The Secrecy of Compressed Sensing Measurements

Yaron Rachlin & Dror Baron

Alice wants to send Bob secret message. Message is K-sparse. Alice uses CS projection matrix to encode

message.

Does matrix act as encryption key? If Bob knows CS matrix, can recover message.

Compressed Sensing (CS) Secrecy Scenario

2

Compressed Sensing Attack Scenario Eve intercepts message, does not know

matrix. Can Eve recover secret message?

+ =?

3

Is compressed sensing secure? Claims:

“The encryption matrix can be viewed as a one-time pad that is completely secure” I. Drori “Compressed Video Sensing” BMVA Symposium on 3D Video - Analysis, Display and Applications, 2008.

“effectively implements a weak form of encryption ” D. Baron, M. F. Duarte, S. Sarvotham, M. B. Wakin and R. G. Baraniuk “An Information-Theoretic Approach to Distributed Compressed Sensing” Allerton 2005.

4

Notions of security Information theoretic – H(message|

ciphertext)=H(message) Computationally unbounded adversary

Computational – Extracting message equivalent to solving computationally hard problem

Computationally bounded adversary

5

Perfect Secrecy? Definition of perfect secrecy (Shannon).

X message, Y ciphertext, I(X;Y)=0 Does CS-based encryption achieve perfect

secrecy? NO

Noiseless case: If message X=0, ciphertext Y=0. CS matrices satisfying RIP roughly preserve l2 norm. Mutual information is positive.

Could mutual information be small?

Y = ©X

6

Computational Secrecy Recovery is feasible, but hard for

computationally bounded adversary. (Weaker) More widely used than perfect secrecy.

How many matrices must an attacker try before finding the correct Phi matrix? Propose this as a computational notion of security

for CS.

7

264 keys could be an unfortunate predicament.

Application Example: Biometrics Don’t want to store lots of data “in the clear.” Can we just store features? (Reversible) If encryption key compromised, severe loss.

Possible solution: Compress (lossy, enable revocation) Then encrypt (high overhead) Or, compress & encrypt in same step?

Time critical application.8

Other Applications Low power sensors

Sensor Networks nodes have limited battery life.

Provides low-cost encryption while performing compression.

High bandwidth sensors Networks of video cameras require low

latency.

9

Results Sender transmits:

Attacker guesses:

With probability one:

Theorem: For randomly generated Gaussian ’with M≥K+1, each subset of M columns can be used to find an M-sparse x’ that will satisfy y = ’x’ with probability one. For all subsets of size T<M, a T-sparse x’ will satisfy

y = ’x’ with probability zero.10

y = ©x

©0

y 6= ©0x

Strictly Sparse, Noiseless Case Intuition – dim(subspace intersection) < K.

Pr(signal in intersection)=0.

M=3, K=2

M=3, K=1

11

-0.5

0

0.5

-2-1

01

2

-0.6

-0.4

-0.2

0

0.2

0.4

0.6

-1-0.5

00.5

1

-1

-0.5

0

0.5

1-3

-2

-1

0

1

2

3

Implications for secrecy Lemma: With probability one,

and

will yield M-sparse solutions.

What does result mean in terms of security? Information theoretic:

Can detect correct key Computational:

Need to evaluate (many) keys in ensemble until correct one found.

12

minx

kxk0 subject to y = ©0x

minx

kxk1 subject to y = ©0x

Quality of Reconstruction True Signal. N=376, K = 37

Attacker reconstruction using wrong matrix.

Reconstruction with correct matrix.

0 50 100 150 200 250 300 350 400-1

-0.8

-0.6

-0.4

-0.2

0

0.2

0.4

0.6

0.8

1

0 50 100 150 200 250 300 350 400

-1

-0.8

-0.6

-0.4

-0.2

0

0.2

0.4

0.6

0.8

1

0 50 100 150 200 250 300 350 400-1.5

-1

-0.5

0

0.5

1

1.5

2

13

Simulations with L1 reconstruction

Simulation of attacks using wrong measurement matrices.

Best among 10,000 pairs gave significant error. Eve is in trouble! Bob reconstructs correctly.

14

0 100 200 300 400 500 600 700 8000

20

40

60

80

100

120

140

Signal Length

L2 N

orm

Squ

ared

of

Rec

onst

ruct

ion

Err

or

Lowest Attack Reconstruction Error

10th Percentile Attack Error50th Percentile

90th Percentile

Other Settings Strictly Sparse, Noiseless (Results,

Simulations) Compressible, Noiseless Strictly Sparse, Noisy (Ongoing Work) Compressible, Noisy

Preliminary analysis indicates similar results feasible in other settings.

15

Thank you for your attention.Questions?

16