joint schemes for physical layer security and error correction


Upload: nerita

Post on 23-Feb-2016


DESCRIPTION

JOINT SCHEMES FOR PHYSICAL LAYER SECURITY AND ERROR CORRECTION. Murali Varanasi, April 9, 2012. PowerPoint PPT Presentation.

TRANSCRIPT

Murali Varanasi
April 9, 2012

JOINT SCHEMES FOR PHYSICAL LAYER SECURITY AND ERROR CORRECTION

What makes more sense and why?

[Figure: block diagram with blocks labelled PLAINTEXT, CYPHERTEXT, COMPRESSION, ERROR DETECTION OR CORRECTION, PLAINTEXT, DECOMPRESSION-1, CYPHERTEXT-1, DETECT/CORRECT and CHANNEL, plus USER and THE CLOUD]

IS THIS THE BEST ORDER OF DOING THINGS?

Outline
- Introduction
- Error Correction Based Cipher I (ECBC I)
- Error Correction Based Cipher II (ECBC II)
- AMH Cipher
- Joint Error Correction, Encryption and Modulation Scheme (JEEM)
- Summary
- References

Introduction - Motivation I and II
- Rapid increase in the number of applications on wireless devices.
- High cost of upper layer encryption in wireless sensor networks.
- Evidence of the existence of secrecy achieving codes.
- Issues with wireless channels:
  - Noisy in nature: error correction is an integral part of the physical layer of modern day communication systems.
  - Data are susceptible to eavesdropping and tampering: encryption is employed to provide secrecy.
  - Challenging to efficiently transmit data since random errors that occur during transmission need to be removed before decryption.
- Major challenges facing resource-constrained wireless devices are error resilience, security, and speed.

Introduction - Goal
- To combine encryption and channel coding as one process at the physical layer to facilitate reliable, secure and efficient communication.
- Exploit secrecy achieving characteristics of channel codes.
- Lead to improved efficiency, speed and savings in hardware usage because of hardware reuse.
- Give flexibility in terms of design and technology used for fabrication.
- Difficult to build lower layer analyzers in terms of attacks.

Introduction - Contribution
- Joint schemes that provide both security and reliability:
  - Potential of reducing hardware usage due to hardware reuse.
  - Increases power savings, since power consumption is of utmost importance in modern wireless communication.
- Joint schemes with no tradeoff between reliability and security in ECBC, as opposed to previous schemes.
- We show:
  - Cryptanalysis of ECBC,
  - Result of randomization tests on ECBC, and
  - Result of hardware implementation of ECBC.

Related Research
- McEliece introduced the use of error correcting code as a public key cryptosystem:
  - Based on algebraic coding theory using t-error correcting Goppa code (MG + Z).
  - Requires large block length (n = 1000 bits) to correct large number of errors (t = 50 bits).
  - Results in very large computational overhead.
- Rao proposed a private key cryptosystem based on algebraic code using the McEliece scheme:
  - Suggested G be made private.
  - Provided better security with simpler error correcting code.
  - Less computationally intensive compared to the McEliece scheme.
  - Broken by a chosen-plaintext attack.
  - Later introduced a private key cryptosystem which had a tradeoff between reliability and security.
- Hwang et al. proposed Secret Error Correcting Code (SECC) using Preparata code:
  - Did not use the error vector originally introduced in the original McEliece scheme.

Related Research
- Mathur et al. presented a joint scheme for error correction and cryptography using High Diffusion (HD) codes:
  - Based on the structure of the Advanced Encryption Standard (AES).
  - Replaced the high diffusion layer of the AES with HD code.
  - Higher in complexity compared to McEliece based schemes and AES.
  - Confirmed in their literature that McEliece based schemes have a low power consumption advantage.

Our Work
- Error Correction Based Cipher (ECBC) and AMH Cipher (AMHC)
- ECBC is based on McEliece scheme
- AMHC is based on AES structure
- Provides data reliability, integrity and security
- Full error correcting capability of the error correcting code is preserved

Error Correction Based Cipher I (ECBC I)
- ECBC I is a private key algebraic based system.
- It is based on Block Chaining Technique.
- We utilize a non-linear function and linear error correcting code.

ECBC I Encryption

ECBC I - Encryption
- Same plaintext will be encrypted to different ciphertext.
- Cryptanalyst cannot construct equivalent generator matrix combinatorially.
- Errors cannot be corrected systematically since ciphertexts are not codewords.
- Detailed analysis in the Cryptanalysis section.

ECBC I - Decryption
The transmitter and receiver have to agree on initial $Q_0$ and $X_0$ vectors (initialization vectors).

Decryption in a Noiseless Channel
Apply decryption: $Q_i = C_i + Z_i$

Multiplying with the transpose of permutation matrix:

Applying decoding algorithm:

Adding error vector:

Decryption - Noisy Channel
Noisy channel with error vector $Z_c$:

Applying Decryption process:

Multiply by transpose of permutation matrix :

After applying decoding algorithm

Decryption - Noisy Channel
Applying the inverse of nonlinear function $f^{-1}$:

Adding the error vector $Q^*_{i-1}$ to $d_i$:

- This shows that the error correction ability of the code is fully preserved for error due to the channel.
- Error intentionally introduced at the transmitter can be removed at the receiver.
- The scheme could be used as a checksum to detect illegal tampering or modification.

Cryptanalysis
Analysing:
If $X_i$ is fed forward and $Q_{i-1}$ is not fed back

Cryptanalysis
A chosen plaintext attack will break GP if the expansion function g is a linear function that has a left inverse based on the equation

To illustrate, let $M_i = M_{i+1}$ and $M_{i+2} = M_{i+3}$:

If g is linear :

- GP can be derived if the cryptanalyst could obtain k such distinct pairs.
- Since GP is a permuted version of G, the work factor of deriving G is increased.
- If g is non-linear, the attack will not work.

Cryptanalysis
If $X_i$ is not fed forward but $Q_{i-1}$ is fed back

Cryptanalyst would have to search for equivalent ciphertext $C_i = C_j$. This means that:

If f is linear, FGP could be found by known plaintext attack

Cryptanalysis
- However, if f is non-linear, the attack will not work.
- The cryptanalyst can collect k linearly independent equivalent codewords to construct G = fGP which is combinatorially equivalent to G.
- It is computationally infeasible to estimate the matrix G if k is large enough.
- The ECBC scheme withstands chosen-plaintext (Struik-Tilburg type) attacks because of the non-linear function f that transforms the plaintext.

Error Correction Based Cipher II (ECBC II)
- Based on Nordstrom Robinson (NR) code and McEliece Public Key Cryptosystem (MPKC).
- NR code has twice the codewords of any linear code with same minimum distance and length.
- NR code is a binary image of the octacode and the octacode is linear.
- The non-linear binary code in $Z_2$ could be mapped into a linear octacode in $Z_4$.
- We take advantage of the mapping from $Z_2$ to $Z_4$ and vice-versa.

Error Correction Based Cipher II (ECBC II)
- If Alice wants to send a message to Bob, we can change the symbol mapped to each bit when changing from $Z_2$ to $Z_4$.
- If Eve does not know the mapping, more errors will be introduced into the received data.
- Instead of taking advantage of the octacode, Eve will have to decode the message using the complicated decoder, which might not work depending on the number of errors introduced into the message.
- Bob can take advantage of decoding the linear code while Eve will have to decode a non-linear code.

ECBC II Encryption
- The message m in $Z_2$ is multiplied with a matrix called the scrambler (S) to obtain m.
- The scrambled message m in $Z_2$ is mapped into m in $Z_4$ based on a key (k).
- The m in $Z_4$ is then multiplied with the Nordstrom-Robinson Generator Matrix (G) to obtain codeword C.
- The C is then mapped back into $Z_2$ to obtain a different version of the codeword C using a key k.
- The codeword C is then multiplied with a permutation matrix (P) to obtain C.
- An error vector (E) is then added to the permuted codeword (C) to obtain ciphertext (CT).
- The ciphertext CT is then transmitted through the communication channel.

ECBC II Decryption
- The received ciphertext (CT) is multiplied with the transpose of the permutation matrix to obtain CT. This does not tamper with the weight of the error.
- The CT in $Z_2$ is mapped to $Z_4$ using a key k to obtain CT.
- The error vector ($EP^T$) in CT is removed using syndrome decoding to obtain m.
- The m is mapped to $Z_2$ (C) from $Z_4$ using key k to obtain m.
- The m is multiplied with the scrambler to obtain m.

ECBC II Cryptanalysis
- The cryptanalyst could try to attack this scheme using known-plaintext attack by independently solving matrices for each column of the product SGP (private key). However this requires large pairs of message and ciphertext.
- This will be very difficult because of the periodic randomized mapping from $Z_2$ to $Z_4$.
- In order to prevent chosen plaintext attack, the multiplication of the message with the scrambler should be replaced with a non-linear function.

ECBC II Cryptanalysis
The cryptanalyst can choose pairs of plaintext that differ by 1

If ciphertext 1 and 2 in $Z_2$ are expressed as:

If SGP = G and a superscript of 2 means the data is in $Z_2$

where g is the ith row vector of G

ECBC II Cryptanalysis
- The Hamming weight of the $E_1 - E_2$ will be at least 2t.
- The cryptanalyst can consider ($C_1$ $C_2$) as an estimate of $g_1$ if t