Information-theoretic security

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Information-theoretic security is security of a cryptosystem which derives purely from information theory; the system cannot be broken even if the adversary has unlimited computing power. The cryptosystem is considered cryptoanalytically unbreakable if the adversary does not have enough information to break the encryption.


An encryption protocol with information-theoretic security does not depend for its effectiveness on unproven assumptions about computational hardness. Such a protocol is not vulnerable to future developments in computer power such as quantum computing. An example of an information-theoretically secure cryptosystem is the one-time pad. The concept of information-theoretically secure communication was introduced in 1949 by American mathematician Claude Shannon, the inventor of information theory, who used it to prove that the one-time pad system was secure.[1] Information-theoretically secure cryptosystems have been used for the most sensitive governmental communications, such as diplomatic cables and high-level military communications, because of the great efforts enemy governments expend toward breaking them.

There are a variety of cryptographic tasks for which information-theoretic security is a meaningful and useful requirement. A few of these are:

  1. Secret sharing schemes such as Shamir's are information-theoretically secure (and also perfectly secure) in that having less than the requisite number of shares of the secret provides no information about the secret.
  2. More generally, secure multiparty computation protocols often have information-theoretic security.
  3. Private information retrieval with multiple databases can be achieved with information-theoretic privacy for the user's query.
  4. Reductions between cryptographic primitives or tasks can often be achieved information-theoretically. Such reductions are important from a theoretical perspective because they establish that primitive can be realized if primitive can be realized.
  5. Symmetric encryption can be constructed under an information-theoretic notion of security called entropic security, which assumes that the adversary knows almost nothing about the message being sent. The goal here is to hide all functions of the plaintext rather than all information about it.
  6. Quantum cryptography is largely part of information-theoretic cryptography.

Security levels[edit]

Perfect security is a special case of information-theoretic security. For an encryption algorithm, if there is ciphertext produced that uses it, no information about the plaintext is provided without knowledge of the key. If E is a perfectly secure encryption function, for any fixed message m, there must be, for each ciphertext c, at least one key k such that . Mathematically, let m and c be the random variables representing the plaintext and ciphertext messages, respectively; then, we have that

where is the mutual information between m and c. In other words, the plaintext message is independent of the transmitted ciphertext if we do not have access to the key. It has been proved that any cipher with the perfect secrecy property must use keys with effectively the same requirements as one-time pad keys.[1]

It is common for a cryptosystem to leak some information but nevertheless maintain its security properties even against an adversary that has unlimited computational resources. Such a cryptosystem would have information-theoretic but not perfect security. The exact definition of security would depend on the cryptosystem in question but normally is defined as a bounded amount of leaked bits:

Here, should be less than the entropy (number of bits of information) of m, otherwise the bound is trivial.

Unconditional security[edit]

The term information-theoretic security is often used interchangeably with the term unconditional security. The latter term can also refer to systems that do not rely on unproven computational hardness assumptions. Today, such systems are essentially the same as those that are information-theoretically secure. Nevertheless, it does not always have to be that way. One day, RSA might be proved secure, as it relies on the assertion that factoring large numbers is hard, thus becoming unconditionally secure, but it will never be information-theoretically secure because even if no efficient algorithms for factoring large primes exist, it could still be done in principle with unlimited computational power.

Physical layer encryption[edit]

A weaker notion of security, defined by Aaron D. Wyner, established a now-flourishing area of research that is known as physical layer encryption.[2] It exploits the physical wireless channel for its security by communications, signal processing, and coding techniques. The security is provable, unbreakable, and quantifiable (in bits/second/hertz).

Wyner's initial physical layer encryption work in the 1970s posed the Alice–Bob–Eve problem in which Alice wants to send a message to Bob without Eve decoding it. If the channel from Alice to Bob is statistically better than the channel from Alice to Eve, it had been shown that secure communication is possible.[3] That is intuitive, but Wyner measured the secrecy in information theoretic terms defining secrecy capacity, which essentially is the rate at which Alice can transmit secret information to Bob. Shortly afterward, Imre Csiszár and Körner showed that secret communication was possible even if Eve had a statistically better channel to Alice than Bob did.[4] The basic idea of the information theoretic approach to securely transmit confidential messages (without using an encryption key) to a legitimate receiver is to use the inherent randomness of the physical medium (including noises and channel fluctuations due to fading) and exploit the difference between the channel to a legitimate receiver and the channel to an eavesdropper to benefit the legitimate receiver.[5] More recent theoretical results are concerned with determining the secrecy capacity and optimal power allocation in broadcast fading channels.[6][7] There are caveats, as many capacities are not computable unless the assumption is made that Alice knows the channel to Eve. If that were known, Alice could simply place a null in Eve's direction. Secrecy capacity for MIMO and multiple colluding eavesdroppers is more recent and ongoing work,[8][9] and such results still make the non-useful assumption about eavesdropper channel state information knowledge.

Still other work is less theoretical by attempting to compare implementable schemes. One physical layer encryption scheme is to broadcast artificial noise in all directions except that of Bob's channel, which basically jams Eve. One paper by Negi and Goel details its implementation, and Khisti and Wornell computed the secrecy capacity when only statistics about Eve's channel are known.[10][11]

Parallel to that work in the information theory community is work in the antenna community, which has been termed near-field direct antenna modulation or directional modulation.[12] It has been shown that by using a parasitic array, the transmitted modulation in different directions could be controlled independently.[13] Secrecy could be realized by making the modulations in undesired directions difficult to decode. Directional modulation data transmission was experimentally demonstrated using a phased array.[14] Others have demonstrated directional modulation with switched arrays and phase-conjugating lenses.[15][16][17]

That type of directional modulation is really a subset of Negi and Goel's additive artificial noise encryption scheme. Another scheme using pattern-reconfigurable transmit antennas for Alice called reconfigurable multiplicative noise (RMN) complements additive artificial noise.[18] The two work well together in channel simulations in which nothing is assumed known to Alice or Bob about the eavesdroppers.

Secret key agreement[edit]

The different works mentioned in the previous part employ, in one way or another, the randomness present in the wireless channel to transmit information-theoretically secure messages. Conversely, we could analyze how much secrecy one can extract from the randomness itself in the form of a secret key. That is the goal of secret key agreement.

In this line of work, started by Maurer[19] and Ahlswede and Csiszár,[20] the basic system model removes any restriction on the communication schemes and assumes that the legitimate users can communicate over a two-way, public, noiseless, and authenticated channel at no cost. This model has been subsequently extended to account for multiple users[21] and a noisy channel[22] among others.

See also[edit]


  1. ^ a b Shannon, Claude E. (October 1949). "Communication Theory of Secrecy Systems" (PDF). Bell System Technical Journal. 28 (4): 656–715. doi:10.1002/j.1538-7305.1949.tb00928.x. hdl:10338.dmlcz/119717. Retrieved 2011-12-21.
  2. ^ Koyluoglu (16 July 2010). "Information Theoretic Security". Retrieved 11 August 2010.
  3. ^ Wyner, A. D. (October 1975). "The Wire-Tap Channel" (PDF). Bell System Technical Journal. 54 (8): 1355–1387. doi:10.1002/j.1538-7305.1975.tb02040.x. S2CID 21512925. Archived from the original (PDF) on 2014-02-04. Retrieved 2013-04-11.
  4. ^ Csiszár, I.; Körner, J. (May 1978). "Broadcast Channels with Confidential Messages". IEEE Transactions on Information Theory. IT-24 (3): 339–348. doi:10.1109/TIT.1978.1055892.
  5. ^ Liang, Y.; Vincent Poor, H.; Shamai, S. (2008). "Information Theoretic Security". Foundations and Trends in Communications and Information Theory. 5 (4–5): 355–580. doi:10.1561/0100000036.
  6. ^ Liang, Yingbin; Poor, Vincent; Shamai (Shitz), Shlomo (June 2008). "Secure Communication Over Fading Channels". IEEE Transactions on Information Theory. 54 (6): 2470–2492. arXiv:cs/0701024. doi:10.1109/tit.2008.921678. S2CID 7249068.
  7. ^ Gopala, P.; Lai, L.; El Gamal, H. (October 2008). "On the Secrecy Capacity of Fading Channels". IEEE Transactions on Information Theory. 54 (10): 4687–4698. arXiv:cs/0610103. doi:10.1109/tit.2008.928990. S2CID 3264079.
  8. ^ Khisti, Ashish; Wornell, Gregory (November 2010). "Secure Transmission with Multiple Antennas II: The MIMOME Wiretap Channel". IEEE Transactions on Information Theory. 56 (11): 5515–5532. arXiv:1006.5879. Bibcode:2010arXiv1006.5879K. doi:10.1109/tit.2010.2068852. S2CID 1428.
  9. ^ Oggier, F.; Hassibi, B. (August 2011). "The Secrecy Capacity of the MIMO Wiretap Channel". IEEE Transactions on Information Theory. 57 (8): 4961–4972. arXiv:0710.1920. doi:10.1109/tit.2011.2158487. S2CID 1586.
  10. ^ Negi, R.; Goel, S. (2008). "Guaranteeing secrecy using artificial noise". IEEE Transactions on Wireless Communications. 7 (6): 2180–2189. doi:10.1109/twc.2008.060848. S2CID 5430424.
  11. ^ Khisti, Ashish; Wornell, Gregory (Jul 2010). "Secure transmission with multiple antennas I: The MISOME wiretap channel". IEEE Transactions on Information Theory. 56 (7): 3088–3104. CiteSeerX doi:10.1109/tit.2010.2048445. S2CID 47043747.
  12. ^ Daly, M.P.; Bernhard, J.T. (Sep 2009). "Directional modulation technique for phased arrays". IEEE Transactions on Antennas and Propagation. 57 (9): 2633–2640. Bibcode:2009ITAP...57.2633D. doi:10.1109/tap.2009.2027047. S2CID 27139656.
  13. ^ Babakhani, A.; Rutledge, D.B.; Hajimiri, A. (Dec 2008). "Transmitter architectures based on near-field direct antenna modulation" (PDF). IEEE Journal of Solid-State Circuits. IEEE. 76 (12): 2674–2692. Bibcode:2008IJSSC..43.2674B. doi:10.1109/JSSC.2008.2004864. S2CID 14595636.
  14. ^ Daly, M.P.; Daly, E.L.; Bernhard, J.T. (May 2010). "Demonstration of directional modulation using a phased array". IEEE Transactions on Antennas and Propagation. 58 (5): 1545–1550. Bibcode:2010ITAP...58.1545D. doi:10.1109/tap.2010.2044357. S2CID 40708998.
  15. ^ Hong, T.; Song, M.-Z.; Liu, Y. (2011). "RF directional modulation technique using a switched antenna array for physical layer secure communication applications". Progress in Electromagnetics Research. 116: 363–379. doi:10.2528/PIER11031605.
  16. ^ Shi, H.; Tennant, A. (April 2011). Direction dependent antenna modulation using a two element array. Proceedings 5th European Conference on Antennas and Propagation(EUCAP). pp. 812–815.
  17. ^ Malyuskin, O.; Fusco, V. (2012). "Spatial data encryption using phase conjugating lenses". IEEE Transactions on Antennas and Propagation. 60 (6): 2913–2920. Bibcode:2012ITAP...60.2913M. doi:10.1109/tap.2012.2194661. S2CID 38743535.
  18. ^ Daly, Michael (2012). Physical layer encryption using fixed and reconfigurable antennas (Ph.D.). University of Illinois at Urbana-Champaign.
  19. ^ Maurer, U. M. (May 1993). "Secret key agreement by public discussion from common information". IEEE Transactions on Information Theory. 39 (3): 733–742. doi:10.1109/18.256484.
  20. ^ Ahlswede, R.; Csiszár, I. (July 1993). "Common randomness in information theory and cryptography. I. Secret sharing". IEEE Transactions on Information Theory. 39 (4): 1121–1132. doi:10.1109/18.243431.
  21. ^ Narayan, Prakash; Tyagi, Himanshu (2016). "Multiterminal Secrecy by Public Discussion". Foundations and Trends in Communications and Information Theory. 13 (2–3): 129–275. doi:10.1561/0100000072.
  22. ^ Bassi, G.; Piantanida, P.; Shamai, S. (2019). "The Secret Key Capacity of a Class of Noisy Channels with Correlated Sources". Entropy. 21 (8): 732. Bibcode:2019Entrp..21..732B. doi:10.3390/e21080732.