Security Model: Eavesdropper on the Broadcast

Two Security Questions for Coded Caching

Chapter 12 addressed demand privacy: users should not learn each other's demands. This chapter addresses a complementary question: delivery secrecy. An external eavesdropper E\mathcal{E} overhears the broadcast transmission XX. Can we design a coded-caching scheme such that E\mathcal{E} learns nothing about the file library?

These are two different threat models:

  • Demand privacy (Ch 12): Internal users are the adversary β€” each user must not learn other demands.
  • Delivery secrecy (Ch 17): External eavesdropper is the adversary β€” must not learn any file content from the broadcast.

Both are relevant in practice: privacy for user protection in shared-link services; secrecy for untrusted networks (wireless broadcast where the medium is open).

Definition:

Secure Delivery Model

The secure coded-caching model (Sengupta-Tandon-Clancy 2015) consists of:

  1. A server with library W={W1,…,WN}\mathcal{W} = \{W_1, \ldots, W_N\}.
  2. Users 1,…,K1, \ldots, K with caches Z1,…,ZK\mathcal{Z}_1, \ldots, \mathcal{Z}_K of size MFMF bits each.
  3. An external eavesdropper E\mathcal{E} observing the full broadcast XX.

Security requirement: for any demand vector d\mathbf{d}, I(W;X)β€…β€Š=β€…β€Š0I(\mathcal{W}; X) \;=\; 0 (perfect information-theoretic secrecy of the library).

Correctness: each legitimate user kk can decode WdkW_{d_k} from its cache Zk\mathcal{Z}_k and the broadcast XX.

The eavesdropper sees only XX, not the caches. The caches are pre-distributed privately during off-peak (e.g., via physical storage, secure link, or asymmetric keying). The broadcast phase is the only attack surface.

Theorem: Secrecy Requires Mβ‰₯1M \geq 1

For perfect-secrecy coded caching with KK users, Nβ‰₯KN \geq K files, and cache size MM per user, a necessary condition is Mβ‰₯1M \geq 1. No secure scheme exists with M<1M < 1.

The eavesdropper observes XX. By the cut-set bound, to decode each file WnW_n a user needs the sum M+Rβ‰₯1M + R \geq 1 file (bits of info). For secrecy, XX must be independent of W\mathcal{W}, so XX carries "zero information" β€” all information must come from the cache. Hence Mβ‰₯1M \geq 1.

Proof
Cut-set setup

User kk decodes WdkW_{d_k} from (Zk,X)(\mathcal{Z}_k, X). By Fano: H(Wdk∣Zk,X)≀ϡFH(W_{d_k} | \mathcal{Z}_k, X) \leq \epsilon F for some small Ο΅\epsilon.

Secrecy condition

Perfect secrecy: I(W;X)=0I(\mathcal{W}; X) = 0 β‡’\Rightarrow I(Wdk;X)=0I(W_{d_k}; X) = 0 β‡’\Rightarrow H(Wdk∣X)=H(Wdk)=FH(W_{d_k} | X) = H(W_{d_k}) = F.

Combining

Fβˆ’Ο΅F≀I(Wdk;Zk∣X)≀H(Zk)=MFF - \epsilon F \leq I(W_{d_k}; \mathcal{Z}_k | X) \leq H(\mathcal{Z}_k) = MF.

Conclusion

Mβ‰₯1βˆ’Ο΅M \geq 1 - \epsilon, so Mβ‰₯1M \geq 1 as Ο΅β†’0\epsilon \to 0. The cache must store at least one full file's worth of random key material. β– \blacksquare

Why Mβ‰₯1M \geq 1: Intuition

Think of the cache as a one-time pad store. To decode a requested file WdkW_{d_k} securely, the user needs enough key material to "unmask" the transmission. A one-time pad requires key length = message length = 1 file. Hence Mβ‰₯1M \geq 1.

Coded caching's multicasting gain still applies above the Mβ‰₯1M \geq 1 floor: extra memory Mβˆ’1M - 1 provides the MAN rate reduction. So effectively, Meff=Mβˆ’1M_\text{eff} = M - 1 replaces MM in the rate formula.

Secrecy-Rate-Memory Tradeoff

Secure rate (STC 2015) shifts the MAN curve by 1 file in memory (Mβ†’Mβˆ’1M \to M - 1). At M=1M = 1: secure rate = uncoded MAN. Below M=1M = 1: no secure scheme. Plot both curves for comparison.

Parameters
10
20

Example: Wireless Eavesdropper Scenario

A CDN operator streams video over a wireless broadcast link to K=5K = 5 users. An eavesdropper in range also receives the signal. N=10N = 10 videos, M=1.5M = 1.5 per user. Quantify security margin.

Solution
Feasibility check

M=1.5β‰₯1M = 1.5 \geq 1 β€” secure scheme exists.

Effective memory

Meff=Mβˆ’1=0.5M_\text{eff} = M - 1 = 0.5. Effective ratio ΞΌeff=0.5/10=0.05\mu_\text{eff} = 0.5/10 = 0.05.

Secure rate

Rsec=K(1βˆ’0.05)/(1+Kβ‹…0.05)=5β‹…0.95/1.25=3.8R_\text{sec} = K (1 - 0.05)/(1 + K \cdot 0.05) = 5 \cdot 0.95/1.25 = 3.8 files/channel-use.

Non-secure MAN baseline

RMAN=5(1βˆ’0.15)/(1+5β‹…0.15)=5β‹…0.85/1.75=2.43R_\text{MAN} = 5 (1 - 0.15)/(1 + 5 \cdot 0.15) = 5 \cdot 0.85/1.75 = 2.43.

Penalty

Secure rate (3.83.8) is worse than non-secure MAN (2.432.43): secure delivery costs (Rsecβˆ’RMAN)(R_\text{sec} - R_\text{MAN}) files per use. The 1-file cache is spent on key material.

Leakage

Eavesdropper: I(W;X)=0I(\mathcal{W}; X) = 0 by construction. Perfect secrecy achieved at cost of increased rate.

Common Mistake: Don't Conflate Privacy and Secrecy

Mistake:

Assuming demand-privacy schemes (Wan-Caire, Ch 12) also provide secrecy against external eavesdroppers.

Correction:

  • Demand privacy masks which file each user wants from other users. The broadcast XX itself may still leak file content to an outsider.
  • Delivery secrecy prevents E\mathcal{E} from learning file content. Does not address which file a particular user requested (that's privacy).

In many scenarios you want both. Joint schemes exist (STC 2015 + Wan-Caire masking), but each primitive addresses only one threat.

Key Takeaway

Secure delivery requires at least 1 file of cache per user. This is the fundamental one-time-pad cost of information-theoretic secrecy. Above this floor, coded caching's MAN gain still applies to the remaining memory Mβˆ’1M - 1. Secrecy is not free β€” unlike Wan-Caire demand privacy, it costs capacity.

Prerequisites & NotationSengupta-Tandon-Clancy Secure Delivery Scheme