I Introduction
Authentication, or the ability to verify the identity of the sender of received transmissions, is crucial in secure communications. It is especially important in the wireless channel where malicious parties have easy access to all nodes and can attempt to intercept messages and impersonate legitimate senders. While cryptographic authentication methods are very practical, they are limited to computational complexity as the basis for security. The first information theoretic analysis of authentication was done by Simmons [1]
for the noiseless channel in which it was shown that an opponent’s attack success probability is lower bounded by
when the legitimate parties share a key of length .Similar to coding for secrecy in the wire-tap channel, an authentication constraint can be added to a channel code. In [2], Maurer likened authentication to a binary hypothesis test for whether a received message is authentic versus inauthentic. Naturally then, an authentication code would have a decoder that groups certain observations as authentic and others as inauthentic in addition to mapping to possible codewords. A larger authentic set would allow for an increase in rate since fewer observations would be thrown out as inauthentic, but would allow an adversary to more easily send messages that would be falsely authenticated. It is because of this that the additional constraint on the code should lead to a trade-off between rate and authentication capabilities in our inner bound.
In [3], Lai et. al. presented a code for noisy channels with authentication capabilities and concluded that if the main channel is not less noisy than the adversary, it is possible to limit the attack success probability to with a shared key of length . Although it was shown that the communication rate is unaffected if is small, their analysis is only concerned with cases where is a constant independent of . Gungor and Koksal [4] explored a more general problem and presented an inner bound on the achievable rate with error and erasure exponents for impersonation and substitution attacks both with and without a shared key. We consider the model of [3], while not requiring a constant and determine an inner bound that improves upon Gungor and Koksal’s coding scheme. Of interest is that the coding scheme can be decomposed into two separate coding schemes, one for source authentication and one for channel authentication. A direct proof is given for the region while the converse is left for future work. If the converse were true, it would prove that authentication under the operational requirements is a limited resource, and that this resource and the message rate must linearly share the channel’s capacity.
Our contributions are as follows. First, for all DM-ASC, a substitution channel, defined in Section II-B, we give an inner bound on the trade-off between the rate , the key rate
, and the average type I error exponent
, when the average probability of message error, , must go to zero with block length going to infinity. The average type I error exponent is a measure of authentication ability and is defined in Section II-C. It should be noted that this measure of authentication subsumes both the “impostor” and “substitution” attack. Our inner bound is characterized in terms of (in principal) computable information theoretic measures in the form of an inner bound. The derived region subsumes the results of Lai et. al. [3] in which only an asymptotically vanishing key rate is considered. The inner bound is also a strict improvement over the bounds found in Gungor and Koksal [4]. Our scheme benefits from higher communication rates and less key leakage.Ii Notation, Model, and Metrics
Ii-a Notation
Random variables and their realizations will be denoted by uppercase and lowercase letters, respectively. The support set of a random variable and other sets are denoted by a calligraphic font. An -length sequence of random variables, realizations, or sets will be denoted by superscript . So, is a -length sequence of random variables which may take on values The probability is denoted , or , and even when clear. The probability of a set is written as , assuming where the set will often be omitted from the summation notation when it is clear, i.e.,
. The set of all probability distributions on a certain set, say
, is denoted by . Similarly, the set of probability distributions of conditioned on is denoted as . The set represents a special subset of , where if for any , there exists at most one such that . Note, for random variables , if , thenform a Markov chain,
. A superscript of will denote the -fold product distribution of .The use of will refer to the Bachmann-Landau notation. When there is a range of possible values for , we will use to denote it. Throughout the paper, the order will only be dependent on continuous functions of the cardinalities of the support sets.
Ii-B Model
Our authentication model consists of three parties. Alice, a legitimate transmitter, wishes to authenticate her communications with Bob, a legitimate receiver, over a discrete memoryless channel in the presence of Gríma, a malicious adversary. Gríma has the ability to intercept Alice’s message and send his own to Bob via a noiseless channel. His goal is to have Bob accept his messages as if they were from Alice. To aid in authentication, Alice and Bob share a secret key which is distributed uniformly over .
When Alice wishes to communicate, she jointly encodes a message , distributed uniformly over , and the key , as codeword . The distribution of is defined by the encoder , where is the set of all probability distributions over conditioned on . Alice then transmits to both Bob and Gríma. The three parties are connected via a discrete memoryless-adversarial substitution channel (DM-ASC) which consists of three discrete memoryless channels, , and a Gríma-controlled switch. The triple represents the channels from Alice to Bob, Alice to Gríma, and Gríma to Bob, respectively, while the switch controls Bob’s observations.
Note that for simplicity, we use the triple instead of the formal septuple , assuming that these values specify by their non-zero indices. Furthermore, we will assume for the remainder that are all discrete and finite. The channel is depicted in Figure 1.
When the switch is open, Bob will receive Alice’s transmission over . In other words, will be distributed according to where . When the switch is closed, Gríma first obtains , then determines and transmits to Bob. We only consider in which the channel from Gríma to Bob is noiseless, i.e. , as in [3, 4]. Thus, will be distributed according to
where , and . Gríma is free to choose any attack strategy, , including ones modeled after the standard impersonation and substitution attacks. Regardless of the switch’s position, Bob receives
and either makes an estimate of the message,
, or declares an intrusion, , which is determined by a decoder .Ii-C Performance Metrics
Before presenting the performance metrics, we define an authentication code.
Definition 1.
A code is any pair , where and . The rate of is , the block-length of is , and the key requirement of is .
The performance of the code is measured in two ways, reliability and type I error. Reliability is measured by the average probability of error over all keys and messages at Bob, that is
(1) |
where is a chosen constraint and
(2) |
Type I error refers to the fact that authenticating is equivalent to a binary hypothesis test where the null hypothesis is an intrusion and the alternate hypothesis is authenticity. Therefore, a good code limits the average type I error by
(3) |
where
(4) |
Definition 2.
A code is called an -average authentication (AA) code for DM-ASC if the block-length is , the rate at least , the key requirement at most , it is reliable in that and it satisfies the average authenticity requirement:
(5) |
Our study aims to determine what types of codes are possible in the following sense.
Definition 3.
A triple is said to be achievable for the DM-ASC if there exist a sequence of -AA codes such that
The average authentication region (AAR) is then
(6) |
Iii Background
Before presenting the inner bound for the average authentication region, we review existing schemes. First, we review Lai’s [3] strategy and frame it in terms of information metrics for ease of comparison. Next, we examine Simmons’ [1] strategy for the noiseless channel and transform Gungor and Koksal’s [4] inner bound into our terms.
Iii-a Lai’s Strategy
In [3], Lai et. al. propose essentially using a code designed for a wire-tapper channel, and sending the key as part of the message. The specific code they proposed is optimal for their limited scenario (key requirement ), but in light of the forthcoming discussion, it is not optimal in ours.
Recognizing that the essence of the construction is to transmit two independent messages (the message itself and the key), with one subject to a secrecy constraint, the most logical coding scheme is a special class of codes for the discrete memoryless broadcast channel with confidential communications (t,q,) (DM-BCC). While we are the first to notice and use this specific construction for the purpose of authentication, we refer to this as Lai’s strategy. Before continuing we discuss the DM-BCC.
The achievable rate region of the DM-BCC was first derived by Csiszár and Körner in [5] and later refined in [6, Chapter 17]. In said model, there exist three messages that Alice wishes to send, a common message, , that is to be decoded by both Bob and Gríma, a private message, , that is to be decoded by Bob and kept secret from Gríma, and finally a message, , to be decoded by only Bob, but without a secrecy constraint. Secrecy in this context is indicated by
where as . Meaning that the information gained about from Gríma’s observations asymptotically vanishes. All messages have reliability constraints for their intended recipients. The three messages are jointly coded as and sent through the channel where Bob observes , which is distributed as while Gríma observes, , distributed as .
The triple is achievable for the DM-BCC if
for some , and , and sets and such that and . It can be seen here that secrecy is only possible when the channel from Alice to Gríma’s is not less noisy than the channel from Alice to Bob.
Lai’s strategy attains authentication capabilities by implementing the coding scheme for the DM-BCC in which Alice’s message is sent as and the key is sent as while . If message rates are chosen within the achievable region above, Bob will decode the message reliably, satisfying the reliability constraint of an authentication code. Additionally, since the key is also reliably decoded and each corresponds to only one , he can declare authenticity when . The security constraint on reduces the information about the key that is leaked to Gríma; the analysis of our work will determine the degree of effectiveness.
As stated before, non-zero rates are only possible when is less noisy than , i.e. when . To solve this issue, we return to Simmons’ strategy for the noiseless case.
Iii-B Simmon’s Strategy
Simmons’ authentication scheme [1] for noiseless channels breaks down the problem into protecting against two different attacks, i.e., an impostor formerly referred to as “impersonation” attack and a substitution attack. The attacks differ in that in the former, Gríma attacks without first observing one of Alice’s transmissions, while in the latter, Gríma does. In the strategy, the code is created by independently and randomly choosing not necessarily unique subsets of , each denoted as . The size of each subset is where each element corresponds to a single message . Then, to communicate , Alice sends the associated from the subset indexed by their shared key, . Bob authenticates a message when the observed is an element of the correct . The rate of communication in this scheme is .
Since an observed can be contained in multiple , Gríma will be unable to immediately infer which key was used for authentication. In order to launch a successful substitution attack, Gríma must choose an that is contained in the same , however on average there is only subset that contains both and . Therefore, he must essentially guess the correct key to fool Bob which happens with probability since there are, on average, subsets that contain . In terms of an achievable rate region, this scheme can achieve the triple . Simmons’ strategy, together with Lai’s strategy, forms the basis for our code.
Iii-C Gungor and Koksal’s Bounds
Inner bounds for the average achievability region of a DM-ASC, have been established by Gungor and Koksal [4]. Specifically, their scheme splits Alice and Bob’s shared key into two smaller keys, one for authentication (á la Lai’s strategy) and one for secrecy. These two keys are then used as the dimensions in a two dimensional dimensional binning process, where the codeword corresponding to the triple of messages and keys is chosen independently. The independent choice over the secrecy key, though, leaks extraneous information since there is no need to differentiate between secrecy keys at the legitimate receiver.
In any case, the set of all achievable derived from their scheme is a subset of
(7) |
where
(8) |
and . A proof of this can be found in Appendix -C.
Iv Authentication Capacity Region
We now present our main theorems and the inner bound of the average authentication region. First, we present the minor contribution of characterizing the inner bound of the authentication region using Lai’s strategy.
Theorem 4.
(9) |
where , for all , , and where and are finite.
Proof:
The type I error capabilities are limited by the capacity of the wire-tap channel and if the secrecy capacity is 0, then no authentication is possible. We now extend Simmons’ strategy and although it will only be applied to the triples from Theorem 4, the associated code construction makes no such assumption on the genesis of the original code.
Theorem 5.
If then , for all non-negative .
Proof:
See Appendix -F∎
Theorem 6.
(10) |
where , for all distributions , , and and and are finite.
Proof:
The proof can be found in Appendix -G ∎
This inner bound exhibits a trade-offs between rate, type I error, and key requirement in information theoretic terms. It is apparent from the first condition that this scheme requires communication and authentication share the main channel’s capacity. As long as is non-zero, an increase in the length of the secret key provides a proportional increase in type I error. Whereas when the condition is zero, an increase in requires twice the increase in as evident in Simmons’ scheme.
Our scheme also improves over Gungor and Koksal’s inner bound in this respect, since our scheme does not continue to unnecessarily leak information when Gríma’s channel is less noisy than Bob’s channel. Instead, in such a case, our scheme reverts to that of Simmon’s, which is known to be optimal.
V Examples
To demonstrate that our inner bound outperforms Gungor and Koksal’s inner, we provide a few examples and analyses. While it is easy to see that our inner bound (6) is larger than Lai’s (4) due to the addition of , we will provide an explicit example to show that (6) also improves upon Gungor’s inner bound (8). For clarity, we will examine the case where and are binary symmetric channels (BSC) with transition probabilities and respectively.
In a BSC, (6) simplifies to
where is now a distribution on given and . Meanwhile, (8) simplifies to
(11) |
where .
V-a BSC Analysis
The and that maximize the average region and all three constraints simultaneously is BSC(.5) and a uniform . Since the upper bound of the third condition is always larger than the upper bound of the second condition for this set of distributions, we only focus on the first two conditions. For a less noisy main channel, the minimum is always , whereas when the main channel is not less noisy, the minimum is always , both regardless of Alice’s choice of .
When we consider the case where the adversary’s channel is “less noisy” than the main channel, it is easy to see that Gungor’s region is not better than the AAR. With such a channel pair, the condition when evaluated at its minimum , the bound is . This results in the condition for the average region. In order for Gungor’s strategy to be better, its upper bounds on must be greater than . Examining the third condition in Gungor’s region, it can been seen that in order to have a nonzero bound on , since is a valid choice. Then, for both conditions to be greater than we must have
These two conditions, however, cannot occur simultaneously since they imply that which is only valid when . This is only satisfied when is less noisy than which contradicts our original assumption on this pair of channels. Therefore, given the same and assumption of a less noisy adversary channel, Gungor’s scheme cannot achieve any greater than that of our scheme, which implies that their region is contained in ours. We will show through example that their region is a proper subset since there are instances of that are contained in the AAR, but not in theirs.
V-B BSC Examples
First, we consider a case when the main channel is less noisy than Gríma’s channel, where in specific and . The trade off between the rate and the authentication, given a fixed key rate, for both (6) and (8) is plotted in Figure 2. Note the equivalence of the two regions for small . As increases, though, (6) becomes strictly larger than (8). While (6) obtains a constant value for , which is equal to the capacity of , approximately , (8) struggles due to the inefficiency of their coding scheme. This aligns with intuition, as (6) uses the channel capacity for authenticity until the secrecy capacity is exhausted, and then switches to Simmons’ scheme to further the authentication exponent.
Next, in Figure 3, the rate, key requirement, and adversarial channel are held constant while the maximum possible achievable via (6) and (8) is computed for a range of main channel transition probabilities, . Both schemes have a dramatic performance decrease when the main channel becomes worse than the adversarial channel. Still (6) is generally larger than (8) for many possible main channels. It should be noted the point where is exactly the point where the capacity of the channel equals , in other words both schemes are using all of the channels capacity simply to provide reliable communications.
References
- [1] G. J. Simmons, “Authentication theory/coding theory.” in Advances in Cryptology, Proceedings of CRYPTO ’84, Santa Barbara, California, USA, August 19-22, 1984, Proceedings, 1984, pp. 411–431.
- [2] U. Maurer, “Authentication theory and hypothesis testing,” IEEE Transactions on Information Theory, vol. 46, no. 4, pp. 1350–1356, July 2000.
- [3] L. Lai, H. El Gamal, and H. V. Poor, “Authentication over noisy channels,” IEEE transactions on information theory, vol. 55, no. 2, pp. 906–916, 2009.
- [4] O. Gungor and C. E. Koksal, “On the basic limits of rf-fingerprint-based authentication,” IEEE transactions on information theory, vol. 62, no. 8, pp. 4523–4543, 2016.
- [5] I. Csiszár and J. Körner, “Broadcast channels with confidential messages,” IEEE transactions on information theory, vol. 24, no. 3, pp. 339–348, 1978.
- [6] ——, Information Theory: Coding Theorems for Discrete Memoryless Systems, 2nd ed. Cambridge University Press, 2011. [Online]. Available: http://books.google.com/books?id=2gsLkQlb8JAC
- [7] T. M. Cover and J. A. Thomas, Elements of information theory, 2nd ed. New York, NY, USA: Wiley-Interscience, 2006.
Comments
There are no comments yet.