Channel model, and this is joint work with Mihir Bellare and Alexander Vardy. And I would like to start this talk with the observation that if we look at today's cryptography, then most of it is based on computational assumptions. So we prove security of cryptographic schemes under the assumption that some underlying computational problem is hard. This could be a problem such as factoring large integers or solving discrete logarithms. But today I want to do something different. I want to talk about basing cryptography on physical assumptions. And in particular, the physical assumption that we are going to consider is the availability of a communication channel which is subject to noise. And this noise might come, for example, from interference or from some other physical phenomenon that we want to exploit. And basing cryptography on noisy channels is actually something very old within our community. There's been work in the 80s, started by Crépeau and Kilian, on designing protocols for bit commitment and oblivious transfer based on noisy channels. But today I want to go back to an even older and more basic setting, which was considered within the information theory and coding community in the 70s, which is Wyner's wiretap channel model. This setting was introduced by Aaron Wyner in 1975, and later generalized by Csiszár and Körner in '78. And the task that we are considering here is the basic task of message encryption. And we consider message encryption in a simple setting where we have a sender that encrypts a message, possibly using randomization, into a ciphertext C. And then the ciphertext C is sent over a channel to a receiver, who obtains a noisy ciphertext C' and then tries to decrypt it into a message M'. But we also have a wiretapper on the line that receives a noisy version Z of the ciphertext over another channel, Ch_A. And our goals are, as usual, message privacy.
So Z(M), what the adversary gets, should not reveal any information about the message M. And additionally we want correctness, so decryption should be correct with high probability. And the only assumption that we make in this setting, and this is the most important point, is that the channel to the adversary is, in some well-defined mathematical way, noisier than the channel to the receiver. In particular, there are no keys, so encryption is completely keyless, and security is going to be information-theoretic. So we don't want to make any computational assumptions. And in this line of work, and also in this talk, there's usually an additional goal that we want to achieve, which is that we want our encryption scheme to be as space-efficient as possible, in the sense that what we call the rate, which is the ratio between the message length and the ciphertext length, should be as large as possible. So in particular, for the purpose of this talk, when I say channel and I talk about a noisy channel, I want you to think about something very simple. Our results are more general, but for this talk we think of channels as being defined by a randomized map, mapping bits to bits. And in particular, such a randomized map defines a system that processes an incoming stream of bits, where each output bit is obtained by applying the randomized map independently to the corresponding input bit. So this defines a length-preserving randomized map from strings to strings. And one example of such a channel is just the clear channel that doesn't do anything, but a more interesting channel that we'll talk about in this talk is the binary symmetric channel, which flips each incoming bit independently with probability p and keeps it the same with probability 1 − p.
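As a toy illustration (my own sketch, not from the talk), such a channel can be simulated by applying the randomized map independently to each incoming bit; the binary symmetric channel is then just a probabilistic bit flip:

```python
import random

def bsc(bits, p, rng=random):
    """Binary symmetric channel: flip each incoming bit independently
    with probability p, keep it unchanged with probability 1 - p."""
    return [b ^ (1 if rng.random() < p else 0) for b in bits]

msg = [0, 1, 1, 0, 1]
assert bsc(msg, 0.0) == msg                  # p = 0 is the clear channel
assert bsc(msg, 1.0) == [1, 0, 0, 1, 0]      # p = 1 flips every bit
```

The two extreme cases p = 0 and p = 1 are deterministic; for 0 < p < 1 the output is genuinely random, which is exactly the noise the wiretap model exploits.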
So one particular instantiation of the wiretap channel model is obtained by letting the main channel from the sender to the receiver and the channel to the adversary both be binary symmetric channels, with respective error probabilities p and q such that p is less than q, and both are smaller than or equal to one half. This ensures that the channel to the adversary is noisier than the channel to the receiver. Okay, and I want to stress that even though this is a very old problem, it has recently attracted a lot of interest from the practical corner. In particular, an entire community, which has been named physical-layer security, has been centered around this problem and similar problems. And the things these researchers look at are problems like the following. Assume that we have some device like a mobile phone, and we want to use this mobile phone to make a payment to a cash register. And we want the mobile phone to send a credit card number to the cash register in a private way. And we want to exploit the fact that you can hold your phone very close to the cash register, and in particular you can use very low communication power to send your credit card number to the cash register. And if we do this properly, we can perhaps ensure that every wiretapper that tries to find out the credit card number is going to be sufficiently far from the mobile phone, and in particular that the signal the wiretapper receives is going to be degraded. Okay. And if we can ensure this, then of course, if we have a scheme for the wiretap channel model, we could use it to communicate privately between the mobile phone and the cash register without the need to establish cryptographic keys, which would be a great advantage. So there's been 35 years of work, in fact, starting from Wyner's work, on this setting and related settings.
There have been papers, there have been books even, on the topic, but this work has been almost exclusively confined to the information theory and coding community. And from a cryptographic perspective, and we are all cryptographers here, we can see two major drawbacks with this type of work. First of all, the privacy notions that have been used in this work are, from our perspective, improper, in the sense that not only are they based on metrics that are hard to work with in a cryptographic sense, like channel entropies, but even worse, they actually only consider random-message security. And we know that in reality we cannot expect messages to be random. Another point is that, with respect to constructions of actual encryption schemes, the results are also somewhat surprisingly disappointing, in the sense that all schemes that have been proposed either are missing an explicit decryption algorithm, so they use existential results to show that decryption is in principle possible but give no efficient decryption algorithm, or, if they do have such an algorithm, then they achieve security notions that are much weaker than what we would like to achieve. And so the main contribution of this paper is to fill these two gaps by taking a cryptographic point of view on this problem. Our first contribution is to give proper security definitions for the wiretap channel model, on the one hand based on semantic security, which is what we use in cryptography; on the other hand, we also give definitions based on information-theoretic quantities and show them equivalent. And also with respect to schemes, we provide a quite general paradigm to construct encryption schemes for the wiretap channel model that are polynomial-time in encrypting and decrypting, are semantically secure, and can also be instantiated to achieve optimal rate in many settings.
Okay, so in the following, let me first go through the issue of security notions. And let me start by saying what people in the wiretap community have been considering so far. The traditional security notion used so far is based on mutual information: the mutual information between the message M sent by the sender and the noisy ciphertext Z(M) received by the wiretapper. And mutual information is defined as usual in terms of the difference between the entropy of the message and the conditional entropy of the message given the noisy ciphertext, where entropies are Shannon entropies. It doesn't matter if you don't remember the definition; just think of this as a measure of uncertainty about the outcome of a random variable. Now, in particular, the usual requirement that you find in the literature is that if we look at this mutual information for a random message M, which is uniformly distributed, then it is required to be negligible, or very small. Ideally we would even like it to be zero, but that we cannot achieve. Okay, and now of course, as cryptographers, the first thing that captures our attention is: why does the message need to be uniformly distributed? And in fact, if we look at the work in the information theory and coding community, this seems to be a common misconception. People argue that it is completely fine to assume without loss of generality that messages are uniformly distributed, because you can always apply source compression to the message to make sure that the message is transformed into a uniform one. But we in fact know that this is not true. For this to be true, we would need a compression algorithm that takes a message with an unknown, arbitrary distribution, really any distribution, does not know this distribution, and transforms it into a uniform one. And this we cannot achieve. So we really want one single encryption algorithm that works for any message distribution and is secure.
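To make the metric concrete (a toy calculation of my own, not from the talk): for a single uniform bit sent in the clear through a binary symmetric channel with flip probability q, the mutual information between input and output works out to 1 − h(q), where h is the binary entropy function:

```python
import math

def h2(x):
    """Binary entropy function, in bits."""
    return 0.0 if x in (0.0, 1.0) else -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def mi_uniform_bit(q):
    """I(M; Z) = H(M) - H(M | Z) = 1 - h2(q) for a uniform bit M
    sent through a BSC with flip probability q."""
    return 1.0 - h2(q)

assert mi_uniform_bit(0.5) == 0.0   # at q = 1/2 the output is independent of M
assert mi_uniform_bit(0.0) == 1.0   # a noiseless channel leaks the bit entirely
```

So the noise alone makes the mutual information small only when q is close to one half; the job of the encryption scheme is to drive it to negligible for realistic q.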
So this is not the notion we want to have. Now, a first attempt that we could make is what we call mutual-information security. By the way, we refer to the older notion as random-message mutual-information security, and here the difference is just that we require the mutual information to be small for all possible message distributions. Okay. Again, this is one way to go, but from a cryptographic perspective, this is possibly not so nice to work with, because first of all, mutual information is based on Shannon entropies, and these are hard to work with. And also, when we think about concrete security, it's not exactly clear what a certain number of bits of Shannon security means. So a better approach would be to translate semantic security to the wiretap setting, which is what we do. And this is done as follows. We consider an experiment where there is an adversary A, which is going to receive a noisy encryption of a message M, and the task of the adversary is to guess some function f(M) of the message. Okay. And for every such adversary, we require that there exists another adversary, call it S, which is as good, or nearly as good, in a setting where it doesn't receive the noisy ciphertext at all. Okay. And we require this to be true for all adversaries, and also for all functions f that need to be guessed, and for all message distributions. And since we care about information-theoretic security here, it's really all functions f and all message distributions, without any restriction to efficiently computable functions or efficiently sampleable distributions. Okay. And a slightly easier way to define security, another approach, is to consider what we call distinguishing security. And here it's the traditional way of defining security, where the adversary gets two messages M0 and M1 and an encryption of one of them, chosen uniformly at random between M0 and M1, and needs to guess which one is the message that has been encrypted.
And we require that the adversary must not be able to guess which one was encrypted with probability much larger than one half. Okay. And this turns out to be equivalent to requiring that the statistical distance between any two noisy encryptions of any two messages is negligible. Okay. So these are two different ways to define security in a more cryptographic way. And our main result here is to show that, in fact, all three of these new ways of defining security turn out to be equivalent: mutual-information security, distinguishing security, and semantic security are equivalent. Of course, the older notion used in the literature, mutual-information security for random messages, is not equivalent to mutual-information security. This is what I wanted to say about definitions. Now let me move to the question of devising efficient encryption schemes for the wiretap setting. So recall what we want here: we want efficient encryption and decryption algorithms that ensure correctness, semantic security, and optimal rate. Now if we look at these three goals and look back at related work, what we see, first of all, is that we have tools around, developed in the context of information-theoretic cryptography, that allow us to obtain solutions satisfying properties one and two. We could use, for example, fuzzy extractors by Dodis et al., or tools from the line of work on information-theoretic key agreement started by Maurer in the 90s, to obtain schemes that achieve correctness and semantic security, but then it's not clear how to achieve optimal rate.
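The statistical-distance formulation above can be made concrete with a small calculation (my own toy example, not from the talk): sending a single unencrypted bit through a BSC with flip probability q gives two output distributions at distance |1 − 2q|, which is far from negligible, so channel noise by itself does not encrypt.

```python
def stat_dist(P, Q):
    """Statistical (total variation) distance between two distributions,
    each given as a dict mapping outcomes to probabilities."""
    outcomes = set(P) | set(Q)
    return 0.5 * sum(abs(P.get(x, 0.0) - Q.get(x, 0.0)) for x in outcomes)

q = 0.4
enc0 = {0: 1 - q, 1: q}   # wiretapper's view when the bit M = 0
enc1 = {0: q, 1: 1 - q}   # wiretapper's view when the bit M = 1
sd = stat_dist(enc0, enc1)
assert abs(sd - 0.2) < 1e-9   # |1 - 2q| = 0.2: the two views are easily told apart
```

A scheme satisfying distinguishing security must make this distance negligible for every pair of messages, not just for a single raw bit.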
On the other hand, if you look at work in the information theory community, then there's been some work, for example recent work by Hayashi and Matsumoto and by Mahdavifar and Vardy, on constructing schemes, but even there you cannot achieve all three properties at the same time. You can either achieve correctness and optimal rate, but at the cost of weaker security, or you can achieve semantic security, or something equivalent to semantic security, and optimal rate, but the corresponding schemes do not have any provable correctness guarantees. Okay, and so our work is the first to provide a scheme that achieves all three properties. Now let me just mention what this optimal rate is for the case of binary symmetric channels, to give you an idea. It turns out, and this was shown already in the 70s, that no scheme can achieve rate higher than h(q) − h(p), minus something vanishing, where h is as usual the binary entropy function. And our scheme achieves exactly this rate, so in particular this means that this is the optimal rate for any security notion. So how does our scheme operate? I just want to give you a high-level idea without going into details. I'm going to give you an encryption algorithm in a slightly different setting, where the encryption algorithm can make use of a public random seed to encrypt the message. This is a public random value which is known to the adversary; in the actual wiretap setting such a value does not exist, and in the paper we show how to get rid of it. So encryption just works as follows. We take a message which is m bits long, and the seed has length k bits, where k is larger than m, and we just append k − m random bits to the message to obtain a k-bit string. And then we multiply this longer string with the seed, where multiplication really means interpreting k-bit strings as elements of the extension field GF(2^k).
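The pad-then-multiply step can be sketched as follows (my own toy code with an artificially small k = 8 and the AES field polynomial; the actual scheme uses large k, and the linear encoding step is omitted here):

```python
import random

K, M = 8, 3          # toy sizes: k-bit blocks, m-bit messages, k > m
IRRED = 0x11B        # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiplication in the extension field GF(2^8) = GF(2)[x]/(IRRED)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & (1 << K):
            a ^= IRRED
        b >>= 1
    return r

def pad_and_multiply(msg, seed):
    """Append k - m fresh random bits to the m-bit message, then multiply
    the resulting k-bit string by the public nonzero seed in GF(2^k)."""
    x = (msg << (K - M)) | random.getrandbits(K - M)
    return gf_mul(x, seed)

def invert_noiseless(y, seed):
    """Invert on a noiseless channel: multiply by seed^(-1), drop the pad."""
    seed_inv = next(s for s in range(1, 1 << K) if gf_mul(seed, s) == 1)
    return gf_mul(y, seed_inv) >> (K - M)

seed = 0x53                          # public random seed, known to the adversary
y = pad_and_multiply(0b101, seed)
assert invert_noiseless(y, seed) == 0b101
```

The random pad is what makes two encryptions of the same message differ; the field multiplication mixes the pad's randomness over the whole k-bit block.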
We get a string X, and then we apply some polynomial-time linear encoding function E that outputs an n-bit ciphertext C. And the only restriction here is that the message cannot be too long; there is a restriction on the length of the message whose exact form is not really important here. As long as this is guaranteed, our main theorem tells us that our encryption scheme is indeed semantically secure. And the proof turns out to be trickier than one would expect, because one main issue that we have to face is that we cannot really look at the distribution of a ciphertext for a particular message and say a lot about the distribution of the corresponding noisy ciphertext without understanding quite a bit about the combinatorial structure of the underlying code. And this is tricky: for many codes we do not even understand well what the combinatorial structure of the output is. So we take a detour. To prove security of the scheme, as a first step we show, and this is a fairly general result that holds for larger classes of schemes, but in particular for this one, that in order to prove semantic security for the scheme, it is sufficient to prove the weaker notion of random-message security. This is in fact the first main technical step in the proof. Then, as the second step, this leaves us with the task of proving random-message security for the scheme, which happens to be much, much easier even without knowing much about the combinatorial structure of the code; we need to know very little. Okay. And let me just gloss over these slides very quickly; I don't want to say much. The only point is: why do we achieve the rate? Well, the point is that we need to instantiate the encoding function E in our scheme such that it allows for decryption when we just send the ciphertext over the main channel from the sender to the receiver.
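To see why E must be an error-correcting code for the main channel, here is the simplest possible stand-in (a toy 3-fold repetition code of my own; its rate is far too low to be the actual instantiation, but it shows the decryption requirement):

```python
def encode_rep3(bits):
    """A toy linear encoding E: repeat each bit three times."""
    return [b for b in bits for _ in range(3)]

def decode_rep3(noisy):
    """Majority-decode each 3-bit block, correcting any single flip per block."""
    return [1 if sum(noisy[i:i + 3]) >= 2 else 0 for i in range(0, len(noisy), 3)]

x = [1, 0, 1, 1]
c = encode_rep3(x)          # [1,1,1, 0,0,0, 1,1,1, 1,1,1]
c[4] ^= 1                   # the main channel BSC(p) flips one bit
assert decode_rep3(c) == x  # the receiver still recovers X
```

Any linear code with an efficient decoder for BSC(p) could play the role of E here; the rate of the overall scheme is governed by the rate of this code.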
So the idea is that we instantiate E with a good error-correcting code for the binary symmetric channel with error probability p. And if we instantiate this with the best codes we can find that achieve capacity, like concatenated codes or polar codes, and we plug in the numbers, letting the message be as long as our security proof tolerates, then we get exactly the optimal rate. Okay. So let me wrap up. What we've seen here is that we revisited the problem of secure communication in Wyner's wiretap channel model. On the one hand, we provided new security notions to define privacy in this setting, which are based on a cryptographic viewpoint and which model security for arbitrary messages, as we want in cryptography. And we also devised the first polynomial-time scheme that achieves these security notions and, in many settings, also achieves optimal rate. And just a little advertisement: the point is that our scheme is really simple, modular, and efficient. So if you really want to implement it, the efficiency is essentially that of the underlying error-correcting code. And just two additional remarks: in the paper we actually provide a concrete treatment of security in the wiretap channel model. And also, I explained the results here for the specific case of binary symmetric channels, but in fact the results extend to a much larger class of channels. If you want to know more about this, just look at the paper. Okay, thank you. Thank you.