Information Theoretic Security for Broadcasting of Two Encrypted Sources under Side-Channel Attacks

In this paper, we propose a theoretical framework for analyzing the secure communication problem of broadcasting two encrypted sources in the presence of an adversary who launches side-channel attacks. The adversary is not only allowed to eavesdrop on the ciphertexts in the public communication channel, but is also allowed to gather additional information on the secret keys via side-channels: physical information leaked by the encryption devices during the encryption process, such as fluctuations of power consumption, heat, or electromagnetic radiation. Based on our framework, we propose a countermeasure against such an adversary using the post-encryption-compression (PEC) paradigm, in the case of one-time-pad encryption. We implement the PEC paradigm using affine encoders constructed from linear encoders and derive explicit sufficient conditions for attaining an exponential decay of the information leakage as the block lengths of the encrypted sources become large. One interesting feature of the proposed countermeasure is that its performance is independent of the type of side information leaked by the encryption devices.


I. INTRODUCTION
In this paper, we consider the problem of strengthening the security of broadcasting secret sources encrypted by common-key cryptosystems under the situation where the running cryptosystems have some potential problems. More precisely, we consider the two cryptosystems described as follows: two sources X_1 and X_2 are encrypted in a node into C_1 and C_2 using secret keys K_1 and K_2, respectively. The ciphertexts C_1 and C_2 are sent through public communication channels to the sink nodes 1 and 2, respectively. For each i, at the sink node i, X_i is decrypted from C_i using K_i. In this paper we assume that the above two cryptosystems have two potential problems. One is that the two common keys used in the systems may be correlated. The other is that the adversary can use a side-channel, through which side information on the two common keys can be obtained via a rate-constrained noiseless channel. To solve this problem we formulate the post-encryption coding system. In this communication system, we evaluate the information leakage of the two secret messages to the adversary. We provide an explicit sufficient condition for the information leakage to decay exponentially as the block length of the encrypted sources tends to infinity.
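As a concrete illustration of the basic setup, the following minimal Python sketch implements one-time-pad encryption and decryption of two sources with their respective keys. The function names (`otp_encrypt`, `otp_decrypt`) are our own and not part of the paper.

```python
import secrets

def otp_encrypt(x: bytes, k: bytes) -> bytes:
    """One-time-pad encryption over GF(2): C = X xor K."""
    assert len(x) == len(k)
    return bytes(a ^ b for a, b in zip(x, k))

def otp_decrypt(c: bytes, k: bytes) -> bytes:
    """One-time-pad decryption is the same XOR: X = C xor K."""
    return otp_encrypt(c, k)

# Two sources encrypted at their nodes with keys K1, K2 (possibly correlated),
# then decrypted at sink nodes 1 and 2.
x1, x2 = b"source-1", b"source-2"
k1 = secrets.token_bytes(len(x1))
k2 = secrets.token_bytes(len(x2))
c1, c2 = otp_encrypt(x1, k1), otp_encrypt(x2, k2)
assert otp_decrypt(c1, k1) == x1 and otp_decrypt(c2, k2) == x2
```

Since XOR is its own inverse, decryption at each sink node simply re-applies the key.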

A. Preliminaries
In this subsection, we introduce the basic notations and conventions used in this paper. Random Sources of Information and Keys: For each i = 1, 2, let X_i be a random variable taking values in a finite set X_i. For each i = 1, 2, let {X_{i,t}}_{t=1}^∞ be a stationary discrete memoryless source (DMS) such that for each t = 1, 2, ..., X_{i,t} takes values in the finite set X_i and has the same distribution as X_i, denoted by p_{X_i} = {p_{X_i}(x_i)}_{x_i ∈ X_i}. The stationary DMS {X_{i,t}}_{t=1}^∞ is specified by p_{X_i}.
We next define the two keys used in the two common-key cryptosystems. Let (K_1, K_2) be a pair of correlated random variables taking values in X_1 × X_2. Let {(K_{1,t}, K_{2,t})}_{t=1}^∞ be a stationary discrete memoryless source such that for each t = 1, 2, ..., (K_{1,t}, K_{2,t}) takes values in X_1 × X_2 and has the same distribution as (K_1, K_2), denoted by p_{K_1K_2}. The stationary DMS {(K_{1,t}, K_{2,t})}_{t=1}^∞ is specified by p_{K_1K_2}. In this paper we assume that for each i = 1, 2, the marginal distribution p_{K_i} is the uniform distribution over X_i. Random Variables and Sequences: We write a sequence of random variables with length n from the information sources as X^n_i := (X_{i,1}, X_{i,2}, ..., X_{i,n}). Similarly, strings with length n of realizations of X^n_i are written as x^n_i := (x_{i,1}, x_{i,2}, ..., x_{i,n}) ∈ X^n_i. Here p_{X^n_1 X^n_2}(x^n_1, x^n_2) stands for the probability of the occurrence of (x^n_1, x^n_2). When the information source is memoryless and specified by p_{X_1X_2}, the following equation holds: p_{X^n_1 X^n_2}(x^n_1, x^n_2) = ∏_{t=1}^n p_{X_1X_2}(x_{1,t}, x_{2,t}).
In this case we write p_{X^n_1 X^n_2}(x^n_1, x^n_2) as p^n_{X_1X_2}(x^n_1, x^n_2). Similar notations are used for other random variables and sequences. Conventions and Notations: Without loss of generality, throughout this paper, we assume that X_1 and X_2 are finite fields. The notation ⊕ denotes the field addition operation, while ⊖ denotes the field subtraction operation, i.e., a ⊖ b = a ⊕ (−b) for any elements a, b of the same finite field. All discussions and theorems in this paper still hold when X_1 and X_2 are different finite fields. However, for simplicity, we use the same notation for field addition and subtraction on both X_1 and X_2. Throughout this paper all logarithms are taken to the natural base.
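The field operations ⊕ and ⊖ can be illustrated over any small prime field; the sketch below uses GF(5), and the helper names `f_add`, `f_neg`, `f_sub` are our own.

```python
P = 5  # prime modulus: integers mod 5 form the finite field GF(5)

def f_add(a: int, b: int) -> int:
    """Field addition ⊕ in GF(P)."""
    return (a + b) % P

def f_neg(a: int) -> int:
    """Additive inverse −a in GF(P)."""
    return (-a) % P

def f_sub(a: int, b: int) -> int:
    """Field subtraction ⊖, defined as a ⊖ b = a ⊕ (−b)."""
    return f_add(a, f_neg(b))

# ⊖ undoes ⊕ for every pair of field elements, which is exactly
# what decryption of an additive cipher relies on.
for a in range(P):
    for b in range(P):
        assert f_sub(f_add(a, b), b) == a
```

Over GF(2) both ⊕ and ⊖ reduce to XOR, which is why the one-time-pad examples use the same operation for encryption and decryption.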

B. Basic System Description
In this subsection we explain the basic system setting and the basic adversarial model considered in this paper. First, let the information sources and the keys be generated independently by three different parties S_{gen,1}, S_{gen,2}, and K_{gen}, respectively. In our setting, we assume the following.
• The random keys K^n_1 and K^n_2 are generated by K_{gen} according to the uniform distribution.
• The sources X^n_1 and X^n_2 are generated by S_{gen,1} and S_{gen,2} and are correlated with each other.
• The sources are independent of the keys.
Next, the two correlated random sources X^n_1 and X^n_2, from S_{gen,1} and S_{gen,2} respectively, are sent to two separate nodes L_1 and L_2. The two random keys K^n_1 and K^n_2 from K_{gen} are also sent separately to L_1 and L_2. Further settings of our system are described as follows. They are also shown in Fig. 1.
1) Separate Source Processing: For each i = 1, 2, at the node L_i, X^n_i is encrypted with the key K^n_i using the encryption function Enc_i. The ciphertext C^n_i of X^n_i is given by C^n_i = Enc_i(X^n_i) = X^n_i ⊕ K^n_i.
2) Transmission: Next, the ciphertexts C^n_1 and C^n_2 are sent to the information processing centers D_1 and D_2, respectively, through two public communication channels. Meanwhile, the keys K^n_1 and K^n_2 are sent to D_1 and D_2, respectively, through two private communication channels.
3) Sink Node Processing: For each i = 1, 2, in D_i, we decrypt the ciphertext C^n_i using the key K^n_i through the corresponding decryption procedure Dec_i defined by Dec_i(C^n_i) = C^n_i ⊖ K^n_i. It is obvious that we can correctly reproduce the source output X^n_i from C^n_i and K^n_i by the decryption function Dec_i.
Side-Channel Attacks by an Eavesdropper Adversary: An adversary A eavesdrops on the public communication channels in the system. The adversary A also uses side information obtained by side-channel attacks. Let Z be a finite set and let W : X_1 × X_2 → Z be a noisy channel. Let Z be the channel output of W for the input random variable (K_1, K_2). We consider the discrete memoryless channel specified by W. Let Z^n ∈ Z^n be the random variable obtained as the channel output by connecting (K^n_1, K^n_2) to the input of W^n. Since the channel is memoryless, we have p_{Z^n|K^n_1 K^n_2}(z^n|k^n_1, k^n_2) = ∏_{t=1}^n W(z_t|k_{1,t}, k_{2,t}). On the above output Z^n of W^n for the input (K^n_1, K^n_2), we assume the following.
• The random pair (X_1, X_2) is independent of the pair ((K_1, K_2), Z).
• W is given in the system and the adversary A cannot control W.
• By side-channel attacks, the adversary A can access Z^n.
We next formulate the side information the adversary A obtains by side-channel attacks. The adversary A encodes Z^n with an encoder function ϕ^(n)_A, whose rate is R^(n)_A = (1/n) log ‖ϕ^(n)_A‖, where ‖ϕ^(n)_A‖ denotes the cardinality of the range of ϕ^(n)_A. On the encoded side information the adversary A obtains, we assume the following.
• The adversary A, having accessed Z^n, obtains the encoded additional information ϕ^(n)_A(Z^n). The rates {R^(n)_A}_{n=1}^∞ must be upper bounded by a prescribed value. In other words, for some R_A and for any sufficiently large n, the adversary A must use ϕ^(n)_A such that R^(n)_A ≤ R_A.
As a solution to the side-channel attacks, we consider the post-encryption coding system. This system is shown in Fig. 2.
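The memoryless side channel W described above is easy to simulate componentwise. The sketch below is our own construction: it assumes a hypothetical W under which the adversary observes K_1 through a binary symmetric channel with crossover 0.1 and learns nothing about K_2.

```python
import random

def side_channel(k1n, k2n, W, rng):
    """Simulate a discrete memoryless channel on the key pair:
    p(z^n | k1^n, k2^n) = prod_t W[(k1_t, k2_t)][z_t]."""
    zn = []
    for k1, k2 in zip(k1n, k2n):
        dist = W[(k1, k2)]                  # output pmf {z: prob} for this input
        r, acc = rng.random(), 0.0
        for z, p in sorted(dist.items()):   # inverse-CDF sampling
            acc += p
            if r < acc:
                zn.append(z)
                break
        else:                               # guard against rounding at acc ~ 1.0
            zn.append(z)
    return zn

rng = random.Random(0)
# Hypothetical W: Z is K1 seen through a BSC(0.1); K2 is ignored entirely.
W = {(k1, k2): {k1: 0.9, 1 - k1: 0.1} for k1 in (0, 1) for k2 in (0, 1)}
k1n = [rng.randrange(2) for _ in range(1000)]
k2n = [rng.randrange(2) for _ in range(1000)]
zn = side_channel(k1n, k2n, W, rng)
flips = sum(z != k for z, k in zip(zn, k1n)) / len(zn)
assert 0.05 < flips < 0.15  # empirical crossover close to the nominal 0.1
```

The adversary would then compress `zn` with its own encoder ϕ^(n)_A of rate at most R_A before using it.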
1) Encoding at Source Node L_i, i = 1, 2: For each i = 1, 2, we first encode the ciphertext C^n_i into C^{m_i}_i = ϕ^(n)_i(C^n_i) using an encoder function ϕ^(n)_i : X^n_i → X^{m_i}_i. Instead of sending C^n_i, we send C^{m_i}_i to the public communication channel.
2) Decoding at Sink Nodes D_i, i = 1, 2: For each i = 1, 2, D_i receives C^{m_i}_i from the public communication channel. Using the common key K^n_i and the decoder function ψ^(n)_i, D_i outputs the estimate X̂^n_i = ψ^(n)_i(K^n_i, C^{m_i}_i).
On Reliability and Security: From the description of our system in the previous section, the decoding process above is successful if X̂^n_i = X^n_i holds. Hence the decoding error probabilities p_{e,i}, i = 1, 2, are given by p_{e,i} := Pr{X̂^n_i ≠ X^n_i}. The information leakage on (X^n_1, X^n_2) toward the adversary A is measured by the mutual information between (X^n_1, X^n_2) and the adversary's observation (C^{m_1}_1, C^{m_2}_2, M_A), where M_A := ϕ^(n)_A(Z^n). This quantity is formally defined by Δ^(n)(ϕ^(n)_A | p^n_{X_1X_2}, p^n_{ZK_1K_2}) := I(X^n_1 X^n_2 ; C^{m_1}_1 C^{m_2}_2 M_A).
Reliable and Secure Framework: Definition 1: A pair (R_1, R_2) is achievable under R_A > 0 for the system Sys if there exist two sequences {(ϕ^(n)_i, ψ^(n)_i)}_{n=1}^∞, i = 1, 2, such that for any ε > 0 and any sufficiently large n, the decoding error probabilities satisfy p_{e,i} ≤ ε, i = 1, 2, and for any eavesdropper A with ϕ^(n)_A satisfying R^(n)_A ≤ R_A, we have Δ^(n)(ϕ^(n)_A | p^n_{X_1X_2}, p^n_{ZK_1K_2}) ≤ ε. Definition 2 (Reliable and Secure Rate Region): Let R_Sys(p_{X_1X_2}, p_{K_1K_2}, W) denote the set of all (R_A, R_1, R_2) such that (R_1, R_2) is achievable under R_A. We call R_Sys(p_{X_1X_2}, p_{K_1K_2}, W) the reliable and secure rate region.
Definition 3: A triple (R_1, R_2, F) is achievable under R_A > 0 for the system Sys if there exist two sequences {(ϕ^(n)_i, ψ^(n)_i)}_{n=1}^∞, i = 1, 2, such that for any ε > 0 and any sufficiently large n, the decoding error probabilities vanish and, for any eavesdropper A with ϕ^(n)_A satisfying R^(n)_A ≤ R_A, we have Δ^(n)(ϕ^(n)_A | p^n_{X_1X_2}, p^n_{ZK_1K_2}) ≤ e^{−n(F−ε)}. Definition 4 (Rate, Reliability, and Security Region): Let D_Sys(p_{X_1X_2}, p_{ZK_1K_2}) denote the set of all achievable (R_A, R_1, R_2, F). We call D_Sys(p_{X_1X_2}, p_{ZK_1K_2}) the rate, reliability, and security region.
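The leakage measure Δ^(n) is a mutual information, which for a toy one-bit system can be computed exactly by enumeration. The sketch below is our own construction, not the paper's: it contrasts the perfect secrecy of the one-time pad, I(X; C) = 0, with the leakage I(X; (C, Z)) in the worst case where the side channel reveals the key completely.

```python
from itertools import product
from math import log

def mutual_information(joint):
    """I(A; B) in nats from a joint pmf given as {(a, b): prob}."""
    pa, pb = {}, {}
    for (a, b), p in joint.items():
        pa[a] = pa.get(a, 0.0) + p
        pb[b] = pb.get(b, 0.0) + p
    return sum(p * log(p / (pa[a] * pb[b]))
               for (a, b), p in joint.items() if p > 0)

# One-bit source X with bias 0.7, uniform one-bit key K, ciphertext C = X xor K.
px = {0: 0.7, 1: 0.3}
joint_xc = {}    # joint pmf of (X, C): adversary sees only the ciphertext
joint_xcz = {}   # joint pmf of (X, (C, Z)) with Z = K: key fully leaked
for x, k in product([0, 1], repeat=2):
    p = px[x] * 0.5
    c = x ^ k
    joint_xc[(x, c)] = joint_xc.get((x, c), 0.0) + p
    joint_xcz[(x, (c, k))] = joint_xcz.get((x, (c, k)), 0.0) + p

leak_no_side = mutual_information(joint_xc)    # 0: perfect secrecy of the OTP
leak_full_key = mutual_information(joint_xcz)  # equals H(X) > 0: total leakage
assert abs(leak_no_side) < 1e-12
assert leak_full_key > 0.5
```

Between these two extremes, a rate-limited encoding ϕ^(n)_A(Z^n) yields intermediate leakage, which is what the PEC countermeasure drives to zero.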

III. PROPOSED IDEA: AFFINE ENCODER AS PRIVACY AMPLIFIER
For each i = 1, 2, let φ^(n)_i : X^n_i → X^{m_i}_i be a linear mapping. We define the mapping φ^(n)_i by φ^(n)_i(x^n_i) := x^n_i A_i, where A_i is a matrix with n rows and m_i columns whose entries are from the field X_i. We define the mapping ϕ^(n)_i : X^n_i → X^{m_i}_i by ϕ^(n)_i(x^n_i) := φ^(n)_i(x^n_i) ⊕ b^{m_i}_i = x^n_i A_i ⊕ b^{m_i}_i, where b^{m_i}_i ∈ X^{m_i}_i. The mapping ϕ^(n)_i is called the affine mapping induced by the linear mapping φ^(n)_i. Next, let ψ^(n)_i be the corresponding decoder for ϕ^(n)_i; the decoder ψ^(n)_i does not have a linear structure in general. Description of the Proposed Procedure: We describe the procedure of our privacy-amplified system as follows.
1) Encoding at Source Node L_i, i = 1, 2: First, we use ϕ^(n)_i to encode the ciphertext C^n_i = X^n_i ⊕ K^n_i into C̃^{m_i}_i = ϕ^(n)_i(C^n_i). Then, instead of sending C^n_i, we send C̃^{m_i}_i to the public communication channel. By the affine structure of the encoder, we have C̃^{m_i}_i = ϕ^(n)_i(X^n_i ⊕ K^n_i) = φ^(n)_i(X^n_i) ⊕ ϕ^(n)_i(K^n_i) = X̃^{m_i}_i ⊕ K̃^{m_i}_i, where we set X̃^{m_i}_i := φ^(n)_i(X^n_i) and K̃^{m_i}_i := ϕ^(n)_i(K^n_i).
2) Decoding at Sink Nodes D_i, i = 1, 2: First, using the affine encoder ϕ^(n)_i, D_i encodes the key K^n_i received through the private channel into K̃^{m_i}_i = ϕ^(n)_i(K^n_i). Receiving C̃^{m_i}_i from the public communication channel, D_i computes X̃^{m_i}_i as X̃^{m_i}_i = C̃^{m_i}_i ⊖ K̃^{m_i}_i and then outputs X̂^n_i = ψ^(n)_i(X̃^{m_i}_i). Our privacy-amplified system described above is illustrated in Fig. 3.
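The affine structure and the decoding identity C̃ ⊖ ϕ(K) = φ(X) can be checked numerically over GF(2). The sketch below uses a random binary matrix A and offset b; the helper names are our own choosing, not the paper's.

```python
import random

def mat_vec_gf2(x, A):
    """Row-vector times matrix over GF(2): x (length n) times A (n x m)."""
    y = [0] * len(A[0])
    for xi, row in zip(x, A):
        if xi:
            y = [a ^ b for a, b in zip(y, row)]
    return y

def xor(u, v):
    """Componentwise GF(2) addition; ⊕ and ⊖ coincide over GF(2)."""
    return [a ^ b for a, b in zip(u, v)]

rng = random.Random(0)
n, m = 8, 5
A = [[rng.randrange(2) for _ in range(m)] for _ in range(n)]  # n x m matrix
b = [rng.randrange(2) for _ in range(m)]                      # offset vector

def phi(x):      # linear encoder phi(x) = xA
    return mat_vec_gf2(x, A)

def aff(x):      # affine encoder varphi(x) = xA + b
    return xor(phi(x), b)

x = [rng.randrange(2) for _ in range(n)]  # source block
k = [rng.randrange(2) for _ in range(n)]  # key block
c = xor(x, k)                             # one-time-pad ciphertext
c_tilde = aff(c)                          # compressed ciphertext sent publicly

# Affine structure: varphi(X + K) = phi(X) + varphi(K),
# so the sink node recovers phi(X) by subtracting varphi(K).
assert c_tilde == xor(phi(x), aff(k))
assert xor(c_tilde, aff(k)) == phi(x)
```

The final step of the sink node, recovering X^n from φ(X^n), is performed by the (nonlinear) decoder ψ^(n)_i, sketched later with the minimum entropy decoder.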

IV. MAIN RESULTS
In this section we state our main results. To describe them we define several functions and sets. Let U be an auxiliary random variable taking values in a finite set U. We assume that the joint distribution of (U, Z, K_1, K_2) satisfies the Markov chain U ↔ Z ↔ (K_1, K_2). In the following argument, for convenience of description, we use the following notations: for each i = 1, 2, 3, we simply write p_i = p_{UZK_i}, where for i = 3 we interpret K_3 as the pair (K_1, K_2), so that p_3 = p_{UZK_1K_2} = p. Using these distributions we define the three sets P(p_{ZK_i}) of probability distributions p = p_{UZK_1K_2} and the corresponding regions R_i(p_{ZK_i}). The two regions R_i(p_{ZK_i}), i = 1, 2, have the same form as the admissible rate region of the one-helper source coding problem posed and investigated by Ahlswede and Körner [1].
We can show that the regions R_i(p_{ZK_i}), i = 1, 2, and R_3(p_{ZK_1K_2}) satisfy the following property.
Property 1: Each of the regions R_i(p_{ZK_i}), i = 1, 2, and R_3(p_{ZK_1K_2}) is a closed convex set.
We next explain that the regions R_i(p_{ZK_i}), i = 1, 2, and R_3(p_{ZK_1K_2}) can be expressed by a family of supporting hyperplanes. To describe this result we define three sets of probability distributions on U × Z × X_1 × X_2. For i = 1, 2, 3 and μ ∈ [0, 1], we define the corresponding supporting-hyperplane functions. Then we have the following property.
Property 2: c) For any p_{ZK_1K_2} the regions admit the stated hyperplane expressions. We define several quantities to state a result on D_Sys(p_{X_1X_2}, p_{K_1K_2}, W). Let i ∈ {1, 2}. We first define a function related to an exponential upper bound on p_e(φ^(n)_i, ψ^(n)_i | p^n_{X_i}). Let X̄_i be an arbitrary random variable over X_i with probability distribution p_{X̄_i}. Let P(X_i) denote the set of all probability distributions on X_i. For R_i ≥ 0 and p_{X_i} ∈ P(X_i), we define the function E(R_i | p_{X_i}). We next define a function related to an exponential upper bound on Δ^(n)(ϕ^(n)_A | p^n_{X_1X_2}, p^n_{ZK_1K_2}). For each i = 1, 2, 3, we define a set of probability distributions on U × Z × X_i by Q(p_{K_i|Z}) := {q_i = q_{UZK_i} : q_{K_iZ|U} = p_{K_iZ|U} for some p_i ∈ P(p_{ZK_i})}.
For each i = 1, 2, 3, for (μ, α) ∈ [0, 1]^2, and for q_i ∈ Q(p_{K_i|Z}), we define the corresponding exponent function. We next define a function serving as a lower bound on the security exponent: for each i = 1, 2, 3 and for each p_i ∈ P(p_{ZK_i}), define the associated infimum, and set the overall exponent function accordingly. We can show that the above functions satisfy the following property.
Proof of this property can be found in the extended version of Oohama [2]. Our main result is as follows.
Theorem 1: For any R_A, R_1, R_2 > 0 and any p_{ZK_1K_2}, there exist two sequences of mappings {(ϕ^(n)_i, ψ^(n)_i)}_{n=1}^∞, i = 1, 2, such that for any p_{X_i}, i = 1, 2, and any n ≥ (R_1 + R_2)^{−1}, the error probabilities decay exponentially, and for any eavesdropper A with ϕ^(n)_A satisfying R^(n)_A ≤ R_A, the information leakage decays exponentially, where δ_{i,n}, i = 1, 2, 3, are vanishing sequences. Note that for i = 1, 2, 3, δ_{i,n} → 0 as n → ∞. This theorem is proved by coupling two techniques. One is a technique Oohama [3] developed for deriving approximation error exponents for the intrinsic randomness problem in the framework of distributed random number extraction, which was posed by the author. This technique is used in the security analysis of the privacy amplification of distributed encrypted sources with correlated keys posed and investigated by Santoso and Oohama [4], [5]. The other is a technique Oohama [2] developed for establishing the exponential strong converse theorem for the one-helper source coding problem. This technique is used in the security analysis of the side-channel attacks on the Shannon cipher system posed and investigated by Oohama and Santoso [6], [7].
The exponent functions of Theorem 1 characterize an inner bound R^(in)_Sys(p_{X_1X_2}, p_{ZK_1K_2}). Thus, by Theorem 1, under R^(in)_Sys(p_{X_1X_2}, p_{ZK_1K_2}), we have the following:
• On the reliability, for i = 1, 2, p_e(φ^(n)_i, ψ^(n)_i | p^n_{X_i}) goes to zero exponentially as n tends to infinity, and its exponent is lower bounded by the function E(R_i | p_{X_i}).
• On the security, for any ϕ^(n)_A satisfying R^(n)_A ≤ R_A, the information leakage on (X^n_1, X^n_2) goes to zero exponentially as n tends to infinity, and its exponent is lower bounded by the corresponding security exponent function.
From Theorem 1, we immediately obtain the following corollary.
Corollary 1: In the remaining part of this section, we give two simple examples of R^(in)_Sys(p_{X_1X_2}, p_{ZK_1K_2}). These correspond to two extremal cases of the correlation of (K_1, K_2, Z). In both examples, we assume that X_1 = X_2 = {0, 1} and p_{X_1}(1) = s_1, p_{X_2}(1) = s_2. We further assume that p_{K_1K_2} is the binary symmetric distribution with Pr{K_1 ≠ K_2} = ρ, where ρ ∈ [0, 0.5] is a parameter indicating the correlation level of (K_1, K_2).
Example 1: We consider the case where W = p_{Z|K_1K_2} depends only on K_1. In this case we have the Markov chain K_2 ↔ K_1 ↔ Z. This corresponds to the case where the adversary A attacks only node L_1. Let N_A be a binary random variable with p_{N_A}(1) = ρ_A. We assume that N_A is independent of (X_1, X_2) and (K_1, K_2). Using N_A, Z can be written as Z = K_1 ⊕ N_A. The inner bound for this example is denoted by R^(in)_{Sys,ex1}.
Example 2: We consider the case of ρ = 0.5. In this case K_1 and K_2 are independent, and there is no information leakage if R_A = 0. We assume that W = p_{Z|K_1K_2} depends only on K_1 ⊕ K_2. Let N_A be the same random variable as in the previous example. Using N_A, Z can be written as Z = K_1 ⊕ K_2 ⊕ N_A. The inner bound for this example is denoted by R^(in)_{Sys,ex2}.
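Example 1 is easy to simulate. The sketch below, with illustrative parameter values of our own, draws correlated keys with crossover ρ and a side-channel output Z = K_1 ⊕ N_A, then checks empirically that Z behaves as a noisy observation of K_1 alone.

```python
import random

rng = random.Random(1)
rho, rho_A = 0.1, 0.2          # illustrative key correlation and channel noise
n = 100_000

# K1 is uniform; K2 = K1 xor N with Pr[N = 1] = rho (binary symmetric pair)
k1 = [rng.randrange(2) for _ in range(n)]
k2 = [b ^ (rng.random() < rho) for b in k1]
# Example 1 side channel: Z = K1 xor N_A with Pr[N_A = 1] = rho_A
z = [b ^ (rng.random() < rho_A) for b in k1]

key_corr = sum(a != b for a, b in zip(k1, k2)) / n
sc_noise = sum(a != b for a, b in zip(z, k1)) / n
assert abs(key_corr - rho) < 0.01    # keys disagree about a rho fraction of the time
assert abs(sc_noise - rho_A) < 0.01  # Z is K1 observed through a BSC(rho_A)
```

Replacing the last line's input `k1` by the componentwise XOR of `k1` and `k2` gives the side channel of Example 2.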

V. PROOFS OF THE RESULTS
In this section we prove Theorem 1.

A. Types of Sequences and Their Properties
In this subsection we prepare basic results on types. These results are basic tools for our analysis of several bounds related to the error probability of decoding and to security.
Definition 5: For each i = 1, 2 and for any n-sequence x^n_i = (x_{i,1}, ..., x_{i,n}) ∈ X^n_i, n(x_i|x^n_i) denotes the number of t such that x_{i,t} = x_i. The relative frequency {n(x_i|x^n_i)/n}_{x_i∈X_i} of the components of x^n_i is called the type of x^n_i, denoted by P_{x^n_i}. The set that consists of all the types on X_i is denoted by P_n(X_i). Let X̄_i denote an arbitrary random variable whose distribution P_{X̄_i} belongs to P_n(X_i). For p_{X̄_i} ∈ P_n(X_i), set T_{X̄_i} := {x^n_i ∈ X^n_i : P_{x^n_i} = P_{X̄_i}}, the type class of X̄_i. For sets of types and joint types the following lemma holds. For the details of the proof see Csiszár and Körner [8].
By Lemma 1 parts b) and c), we immediately obtain the following lemma. Lemma 2: For p_{X̄_i} ∈ P_n(X_i), the stated bounds hold.
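The type of a sequence and the standard counting bounds behind Lemma 1 can be illustrated directly. The sketch below, our own illustration for the binary case, computes the type and empirical entropy of a sequence and checks the familiar bounds |P_n(X)| ≤ (n+1)^{|X|} and |T_P| ≤ e^{nH(P)}.

```python
from collections import Counter
from math import comb, exp, log

def type_of(xn, alphabet):
    """Empirical distribution (type) P_{x^n} of a sequence x^n."""
    counts = Counter(xn)
    n = len(xn)
    return {a: counts.get(a, 0) / n for a in alphabet}

def empirical_entropy(xn, alphabet):
    """Entropy H(x^n) in nats computed from the type of x^n."""
    p = type_of(xn, alphabet)
    return -sum(v * log(v) for v in p.values() if v > 0)

xn = [0, 1, 1, 0, 1, 0, 1, 1]
P = type_of(xn, [0, 1])
assert P == {0: 3 / 8, 1: 5 / 8}

n = len(xn)
# The number of binary types of length n is n + 1 <= (n + 1)^{|X|}.
assert n + 1 <= (n + 1) ** 2
# The type class of P has size binom(n, k) <= e^{n H(P)}.
k = sum(xn)
assert comb(n, k) <= exp(n * empirical_entropy(xn, [0, 1]))
```

These polynomial and exponential counting bounds are exactly what turn the ensemble-average bounds of the random coding argument into deterministic-code bounds later in the proof.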

B. Upper Bounds on Reliability and Security
In this subsection we evaluate upper bounds on p_e(φ^(n)_i, ψ^(n)_i | p^n_{X_i}) and on the information leakage. For p_e(φ^(n)_i, ψ^(n)_i | p^n_{X_i}), i = 1, 2, we derive an upper bound that can be characterized by a quantity depending on (φ^(n)_i, ψ^(n)_i). For x^n_i ∈ X^n_i and p_{X̄_i} ∈ P_n(X_i) we define the following functions.
Then we have the following lemma. Lemma 3: In the proposed system, for i = 1, 2 and for any pair (φ^(n)_i, ψ^(n)_i), the error probability p_e(φ^(n)_i, ψ^(n)_i | p^n_{X_i}) admits an upper bound in terms of the functions defined above. Proof of this lemma is found in [6]. We omit the proof.
We next discuss upper bounds on the information leakage. On an upper bound of I(C̃^{m_1}_1 C̃^{m_2}_2 M_A ; X^n_1 X^n_2), we have the following lemma.
Lemma 4: The information leakage is upper bounded by a conditional divergence term in which the reference distribution p_{V_1V_2} represents the uniform distribution over X^{m_1}_1 × X^{m_2}_2. Proof: We have the following chain of inequalities.

C. Random Coding Arguments
We construct a pair of affine encoders (ϕ^(n)_1, ϕ^(n)_2) using the random coding method. For the two decoders ψ^(n)_1, ψ^(n)_2, we propose the minimum entropy decoder used in Csiszár [9] and Oohama and Han [10]. Random Construction of Affine Encoders: For each i = 1, 2, we first choose m_i such that m_i = ⌊nR_i / log |X_i|⌋, where ⌊a⌋ stands for the integer part of a. It is obvious that (m_i/n) log |X_i| ≤ R_i. By the definition (2) of φ^(n)_i, we have φ^(n)_i(x^n_i) = x^n_i A_i, where A_i is a matrix with n rows and m_i columns. By the definition (3) of ϕ^(n)_i, we have ϕ^(n)_i(x^n_i) = x^n_i A_i ⊕ b^{m_i}_i, where for each i = 1, 2, b^{m_i}_i is a vector with m_i components. Entries of A_i and b^{m_i}_i are from the field X_i. These entries are selected at random, independently of each other and with the uniform distribution. The randomly constructed linear encoder φ^(n)_i and affine encoder ϕ^(n)_i have three properties shown in the following lemma.
Lemma 5 (Properties of Linear/Affine Encoders): For each i = 1, 2, we have the following:
a) For any s^n_i ∈ X^n_i, the output ϕ^(n)_i(s^n_i) is uniformly distributed over X^{m_i}_i.
b) For any s^n_i ∈ X^n_i and for any s^{m_i}_i ∈ X^{m_i}_i, we have Pr{ϕ^(n)_i(s^n_i) = s^{m_i}_i} = |X_i|^{−m_i}.
c) For any s^n_i, t^n_i ∈ X^n_i with s^n_i ≠ t^n_i, and for any s^{m_i}_i ∈ X^{m_i}_i, we have Pr{ϕ^(n)_i(s^n_i) = ϕ^(n)_i(t^n_i) = s^{m_i}_i} = |X_i|^{−2m_i}.
Proof of this lemma is found in [6]. We omit the proof. We next define the decoder function ψ^(n)_i. To this end we define the following quantities.
Definition 6: For x^n_i ∈ X^n_i, we denote by H(x^n_i) the entropy calculated from the type P_{x^n_i}. In other words, for a type P_{X̄_i} ∈ P_n(X_i) such that P_{X̄_i} = P_{x^n_i}, we define H(x^n_i) = H(X̄_i). Minimum Entropy Decoder: For each i = 1, 2 and for φ^(n)_i, the decoder ψ^(n)_i : X^{m_i}_i → X^n_i is defined as follows: ψ^(n)_i(s^{m_i}_i) = x̂^n_i if φ^(n)_i(x̂^n_i) = s^{m_i}_i and H(x̂^n_i) < H(x̃^n_i) for all x̃^n_i ≠ x̂^n_i with φ^(n)_i(x̃^n_i) = s^{m_i}_i; the output is arbitrary if there is no such x̂^n_i. Error Probability Bound: In the following arguments expectations are taken with respect to the random choice of the affine encoders ϕ^(n)_i. Then we have the following lemma. Lemma 6: For each i = 1, 2, for any n, and for any P_{X̄_i} ∈ P_n(X_i), the expected error probability admits an exponential upper bound. Proof of this lemma is found in [6]. We omit the proof. Estimation of Approximation Error: Define the quantity Θ(ϕ^(n)_A | p^n_{ZK_1K_2}). Then, we have the following lemma.
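A brute-force version of the minimum entropy decoder makes the definition concrete: among all preimages of s^m under the linear map φ, pick one with the smallest empirical entropy. The sketch below, our own exponential-time illustration over GF(2), is for clarity only, not an efficient implementation.

```python
from itertools import product
from math import log
import random

def mat_vec_gf2(x, A):
    """Row-vector times matrix over GF(2)."""
    y = [0] * len(A[0])
    for xi, row in zip(x, A):
        if xi:
            y = [a ^ b for a, b in zip(y, row)]
    return y

def empirical_entropy(xn):
    """Entropy in nats of the type of a binary sequence."""
    n, k = len(xn), sum(xn)
    return -sum((c / n) * log(c / n) for c in (k, n - k) if c)

def min_entropy_decode(s_m, A, n):
    """psi(s^m): among all x^n with phi(x^n) = s^m, return one with the
    smallest empirical entropy H(x^n) (brute force, exponential in n)."""
    best, best_h = None, float("inf")
    for x in product([0, 1], repeat=n):
        if mat_vec_gf2(list(x), A) == s_m and empirical_entropy(x) < best_h:
            best, best_h = list(x), empirical_entropy(x)
    return best

rng = random.Random(7)
n, m = 6, 4
A = [[rng.randrange(2) for _ in range(m)] for _ in range(n)]
x = [0, 0, 0, 0, 1, 0]  # low-entropy (biased) source block
decoded = min_entropy_decode(mat_vec_gf2(x, A), A, n)
# The decoder output is a preimage of the syndrome with entropy no larger
# than that of the true block (which is itself a candidate).
assert mat_vec_gf2(decoded, A) == mat_vec_gf2(x, A)
assert empirical_entropy(decoded) <= empirical_entropy(x) + 1e-12
```

When the rate m/n exceeds the source entropy, low-entropy blocks are recovered correctly with high probability over the random choice of A, which is the content of Lemma 6.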

Lemma 7: For i = 1, 2 and for any n, m_i satisfying (m_i/n) log |X_i| ≤ R_i, the ensemble average of the conditional divergence is upper bounded by Θ(ϕ^(n)_A | p^n_{ZK_1K_2}). Proof of this lemma is given in Appendix A. From the bound (19) in Lemma 7, we know that the quantity Θ(ϕ^(n)_A | p^n_{ZK_1K_2}) serves as an upper bound on the ensemble average of the conditional divergence. From Lemmas 4 and 7, we have the following corollary. Corollary 2: The ensemble average of the information leakage is upper bounded by Θ(ϕ^(n)_A | p^n_{ZK_1K_2}).
Existence of a Universal Code {(ϕ^(n)_i, ψ^(n)_i)}_{i=1,2}: From Lemma 6 and Corollary 2, we have the following lemma stating the existence of a universal code {(ϕ^(n)_i, ψ^(n)_i)}_{i=1,2}. Lemma 8: There exists at least one deterministic code {(ϕ^(n)_i, ψ^(n)_i)}_{i=1,2} such that for i = 1, 2 and for any p_{X̄_i} ∈ P_n(X_i) the error probability bound holds and, furthermore, for any ϕ^(n)_A the leakage bound holds, each with an extra factor of e(n + 1)^{|X_i|}. Proof: We have the following chain of inequalities.
Step (a) follows from Lemma 6 and Corollary 2.
Step (b) follows from Lemma 1 part a). Hence there exists at least one deterministic code {(ϕ^(n)_i, ψ^(n)_i)}_{i=1,2} attaining the ensemble-average bounds within a factor of e(n + 1)^{|X_i|}, from which we have that for i = 1, 2 and for any p_{X̄_i} ∈ P_n(X_i), the error probability bound of Lemma 8 holds.
Furthermore, we have that for any ϕ^(n)_A, the leakage bound holds with the factor e(n + 1)^{|X_i|}, completing the proof. Proposition 1: For any R_A, R_1, R_2 > 0 and any p_{ZK_1K_2}, there exist two sequences of mappings {(ϕ^(n)_i, ψ^(n)_i)}_{n=1}^∞, i = 1, 2, such that for i = 1, 2 and for any p_{X_i} ∈ P(X_i), the error probability decays exponentially, and for any eavesdropper A with ϕ^(n)_A satisfying R^(n)_A ≤ R_A, the information leakage decays exponentially. Proof: By Lemma 8, there exists a code (ϕ^(n)_i, ψ^(n)_i), i = 1, 2, satisfying the bounds of Lemma 8; furthermore, for any ϕ^(n)_A, the corresponding leakage bound holds. The bound (21) in Proposition 1 has already been proved in (23). Hence it suffices to prove the bound (20) in Proposition 1 to complete the proof. On an upper bound of p_e(φ^(n)_i, ψ^(n)_i | p^n_{X_i}), i = 1, 2, we have a chain of inequalities bounded by e(n + 1)^{|X_i|} times an exponential term, in which Step (a) follows from Lemma 3 and (22).
Step (b) follows from Lemma 1 part a).

D. Explicit Upper Bound of Θ(ϕ^(n)_A | p^n_{ZK_1K_2})

In this subsection we derive an explicit upper bound of Θ(ϕ^(n)_A | p^n_{ZK_1K_2}) which holds for any eavesdropper A with ϕ^(n)_A satisfying R^(n)_A ≤ R_A. In fact, from |X^{m_i}_i| ≤ e^{nR_i} and (42) in Lemma 11, we obtain the bound (19) in Lemma 7. In this appendix we prove Lemma 11. In the following arguments, we use simplified notations. We define the conditional distribution of the random pair (L_1, L_2) given M, and the conditional divergence between p_{L_1L_2|M} and p_{V_1V_2} for given M. The quantity Υ_{(ϕ_1(k_1),l_1),(ϕ_2(k_2),l_2)} has a form that is useful for computing E[Υ_{(ϕ_1(k_1),l_1),(ϕ_2(k_2),l_2)}].
Step (b) follows from Lemma 5 parts b) and c). In a similar manner we compute E_2, and we further compute E_12 to obtain the corresponding bounds. Step (a) follows from the fact that the random constructions of ϕ_1 and ϕ_2 are independent.

Fig. 1. Side-channel attacks to the two Shannon cipher systems.

where h(·) denotes the binary entropy function and a * b := a(1 − b) + (1 − a)b denotes the binary convolution.

For the above two examples, the sections of the regions R^(in)_{Sys,ex_i}(p_{X_1X_2}, p_{ZK_1K_2}), i = 1, 2, cut by the plane {R_A = 1 − h(θ)} are shown in Fig. 4.

Fig. 4. Shapes of the regions R^(in)_{Sys,ex_i}(p_{X_1X_2}, p_{ZK_1K_2}), i = 1, 2.