1. Secure Communication for Distributed Systems Paul Cuff Electrical Engineering Princeton University

2. Overview Application A framework for secrecy of distributed systems Theoretical result Information theory in a competitive context (zero-sum game) Two methods of coordination

3. Main Idea Secrecy for distributed systems Design encryption specifically for a system objective Node A Node B Message Information Action Adversary Distributed System Attack

4. Communication in Distributed Systems “Smart Grid” Image from http://www.solarshop.com.auhttp://www.solarshop.com.au

5. Example: Rate-Limited Control Adversary 00101110010010111 Signal (sensor) Communication Signal (control) Attack Signal

6. Example: Feedback Stabilization “Data Rate Theorem” [Wong-Brockett 99, Baillieul 99] Controller Dynamic System EncoderDecoder 10010011011010101101010100101101011 Sensor Adversary Feedback

7. Traditional View of Encryption Information inside

8. Shannon Analysis 1948 Channel Capacity Lossless Source Coding Lossy Compression 1949 - Perfect Secrecy Adversary learns nothing about the information Only possible if the key is larger than the information C. Shannon, "Communication Theory of Secrecy Systems," Bell Systems Technical Journal, vol. 28, pp. 656-715, Oct. 1949.

9. Shannon Model Schematic Assumption Enemy knows everything about the system except the key Requirement The decipherer accurately reconstructs the information C. Shannon, "Communication Theory of Secrecy Systems," Bell Systems Technical Journal, vol. 28, pp. 656-715, Oct. 1949. EnciphererDecipherer Ciphertext Key Plaintext Adversary For simple substitution:

10. Shannon Analysis Equivocation vs Redundancy Equivocation is conditional entropy: Redundancy is lack of entropy of the source: Equivocation reduces with redundancy: C. Shannon, "Communication Theory of Secrecy Systems," Bell Systems Technical Journal, vol. 28, pp. 656-715, Oct. 1949.

11. Computational Secrecy Assume limited computation resources Public Key Encryption Trapdoor Functions Difficulty not proven Can become a “cat and mouse” game Vulnerable to quantum computer attack W. Diffie and M. Hellman, “New Directions in Cryptography,” IEEE Trans. on Info. Theory, 22(6), pp. 644-654, 1976. 1125897758 834 689 524287 2147483647 X

12. Information Theoretic Secrecy Achieve secrecy from randomness (key or channel), not from computational limit of adversary. Physical layer secrecy Wyner’s Wiretap Channel [Wyner 1975] Partial Secrecy Typically measured by “equivocation:” Other approaches: Error exponent for guessing eavesdropper [Merhav 2003] Cost inflicted by adversary [this talk]

13. Equivocation Not an operationally defined quantity Bounds: List decoding Additional information needed for decryption Not concerned with structure

14. Our Framework Assume secrecy resources are available (secret key, private channel, etc.) How do we encode information optimally? Game Theoretic Eavesdropper is the adversary System performance (for example, stability) is the payoff Bayesian games Information structure

15. Competitive Distributed System Node ANode B Message Key InformationAction Adversary Attack Encoder: System payoff:. Decoder:Adversary:

16. Zero-Sum Game Value obtained by system: Objective Maximize payoff Node ANode B Message Key Information Action Adversary Attack

17. Secrecy-Distortion Literature [Yamamoto 97]: Cause an eavesdropper to have high reconstruction distortion Replace payoff (π) with distortion No causal information to the eavesdropper Warning: Problem statement can be too optimistic!

18. How to Force High Distortion Randomly assign bins Size of each bin is Adversary only knows bin Reconstruction of only depends on the marginal posterior distribution of Example (Bern(1/3)):

19. THEORETICAL RESULTS Information Theoretic Rate Regions Provable Secrecy

20. Two Categories of Results Lossless Transmission Simplex interpretation Linear program Hamming Distortion General Reward Function Common Information Secret Key

21. Competitive Distributed System Node ANode B Message Key InformationAction Adversary Attack Encoder: System payoff:. Decoder:Adversary:

22. Zero-Sum Game Value obtained by system: Objective Maximize payoff Node ANode B Message Key Information Action Adversary Attack

23. Theorem: [Cuff 10] Lossless Case Require Y=X Assume a payoff function Related to Yamamoto’s work [97] Difference: Adversary is more capable with more information Also required:

24. Linear Program on the Simplex Constraint: Minimize: Maximize: U will only have mass at a small subset of points (extreme points)

25. Linear Program on the Simplex

26. Binary-Hamming Case Binary Source: Hamming Distortion Optimal approach Reveal excess 0’s or 1’s to condition the hidden bits 0100100001 **00**0*0* Source Public message

27. Binary Source (Example) Information source is Bern(p) Usually zero (p < 0.5) Hamming payoff Secret key rate R 0 required to guarantee eavesdropper error R0R0 p Eavesdropper Error

28. General Payoff Function No requirement for lossless transmission. Any payoff function π(x,y,z) Any source distribution (i.i.d.) Adversary:

29. Payoff-Rate Function Maximum achievable average payoff Markov relationship: Theorem:

30. Unlimited Public Communication Maximum achievable average payoff Conditional common information: Theorem (R=∞):

31. RELATED COMMUNICATION METHODS Two Coordination Results

32. Coordination Capacity References: [C., Permuter, Cover – IT Trans. 09] [C. - ISIT 08] [Bennett, Shor, Smolin, Thapliyal – IT Trans. 02] [C., Zhao – ITW 11] Ability to coordinate sequences (“actions”) with communication limitations. Empirical Coordination Strong Coordination

33. X1X2X3X4X5X6…Xn Empirical Coordination Y1Y2Y3Y4Y5Y6…Yn Z1Z2Z3Z4Z5Z6…Zn Empirical Distribution

34. 1011000110110001 0110101101101011 1101001011010010 000001010011100101110111

35. Average Distortion Average values are a function of the empirical distribution Example: Squared error distortion Rate distortion theory fits in the empirical coordination context.

36. No Rate – No Channel No explicit communication channel Signal “A” serves an analog and information role. Analog: symbol-by-symbol relationship (Digital): uses complex structure to carry information. Processor 1 Processor 2 Source Actuator 1Actuator 2

37. Define Empirical Coordination Processor 1 Processor 2 Source is achievable if:

38. Coordination Region The coordination region gives us all results concerning average distortion. Processor 1 Processor 2 Source

39. Result – No constraints Processor 1 Processor 2 Source Achievability: Make a codebook of (A n, B n ) pairs

40. General Results Variety of causality constraints (delay) Processor 1 Processor 2 Source

41. Alice and Bob Game Alice and Bob want to cooperatively score points by both correctly guessing a sequence of random binary numbers (one point if they both guess correctly). Alice gets entire sequence ahead of time Bob only sees that past binary numbers and guesses of Alice. What is the optimal score in the game?

42. Alice and Bob Game (answer) Online Matching Pennies [Gossner, Hernandez, Neyman, 2003] “Online Communication” Solution

43. General (causal) solution Score in Alice and Bob Game is a first-order statistic Achievable empirical distributions (Processor 2 is strictly causal) Surprise: Bob doesn’t need to see the past of the sequence.

44. X1X2X3X4X5X6…Xn Strong Coordination Y1Y2Y3Y4Y5Y6…Yn Z1Z2Z3Z4Z5Z6…Zn Joint distribution of sequences is i.i.d. with respect to the desired joint distribution. (Allow epsilon total variation distance.)

45. Point-to-point Coordination Theorem [C. 08]: Strong Coordination involves picking a V such that X-V-Y Message: R > I(X;V) Common Randomness: R 0 + R > I(X,Y;V) Uses randomized decoder (channel from V to Y) Node ANode B Message Common Randomness Source Output Synthetic Channel p(y|x)

46. Zero-Sum Game Value obtained by system: Objective Maximize payoff Node ANode B Message Key Information Action Adversary Attack

47. Encoding Scheme Coordination Strategies Empirical coordination for U Strong coordination for Y K

48. Converse

49. What the Adversary doesn’t know can hurt him. [Yamamoto 97] Knowledge of Adversary: [Yamamoto 88]:

50. Proposed View of Encryption Information obscured Images from albo.co.uk