Physical layer security sure is hot these days. Its proponents claim provable security, something the cryptographic community hasn't yet been able to provide. Sounds great!
Physical layer security is largely based on the wire-tap channel; here (pdf) is one of the seminal papers on the subject. The great achievement in the wire-tap channel is to allow transmission at capacity on the from source to the legitimate receiver, while the mutual information from source to wire-tapper is zero, even if the wire-tapper knows the code book. Thus, we have "proven" that communication is secure, because the wire-tapper can never accurately guess the message that was sent to the legitimate receiver.
But here's the thing. Look at figures 1 and 2 in the paper I link. Everything relies on the wire-tapper having a physically degraded channel with respect to the legitimate receiver. This makes sense: if, somehow, the situation were reversed and the legitimate receiver were degraded with respect to the wire-tapper, it would obviously be impossible to prevent the wire-tapper from decoding the messages. Put another way, there is no security unless the wire-tapper has a worse channel than the legitimate receiver.
Here is my question: isn't it misleading to call this "secure"? It is unlikely that the wire-tapper would oblige us by providing his channel state information. Thus, we merely exchange one set of uncertainties for another: namely, exchanging uncertainty about the hardness of the factoring problem for uncertainty about the wire-tapper's channel state -- except that factoring is very widely believed to be intractable, whereas it's not hard to imagine a committed adversary being able to find a good channel for a wire-tap.
3 comments:
There is a small catch in your argument, if you allow the legit parties to access any authentic public channel they can perform an advantage distillation step to improve their channel against the eavesdropper.
There is also a bulk of work in this domain that extend a good deal of Wyner's work.
In particular, the work of Csizar and Korner (broadcast channel) and Maurer (secret key agreement) do not assume a better channel between the legitimate parties. However, they generally need a source of common randomness.
There are also some researchers that are trying to study the impact of phy-layer security in cryptographic protocols, thus trying to improve the security of a system by considering both types of security (the CCIT group at Georgia Tech. have been working in this area for sometime now).
Thanks, this is interesting. As an outsider in this field I only know of the major papers.
I don't buy "advantage distillation". Can you guarantee that the wiretapper will be degraded with respect to the primary user, even if you don't know the wiretapper's channel state? For example, even if the primary channel is noiseless, if the wiretapper manages to also find a noiseless channel for him/herself, then security is lost. Generally, my point is that you can't call it "security" if you have to assume that the adversaries are constrained.
Common randomness is interesting -- basically, what you mean is a one-time pad. So I can see an application of physical-layer security would be to stretch out a one-time pad, by sending most of your information in the clear (which the eavesdropper can see) and encrypt only a small part of it with the one-time pad (which the eavesdropper can't see). My problem here is that setting up a one-time pad (or common randomness, in general) is cumbersome, so as long as factoring is intractable, public-key cryptography will win.
Post a Comment