1: \documentclass[pre,superscriptaddress,amsfonts,showpacs]{revtex4}
2: %\documentclass[11pt]{article}
3: \usepackage{epsf}
4:
5:
6:
7: \newcommand{\bd }{\begin{displaymath}}
8: \newcommand{\ed }{\end{displaymath}}
9: \newcommand{\plus }{{\!+\!}}
10: \newcommand{\minus }{{\!-\!}}
11: \newcommand{\order }{{\cal O}}
12: \newcommand{\vsp }{\vspace*{3mm}}
13: \newcommand{\s }{\sigma}
14: \newcommand{\bef }{\beta F}
15: \newcommand{\thf }{\tanh[F]}
16: \newcommand{\be }{\beta}
17: \newcommand{\ra }{\rightarrow}
18: \newcommand{\ua }{\uparrow}
19: \newcommand{\da }{\downarrow}
20: \newcommand{\mc }{\mathcal}
21: \newcommand{\bra }{\langle}
22: \newcommand{\ket }{\rangle}
23: \newcommand{\Bra }{\left\langle}
24: \newcommand{\Ket }{\right\rangle}
25: \newcommand{\mb }{\mbox{\boldmath$m$}}
26: \newcommand{\mh }{\hat{m}}
27: \newcommand{\mo }{m_0}
28: \newcommand{\moh }{\hat{m}_0}
29: \newcommand{\la }{\lambda}
30: \newcommand{\atanh }{{\rm{ath}}}
31: \newcommand{\sech }{\mathrm{sech}}
32: \newcommand{\mnoth }{\hat{m}_0}
33: \newcommand{\bM }{\mbox{\boldmath$M$}}
34: \newcommand{\bA }{\mbox{\boldmath$A$}}
35: \newcommand{\bB }{\mbox{\boldmath$B$}}
36: \newcommand{\bF }{\mbox{\boldmath$F$}}
37: \newcommand{\bS }{\mbox{\boldmath$S$}}
38: \newcommand{\bP }{\mbox{\boldmath$P$}}
39: \newcommand{\bv }{\mbox{\boldmath$v$}}
40: \newcommand{\bn }{\mbox{\boldmath$n$}}
41: \newcommand{\bh }{\mbox{\boldmath$h$}}
42: \newcommand{\bw }{\mbox{\boldmath$w$}}
43: \newcommand{\bsigma }{\mbox{\boldmath$\sigma$}}
44: \newcommand{\blambda}{\mbox{\boldmath$\lambda$}}
45: \newcommand{\bXI }{\mbox{\boldmath$\Xi$}}
46: \newcommand{\bLAMBDA}{\mbox{\boldmath$\Lambda$}}
47: \newcommand{\bT }{\mbox{\boldmath$T$}}
48: \newcommand{\bG }{\mbox{\boldmath$G$}}
49: \newcommand{\bGAMMA }{\mbox{\boldmath$\Gamma$}}
50: \newcommand{\bD }{\mbox{\boldmath$D$}}
51: \newcommand{\bJ }{\mbox{\boldmath$J$}}
52: \newcommand{\bSigma }{\mbox{\boldmath$\Sigma$}}
53: \newcommand{\bs }{\mbox{\boldmath$s$}}
54: \newcommand{\bolds }{\mbox{\boldmath$s$}}
55: \newcommand{\bdeltaL}{\mbox{\boldmath$\delta L$}}
56: \newcommand{\bone }{\mbox{\boldmath$1$}}
57: \newcommand{\bomega }{\mbox{\boldmath$\omega$}}
58: \newcommand{\boldeta}{\mbox{\boldmath$\eta$}}
59: \newcommand{\btau }{\mbox{\boldmath$\tau$}}
60: \newcommand{\bk }{\mbox{\boldmath$k$}}
61: \newcommand{\bpsi }{\mbox{\boldmath$\psi$}}
62: \newcommand{\bz }{\mbox{\boldmath$z$}}
63: \newcommand{\bZ }{\mbox{\boldmath$Z$}}
64: \newcommand{\bzero }{\mbox{\boldmath$0$}}
65: \newcommand{\bV }{\mbox{\boldmath$V$}}
66: \newcommand{\bphi }{\mbox{\boldmath$\phi$}}
67: \newcommand{\bx }{\mbox{\boldmath$x$}}
68: \newcommand{\by }{\mbox{\boldmath$y$}}
69: \newcommand{\br }{\mbox{\boldmath$r$}}
70: \newcommand{\bt }{\mbox{\boldmath$t$}}
71: \newcommand{\bxi }{\mbox{\boldmath$\xi$}}
72: \newcommand{\bzeta }{\mbox{\boldmath$\zeta$}}
73: \newcommand{\bC }{\mbox{\boldmath$C$}}
74: \newcommand{\bI }{\mbox{\boldmath$I$}}
75: \newcommand{\mcA }{\mathcal{A}}
76: \newcommand{\mcG }{\mathcal{G}}
77: \newcommand{\LK }{\Lambda_K}
78: \newcommand{\OL }{\Omega_L}
79: \newcommand{\LKP }{\Lambda_{K^\prime}}
80: \newcommand{\OLP }{\Omega_{L^\prime}}
81: \newcommand{\CB }{\overline{C}}
82: \newcommand{\LB }{\overline{L}}
83:
84:
85: \begin{document}
86:
87: \title{\bf
88: Analysis of common attacks in LDPCC-based public-key cryptosystems}
89: \author{{\bf N.S.~Skantzos$^{\dagger *}$, D.~Saad$^{\dagger}$
90: and Y.~Kabashima$^{\ddagger}$}\\
91: $^{\dagger}$ Neural Computing Research Group, Aston University, B4 7ET, UK\\
$^{*}$ Institute for Theoretical Physics, Celestijnenlaan 200D,
KULeuven, Leuven, B-3001 Belgium \\
$^{\ddagger}$ Dept.\@ of Computational Intelligence \& Systems Science,\\
Tokyo Institute of Technology, Yokohama 2268502, Japan\\
96: email: \texttt{skantzon@aston.ac.uk}, \texttt{saadd@aston.ac.uk}
97: and \texttt{kaba@dis.titech.ac.jp}}
98:
99:
100: \begin{abstract}
101: \noindent We analyze the security and reliability of a recently
102: proposed class of public-key cryptosystems against attacks by
103: unauthorized parties who have acquired partial knowledge of one or
104: more of the private key components and/or of the plaintext. Phase
105: diagrams are presented, showing critical partial knowledge levels
106: required for unauthorized decryption.
107: \end{abstract}
108:
\pacs{89.70.+c, 03.67.Dd, 05.50.+q, 89.80.+h}
110: \maketitle
111:
112: %--------------------------------------------------------------------%
113: \section{Introduction}
114: %--------------------------------------------------------------------%
115: %
116: An important aspect in many modern communication systems is the
117: ability to exclude unauthorized parties from gaining access to
118: confidential material. Although cryptosystems in general have an
119: extensive history, until fairly recently they have been based on
120: simple variations of the same theme: information security among
121: authorized parties relies on sharing a secret key which is to
122: be used for encryption and decryption of transmitted messages.
123: While in this way confidentiality of the sent message may be
124: secured, such systems suffer from the (obvious) drawback of
125: non-secure key distribution.
126:
127: In 1978 Rivest, Shamir and Adleman first devised a way to resolve
128: this problem which led to the celebrated RSA \emph{public-key}
129: cryptosystem~\cite{RSA} (for historical accuracy, a similar system
had been suggested years earlier at the British GCHQ but was kept
131: secret). The idea behind public key cryptosystems is to
132: differentiate between the encryption- and decryption-keys; private
133: key(s) are assigned to authorized users, for decryption purposes,
134: while transmitting parties only need to know the matching
135: encryption (public) key~\cite{DH}. The two keys are related by a
136: function which generates the encryption mechanism from the
137: decryption key with low computational costs, while the opposite
138: operation (evaluating the decryption key from the encryption
139: mechanism) is computationally infeasible. Such functions are
140: called `one-way' or trap-door functions; the RSA algorithm for
141: instance, is based on the intractability of factorizing large
142: integers generated by taking the product of two large prime
143: numbers.
144:
145: The proliferation of digital communication in the last few decades
146: has brought in a demand for secure communication leading to the
147: invention of several other public-key cryptosystems, most notable
of which are the ElGamal cryptosystem (based on the Discrete
149: Logarithm problem), systems based on elliptic curves and the
150: McEliece cryptosystem (based on linear error-correcting
151: codes)~\cite{stinson}. A common denominator of all public-key
152: algorithms is the high computational complexity of the task
153: facing the unauthorized user; this is typically related to hard
154: computational problems that cannot be solved in practical time
155: scales.
156:
157: A new public-key cryptosystem based on a diluted Ising spin-glass
158: system has been recently proposed in~\cite{KMS}. The suggested
159: cryptosystem is similar in spirit to that of McEliece and relies
160: on exploiting physical properties of the MacKay-Neal (MN)
161: low-density parity-check (LDPC) error-correcting codes. In
162: particular, in the context of MN codes it has been
163: shown~\cite{KMS,mackay,kabashima} that for certain parameter
164: values successful decoding is highly likely, while for others
165: (particularly when the number of parity-checks per bit and the
166: number of bits per check tend to infinity) the `perfect' solution,
167: describing full retrieval of the sent message, admits only a very
168: narrow basin of attraction; iterative algorithmic solutions lead
169: in this case, almost certainly, to a decryption failure. One can
170: use these properties to devise an LDPC based
171: cryptosystem~\cite{KMS}. The narrow basin of attraction ensures
172: that a random initialization of the decryption equations will fail
173: to converge to the plaintext solution while the naive approach of
174: trying all possible initializations is clearly doomed for a
175: sufficiently large plaintext size. The `one-way' function relies
176: on the hard computational task of decomposing a dense matrix (the
177: public key) into a combination of sparse and dense matrices
178: (private keys)~\cite{garey_johnson}.
179:
180: In this paper we examine the suggested cryptosystem from an
181: adversary's viewpoint. We consider an unauthorized party that has
182: acquired partial or full knowledge of one or more of the private
183: keys, and/or of the message, and we evaluate the critical
184: knowledge levels required for unauthorized decryption. In
185: addition, we examine the decryption reliability by authorized
186: users due to the probabilistic nature of the cryptosystem.
187:
188: The paper is organized as follows: In the following section we give an
189: outline of the suggested cryptosystem. In section~\ref{sec:attack} we
190: formulate unauthorized-decryption scenarios with partial knowledge
191: based on a statistical mechanical framework. In
192: section~\ref{sec:analysis} we derive the observable quantity that
193: measures decryption success of the unauthorized user as a function of
194: the attack parameters and in section~\ref{sec:results} we examine
195: various cases and present numerical results as well as the related
196: phase diagrams. In sections~\ref{sec:BOA} and~\ref{sec:reliability} we
197: briefly study the basin of attraction of the ferromagnetic solution,
198: and the reliability of the decryption mechanism (for authorized
users), respectively. The implications of the analysis are discussed in
200: section~\ref{sec:conclusion}.
201:
202:
203: %--------------------------------------------------------------------%
204: \section{Description of the Cryptosystem}
205: %--------------------------------------------------------------------%
206: %
207: The cryptosystem suggested in~\cite{KMS} is based on the framework
208: of MN error-correcting codes~\cite{mackay}. An outline of the
209: encryption/decryption process is as follows.
210:
211: A plaintext represented by $\bxi\in\{0,1\}^N$ is encrypted to the
212: ciphertext $\br\in\{0,1\}^M$ (with $M>N$) using a predetermined
generator matrix $G\in\{0,1\}^{M\times N}$ and a corrupting vector
$\bzeta\in\{0,1\}^M$ with $P(\zeta_i)=p \ \delta_{\zeta_i,1}+(1-p)
\ \delta_{\zeta_i,0}$ for each component $1 \le i \le M$; the
Kronecker delta $\delta_{ab}$ returns 1 when the arguments are
217: equal ($a=b$) and zero otherwise. The generated ciphertext is of
218: the form:
219: \begin{equation}
220: \br=G\bxi+\bzeta
221: \hspace{10mm}
222: {\rm (mod\ 2)}
223: \end{equation}
224: The $(M\times N)$ matrix $G$ together with the corruption rate
225: $p\in[0,1]$ constitute the \emph{public} key.
226:
227: The encryption matrix $G$ is constructed by choosing a dense
228: matrix $D$ (of dimensionality $M\times M$) and two
229: randomly-selected sparse matrices $A$ (of dimensionality $M\times
230: N$) and $B$ (of dimensionality $M\times M$) through $G=B^{-1}A D$
231: (mod 2). The matrices $A$ and $B$ are characterized by $K$ and $L$
232: non-zero elements per row and $C$ and $L$ non-zero elements per
233: column respectively. The resulting dense matrix $G$ is {\em
234: modeled} as being characterized by $K^\prime$ and $C^\prime$
235: non-zero elements per row and per column respectively with
236: $K^\prime,C^\prime\to\infty$ (while $K^\prime/C^\prime=N/M$ is
237: finite). In fact, the dense matrix $G$ is of an irregular form due
238: to the inverse of the sparse matrix $B$ as well as the product
239: taken with the dense matrix $D$; we will model the matrix $G$ by a
240: regular dense matrix to simplify the analysis. The parameters
241: $K,C$ and $L$ define a particular cryptosystem while the matrices
242: $A$, $B$ and $D$ constitute the \emph{private} key.
243:
244: The authorized user may obtain the plaintext from the received
245: ciphertext $\br$ by taking the (mod 2) product
246: $B\br=A\bxi+B\bzeta$. Finding a set of solutions $\bsigma$ and
247: $\btau$ such that the equation
248: \begin{equation}
249: A\bsigma+B\btau=A\bxi+B\bzeta
250: \hspace{10mm}
251: {\rm (mod\ 2)}
252: \label{eq:MN}
253: \end{equation}
254: is true will lead to candidate solutions of the decryption problem
255: (of which the most probable one will be detected according to a
256: further selection criterion). For particular choices of $K$ and
257: $L$, solving the above equation can be achieved via iterative
258: methods which have common roots in both graphical models and
259: physics of disordered systems such as Belief
Propagation~\cite{mackay}, Belief Revision~\cite{weiss} and more
261: recently Survey Propagation~\cite{MPZ}; where state probabilities
262: for the decrypted message bits $P(\bsigma, \btau|\br)$ are
263: calculated by solving iteratively a set of coupled equations,
264: describing conditional probabilities of the ciphertext bits given
265: the plaintext and vice versa. This problem is identical to the
266: decoding problem of a regular MN error-correcting code; for the
267: explicit iterative decoding equations see
268: equations~(\ref{eq:horizontal}-\ref{eq:vertical}) as well
269: as~\cite{mackay,MKSV}.
270:
271: The unauthorized user, on the other hand, faces the task of
272: finding the most probable solutions to the equation
273: \begin{equation}
274: G\bxi+\bzeta=G\bsigma+\btau \hspace{10mm} {\rm (mod\ 2)} \ .
275: \label{eq:sourlas}
276: \end{equation}
277: The above decryption equation is effectively identical to the decoding
278: problem of Sourlas error-correcting codes~\cite{sourlas}, with the
279: public matrix $G$ being dense. Most notably, in the context of Sourlas
280: codes, finding solutions to (\ref{eq:sourlas}) is strongly dependent
281: on initial conditions: for all initial conditions other than the
282: plaintext itself, the iterative equations of Belief Propagation will
283: fail to converge to the plaintext
284: solution~\cite{KMS,mackay,kabashima,kanter} such that obtaining the
285: correct solution for (\ref{eq:sourlas}) without knowledge of the
286: private key will become infeasible. Obtaining the private keys by
287: decomposing $G$ into $A$, $B$ and $D$ is known to be a hard
288: computational problem even if the values of $K$, $C$ and $L$ are
289: known~\cite{garey_johnson}.
290:
We would like to point out that there may exist more than one
triplet of matrices $\{A,B,D\}$ such that $G=B^{-1}AD$. With $D$ being
a dense matrix, finding a set of matrices $A^\prime$, $B^\prime$ and
294: $D^\prime$ such that their combination produces
295: $G=(B^\prime)^{-1}A^\prime D^\prime$ requires an exponentially
296: diverging number of operations, with respect to the system size,
297: making the decomposition computationally infeasible. For $D=\bone$ (as
298: was the original formulation in~\cite{KMS}) finding a pair of sparse
299: matrices $A^\prime$ and $B^\prime$ such that
300: $G=(B^\prime)^{-1}A^\prime$ requires only a number of operations that
301: is polynomial in $N$, and the cryptosystem is therefore not secure.
302:
303: Other advantages and drawbacks of the new cryptosystem appear
304: in~\cite{KMS}.
305:
306: %--------------------------------------------------------------------%
307: \section{Formulation of the Attack}
308: \label{sec:attack}
309: %--------------------------------------------------------------------%
310: %
311: An essential ingredient of any cryptosystem is a certain level of
312: robustness against attacks. The robustness of the current cryptosystem
313: against attacks with no additional secret information has already been
314: reported in~\cite{KMS}. In this section we study the vulnerability of
315: the new cryptosystem to various attacks, characterized by partial
316: knowledge of the secret keys and/or the plaintext itself; the
317: additional information manifests itself in a set of decryption
318: equations similar to (\ref{eq:MN}) in which partial information of the
319: secret keys (and plaintext) is used in conjunction with the publicly
320: available information of (\ref{eq:sourlas}).
321: %
322: \begin{center}
323: \begin{figure}[b]
324: \setlength{\unitlength}{1.1mm}
325: \begin{picture}(120,55)
326: \put( 30, 0){\epsfysize=45\unitlength\epsfbox{matrix.eps}}
327: \put(12,27){$(1-\gamma)M$} \put(20,7) {$\gamma M$}
328: \put(58,27){$L-\tilde{L}_j$} \put(63,7) {$\tilde{L}_j$}
329: \end{picture}
330: \caption{ The matrix $B$ of dimensionality $M\times M$ used as a
331: private key in decryption. The scenario we consider here is that
332: unauthorized users have acquired knowledge of $\gamma M$ rows of
333: the matrix. The $(\gamma M\times M)$ block may have
334: $\tilde{L}_j=0,\ldots,L$ non-zero elements per column for all $j$.
335: } \label{fig:matrix}
336: \end{figure}
337: \end{center}
338: %
339: The cumulative information provided by the different sets of equations
will potentially allow for a successful decryption. To this end,
341: knowledge of the matrix $B$ is of utmost importance since obtaining
342: partial knowledge of the syndrome vector and equation (\ref{eq:MN}) is
343: only accessible through decryption using the matrix $B$. Let us consider
344: that an unauthorized user has acquired knowledge of a number of rows
345: $\gamma_A M$, $\gamma_B M$ and $\gamma_D M$ of the secret matrices
346: $A$, $B$ and $D$ (with $\gamma_\star\in[0,1]$). Relation (\ref{eq:MN})
347: then provides $\gamma M\equiv{\rm min}\{\gamma_A,\gamma_B,\gamma_D\}
348: M$ decryption equations (\ref{eq:sparse-part}) based on sparse
349: matrices. To analyze the attack we will thus from now on assume that a
350: block $(\gamma M\times M)$ of all matrices is known to the
351: unauthorized user with $\gamma\in[0,1]$. In this case, the products
352: $\sum_{j=1}^MB_{ij}r_j$ for $i=1,\ldots,\gamma M$ can be taken and the
353: unauthorized user will arrive at the following decryption problem:
354: \begin{eqnarray}
355: {\rm private:}
356: &
357: (\hat{A}\bsigma)_i+(\hat{B}\btau)_i=(\hat{A}\bxi)_i+(\hat{B}\bzeta)_i
358: &
359: {\rm for\ rows}\ i=1,\ldots,\gamma M
360: \label{eq:sparse-part}
361: \\
362: {\rm public:}
363: &
364: (G\bsigma)_i+(\bI\btau)_i=(G\bxi)_i+(\bI\bzeta)_i
365: &
366: {\rm for\ rows}\ i=1,\ldots,M
367: \label{eq:dense-part}
368: \end{eqnarray}
369: %
370: where we absorbed the matrix $D$ using $\bsigma\to D\bsigma$ and
$\bxi\to D \bxi$; in practice, after decryption, one will have to
apply the inverse matrix $D^{-1}$ to obtain the original
plaintext. All solutions $\bsigma$ and $\btau$ will have to
374: simultaneously satisfy (\ref{eq:sparse-part}) and
375: (\ref{eq:dense-part}). The matrices $\hat{A}$ and $\hat{B}$ will
376: be described by $K$ and $L$ non-zero elements per row. The average
377: number of known non-zero elements per column in $\hat{A}$ and
378: $\hat{B}$ will be denoted $\CB$ and $\LB$, respectively. Since
379: $\gamma$ is the probability of selecting a non-zero element in the
380: known part of the private key it follows that $\CB=\gamma C$
381: and $\LB=\gamma L$. For all columns $j=1,\ldots,M$ we will denote
382: the number of non-zero elements in $\hat{A}$ and $\hat{B}$ by the
random variables $\tilde{C}_j(=\sum_{i=1}^{\gamma M}\hat{A}_{ij})$
and $\tilde{L}_j(=\sum_{i=1}^{\gamma M}\hat{B}_{ij})$ which are
385: described by the distributions:
386: \begin{eqnarray}
387: P(\tilde{C}_j;C)= & \left(\!\begin{array}{c} C \\ \tilde{C}_j
388: \end{array}\!\right)\ \gamma^{\tilde{C}_j}\
389: (1-\gamma)^{C-\tilde{C}_j} & \hspace{3mm} \tilde{C}_j=0,\ldots,C
390: \label{eq:prob_C}
391: \\
392: P(\tilde{L}_j;L)= & \left(\!\begin{array}{c} L \\ \tilde{L}_j
393: \end{array}\!\right)\ \gamma^{\tilde{L}_j}\
394: (1-\gamma)^{L-\tilde{L}_j} & \hspace{3mm} \tilde{L}_j=0,\ldots,L
395: \label{eq:prob_L}
396: \end{eqnarray}
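The following block is an added worked example, not code from the paper or its authors. It implements, in pure Python over GF(2), the cryptosystem of the previous section (sparse regular $A$ and $B$, dense invertible $D$, public key $G=B^{-1}AD$, encryption $\br=G\bxi+\bzeta$) and checks the authorized-user relation $B\br=AD\bxi+B\bzeta$ that underlies (\ref{eq:MN}); it then checks the partial-knowledge model of this section by leaking rows of $B$ and comparing the per-column counts $\tilde{L}_j$ with the binomial law (\ref{eq:prob_L}). Assumptions not taken from the paper: the regular matrices are drawn with a configuration-model construction; rows are leaked independently with probability $\gamma$ (so that $\tilde{L}_j$ is exactly binomial, with mean $\LB=\gamma L$), rather than as a fixed block of $\gamma M$ rows; since $A$ is $M\times N$, $D$ is taken as $N\times N$ so that $AD$ and $D\bxi$ are defined; all matrix sizes and the seed are constructed for the demonstration.

```python
import random
from math import comb

# Arithmetic is over GF(2): vectors and matrices hold 0/1 ints, addition is XOR.

def matvec_gf2(X, v):
    """X v (mod 2)."""
    return [sum(a * b for a, b in zip(row, v)) % 2 for row in X]

def matmul_gf2(X, Y):
    """X Y (mod 2)."""
    cols = list(zip(*Y))
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in cols] for row in X]

def inverse_gf2(X):
    """Gauss-Jordan inverse over GF(2); None when X is singular."""
    n = len(X)
    aug = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(X)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def regular_sparse(rows, cols, per_row, per_col, rng):
    """0/1 matrix with exactly per_row ones per row and per_col ones per column
    (configuration model, an assumption of this example; resampled on collisions)."""
    assert rows * per_row == cols * per_col, "row and column weights must balance"
    while True:
        stubs = [j for j in range(cols) for _ in range(per_col)]
        rng.shuffle(stubs)
        mat = [[0] * cols for _ in range(rows)]
        for idx, j in enumerate(stubs):
            if mat[idx // per_row][j]:        # a repeated pair would cancel mod 2
                break
            mat[idx // per_row][j] = 1
        else:
            return mat

def keygen(N, M, K, C, L, rng):
    """Private key (A, B, D) and public key G = B^{-1} A D (mod 2)."""
    A = regular_sparse(M, N, K, C, rng)
    while True:                                # B must be invertible mod 2
        B = regular_sparse(M, M, L, L, rng)
        B_inv = inverse_gf2(B)
        if B_inv is not None:
            break
    while True:                                # dense invertible D (N x N here)
        D = [[rng.randint(0, 1) for _ in range(N)] for _ in range(N)]
        if inverse_gf2(D) is not None:
            break
    return A, B, D, matmul_gf2(B_inv, matmul_gf2(A, D))

def encrypt(G, xi, p, rng):
    """Ciphertext r = G xi + zeta (mod 2), each zeta_i = 1 with probability p."""
    zeta = [int(rng.random() < p) for _ in range(len(G))]
    return [(g + z) % 2 for g, z in zip(matvec_gf2(G, xi), zeta)], zeta

def syndrome_identity_holds(A, B, D, r, xi, zeta):
    """Authorized-user relation B r = A (D xi) + B zeta (mod 2)."""
    rhs = [(a + b) % 2 for a, b in
           zip(matvec_gf2(A, matvec_gf2(D, xi)), matvec_gf2(B, zeta))]
    return matvec_gf2(B, r) == rhs

def known_column_weights(B, gamma, rng):
    """Leak each row of B independently with probability gamma (assumed model)
    and return the known non-zero count of every column."""
    leaked = [rng.random() < gamma for _ in B]
    return [sum(B[i][j] for i in range(len(B)) if leaked[i]) for j in range(len(B[0]))]

def binomial_pmf(l_tilde, L, gamma):
    """Binomial law for the known per-column weight: L trials, success rate gamma."""
    return comb(L, l_tilde) * gamma ** l_tilde * (1 - gamma) ** (L - l_tilde)

def run_demo(seed=2024, N=6, M=9, K=2, C=3, L=3, p=0.1, gamma=0.5, trials=2000):
    """Constructed sizes (M K = N C must hold); returns the checks as a dict."""
    rng = random.Random(seed)
    A, B, D, G = keygen(N, M, K, C, L, rng)
    xi = [rng.randint(0, 1) for _ in range(N)]          # constructed plaintext
    r, zeta = encrypt(G, xi, p, rng)
    counts = [0] * (L + 1)                               # empirical P(L~_j)
    for _ in range(trials):
        for w in known_column_weights(B, gamma, rng):
            counts[w] += 1
    return {"identity": syndrome_identity_holds(A, B, D, r, xi, zeta),
            "row_weights_A": sorted({sum(row) for row in A}),
            "col_weights_A": sorted({sum(col) for col in zip(*A)}),
            "empirical": [c / (trials * M) for c in counts],
            "binomial": [binomial_pmf(l, L, gamma) for l in range(L + 1)]}

if __name__ == "__main__":
    print(run_demo())
```

The returned dictionary reports whether $B\br$ equals $AD\bxi+B\bzeta$ for the sampled key and plaintext, the row and column weights of $A$ (which should be $\{K\}$ and $\{C\}$), and the empirical versus binomial distribution of the known per-column weights; the empirical mean approaches $\gamma L$, the quantity denoted $\LB$ in the text.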
397:
398:
399: To facilitate the statistical mechanical description we will now
400: replace the field $\{0,1;+{\rm (mod\ 2)}\}$ by the more familiar
401: Ising spin representation~\cite{sourlas} $\{-1,1;\times\}$. Equations
402: (\ref{eq:sparse-part}) and (\ref{eq:dense-part}) will also be
403: modified: From the matrices $\hat{A},\hat{B}$ and $G,\bI$ we
404: construct the binary tensors $\mcA=\{\mcA_{\bra i_1\cdots
405: i_K;j_1\cdots j_L\ket};1\leq i_1<\cdots<i_K\leq N, 1\leq
406: j_1<\cdots<j_L\leq M\}$ and $\mcG=\{\mcG_{\bra i_1\cdots
407: i_{K^\prime};j\ket}; 1\leq i_1<\cdots<i_{K^\prime}\leq N, 1\leq
408: j\leq M\}$. The elements of these tensors are $\mcA_{\bra
409: i_1\ldots i_K;j_1\ldots j_L\ket}=1$ if $\hat{A}$ and $\hat{B}$
410: have respectively a row in which the elements $\{i_1,\ldots,i_K\}$
411: and $\{j_1,\ldots,j_L\}$ are all 1 and 0 otherwise. Similarly,
412: $\mcG_{\bra i_1\ldots i_{K^\prime};j\ket}=1$ if $G$ and $\bI$ have
413: respectively a row in which the elements
414: $\{i_1,\cdots,i_{K^\prime}\}$ and $\{j\}$ are all 1 and 0
415: otherwise. The notation we used to indicate tensor elements, $\bra
416: i_1\ldots i_K\ket$, denotes that the sites $i_1,\ldots,i_K$ are
417: ordered and different.
418:
The requirement that the numbers of non-zero elements per column
in $\hat{A},\hat{B}$ and $G,\bI$ are $\tilde{C}_i, \tilde{L}_i$
and $C^\prime, 1$, respectively, for all columns,
is imposed by the constraints:
423: \begin{eqnarray}
424: \sum_{i_2\cdots i_K;j_1\cdots j_L}
425: \mcA_{\bra i_1\cdots i_K;j_1\cdots j_L\ket}=\tilde{C}_{i_1}
426: &&
\forall i_1=1,\cdots,N
428: \label{eq:mcA1}
429: \\
430: \sum_{i_1\cdots i_K;j_2\cdots j_L}
431: \mcA_{\bra i_1\cdots i_K;j_1\cdots j_L\ket}=\tilde{L}_{j_1}
432: &&
433: \forall j_1=1,\cdots,M
434: \\
435: \sum_{i_2\cdots i_{K^\prime};j}
436: \mcG_{\bra i_1\cdots i_{K^\prime};j\ket}=C^\prime
437: &&
\forall i_1=1,\cdots,N
439: \\
440: \sum_{i_1\cdots i_{K^\prime}} \mcG_{\bra i_1\cdots
441: i_{K^\prime};j\ket}=1 && \forall j=1,\cdots,M \label{eq:mcG2}
442: \end{eqnarray}
443: To compress notation in what follows we will denote the set of
444: indices involved in the tensors $\mcA$ and $\mcG$ by $\LK=\bra
445: i_1\cdots i_K\ket$ and $\OL=\bra j_1\cdots j_L\ket$.
446:
447: For the system described in
448: (\ref{eq:sparse-part}-\ref{eq:dense-part}) the microscopic state
449: probability $P(\bsigma,\btau)$ can be written as
450: \begin{equation}
451: P(\bsigma,\btau| \bxi,\bzeta, \mcA, \mcG)=\frac1Z\
452: \left[\Delta(\bsigma,\btau; \bxi,\bzeta, \mcA)\
453: \Delta(\bsigma,\btau;\bxi,\bzeta,\mcG)\
454: \Phi(\bsigma; \bxi)\
455: \Phi(\btau; \bzeta)\right]\ e^{-\beta H(\bsigma,\btau)}
456: \label{eq:state_prob}
457: \end{equation}
458: (notice that the dependence on $\bxi,\bzeta$ is not explicit, but
459: through the received vector $\br$) where $Z$ is the partition
460: function and $H(\bsigma,\btau)$ the energy:
461: \begin{equation}
462: H(\bsigma,\btau)=-F_{\sigma}\sum_{i=1}^N\s_i-F_{\tau}\sum_{j=1}^M\tau_j
463: \label{eq:hamiltonian}
464: \end{equation}
465: with $F_{\sigma}=\frac12\log\frac{1-p_{\sigma}}{p_{\sigma}}$ and
466: $F_{\tau}=\frac12\log\frac{1-p_{\tau}}{p_{\tau}}$. The fields
467: $F_{\sigma}$ and $F_{\tau}$ represent prior knowledge of the
468: statistics from which the plaintext and the corrupting vector are
469: drawn, such that
470: \begin{equation}
471: P(\xi_i)=(1-p_{\sigma})\delta_{\xi_i,1}+p_{\sigma}\delta_{\xi_i,-1}
472: \hspace{10mm} p_{\sigma}\in[0,1] \label{eq:prob_xi}
473: \end{equation}
474: \begin{equation}
475: P(\zeta_j)=(1-p_{\tau})\delta_{\zeta_j,1}+p_{\tau}\delta_{\zeta_j,-1}
476: \hspace{10mm} p_{\tau}\in[0,1] \label{eq:prob_zeta}
477: \end{equation}
478: The indicator functions $\Delta(\bsigma,\btau;\bxi,\bzeta,\mcA)$ and
479: $\Delta(\bsigma,\btau;\bxi,\bzeta,\mcG)$ restrict the space of solutions
480: $\bsigma\in\{-1,1\}^N$ and $\btau\in\{-1,1\}^M$ to those that obey
481: equations (\ref{eq:sparse-part}) and (\ref{eq:dense-part}):
482: \begin{eqnarray}
483: \Delta(\bsigma,\btau; \bxi,\bzeta,\mcA)
484: &=&
485: \prod_{\LK\OL}\left[1+\frac12 \mcA_{\LK\OL}(\prod_{i\in\LK}\s_i\xi_i
486: \prod_{j\in\OL}\tau_j\zeta_j-1)\right]
487: \label{eq:Delta_A}
488: \\
489: \Delta(\bsigma,\btau; \bxi,\bzeta, \mcG)
490: &=&
491: \prod_{\LKP\OLP}\left[1+\frac12 \mcG_{\LKP\OLP}(\prod_{i\in\LKP}\s_i\xi_i
492: \prod_{j\in\OLP}\tau_j\zeta_j-1)\right]
493: \label{eq:Delta_G}
494: \end{eqnarray}
495: and finally the terms $\Phi(\cdots)\in\{0,1\}$ correspond to
496: \begin{eqnarray}
497: \Phi(\bsigma; \bxi)
498: &=&
499: \prod_{i=1}^N\left[(1-c_i)+c_i\delta_{\sigma_i,\xi_i}\right]
500: \\
501: \Phi(\btau; \bzeta)&=&
502: \prod_{i=1}^M\left[(1-d_i)+d_i\delta_{\tau_i,\zeta_i}\right]
503: \end{eqnarray}
504: where the quenched variables $c_i,d_j\in\{0,1\}$ model prior knowledge
505: of bits of the plaintext and the corrupting vector such that
506: if for some $i$ the plaintext bit $\xi_i$ is known
507: then the thermal variable $\s_i$ takes the quenched plaintext value
508: (and similarly for the corruption vector $\zeta_j$ and $\tau_j$).
509: For the distribution of $c_i$ and $d_j$ we will consider
510: \begin{equation}
511: P(c_i)=w_{\sigma}\,\delta_{c_i,1}+(1-w_{\sigma})\,\delta_{c_i,0}
512: \hspace{10mm} w_{\sigma}\in[0,1] \label{eq:prob_wp}
513: \end{equation}
514: \begin{equation}
515: P(d_j)=w_{\tau}\,\delta_{d_j,1}+(1-w_{\tau})\,\delta_{d_j,0}
516: \hspace{10mm} w_{\tau}\in[0,1] \label{eq:prob_wc}
517: \end{equation}
518: The system described by (\ref{eq:state_prob}) represents a set of
519: variables interacting via multi-spin ferromagnetic couplings of
520: finite connectivity, represented by a combination of matrices, in
521: the presence of the random fields $\xi_iF_{\sigma}$ and
522: $\zeta_jF_{\tau}$. At $\beta=1$ (which corresponds to the
523: Nishimori temperature \cite{nishimori}) we will evaluate the free
524: energy per plaintext bit
525: \begin{equation}
526: f=-\lim_{N\to\infty}\frac{1}{\beta N}\left\bra \log
527: Z\right\ket_{\Gamma}
528: \end{equation}
529: The macroscopic observable we are interested in calculating is the
530: overlap $m=\lim_{N\to\infty}\frac1N\sum_i\xi_i\hat{\xi}_i$ between
531: the plaintext and the Bayes Marginal Posterior Maximizer (MPM)
532: estimate of the plaintext $\hat{\xi}_i\equiv{\rm
533: sign}\sum_{\s_i=\pm}\s_i\ p(\s_i|\br)$ where $p(\s_i|\br)$ is the
534: microscopic state probability (\ref{eq:state_prob}). Disorder
535: averages $\langle \rangle_{\Gamma}$ are taken over the probability
536: distributions
537: (\ref{eq:prob_xi},\ref{eq:prob_zeta},\ref{eq:prob_wp},\ref{eq:prob_wc})
538: and over the distribution of the tensors $\mcA$ and $\mcG$ obeying
the constraints (\ref{eq:mcA1}-\ref{eq:mcG2}):
540: \begin{eqnarray}
541: \left\bra \mc{F}\left(\mcA\right)\right\ket_{\mcA,\{\tilde{C}_i,\tilde{L}_i\}}
542: \nonumber
543: &=&
544: \frac{1}{\mathcal{N}}
545: \sum_{\{\mcA_{\LK\OL}\}}
546: \prod_{i=1}^N\left\bra
547: \delta\left[\sum_{\LK\OL/i\in\LK}\mcA_{\LK\OL}-\tilde{C}_{i}\right]\right\ket_{P(\tilde{C}_{i})}
548: \nonumber
549: \\
550: &&
551: \hspace{16mm}
552: \times\
553: \prod_{j=1}^M
554: \left\bra\delta\left[\sum_{\LK\OL/j\in\OL}\mcA_{\LK\OL}-\tilde{L}_{j}\right]
555: \right\ket_{P(\tilde{L}_{j})} \mc{F}(\mcA)
556: \label{eq:mcA}
557: \\
558: \left\bra \mc{F}\left(\mcG\right)\right\ket_{\mcG}
559: &=&
560: \frac{1}{\mathcal{N}^\prime}
561: \sum_{\{\mcG_{\LKP\OLP}\}}
562: \prod_{i=1}^N
\delta\left[\sum_{\LKP\OLP/i\in\LKP}\mcG_{\LKP\OLP}-C^\prime\right]\
564: \nonumber
565: \\
566: &&
567: \hspace{16mm}
568: \times\
569: \prod_{j=1}^M
\delta\left[\sum_{\LKP\OLP/j\in\OLP}\mcG_{\LKP\OLP}-1\right]
571: \mc{F}(\mcG)
572: \label{eq:mcG}
573: \end{eqnarray}
574: where $\mc{N}$ and $\mc{N}^\prime$ are the corresponding normalisation constants.
575:
576: The parameters $w_{\sigma},w_{\tau},F_{\sigma},F_{\tau}$ and
577: $\gamma$ describe the attack characteristics.
578:
579:
580: %--------------------------------------------------------------------%
581: \section{The Free Energy and Decryption Observables}\label{sec:analysis}
582: %--------------------------------------------------------------------%
583:
584: The calculation generally follows that of~\cite{kabashima,MKSV}.
585: To perform the various disorder averages we begin by invoking the
586: replica identity $\bra \log Z\ket=\lim_{n\to 0}\frac1n\log \bra
587: Z^n\ket$ and making the gauge transformations $\s_i\to\s_i\xi_i$,
588: $\tau_i\to\tau_i\zeta_i$,
589: $\mcA_{\LK\OL}\to\mcA_{\LK\OL}\prod_{i\in\LK}\xi_i\prod_{j\in\OL}\zeta_j$
590: and
591: $\mcG_{\LKP\OLP}\to\mcG_{\LKP\OLP}\prod_{i\in\LKP}\xi_i\prod_{j\in\OLP}\zeta_j$.
592: This will allow us to disentangle the variables $\{\xi,\zeta\}$
593: from expressions involving the tensors $\mcA$ and $\mcG$ in
594: (\ref{eq:Delta_A},\ref{eq:Delta_G}). Replacing the $\delta$
595: functions in (\ref{eq:mcA},\ref{eq:mcG}) by their integral
596: representations allows us to perform the tensor summations,
597: leading to:
598: \begin{eqnarray}
\lefteqn{\left\bra\, \Delta_{\mcA}(\bsigma,\btau)\,\Delta_{\mcG}(\bsigma,\btau)\,\right\ket}
600: \nonumber
601: \\
602: &&
603: =\frac{1}{\mc{N}\mc{N}^\prime}
604: \oint\frac{\prod_{i=1}^NdZ_idX_i}{(2\pi)^{2N}}\
605: \oint\frac{\prod_{j=1}^MdY_jdV_j}{(2\pi)^{2M}}
606: \nonumber
607: \\
608: & & \times\ \prod_{i=1}^N \left\bra Z_i^{-(\tilde{C}_i+1)}
609: X_i^{-(C^\prime+1)}\right\ket_{P(\tilde{C}_i)}\ \prod_{j=1}^M
610: \left\bra Y_j^{-(\tilde{L}_j+1)} V_j^{-2}
611: \right\ket_{P(\tilde{L}_j)}
612: \nonumber
613: \\
614: & &
615: \times\
616: e^{(\frac12)^n\sum_{m=0}^n\sum_{\bra \alpha_1\cdots\alpha_m\ket}
617: \frac{1}{K!}\left(\sum_{i=1}^NZ_i\s_i^{\alpha_1}\cdots\s_i^{\alpha_m}\right)^K
618: \frac{1}{L!}\left(\sum_{j=1}^MY_j\tau_j^{\alpha_1}\cdots\tau_j^{\alpha_m}\right)^L}
619: \nonumber
620: \\
621: & &
622: \times\
623: e^{(\frac12)^n\sum_{m=0}^n\sum_{\bra \alpha_1\cdots\alpha_m\ket}
624: \frac{1}{K^\prime!}\left(\sum_{i=1}^N X_i\s_i^{\alpha_1}\cdots\s_i^{\alpha_m}\right)^{K^\prime}
625: \left(\sum_{j=1}^M V_j\tau_j^{\alpha_1}\cdots\tau_j^{\alpha_m}\right)}
626: \label{eq:tensor_av1}
627: \end{eqnarray}
628: In the above expression we can now identify the following order parameters
629: \begin{equation}
630: q_{\alpha_1\cdots\alpha_m}=\sum_{i=1}^NZ_i\s_i^{\alpha_1}\cdots \s_i^{\alpha_m}
631: \hspace{10mm}
632: r_{\alpha_1\cdots\alpha_m}=\sum_{i=1}^NX_i\s_i^{\alpha_1}\cdots \s_i^{\alpha_m}
633: \end{equation}
634: \begin{equation}
635: t_{\alpha_1\cdots\alpha_m}=\sum_{j=1}^MY_j\tau_j^{\alpha_1}\cdots \tau_j^{\alpha_m}
636: \hspace{10mm}
637: u_{\alpha_1\cdots\alpha_m}=\sum_{j=1}^MV_j\tau_j^{\alpha_1}\cdots \tau_j^{\alpha_m}
638: \end{equation}
639: which we insert in (\ref{eq:tensor_av1}) via suitably defined
640: $\delta$ functions (giving rise to the Lagrange multipliers
641: $\hat{q}_{\alpha_1\cdots\alpha_m}$,
$\hat{r}_{\alpha_1\cdots\alpha_m}$,
643: $\hat{t}_{\alpha_1\cdots\alpha_m}$ and
644: $\hat{u}_{\alpha_1\cdots\alpha_m}$). To proceed with the
645: calculation one needs to assume a certain order parameter symmetry
646: for the above quantities and their conjugates for all $m>1$. The
647: simplest such assumption renders all replica $m$-tuples equivalent
648: and all order parameters within this replica symmetric scheme need
only depend on the number $m$. This symmetry can be implemented by the
650: introduction of suitably defined distributions, the moments of
651: which completely define the $m$-index order parameters
652: \begin{equation}
653: q_{\alpha_1\cdots\alpha_m}=q\int dx\ \pi(x)\ x^m
654: \hspace{10mm}
655: \hat{q}_{\alpha_1\cdots\alpha_m}=\hat{q}\int dx\ \hat{\pi}(x)\ x^m
656: \label{eq:pi}
657: \end{equation}
658: \begin{equation}
659: r_{\alpha_1\cdots\alpha_m}=r\int dy\ \rho(y)\ y^m
660: \hspace{10mm}
661: \hat{r}_{\alpha_1\cdots\alpha_m}=\hat{r}\int dy\ \hat{\rho}(y)\ y^m
662: \end{equation}
663: \begin{equation}
664: t_{\alpha_1\cdots\alpha_m}=t\int dx\ \phi(x)\ x^m
665: \hspace{10mm}
666: \hat{t}_{\alpha_1\cdots\alpha_m}=\hat{t}\int dx\ \hat{\phi}(x)\ x^m
667: \end{equation}
668: \begin{equation}
669: u_{\alpha_1\cdots\alpha_m}=u\int dy\ \psi(y)\ y^m
670: \hspace{10mm}
671: \hat{u}_{\alpha_1\cdots\alpha_m}=\hat{u}\int dy\ \hat{\psi}(y)\ y^m
672: \label{eq:psi}
673: \end{equation}
674: where all integrals are over the interval $[-1,1]$. The Nishimori
675: condition ($\beta=1$), which corresponds to MPM decoding~\cite{iba},
676: also ensures that this simplest replica-symmetric scheme is sufficient
677: to describe the thermodynamically dominant
678: state~\cite{nishimori,NS}. Furthermore, it is worthwhile mentioning
679: that extending the replica symmetric calculation to include the
680: one-step replica symmetry breaking ansatz is unlikely to modify the
681: location of the transition points identified under the
682: replica-symmetric ansatz, as has been recently shown in a similar
683: system~\cite{franz}. Using the above ansatz we perform the contour
684: integrals in (\ref{eq:tensor_av1}), and trace over the spin variables;
685: then, in the limit $n\to 0$ we obtain:
686: \begin{eqnarray}
687: \label{eq:free_energy}
688: -\beta f
689: &=&
690: {\rm Extr}\left\{
691: -\CB J_{1a}[\pi,\hat{\pi}]-\frac{\CB L}{K}J_{1b}[\rho,\hat{\rho}]
692: -C^\prime J_{1c}[\phi,\hat{\phi}]-\frac{C^\prime }{K^\prime}J_{1d}[\psi,\hat{\psi}]
693: \right.
694: \\
695: &&
696: \left.
697: +\frac{\CB}{K}J_{2a}[\pi,\rho]+\frac{C^\prime}{K^\prime}J_{2b}[\phi,\psi]+J_{3a}[\hat{\pi},\hat{\phi}]
698: +\frac{\CB}{K}\frac{L}{\LB}J_{3b}[\hat{\rho},\hat{\psi}]\right\}
699: -\left(\frac{\CB}{K}+\frac{C^\prime}{K^\prime}\right)\log 2
700: \nonumber
701: \end{eqnarray}
702: where the extremization is taken over the distributions defined in
703: (\ref{eq:pi}-\ref{eq:psi}) and the various integrals
704: $J_{\star\star}$ are given by
705: \begin{equation}
706: J_{1a}[\pi,\hat{\pi}]=\int dxd\hat{x}\ \pi(x)\hat{\pi}(\hat{x})\ \log(1+x\hat{x})
707: \hspace{10mm}
708: J_{1b}[\rho,\hat{\rho}]=\int dyd\hat{y}\ \rho(y)\hat{\rho}(\hat{y})\ \log(1+y\hat{y})
709: \label{eq:J1a}
710: \end{equation}
711: \begin{equation}
712: J_{1c}[\phi,\hat{\phi}]=\int dxd\hat{x}\ \phi(x)\hat{\phi}(\hat{x})\ \log(1+x\hat{x})
713: \hspace{10mm}
714: J_{1d}[\psi,\hat{\psi}]=\int dyd\hat{y}\ \psi(y)\hat{\psi}(\hat{y})\ \log(1+y\hat{y})
715: \label{eq:J1c}
716: \end{equation}
717: \begin{equation}
718: J_{2a}[\pi,\rho]=\int [\prod_{k=1}^Kdx_k\ \pi(x_k) \prod_{\ell=1}^Ldy_\ell\ \rho(y_\ell)]\
719: \log(1+\prod_k x_k\prod_\ell y_\ell)
720: \label{eq:J2a}
721: \end{equation}
722: \begin{equation}
723: J_{2b}[\phi,\psi] = \int dy\ \psi(y)\ [\prod_{k=1}^{K^\prime}dx_k\ \phi(x_k)]\
724: \log(1+y\prod_k x_k)
725: \label{eq:J2b}
726: \end{equation}
727: \begin{eqnarray}
728: \lefteqn{J_{3a}[\hat{\pi},\hat{\phi}]
729: =
730: \int \prod_{c'=1}^{C^\prime}
731: d\hat{\phi}(y_{c'})\left\{(1-\gamma)^C\left\bra\log \sum_{\lambda=\pm}[(1-c)+c\delta_{\lambda,1}]e^{\beta F_{\sigma}\xi
732: \lambda}\prod_{c'}(1+y_{c'}\lambda)\right\ket_{c,\xi}\right.}
733: \nonumber
734: \\
735: & & \left. +\left\bra \int
736: [\prod_{c=1}^{\tilde{C}}d\hat{\pi}(x_c)] \left\bra\log
737: \sum_{\lambda=\pm}[(1-c)+c\delta_{\lambda,1}]e^{\beta F_{\sigma}\xi \s}
738: \prod_{c}(1+x_c\lambda)\prod_{c'}(1+y_{c'}\lambda)\right\ket_{c,\xi}\right\ket_{\tilde{C}}\right\}
739: \label{eq:J3a}
740: \end{eqnarray}
741: \begin{eqnarray}
742: \lefteqn{J_{3b}[\hat{\rho},\hat{\psi}] =\int dy~\hat{\psi}(y)\
743: \left\{(1-\gamma)^L
744: \left\bra\log \sum_{\lambda=\pm}[(1-d)+d\delta_{\lambda,1}]
745: e^{\beta F_{\tau}\zeta \lambda}(1+y\lambda)\right\ket_{d,\zeta}\right.}
746: \nonumber
747: \\
748: & &
749: \left.
750: +\left\bra\int[\prod_{\ell=1}^{\tilde{L}}d\hat{\rho}(x_\ell)]
751: \left\bra\log \sum_{\lambda=\pm}[(1-d)+d\delta_{\lambda,1}]
752: e^{\beta F_{\tau}\zeta \lambda}
753: \prod_{\ell}(1+x_\ell\lambda)(1+y\lambda)\right\ket_{d,\zeta}\right\ket_{\tilde{L}}\right\}
754: \label{eq:J3b}
755: \end{eqnarray}
756: where
757: \begin{equation}
758: \CB=\sum_{\tilde{C}=0}^C P(\tilde{C};C)\ \tilde{C} \hspace{10mm}
759: \LB=\sum_{\tilde{L}=0}^L P(\tilde{L};L)\ \tilde{L}
760: \end{equation}
761: Averages denoted $\bra \cdots \ket_{\tilde{C}}$ and $\bra \cdots
762: \ket_{\tilde{L}}$ are over the densities (\ref{eq:prob_C}) and
763: (\ref{eq:prob_L}) with $\tilde{C}=1,\ldots,C$ and $\tilde{L}=1,\ldots,L$.
764: Functional differentiation of (\ref{eq:free_energy}) with
765: respect to the densities of (\ref{eq:pi}-\ref{eq:psi}) results in
766: the following saddle point equations:
767: \begin{eqnarray}
768: \hat{\pi}(\hat{x})
769: &=&
770: \int[\prod_{k=1}^{K-1}dx_k\pi(x_k)\prod_{l=1}^{L}dy_l\rho(y_l)]\
771: \delta\left[\hat{x}-\prod_{k=1}^{K-1}x_k\prod_{l=1}^Ly_l\right]
772: \label{eq:saddle_pihat}
773: \\
774: \hat{\rho}(\hat{y})
775: &=&
776: \int[\prod_{k=1}^{K}dx_k\pi(x_k)\prod_{l=1}^{L-1}dy_l\rho(y_l)]\
777: \delta\left[\hat{y}-\prod_{k=1}^{K}x_k\prod_{l=1}^{L-1}y_l\right]
778: \\
779: \hat{\phi}(\hat{x})
780: &=&
781: \int dy\psi(y)\ [\prod_{k=1}^{K^\prime-1}dx_k\phi(x_k)]\
782: \delta\left[\hat{x}-y\prod_{k=1}^{K^\prime-1}x_k\right]
783: \\
784: \hat{\psi}(\hat{y})
785: &=&
786: \int[\prod_{k=1}^{K^\prime}dx_k\phi(x_k)]\
787: \delta\left[\hat{y}-\prod_{k=1}^{K^\prime}x_k\right]
788: \end{eqnarray}
789: and
790:
791: \begin{eqnarray}
792: \lefteqn{\pi(x)=w_{\sigma}\ \delta[x-1]} \label{eq:saddle_pi}
793: \\
794: & & +\frac{(1-w_{\sigma})}{\CB}\left\bra\tilde{C} \int[
795: \prod_{c'=1}^{C^\prime}d\hat{\phi}(\hat{y}_{c'})
796: \prod_{c=1}^{\tilde{C}-1}d\hat{\pi}(\hat{x}_c)]
797: \left\bra
798: \delta\left(x-\tanh[\beta F_{\sigma}\xi+\sum_{c=1}^{\tilde{C}-1}\atanh(\hat{x}_c)
799: +\sum_{c'=1}^{C^\prime}\atanh(\hat{y}_{c'})]\right)\right\ket_\xi
800: \right\ket_{\tilde{C}}
801: \nonumber
802: \\
803: & &
804: \nonumber
805: \\
806: \lefteqn{\rho(x)=w_{\tau}\ \delta[x-1]} \label{eq:saddle_rho}
807: \\
808: & & +\frac{(1-w_{\tau})}{\LB} \left\bra\tilde{L}\int
809: d\hat{\psi}(\hat{y})\
[\prod_{l=1}^{\tilde{L}-1}d\hat{\rho}(\hat{x}_l)]
811: \left\bra \delta\left(x-\tanh[\beta F_{\tau}\zeta+\sum_{l=1}^{\tilde{L}-1}\atanh(\hat{x}_l)
812: +\atanh(\hat{y})]\right)\right\ket_\zeta
813: \right\ket_{\tilde{L}}
814: \nonumber
815: \\
816: & &
817: \nonumber
818: \\
819: \lefteqn{\phi(x)=w_{\sigma}\ \delta[x-1]} \label{eq:saddle_phi}
820: \\
821: & &
+(1-w_{\sigma})\int\prod_{c'=1}^{C^\prime-1}d\hat{\phi}(\hat{y}_{c'})
823: \left\{(1-\gamma)^C\left\bra \delta\left(x-\tanh[\beta F_{\sigma}\xi+
824: \sum_{c'=1}^{C^\prime-1}\atanh(\hat{y}_{c'})]\right)\right\ket_\xi\right.
825: \nonumber
826: \\
827: & &
828: \left.
829: +\left\bra
830: \int[\prod_{c=1}^{\tilde{C}}d\hat{\pi}(\hat{x}_c)]
831: \left\bra \delta\left(x-\tanh[\beta F_{\sigma}\xi+\sum_{c=1}^{\tilde{C}}\atanh(\hat{x}_c)
832: +\sum_{c'=1}^{C^\prime-1}\atanh(\hat{y}_{c'})]\right)\right\ket_\xi
833: \right\ket_{\tilde{C}}\right\}
834: \nonumber
835: \\
836: & &
837: \nonumber
838: \\
839: \lefteqn{\psi(x)=w_{\tau}\ \delta[x-1]} \label{eq:saddle_psi}
840: \\
841: & & +(1-w_{\tau})\left\{(1-\gamma)^L\left\bra\delta[x-\tanh(\beta
842: F_{\tau}\zeta)]\right\ket_{\zeta} +\left\bra
843: \int[\prod_{l=1}^{\tilde{L}}d\hat{\rho}(\hat{x}_l)]
844: \left\bra \delta\left(x-\tanh[\beta F_{\tau}\zeta+\sum_{l=1}^{\tilde{L}}\atanh(\hat{x}_l)]\right)\right\ket_\zeta
845: \right\ket_{\tilde{L}}\right\}
846: \nonumber
847: \end{eqnarray}
848: In general, the coupled set of equations
849: (\ref{eq:saddle_pihat})-(\ref{eq:saddle_psi}) are to be solved
850: numerically. Among the set of $\bsigma$ that satisfy equations
851: (\ref{eq:sparse-part}) and (\ref{eq:dense-part}) we choose the MPM
852: estimate of the plaintext $\hat{\xi}_i={\rm
853: sign}\sum_{\s_i=\pm}\s_i\ p(\s_i|\br)={\rm sign}\bra\s_i\ket$
854: (thermal average) by using Nishimori's condition (or
855: $\beta=1$)~\cite{nishimori}. Then, the overlap
856: $m=\lim_{N\to\infty}\frac1N\sum_i\xi_i\hat{\xi}_i$ becomes
857: \begin{eqnarray}
858: m &=& w_{\sigma}+(1-w_{\sigma})\int dh\ P(h)\ {\rm sign} (h)
859: \label{eq:overlap}
860: \\
P(h) & = & \int [\prod_{c'=1}^{C^\prime}d\hat{\phi}(\hat{y}_{c'})]
\left\{ (1-\gamma)^C\left\bra\delta\left(h-\tanh[\beta
F_{\sigma}\xi+
\sum_{c'=1}^{C^\prime}\atanh(\hat{y}_{c'})]\right)\right\ket_{\xi}\right.
\nonumber
\\
& & +\left.
\left\bra\int[\prod_{c=1}^{\tilde{C}}d\hat{\pi}(\hat{x}_c)]
\left\bra\delta\left(h-\tanh[\beta
F_{\sigma}\xi+\sum_{c=1}^{\tilde{C}}\atanh(\hat{x}_c)
+\sum_{c'=1}^{C^\prime}\atanh(\hat{y}_{c'})]\right)\right\ket_{\xi}\right\ket_{\tilde{C}}\right\}
872: \end{eqnarray}
873: from which it can be seen that the perfect (ferromagnetic)
874: solution $m=1$ is achieved when $w_{\sigma}=1$ (complete knowledge
875: of the solution) or when $\hat{\phi}(x)=\delta[x-1]$. This also
876: implies that all densities involved in (\ref{eq:free_energy})
877: $\lambda(x)=\{\pi(x),\ldots,\hat{\psi}(x)\}$ acquire the form
878: $\lambda(x)=\delta[x-1]$ giving a free energy of the form
879: \begin{equation}
880: f_{FM}=\left(\frac{C^\prime}{K^\prime}-\frac{C}{K}\right)\log
881: 2-\frac{C}{K}\beta F_{\tau}\bra \zeta\ket_{\zeta}
882: \end{equation}
The physical meaning of the terms $w_\star\,\delta[x-1]$ in
(\ref{eq:saddle_pi}-\ref{eq:saddle_psi}) is that the acquired
microscopic knowledge assigns a probabilistic weight to the
ferromagnetic state. The state $m=0$ is obtained if
$w_{\sigma}=F_{\sigma}=0$ and
$\hat{\pi}(x)=\hat{\phi}(x)=\delta[x]$ (paramagnetic solution).
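The saddle-point equations (\ref{eq:saddle_pihat})-(\ref{eq:saddle_psi}) are usually solved by population dynamics: each density is represented by a population of sampled messages and the four coupled equations are iterated by drawing the required number of members at random. The following listing is an added, runnable example of that procedure (it is not code from the original paper or its authors). It is restricted to a special case that we state explicitly: $\gamma=1$ (private key fully known), $w_\sigma=w_\tau=0$, Nishimori temperature $\beta=1$, regular degrees ($\tilde{C}=C$, $\tilde{L}=L$) and a paramagnetic dense component $\hat{\phi}=\hat{\psi}=\delta[x]$, so that every $\atanh(\hat{y}_{c'})$ term vanishes and only the sparse MN-code part survives. The population size, the number of sweeps and the small positive initial bias are choices of this example; the bias is needed because for even $K$ and $F_\sigma=0$ the remaining equations are invariant under a global flip of the plaintext spins, so an exactly symmetric start can never single out $m=+1$.

```python
"""Population dynamics (density evolution) for the sparse, MN-code part of
the saddle-point equations.  Special case assumed here: gamma = 1 (private
key fully known), w_sigma = w_tau = 0, Nishimori temperature beta = 1, regular
degrees (C~ = C, L~ = L) and a paramagnetic dense component
hat_phi = hat_psi = delta[x], so that all hat_y_{c'} terms vanish.
Standard library only."""
import math
import random

EPS = 1e-12  # keep messages strictly inside (-1, 1) so atanh stays finite


def clip(v):
    return max(-1.0 + EPS, min(1.0 - EPS, v))


def nishimori_field(p):
    """F = atanh(1 - 2p): the prior field matching a flip probability p."""
    return math.atanh(clip(1.0 - 2.0 * p))


def check_to_var(xs, ys):
    """hat{x} (or hat{y}) at a check: product of the incoming messages."""
    out = 1.0
    for v in xs:
        out *= v
    for v in ys:
        out *= v
    return out


def var_to_check(field, hats):
    """x = tanh(F*xi + sum_c atanh(hat{x}_c)); 'field' already includes xi."""
    return clip(math.tanh(field + sum(math.atanh(clip(h)) for h in hats)))


def population_dynamics(K, C, L, p, p_sigma=0.5, pop=2000, sweeps=60,
                        bias=0.05, seed=1):
    """Iterate the densities pi, rho, hat_pi, hat_rho by sampling and return
    the overlap m = int dh P(h) sign(h), counting sign(0) as 0."""
    rng = random.Random(seed)
    F_sigma, F_tau = nishimori_field(p_sigma), nishimori_field(p)

    def xi():    # plaintext spin, +1 with probability 1 - p_sigma
        return 1.0 if rng.random() >= p_sigma else -1.0

    def zeta():  # corruption spin, +1 with probability 1 - p
        return 1.0 if rng.random() >= p else -1.0

    # Start from the prior-only (paramagnetic) state plus a small positive
    # 'bias' (assumption of this example): for even K and F_sigma = 0 the
    # equations are invariant under a global flip of the plaintext spins, so
    # an exactly symmetric start could never single out m = +1.
    x = [var_to_check(F_sigma * xi() + bias, []) for _ in range(pop)]
    y = [var_to_check(F_tau * zeta(), []) for _ in range(pop)]
    xh = [0.0] * pop
    for _ in range(sweeps):
        # hat_pi: K-1 plaintext and L corruption messages meet at a check
        xh = [check_to_var(rng.choices(x, k=K - 1), rng.choices(y, k=L))
              for _ in range(pop)]
        # hat_rho: K plaintext and L-1 corruption messages
        yh = [check_to_var(rng.choices(x, k=K), rng.choices(y, k=L - 1))
              for _ in range(pop)]
        # pi and rho: prior field plus C-1 (resp. L-1) incoming checks
        x = [var_to_check(F_sigma * xi(), rng.choices(xh, k=C - 1))
             for _ in range(pop)]
        y = [var_to_check(F_tau * zeta(), rng.choices(yh, k=L - 1))
             for _ in range(pop)]
    # Full local field of a plaintext spin uses all C incoming hat{x}
    h = [var_to_check(F_sigma * xi(), rng.choices(xh, k=C)) for _ in range(pop)]
    return sum((v > 0) - (v < 0) for v in h) / pop


def spinodal_scan(K, C, L, p_values, **kw):
    """Overlap as a function of p; the spinodal p_s is where m drops below 1."""
    return [(p, population_dynamics(K, C, L, p, **kw)) for p in p_values]


if __name__ == "__main__":
    # (K, C, L) = (2, 6, 2): the construction used for the phase diagrams
    for p, m in spinodal_scan(2, 6, 2, (0.02, 0.06, 0.10, 0.14, 0.18, 0.22)):
        print(f"p = {p:.2f}   m = {m:+.3f}")
```

Running the scan for $(K,C,L)=(2,6,2)$ prints the overlap reached from the near-paramagnetic start at each corruption level; the value of $p$ at which $m$ first drops below one is the numerical estimate of the dynamical transition $p_s$ for this restricted case. Two limits are exact and useful as checks: with $p=1/2$ and no bias every message is identically zero and the paramagnetic fixed point is reproduced, while with $p=0$ the population is driven deterministically to the ferromagnetic state $m=1$.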
889:
890:
891: %--------------------------------------------------------------------%
892: \section{Phase Diagrams} \label{sec:results}
893: %--------------------------------------------------------------------%
894:
In this section we obtain numerical solutions for various attack
scenarios. In all cases studied we assume an unbiased plaintext
($p_{\sigma}=1/2,~F_{\sigma}=0$); for brevity we refer to the
remaining bias parameter, the corruption level denoted $p_{\tau}$
in previous sections, simply as $p$. All experiments have been
carried out using a regular cryptosystem with $K=L=2$, which is the
original cryptosystem suggested in~\cite{KMS}. In principle, one
can use any set of regular or irregular matrices, provided one
identifies the corresponding dynamical transition point. However,
having been thoroughly studied previously, the current
construction serves as a particularly suitable benchmark.
906:
Solving the coupled equations
(\ref{eq:saddle_pihat}-\ref{eq:saddle_psi}) we typically observe that
for sufficiently small values of $p$ the ferromagnetic state $m=1$ is
the only stable solution, whereas at the corruption value that marks the
dynamical (spinodal) transition $p_s$ an exponential number of
solutions with $m\neq 1$ is created (either suboptimal ferromagnetic
or paramagnetic, depending on the values of $(K,C,L)$). For all
$p>p_s$ perfect decryption will be difficult to obtain. This
transition also defines the corruption level below which an
unauthorized attacker who has acquired partial information about the
secret keys will be successful.
918:
919: We will concentrate on two main attacks: (i) The attacker has
920: partial knowledge of the keys (primarily the matrix $B$). (ii) The
921: attacker has partial microscopic knowledge of the plaintext and/or
922: corruption vector.
923:
924: In figure \ref{fig:PhaseD1} we present a phase diagram describing
925: regions with perfect ($m=1$) or partial/null ($|m|<1$) decryption
926: success as evaluated from solving equations (\ref{eq:free_energy})
927: and (\ref{eq:overlap}). We plot the dynamical transition
928: corruption level $p_s$ as a function of the private key fractional
929: knowledge $\gamma$ for different values of $w_{\sigma}$ and
930: $w_{\tau}$ (we have set $p_{\sigma}=1/2$ which corresponds to an
931: `unbiased' plaintext). In the limit $\gamma=0$ (i.e., no knowledge
932: of the matrices), while $m=1$ may be a stable solution, the
933: decryption dynamics is fully dominated by $|m|<1$ states. For
934: $\gamma=1$ the cryptosystem describes a specific MN code and
935: perfect decryption can occur below $p_s$.
936:
937:
938: \begin{center}
939: \begin{figure}[t]
940: \setlength{\unitlength}{1.1mm}
941: \begin{picture}(120,55)
942: \put( 30, 5){\epsfysize=50\unitlength\epsfbox{PhaseD1.eps}}
943: \put(20,35){\large $p_s$}
944: \put(65,0) {\large $\gamma$}
945: \put(75,15){\large $m=1$}
946: \put(43,37){\large $|m|<1$}
947: \end{picture}
948: \caption{Phase diagram of the spinodal corruption-rate against the
949: fractional knowledge of the private key $\gamma$ for a
950: $(K,C,L)=(2,6,2)$ cryptosystem for $(w_{\sigma},w_{\tau})=(0,0)$
951: (solid line) and $(0.2,0.2)$ (dashed line). Microscopic knowledge
952: of the plaintext and the corrupting vector enlarges the perfect
953: decryption area, as expected.} \label{fig:PhaseD1}
954: \end{figure}
955: \end{center}
956:
957:
958:
959: \begin{center}
960: \begin{figure}[bh]
961: \setlength{\unitlength}{1.1mm}
962: \begin{picture}(120,55)
963: \put( -5, 5){\epsfysize=50\unitlength\epsfbox{PhaseD2.eps}}
964: \put( 70, 5){\epsfysize=50\unitlength\epsfbox{PhaseD3.eps}}
965: \put(-10,30){\large $p_s$}
966: \put(35,0) {\large $\gamma$}
967: \put(65,30){\large $p_s$}
968: \put(105,0) {\large $\gamma$}
969: \put(43,15){\large $m=1$}
970: \put(112,15){\large $m=1$}
971: \put(15,35){\large $|m|<1$}
972: \put(85,35){\large $|m|<1$}
973: \end{picture}
974: \caption{Phase diagrams of the spinodal corruption-rates against
975: the fractional knowledge of the private key $\gamma$ for a
976: $(K,C,L)=(2,6,2)$ cryptosystem. Left picture:
977: $(w_{\sigma},w_{\tau})=(0.1,0)$ (solid line) and $(0,0.1)$ (dashed
978: line). Right picture: $(w_{\sigma},w_{\tau})=(0.2,0)$ (solid line)
979: and $(0,0.2)$ (dashed line). For sufficiently large
980: $\gamma$-values microscopic knowledge of the corrupting vector
981: becomes more important to the unauthorized user than that of the
982: plaintext; this effect becomes more emphasized as the fraction of
983: known bits increases.} \label{fig:PhaseD2}
984: \end{figure}
985: \end{center}
986:
987:
988:
989:
990:
991: \begin{center}
992: \begin{figure}[t]
993: \setlength{\unitlength}{1.1mm}
994: \begin{picture}(120,55)
995: \put( -5, 5){\epsfysize=50\unitlength\epsfbox{PhaseD4.eps}}
996: \put( 70, 5){\epsfysize=50\unitlength\epsfbox{overlap.eps}}
997: \put(-7,30){\large $p_s$}
998: \put(35,0) {\large $\gamma$}
999: \put(63,30){\large $m$}
1000: \put(105,0) {\large $p$}
1001: \put(47,13){\small $m=1$}
1002: \put(15,35){\large $|m|<1$}
1003: \end{picture}
1004: \caption{Left: Comparison between two different
1005: cryptosystems with $(K,C,L)=(2,3,2)$ (solid line) and
1006: $(K,C,L)=(2,4,2)$ (dashed line). Smaller $C$-values correspond to
1007: higher rate codes and lead to smaller regions in parameter space
1008: where perfect decryption is possible. Right: Overlap $m$ as
1009: function of the corrupting-rate $p$ obtained from equation
1010: (\ref{eq:overlap}) for a $(K,C,L)=(2,6,2)$ cryptosystem and along
1011: the line $\gamma=0.8$ for $(w_{\sigma},w_{\tau})=(0.2,0)$ (solid
1012: line) and $(w_{\sigma},w_{\tau})=(0,0)$ (dashed line).}
1013: \label{fig:overlap}
1014: \end{figure}
1015: \end{center}
1016:
The interaction between the sparsely (\ref{eq:sparse-part}) and
densely (\ref{eq:dense-part}) connected decryption components is
non-linear and non-trivial; however, as a first approximation one
can view the fractional matrix knowledge $\gamma$ as changing the
effective sparse component, which is the main contributor to the
decryption process. To that end $\gamma$ will have a direct impact
on the effective code rate $N/(M\gamma)$, the average connectivity
$\gamma C$ and the connectivity distribution. It is clear that at
an effective code rate of 1 ($\gamma=N/M=1/3$ for the
parameters used in figure \ref{fig:PhaseD1}) decryption is not even
theoretically feasible. The reason figure~\ref{fig:PhaseD1}
points to a possibility of decryption below this value is the
additional information brought in by the dense components, which we
ignored in this simplistic description.
1031:
We also examined the effect of prior microscopic knowledge of the
plaintext/corrupting vector ($w_{\sigma},w_{\tau}>0$) on the area
of perfect decryption, which clearly increases with the knowledge
provided, as expected. This too can be viewed as a change to the
effective code rate. This time, the partial microscopic knowledge
of either plaintext or corrupting vector (or both) serves to
reduce the effective number of variables and hence the code rate
itself; a lower code rate will typically allow for perfect
decryption under worse corruption conditions, as can be seen in
figure~\ref{fig:PhaseD1}.
1042:
1043:
To understand the implication of these results let us assume that
the cryptosystem described in figure~\ref{fig:PhaseD1} is used at a
corruption level of $p=0.1$ (chosen much smaller
than $p_s$ to increase the decryption reliability). In this case
knowing about $70\%$ of the matrices (secret keys) will be
sufficient for decrypting the ciphertext. True, there is still a
need to know the dense matrix $D^{-1}$ for extracting the
plaintext itself, and the exposed fraction of the secret key is
significant; but there is nevertheless a weakness that may be exploited
by a skillful attacker.
1054:
1055: To compare the importance of prior microscopic knowledge of
1056: plaintext versus that of the corrupting vector we plotted in
1057: figure \ref{fig:PhaseD2} the phase diagram for
1058: $(w_{\sigma},w_{\tau})=\{(0.1,0),(0.2,0)\}$ and
1059: $(w_\s,w_\tau)=\{(0,0.1),(0,0.2)\}$ which describe two
1060: complementary scenarios (left and right figures respectively). The
1061: effect is quite similar, taking into account the information
1062: provided by the two vectors (the plaintext is unbiased but of
1063: length $N$ while the corruption vector is biased but of length
1064: $M$). For high $\gamma$-values microscopic knowledge of the
1065: corrupting vector becomes more informative than that of the
1066: plaintext, an effect which becomes more emphasized as the fraction
1067: of known bits increases.
1068:
1069:
1070: In figure~\ref{fig:overlap} we compare two cryptosystems with
1071: $(K,C,L)=(2,4,2)$ and $(K,C,L)=(2,3,2)$ for
1072: $(w_{\sigma},w_{\tau})=(0,0)$. We see that smaller $C$ values (i.e.,
1073: higher code rates) will reduce the area of perfect decryption. On the
1074: one hand, this will increase the secret information required for
1075: perfect decryption at each corruption level; on the other hand it will
1076: reduce the corruption level that can be used and will expose the
1077: cryptosystem to attacks based on an exhaustive search of corruption
1078: vectors.
1079:
The security of a cryptosystem may be compromised without a full
recovery of the plaintext; partial recovery of the plaintext
may also pose a significant threat. To study the effect of partial
knowledge of the matrices and plaintext on the ability to obtain
high overlap between the decrypted ciphertext and plaintext, we
conducted several experiments, an example of which appears in
figure \ref{fig:overlap}. Here we show the overlap $m$ obtained as a
function of the corruption-rate $p$ for a specific cryptosystem
$(K,C,L)=(2,6,2)$ along the line $\gamma=0.8$ and for two
different choices of $w_{\sigma}$. Prior to the dynamical
transition points both ciphertexts are decrypted perfectly; this
corresponds to corruption and partial knowledge levels below the
solid and dashed lines of figure~\ref{fig:PhaseD1}.
1093:
1094: Above the dynamical transition point, new suboptimal solutions are
1095: created and the overlap value obtained deteriorates with the
1096: corruption level. However, the two different choices of
1097: $w_{\sigma}$-values lead to two different deterioration patterns:
1098: while overlap in the system with no microscopic knowledge of the
1099: plaintext deteriorates very rapidly, the system with
1100: $w_{\sigma}=0.2$ provides solutions with high overlap values even
1101: if the corruption is high. As a consequence, we see that the
1102: effect of microscopic knowledge goes beyond a shift in the
1103: dynamical transition point; it also influences decryption beyond
1104: that point (in fact, it goes even beyond Shannon's limit).
1105:
1106:
1107: %--------------------------------------------------------------------%
1108: \section{Basin of attraction}\label{sec:BOA}
1109: %--------------------------------------------------------------------%
1110: %
1111: The increasingly narrowing basin of attraction for the ferromagnetic
1112: solution, as the connectivity values $K,C$ and $L\to\infty$, is
1113: central to the security level offered by the cryptosystem. The effect
1114: has been reported in a number of papers in the statistical
1115: physics~\cite{KMS,kanter} and information-theory~\cite{mackay}
1116: literature; in this section we will show that the basin of attraction
1117: shrinks as the connectivity increases, to a value of $O(1/K)$ as
1118: $K,C\to\infty$.
1119:
To provide a rough evaluation of the basin of attraction
(BOA) for obtaining the ferromagnetic solution we focus on
Eq.~(\ref{eq:MN}) in the limit $K,C \to \infty$. The BOA clearly
depends on the algorithm used; here we focus on the Belief
Propagation (BP) algorithm, which is empirically known to be the
best practical algorithm for solving problems of the current type.
As far as we have explored, no other scheme, such as the naive mean
field or the Belief Revision algorithm, exhibits better
performance than BP, which implies that our consideration of BP is
at least of a certain practical significance (Survey
Propagation~\cite{MPZ} has not yet been tested for these systems).
1131:
Let us represent prior knowledge on the plaintext $\bxi$ and noise
$\bzeta$ (in {Ising spin representation}) as the {\em prior
probabilities}
1135: \begin{eqnarray}
1136: P_i^{o}(\sigma_i)&=&\frac{\exp(F_{\sigma i} \sigma_i)}{2 \cosh
1137: (F_{\sigma i})},
1138: \label{eq:prior_sigma} \\
1139: P_j^{o}(\tau_j)&=&\frac{\exp(F_{\tau j}\tau_j)}{2 \cosh (F_{\tau
1140: j})}, \label{eq:prior_tau}
1141: \end{eqnarray}
respectively. Here, the parameters $F_{\sigma i}$ and $F_{\tau j}$
express the confidence of the prior knowledge per variable, which is a
generalization of the global prior terms $F_{\sigma}, F_{\tau}$
used earlier. Notice that this representation includes the case in which
certain bits are completely determined, by setting $|F_{\sigma
i}| \mbox{(or $|F_{\tau j}|$)} \to \infty$, enabling us to cover
various scenarios. In the following, we assume that the fraction
of completely determined bits is less than $1$ when $N,M \to
\infty$. Given prior probabilities (\ref{eq:prior_sigma}) and
1151: (\ref{eq:prior_tau}), and the indicator function $\Delta
1152: (\bsigma,\btau;\bxi,\bzeta,{\cal A})$ which is the alternative to
1153: parity check equation (\ref{eq:MN}), the Bayesian framework
1154: provides the {\em posterior probability }
1155: \begin{eqnarray}
P^{post}(\bsigma,\btau)=\frac{\Delta
(\bsigma,\btau;\bxi,\bzeta,{\cal A}) \prod_{i=1}^N P^{o}_i
(\sigma_i) \prod_{j=1}^M P^{o}_j (\tau_j)}{Z},
1159: \label{eq:posterior}
1160: \end{eqnarray}
1161: where $Z$ is the normalization constant. Using
1162: Eq.~(\ref{eq:posterior}), one can determine the best possible action
1163: for minimizing the expected value of a given cost
function~\cite{iba}. As a cost function, we select here the Hamming
distance between the correct plaintext $\bxi$ and its estimate
$\hat{\bxi}$, $L(\hat{\bxi},\bxi)=N-\sum_{i=1}^N \hat{\xi}_i \xi_i$;
1167: this selection naturally offers the maximizer of posterior marginal
1168: (MPM) decoding $\hat{\xi_i}={\rm sign}(m^\sigma_i)$ as the optimal
1169: estimation strategy, where
1170: \begin{equation}
1171: m^{\sigma}_{i}=\sum_{\bsigma,\btau} \sigma_i~ P^{post}(\bsigma,\btau),
1172: \label{eq:post_mean}
1173: \end{equation}
1174: is the average of spin $\sigma_i$ over the posterior probability
1175: and ${\rm sign}(x)=1$ for $x >0$ and $-1$, otherwise.
1176:
The computational cost of an exact evaluation of the spin average
(\ref{eq:post_mean}) increases as $O(2^{N+M})$, which implies that
exact MPM decoding is practically difficult. An alternative approach is
to resort to an approximation such as BP. In the current case,
this means iteratively solving the coupled equations (for
details of the derivation see~\cite{mackay,MKSV})
1183: \begin{eqnarray}
1184: \hat{m}^{\sigma}_{\mu i}&=&J_\mu \prod_{l \in {\cal
1185: L}^{\sigma}(\mu) \backslash i} m_{\mu l}^{\sigma} \prod_{j \in
1186: {\cal L}^{\tau}(\mu)} m_{\mu j}^{\tau}, \quad \hat{m}^{\tau}_{\mu
1187: j}=J_\mu \prod_{l \in {\cal L}^{\sigma}(\mu)} m_{\mu l}^{\sigma}
1188: \prod_{k \in {\cal L}^{\tau}(\mu) \backslash j } m_{\mu k}^{\tau},
1189: \label{eq:horizontal} \\
1190: m^{\sigma}_{\mu i}&=&\tanh(F_{\sigma i} + \sum_{\nu \in {\cal
1191: M}^{\sigma}(i) \backslash \mu} \atanh (\hat{m}^{\sigma}_{\nu i})
1192: ), \quad m^{\tau}_{\mu j}=\tanh(F_{\tau j} + \sum_{\nu \in {\cal
1193: M}^{\tau}(j) \backslash \mu} \atanh (\hat{m}^{\tau}_{\nu j}) ),
1194: \label{eq:vertical}
1195: \end{eqnarray}
1196: where $J_\mu \equiv \left (\prod_{l \in {\cal L}^{\sigma}(\mu)}
1197: \xi_l \prod_{j \in {\cal L}^{\tau}(\mu)} \zeta_j \right )$, ${\cal
1198: L}^{\sigma}(\mu)$ and ${\cal L}^{\tau}(\mu)$ are the sets of indices
1199: of non-zero elements in $\mu$th row of $A$ and $B$, respectively,
1200: and ${\cal M}^{\sigma}(i)$ and ${\cal M}^{\tau}(j)$ are similarly
1201: defined for columns of $A$ and $B$, respectively. ${\cal
1202: L}^{\sigma}(\mu) \backslash i$ denotes a set of indices in ${\cal
1203: L}^{\sigma}$ other than $i$, and similarly for other symbols.
1204: %DS - change 7/5/03
1205: The variables $m^{\sigma/\tau}_{\mu i}$ and
1206: $\hat{m}^{\sigma/\tau}_{\mu i}$ represent pseudo posterior
1207: averages of $\sigma_i$ (or $\tau_{j}$) when the $\mu$th check
1208: $J_\mu$ is left out, and the influence of a newly added $J_\mu$ on
1209: $\sigma_i$ (or $\tau_{j}$), respectively (see~\cite{mackay,MKSV}
1210: for details). Using $\hat{m}^{\sigma}_{\mu i}$, the posterior
1211: average $m_i^{\sigma}$ is obtained as
1212: \begin{eqnarray}
1213: m_i^{\sigma}=\tanh(F_{\sigma i} + \sum_{\mu \in {\cal
1214: M}^{\sigma}(i) } \atanh (\hat{m}^{\sigma}_{\mu i}) ).
1215: \label{eq:full}
1216: \end{eqnarray}
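The posterior (\ref{eq:posterior}), the exact MPM average (\ref{eq:post_mean}) and the BP updates (\ref{eq:horizontal}), (\ref{eq:vertical}) and (\ref{eq:full}) are small enough to be written out and compared on a toy instance. The listing below is an added, runnable example (not code from the original paper or its authors): it enumerates all $2^{N+M}$ states to compute $m_i^\sigma$ exactly and runs the BP recursion on the same checks, with the rows of $A$ and $B$ given as lists of column indices. The instance in the main block is constructed for illustration and has no counterpart in the paper; the prior fields follow the Nishimori prescription $F=\atanh(1-2p)$ used earlier, and one plaintext bit is given a non-zero field because, for even $K$ and $F_\sigma=0$, the posterior is invariant under a global flip of $\bsigma$ and every $m_i^\sigma$ vanishes identically.

```python
"""Exact MPM decoding by enumeration versus belief propagation on a toy
instance of the checks  prod_{l in L^sigma(mu)} sigma_l prod_{j in L^tau(mu)}
tau_j = J_mu.  Row lists hold the column indices of the non-zero entries of
A (plaintext side) and B (corruption side).  Standard library only."""
import itertools
import math

EPS = 1e-12


def clip(v):
    """Keep messages strictly inside (-1, 1) so atanh stays finite."""
    return max(-1.0 + EPS, min(1.0 - EPS, v))


def syndrome(A_rows, B_rows, xi, zeta):
    """J_mu = prod_{l in L^sigma(mu)} xi_l  prod_{j in L^tau(mu)} zeta_j."""
    return [math.prod(xi[l] for l in a) * math.prod(zeta[k] for k in b)
            for a, b in zip(A_rows, B_rows)]


def exact_mpm(A_rows, B_rows, J, F_sigma, F_tau):
    """m_i^sigma = sum_{sigma,tau} sigma_i P^post(sigma,tau) by brute force.
    Cost O(2^(N+M)); the prior normalisations 2cosh(F) cancel in P^post."""
    N, M = len(F_sigma), len(F_tau)
    Z, num = 0.0, [0.0] * N
    for s in itertools.product((1, -1), repeat=N):
        for t in itertools.product((1, -1), repeat=M):
            if syndrome(A_rows, B_rows, s, t) != J:
                continue                      # indicator Delta(...) = 0
            w = math.exp(sum(f * v for f, v in zip(F_sigma, s))
                         + sum(f * v for f, v in zip(F_tau, t)))
            Z += w
            for i in range(N):
                num[i] += s[i] * w
    return [n / Z for n in num]


def bp_mpm(A_rows, B_rows, J, F_sigma, F_tau, iters=50):
    """Posterior means m_i^sigma from the horizontal/vertical BP updates.
    'All but one' products use explicit leave-one-out loops, so an exactly
    zero message (F = 0 prior) never has to be divided out."""
    M_s = {i: [mu for mu, a in enumerate(A_rows) if i in a] for i in range(len(F_sigma))}
    M_t = {j: [mu for mu, b in enumerate(B_rows) if j in b] for j in range(len(F_tau))}
    m_s = {(mu, i): clip(math.tanh(F_sigma[i])) for mu, a in enumerate(A_rows) for i in a}
    m_t = {(mu, j): clip(math.tanh(F_tau[j])) for mu, b in enumerate(B_rows) for j in b}
    h_s, h_t = {}, {}
    for _ in range(iters):
        for mu, (a, b) in enumerate(zip(A_rows, B_rows)):      # horizontal step
            all_s = math.prod(m_s[(mu, l)] for l in a)
            all_t = math.prod(m_t[(mu, k)] for k in b)
            for i in a:
                h_s[(mu, i)] = J[mu] * math.prod(m_s[(mu, l)] for l in a if l != i) * all_t
            for j in b:
                h_t[(mu, j)] = J[mu] * all_s * math.prod(m_t[(mu, k)] for k in b if k != j)
        for (mu, i) in m_s:                                     # vertical step
            m_s[(mu, i)] = clip(math.tanh(F_sigma[i] + sum(
                math.atanh(clip(h_s[(nu, i)])) for nu in M_s[i] if nu != mu)))
        for (mu, j) in m_t:
            m_t[(mu, j)] = clip(math.tanh(F_tau[j] + sum(
                math.atanh(clip(h_t[(nu, j)])) for nu in M_t[j] if nu != mu)))
    # full posterior average: prior field plus every incoming check
    return [math.tanh(F_sigma[i] + sum(math.atanh(clip(h_s[(mu, i)])) for mu in M_s[i]))
            for i in range(len(F_sigma))]


def mpm_estimate(m):
    """hat{xi}_i = sign(m_i^sigma), with sign(x) = -1 for x <= 0 as in the text."""
    return [1 if v > 0 else -1 for v in m]


if __name__ == "__main__":
    # Constructed toy instance (not from the paper): K = L = C = 2 on three
    # plaintext and three corruption spins, with a loop through every check.
    A_rows = [[0, 1], [1, 2], [0, 2]]
    B_rows = [[0, 1], [1, 2], [0, 2]]
    xi, zeta = [1, -1, 1], [1, 1, -1]
    J = syndrome(A_rows, B_rows, xi, zeta)
    p = 0.1                                   # corruption level
    F_tau = [math.atanh(1 - 2 * p)] * 3       # Nishimori prior on each tau_j
    F_sigma = [3.0, 0.0, 0.0]                 # bit 0 partly known, rest unbiased
    ex = exact_mpm(A_rows, B_rows, J, F_sigma, F_tau)
    bp = bp_mpm(A_rows, B_rows, J, F_sigma, F_tau)
    for i, (e, b) in enumerate(zip(ex, bp)):
        print(f"sigma_{i}: xi = {xi[i]:+d}  exact m = {e:+.4f}  BP m = {b:+.4f}")
    print("MPM estimate:", mpm_estimate(bp))
```

On a check graph without loops (a single check, or one check shared by two plaintext spins) the BP means coincide with the enumeration, e.g. a single check over one unknown plaintext spin and one corruption spin with prior $\tanh F_\tau=0.8$ and observed $J=-1$ gives $m^\sigma=-0.8$ from both routines. On the looped instance in the main block the two differ slightly, which is the approximation the text refers to; the enumeration is only feasible for a handful of spins, in line with the $O(2^{N+M})$ cost quoted above.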
1217:
1218: Let us investigate the condition necessary for finding the correct
1219: solution by iterating Eqs.(\ref{eq:horizontal}) and
1220: (\ref{eq:vertical}) in the limit $K,C \to \infty$. For this
1221: purpose, we first employ the gauge transformation $\xi_{i}
1222: m^{\sigma}_{\mu i} \to m^{\sigma}_{\mu i}$, $\xi_{i}
1223: \hat{m}^{\sigma}_{\mu i} \to \hat{m}^{\sigma}_{\mu i}$, $\zeta_{j}
1224: m^{\tau}_{\mu j} \to m^{\tau}_{\mu j}$, $\zeta_{j}
1225: \hat{m}^{\tau}_{\mu j} \to \hat{m}^{\tau}_{\mu j}$ and $J_\mu
1226: \left (\prod_{l \in {\cal L}^{\sigma}(\mu)} \xi_l \prod_{j \in
1227: {\cal L}^{\tau}(\mu)} \zeta_j \right ) \to 1$. This decouples the
1228: quenched random variables $\xi_i$ and $\zeta_j$ from
1229: Eq.(\ref{eq:horizontal}), as $J_\mu$ becomes independent of the
1230: quenched variables, and the BP equations can be expressed as
1231: \begin{eqnarray}
1232: \hat{m}^{\sigma}_{\mu i}&=& \prod_{l \in {\cal L}^{\sigma}(\mu)
1233: \backslash i} m_{\mu l}^{\sigma} \prod_{j \in {\cal
1234: L}^{\tau}(\mu)} m_{\mu j}^{\tau}, \quad \hat{m}^{\tau}_{\mu j}=
1235: \prod_{l \in {\cal L}^{\sigma}(\mu)} m_{\mu l}^{\sigma} \prod_{k
1236: \in {\cal L}^{\tau}(\mu) \backslash j } m_{\mu k}^{\tau},
1237: \label{eq:horizontal2} \\
m^{\sigma}_{\mu i}&=&\tanh(F_{\sigma i} \xi_i + \sum_{\nu \in
{\cal M}^{\sigma}(i) \backslash \mu} \atanh (\hat{m}^{\sigma}_{\nu
i}) ), \quad m^{\tau}_{\mu j}=\tanh(F_{\tau j} \zeta_j + \sum_{\nu
\in {\cal M}^{\tau}(j) \backslash \mu} \atanh (\hat{m}^{\tau}_{\nu
j}) ). \label{eq:vertical2}
1243: \end{eqnarray}
The expression of the correct solution is also converted to $m_{\mu
i}^{\sigma}=1$ and $m_{\mu j}^{\tau}=1$. Notice that any state
characterized by absolute values bounded away from one, $|m_{\mu i}^{\sigma}| <
1 - \varepsilon$ and $|m_{\mu j}^{\tau}| < 1 - \varepsilon$ for an
arbitrary fixed positive number $\varepsilon > 0$, is attracted to a
locally stable solution $\hat{m}^{\sigma}_{\mu i} \sim 0$,
$\hat{m}^{\tau}_{\mu j} \sim 0$, $m^{\sigma}_{\mu
i}=\tanh(F_{\sigma i} \xi_i)$ and $m^{\tau}_{\mu j}=\tanh(F_{\tau j}
\zeta_j)$ for $K \to \infty$ in a single update, since the products on the
right hand sides of Eq.~(\ref{eq:horizontal2}) vanish. To provide a
rough evaluation of the BOA for the correct (ferromagnetic) solution
$m_{\mu i}^{\sigma}=1$ and $m_{\mu j}^{\tau}=1$, let us assume that
$m^{\sigma}_{\mu i}$ and $m^{\tau}_{\mu j}$ are randomly distributed
at $1-\varepsilon(K)$ and $-(1-\varepsilon(K))$ with probabilities
$1-p(K)$ and $p(K)$, respectively, where $\varepsilon(K)$ and $p(K)$
are small parameters characterizing the BOA for large $K$. Under
this assumption, $\hat{m}^{\sigma}_{\mu i}$ and $\hat{m}^{\tau}_{\mu
j}$ are distributed at $ \pm (1-\varepsilon(K))^{K+L} \sim \pm
(1-\varepsilon(K))^{K} $ with probability $(1 \pm (1- 2p(K))^{K+L})/2
\sim (1 \pm (1-2 p(K))^{K})/2$, respectively. If either
$(1-\varepsilon(K))^K$ or $(1-2p(K))^K$ is negligible, the absolute
values of $m_{\mu i}^{\sigma}$ and $m_{\mu j}^{\tau}$ become
sufficiently smaller than $1$, and therefore the state is trapped in
a locally stable solution in the second iteration~\cite{footnote}.
This implies that the critical condition is given by $\varepsilon(K)
\sim O(1/K)$ and $p(K) \sim O(1/K)$ for large $K$. In terms of the
macroscopic overlap, this means $m_{cr}^0\approx 1-O(1/K)$.
1271:
1272:
1273: %--------------------------------------------------------------------%
1274: \section{Reliability}\label{sec:reliability}
1275: %--------------------------------------------------------------------%
1276:
1277:
1278: Unlike most of the commonly used cryptosystems which are based on
1279: a deterministic decryption procedure, the current cryptosystem
1280: relies on a probabilistic decryption process. The evaluation of
1281: decryption success for an \emph{authorized} user is therefore as
1282: important as assessing the level of robustness against attacks.
1283:
In practical scenarios, decryption success generally depends on
the plaintext size. Analysis of finite size effects in the belief
propagation based decryption procedure is difficult. A principled
alternative that we pursue here is based on evaluating the {\em
average error exponent} of the current cryptosystem; this provides
the expected error-level at any given corruption level when
maximum likelihood decoding is employed, and therefore represents
a lower bound to the expected error-rate. Moreover, since the corruption
levels employed are far below the critical (thermodynamic)
transition point, we {\em assume} that belief
propagation decryption will provide similar performance to maximum
likelihood decoding; clearly, the lower bound will become looser
as we get close to the dynamical transition point.
1297:
1298: The average block error rate $P_B(p)$ (i.e., erroneous decrypted plaintexts)
1299: takes the form
1300: \begin{equation}
1301: P_B(p) = e^{-M E(p)} \ ,
1302: \end{equation}
1303: where $E(p)$ is the average error exponent per noise level $p$ and
1304: $M$ the length of the ciphertext (in the particular case of LDPC
1305: codes we assume that short loops, which contribute polynomially to
1306: the block error probability~\cite{miller}, have been removed). The
1307: quantity $P_B(p)$ represents the probability by which candidate
1308: solutions $\{\bsigma,\btau\}$ are drawn from the set of those
1309: satisfying equation (\ref{eq:sparse-part}) (with $\gamma=1$;
1310: authorized decryption) other than the ones corresponding to the
1311: true plaintext and corrupting vector, $\bsigma=\bxi$ and
1312: $\btau=\bzeta$, respectively. To evaluate this probability we
1313: introduce the indicator function
1314: \begin{equation}
1315: \Psi(\Gamma)=
1316: \lim_{\beta\to\infty}\lim_{\lambda_{1,2}\to\pm\lambda}
1317: \left[Z_1^{\lambda_1}(\Gamma;\beta_1)\
1318: Z_2^{\lambda_2}(\Gamma;\beta_2)\right]_{\beta_1=\beta_2=\beta}
1319: \label{eq:indic_function}
1320: \end{equation}
1321: where $\Gamma=\{\bxi,\bzeta,\mcA\}$ collectively denotes the set of
1322: quenched variables. The power $\lambda\in[0,1]$ is used in conjunction
1323: with the partition functions
1324: \begin{equation}
1325: Z_1(\Gamma;\beta_1)=
1326: \sum_{\bsigma\neq\bxi}\sum_{\btau\neq \bzeta}
1327: e^{-\beta_1 H(\bsigma,\btau)}
1328: \hspace{10mm}
1329: Z_2(\Gamma;\beta_2)=
1330: \sum_{\bsigma}\sum_{\btau}
1331: e^{-\beta_2 H(\bsigma,\btau)}
1332: \label{eq:Z1andZ2}
1333: \end{equation}
1334: to provide an indicator function as explained below. The
1335: Hamiltonian $H(\bsigma,\btau)$ is given by (\ref{eq:hamiltonian})
1336: and the trace over spin variables is restricted to those
1337: configurations satisfying equation (\ref{eq:sparse-part}). The
1338: above partition functions $Z_1$ and $Z_2$ differ only in the
1339: exclusion of the true plaintext and corrupting vector in the trace
1340: over variables; this enables us to identify instances where the
1341: maximum likelihood decoder chooses solutions that do not match the
1342: true (quenched variable) vectors. The Hamiltonian
1343: (\ref{eq:hamiltonian}) is proportional to the magnetizations
1344: $m_\sigma(\bsigma)=\frac1N\sum_i\s_i$ and
1345: $m_\tau(\btau)=\frac1M\sum_i\tau_i$. Therefore, if the true
1346: plaintext and corrupting vectors have the highest magnetizations
1347: (decryption success), the Boltzmann factor $\exp[-\beta
1348: H(\bsigma,\btau)]$ will dominate the sum over states in $Z_2$ in
1349: the limit $\beta\to\infty$ and $\Psi(\Gamma)=0$. Alternatively, if
1350: some other vectors $\bsigma\neq \bxi$ and $\btau\neq\bzeta$ have
1351: the highest magnetizations of all candidates (decoding failure),
their Boltzmann factor will dominate both $Z_1$ and $Z_2$ so that
1353: $\Psi(\Gamma)=1$. Separate temperatures $\beta_{1,2}$ and powers
1354: $\lambda_{1,2}$ have been introduced to determine whether obtained
1355: solutions are physical or not (values of these parameters will be
1356: obtained via the zero-entropy condition).
1357:
1358: To derive the average error exponent $E(p)$ we take the logarithm
1359: of the above indicator function averaged with respect to the
1360: disorder variables $\Gamma=\{\bxi,\bzeta,\mcA\}$
1361: \begin{equation}
E(p)=\lim_{M\to\infty}\frac{1}{M}\log\left\bra \Psi(\Gamma)\right\ket_{\Gamma} \ .
1363: \label{eq:error-exponent}
1364: \end{equation}
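Added here as an illustration, not part of the original paper: the two cases of the indicator function (\ref{eq:indic_function}) made explicit through the zero-temperature asymptotics of the partition functions (\ref{eq:Z1andZ2}), and the link between $\Psi(\Gamma)$ and the block error probability that (\ref{eq:error-exponent}) averages over. The ground-state energies $E_0,E_1$ and degeneracies $g_0,g_1$ are notation introduced for this illustration only.

```latex
Let $E_0=\min H(\bsigma,\btau)$ over all pairs satisfying
(\ref{eq:sparse-part}) and $E_1=\min H(\bsigma,\btau)$ over the
subset with $\bsigma\neq\bxi$, $\btau\neq\bzeta$, with ground-state
degeneracies $g_0$ and $g_1$ respectively (illustrative notation).
For large $\beta$ the partition functions (\ref{eq:Z1andZ2}) are
dominated by their ground states,
\begin{displaymath}
Z_1(\Gamma;\beta)\simeq g_1\, e^{-\beta E_1}\ ,\hspace{10mm}
Z_2(\Gamma;\beta)\simeq g_0\, e^{-\beta E_0}\ ,
\end{displaymath}
so that with $\lambda_1=\lambda$, $\lambda_2=-\lambda$ and
$\beta_1=\beta_2=\beta$ the indicator function
(\ref{eq:indic_function}) reduces to
\begin{displaymath}
\Psi(\Gamma)=\lim_{\beta\to\infty}
\left(\frac{Z_1}{Z_2}\right)^{\lambda}
=\lim_{\beta\to\infty}\left(\frac{g_1}{g_0}\right)^{\lambda}
e^{-\beta\lambda(E_1-E_0)}\ .
\end{displaymath}
If the true pair $(\bxi,\bzeta)$ is the unique ground state
(decryption success) then $E_1>E_0$ and the exponential factor
drives $\Psi(\Gamma)\to0$ for any $\lambda>0$. If instead some pair
with $\bsigma\neq\bxi$, $\btau\neq\bzeta$ has strictly lower energy
than the true pair (decoding failure), the ground states of $Z_1$
and $Z_2$ coincide, $E_1=E_0$ and $g_1=g_0$, hence $\Psi(\Gamma)=1$.
A degenerate tie between a wrong pair and the true one gives instead
$\Psi(\Gamma)=(g_1/g_0)^{\lambda}$, strictly between $0$ and $1$,
and is not covered by the two cases above. Since $\Psi(\Gamma)$ is
the indicator of the failure event of the maximum likelihood
decoder, its average over the quenched variables is the block
error probability itself,
\begin{displaymath}
\left\bra\Psi(\Gamma)\right\ket_{\Gamma}
=\mathrm{Prob}\left[\mbox{maximum likelihood decoding fails}\right]
=P_B(p)\ ,
\end{displaymath}
which is the quantity whose logarithm enters (\ref{eq:error-exponent}).
```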
1365:
1366: The evaluation of (\ref{eq:error-exponent}) is similar in spirit
1367: to the analysis of section \ref{sec:analysis}. For details of this
1368: calculation we refer the reader to~\cite{reliability} where we
1369: also study and compare the reliability and average error exponents
1370: of various low-density parity-check codes.
1371:
1372: Results describing $E(p)$ for authorised decryption of the
1373: cryptosystem \cite{KMS} are presented in figure
\ref{fig:reliability} where we plot $E(p)$ as a function of the
1375: corruption level $p$ for $(K,C,L)=(2,8,2)$ (code-rate 1/4) and
1376: $(K,C,L)=(2,4,2)$ (code-rate 1/2) cryptosystems. It is clear that
1377: decryption errors decay very fast with the system size as we go
1378: away from the critical corruption level. For instance, in the case
1379: of $R=1/4$, using a corruption level of $p=0.13$ (Shannon's limit
1380: is at $p=0.20$) and a modest ciphertext size of $M=1000$ will
1381: result in a negligible block error probability $P_B=10^{-11}$.
1382:
1383: \begin{center}
1384: \begin{figure}[t]
1385: \setlength{\unitlength}{1.1mm}
1386: \begin{picture}(120,55)
1387: \put( 40, 0){\epsfysize=45\unitlength\epsfbox{AE_authorised.eps}}
1388: \put(30,27){$E(p)$}
1389: \put(70,-2) {$p$}
1390: \end{picture}
1391: \caption{Reliability exponent (\ref{eq:error-exponent})
1392: as a function of the corruption level $p$
1393: for the case $K=L=2$ and rates $R=1/2$ (dashed line) and
1394: $R=1/4$ (solid line). }
1395: \label{fig:reliability}
1396: \end{figure}
1397: \end{center}
1398:
1399: %--------------------------------------------------------------------%
1400: \section{Discussion}\label{sec:conclusion}
1401: %--------------------------------------------------------------------%
1402:
1403: In this paper we have analyzed several security issues related to
1404: the recently suggested public-key cryptosystem of~\cite{KMS}.
1405: The suggested cryptosystem is based on the computational
1406: difficulty of decomposing a dense matrix into a combination of
1407: dense and sparse matrices (obeying certain statistics) which is a
1408: known hard computational problem. We have considered several
1409: attack scenarios in which unauthorized parties have acquired
1410: partial knowledge of one or more of the private keys and/or
1411: microscopic knowledge of the plaintext and/or the `corrupting
1412: vector'. The analysis follows standard statistical mechanical
1413: methods of dealing with diluted spin systems within replica
1414: symmetric considerations. Of central importance to the
1415: unauthorized decryption is the dynamical transition which defines
1416: decryption success in practical situations. Our phase diagrams
1417: show the dynamical threshold as a function of the partial acquired
knowledge of the private key; they describe regions with perfect
($m=1$) or partial/null ($|m|<1$) decryption success.
1420:
1421: Public-key cryptosystems play an important role in modern
1422: communications. The increasing demand for secure transmission of
information has led to the invention of novel cryptosystems in
recent years. To this end, and based on the insight gained by
1425: statistical physics analyses of error-correcting codes a new
1426: family of cryptosystems was suggested in \cite{KMS}. This paper
1427: constitutes a first step in studying this class of cryptosystems
1428: by considering the potential success of possible attacks.
1429:
1430: Several future research directions aimed at improving the security
1431: and reliability of this cryptosystem may include studying the
1432: efficacy of irregular code constructions and the use of novel
1433: decryption methods such as survey propagation~\cite{MPZ} for pushing
1434: the dynamical transition point closer to the information theoretic
1435: limits.
1436:
1437:
1438:
1439:
1440:
1441:
1442:
1443: %--------------------------------------------------------------------%
1444: \subsection*{Acknowledgements}
1445: %--------------------------------------------------------------------%
1446:
1447: We would like to thank Jort van Mourik for helpful discussions.
Support from EPSRC research grant GR/N63178, the Royal Society
(DS, NS) and Grant-in-Aid, MEXT, Japan, No. 14084206 (YK) is
gratefully acknowledged.
1451: %DS - change 7/5/03
1452: NS would also like to acknowledge support from the Fund for Scientific
1453: Research-Flanders,
1454: Belgium, for the final stages of this research.
1455:
1456:
1457:
1458:
1459:
1460: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
1461:
1462:
1463:
\begin{thebibliography}{99}

\bibitem{RSA}
R.L.~Rivest, A.~Shamir and L.~Adleman (1978)
%`A method for obtaining digital signatures and public key cryptosystems',
\emph{Commun.\@ ACM} \textbf{21} 120-126
\bibitem{DH}
W.~Diffie and M.E.~Hellman (1976)
%`New directions in cryptography',
\emph{IEEE Trans.\@ Inf.\@ Th.\@} \textbf{22} 644-654
%\bibitem{handbook}
%A.~Menezes, P.~van Oorschot and S.~Vanstone (1996) `Handbook of applied cryptography',
%CRC Press
\bibitem{stinson}
D.R.~Stinson (1995) \emph{`Cryptography, Theory and Practice'} CRC Press LLC
\bibitem{KMS}
Y.~Kabashima, T.~Murayama and D.~Saad (2000)
%`Cryptographical Properties of Ising Spin Systems'
\emph{Phys Rev Lett} \textbf{84} 2030
\bibitem{mackay}
D.J.C.~MacKay (1999) \emph{IEEE Trans.\@ Inf.\@ Th.\@} \textbf{45} 399
\bibitem{kabashima}
Y.~Kabashima, T.~Murayama and D.~Saad (2000)
%`Typical Performance of Gallager-type Error-Correcting Codes'
\emph{Phys Rev Lett} \textbf{84} 1355
\bibitem{garey_johnson}
M.R.~Garey and D.S.~Johnson (1979) \emph{`Computers and Intractability'}
Freeman 251
\bibitem{weiss}
Y.~Weiss (2000) \emph{Neural Computation} \textbf{12} 1
\bibitem{MPZ}
M.~M\'{e}zard, G.~Parisi and R.~Zecchina (2002) \emph{Science} \textbf{297} 812
%
\bibitem{MKSV}
T.~Murayama, Y.~Kabashima, D.~Saad and R.~Vicente (2000)
%`Statistical physics of regular low-density parity-check error-correcting codes',
\emph{Phys Rev E} \textbf{62} 1577
\bibitem{sourlas}
N.~Sourlas (1989)
%`Spin-glass models as error-correcting codes'
\emph{Nature} \textbf{339} 693
\bibitem{kanter}
I.~Kanter and D.~Saad (1999)
%`Error-correcting codes that nearly saturate Shannon's bound'
\emph{Phys Rev Lett} \textbf{83} 2660
\bibitem{nishimori}
H.~Nishimori (2001) \emph{`Statistical Physics of Spin Glasses and Information Processing'}
Oxford University Press, Oxford UK
\bibitem{iba}
Y.~Iba (1999) \emph{J. Phys. A} \textbf{32} 3875
\bibitem{NS}
H.~Nishimori and D.~Sherrington (2001) in \emph{`Disordered and Complex Systems'},
eds P.~Sollich, A.C.C.~Coolen, L.P.~Hughston and R.F.~Streater,
American Institute of Physics, New York, p.~67
\bibitem{franz}
S.~Franz, M.~Leone, A.~Montanari and F.~Ricci-Tersenghi (2002)
\emph{Phys Rev E} \textbf{66} 046120
\bibitem{miller}
G.~Miller and D.~Burshtein (2001)
\emph{IEEE Trans.\@ Inf.\@ Th.\@} \textbf{47} 2696
\bibitem{reliability}
N.S.~Skantzos, J.~van Mourik, D.~Saad and Y.~Kabashima (2003)
\emph{J Phys A}, in press (\texttt{cond-mat/0304520})
\bibitem{footnote} Although larger $C$ values would increase the
absolute values of $m_{\mu i}$ and $m_{\mu j}$ in
Eq.~(\ref{eq:vertical2}), this effect is relatively small and the
critical condition is determined mainly by $K$ in
Eq.~(\ref{eq:horizontal2}).
\end{thebibliography}
1529:
1530: \end{document}
1531: