On Known-Plaintext Attacks to a Compressed Sensing-based Encryption: A Quantitative Analysis
Valerio Cambareri, Mauro Mangia, Fabio Pareschi, Riccardo Rovatti, Gianluca Setti
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY
Valerio Cambareri, Student Member, IEEE; Mauro Mangia, Member, IEEE; Fabio Pareschi, Member, IEEE; Riccardo Rovatti, Fellow, IEEE; Gianluca Setti, Fellow, IEEE
Abstract
Despite the linearity of its encoding, compressed sensing may be used to provide a limited form of data protection when random encoding matrices are used to produce sets of low-dimensional measurements (ciphertexts). In this paper we quantify by theoretical means the resistance of the least complex form of this kind of encoding against known-plaintext attacks. For both standard compressed sensing with antipodal random matrices and recent multiclass encryption schemes based on it, we show how the number of candidate encoding matrices that match a typical plaintext-ciphertext pair is so large that the search for the true encoding matrix is inconclusive. Such results on the practical ineffectiveness of known-plaintext attacks underlie the fact that even closely-related signal recovery under encoding matrix uncertainty is doomed to fail. Practical attacks are then exemplified by applying compressed sensing with antipodal random matrices as a multiclass encryption scheme to signals such as images and electrocardiographic tracks, showing that the information on the true encoding matrix extracted from a plaintext-ciphertext pair leads to no significant increase in signal recovery quality. This theoretical and empirical evidence clarifies that, although not perfectly secure, both standard compressed sensing and multiclass encryption schemes feature a noteworthy level of security against known-plaintext attacks, therefore increasing their appeal as a negligible-cost encryption method for resource-limited sensing applications.
Index Terms
Compressed sensing, encryption, security, secure communications
I. INTRODUCTION
This paper elaborates on the possibility of exploiting Compressed Sensing (CS) [1], [2] not only to reduce the resource requirements for signal acquisition, but also to protect the acquired data so that their information is hidden from unauthorised receivers. A number of prior analyses [3]–[7] show that, although the encoding performed by CS cannot be regarded as perfectly secure, practical encryption is still provided at a very limited cost, either at the analog-to-digital interface or immediately after it, in early digital-to-digital processing stages.

Such a lightweight encryption scheme may be particularly beneficial to acquisition systems within the framework of wireless sensor networks [8], where large amounts of data are locally acquired by sensor nodes with extremely tight resource budgets and afterwards transmitted to a remote node for further processing. When the security of these transmissions is an issue, low-resource techniques that help balance the trade-off between encryption strength and computational cost may offer an attractive design alternative to the deployment of separate conventional encryption stages.

An encryption scheme based on CS leverages the fact that, in its framework, a high-dimensional signal is encoded by linear projection on a random subspace, thus producing a set of low-dimensional measurements. These can be mapped back to the acquired signal only under prior assumptions on its sparsity [9] and a careful choice of random subspaces, such as those defined by antipodal random (also known as Bernoulli random [10], [11]) encoding matrices. In addition, suitable sparse signal recovery algorithms [12]–[14] are required to decode the original signal. These must be applied with exact knowledge of the subspace on which the signal was projected. In complete absence of this information the acquired signal is unrecoverable. Hence, this subspace may be generated from a shared secret between the transmitter and the intended receivers that enables their high-quality signal recovery.

If, on the other hand, the above subspace is only partially known, a low-quality version of the signal may be recovered from its measurements, with a degradation that increases gracefully with the amount of missing information on the projection subspace. By exploiting this effect, multiclass encryption schemes were devised [5], [7] in which high-class users are able to decode high-quality information starting from complete knowledge of the shared secret, while lower-class users only recover a low-quality approximation of the acquired signal starting from partial knowledge of the secret. In order to take full advantage of this scheme, its security must be quantitatively assessed against potential cryptanalyses. The theoretical and empirical evidence provided in [7] dealt with statistical attacks on the measurements produced by universal random encoding matrices [10].

In this paper we address the resistance of an embodiment of CS against Known-Plaintext Attacks (KPAs), i.e., threatening situations in which a malicious eavesdropper has gained access to an instance of the signal (plaintext) and its corresponding random measurements (ciphertext), and from this information tries to infer the corresponding instance of an antipodal random encoding matrix. KPAs are more threatening than attacks solely based on observing the ciphertext. Yet, we will show how both simple and multiclass encryption based on CS exhibit a noteworthy level of resistance against this class of attacks due to the nature of the encoding.

The paper is organised as follows. In Section II we briefly review the fundamentals of CS and multiclass encryption
in the two-class case, which distinguishes between first-class receivers authorised to reconstruct the signal with full quality and second-class receivers with reduced decoding quality. Section III describes KPAs as delivered both by eavesdroppers and by second-class receivers who aim at improving the quality of their signal recovery. There, it is shown that the expected number of candidate solutions matching a plaintext-ciphertext pair is enormous, thus implying that finding the true encoding matrix among such a huge solution set is practically infeasible. To extend this analysis, we also attack the two-class encryption scheme by using recovery algorithms that compensate encoding matrix perturbations [15], [16] as suffered by a second-class receiver. Their performances are shown to be equal to those of a standard decoding algorithm [13] that does not attempt such compensation, i.e., that legitimately recovers the acquired signal at the prescribed quality level. In Section IV the previous KPAs are exemplified for electrocardiographic tracks (ECG) and images containing sensitive identification text. For all these cases we give empirical evidence of how, even in favourable attack conditions, the encoding matrices produced by KPAs perform poorly when trying to decode any further ciphertext. Theoretical and empirical evidence allows us to conclude that compressed sensing-based encryption, albeit not perfectly secure [3], provides some security properties and defines a framework in which their violation is non-trivial. The Appendices report the proofs of the Propositions and Theorems given in Section III.
A. Relation to Prior Work
To prove how CS and multiclass encryption provide a satisfying level of privacy even against informed attacks, this work addresses the problem of finding all the instances of an antipodal random encoding matrix that map a known plaintext to the corresponding ciphertext, when both quantities are deterministic and digitally represented. Our analysis hinges on the connection between linear encoding by antipodal random matrices, the subset-sum problem [17] and its expected number of solutions [18]. While the authors of [3] proved how CS lacks perfect secrecy in the Shannon sense [19], both [3] and [4] contrasted this with computational security evidence substantially based on brute-force attacks. Our improvement in the specific, yet practically important, case of antipodal random encoding matrices is that our analysis predicts how the expected number of candidate solutions to a KPA varies with the plaintext dimensionality and its digital representation.

In addition, we evaluate specific attacks to multiclass encryption by CS in the case of lower-class users attempting to upgrade their recovery quality. To assess the resistance of this strategy against KPAs, we apply a similar theoretical analysis. Then, we extend the attacks to include sparse signal recovery under matrix uncertainty [15], [16], based on the idea that missing information [20], perturbations [21], [22] and basis mismatches [23] could be partially compensated, although we verify that this is not the case with the random perturbation entailed by multiclass encryption.

II. MULTICLASS ENCRYPTION BY COMPRESSED SENSING
A. A Brief Review of Compressed Sensing
The encryption schemes we consider in this paper are based on Compressed Sensing (CS) [1], [2], a mathematical framework in which a signal represented by a vector x ∈ ℝ^n is acquired by applying a linear, dimensionality-reducing transformation A : ℝ^n → ℝ^m (i.e., the encoding matrix) to generate a vector of measurements y = Ax, y ∈ ℝ^m, m < n. To enable the recovery of x given y, CS leverages the fact that x is known to be sparse in a proper basis D, i.e., for any instance of x its representation is x = Ds, where s ∈ ℝ^n has at most k ≪ n non-zero entries. The results presented in this paper are independent of D, which we consider an orthonormal basis for the sake of simplicity. In addition, the encoding matrix A must obey some information-preserving guarantees [24], [25] that we assume verified throughout this paper and that essentially impose m = O(k log n). The most relevant fact here is that when A is a typical realisation of a random matrix with independent and identically distributed (i.i.d.) entries following a subgaussian distribution [26] we are reassured that signal recovery is possible regardless of the chosen basis D. In fact, some signal recovery algorithms exist for which guarantees can be given with very high probability [12], along with an ever-growing plethora of fast iterative methods capable of reconstructing x starting from y, A and D. An essential decoding scheme is the convex optimisation problem known as basis pursuit with denoising,

$$\hat{x} = \arg\min_{\xi \in \mathbb{R}^n} \left\| D^{-1}\xi \right\|_1 \quad \text{s.t.} \quad \left\| A\xi - y \right\|_2 \le \omega \qquad \text{(BPDN)}$$

where the ℓ₁-norm in the objective function promotes the sparsity of x̂ with respect to D, while the ℓ₂-norm constraint enforces its fidelity to the measurements up to a threshold ω ≥ 0 that accounts for noise sources.

In particular, we here concentrate on operators A ∈ {−1, +1}^{m×n} that are realisations of an antipodal random matrix with i.i.d. entries and equiprobable symbols {−1, +1} [10]; such matrices are known to verify the above guarantees, and are remarkably (i) simple, and therefore suitable to be generated, implemented and stored in digital devices, (ii) random in nature, thus suggesting the possibility of exploiting such randomness to generate an encryption mechanism using the linear encoding scheme of CS. Due to their limited set of possible symbols {−1, +1}, such antipodal random matrices are more easily subject to cryptanalysis; for this reason, we tackle them as a baseline for those defined by a larger set of symbols.

B. Security and Two-Class Encryption by Compressed Sensing

1) A Security Perspective: the knowledge of A is necessary for the recovery of x from y, since any error in its entries reflects on the quality of the recovered signal [21]. A number of security analyses leveraging this fundamental fact were introduced [3], [4], [7] in which CS is regarded as a symmetric encryption scheme, where the plaintext x is mapped to the ciphertext y by means of the linear transformation operated by A, i.e., the encryption algorithm. The ciphertext is then stored or transmitted, and its intended receivers may decrypt x by knowing y, the sparsity basis D, and by having a prior agreement on the encryption key or shared secret that is necessary to reproduce A. The ideal requirement for a secure application of CS (as noted in [3], [27]) is that any encoding matrix instance is used for at most one plaintext-ciphertext pair; this implies the use of a potentially infinite sequence of encoding matrices {A[t]}_{t∈ℕ}. In violation of this non-repeatability hypothesis, each A[t] could be simply recovered by collecting n linearly independent plaintext-ciphertext pairs related by it, i.e., by solving a linear system of equations with the mn entries of A[t] as the unknowns.
In practice, the encoding matrices are obtained by algorithmic expansion of the shared secret, e.g., by using the key as the seed of a pseudo-random number generator (PRNG) which outputs a reproducible bitstream. Due to its deterministic and finite-state nature, this stream yields a periodic sequence of encoding matrices {A[t mod P]}_{t∈ℕ} repeating with period P, where each A[t] is obtained by mapping mn distinct bits to antipodal symbols. Thus, the non-repeatability hypothesis will be granted by a system-level choice of an encryption key and PRNG that makes P large enough to exceed any reasonable observation time.

However, such pseudo-random bitstreams may themselves be vulnerable to cryptanalysis if a few of their bits are exposed. As a simple example of this threat, assume that the encoding matrices are generated by a maximal-length shift register sequence [28, Chapter 4], for which a B_key-bit seed grants P = ⌊(2^{B_key} − 1)/mn⌋. Regrettably, such a sequence is easily cryptanalysed from only B_key of its bits by the well-known Berlekamp-Massey algorithm [29]. Hence, a successful KPA that retrieves even part of an encoding matrix, e.g., one of its rows, may expose just enough information to reveal the key and therefore break a CS-based encryption. To contrast this type of threat, our analysis shows how KPAs are incapable of revealing the missing information on the true encoding matrices, whose symbols remain undetermined.
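As an added example (not code from the paper), the following Python script performs the antipodal encoding y = Ax and reproduces the key-reuse failure stated in Section II-B1: when one A is reused for n linearly independent plaintexts, every row of A follows from an n × n linear system solved in exact rational arithmetic. The seed expansion with random.Random, the matrix sizes and the plaintext values are constructed for the example and are not the paper's PRNG or data.

```python
"""
Added example (not the paper's code): antipodal CS encoding y = A x and the
key-reuse failure of Section II-B1. If one encoding matrix A is reused for n
linearly independent plaintexts, A follows from a linear system whose unknowns
are its mn entries. Pure Python with exact rational arithmetic (no NumPy);
random.Random seeded with the key stands in for the paper's PRNG (assumption).
"""
from fractions import Fraction
import random


def antipodal_matrix(key, m, n):
    """Expand a key into an m x n matrix of i.i.d. equiprobable +1/-1 entries."""
    rng = random.Random(key)
    return [[1 if rng.getrandbits(1) else -1 for _ in range(n)] for _ in range(m)]


def encode(A, x):
    """Ciphertext y = A x; plaintext entries are integers in {-L, ..., L}."""
    return [sum(a * xl for a, xl in zip(row, x)) for row in A]


def solve_linear(M, v):
    """Solve M a = v over the rationals by Gauss-Jordan elimination.
    Returns None when M is singular (the plaintexts were not independent)."""
    n = len(M)
    aug = [[Fraction(c) for c in row] + [Fraction(v[i])] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [c / p for c in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [rc - f * cc for rc, cc in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def recover_reused_matrix(pairs):
    """Given n (plaintext, ciphertext) pairs produced by the SAME A, return A.
    Row j of A satisfies <x^(i), A_j> = y_j^(i) for every pair i, i.e. X A_j = y_j
    where the rows of X are the n plaintexts: one n x n solve per row of A."""
    X = [x for x, _ in pairs]
    Y = [y for _, y in pairs]
    m = len(Y[0])
    rows = []
    for j in range(m):
        a_j = solve_linear(X, [y[j] for y in Y])
        if a_j is None:
            return None
        rows.append([int(c) for c in a_j])
    return rows


def reuse_demo(key=1, m=4, n=6, L=127):
    """Reuse A for n random plaintexts and recover it exactly from the pairs."""
    A = antipodal_matrix(key, m, n)
    rng = random.Random(key + 1)       # plaintext source, constructed for the demo
    pairs = []
    while True:
        x = [rng.randint(-L, L) for _ in range(n)]
        pairs.append((x, encode(A, x)))
        if len(pairs) == n:
            A_hat = recover_reused_matrix(pairs)
            if A_hat is not None:
                return A, A_hat
            pairs.pop(0)                # singular X: replace the oldest pair


if __name__ == "__main__":
    A, A_hat = reuse_demo()
    print("recovered matrix equals the reused A:", A == A_hat)
```

Under the non-repeatability hypothesis each A[t] produces a single pair, so this linear-system route is unavailable and the attacker is left with the one-pair setting analysed in Section III.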
2) Two-Class Encryption: in an extended version of this encryption framework, i.e., two-class encryption by CS [5], [7], we consider a first sequence of matrices {A^(0)[t]}_{t∈ℕ}, A^(0)[t] ∈ {−1, +1}^{m×n}, obtained by pseudo-random expansion of a seed Key(A^(0)). In parallel, a sequence of index pair sets {C^(0)[t]}_{t∈ℕ}, C^(0)[t] ⊂ {0, …, m−1} × {0, …, n−1}, is obtained by pseudo-random expansion of a seed Key(C^(0)). We then generate a second sequence of matrices {A^(1)[t]}_{t∈ℕ} whose elements A^(1)[t] are obtained by combining A^(0)[t] and C^(0)[t] as

$$A^{(1)}[t]_{j,l} = \begin{cases} A^{(0)}[t]_{j,l} & \text{if } (j,l) \notin C^{(0)}[t] \\ -A^{(0)}[t]_{j,l} & \text{if } (j,l) \in C^{(0)}[t] \end{cases} \qquad (1)$$

with C^(0)[t] indicating which entries of A^(0)[t] must be sign-flipped to obtain A^(1)[t], which is then used to encode x into y. Thus, we consider a cardinality c for every C^(0)[t], define η = c/mn as the sign-flipping density, and let A^(0), A^(1), C^(0) be generic, unique random matrix instances (that is, the matrix sequences will be implicitly considered from now on). Given any plaintext x, the corresponding ciphertext y is produced as y = A^(1) x, A^(1) being the true encoding matrix. Two-class encryption is then achieved by distributing Key(A^(0)) to all authorised receivers and Key(C^(0)) only to first-class receivers. In fact, when y is communicated, receivers knowing both Key(A^(0)) and Key(C^(0)) are able to rebuild the corresponding A^(1) used in the encoding and reconstruct x with full quality by solving BPDN with ω = 0. On the other hand, second-class receivers may only rebuild A^(0) from their available information. For 0 < η ≪ 1 such a matrix is an approximation of the corresponding A^(1), thus allowing signal recovery with lower quality than that achieved by first-class receivers. Furthermore, any receiver not knowing Key(A^(0)) has no information on the encoding matrix and is consequently unable to recover x, which remains encrypted.

In [7] we have characterised the effectiveness of this scheme by showing how eavesdroppers trying to compensate their ignorance of the key by means of straightforward statistical analysis of y are presented with approximately
Fig. 1. A two-class encryption scheme and the known-plaintext attacks being analysed from an eavesdropper (Eve) and a second-class user (Steve).
Gaussian-distributed ciphertexts (converging with rate O(n^{−…})). In addition, if A^(0) is an antipodal random matrix, the same can be said of A^(1), since the statistics of its equiprobable symbols are unaltered by the C^(0) used to build the latter from the former. Hence, the ciphertext is statistically indistinguishable from the one that could be produced by encoding the same plaintext with A^(0) instead of A^(1), and second-class users will also be unable to exploit the statistical properties of y.

C. Signal Models and Assumptions
Since the attacks we present rely on deterministic knowledge of x and y, we assume throughout the paper that both plaintexts and ciphertexts are represented by digital words. For simplicity, we let x = {x_l}_{l=0}^{n−1} be such that x_l ∈ {−L, …, −1, 0, 1, …, L} for some integer L > 0. Note that the number of bits representing the plaintext in this fashion is at least B_x = ⌈log₂(2L + 1)⌉, so we may assume B_x is less than a few tens in typical embodiments (actually, B_x ≤ 32 bit in typical signal processing applications). Consequently, the ciphertext will be represented by {y_l}_{l=0}^{m−1}, where each y_l is quantised with B_y = B_x + ⌈log₂ n⌉ bit, which avoids any information loss.

III. KNOWN-PLAINTEXT ATTACKS
In view of quantifying the resistance of this scheme to threatening cryptanalyses, we now consider situations in which an attacker gains access to a given, exact value of the plaintext x corresponding to a ciphertext y. Based on this knowledge, the attacker aims at computing the true encoding A^(1) such that y = A^(1) x. In the following we will consider a KPA by assuming that only one (x, y) pair is known for a certain A^(1), consistently with the hypothesis that A^(1) is never reused in the encoding (as detailed in Section II-B1). This type of attack gives rise to different strategies (see Fig. 1) depending on whether the attacker knows nothing except the (x, y) pair (a pure eavesdropper, Eve) or is a second-class receiver that also knows the partially correct encoding A^(0) and attempts to complete its knowledge of A^(1) (we will call this malicious second-class user Steve and its KPA a class-upgrade). For the sake of simplicity, both KPAs are here characterised on a single row of A^(1) (we denote with A_j the j-th row of a matrix A), while a complete KPA will entail m such attacks. Furthermore, we note that the analysis is carried out in full compliance with Kerckhoffs's principle [30], i.e., the only information that the attackers are missing is their respective part of the encryption key, while any other detail on the sparsity basis, as well as the two-class encryption specifications, is here regarded as known.
A. Eavesdropper’s Known-Plaintext Attack
Given a plaintext x and the corresponding ciphertext y = A^(1) x, we now assume the perspective of Eve and attempt to recover A^(1)_j with a set of antipodal symbols Â^(1)_j = {Â^(1)_{j,l}}_{l=0}^{n−1} such that

$$y_j = \sum_{l=0}^{n-1} \hat{A}^{(1)}_{j,l}\, x_l \qquad (2)$$

Moreover, to favour the attacker we assume all x_l ≠ 0 (if any x_l = 0, the corresponding summand would give no contribution to the sum (2), thus making Â^(1)_{j,l} an undetermined variable in the attack). We now introduce a combinatorial optimisation problem at the core of the analysed KPAs.

Definition 1 (Subset-Sum Problem). Let {u_l}_{l=0}^{n−1}, u_l ∈ {1, …, L} ⊂ ℕ⁺ and υ ∈ ℕ⁺. We define as subset-sum problem (SSP) [17, Chap. 4] the problem of assigning n binary variables b_l ∈ {0, 1}, l = 0, …, n−1, such that

$$\upsilon = \sum_{l=0}^{n-1} b_l u_l \qquad (3)$$

We define as solution any {b_l}_{l=0}^{n−1} verifying (3). With the above definitions, the density of this problem is defined as [31]

$$\delta(n, L) = \frac{n}{\log_2 L} \qquad (4)$$

Although in general an SSP is NP-complete, not all of its instances are equally hard. In fact, it is known that high-density instances (i.e., δ(n, L) > 1) have plenty of solutions, found or approximated by, e.g., dynamic programming, whereas low-density instances are typically hard, although for special cases polynomial-time algorithms have been found [31]. Moreover, such low-density hard SSP instances have been used in cryptography to develop the family of public-key knapsack cryptosystems [32], [33], although most have been broken with polynomial-time algorithms [34].

Proposition 1 (Eve's KPA). The KPA to A^(1)_j given (x, y) is equivalent to an SSP where each u_l = |x_l|, the variables b_l = (sign(x_l) Â^(1)_{j,l} + 1)/2 and the sum υ = (y_j + Σ_{l=0}^{n−1} |x_l|)/2. This SSP has a true solution {b̄_l}_{l=0}^{n−1} that is mapped to the row A^(1)_j, and other candidate solutions that verify (3) but correspond to matrix rows Â^(1)_j ≠ A^(1)_j. This mapping is explained in Appendix A, and we define (x, y, A^(1)_j) a problem instance.

In our case we see that the density (4) is high, since n is large and log₂ L is fixed by the digital representation of x (e.g., so that B_x ≤ […]). We are therefore operating in a region in which a solution of the SSP (3) is typically found in polynomial time. In fact, the resistance of the analysed embodiment of CS against KPAs is not due to the hardness of the corresponding SSP but, as we show below, to the huge number of candidate solutions as n increases, among which an attacker should find the only true solution to guess a single row of A^(1). Since no a priori criterion exists to select them, we consider them indistinguishable. The next Theorem calculates the expected number of candidate solutions to Eve's KPA by applying the theory developed in [18].

Theorem 1 (Expected number of solutions for Eve's KPA). For large n, the expected number of candidate solutions of the KPA in Proposition 1, in which (i) all the coefficients {u_l}_{l=0}^{n−1} are i.i.d. uniformly drawn from {1, …, L}, and (ii) the true solution {b̄_l}_{l=0}^{n−1} is drawn with equiprobable and independent binary values, is

S_Eve(n, L) ≃ [n L √(πn); the numerical constants of (5) are lost in extraction]   (5)

where ≃ denotes asymptotic equality as n → ∞.

The proof of Theorem 1 is given in Appendix A. This result (as well as the whole statistical mechanics framework from which it is derived) gives no hint on how much (5) is representative of finite-n behaviours. To compensate for that, we here enumerate by means of the binary programming solver in CPLEX [35] all the solutions to several small-n problem instances of Proposition 1 and verify that, even non-asymptotically, the expression (5) can be used to effectively estimate the expected number of candidate solutions to Eve's KPA. Such numerical evidence is reported in Fig. 2, where the sample average of the number of solutions Ŝ_Eve(n, L) to randomly generated problem instances with L = 10 and n = 16, …, […] is plotted and compared with (5).

Fig. 2. Sample average of the number of solutions for Eve's KPA compared to the theoretical value of (5) for L = 10.

The remarkable matching observed therein allows us to estimate, for example, that a KPA to the encoding of a grayscale image of n = 64 × 64 pixel quantised with B_x = 8 bit (unsigned, i.e., L = 128, n = 4096) would have to discriminate on average between […] equally good candidate solutions for each of the rows of the encoding matrix. This number is not far from the total number of possible rows, […]. Hence, any attacker using this strategy is faced with a deluge of candidate solutions, from which it would choose one presumed to be exact to attempt a guess on a single row of A^(1).

A legitimate concern when the attacker is presented with such a set of solutions is that most of them could be good approximations of the true encoding matrix row A^(1)_j. To see whether this is the case, we quantify the difference between A^(1)_j and the corresponding candidates Â^(1)_j resulting from a KPA in terms of their Hamming distance, i.e., as the number of entries in which they differ.

Theorem 2 (Expected number of solutions for Eve's KPA at Hamming distance h from the true one). The expected number of candidate solutions at Hamming distance h from the true solution of the KPA in Proposition 1, in which (i) all the coefficients {u_l}_{l=0}^{n−1} are i.i.d. uniformly drawn from {1, …, L}, and (ii) the true solution {b̄_l}_{l=0}^{n−1} is drawn with equiprobable and independent binary values, is

$$S^{(h)}_{\mathrm{Eve}}(n, L) = \binom{n}{h} \frac{P_h(L)}{2^h L^h} \qquad (6)$$

where P_h(L) is a polynomial in L whose coefficients are reported in Table I for h = 2, …, […].

The proof of this Theorem and the derivation of Table I are reported in Appendix B. As before, we collect some empirical evidence that the expression (6) correctly anticipates the expected number of solutions at a given Hamming distance from the true one, noting that Theorem 2 holds for finite n. Figure 3 reports, for n = {[…]}, the sample average, over the same problem instances generated in the experimental evaluation of (5), of the number of solutions to Eve's KPA whose Hamming distance from the true one is a given value h = {[…]}. This sample average is compared against the value predicted by (6) with the polynomial coefficients in Table I. The remarkable matching we observe allows us to estimate that, resuming the case of a grayscale image with n = 4096, L = 128, only […] candidate solutions out of the average […] are expected to have a Hamming distance h ≤ […], while […] attain a Hamming distance h ≤ […]. Since these results apply to each row of the matrix being inferred, this indicates how the chance that a randomly chosen candidate solution is close to the true one is negligible.

Under repeated threat of Eve's KPA, a system-level perspective would impose a change of encryption key (i.e., of encoding matrix sequence) whenever the probability of failure of repeated KPAs, p_fail, drops below a desired security level ζ ∈ (0, 1), i.e., at any time p_fail ≥ ζ. Some insight on the encryption key lifetime T that guarantees this is then obtained by modelling the repeated KPAs as i.i.d. Bernoulli trials, each leading to a successful choice of the true solution with a probability that can be estimated as S_Eve(n, L)^{−1} in the case of Eve's KPA. With this, p_fail = P[T KPAs fail] = (1 − S_Eve(n, L)^{−1})^T, so we may choose the key lifetime as

$$T \le \left[\log\left(1 - S_{\mathrm{Eve}}(n, L)^{-1}\right)\right]^{-1} \log \zeta$$

to ensure the security level set by ζ. Thus, we measure the key lifetime T in attack opportunities for Eve; however, since S_Eve(n, L) is typically huge, the resulting T is also very large. As an example, by plugging n = 4096, L = 128 in (5) and assuming ζ = 0.[…], we obtain a key lifetime equivalent to at most T = […] attack opportunities.

Fig. 3. Sample average of the number of solutions for Eve's KPA at Hamming distance h from the true one, compared to the theoretical value of (6) for L = 10 and n = 21, […], …, […].

B. Class-Upgrade Known-Plaintext Attack
A known-plaintext attack may also be attempted by Steve, a second-class receiver aiming to improve its signal recovery performances with the intent of reaching the same quality as a first-class receiver. In this KPA, a partially correct encoding matrix A^(0) that differs from A^(1) in c entries is also known in addition to x and y. With this prior, Steve may compute ε = y − A^(0) x = ΔA x, where ΔA = A^(1) − A^(0) is here an unknown matrix with ternary entries in {−2, 0, +2}. Hence, Steve performs a KPA by searching for a set of ternary symbols {ΔA_{j,l}}_{l=0}^{n−1} such that

$$\varepsilon_j = \sum_{l=0}^{n-1} \Delta A_{j,l}\, x_l \qquad (7)$$

of which it is known that ΔA_{j,l} ≠ 0 in only c cases. Moreover, to ease the solution of this problem and make it row-wise separable, we assume that Steve has access to even more accurate information, i.e., the exact number c_j of non-zero entries for each row ΔA_j or, equivalently, the number of sign flips mapping A^(0)_j into the corresponding A^(1)_j (clearly, the total number of non-zero entries in ΔA is c = Σ_{j=0}^{m−1} c_j). By assuming this, we may prove the equivalence between Steve's KPA to each row of A^(1) and a slightly adjusted SSP.

Definition 2 (γ-cardinality Subset-Sum Problem). Let {u_l}_{l=0}^{n−1}, u_l ∈ {[…], …, Q} ⊂ ℕ⁺, γ ∈ {[…], …, n} ⊂ ℕ⁺ and υ ∈ ℕ⁺. We define as γ-cardinality subset-sum problem (γ-SSP) the problem of assigning n binary variables b_l ∈ {0, 1}, l = 0, …, n−1, such that

$$\upsilon = \sum_{l=0}^{n-1} b_l u_l \qquad (8)$$

$$\gamma = \sum_{l=0}^{n-1} b_l \qquad (9)$$

We define as solution any {b_l}_{l=0}^{n−1} verifying (8) and (9).

TABLE I. Coefficients p_{hj} of the polynomials P_h(L) = Σ_{j=1}^{h−1} p_{hj} L^j in (6) for h = 2, …, […]. [Table entries lost in extraction.]

Proposition 2 (Steve's KPA). The KPA to A^(1)_j given (x, y, A^(0), c_j) is equivalent to a γ-SSP where γ = c_j, Q = 2L, υ = ε_j/2 + L c_j, u_l = −A^(0)_{j,l} x_l + L and b_l = (1 − Â^(1)_{j,l} A^(0)_{j,l})/2. This SSP has a true solution {b̄_l}_{l=0}^{n−1} that is mapped to the row A^(1)_j, and other candidate solutions that verify (8) and (9) but correspond to matrix rows Â^(1)_j ≠ A^(1)_j.

The derivation of Proposition 2 is reported in Appendix C. We define (x, y, A^(0)_j, A^(1)_j) a problem instance. In the following, we will denote with r = c_j/n the row-density of perturbations. Since in [18] the γ-cardinality SSP case is obtained as an extension of the results on the unconstrained SSP, we obtain the following Theorem.

Theorem 3 (Expected number of solutions for Steve's KPA). For large n, the expected number of candidate solutions of the KPA in Proposition 2, in which (i) all the coefficients {u_l}_{l=0}^{n−1} are i.i.d. uniformly drawn from {[…], …, L}, and (ii) the true solution {b̄_l}_{l=0}^{n−1} is drawn with equiprobable independent binary values, is

S_Steve(n, L, r) ≃ [√(…) r^{−…−nr} (1 − r)^{−…−n(1−r)} … πnL; the numerical constants of (10) are lost in extraction]   (10)

The proof of Theorem 3 is reported in Appendix C. The number of candidate solutions found by Steve's KPA is by many orders of magnitude smaller than for Eve's KPA, the reason being that Steve requires much less information to achieve complete knowledge of the true encoding A^(1).

Fig. 4. Sample average of the number of solutions for Steve's KPA compared to the theoretical value of (10) for L = 5·[…] with row-density of perturbations (a)–(c) r = […]/n, […]/n, […]/n.
In order to provide numerical evidence, we find all the solutions to Steve's KPA by means of the binary programming solver in CPLEX on a set of 50 randomly generated problem instances for L = 5·, a row-density of perturbations r = /n, /n, /n and n = 20, ..., (except for r = /n, whose solution enumeration is still computationally feasible up to $n = 48$). The sample average of the number of solutions, $\hat S_{\mathrm{Steve}}(n, L, r)$, is reported in Fig. 4 and is well predicted by the theoretical value in (10); note that this approximation becomes increasingly accurate for large $n$. Moreover, resuming the previous example, our $n = 64 \times 64$ pixel grayscale image quantised at $B_x = 8$ bit and encoded with two-class CS using $\Delta A$ with r = 0. will have on average . · candidate solutions of indistinguishable quality.

In terms of encryption key lifetime, leveraging the same considerations of Section III-A and simply replacing $S_{\mathrm{Eve}}(n, L)$ with $S_{\mathrm{Steve}}(n, L, r)$ yields the key lifetimes $T$ with respect to class-upgrade attacks; as an example, plugging $n = 4096$, $L = 128$, r = 0. in (10) and assuming ζ = 0. yields at most T = 1. · attack opportunities for Steve.

The previous KPA analyses hinge on a counting argument in a general setting, without any other side information on the structure of $A^{(1)}$ or $\Delta A$. As we will show in the experiments of Section IV, KPAs yield no advantage in terms of recovery performance to unintended receivers. Obviously, as further prior information becomes available (for example the knowledge that the unknown $\Delta A$ has additional structure, or that the original signal is distributed in a non-uniform fashion [36], [37]), revealing the hidden information may be easier. Yet, this is true for any encryption scheme in which either the encryption key or the plaintext has a non-uniform distribution, and it is out of the scope of this analysis.
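As an added example, not code from the paper: the following Python maps one row of Steve's KPA onto the $\gamma$-SSP of Proposition 2, enumerates every solution of a small constructed instance by brute force (the role CPLEX plays in the experiment above), compares the sample mean of the solution count with the estimate (10) of Theorem 3, and, for contrast, counts Eve's candidate rows for the same kind of instance through the subset-sum mapping of Proposition 1 and its $n^{-1/2}2^n$ estimate. The instance sizes ($n = 16$, $L = 5$, $c_j = 2$), the seeds and the function names are assumptions.

```python
"""Steve's row-wise KPA as a gamma-cardinality subset-sum problem (Proposition 2),
with a brute-force count of its candidate solutions against the estimate (10).
Added example, not code from the paper: instances are constructed and small."""
import itertools
import math
import random


def dot(a, b):
    return sum(p * q for p, q in zip(a, b))


def make_instance(n, L, c_j, rng):
    """Constructed instance: antipodal row A0_j; plaintext x with entries in [-L, L]
    chosen so that u_l = -A0_{j,l} x_l + L is uniform on {1, ..., 2L} (u_l = 0 is
    excluded as in the paper); A1_j = A0_j with exactly c_j sign flips."""
    a0 = [rng.choice((-1, 1)) for _ in range(n)]
    x = [a * (L - rng.randint(1, 2 * L)) for a in a0]   # L - u_l lies in [-L, L-1]
    flips = set(rng.sample(range(n), c_j))
    a1 = [-a if l in flips else a for l, a in enumerate(a0)]
    return a0, x, a1


def steve_gamma_ssp(a0, x, y_j, c_j, L):
    """Proposition 2: (x, y_j, A0_j, c_j) -> (u, upsilon, gamma).
    eps_j = y_j - A0_j.x = sum_l DeltaA_{j,l} x_l with DeltaA_{j,l} in {-2, 0, 2};
    u_l = -A0_{j,l} x_l + L, upsilon = eps_j/2 + L c_j, gamma = c_j."""
    eps_j = y_j - dot(a0, x)
    if eps_j % 2:
        raise ValueError("eps_j must be even for antipodal A0, A1")
    u = [-a * xl + L for a, xl in zip(a0, x)]
    return u, eps_j // 2 + L * c_j, c_j


def enumerate_gamma_ssp(u, upsilon, gamma):
    """All b in {0,1}^n with sum b_l = gamma and sum b_l u_l = upsilon, by
    exhaustive enumeration of the C(n, gamma) index subsets."""
    n = len(u)
    return [tuple(1 if l in idx else 0 for l in range(n))
            for idx in itertools.combinations(range(n), gamma)
            if sum(u[l] for l in idx) == upsilon]


def row_from_solution(a0, b):
    """Invert b_l = (1 - A1hat_{j,l} A0_{j,l})/2: flip A0_{j,l} wherever b_l = 1."""
    return [-a if bl else a for a, bl in zip(a0, b)]


def expected_steve_solutions(n, L, r):
    """Estimate (10) of Theorem 3."""
    return (math.sqrt(3 / 8) * r ** (-1 - n * r) * (1 - r) ** (-1 - n * (1 - r))
            / (math.pi * n * L))


def count_eve_solutions(x, y_j):
    """Proposition 1 (Eve): antipodal rows a with a.x = y_j are the subsets of
    u_l = |x_l| summing to upsilon = (y_j + sum |x_l|)/2, counted by subset-sum DP."""
    u = [abs(v) for v in x]
    total = sum(u)
    if (y_j + total) % 2 or abs(y_j) > total:
        return 0
    upsilon = (y_j + total) // 2
    ways = [1] + [0] * upsilon
    for ul in u:
        for s in range(upsilon, ul - 1, -1):
            ways[s] += ways[s - ul]
    return ways[upsilon]


def expected_eve_solutions(n, L):
    """Estimate (14) for Eve's row count, O(n^{-1/2} 2^n)."""
    return 2 ** n / L * math.sqrt(3 / (math.pi * n))


def steve_kpa_experiment(n, L, c_j, trials, seed=1):
    """Average the brute-force solution count over random instances and return
    (sample_mean, estimate). Each instance is checked against Proposition 2."""
    rng = random.Random(seed)
    counts = []
    for _ in range(trials):
        a0, x, a1 = make_instance(n, L, c_j, rng)
        y_j = dot(a1, x)
        u, upsilon, gamma = steve_gamma_ssp(a0, x, y_j, c_j, L)
        rows = [row_from_solution(a0, b) for b in enumerate_gamma_ssp(u, upsilon, gamma)]
        assert a1 in rows                                   # the true row is always a solution
        assert all(dot(r, x) == y_j for r in rows)          # every candidate satisfies (7)
        assert all(sum(p != q for p, q in zip(r, a0)) == c_j for r in rows)
        counts.append(len(rows))
    return sum(counts) / trials, expected_steve_solutions(n, L, c_j / n)


if __name__ == "__main__":
    mean, est = steve_kpa_experiment(n=16, L=5, c_j=2, trials=200)
    print(f"Steve: sample mean {mean:.2f} candidate rows vs estimate (10) {est:.2f}")
    print(f"Eve, same n and L: estimate (14) {expected_eve_solutions(16, 5):.0f} candidate rows")
```

The assertions inside `steve_kpa_experiment` are the content of Proposition 2: the true row is always among the solutions, every solution reproduces $y_j$, and every solution differs from $A^{(0)}_j$ in exactly $c_j$ positions, so nothing in $(x, y_j)$ distinguishes the true row from the other candidates.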
C. Signal Recovery-Based Class-Upgrade Attacks
Class-upgrade attacks to two-class encryption schemes are closely related to a recovery problem setting that has attracted some attention in prior works, i.e., sparse signal recovery under matrix uncertainty. To recast our problem in this setting, we may construct such a signal recovery-based attack by letting $A^{(1)} = A^{(0)} + \Delta A$ be the encoding matrix, where $A^{(0)}$ is known a priori and $\Delta A$ is an unknown random perturbation matrix. This information is paired with the knowledge of the ciphertext $y$ and a prior on the unknown plaintext $x$, which is known to be sparse in a basis $D$. Thus, we attempt the joint recovery of $x$ and $\Delta A$, eventually just leading to a refinement of the estimate $\hat x$. Two main algorithms are capable of addressing specifically this problem setup for a generic $\Delta A$, namely Generalised Approximate Message-Passing under Matrix Uncertainty (MU-GAMP [16]) and Sparsity-cognisant Total Least-Squares (S-TLS [15]).

Although appealing, this joint recovery approach can be anticipated to fail for multiple reasons. First, this attack is intrinsically harder than Steve's KPA in that the true plaintext $x$ is here unknown. Whatever $\Delta A$ is a candidate solution to Steve's KPA given $x$ is also a possible solution of joint recovery, with the same $x$ as a further part of the solution. Since we know from Section III-B that Steve's KPA typically has a huge number of indistinguishable and equally-sparse candidate solutions, at least as many will verify the joint recovery problem when the plaintext is also unknown. Hence, this approach has negligible odds of yielding more information on $\Delta A$ than Steve's KPA.

Note that this relationship between the set of solutions to Steve's KPA and joint recovery-based attacks also prevents the latter from being of any use as a refinement step to improve $\Delta A$ after its guess by an initial KPA. In fact, recovering an estimate of $x$ in this case would be to no avail, since the true $x$ must be known a priori in the initial KPA. Notwithstanding this, the above joint recovery approach estimates $x$ along with a new $\Delta A$; thus, the best-case achievable signal recovery is the true $x$, for which the candidate solutions in $\Delta A$ are at best identical to those of the initial KPA, as by (7) they must verify $\varepsilon = \Delta A\,x$. No improvement is therefore obtained by applying joint recovery after Steve's KPA.

Furthermore, going back to simple joint recovery, note that it amounts to solving $y = A^{(0)}x + \Delta A\,x$ with $\Delta A$ and $x$ unknown, which is clearly a non-linear (bilinear) equality involving non-convex/non-concave operators. In general this is a hard problem; both the aforementioned algorithms are indeed able to effectively compensate matrix uncertainties when $\Delta A$ depends on a low-dimensional, deterministic set of parameters. However, such a model does not apply to two-class encryption: even if $\Delta A$ is $c$-sparse, it has no deterministic structure; to make it so, one would need to know the exact set $C^{(0)}$ of $c$ index pairs at which the sign flipping randomly occurred, which by itself entails a combinatorial search.

In fact, $\Delta A$ is uniform in the sense of [16], since it may be regarded as a realisation of a random matrix with i.i.d. zero-mean, bounded-variance entries (as also detailed in [7]). Hence, we expect the accuracy of the estimate $\hat x$ with joint recovery (both using S-TLS and MU-GAMP) to agree with the uniform matrix uncertainty case of [16], where negligible improvement is shown with respect to the (non-joint) recovery algorithm GAMP [13]. The advocated reason is that the perturbation noise $\varepsilon = \Delta A\,x$ is asymptotically Gaussian for a given $x$ [16, Proposition 2.1].

Fig. 5. Average recovery signal-to-noise ratio performances of a class-upgrade attack using signal recovery under matrix uncertainty algorithms.

We now provide some empirical evidence on the ineffectiveness of joint recovery as a class-upgrade attack for finite $n$, $m$ and sparsity $k$. As an example, we let $n = 256$, $m = 128$, $k = 20$ and $\eta = c/(mn)$ in the range [0. , . ], and generate random instances of $x = Ds$ with $s$ $k$-sparse with respect to a randomly selected, known orthonormal basis $D$. For each $\eta$, we also generate pairs of matrices $(A^{(0)}, A^{(1)})$ related as in (1) and encode $x$ by $y = A^{(1)}x$. Signal recovery is performed by MU-GAMP, S-TLS and GAMP. To maximise their performance, each of the algorithms is run with parameters provided by a "genie" revealing the exact value of the unknown features of $x$. In particular, MU-GAMP and GAMP are provided with an i.i.d. Bernoulli-Gaussian sparsity-enforcing signal model [13], [38] having the exact mean, variance and sparsity level of the instances $s$. As far as the perturbation $\Delta A$ is concerned, MU-GAMP is given the probability distribution of its i.i.d. entries. On the other hand, GAMP is initialised with the noise variance of $\varepsilon = \Delta A\,x$, which is assumed Gaussian with i.i.d. entries. S-TLS is run in its locally-optimal, polynomial-time version [15, Section IV-B] and fine-tuned with respect to its regularisation parameter as $\eta$ varies. We here focus on measuring the Average Recovery Signal-to-Noise Ratio of the latter,
\[
\mathrm{ARSNR}\ (\mathrm{dB}) = 10 \log_{10} \hat{\mathbb{E}}\!\left(\frac{\|x\|_2^2}{\|x - \hat x\|_2^2}\right)
\]
where $\hat{\mathbb{E}}(\cdot)$ denotes the sample average over a set of trials; the results are reported in Fig. 5. The standard deviation from this average is less than .71 dB in all the reported curves. The maximum ARSNR performance gap between GAMP and MU-GAMP is .22 dB, while S-TLS attains generally lower performance for high values of $\eta$. These observed performances confirm what is also found in [16], i.e., that GAMP, MU-GAMP and S-TLS substantially attain the same performance under uniform matrix uncertainty. As expected, class-upgrade attacks based on joint recovery are ineffective even for finite $n$ and $m$, since GAMP under the same conditions is the reference case adopted in [7, Section IV] for the design of two-class encryption schemes.

Fig. 6. Effectiveness of (a) Eve's and (b) Steve's KPA in recovering a hidden ECG. Each point is a guess of the encoding matrix $A^{(1)}$ whose quality is assessed by decoding the ciphertext $y'$ corresponding to the known plaintext $x'$ ($\mathrm{RSNR}'$) and by decoding a new ciphertext $y''$ ($\mathrm{RSNR}''$). The Euclidean distance from the average $(\mathrm{RSNR}', \mathrm{RSNR}'')$ is highlighted by colour gradient.

IV. NUMERICAL EXAMPLES
This Section aims at providing an intuitive appreciation of the poor quality obtained by signal recovery with KPA solutions. While the objective of KPAs is cryptanalysing the true encoding matrix to ultimately retrieve the encryption key, we here focus on the properties of KPA solutions as encoding matrix guesses that can, in the attackers' belief, improve their signal recovery quality. Thus, we verify that this improvement does not occur by exemplifying practical cases of KPAs in a common framework, which follows this procedure:

1) Attack: an attacker performing a KPA gains access to a single plaintext-ciphertext pair $(x', y')$ and attacks the corresponding true encoding matrix $A^{(1)}$ row by row; we here infer each row $A^{(1)}_j$ by generating instances of an i.i.d. antipodal random vector until a large number of candidate solutions $\hat A^{(1)}_j$ that verify $y'_j = \hat A^{(1)}_j x'$ is found. Thus, the inferred $\hat A^{(1)}$ is composed by collecting the outputs of $m$ Monte Carlo random searches for the corresponding matrix rows. This generation approach is preferable to solving each attacker's KPA by means of CPLEX's binary programming solver for two reasons. Firstly, it is known from Theorem 1 that the expected number of solutions is very large, and thus the probability of finding one by random search is far from negligible, while its computational cost is relatively low. Secondly, the theoretical conditions [24] that guarantee that $x'$ can be retrieved from $y'$ despite the dimensionality reduction are applicable when $A^{(1)}$ is a typical realisation of an antipodal random matrix. On the contrary, integer programming solvers explore solutions in a systematic way and tend to generate them in an ordered fashion. When only some of these solutions are considered (as obliged when $n$ is large), this ordered approach yields non-typical sets of $\hat A^{(1)}_j$ that could be very distant from $A^{(1)}_j$;

2) Signal Recovery: to test its guess $\hat A^{(1)}$, the attacker may then pretend to ignore the known $x'$ and recover an approximation $\hat x'$ from $(y', \hat A^{(1)})$ by using a high-performance signal recovery algorithm such as GAMP [13], optimally tuned as in Section III-C. In this setting we measure its accuracy by the Recovery Signal-to-Noise Ratio, $\mathrm{RSNR}' = 10\log_{10} \|x'\|_2^2 / \|x' - \hat x'\|_2^2$, which is the only quality indicator in the attacker's perspective for $\hat A^{(1)}$. The $\mathrm{RSNR}'$ performances are here expected to match those of a (first-class) receiver fully informed on $A^{(1)}$, as the equality $y' = \hat A^{(1)} x'$ is verified regardless of the exactness of $\hat A^{(1)}$;

3) Verification: as a further test of $\hat A^{(1)}$, the attacker attempts the recovery of a second, unknown plaintext $x''$ encoded as $y'' = A^{(1)} x''$, of which it is only known that it was obtained with the same encoding matrix as $y'$. The recovery $\hat x''$ is then obtained by means of GAMP, yielding a new $\mathrm{RSNR}'' = 10\log_{10} \|x''\|_2^2 / \|x'' - \hat x''\|_2^2$ unknown to the attacker. If any point with high $\mathrm{RSNR}'' \approx \mathrm{RSNR}'$ is found, this will indicate the attacker's success at guessing $\hat A^{(1)}$ close to the true $A^{(1)}$. We will show how this never occurs with a large number of candidate solutions, and detail how the observed $(\mathrm{RSNR}', \mathrm{RSNR}'')$ pairs are distributed.

Both the practical examples of Eve's and Steve's KPA follow the same procedure, with the exception that Eve directly generates $\hat A^{(1)}_j$, whereas Steve generates each row $\hat A^{(1)}_j$ by random search of the index set $C^{(0)}_j$ that maps the known $A^{(0)}_j$ to the guess $\hat A^{(1)}_j$ verifying $y'_j = \hat A^{(1)}_j x'$. Coherently with the theoretical setting of Section III-B, we also assume that Steve knows that exactly $c_j$ entries of $A^{(0)}$ have been flipped in each row of $A^{(1)}$. Repeating this search for the $m$ rows in both attacks provides Eve's and Steve's candidate solutions $\hat A^{(1)}$, of which we study how the corresponding $(\mathrm{RSNR}', \mathrm{RSNR}'')$ pairs are distributed, as mentioned above.

A. Electrocardiographic Signals
We now consider ECG signals from the MIT PhysioNet database [39] sampled at $f_s = 256$ Hz and encoded as described, from two windows $x', x''$ of $n = 256$ samples (quantised with $B_x = 12$ bit) into the measurement vectors $y', y''$ of dimensionality $m = 90$. Decoding is allowed by the sparsity level of the windowed signal when decomposed with $D$ chosen as a Symmlet-6 orthonormal wavelet basis [40].

We generate candidate solutions for both Eve's and Steve's KPA that correspond to the recovery performances reported in Fig. 6. While both malicious users are able to reconstruct the known plaintext $x'$ with a relatively high average $\mathrm{RSNR}' \approx 25$ dB (their KPAs indeed yield solutions to $y' = \hat A^{(1)} x'$), on the second window of samples $x''$ the eavesdropper achieves an average $\mathrm{RSNR}'' \approx -.20$ dB (Fig. 6a), whereas the second-class decoder achieves an average $\mathrm{RSNR}'' \approx .15$ dB (Fig. 6b) when the two-class encryption scheme is set to a sign flipping density $\eta = c/(mn) = 0.$ between $A^{(0)}$ and $A^{(1)}$. In this case, the nominal second-class $\mathrm{RSNR} = 11.08$ dB when reconstructing $x''$ from $y''$ with $A^{(0)}$, while the correlation coefficient between $\mathrm{RSNR}'$ and $\mathrm{RSNR}''$ is . ; these figures clearly highlight the ineffectiveness of KPAs at inferring $A^{(1)}$ in this case. This is also confirmed by the perceptual quality of $\hat x''$ corresponding to the maximum $\mathrm{RSNR}''$ highlighted in Fig. 6.
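The three-step procedure of this Section, reduced to a single row and with the GAMP decoding of steps 2 and 3 replaced by two quantities the attacker cannot observe in practice: the exact consistency of each candidate row with a second ciphertext $y''_j$, and its Hamming distance (number of sign flips) from the true $A^{(1)}_j$. This is an added example, not code from the paper; the instance ($n = 24$, $L = 16$, $c_j = 3$), the search budgets and the seed are assumptions, and the two plaintext windows are constructed at random rather than taken from ECG tracks.

```python
"""Monte Carlo KPA of Section IV (steps 1 and 3) on one row of a constructed
two-class instance. Added example, not code from the paper: GAMP decoding is not
reproduced; each candidate row is instead checked for exact consistency with a
second ciphertext y''_j and by its Hamming distance from the true row."""
import random


def dot(a, b):
    return sum(p * q for p, q in zip(a, b))


def hamming(a, b):
    return sum(1 for p, q in zip(a, b) if p != q)


def eve_random_search(x1, y1_j, draws, seed=0):
    """Step 1 (Eve): draw i.i.d. antipodal rows, keep the distinct ones with y'_j = a.x'."""
    rng = random.Random(seed)
    n = len(x1)
    found = set()
    for _ in range(draws):
        a = tuple(rng.choice((-1, 1)) for _ in range(n))
        if dot(a, x1) == y1_j:
            found.add(a)
    return found


def steve_random_search(a0_j, x1, y1_j, c_j, draws, seed=0):
    """Step 1 (Steve): draw random index sets C_j^(0) of size c_j, flip the known
    A0_j there, keep the distinct rows with y'_j = a.x'."""
    rng = random.Random(seed)
    n = len(x1)
    found = set()
    for _ in range(draws):
        flips = set(rng.sample(range(n), c_j))
        a = tuple(-a0_j[l] if l in flips else a0_j[l] for l in range(n))
        if dot(a, x1) == y1_j:
            found.add(a)
    return found


def verify(candidates, a1_j, x2, y2_j):
    """Step 3 analogue: how many candidates also reproduce y''_j = A1_j.x'', and
    how far (in sign flips) they are from the true row."""
    cands = list(candidates)
    dists = [hamming(a, a1_j) for a in cands]
    return {
        "n_candidates": len(cands),
        "consistent_on_x2": sum(1 for a in cands if dot(a, x2) == y2_j),
        "mean_hamming": sum(dists) / len(dists) if dists else None,
        "true_row_found": tuple(a1_j) in candidates,
    }


def kpa_experiment(n=24, L=16, c_j=3, eve_draws=20000, steve_draws=10000, seed=7):
    """Constructed instance: antipodal A0_j, c_j sign flips -> A1_j, and two
    plaintext windows x', x'' with nonzero integer entries in [-L, L]."""
    rng = random.Random(seed)
    a0 = [rng.choice((-1, 1)) for _ in range(n)]
    flips = set(rng.sample(range(n), c_j))
    a1 = [-a if l in flips else a for l, a in enumerate(a0)]

    def window():
        return [rng.choice((-1, 1)) * rng.randint(1, L) for _ in range(n)]

    x1, x2 = window(), window()
    y1_j, y2_j = dot(a1, x1), dot(a1, x2)      # y' and y'' share the same true row
    eve = verify(eve_random_search(x1, y1_j, eve_draws, seed + 1), a1, x2, y2_j)
    steve = verify(steve_random_search(a0, x1, y1_j, c_j, steve_draws, seed + 2),
                   a1, x2, y2_j)
    return {"eve": eve, "steve": steve}


if __name__ == "__main__":
    for attacker, stats in kpa_experiment().items():
        print(attacker, stats)
```

Every candidate returned by either search satisfies $y'_j = \hat A^{(1)}_j x'$ by construction, which is all the attacker can check; the `consistent_on_x2` and `mean_hamming` fields show that almost none of them also reproduces $y''_j$, and that Eve's candidates sit about $n/2$ sign flips away from the true row while Steve's wrong candidates sit up to $2c_j$ away.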
B. Sensitive Text in Images

In this example we consider the same test images used in [7], i.e., ×512 pixel grayscale images of people holding a printed identification text concealed by means of two-class encryption. To reduce the computational burden of KPAs we assume a block size of $64 \times 64$ pixels, $B_x = 8$ bit per pixel, and encode the resulting $n = 4096$ pixels into $m = 2048$ measurements. Signal recovery is performed by assuming the blocks have a sparse representation on a 2D Daubechies-4 wavelet basis [40]. Two-class encryption is applied on the blocks containing printed text: we choose two adjacent blocks $x', x''$ containing some letters and encoded with the same $A^{(1)}$; in this case, the second-class decoder nominally achieves $\mathrm{RSNR} = 12.57$ dB without attempting class-upgrade, due to the flipping of $c = 251658$ entries (corresponding to a perturbation density $\eta = c/(mn) = 0.03$) in the encoding matrix.

In order to test Eve's and Steve's KPA we randomly generate solutions for the $j$-th row of the encoding given $x', y'$: it is worth noting that while in the previous case the signal dimensionality is sufficiently small to produce a solution set in less than two minutes, in this case generating different solutions for a single row may take up to several hours for some particularly hard instances. By using these candidate solutions to find $\hat x', \hat x''$ we obtain the results of Fig. 7: while both attackers attain an average $\mathrm{RSNR}' \approx 33$ dB on $x'$, Eve is only capable of reconstructing $x''$ with an average $\mathrm{RSNR}'' \approx .14$ dB, whereas Steve reaches an average $\mathrm{RSNR}'' \approx .80$ dB with $\eta = 0.03$. Note also that, although some lucky guesses exist with $\mathrm{RSNR}'' > 12.57$ dB, it is impossible to identify them by looking at $\mathrm{RSNR}'$, since the correlation coefficient between $\mathrm{RSNR}'$ and $\mathrm{RSNR}''$ is −. . Therefore, Steve cannot rely on observing $\mathrm{RSNR}'$ to choose the best performing solution $\hat A^{(1)}$, so both Eve's and Steve's KPAs are inconclusive. As further perceptual evidence of this, the best recoveries according to $\mathrm{RSNR}''$ are reported in Fig. 7.

V. CONCLUSION
In this paper we have analysed known-plaintext attacks as they may be carried out on standard CS schemes with antipodal random encoding matrices as well as on the particular multiclass protocol developed in [7]. In particular, the analysis was carried out from the two perspectives of an eavesdropper and a second-class user trying to guess the true encoding matrix. In both cases we have mapped multiclass CS into a collection of subset-sum problems with the aim of counting the candidate encoding matrices that match a given plaintext-ciphertext pair. In the eavesdropper case we have found that for each row the expected number grows as $O(n^{-1/2}\, 2^n)$: finding the true solution among such huge sets is infeasible. A further study of the candidate solutions' Hamming distance from the true one showed that, as the dimensionality $n$ increases, the expected number of solutions close to the true one is only a small fraction of the solution set. As for the second-class user, we have shown that, depending on the available information on the true encoding matrix, the expected number of solutions is significantly smaller, yet sufficiently high for large $n$ to reassure that a second-class user will not be able to perform class-upgrade. Moreover, other class-upgrade attacks based on signal recovery under matrix uncertainty were shown to yield almost identical performances to those of a standard decoding algorithm.

Finally, we showed some simulated cases of KPAs on real-world signals such as ECG traces and images by running a random search for a solution set corresponding to realistic plaintext-ciphertext pairs, and afterwards tested whether any of the returned candidate solutions could lead to finding the true encoding matrix by testing them on a successive ciphertext. In all the observed cases we have found that the decoding performances match the average RSNR level prescribed by the multiclass encryption protocol, i.e., both malicious users are unable to successfully decode other plaintexts with significant and stable quality improvements with respect to their available prior information.

Fig. 7. Effectiveness of (a) Eve's and (b) Steve's KPA in recovering hidden image blocks. Each point is a guess of the encoding matrix $A^{(1)}$ whose quality is assessed by decoding the ciphertext $y'$ corresponding to the known plaintext $x'$ ($\mathrm{RSNR}'$) and by decoding a new ciphertext $y''$ ($\mathrm{RSNR}''$). The Euclidean distance from the average $(\mathrm{RSNR}', \mathrm{RSNR}'')$ is highlighted by colour gradient.

APPENDIX A
PROOFS ON EAVESDROPPER'S KPA

The following definition is used in Appendices A and C.
Definition 3. We define the functions
\[
F_p(a, b) = \int_0^1 \frac{\xi^p}{1 + e^{a\xi - b}}\, d\xi \qquad (11)
\]
\[
G_p(a, b) = \int_0^1 \frac{\xi^p}{(1 + e^{a\xi - b})(1 + e^{b - a\xi})}\, d\xi \qquad (12)
\]

Proof of Proposition 1: Define the binary variables $b_l \in \{0, 1\}$ so that $\mathrm{sign}(x_l)\,\hat A^{(1)}_{j,l} = 2b_l - 1$, and the positive coefficients $u_l = |x_l|$. With this choice (2) is equivalent to $y_j = \sum_{l=0}^{n-1}(2b_l - 1)u_l$, which leads to a SSP with $\upsilon = \frac{1}{2}\left(y_j + \sum_{l=0}^{n-1}|x_l|\right)$. Since we know that each measurement $y_j$ must correspond to the inner product between $x$ and the row $A^{(1)}_j$, the latter's entries are straightforwardly mapped to the true solution of this SSP, $\{\bar b_l\}_{l=0}^{n-1}$.

Proof of Theorem 1:
Let us first note that, for large $n$, $\upsilon$ in Proposition 1 is an integer in the range $\{0, \ldots, nL/2\}$, with the values outside this interval being asymptotically unachievable as $n \to \infty$ (see [18, Section 4]). We let $\tau = \upsilon/(nL)$, $\tau \in [0, 1/2]$, and $a(\tau)$ be the solution in $a$ of the equation $\tau = F_1(a, 0)$ (i.e., [18, (4.2)]), which is unique since $F_p(a, 0)$ in (11) is monotonically decreasing in $a$. From [18, (4.1)] the number of solutions of a SSP with integer coefficients $\{u_l\}_{l=0}^{n-1}$ uniformly distributed in $\{1, \ldots, L\}$ is
\[
S_{\mathrm{Eve}}(\tau, n, L) \underset{n\to\infty}{\simeq} \frac{e^{\,n\left[a(\tau)\tau + \int_0^1 \log\left(1 + e^{-a(\tau)\xi}\right) d\xi\right]}}{\sqrt{2\pi n L^2\, G_2(a(\tau), 0)}}
\]
which we anticipate to have an approximately Gaussian profile (see Fig. 8). We now compute the average of $S_{\mathrm{Eve}}(\tau, n, L)$ in $\tau$, which clearly depends on the probability of selecting any value of $\upsilon \in \{0, \ldots, nL/2\}$, i.e., of $\tau \in [0, 1/2]$. Since it is the result of a linear combination, the probability that a specific value of $\upsilon$ appears in a random instance of the SSP is proportional to the number of solutions associated to it. In normalised terms, the PDF of $\tau$ must be proportional to $S_{\mathrm{Eve}}(\tau, n, L)$, i.e., $\tau$ is distributed as
\[
f_\tau(t) = \begin{cases} \dfrac{S_{\mathrm{Eve}}(t, n, L)}{\int_0^{1/2} S_{\mathrm{Eve}}(\xi, n, L)\, d\xi}, & 0 \le t \le 1/2 \\[2ex] 0, & \text{otherwise} \end{cases}
\]
With $f_\tau(t)$ we can compute the expected number of solutions:
\[
\mathbb{E}_\tau\left[S_{\mathrm{Eve}}(\tau, n, L)\right] = \frac{\int_0^{1/2} S_{\mathrm{Eve}}^2(\xi, n, L)\, d\xi}{\int_0^{1/2} S_{\mathrm{Eve}}(\xi, n, L)\, d\xi} \qquad (13)
\]
Although we could resort to numerical integration, (13) can be simplified by exploiting what was noted above, i.e., that $S_{\mathrm{Eve}}(\tau, n, L)$ has an approximately Gaussian profile in $\tau$ (Fig. 8) with a maximum in $\tau = 1/4$. Hence, the expectation in $\tau$ becomes
\[
\mathbb{E}_\tau\left[S_{\mathrm{Eve}}(\tau, n, L)\right] \underset{n\to\infty}{\simeq} S_{\mathrm{Eve}}\!\left(\tfrac{1}{4}, n, L\right) \frac{\int_{-\infty}^{\infty} \left(e^{-(\xi - 1/4)^2/2\sigma^2}\right)^2 d\xi}{\int_{-\infty}^{\infty} e^{-(\xi - 1/4)^2/2\sigma^2}\, d\xi} = \frac{S_{\mathrm{Eve}}\!\left(\tfrac{1}{4}, n, L\right)}{\sqrt{2}} = \frac{2^n}{L}\sqrt{\frac{3}{\pi n}} \qquad (14)
\]
which is actually independent of the $\sigma$ used in the Gaussian approximation, and in which we have exploited $a(1/4) = 0$ (so that the exponent reduces to $n\log 2$ and $G_2(0, 0) = 1/12$) to obtain the statement of the theorem.

Fig. 8. Gaussian approximation of $S_{\mathrm{Eve}}(\tau, n, L)$ for $n = 64$, $L = 10$ by letting σ ≈ /n.

APPENDIX B
HAMMING DISTANCE OF KPA SOLUTIONS
Proof of Theorem 2: We here concentrate on counting the number of candidate solutions $\{b_l\}_{l=0}^{n-1}$ to Eve's KPA that differ from the true one, $\{\bar b_l\}_{l=0}^{n-1}$, in exactly $h$ components (at Hamming distance $h$). We assume that $K \subseteq \{0, \ldots, n-1\}$ is the set of indexes for which there is a disagreement, i.e., for all $l \in K$ we have $b_l = 1 - \bar b_l$; this set has cardinality $h$ and is one among $\binom{n}{h}$ possible sets. Since both $\{b_l\}_{l=0}^{n-1}$ and $\{\bar b_l\}_{l=0}^{n-1}$ are solutions to the same SSP, and $b_l = \bar b_l$ for $l \notin K$, $\sum_{l \in K}(1 - \bar b_l)u_l = \sum_{l \in K}\bar b_l u_l$ must hold, implying the equality
\[
\sum_{l \in K,\ \bar b_l = 0} u_l \;-\; \sum_{l \in K,\ \bar b_l = 1} u_l = 0 \qquad (15)
\]
Although (15) recalls the well-known partition problem, in our case $K$ is chosen by each problem instance that sets all $u_l$ and $\bar b_l$. Thus, (15) holds in a number of cases that depends on how many of the $2^h L^h$ possible assignments of all $u_l$ and $\bar b_l$ satisfy it. The only feasible cases are for $h > 1$, and to analyse them we assume $K = \{0, \ldots, h-1\}$ (the disagreements occur in the first $h$ ordered indexes) without loss of generality. Moreover, when (15) holds for some $\{\bar b_l\}_{l=0}^{n-1}$ it also holds for $\{1 - \bar b_l\}_{l=0}^{n-1}$. Hence, we may count the configurations that verify (15) with $\bar b_0 = 0$, knowing that their number will be only half of the total. With this, the configurations with $\bar b_0 = 0$ must have $\bar b_l = 1$ for at least one $l > 0$ in order to satisfy (15), giving $2^{h-1} - 1$ total cases to check.

The following paragraphs illustrate that, for $h < L$, the number of configurations that verify (15) can be written as a polynomial of order $h - 1$. With this in mind we can start with the explicit computation for $h \in \{2, 3\}$. For $h = 2$, there is only one feasible assignment for the $\{\bar b_l\}$, so $u_0 = u_1$ in (15), which makes $L$ cases out of $L^2$. For $h = 3$, one has $3$ feasible assignments for the $\{\bar b_l\}$. Due to the symmetry of (15) all the configurations have the same behaviour and we may focus on, e.g., $\bar b_0 = \bar b_1 = 0$ and $\bar b_2 = 1 \Rightarrow u_0 + u_1 = u_2$; this can be satisfied only when $u_0 + u_1 \le L$, i.e., for $L(L-1)/2$ configurations. This makes a total of $2 \cdot 3 \cdot L(L-1)/2 = 3L(L-1)$ over the $L^3$ possible configurations.

For $h > 3$, this procedure is much less intuitive; nevertheless, we can at least prove that the function $P_h(L)$ counting the configurations for which (15) holds is a polynomial in $L$ of degree $h - 1$. To show this, let us proceed in three steps.

1) Indicate with $\pi_{\bar b}$ the $(h-1)$-dimensional subspace of $\mathbb{R}^h$ defined by $\sum_{l \in K, \bar b_l = 0}\xi_l - \sum_{l \in K, \bar b_l = 1}\xi_l = 0$, $\xi \in \mathbb{R}^h$. The intersection $\alpha_{\bar b}(L) = \{1, \ldots, L\}^h \cap \pi_{\bar b}$ is such that each assignment of $\{u_l\}_{l=0}^{h-1} \in \{1, \ldots, L\}^h$ satisfying (15) is an integer point in $\alpha_{\bar b}$. To count those points define $\beta_{\bar b}(L) = \{0, \ldots, L+1\}^h \cap \pi_{\bar b}$ and note that the number of integer points in $\alpha_{\bar b}$ is equal to the number of integer points in the interior of $\beta_{\bar b}$ (the points on the frontier of $\beta_{\bar b}$ have at least one coordinate that is either $0$ or $L+1$). Note how $\{0, \ldots, L+1\}^h$ scales linearly with $L+1$ while $\pi_{\bar b}$ is a subspace and therefore scale-invariant. Hence, their intersection $\beta_{\bar b}(L)$ is an $(h-1)$-dimensional polytope that scales proportionally to the integer $L+1$, as required by Ehrhart's theorem [41]. The number $E_{\bar b}(L)$ of integer points in $\beta_{\bar b}(L)$ is then a polynomial in $L+1$ (and so in $L$) of degree equal to the dimensionality of $\beta_{\bar b}(L)$, i.e., $h-1$. From the Ehrhart-Macdonald reciprocity theorem [42] we know that the number of integer points in the interior of $\beta_{\bar b}$, and thus in $\alpha_{\bar b}$, is $(-1)^{h-1}E_{\bar b}(-L-2)$ (the Ehrhart polynomial evaluated at the negated dilation parameter $-(L+1)$), which is also a polynomial in $L$ of degree $h-1$.

2) If two different assignments $\{\bar b'_l\}_{l=0}^{h-1}$ and $\{\bar b''_l\}_{l=0}^{h-1}$ are considered, then $\alpha_{\bar b'}(L) \cap \alpha_{\bar b''}(L) = \{1, \ldots, L\}^h \cap \pi_{\bar b'} \cap \pi_{\bar b''}$. The same argument we used above tells us that the number of integer points in such an intersection is a polynomial in $L$ of degree $h-2$ and, in general, that the number of integer points in the intersection of any number of polytopes $\alpha_{\bar b}(L)$ is a polynomial of degree not larger than $h-1$.

3) The number of configurations of $\{u_l\}_{l=0}^{h-1}$ and $\{\bar b_l\}_{l=0}^{h-1}$ that satisfy (15) with respect to the above $K$ is the number of integer points in the union of all possible polytopes $\alpha_{\bar b}$, i.e., $\bigcup_{\{\bar b_l\}_{l=0}^{h-1}} \alpha_{\bar b}(L)$. Such a number can be computed by the inclusion-exclusion principle, which amounts to properly summing and subtracting the number of integer points in those polytopes and their various intersections. Since sums and subtractions of polynomials yield polynomials of non-increasing degree, we know that this number is the evaluation of a polynomial $P_h(L)$ with degree not greater than $h-1$.

Let us then write $P_h(L) = \sum_{j=0}^{h-1} p_{hj} L^j$. In order to compute its coefficients $p_{hj}$ we may fix a binary configuration $\{\bar b_l\}_{l=0}^{h-1}$, count the points $\{u_l\}_{l=0}^{h-1} \in \mathbb{N}_+^h$ for which (15) is verified by means of integer partition functions (that also have a polynomial expansion), and subtract the points in which $\{u_l\}_{l=0}^{h-1} \notin \{1, \ldots, L\}^h$. By summation over all binary configurations, one can extract the coefficients associated with $L^j$ for each $h$. Table I reports the result of this procedure as carried out by symbolic computation for h ≤ .

APPENDIX C
PROOFS ON THE CLASS-UPGRADE KPA

Proof of Proposition 2:
In this case the attacker knows $(A^{(0)}, x, y)$ and is able to calculate $\varepsilon_j = y_j - \sum_{l=0}^{n-1} A^{(0)}_{j,l}x_l = \sum_{l=0}^{n-1}\Delta A_{j,l}x_l$, where the $\Delta A_{j,l}$ are unknown. For the $j$-th row, the attacker also knows there are $c_j$ non-zero elements in $\Delta A_{j,l} = -2A^{(0)}_{j,l}b_l$, with $b_l \in \{0, 1\}$ binary variables that are $1$ if the flipping occurred and $0$ otherwise. Note that from the above information $c_j = \sum_{l=0}^{n-1} b_l$. With this we define a set of even weights $D_l = -2A^{(0)}_{j,l}x_l \in \{-2L, \ldots, -2, 0, 2, \ldots, 2L\}$, so that the KPA is defined by the equalities
\[
\varepsilon_j = \sum_{l=0}^{n-1} D_l b_l \qquad (16)
\]
\[
c_j = \sum_{l=0}^{n-1} b_l \qquad (17)
\]
To obtain a standard $\gamma$-SSP with positive weights and $\gamma = c_j$ we add $2L$ to all $D_l$, so that (16) becomes $\varepsilon_j + 2L\sum_{l=0}^{n-1} b_l = \sum_{l=0}^{n-1}(D_l + 2L)b_l$. Multiplying both sides by $1/2$ and using (17) yields $\upsilon = \varepsilon_j/2 + Lc_j = \sum_{l=0}^{n-1} u_l b_l$, where $u_l = -A^{(0)}_{j,l}x_l + L \in \{0, \ldots, Q\}$, $Q = 2L$. Finally, we exclude $u_l = 0$ to facilitate the attack.

Proof of Theorem 3: Assume $F_p(a, b)$ and $G_p(a, b)$ as in (11), (12). Define the normalised constraint $r = c_j/n$, the normalised sum $\tau = \upsilon/(nQ)$, and two quantities $a(\tau, r)$ and $b(\tau, r)$ that are the solutions of the following system of equalities
\[
r = F_0(a, b), \qquad \tau = F_1(a, b)
\]
which are respectively equivalent to [18, (5.3-4)]. We also define
\[
G(\tau, r) = \begin{pmatrix} G_2\big(a(\tau, r), b(\tau, r)\big) & G_1\big(a(\tau, r), b(\tau, r)\big) \\ G_1\big(a(\tau, r), b(\tau, r)\big) & G_0\big(a(\tau, r), b(\tau, r)\big) \end{pmatrix}
\]
With this, [18, (5.8-9)] prove that the number of solutions of a $\gamma$-SSP with integer coefficients $\{u_l\}_{l=0}^{n-1}$ uniformly distributed in $\{1, \ldots, Q\}$, $Q = 2L$, $\gamma = c_j$ is
\[
S_{\mathrm{Steve}}(\tau, n, L, r) = \frac{e^{\,n\left(a(\tau, r)\,\tau - b(\tau, r)\,r\right)}}{4\pi n L \sqrt{\det G(\tau, r)}}\; e^{\,n \int_0^1 \log\left[1 + e^{b(\tau, r) - a(\tau, r)\xi}\right] d\xi} \qquad (18)
\]
Using the same arguments as in the proof of Theorem 1, we average on $\tau$ and obtain an expression identical to (13) for the computation of $\mathbb{E}_\tau[S_{\mathrm{Steve}}(\tau, n, L, r)]$. Since $S_{\mathrm{Steve}}(\tau, n, L, r)$ has once again an approximately Gaussian profile in $\tau$ with a maximum in $\tau = r/2$, we approximate the expectation in $\tau$ as
\[
\mathbb{E}_\tau\left[S_{\mathrm{Steve}}(\tau, n, L, r)\right] \underset{n\to\infty}{\simeq} \frac{S_{\mathrm{Steve}}\!\left(\frac{r}{2}, n, L, r\right)}{\sqrt{2}} = \sqrt{\frac{3}{8}}\; \frac{r^{-1-nr}\,(1-r)^{-1-n(1-r)}}{\pi n L} \qquad (19)
\]
by using the fact that $a(r/2, r) = 0$ and $b(r/2, r) = \log\frac{r}{1-r}$: with these values the exponent in (18) equals $-nr\log r - n(1-r)\log(1-r)$, and $G_p(0, b) = r(1-r)/(p+1)$, so that $\det G(r/2, r) = r^2(1-r)^2/12$.

REFERENCES

[1] D. L. Donoho, "Compressed Sensing,"
IEEE Transactions on Information Theory, vol. 52, no. 4, pp. 1289–1306, Apr. 2006.
[2] E. J. Candes and M. B. Wakin, "An Introduction to Compressive Sampling," IEEE Signal Processing Magazine, vol. 25, no. 2, pp. 21–30, Mar. 2008.
[3] Y. Rachlin and D. Baron, "The secrecy of compressed sensing measurements," in . IEEE, 2008, pp. 813–817.
[4] A. Orsdemir, H. O. Altun, G. Sharma, and M. F. Bocko, "On the security and robustness of encryption via compressed sensing," in . IEEE, 2008, pp. 1–7.
[5] V. Cambareri, J. Haboba, F. Pareschi, R. Rovatti, G. Setti, and K. W. Wong, "A two-class information concealing system based on compressed sensing," in . IEEE, 2013, pp. 1356–1359.
[6] J. Barcelo-Llado, A. Morell, and G. Seco-Granados, "Amplify-and-Forward Compressed Sensing as a Physical-Layer Secrecy Solution in Wireless Sensor Networks," IEEE Transactions on Information Forensics and Security, vol. 9, no. 5, pp. 839–850, May 2014.
[7] V. Cambareri, M. Mangia, F. Pareschi, R. Rovatti, and G. Setti, "Low-complexity multiclass encryption by compressed sensing," IEEE Transactions on Signal Processing, vol. 63, no. 9, pp. 2183–2195, 2015.
[8] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "A survey on sensor networks," IEEE Communications Magazine, vol. 40, no. 8, pp. 102–114, 2002.
[9] E. J. Candes and J. Romberg, "Sparsity and incoherence in compressive sampling," Inverse Problems, vol. 23, no. 3, p. 969, 2007.
[10] E. J. Candes and T. Tao, "Near-optimal signal recovery from random projections: Universal encoding strategies?" IEEE Transactions on Information Theory, vol. 52, no. 12, pp. 5406–5425, 2006.
[11] J. Haboba, M. Mangia, F. Pareschi, R. Rovatti, and G. Setti, "A pragmatic look at some compressive sensing architectures with saturation and quantization," IEEE Journal on Emerging and Selected Topics in Circuits and Systems, vol. 2, no. 3, pp. 443–459, Sept. 2012.
[12] E. J. Candes and T. Tao, "Decoding by linear programming," IEEE Transactions on Information Theory, vol. 51, no. 12, pp. 4203–4215, Dec. 2005.
[13] S. Rangan, "Generalized approximate message passing for estimation with random linear mixing," in . IEEE, 2011, pp. 2168–2172.
[14] E. van den Berg and M. P. Friedlander, "Sparse optimization with least-squares constraints," SIAM Journal on Optimization, vol. 21, no. 4, pp. 1201–1229, 2011.
[15] H. Zhu, G. Leus, and G. B. Giannakis, "Sparsity-cognizant total least-squares for perturbed compressive sampling," IEEE Transactions on Signal Processing, vol. 59, no. 5, pp. 2002–2016, 2011.
[16] J. T. Parker, V. Cevher, and P. Schniter, "Compressive sensing under matrix uncertainties: An approximate message passing approach," in . IEEE, 2011, pp. 804–808.
[17] S. Martello and P. Toth, Knapsack problems: algorithms and computer implementations. John Wiley & Sons, Inc., 1990.
[18] T. Sasamoto, T. Toyoizumi, and H. Nishimori, "Statistical mechanics of an NP-complete problem: subset sum," Journal of Physics A: Mathematical and General, vol. 34, no. 44, p. 9555, 2001.
[19] C. E. Shannon, "Communication Theory of Secrecy Systems," Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, Oct. 1949.
[20] P.-L. Loh and M. J. Wainwright, "High-dimensional regression with noisy and missing data: Provable guarantees with nonconvexity," Annals of Statistics, vol. 40, no. 3, p. 1637, 2012.
[21] M. Herman and T. Strohmer, "General deviants: An analysis of perturbations in compressed sensing," IEEE Journal of Selected Topics in Signal Processing, vol. 4, no. 2, pp. 342–349, 2010.
[22] V. Cambareri, M. Mangia, F. Pareschi, R. Rovatti, and G. Setti, "Average recovery performances of non-perfectly informed compressed sensing: with applications to multiclass encryption," in . IEEE, April 2015, pp. 3651–3655.
[23] Y. Chi, L. L. Scharf, A. Pezeshki, and A. R. Calderbank, "Sensitivity to basis mismatch in compressed sensing,"
IEEE Transactions onSignal Processing , vol. 59, no. 5, pp. 2182–2195, 2011.[24] E. J. Cand`es, “The restricted isometry property and its implications for compressed sensing,”
Comptes Rendus Mathematique , vol. 346,no. 9, pp. 589–592, 2008.[25] D. Donoho and J. Tanner, “Precise undersampling theorems,”
Proceedings of the IEEE , vol. 98, no. 6, pp. 913–924, june 2010.[26] R. Baraniuk, M. Davenport, R. DeVore, and M. Wakin, “A simple proof of the restricted isometry property for random matrices,”
Constructive Approximation , vol. 28, no. 3, pp. 253–263, 2008.[27] I. Drori, “Compressed video sensing,” in
BMVA Symposium on 3D Video-Analysis, Display, and Applications , 2008.[28] S. W. Golomb and G. Gong,
Signal Design for Good Correlation: For Wireless Communication, Cryptography, and Radar . CambridgeUniversity Press, Jul. 2005.[29] J. Massey, “Shift-register synthesis and BCH decoding,”
IEEE Transactions on Information Theory , vol. 15, no. 1, pp. 122–127, Jan. 1969.[30] A. Kerckhoffs, “La cryptographie militaire,”
Journal des sciences militaires , vol. IX, pp. 5–38, Jan. 1883.[31] J. C. Lagarias and A. M. Odlyzko, “Solving low-density subset sum problems,”
Journal of the ACM (JACM) , vol. 32, no. 1, pp. 229–246,1985.[32] R. Merkle and M. Hellman, “Hiding information and signatures in trapdoor knapsacks,”
IEEE Transactions on Information Theory , vol. 24,no. 5, pp. 525–530, 1978.[33] B. Chor and R. L. Rivest, “A knapsack-type public key cryptosystem based on arithmetic in finite fields,”
IEEE Transactions on InformationTheory , vol. 34, no. 5, pp. 901–909, 1988.[34] A. M. Odlyzko, “The rise and fall of knapsack cryptosystems,”
Cryptology and computational number theory , vol. 42, pp. 75–88, 1990.[35] ILOG, Inc., “ILOG CPLEX: High-performance software for mathematical programming and optimization,” 2006.[36] M. Mangia, R. Rovatti, and G. Setti, “Rakeness in the design of analog-to-information conversion of sparse and localized signals,”
IEEETransactions on Circuits and Systems I: Regular Papers , vol. 59, no. 5, pp. 1001 –1014, may 2012.[37] V. Cambareri, M. Mangia, F. Pareschi, R. Rovatti, and G. Setti, “A rakeness-based design flow for analog-to-information conversion bycompressive sensing,” in . IEEE, 2013, pp. 1360–1363.[38] J. Vila and P. Schniter, “Expectation-maximization bernoulli-gaussian approximate message passing,” in . IEEE, 2011, pp. 799–803.[39] A. L. Goldberger, L. A. N. Amaral, L. Glass, J. M. Hausdorff, P. C. Ivanov, R. G. Mark, J. E. Mietus, G. B. Moody, C.-K. Peng, andH. E. Stanley, “PhysioBank, PhysioToolkit, and PhysioNet: Components of a new research resource for complex physiologic signals,”
Circulation , vol. 101, no. 23, pp. e215–e220, 2000 (June 13).[40] S. Mallat,
A wavelet tour of signal processing . Access Online via Elsevier, 1999.
AMBARERI et al. : ON KNOWN-PLAINTEXT ATTACKS TO A COMPRESSED SENSING-BASED ENCRYPTION: A QUANTITATIVE ANALYSIS25 [41] E. Ehrhart, “Sur un probleme de g´eom´etrie diophantienne lin´eaire. ii. systemes diophantiens lin´eaires. (french),”
J. Reine Angew. Math ,vol. 227, pp. 25–49, 1967.[42] I. G. Macdonald, “Polynomials Associated with Finite Cell-Complexes,”
Journal of the London Mathematical Society , vol. 2, no. 1, pp.181–192, 1971.
Valerio Cambareri (S’13) received the B.S., M.S. (summa cum laude), and Ph.D. degrees in Electronic Engineering from the University of Bologna, Italy, in 2008, 2011 and 2015, respectively. From 2012 to 2015, he was a Ph.D. student in Electronics, Telecommunications and Information Technologies at DEI – University of Bologna, Italy. In 2014 he was a visiting Ph.D. student in the Integrated Imagers team at IMEC, Belgium. His current research activity focuses on statistical and digital signal processing, compressed sensing and computational imaging.

Mauro Mangia (S’09-M’13) received the B.S. and M.S. degrees in Electronic Engineering from the University of Bologna, Italy, in 2004 and 2009, respectively; he received the Ph.D. degree in Information Technology from the University of Bologna in 2013. He is currently a post-doc researcher in the statistical signal processing group of ARCES – University of Bologna, Italy. In 2009 and 2012 he was a visiting Ph.D. student at the École Polytechnique Fédérale de Lausanne (EPFL). His research interests are in nonlinear systems, compressed sensing, ultra-wideband systems and system biology. He was the recipient of the 2013 IEEE CAS Society Guillemin-Cauer Award and the best student paper award at IEEE ISCAS 2011.

Fabio Pareschi (S’05-M’08) received the Dr. Eng. degree (with honours) in Electronic Engineering from the University of Ferrara, Italy, in 2001, and the Ph.D. in Information Technology under the European Doctorate Project (EDITH) from the University of Bologna, Italy, in 2007. He is currently an Assistant Professor in the Department of Engineering (ENDIF), University of Ferrara. He is also a faculty member of ARCES – University of Bologna, Italy. He served as Associate Editor for the IEEE Transactions on Circuits and Systems – Part II (2010-2013). His research activity focuses on analog and mixed-mode electronic circuit design, statistical signal processing, random number generation and testing, and electromagnetic compatibility. He was the recipient of the best paper award at ECCTD 2005 and the best student paper award at EMC Zurich 2005.

Riccardo Rovatti (M’99-SM’02-F’12) received the M.S. degree in Electronic Engineering and the Ph.D. degree in Electronics, Computer Science, and Telecommunications, both from the University of Bologna, Italy, in 1992 and 1996, respectively. He is now a Full Professor of Electronics at the University of Bologna. He is the author of approximately 300 technical contributions to international conferences and journals, and of two volumes. His research focuses on mathematical and applicative aspects of statistical signal processing and on the application of statistics to nonlinear dynamical systems. He received the 2004 IEEE CAS Society Darlington Award, the 2013 IEEE CAS Society Guillemin-Cauer Award, as well as the best paper award at ECCTD 2005, and the best student paper award at EMC Zurich 2005 and ISCAS 2011. He was elected IEEE Fellow in 2012 for contributions to nonlinear and statistical signal processing applied to electronic systems.