} = K_{i} + M_{i} = M_{1} + \dots + M_{i}$ as a function of $M^{i} = [M_{1}, \dots, M_{i}]$ . In general, any universal hash function $G : K_{i} \times M_{i} \to K_{i + 1}$ can be chosen to compute the new key.

(2) As will be discussed later, under certain condition,

\begin{array}{l} H (M_{1} | Z_{1}) \leq H (M_{2} | Z_{1} Z_{2}) \\ \leq \dots \leq H (M_{i} | Z_{1}, \dots, Z_{i}) \end{array}

(6)

means that as more messages are transmitted, Eve's equivocation on messages increases. From a practical perspective, before transmitting confidential messages, we could transmit some random messages to confuse Eve and generate a relatively secret key.

(3) $M_{i}$ is uniformly distributed over $M$ and is independent of $M_{1}, \dots, M_{i - 1}$ . Based on the crypto lemma [19], $K_{i} = M_{1} + \dots + M_{i - 1}$ is uniformly distributed over $M$ .

The objective of key evolution is for Alice and Bob to distill a secret key about which Eve has negligible information. Note that, if $K_{1} = 0$ , $X_{1} = M_{1} \oplus K_{1} = M_{1}$ , and $K_{2} = M_{1} + K_{1} = M_{1}$ , $X_{2} = M_{2} \oplus K_{2} = M_{1} \oplus M_{2}$ . From Fano's inequality, $H (X_{1} | Z_{1}) = H (X_{2} | Z_{2}) \leq n h (δ)$ ; that is, $H (M_{1} | Z_{1}) = H (M_{1} \oplus M_{2} | Z_{2}) \leq n h (δ)$ . Intuitively, $H (M_{1} | Z_{1}) \leq H (M_{2} | Z_{1} Z_{2})$ , which means that key evolution can increase Eve's uncertainty about messages as more messages are transmitted. Before we investigate the key evolution protocol, we first show that $H (M_{1} | Z_{1}) \leq H (M_{2} | Z_{1} Z_{2})$ is achievable under certain condition.

Suppose Alice generates random bit strings $M_{1}$ and $M_{2}$ and then transmits $M_{1}$ and the bit-wise sum $M_{1} \oplus M_{2}$ over a noisy channel. The receiver, Eve, uses her observations $Z_{1}$ and $Z_{2}$ (with a and b bits errors, resp.) to recover $M_{1}, M_{2}$ . The optimal strategy of Eve is to compute $Z_{1} \oplus Z_{2}$ as the estimation of $M_{2}$ .

Let $M_{1} = [m_{1}^{1}, m_{2}^{1}, \dots, m_{n}^{1}]$ , $M_{1} \oplus M_{2} = [m_{1}^{2}, m_{2}^{2}, \dots, m_{n}^{2}]$ , $M_{2} = [m_{1}^{3}, m_{2}^{3}, \dots, m_{n}^{3}]$ , and $Z_{1} \oplus Z_{2} = [z_{1}, z_{2}, \dots, z_{n}]$ , where $m_{i}^{1}$ , $m_{i}^{2}$ , $m_{i}^{3}$ , and $z_{i}$ are the ith bit of $M_{1}$ , $M_{1} \oplus M_{2}$ , $M_{2}$ , and $Z_{1} \oplus Z_{2}$ , respectively. If $m_{i}^{1}$ in $M_{1}$ and $m_{i}^{2}$ in $M_{1} \oplus M_{2}$ are correctly received, or both of them are error, then $z_{i} = m_{i}^{3}$ , which means that Eve recovers the ith bit of $M_{2}$ successfully. Let $A_{i}$ be a random variable that denotes the event that Eve can successfully recover the ith bit of message $M_{2}$ . For $a, b ≪ n$ , we use balls and bins model to estimate the probability $P (A_{i})$ as follows:

\begin{array}{l} P (A_{i}) = {(1 - \frac{1}{n})}^{a} {(1 - \frac{1}{n})}^{b} \\ + [1 - {(1 - \frac{1}{n})}^{a}] [1 - {(1 - \frac{1}{n})}^{b}] . \end{array}

(7)

For $P ({\bar{A}}_{i}) = 1 - P (A_{i})$ , the expectation of ${\bar{A}}_{i}$ (the event that the ith bit of $M_{2}$ the receiver obtains is error) is

\begin{matrix} E ({\bar{A}}_{i}) = 1 - P (A_{i}) . \end{matrix}

(8)

Therefore, the uncertainty of $M_{2}$ on the condition of the observations $Z_{1}$ and $Z_{2}$ can be estimated as

\begin{array}{l} H (M_{2} | Z_{1} Z_{2}) \\ = n E ({\bar{A}}_{i}) = n \{1 - {(1 - \frac{1}{n})}^{a} {(1 - \frac{1}{n})}^{b} \\ - [1 - {(1 - \frac{1}{n})}^{a}] [1 - {(1 - \frac{1}{n})}^{b}]\} \\ = n [{(1 - \frac{1}{n})}^{a} + {(1 - \frac{1}{n})}^{b} - 2 {(1 - \frac{1}{n})}^{a} {(1 - \frac{1}{n})}^{b}] . \end{array}

(9)

In the same way, we can estimate $H (M_{1} | Z_{1})$ as

\begin{matrix} H (M_{1} | Z_{1}) = n [1 - {(1 - \frac{1}{n})}^{a}] . \end{matrix}

(10)

Let $Δ = H (M_{2} | Z_{1} Z_{2}) - H (M_{1} | Z_{1}) \geq 0$ ; we have

\begin{matrix} 2 {(1 - \frac{1}{n})}^{a} - 1 \geq 0, \end{matrix}

(11)

so we obtain the result

a \leq 1 / l o g (n / (n - 1))

If $X_{1} = M_{1} \oplus K_{1} = M_{1}$ is chosen uniformly at random, we have $H (M_{1} | Z_{1}) = n h (δ)$ . Additionally, since the receiver's observation $Z_{1}$ has a-bit different from $M_{1}$ , we can also represent the value $H (M_{1} | Z_{1})$ as $H (M_{1} | Z_{1}) = n h (δ) = a$ . Therefore,

\begin{matrix} a = n h (δ) \leq \frac{1}{l o g (n / (n - 1))} . \end{matrix}

(12)

Let $f (δ) = 1 / l o g (n / (n - 1)) - n h (δ)$ . If $f (δ) > 0$ , $H (M_{1} | Z_{1}) \leq H (M_{2} | Z_{1} Z_{2})$ holds. As expected, as long as δ is small, the function $f (δ)$ is positive, which implies $H (M_{1} | Z_{1}) \leq H (M_{2} | Z_{1} Z_{2})$ . For instance, if $n = 1000$ , $f (δ)$ is positive provided that $0 < δ < 0.1859$ ; for n = 10,000, when $0 < δ < 0.1860$ , $f (δ) > 0$ . Since the key obtained in the first round of key evolution is used as the one-time pad key for the sequence round, Eve's uncertainty about the message transmitted will increase.

Because $H (M_{1} | Z_{1}) \leq H (M_{2} | Z_{1} Z_{2})$ and $M_{1}, \dots, M_{i}$ are independent and uniformly distributed over $M$ , we can have the following result by similar derivation:

\begin{matrix} H (M_{i} | Z_{1}, \dots, Z_{i}) \leq H (M_{i + 1} | Z_{1}, \dots, Z_{i} Z_{i + 1}) . \end{matrix}

(13)

As to the key

K_{i}

, we exploit a hash function G to distill a secret key

K_{i} = G (M_{1}, \dots, M_{i - 1})

, where G is a hash function chosen uniformly at random from a universal family of hash function. Consequently, by virtue of (13), we can obtain

\begin{matrix} H (K_{i} | Z_{1}, \dots, Z_{i - 1}) \leq H (K_{i + 1} | Z_{1}, \dots, Z_{i}), \end{matrix}

(14)

which ensures that as more messages are transmitted, Eve gradually loses her ability to estimate the messages transmitted, as well as the keys distilled. In other words, for sufficiently large number of rounds of key evolution, we get an equivocation approximate to the entropy of the message as well as the entropy of the key.

Next we want to analyze the secrecy performance of key evolution in terms of advantage distillation rate. Since hash function G can be chosen arbitrarily, it is difficult to model and analyze $C_{K E}$ directly. We focus on a simpler protocol $C_{\hat{K E}}$ as follows:

\begin{array}{l} K_{1}^{'} = 0 \\ M_{1}, X_{1}^{'} = M_{1}, K_{2}^{'} = M_{1} \\ M_{2}, X_{2}^{'} = M_{2}, K_{3}^{'} = M_{1} \oplus M_{2} \\ ⋮ ⋮ ⋮ \\ M_{i}, X_{i}^{'} = M_{i}, K_{i + 1}^{'} = M_{1} \oplus \dots \oplus M_{i} \\ ⋮ ⋮ ⋮ \end{array}

(15)

In $C_{\hat{K E}}$ , the main channel is noiseless, and the wiretapper's channel is a binary symmetric channel with crossover probability $δ \in (0,1)$ . Alice generates message $M_{i}$ and transmits $X_{i}^{'} = M_{i}$ to Bob. The observations of Bob and Eve are $Y_{i}^{'} = X_{i}^{'} = M_{i}$ and $Z_{i}^{'}$ , respectively. The key is computed as $K_{i}^{'} = M_{1} \oplus \dots \oplus M_{i - 1}$ .

Note that the wiretap channel in $C_{\hat{K E}}$ is discrete memoryless channel:

\begin{matrix} H (M_{1} | Z_{1}^{'}) = H (M_{2} | Z_{2}^{'}) = \dots = H (M_{i} | Z_{i}^{'}) . \end{matrix}

(16)

However, in $C_{K E}$ , we have $H (M_{1} | Z_{1}) \leq H (M_{2} | Z_{1} Z_{2}) = H (M_{2} | Z_{2})$ , for $Z_{1}$ and $M_{2}$ are independent of each other. Therefore,

\begin{matrix} H (M_{1} | Z_{1}) \leq H (M_{2} | Z_{2}) \leq \dots \leq H (M_{i} | Z_{i}) . \end{matrix}

(17)

Because $H (M_{1} | Z_{1}^{'}) = H (M_{1} | Z_{1})$ , then

\begin{matrix} \begin{matrix} H (M_{2} | Z_{2}^{'}) \leq H (M_{2} | Z_{2}), \\ H (M_{3} | Z_{3}^{'}) \leq H (M_{3} | Z_{3}), \\ ⋮ \\ H (M_{i} | Z_{i}^{'}) \leq H (M_{i} | Z_{i}) . \end{matrix} \end{matrix}

(18)

Notice that $M_{1}, M_{2}, \dots, M_{i}$ are mutually independent and uniformly distributed over $M$ , so we can obtain

\begin{array}{l} H (M_{1}, \dots, M_{i - 1} | Z_{1}^{'}, \dots, Z_{i - 1}^{'}) \\ \leq H (M_{1}, \dots, M_{i - 1} | Z_{1}, \dots, Z_{i - 1}) . \end{array}

(19)

For the secret key is a function of $M_{1}, M_{2}, \dots, M_{i - 1}$ , that is, $K_{i} = G (M_{1}, \dots, M_{i - 1})$ , we have

\begin{matrix} H (K_{i}^{'} | Z_{1}^{'}, \dots, Z_{i - 1}^{'}) \leq H (K_{i} | Z_{1}, \dots, Z_{i - 1}), \end{matrix}

(20)

which implies that the key evolution

C_{K E}

has an advantage over the protocol

C_{\hat{K E}}

in terms of the secrecy of key.

The protocol $C_{\hat{K E}}$ can be viewed as an advantage distillation protocol; for example, Alice and Bob exchange messages over the public channel to process their observations and to “distill” observations for which they have an advantage over Eve. By repeating the process multiple times, Alice and Bob distill a new realization of the channels with components $X^{'}$ , $Y^{'}$ , and $Z^{'}$ with an advantage over Eve in the sense that

\begin{matrix} I (X^{'}; Y^{'}) \geq I (X^{'}; Z^{'}) o r I (X^{'}; Y^{'}) \geq I (Y^{'}; Z^{'}) . \end{matrix}

(21)

Hence, it is natural to measure the performance of the protocol

C_{\hat{K E}}

in terms of the quantity

R (C_{\hat{K E}})

; that is,

\begin{array}{l} \frac{1}{n} m a x [I (X^{'}; Y^{'}) - I (X^{'}; Z^{'}), \\ I (X^{'}; Y^{'}) - I (Y^{'}; Z^{'})], \end{array}

(22)

which is called the advantage distillation rate.

In $C_{\hat{K E}}$ , after t messages $M_{1}, \dots, M_{t}$ have been exchanged, $X^{'} = Y^{'} = {X_{1}^{'}, \dots, X_{t}^{'}} = {M_{1}, \dots, M_{t}}$ , $Z^{'} = {Z_{1}^{'}, \dots, Z_{t}^{'}}$ , and $K_{t} = M_{1} \oplus \dots \oplus M_{t}$ . Hence, the advantage distillation rate satisfies

\begin{array}{l} \underset{n \to \infty}{l i m} R (C_{\hat{K E}}) \\ = \underset{n \to \infty}{l i m} \frac{1}{n} [I (X^{'}; Y^{'}) - I (X^{'}; Z^{'})] \\ = \underset{n \to \infty}{l i m} \frac{1}{n} H (X^{'} | Z^{'}) \\ = t \cdot h (δ), \end{array}

(23)

for

H (X^{'} | Z^{'}) = n \cdot t \cdot h (δ)

, if

M_{1}, \dots, M_{t}

are chosen uniformly at random. Note that, on choosing t large enough (

t > 1 / h (δ)

), the protocol achieves an advantage distillation rate of approximately 1. However, if δ is quite low, the advantage distillation rate is relatively low. On the other hand, we can also estimate the equivocation of key

K_{t}

in terms of

\begin{array}{l} E (C_{\hat{K E}}) \\ = \underset{n \to \infty}{l i m} \frac{1}{n} H (K_{t} | Z_{1}^{'}, \dots, Z_{t}^{'}) \\ \overset{(a)}{\approx} \underset{n \to \infty}{l i m} \frac{1}{n} n [1 - {(1 - \frac{1}{n})}^{n t δ}] \\ \overset{(b)}{\approx} t δ . \end{array}

(24)

Here, (

a

) holds because the optimal strategy for Eve to guess

K_{t} = M_{1} \oplus \dots \oplus M_{t}

is to compute

\hat{Z} = Z_{1}^{'} \oplus \dots \oplus Z_{t}^{'}

. For each

Z_{i}^{'}

differs from

M_{i}

n δ

positions on average, by balls and bins model,

\hat{Z}

has about

n [1 - (1 - 1 / n)^{n t δ}]

different positions from

K_{t}

. So we have

H (K_{t} | Z_{1}^{'}, \dots, Z_{t}^{'}) = n [1 - (1 - 1 / n)^{n t δ}]

; (

b

) follows from

1 - (1 - 1 / n)^{x} \to x / n

n \to \infty

Remark 2.

$E (C_{\hat{K E}}) \approx t δ$ means that Eve can get approximately no information about $K_{t}$ as t is large enough ( $t > 1 / δ$ ).

3.2. Noisy Main Channel and Wiretapper's Channel WTC $(ϵ > 0, δ > 0)$

In this subsection, we consider a realistic wireless communication system where both the wiretapper's channel and the main channel are BSCs. More specifically, the wiretapper's channel is a BSC with crossover probability δ, and the main channel is another BSC with crossover probability ϵ.

As discussed in Section 3.1, if the main channel is noiseless, Bob can receive messages sent by Alice without any bit error and refresh their secret key in the same way as Alice does. If the main channel is noisy, Alice and Bob can use an appropriate error-detecting code C and a repeating transmission strategy to alleviate the transmission error. Consider now Alice sending $X_{i} = (M_{i}, C_{i})$ to Bob over the noisy channel, where $M_{i}$ is the message to be sent and $C_{i}$ is the error-detecting code of $M_{i}$ . If a transmission error is detected, Alice retransmits it again until Bob receives the message correctly.

Assume the length of a message is n bits. The probability that a message is received correctly by Bob is $(1 - ϵ)^{n}$ . Let random variable T be the number of transmissions required until the message is correctly received by Bob; T is a geometric random variable with parameter $p = (1 - ϵ)^{n}$ . Its probability mass function is

\begin{matrix} P \{T = i\} = {[1 - {(1 - ϵ)}^{n}]}^{i - 1} {(1 - ϵ)}^{n}, i = 1,2, \dots, \end{matrix}

(25)

and its expectation is

\begin{matrix} t = E (T) = \frac{1}{{(1 - ϵ)}^{n}} . \end{matrix}

(26)

Eve, on the other hand, eavesdrops messages sent by Alice via the wiretapper's channel with bit error probability δ. The probability that a message is correctly eavesdropped by Eve is $(1 - δ)^{n}$ . If Alice retransmits a message M to Bob t times, Eve will get t noisy versions of the message M over the wiretapper's channel. Hence, the probability $P (t)$ that a message is correctly eavesdropped by Eve after it is retransmitted t times is

\begin{matrix} P (t) = 1 - {[1 - {(1 - δ)}^{n}]}^{t} . \end{matrix}

(27)

The main channel from Alice to Bob may be viewed as a noiseless channel after the message is transmitted t times, since after t times of retransmission on average Bob will get the message correctly; the wiretapper's channel thus corresponds to a BSC with bit error probability $δ^{'}$ which satisfies

\begin{matrix} {(1 - δ^{'})}^{n} = 1 - {[1 - {(1 - δ)}^{n}]}^{t} . \end{matrix}

(28)

Therefore,

\begin{matrix} δ^{'} = 1 - {\{1 - {[1 - {(1 - δ)}^{n}]}^{t}\}}^{1 / n}, \end{matrix}

(29)

where

t = 1 / (1 - ϵ)^{n}

Obviously, $δ^{'} < δ$ , which means a WTC ( $ϵ > 0$ , $δ > 0$ ) can be transformed into a WTC ( $ϵ = 0$ , $δ^{'} > 0$ ) with a noiseless conceptual main channel and a conceptual wiretapper's channel with smaller bit error probability $δ^{'} < δ$ . Even when the wiretapper's channel is much more reliable than the main channel, Eve cannot avoid at least a small bit error probability.

Examples 3.

Assume $n = 10000$ and $ϵ = 1 \times 1 0^{- 4}$ . When $δ = 1 \times 1 0^{- 4}$ , then $δ^{'} = 3.3887 \times 1 0^{- 5}$ ; when $δ = 1 \times 1 0^{- 3}$ , $δ^{'} = 9.0009 \times 1 0^{- 4}$ ; when $δ = 1 \times 1 0^{- 5}$ , $δ^{'} = 1.6727 \times 1 0^{- 7}$ .

However, for each message m, Eve can get $t = 1 / (1 - ϵ)^{n}$ received strings, the noisy versions of the message m. Any n-bit string can be reconstructed with high probability by using sufficient traces [20]. In a BSC with bit error probability δ, to reconstruct an unknown sequence $x = (x_{1}, \dots, x_{n}) \in {0,1, \dots, q - 1}^{n}$ when knowing N different sequences $y_{1}, \dots, y_{N} \in {0,1, \dots, q - 1}^{n}$ , where each of which differs from x in at most k components, the minimum number N equals

\begin{matrix} N = q \sum_{i = 1}^{k - 1} (\begin{pmatrix} n - 1 \\ i \end{pmatrix}) {(q - 1)}^{i} + 1 . \end{matrix}

(30)

Therefore, if Eve has eavesdropped N different traces of message m and satisfies the condition

\begin{matrix} \frac{1}{{(1 - ϵ)}^{n}} < \sum_{i = 1}^{k - 1} (\begin{pmatrix} n - 1 \\ i \end{pmatrix}) + 1, w h e r e k ≃ n δ, \end{matrix}

(31)

then Eve cannot reconstruct the message with high probability.

4. Artificial Noise to Confuse Adversaries

Cooperative jamming, or artificial noise [17, 18], by which one or more legitimate transmitters send jamming signals to increase the confusion of the adversaries, can be used effectively to increase the secrecy capacity in multiuser channels.

Along this line, if Bob can impersonate Alice to send forged messages and Eve cannot distinguish the sources of messages, Bob can cause further confusion of Eve. Eve receives a mixture of messages from Alice and forged messages from Bob. From her perspective, every message is equally likely and she cannot do better than randomly guessing the sources of each message.

For simplicity, let $ϵ = δ = 0$ . If Alice has transmitted i messages $M = {M_{1}, \dots, M_{i}}$ and Bob has injected j forged messages $\bar{M} = {{\bar{M}}_{1}, \dots, {\bar{M}}_{j}}$ , the legitimate parties can distill a secret key $K = M_{1} + \dots + M_{i}$ . Let $t = i + j$ ; Eve has to guess K out of $T = \sum_{k = 1}^{t} (\begin{smallmatrix} t \\ k \end{smallmatrix})$ alternative keys. For instance, if $t = 3$ and $i = 1$ , $T = 9$ , Eve only has to guess 9 times to get the secret keys, that is, $H (K | M \bar{M}) = l o g 9$ bits. Hence, it is natural to increase T to enhance the security.

For $T = \sum_{k = 1}^{t} (\begin{smallmatrix} t \\ k \end{smallmatrix}) = 2^{t} - 1$ ,

\begin{matrix} H (K | M \bar{M}) = l o g (2^{t} - 1) \approx t . \end{matrix}

(32)

Therefore, if

t > n

and the forged messages

\bar{M}

are distributed uniformly among all messages

M + \bar{M}

, the secret key is perfect secret.

For some cases, Eve may not choose all subset of messages received to construct secret keys. Without loss of optimality she can choose all subset of messages whose cardinality is less than $t / 2$ if she knows a priori that there are at most $t / 2$ forged messages in $M + \bar{M}$ . For example, if $i = |M| = 1$ , she can obtain the secret key with probability $1 / t$ ; that is, $H (K | M \bar{M}) = l o g t$ .

For simplicity, let $i \leq t / 3$ , $T_{i} = \sum_{k = 1}^{i} (\begin{smallmatrix} t \\ k \end{smallmatrix}) < n$ . It is straightforward that $(\begin{smallmatrix} n \\ i - 1 \end{smallmatrix}) = (i / (n - i + 1)) (\begin{smallmatrix} n \\ i \end{smallmatrix})$ and therefore $(\begin{smallmatrix} n \\ i - 1 \end{smallmatrix}) < (1 / 2) (\begin{smallmatrix} n \\ i \end{smallmatrix})$ for $i \leq n / 3$ . This implies $(\begin{smallmatrix} n \\ i - j \end{smallmatrix}) < 2^{j} (\begin{smallmatrix} n \\ i \end{smallmatrix})$ for $i \leq n / 3$ and $0 \leq j \leq i$ , from which the bound

\begin{matrix} \sum_{i = 1}^{k} (\begin{pmatrix} n \\ i \end{pmatrix}) < (\begin{pmatrix} n \\ k \end{pmatrix}) \sum_{i = 1}^{k} 2^{- i} < 2 (\begin{pmatrix} n \\ k \end{pmatrix}), \end{matrix}

(33)

for any

k \leq n / 3

, holds. The approximation of

(\begin{smallmatrix} n \\ i \end{smallmatrix})

, by the binary entropy function

\begin{matrix} \frac{1}{\sqrt{8 i (1 - i / n)}} \leq (\begin{pmatrix} n \\ i \end{pmatrix}) 2^{- n h (i / n)} \leq \frac{1}{\sqrt{π i (1 - i / n)}}, \end{matrix}

(34)

implies that

(1 / \sqrt{3 n}) 2^{n h (i / n)} \leq (\begin{smallmatrix} n \\ i \end{smallmatrix}) \leq 2^{n h (i / n)}

for

i \leq n / 3

. Thus,

\begin{matrix} \sum_{i = 1}^{k} (\begin{pmatrix} n \\ i \end{pmatrix}) < 2 (\begin{pmatrix} n \\ k \end{pmatrix}) \leq 2 \cdot 2^{n h (i / n)} = 2^{n h (i / n) + 1} . \end{matrix}

(35)

By applying result (35), we have

\begin{matrix} T_{i} = \sum_{k = 1}^{i} (\begin{pmatrix} t \\ k \end{pmatrix}) < 2^{t h (i / t) + 1} . \end{matrix}

(36)

Therefore,

\begin{matrix} H (K | M \bar{M}) < l o g T_{i} < t h (\frac{i}{t}) + 1 . \end{matrix}

(37)

In general, Bob's optimal strategy to generate noise is to inject j forged messages ${\bar{M}}_{1}, \dots, {\bar{M}}_{j}$ into messages $M_{1}, \dots, M_{i}$ uniformly and let $i = j$ on average. Consequently, on reception of a message $M_{i}$ from Alice, Bob chooses a random value $q \in (2, t)$ and generates F forged messages, where F is a random variable, taking on one of the values $0,1, 2, \dots, t - 1$ and $P {F = i} = 1 / q$ for $i = 0,1, 2, \dots, t - 1$ .

5. k-Resistant Encryption

Symmetric encryption algorithm uses a secret key shared between the legitimate parties to encrypt and decrypt messages. If some bit errors occur to the secret key held by one of parties, we have to discard it and negotiate a new secret key. Unlike a symmetric encryption scheme, in which the legitimate parties are in possession of a shared secret key, a k-resistant encryption scheme (k-RES) uses different keys to encrypt and decrypt messages provided there are at most k discrepancies of n-bit between two keys.

5.1. Problem Description

Let $V = {0,1}$ and let $V^{n}$ be the set of n-tuples over V; that is,

\begin{matrix} V^{n} = \{[x_{1}, x_{2}, \dots, x_{n}] | x_{i} \in V, i = 1,2, \dots, n\} . \end{matrix}

(38)

For

X = [x_{1}, x_{2}, \dots, x_{n}] \in V^{n}

and

Y = [y_{1}, y_{2}, \dots, y_{n}] \in V^{n}

, the Hamming distance

d_{H} (X, Y)

between X and Y is the number of coordinates in which they differ; that is,

d_{H} (X, Y) = |{i | x_{i} \neq y_{i}}|

Formally, a k-resistant encryption scheme (k-RES) is defined as follows.

Definition 4 (k-resistant encryption scheme).

An encryption scheme is called k-resistant if the following conditions are satisfied. (1)

Decodable Condition. Alice encrypts a plaintext message $M \in {0,1}^{m}$ to a ciphertext $C \in {0,1}^{q}$ using her secret key $K_{A} \in {0,1}^{n}$ ( $n > m$ ), and Bob can decrypt C with his key $K_{B} \in {0,1}^{n}$ if there are at most k bits which differ between $K_{A}$ and $K_{B}$ ; that is,

\begin{matrix} H (M | K_{A} C) = H (M | K_{B} C) = 0 \end{matrix}

(39)

if $d_{H} (K_{A}, K_{B}) \leq k .$

(2)

Security Condition. Eve can only obtain a negligible amount of information about M if her key $K_{E}$ satisfies $d_{H} (K_{A}, K_{E}) > k$ ; that is,

\begin{matrix} H (M | K_{E} C) = H (M) i f d_{H} (K_{A}, K_{E}) > k . \end{matrix}

(40)

The decodable condition guarantees that anyone with a key K satisfying $d_{H} (K_{A}, K) \leq k$ can recover the message. The security condition, on the other hand, ensures that Eve can obtain no information about the message if $d_{H} (K_{A}, K_{E}) > k$ .

Intuitively, a k-RES can be viewed as a wiretap channel in which Alice sends secret information to Bob virtually in the main channel, and the adversary Eve receives Alice's output through an independent wiretapper channel.

To send a message X to Bob, Alice sends $X \oplus K_{A}$ instead. Bob computes $Y = X \oplus K_{A} \oplus K_{B}$ and thus obtains X with error pattern $K_{A} \oplus K_{B}$ and bit error probability $ϵ = a / n$ for $d_{H} (K_{A}, K_{B}) = a$ . Eve, on the other hand, can compute $Z = X \oplus K_{A} \oplus K_{E}$ , which is equivalent to receiving X over a wiretapper's channel with bit error probability $δ = b / n$ (for $d_{H} (K_{A}, K_{E}) = b$ ). Thus, the bit error probabilities of the conceptual main channel and Eve's conceptual channel are $ϵ = a / n$ and $δ = b / n$ , respectively. Because $a \leq k$ and $b > k$ , then $ϵ < δ$ , which implies that the main channel is less noisy than the wiretapper's channel; therefore, the secrecy capacity $C_{S}$ of the conceptual wiretap channel [2]

\begin{matrix} C_{S} = \underset{P_{X} (x)}{m a x} [I (X; Y) - I (X; Z)] . \end{matrix}

(41)

It was further shown in [21] that if $I (X; Y)$ and $I (X; Z)$ are individually maximized by the same $P_{X} (x)$ , and the main channel is less noisy than the wiretapper's channel, $C_{S} = C a p a c i t y (X \to Y) - C a p a c i t y (X \to Z)$ . Consider a k-RES; it can be viewed as a broadcast channel in which the main channel and the wiretapper's channel are binary symmetric channels with bit error probabilities ϵ and δ, respectively, and $ϵ < δ$ . The secrecy capacity is $C_{S} = h (δ) - h (ϵ) .$

Suppose Alice and Bob try to securely communicate a m-bit message M across the main channel; Alice encodes $M \in {0,1}^{m}$ into an n-bit word $X \in {0,1}^{n}$ . We have

\begin{matrix} \frac{m}{n} = C_{S} = h (δ) - h (ϵ), \end{matrix}

(42)

and then

\begin{matrix} m = n [h (δ) - h (ϵ)] = n [h (\frac{b}{n}) - h (\frac{a}{n})] . \end{matrix}

(43)

Notice that $k < b \leq n / 2$ , $h (k / n) < h (b / n)$ ; we have

\begin{matrix} m > n [h (\frac{k}{n}) - h (\frac{a}{n})] . \end{matrix}

(44)

The secrecy capacity of k-RES depends on parameters a and k. The less the value $d_{H} (K_{A}, K_{B}) = a$ is, the more the information can be encrypted. On the other hand, there are situations in which the bound is tighter. If we know the value b exactly, we can get the upper bound of m; that is, $m \leq n [h (b / n) - h (a / n)]$ , since $h (δ) - h (ϵ)$ is the upper bound of $C_{S}$ .

5.2. Construction Methods

A trivial k-RES can be constructed by a classic error-correcting code. We can choose (n, m) error-correcting code, which maps a message $M \in {0,1}^{m}$ to a codeword $C \in {0,1}^{n}$ and can correct at most k-bit errors. In order to encrypt a message M of m-bit, Alice transmits $C \oplus K_{A}$ to Bob. Bob computes $\bar{C} = C \oplus K_{A} \oplus K_{B}$ which differs from C in $d_{H} (K_{A}, K_{B})$ bits. If $d_{H} (K_{A}, K_{B}) < k$ , Bob can correct the errors and recover the message M.

Eve, on the other hand, cannot get the message correctly, since what she can obtain is $\hat{C} = C \oplus K_{A} \oplus K_{E}$ which differs from C in $d_{H} (K_{A}, K_{E}) > k$ bits.

Next we estimate the amount of information that this solution of k-RES can handle. In general, a linear ( $n, m$ ) block code, such as Hamming code, which can correct k-bit errors should satisfy the following bound:

\begin{matrix} n - m \geq l o g [\sum_{i = 0}^{k} (\begin{pmatrix} n \\ i \end{pmatrix})] . \end{matrix}

(45)

Hence, if $k ≪ n$ , $(\begin{smallmatrix} n \\ k - 1 \end{smallmatrix}) < (\begin{smallmatrix} n \\ k \end{smallmatrix})$ , and $2 (\begin{smallmatrix} n \\ k \end{smallmatrix}) > \sum_{i = 1}^{k} (\begin{smallmatrix} n \\ i \end{smallmatrix}) > (\begin{smallmatrix} n \\ k \end{smallmatrix})$ , we obtain

\begin{array}{l} m \leq n - l o g [\sum_{i = 0}^{k} (\begin{pmatrix} n \\ i \end{pmatrix})] < n - l o g (\begin{pmatrix} n \\ k \end{pmatrix}) \\ \overset{(a)}{\approx} n - n h (\frac{k}{n}) = n [1 - h (\frac{k}{n})], \end{array}

(46)

where (

a

) follows from

(\begin{smallmatrix} n \\ k \end{smallmatrix}) ~ 2^{n h (k / n)}

for

k ≪ n

This solution can be used to construct k-RES when few errors are more likely to occur. The error-correcting code may also give some side information to Eve. From a practical perspective, the design of a k-RES turns out to be a problem of the construction of codes for a wiretap channel, so we can use the method that was introduced by Wyner and Ozarow [1, 22] to construct k-RES.

Consider a stochastic coding method consisting of a linear code and its cosets. To transmit m-bit message, we first select a ( $n, n - m$ ) linear binary code C; let each message correspond to a chosen coset out of the $2^{m}$ cosets of C. The overall encoding operation can be described as a matrix multiplication. Suppose $G \in G F (2)^{(n - m) \times n}$ is a generator matrix for C, and its parity-check matrix is $H \in G F (2)^{m \times n}$ . We select m linearly independent vector $h_{1}, \dots, h_{m}$ from ${0,1}^{n} ∖ C$ . A m-bit message $S = [s_{1}, \dots, s_{m}]$ is encoded into a n-bit word randomly selected from the coset C corresponding to S. Formally, an encoder maps S to a word as

\begin{matrix} S ⟼ ({G^{'}}^{T} G^{T}) (\begin{pmatrix} S \\ V \end{pmatrix}), \end{matrix}

(47)

where the transpose of G is denoted by

G^{T}

, the vector

V \in G F (2)^{n - m}

is chosen uniformly at random, and

G^{'}

is a matrix whose rows are the vectors

h_{1}^{T}, \dots, h_{m}^{T}

A decoder maps a word X to a message as $x \mapsto H x$ .

Though the above correspondence is deterministic, the encoding procedure has a random component in the selection of the transmitted word. The message S can be determined without error across the main channel, and every S is equally likely across the wiretapper's channel. For an eavesdropper who can observe a set of μ bits, if all submatrices of G with μ columns have rank μ, the above coset coding guarantees perfect secrecy against the eavesdropper [22]. Guided by this result, we could choose C as a capacity-achieving code to design a k-RES.

Remarks 5.

A binary wiretap channel model in which the wiretapper is known to access no more than μ of n transmitted bits is called a wiretap channel of type II. The equivalent wiretap channel of k-RES differs from wiretap channel of type II in that the eavesdropper cannot in principle choose which μ bits are observed. In a k-RES, for $K_{A} \oplus K_{E}$ is constant, the eavesdropper can only observe $μ = n - b$ bits in fixed positions ( $i_{1}, \dots, i_{μ}$ ).

According to [22], let $C_{0}$ be a (n, $n - m$ ) binary linear code with generator matrix G, and let $g_{i}$ denote the ith column of G. Let z be an observation of the eavesdropper with μ unerased bits in positions ( $i_{1}, \dots, i_{μ}$ ); then z is secured by $C_{0}$ if and only if the matrix $G_{μ} ≜ (g_{i_{1}}, \dots, g_{i_{μ}})$ has rank μ.

Theoretically, if we use coset coding to construct a k-RES, we only need to select a generator matrix G whose submatrix $G_{μ}$ has rank $μ = n - k$ . Nevertheless, for we do not know the error pattern $K_{A} \oplus K_{E}$ of Eve, that is, the positions ( $i_{1}, \dots, i_{μ}$ ) are unknown, we have to select a generator matrix G whose submatrices with $μ = n - k$ columns all have rank μ.

Note that Eve's observation contains a number of bits in fixed positions; her ability is restricted compared with the eavesdropper in a wiretap channel of type II. Intuitively, a code designed for this wiretap channel may achieve rates arbitrarily approximate to the secrecy capacity, but how to design such code is still unknown.

In [23, 24], Dodis et al. considered a notion of fuzzy extractor. Their construction can be rephrased to give a construction of k-RES. fuzzy extractors allow one to extract some randomness R from ω and then successfully reproduce R from any string $ω^{'}$ that is close to ω. The reproduction uses the helper string P produced during the initial extraction; yet P need not remain secret, because R looks truly random even given P.

Construction ofk-RES from Fuzzy Extractors. On input of a message $M \in {0,1}^{m}$ , and $K_{A}, K_{B} \in {0,1}^{n}$ , select an $(n, e, q, k, ε)$ -fuzzy extractor with a pair of randomized procedures, Gen and Rep. (i)

The generation procedure Gen on input $K_{A} \in {0,1}^{n}$ outputs an extracted string $R \in {0,1}^{q}$ and a helper string $P \in {0,1}^{*}$ . Then we obtain the encrypted message $\bar{M} = M \oplus R$ and a public string P.

(ii)

To decrypt $\bar{M}$ , the reproduction procedure Rep takes $K_{B} \in {0,1}^{n}$ and the public string $P \in {0,1}^{*}$ as inputs. If $d_{H} (K_{A}, K_{B}) \leq k$ , then Rep $(K_{B}, P) = R$ ; otherwise, no guarantee is provided about the output of Rep. Then we get message $M = \bar{M} \oplus R$ .

(iii)

The security property of fuzzy extractor guarantees that, for any distribution $K_{A}$ or $K_{B} \in {0,1}^{n}$ of min-entropy e, the string R is nearly uniform even for those who observe P: if $(R, P) \leftarrow$ Gen $(K_{A})$ , then $S D ((R, P), (U_{l}, P)) < ε$ , where $S D (A, B) = (1 / 2) \sum_{v} ‖P r (A = v) - P r (B = v)‖$ is the statistical distance between two probability distributions A and B and $U_{l}$ denotes the uniform distribution on l-bit binary strings.

6. Conclusions

Key evolution seems realistic because current wireless communication is prevailing and the channel is noisy. Even if Eve uses a much better receiving antenna she cannot avoid at least a small bit error probability. The noise allows for the construction of information theoretically secure cryptographic protocols.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to thank the reviewers for their valuable comments and discussions. This work is partly supported by the Key Program of NSFC-Guangdong Union Foundation (U1135002) and National Natural Science Foundations of China (61100235, 61173135, 61100230, 61100233, 61202389, and 61202390).

References

Wyner

A. D.

The wire-tap channel

The Bell System Technical Journal 1975 54 8 1355 1387

10.1002/j.1538-7305.1975.tb02040.x

MR0408979

ZBL0316.94017

2-s2.0-0016562514

Csiszar

Korner

Broadcast channels with confidential messages

IEEE Transactions on Information Theory 1978 24 3 339 348

10.1109/TIT.1978.1055892

MR493646

2-s2.0-0017973511

Bloch

Barros

Rodrigues

M. R. D.

McLaughlin

S. W.

Wireless information-theoretic security

IEEE Transactions on Information Theory 2008 54 6 2515 2534

10.1109/TIT.2008.921908

MR2449259

2-s2.0-45249104850

Shiu

Y.-S.

Chang

S. Y.

H.-C.

Huang

S. C.-H.

Chen

H.-H.

Physical layer security in wireless networks: a tutorial

IEEE Wireless Communications 2011 18 2 66 74

10.1109/MWC.2011.5751298

2-s2.0-79955372872

Xiao

Gong

Towsley

Secure wireless communication with dynamic secrets

Proceedings of the IEEE INFOCOM

March 2010

San Diego, Calif, USA

1 9

10.1109/INFCOM.2010.5461974

2-s2.0-77953313388

Koyluoglu

O. O.

Koksal

C. E.

El Gamal

On secrecy capacity scaling in wireless networks

IEEE Transactions on Information Theory 2012 58 5 3000 3015

10.1109/TIT.2012.2184692

MR2952529

2-s2.0-84860255627

Pinto

P. C.

Barros

Win

M. Z.

Secure communication in stochastic wireless networks—part II: maximum rate and collusion

IEEE Transactions on Information Forensics and Security 2012 7 1 139 147

10.1109/TIFS.2011.2165947

2-s2.0-84855911932

Safaka

Fragouli

Argyraki

Diggavi

Exchanging pairwise secrets efficiently

Proceedings of the IEEE INFOCOM

2013

2265 2273

Lai

L. F.

Gamal

H. E.

Poor

H. V.

The wiretap channel with feed-back: encryption over the channel

IEEE Transactionson Information Theory 2008 54 11 5059 5067

10.

Csiszar

Narayan

Secrecy capacities for multiterminal channel models

IEEE Transactions on Information Theory 2008 54 6 2437 2452

10.1109/TIT.2008.921705

11.

Oggier

Hassibi

The secrecy capacity of the MIMO wiretap channel

IEEE Transactions on Information Theory 2011 57 8 4961 4972

MR2849098

10.1109/TIT.2011.2158487

2-s2.0-79960996804

12.

Bloch

Barros

Physical-Layer Security: From Information Theory to Security Engineering 2011

Cambridge, UK

Cambridge University Press

10.1017/CBO9780511977985

MR2858337

13.

Khan

M. K.

Zhang

An efficient and practical fingerprint-based remote user authentication scheme with smart cards

Information Security Practice and Experience 2006 3903

Berlin, Germany

Springer

260 268 Lecture Notes in Computer Science

14.

Maurer

U. M.

Secret key agreement by public discussion from common information

IEEE Transactions on Information Theory 1993 39 3 733 742

10.1109/18.256484

MR1237712

2-s2.0-0027599802

15.

Ahlswede

Csiszár

Common randomness in information theory and cryptography. I. Secret sharing

IEEE Transactions on Information Theory 1993 39 4 1121 1132

10.1109/18.243431

MR1267151

2-s2.0-0027629488

16.

van Assche

Cardinal

Cerf

N. J.

Reconciliation of a quantum-distributed gaussian key

IEEE Transactions on Information Theory 2004 50 2 394 400

10.1109/TIT.2003.822618

2-s2.0-1442337635

MR2044088

17.

Vilela

J. P.

Bloch

Barros

McLaughlin

S. W.

Wireless secrecy regions with friendly jamming

IEEE Transactions on Information Forensics and Security 2011 6 2 256 266

10.1109/TIFS.2011.2111370

2-s2.0-79957465600

18.

Goel

Negi

Guaranteeing secrecy using artificial noise

IEEE Transactions on Wireless Communications 2008 7 6 2180 2189

10.1109/TWC.2008.060848

2-s2.0-45849133457

19.

Forney

J. G. D.

On the role of MMSE estimation in approaching the information-theoretic limits of linear Gaussian channels: shannon meets wiener

Proceedings of the Allerton Conference Communication, Control, and Computing

October 2003

Monticello, Ill, USA

ACM

430 439

20.

Levenshtein

V. I.

Efficient reconstruction of sequences

IEEE Transactions on Information Theory 2001 47 1 2 22

10.1109/18.904499

MR1819952

2-s2.0-0035089745

21.

Van Dijk

On a special class of broadcast channels with confidential messages

IEEE Transactions on Information Theory 1997 43 2 712 714

ZBL0872.94021

10.1109/18.556128

2-s2.0-0031103783

22.

Ozarow

L. H.

Wyner

A. D.

Wire-tap channel II

209

Proceedings of the EUROCRYPT 84 Workshop on Advances in Cryptology: Theory and Application of Cryptographic Techniques

1985

Paris, France

Springer

33 51 Lecture Notes in Computer Science

23.

Dodis

Smith

Correcting errors without leaking partial information

Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC ′05) 2005

ACM

654 663

10.1145/1060590.1060688

MR2181670

2-s2.0-34848837353

24.

Dodis

Kanukurthi

Katz

Smith

Robust fuzzy extractors and authenticated key agreement from close secrets

IEEE Transactions on Information Theory 2012 58 9 6207 6222

10.1109/TIT.2012.2200290

MR2966087

2-s2.0-84865393678

On Key Evolution over Wireless Channels

Abstract

1. Introduction

2. Preliminaries

3. Key Evolution

3.1. Noiseless Main Channel and Binary Symmetric Wiretapper's Channel WTC ( ϵ = 0 , δ > 0 )

Remarks 1.

Remark 2.

3.2. Noisy Main Channel and Wiretapper's Channel WTC ( ϵ > 0 , δ > 0 )

Examples 3.

4. Artificial Noise to Confuse Adversaries

5. k-Resistant Encryption

5.1. Problem Description

Definition 4 (k-resistant encryption scheme).

5.2. Construction Methods

Remarks 5.

6. Conclusions

Footnotes

Conflict of Interests

Acknowledgments

References

3.1. Noiseless Main Channel and Binary Symmetric Wiretapper's Channel WTC $(ϵ = 0, δ > 0)$

3.2. Noisy Main Channel and Wiretapper's Channel WTC $(ϵ > 0, δ > 0)$