|
|
| Line 1: |
Line 1: |
| A [[cryptosystem]] is '''information-theoretically secure''' if its security derives purely from [[information theory]]. That is, it cannot be broken even when the [[Adversary (cryptography)|adversary]] has unlimited computing power. The adversary simply does not have enough [[information theory|information]] to break the encryption, so these cryptosystems are considered [[cryptanalysis|cryptanalytically]] unbreakable. An encryption protocol that has information-theoretic security does not depend for its effectiveness on unproven assumptions about computational hardness, and such an algorithm is not vulnerable to future developments in computer power such as [[quantum computer|quantum computing]]. An example of an information-theoretically secure cryptosystem is the [[one-time pad]]. The concept of information-theoretically secure communication was introduced in 1949 by American mathematician [[Claude Shannon]], the inventor of [[information theory]], who used it to prove that the one-time pad system was secure.<ref name="Shannon">{{cite journal
| | Hi there. My title is Sophia Meagher although it is not the name on my beginning certificate. He is an information officer. To climb is some thing I really appreciate doing. Her family life in Ohio.<br><br>Also visit my web blog [http://www.singingrevolution.org/profile.php?u=ShRoy phone psychic] |
| | last = Shannon
| |
| | first = Claude E.
| |
| | title = Communication Theory of Secrecy Systems
| |
| | journal = Bell System Technical Journal
| |
| | volume = 28
| |
| | issue = 4
| |
| | pages = 656–715
| |
| | publisher = AT&T Corporation
| |
| | location = USA
| |
| | date = October 1949
| |
| | url = http://www3.alcatel-lucent.com/bstj/vol28-1949/articles/bstj28-4-656.pdf
| |
| | issn =
| |
| | doi =
| |
| | id =
| |
| | accessdate = 2011-12-21}}</ref> Information-theoretically secure cryptosystems have been used for the most sensitive governmental communications, such as [[diplomatic cable]]s and high-level military communications, because of the great efforts enemy governments expend toward breaking them.
| |
| | |
| An interesting special case is '''perfect security''': an encryption algorithm is perfectly secure if a [[ciphertext]] produced using it provides no information about the [[plaintext]] without knowledge of the [[key (cryptography)|key]]. If ''E'' is a perfectly secure encryption function, for any fixed message ''m'' there must exist for each ciphertext ''c'' at least one key ''k'' such that <math>c = E_k(m)</math>. It has been proven that any cipher with the perfect secrecy property must use keys with effectively the same requirements as [[one-time pad]] keys.<ref name="Shannon" />
| |
| | |
| It is common for a cryptosystem to leak some information but nevertheless maintain its security properties even against an adversary that has unlimited computational resources. Such a cryptosystem would have information theoretic but not perfect security. The exact definition of security would depend on the cryptosystem in question.
| |
| | |
| There are a variety of cryptographic tasks for which information-theoretic security is a meaningful and useful requirement. A few of these are:
| |
| # [[Secret sharing]] schemes such as [[Shamir's Secret Sharing|Shamir's]] are information-theoretically secure (and also perfectly secure) in that less than the requisite number of shares of the [[secrecy|secret]] provide no information about the secret.
| |
| # More generally, [[secure multiparty computation]] protocols often, but not always have information theoretic security.
| |
| # [[Private information retrieval]] with multiple databases can be achieved with information-theoretic privacy for the user's query.
| |
| # [[Reduction (complexity)|Reductions]] between cryptographic primitives or tasks can often be achieved information-theoretically. Such reductions are important from a theoretical perspective, because they establish that primitive <math>\Pi</math> can be realized if primitive <math>\Pi'</math> can be realized.
| |
| # [[Symmetric encryption]] can be constructed under an information-theoretic notion of security called [[entropic security]], which assumes that the adversary knows almost nothing about the message being sent. The goal here is to hide ''all functions'' of the plaintext rather than all information about it.
| |
| # [[Quantum cryptography]] is largely part of information-theoretic cryptography.
| |
| | |
| ==Physical layer encryption==
| |
| A weaker notion of security defined by A. Wyner established a now flourishing area of research known as physical layer encryption.<ref>{{cite web| title=Information Theoretic Security|url=http://itsecurity.orgfree.com/|last=Koyluoglu|date=16 July 2010|accessdate=11 August 2010}}</ref> This exploits the physical wireless channel for its security by communications, signal processing, and coding techniques. The security is provable, unbreakable, and quantifiable (in bits/second/hertz).
| |
| | |
| Wyner's initial physical layer encryption work in the 1970s posed the Alice – Bob – Eve problem in which Alice wants to send a message to Bob without Eve decoding it. It was shown that if the channel from Alice to Bob is statistically better than the channel from Alice to Eve, secure communication is possible.<ref name="Wyner">{{cite journal
| |
| | last = Wyner
| |
| | first = A. D.
| |
| | title = The Wire-Tap Channel
| |
| | journal = Bell System Technical Journal
| |
| | volume = 54
| |
| | issue = 8
| |
| | pages = 1355–1387
| |
| | publisher = AT&T Corporation
| |
| | date = October 1975
| |
| | url = http://www3.alcatel-lucent.com/bstj/vol54-1975/articles/bstj54-8-1355.pdf
| |
| | issn =
| |
| | doi =
| |
| | id =
| |
| | accessdate = 2013-04-11}}</ref> This is intuitive, but Wyner measured the secrecy in information theoretic terms defining secrecy capacity, which essentially is the rate at which Alice can transmit secret information to Bob. Shortly after, Csiszár and Körner showed that secret communication was possible even when Eve had a statistically better channel to Alice than did Bob.<ref name="Csiszar">{{cite journal
| |
| | last1 = Csiszár
| |
| | first1 = I.
| |
| | last2 = Körner
| |
| | first2 = J.
| |
| | title = Broadcast Channels with Confidential Messages
| |
| | journal = IEEE Transactions on Information Theory
| |
| | volume = IT-24
| |
| | issue = 3
| |
| | pages = 339–348
| |
| | publisher = IEEE
| |
| | date = May 1978
| |
| | url =
| |
| | issn =
| |
| | doi =
| |
| | id =
| |
| | accessdate = }}</ref>
| |
| More recent theoretical results are concerned with determining the secrecy capacity and optimal power allocation in broadcast fading channels.<ref name="Liang">{{cite journal
| |
| | last1 = Liang
| |
| | first1 = Yingbin
| |
| | last2 = Poor
| |
| | first2 = Vincent
| |
| | last3 = Shamai (Shitz)
| |
| | first3 = Shlomo
| |
| | title = Secure Communication Over Fading Channels
| |
| | journal = IEEE Transactions on Information Theory
| |
| | volume = 54
| |
| | issue = 6
| |
| | pages = 2470–2492
| |
| | publisher = IEEE
| |
| | date = June 2008
| |
| }}</ref><ref name="Gopala">{{cite journal
| |
| | last1 = Gopala
| |
| | first1 = P.
| |
| | last2 = Lai
| |
| | first2 = L.
| |
| | last3 = El Gamal
| |
| | first3 = H.
| |
| | title = On the Secrecy Capacity of Fading Channels
| |
| | journal = IEEE Transactions on Information Theory
| |
| | volume = 54
| |
| | issue = 10
| |
| | pages = 4687–4698
| |
| | publisher = IEEE
| |
| | date = October 2008
| |
| }}</ref>
| |
| There are caveats, as many capacities are not computable unless the assumption is made that Alice knows the channel to Eve. If this were known, Alice could simply place a null in Eve's direction. Secrecy capacity for [[MIMO]] and multiple colluding eavesdroppers is more recent and ongoing work,<ref name="Khisti">{{cite journal
| |
| | last1 = Khisti
| |
| | first1 = Ashish
| |
| | last2 = Wornell
| |
| | first2 = Gregory
| |
| | title = Secure Transmission with Multiple Antennas II: The MIMOME Wiretap Channel
| |
| | journal = IEEE Transactions on Information Theory
| |
| | volume = 56
| |
| | issue = 11
| |
| | pages = 5515–5532
| |
| | publisher = IEEE
| |
| | date = November 2010
| |
| }}</ref><ref name="Oggier">{{cite journal
| |
| | last1 = Oggier
| |
| | first1 = F.
| |
| | last2 = Hassibi
| |
| | first2 = B.
| |
| | title = The Secrecy Capacity of the MIMO Wiretap Channel
| |
| | journal = IEEE Transactions on Information Theory
| |
| | volume = 57
| |
| | issue = 8
| |
| | pages = 4961–4972
| |
| | publisher = IEEE
| |
| | date = August 2011
| |
| }}</ref> and these results still make the non-useful assumption about eavesdropper channel state information knowledge.
| |
| | |
| Still other work is less theoretical and attempts to compare implementable schemes. One physical layer encryption scheme is to broadcast artificial noise in all directions except that of Bob's channel, basically jamming Eve. One paper by Negi and Goel details the implementation, and Khisti and Wornell computed the secrecy capacity when only statistics about Eve's channel are known.<ref name="Negi">{{cite journal
| |
| | last1 = Negi
| |
| | first1 = R.
| |
| | last2 = Goel
| |
| | first2 = S.
| |
| | title = Guaranteeing secrecy using artificial noise
| |
| | journal = IEEE Transactions on Wireless Communications
| |
| | volume = 7
| |
| | issue = 6
| |
| | pages = 2180–2189
| |
| | publisher = IEEE
| |
| | year = 2008
| |
| }}</ref><ref name="KhistiMISOME">{{cite journal
| |
| | last1 = Khisti
| |
| | first1 = Ashish
| |
| | last2 = Wornell
| |
| | first2 = Gregory
| |
| | title = Secure transmission with multiple antennas I: The MISOME wiretap channel
| |
| | journal = IEEE Transactions on Information Theory
| |
| | volume = 56
| |
| | issue = 7
| |
| | pages = 3088–3104
| |
| | publisher = IEEE
| |
| | date = Jul 2010
| |
| }}</ref>
| |
| | |
| Parallel to this work in the information theory community is work in the antenna community that has been termed near-field direct antenna modulation or directional modulation.<ref name="Daly">{{cite journal
| |
| | last1 = Daly
| |
| | first1 = M.P.
| |
| | last2 = Bernhard
| |
| | first2 = J.T.
| |
| | title = Directional modulation technique for phased arrays
| |
| | journal = IEEE Transactions on Antennas and Propagation
| |
| | volume = 57
| |
| | issue =
| |
| | pages = 2633–2640
| |
| | publisher = IEEE
| |
| | date = Sep 2009
| |
| }}</ref>
| |
| It was shown that by using a parasitic array, the transmitted modulation in different directions could be controlled independently.<ref name="Babakhani">{{cite journal
| |
| | last1 = Babakhani
| |
| | first1 = A.
| |
| | last2 = Rutledge
| |
| | first2 = D.B.
| |
| | last3 = Hajimiri
| |
| | first3 = A.
| |
| | title = Transmitter architectures based on near-field direct antenna modulation
| |
| | journal = IEEE Journal Solid-State Circuits
| |
| | volume = 76
| |
| | issue = 12
| |
| | pages = 2674–2692
| |
| | publisher = IEEE
| |
| | date = Dec 2008
| |
| }}</ref>
| |
| Secrecy could be realized by making the modulations in undesired directions difficult to decode. Directional modulation data transmission was experimentally demonstrated using a phased array.<ref name="Daly2">{{cite journal
| |
| | last1 = Daly
| |
| | first1 = M.P.
| |
| | last2 = Daly
| |
| | first2 = E.L.
| |
| | last3 = Bernhard
| |
| | first3 = J.T.
| |
| | title = Demonstration of directional modulation using a phased array
| |
| | journal = IEEE Transactions on Antennas and Propagation
| |
| | volume = 58
| |
| | issue =
| |
| | pages = 1545–1550
| |
| | publisher = IEEE
| |
| | date = May 2010
| |
| }}</ref>
| |
| Others have demonstrated directional modulation with switched arrays and phase-conjugating lenses.<ref name="Hong">{{cite journal
| |
| | last1 = Hong
| |
| | first1 = T.
| |
| | last2 = Song
| |
| | first2 = M.-Z.
| |
| | last3 = Liu
| |
| | first3 = Y.
| |
| | title = RF directional modulation technique using a switched antenna array for physical layer secure communication applications
| |
| | journal = Progress in Electromagnetics Research
| |
| | volume = 116
| |
| | issue =
| |
| | pages = 363–379
| |
| | year = 2011
| |
| }}</ref><ref name="Shi">{{cite conference
| |
| | last1 = Shi
| |
| | first1 = H.
| |
| | last2 = Tennant
| |
| | first2 = A.
| |
| | title = Direction dependent antenna modulation using a two element array
| |
| | conference= Proceedings 5th European Conference on Antennas and Propagation(EUCAP)
| |
| | pages = 812–815
| |
| | date = April 2011
| |
| }}</ref><ref name="Malyuskin">{{cite journal
| |
| | last1 = Malyuskin
| |
| | first1 = O.
| |
| | last2 = Fusco
| |
| | first2 = V.
| |
| | title = Spatial data encryption using phase conjugating lenses
| |
| | journal = IEEE Transactions on Antennas and Propagation
| |
| | volume = 60
| |
| | issue = 6
| |
| | pages = 2913–2920
| |
| | publisher = IEEE
| |
| | year = 2012
| |
| }}</ref>
| |
| | |
| This type of directional modulation is really a subset of Negi and Goel's additive artificial noise encryption scheme. Another scheme using pattern-reconfigurable transmit antennas for Alice called reconfigurable multiplicative noise (RMN) complements additive artificial noise.<ref name="DalyPhD">{{cite thesis
| |
| | last1 = Daly
| |
| | first1 = Michael
| |
| | title = Physical layer encryption using fixed and reconfigurable antennas
| |
| | type = Ph.D.
| |
| | publisher = University of Illinois at Urbana-Champaign
| |
| | year = 2012
| |
| | url = https://www.ideals.illinois.edu/handle/2142/42321
| |
| }}</ref>
| |
| The two work well together in channel simulations in which nothing is assumed known to Alice or Bob about the eavesdroppers.
| |
| | |
| ==Unconditional security==
| |
| | |
| Information-theoretic security is often used interchangeably with unconditional security. However, the latter term can also refer to systems that don't rely on unproven computational hardness assumptions. Today these systems are essentially the same as those that are information-theoretically secure. Nevertheless, it does not always have to be that way. One day [[RSA (algorithm)|RSA]] might be proved secure (it relies on the assertion that factoring large primes is hard), thus becoming unconditionally secure, but it will never be information-theoretically secure (because even though no efficient algorithms for factoring large primes may exist, in principle it can still be done given unlimited computational power).
| |
| | |
| ==See also==
| |
| * [[Leftover hash lemma]] (Privacy amplification)
| |
| * [[Semantic security]]
| |
| | |
| ==References==
| |
| | |
| {{cite journal
| |
| | last = Russell
| |
| | first = Alexander
| |
| | last2 = Wang
| |
| | first2 = Hong
| |
| | editor-last = Knudsen
| |
| | editor-first= Lars
| |
| | year = 2002
| |
| | title = How to fool an unbounded adversary with a short key
| |
| | journal = Advances in Cryptology — EUROCRYPT 2002
| |
| | series = Lecture Notes in Computer Science
| |
| | volume = 2332
| |
| | pages = 133–148
| |
| | publisher = Springer Berlin / Heidelberg
| |
| | doi = 10.1007/3-540-46035-7_9
| |
| | url = http://www.engr.uconn.edu/~acr/Papers/encryption-euro-final.pdf
| |
| | format = PDF
| |
| | accessdate = 11 August 2010
| |
| }}
| |
| {{Reflist}}
| |
| | |
| {{DEFAULTSORT:Information Theoretic Security}}
| |
| [[Category:Theory of cryptography]]
| |
| [[Category:Information-theoretically secure algorithms]]
| |