Now let us consider the performance of the above scheme. Similarly to the Juels-Wattenberg scheme, the resilience of the modified fuzzy commitment scheme is bounded by the error-correcting capability of the code $C_1$. Furthermore, it is clear that the rate is $R = k/n$. The equivocation is
$$d = \frac{H(s \mid c+b)}{H(s)}.$$
As analyzed in [17], we have the following lemma.

Lemma 6.5.1 $H(s \mid c+b) = H(s \mid s+bH^T)$.
Proof: First, since $s+bH^T = (c+b)H^T$ is a function of $c+b$, we have $H(s \mid c+b) \le H(s \mid s+bH^T)$. Now let us prove the reverse inequality. Consider
$$\begin{aligned}
H(s \mid c+b) - H(s \mid s+bH^T)
&= H(s, c+b) - H(c+b) - H(s, s+bH^T) + H(s+bH^T) \\
&= H(s, c+b, s+bH^T) - H(s, s+bH^T) - H(c+b, s+bH^T) + H(s+bH^T) \\
&= H(c+b \mid s, s+bH^T) - H(c+b \mid s+bH^T) \\
&\ge H(c+b \mid s, b) - H(c+b \mid s+bH^T) \\
&= H(c \mid s, b) - H(c+b \mid s+bH^T) \\
&= H(c \mid s) - H(c+b \mid s+bH^T) \\
&\ge 0.
\end{aligned}$$
The last inequality is due to $c$ being chosen uniformly at random from the codewords $c \in C_1$ with $cH^T = s$.
Thus we have proved that $H(s \mid c+b) = H(s \mid s+bH^T)$. In other words, the wiretapper gains no advantage from possessing $c+b$ on top of its syndrome. By Lemma 6.5.1, the equivocation can be calculated as follows.
$$d = \frac{H(s \mid c+b)}{H(s)} = \frac{H(s \mid s+bH^T)}{H(s)} = 1 - \frac{I(s;\, s+bH^T)}{H(s)}.$$
Note that
$$I(s;\, s+bH^T) = H(s+bH^T) - H(s+bH^T \mid s) = H(s+bH^T) - H(bH^T \mid s) = H(s+bH^T) - H(bH^T) = k - H(bH^T).$$
The last equation follows from the fact that, since $s$ is uniformly distributed, $H(s+bH^T) = H(s) = k$. Now we can simplify the calculation of the equivocation as follows.
$$d = 1 - \frac{I(s;\, s+bH^T)}{H(s)} = 1 - \frac{k - H(bH^T)}{k} = \frac{H(bH^T)}{k}.$$
Clearly, in order to guarantee perfect secrecy on the secret $s$, we need $d = 1 \Leftrightarrow H(bH^T) = k$.
This gives us some insight into the choice of $H$ so as to yield security as high as possible. That is, the best choice of $H$ for this scheme is the one for which $bH^T$ is uniformly distributed, or as close to uniformly distributed as possible.
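The following script is an added worked example, not part of the thesis, that checks Lemma 6.5.1 and the closing formula $d = H(bH^T)/k$ by exhaustive enumeration on a toy instance. Everything in it is an assumption of the example: $n = 6$, $k = 3$, a constructed full-rank $3 \times 6$ matrix $H$, the code $C_1$ taken as all of $\mathbb{F}_2^6$ so that the coset for secret $s$ is every $c$ with $cH^T = s$, and the biometric template $b$ modelled as $n$ i.i.d. Bernoulli($p$) bits. It computes $H(s \mid c+b)/H(s)$, $H(s \mid s+bH^T)/H(s)$ and $H(bH^T)/k$ directly from the joint distributions and shows they coincide, equalling 1 only when $bH^T$ is uniform.

```python
from itertools import product
from math import log2

# Constructed parameters (not from the thesis): codeword length n = 6,
# secret/syndrome length k = 3, so the rate is R = k/n = 1/2.
N, K = 6, 3

# Constructed k x n binary matrix H; its first three columns form an identity
# block, so H has full rank and every k-bit syndrome s is reachable.
H = [
    [1, 0, 0, 1, 1, 0],
    [0, 1, 0, 1, 0, 1],
    [0, 0, 1, 0, 1, 1],
]


def syndrome(v):
    """Return v H^T over GF(2) as a tuple of K bits."""
    return tuple(sum(v[j] & H[i][j] for j in range(N)) % 2 for i in range(K))


def add(u, v):
    """Bitwise sum of two binary vectors over GF(2)."""
    return tuple(a ^ b for a, b in zip(u, v))


def entropy(dist):
    """Shannon entropy in bits of a distribution given as {outcome: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def cond_entropy(joint):
    """H(X|Y) = H(X,Y) - H(Y) from a joint distribution {(x, y): probability}."""
    marg_y = {}
    for (_, y), p in joint.items():
        marg_y[y] = marg_y.get(y, 0.0) + p
    return entropy(joint) - entropy(marg_y)


def template_dist(p):
    """Model of the biometric template b: n i.i.d. Bernoulli(p) bits (an assumption)."""
    return {
        b: p ** sum(b) * (1 - p) ** (N - sum(b))
        for b in product((0, 1), repeat=N)
    }


def cosets():
    """Group every c in F_2^n by its syndrome c H^T (C1 taken as all of F_2^n)."""
    by_s = {}
    for c in product((0, 1), repeat=N):
        by_s.setdefault(syndrome(c), []).append(c)
    return by_s


def equivocation_terms(p):
    """Compute the three quantities the text shows to be equal, normalised by H(s) = k:
    H(s|c+b)/H(s), H(s|s+bH^T)/H(s) and H(bH^T)/k."""
    bdist = template_dist(p)
    by_s = cosets()
    ps = 1.0 / len(by_s)          # s is uniform over {0,1}^k
    joint_s_w = {}                # P(s, c+b): what the wiretapper sees, next to s
    joint_s_t = {}                # P(s, s+bH^T): the syndrome of c+b, next to s
    bht = {}                      # P(bH^T)
    for b, pb in bdist.items():
        sb = syndrome(b)
        bht[sb] = bht.get(sb, 0.0) + pb
        for s, coset in by_s.items():
            t = add(s, sb)
            joint_s_t[(s, t)] = joint_s_t.get((s, t), 0.0) + ps * pb
            pc = ps / len(coset)  # c uniform on the coset {c : cH^T = s}, independent of b
            for c in coset:
                w = add(c, b)
                joint_s_w[(s, w)] = joint_s_w.get((s, w), 0.0) + pc * pb
    hs = log2(len(by_s))          # H(s) = k bits
    return {
        "H(s|c+b)/H(s)": cond_entropy(joint_s_w) / hs,
        "H(s|s+bH^T)/H(s)": cond_entropy(joint_s_t) / hs,
        "H(bH^T)/k": entropy(bht) / K,
    }


if __name__ == "__main__":
    for p in (0.5, 0.3, 0.1):
        terms = equivocation_terms(p)
        print(f"p = {p}: " + ", ".join(f"{name} = {v:.4f}" for name, v in terms.items()))
```

Running it with $p = 0.5$ gives all three ratios equal to 1, since a uniform $b$ and a full-rank $H$ make $bH^T$ uniform; with a biased template such as $p = 0.3$ the three ratios still agree with each other but drop below 1, which is exactly the leakage $1 - H(bH^T)/k$ the formula predicts. Swapping in a different $H$ of the same rank changes only how close $bH^T$ comes to uniform, which is the design lever the text points to.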
6.6 Concluding remarks
In this chapter, a fuzzy commitment scheme by Juels and Wattenberg [15] and a modified version by Cohen and Zémor [16] are reviewed. Note that we use binary codes in both schemes. We point out that both schemes are easy to extend by using linear codes over arbitrary finite fields. Furthermore, the information leakage problem in biometrics is modelled as a wiretap problem. For the Juels-Wattenberg scheme, an information theoretic security proof is provided. For the modified version given by Cohen and Zémor [16], we consider the practical case when linear codes of reasonable length are used in the scheme. Last but not least, we give some insight into the choice of the parameters $C_1$ and $H$ so that the scheme has good performance in resilience, storage and security.
Chapter 7 Conclusions

7.1 Summary of the thesis
In this thesis, we explore the security capacity and the capacity region for the wiretap channel with side information. For the discrete memoryless case, we give a bound for the secrecy capacity and an achievable rate equivocation region. In particular, the secrecy capacity in some special cases is determined.
We extend our result for the discrete memoryless case to the Gaussian case. Our contribution to the Gaussian wiretap channel with side information is twofold. First, we derive an achievable rate equivocation region $R_\perp$ by using Costa's strategy. We compare it with the region $R_L$ for the Gaussian wiretap channel given by Leung-Yan-Cheong and Hellman [4, Theorem 1]. We draw the conclusion that for the Gaussian wiretap channel, side information helps to obtain a larger secrecy capacity and achieve a larger rate equivocation region. Furthermore, we generalize Costa's strategy by taking the correlation coefficient between the codeword and the side information as an additional parameter. The region $R_\perp$ is improved by using the generalized Costa's strategy. That is, for the Gaussian wiretap channel, it is in some cases a better choice to send a codeword dependent on the side information, in order to yield a higher secret rate with the same equivocation. In addition, we give the best choice of the correlation coefficient for the generalized Costa's strategy to achieve the maximal rate under perfect secrecy.
In this thesis, we also investigate the problem of developing forward coding schemes for secure communication over the wiretap channel. A code construction is considered for the specific case when both the main channel and the wiretap channel are binary symmetric. Theoretically, we show that the secrecy capacity can be achieved by using random linear codes. For practical purposes, we evaluate the performance of the coding schemes when linear codes, especially Hamming codes and repetition codes, are used in the construction. The performance is characterized from the perspectives of efficiency, reliability and security, which are measured by the rate, the decoding error probability and the equivocation of the wiretapper, respectively.
As an application, we reformulate the security problem in biometrics as a communication problem for the wiretap channel. A fuzzy commitment scheme by Juels and Wattenberg [15] and a modified version by Cohen and Zémor [16] are reviewed. Both schemes are based on error correcting codes and promise secure biometric template storage. The performance of the schemes is characterized with the terminology of the wiretap channel, where high rate corresponds to efficient storage of the protected biometric data and high equivocation corresponds to low information leakage to a third party. For the Juels-Wattenberg scheme, under the assumption that the biometric template is uniformly distributed, we give a security proof in the information theoretic sense. For the Cohen-Zémor scheme, we focus on the case when linear codes of reasonable length are used in its construction. In particular, we also give some insight into the choice of the parameters so that the scheme has good performance in resilience, storage and security.