Physical-LayerSecurity FromInformationTheorytoSecurityEngineering Thiscompleteguidetophysical-layersecuritypresentsthetheoreticalfoundations,prac- ticalimplementation,challenges,andbenefitsofagroundbreakingnewmodelforsecure communication.Usingabottom-upapproachfromthelinklevelallthewaytoend-to- end architectures, it provides essential practical tools that enable graduate students, industryprofessionals,andresearcherstobuildmoresecuresystemsbyexploitingthe noiseinherenttocommunicationchannels. Thebookbeginswithaself-containedexplanationoftheinformation-theoreticlimits of secure communications at the physical layer. It then goes on to develop practical codingschemes,buildingonthetheoreticalinsightsandenablingreaderstounderstand thechallengesandopportunitiesrelatedtothedesignofphysical-layersecurityschemes. Finally,applicationstomulti-usercommunicationsandnetworkcodingarealsoincluded. Matthieu Bloch is an Assistant Professor in the School of Electrical Engineering of theGeorgiaInstituteofTechnology.HereceivedaPh.D.inEngineeringSciencefrom theUniversite´ deFranche-Comte´,Besanc¸on,France,in2006,andaPh.D.inElectrical EngineeringfromtheGeorgiaInstituteofTechnologyin2008.Hisresearchinterestsare intheareasofinformationtheory,error-controlcoding,wirelesscommunications,and quantumcryptography. Joa˜o Barros is an Associate Professor in the Department of Electrical and Computer Engineering of the Faculdade de Engenharia da Universidade do Porto, the Head of the Porto Delegation of the Instituto de Telecomunicac¸o˜es, Portugal, and a Visiting ProfessorattheMassachusettsInstituteofTechnology.HereceivedhisPh.D.inElectrical Engineering and Information Technology from the Technische Universita¨t Mu¨nchen (TUM), Germany, in 2004 and has since published extensively in the general areas of informationtheory,communicationnetworks,andsecurity.Hehastaughtshortcourses andtutorialsatvariousinstitutionsandreceivedaBestTeachingAwardfromtheBavarian State Ministry of Sciences and the Arts, as well as the 2010 IEEE ComSoc Young ResearcherAwardforEurope,theMiddleEast,andAfrica. Physical-Layer Security From Information Theory to Security Engineering MATTHIEU BLOCH GeorgiaInstituteofTechnology JOA˜O BARROS UniversityofPorto CAMBRIDGEUNIVERSITYPRESS Cambridge,NewYork,Melbourne,Madrid,CapeTown, Singapore,Sa˜oPaulo,Delhi,Tokyo,MexicoCity CambridgeUniversityPress TheEdinburghBuilding,CambridgeCB28RU,UK PublishedintheUnitedStatesofAmericabyCambridgeUniversityPress,NewYork www.cambridge.org Informationonthistitle:www.cambridge.org/9780521516501 (cid:2)C CambridgeUniversityPress2011 Thispublicationisincopyright.Subjecttostatutoryexception andtotheprovisionsofrelevantcollectivelicensingagreements, noreproductionofanypartmaytakeplacewithoutthewritten permissionofCambridgeUniversityPress. Firstpublished2011 PrintedintheUnitedKingdomattheUniversityPress,Cambridge AcatalogrecordforthispublicationisavailablefromtheBritishLibrary ISBN 978-0-521-51650-1Hardback CambridgeUniversityPresshasnoresponsibilityforthepersistenceor accuracyofURLsforexternalorthird-partyinternetwebsitesreferredto inthispublication,anddoesnotguaranteethatanycontentonsuch websitesis,orwillremain,accurateorappropriate. Toourfamilies Contents Preface pagexi Notation xiii Listofabbreviations xv PartI Preliminaries 1 1 Aninformation-theoreticapproachtophysical-layersecurity 3 1.1 Shannon’sperfectsecrecy 4 1.2 Securecommunicationovernoisychannels 6 1.3 Channelcodingforsecrecy 7 1.4 Secret-keyagreementfromnoisyobservations 8 1.5 Activeattacks 9 1.6 Physical-layersecurityandclassicalcryptography 10 1.7 Outlineoftherestofthebook 11 2 Fundamentalsofinformationtheory 13 2.1 Mathematicaltoolsofinformationtheory 13 2.1.1 Usefulbounds 13 2.1.2 Entropyandmutualinformation 14 2.1.3 Stronglytypicalsequences 18 2.1.4 Weaklytypicalsequences 21 2.1.5 Markovchainsandfunctionaldependencegraphs 22 2.2 Thepoint-to-pointcommunicationproblem 23 2.2.1 Point-to-pointcommunicationmodel 24 2.2.2 Thesourcecodingtheorem 26 2.2.3 Thechannelcodingtheorem 29 2.3 Networkinformationtheory 32 2.3.1 Distributedsourcecoding 33 2.3.2 Themultiple-accesschannel 37 2.3.3 Thebroadcastchannel 40 2.4 Bibliographicalnotes 44 viii Contents PartII Information-theoreticsecurity 47 3 Secrecycapacity 49 3.1 Shannon’sciphersystem 49 3.2 Securecommunicationoveranoisychannel 53 3.3 Perfect,weak,andstrongsecrecy 55 3.4 Wyner’swiretapchannel 58 3.4.1 Achievabilityproofforthedegradedwiretapchannel 65 3.4.2 Converseproofforthedegradedwiretapchannel 76 3.5 Broadcastchannelwithconfidentialmessages 78 3.5.1 Channelcomparison 83 3.5.2 Achievabilityproofforthebroadcastchannelwithconfidential messages 90 3.5.3 Converseproofforthebroadcastchannelwithconfidential messages 98 3.6 Multiplexingandfeedback 103 3.6.1 Multiplexingsecureandnon-securemessages 103 3.6.2 Feedbackandsecrecy 104 3.7 Conclusionsandlessonslearned 108 3.8 Bibliographicalnotes 110 4 Secret-keycapacity 112 4.1 Sourceandchannelmodelsforsecret-keyagreement 113 4.2 Secret-keycapacityofthesourcemodel 118 4.2.1 Secret-keydistillationbasedonwiretapcodes 120 4.2.2 Secret-keydistillationbasedonSlepian–Wolfcodes 121 4.2.3 Upperboundforsecret-keycapacity 127 4.2.4 Alternativeupperboundsforsecret-keycapacity 129 4.3 Sequentialkeydistillationforthesourcemodel 134 4.3.1 Advantagedistillation 136 4.3.2 Informationreconciliation 143 4.3.3 Privacyamplification 148 4.4 Secret-keycapacityofthechannelmodel 162 4.5 Strongsecrecyfromweaksecrecy 166 4.6 Conclusionsandlessonslearned 169 4.7 Appendix 170 4.8 Bibliographicalnotes 174 5 SecuritylimitsofGaussianandwirelesschannels 177 5.1 Gaussianchannelsandsources 177 5.1.1 Gaussianbroadcastchannelwithconfidentialmessages 177 5.1.2 Multiple-inputmultiple-outputGaussianwiretapchannel 185 5.1.3 Gaussiansourcemodel 190 Contents ix 5.2 Wirelesschannels 193 5.2.1 Ergodic-fadingchannels 195 5.2.2 Block-fadingchannels 203 5.2.3 Quasi-staticfadingchannels 206 5.3 Conclusionsandlessonslearned 210 5.4 Bibliographicalnotes 210 PartIII Codingandsystemaspects 213 6 Codingforsecrecy 215 6.1 Secrecyandcapacity-achievingcodes 216 6.2 Low-densityparity-checkcodes 217 6.2.1 BinarylinearblockcodesandLDPCcodes 217 6.2.2 Message-passingdecodingalgorithm 220 6.2.3 PropertiesofLDPCcodesundermessage-passingdecoding 222 6.3 Secrecycodesforthebinaryerasurewiretapchannel 223 6.3.1 Algebraicsecrecycriterion 225 6.3.2 CosetcodingwithdualofLDPCcodes 228 6.3.3 Degradingerasurechannels 229 6.4 Reconciliationofbinarymemorylesssources 231 6.5 Reconciliationofgeneralmemorylesssources 234 6.5.1 Multilevelreconciliation 235 6.5.2 MultilevelreconciliationofGaussiansources 239 6.6 Securecommunicationoverwiretapchannels 242 6.7 Bibliographicalnotes 245 7 Systemaspects 247 7.1 Basicsecurityprimitives 248 7.1.1 Symmetricencryption 248 7.1.2 Public-keycryptography 249 7.1.3 Hashfunctions 250 7.1.4 Authentication,integrity,andconfidentiality 251 7.1.5 Key-reuseandauthentication 251 7.2 Securityschemesinthelayeredarchitecture 253 7.3 Practicalcasestudies 256 7.4 Integratingphysical-layersecurityintowirelesssystems 260 7.5 Bibliographicalnotes 265 PartIV Otherapplicationsofinformation-theoreticsecurity 267 8 Secrecyandjamminginmulti-userchannels 269 8.1 Two-wayGaussianwiretapchannel 270 8.2 Cooperativejamming 275 8.3 Codedcooperativejamming 283 x Contents 8.4 Key-exchange 289 8.5 Bibliographicalnotes 291 9 Network-codingsecurity 293 9.1 Fundamentalsofnetworkcoding 293 9.2 Network-codingbasics 295 9.3 Systemaspectsofnetworkcoding 297 9.4 Practicalnetwork-codingprotocols 299 9.5 Securityvulnerabilities 302 9.6 Securingnetworkcodingagainstpassiveattacks 303 9.7 CounteringByzantineattacks 306 9.8 Bibliographicalnotes 309 References 311 Authorindex 323 Subjectindex 326