C. H. Bennett, G. Brassard, C. Cr'epeau and U. M. Maurer, "Generalized privacy amplification ", IEEE Transactions on Information Theory, Vol. 41, no. 6, November  Home/Search   Document Details and Download   Summary   Related Articles   Check

....information f(XA ) over the public authenticated channel in such a way that he can recover XA knowing XB . Since f(XA ) is sent over a public channel, it is considered known to an eavesdropper. Therefore, the second step of key distillation consists in applying a privacy amplification protocol [4, 19, 3], where the tapped information is wiped out at the cost of a reduction in the key length. Privacy amplification (PA) is not covered in this paper, since the currently developed protocols can readily be used. It is however relevant to our problem, as the reduction in key length during PA is ....

....of a reduction in the key length. Privacy amplification (PA) is not covered in this paper, since the currently developed protocols can readily be used. It is however relevant to our problem, as the reduction in key length during PA is roughly equal to the number of bits known to an eavesdropper [3, 20], both from tapping the quantum channel and from listening to the public channel. It should thus now appear clearly that the reconciliation information f(XA ) should not give more information than necessary on XA , otherwise resulting in a penalty in the key length. Ideally, only H(XA jXB ) bits ....

C. H. BENNETT, G. BRASSARD, C. CR EPAU, AND U. M. MAU- RER, Generalized privacy amplification, IEEE Trans. Inform. Theory, 41 (1995.

....Euler Institute for Discrete Mathematics and its Applications (EIDMA) P.O.Box 513, 5600 MB Eindhoven, The Netherlands v.b.balakirsky ele.tue.nl Abstract. Secret key agreement protocol between legal parties based on reconciliation and privacy amplification procedure has been considered in [2]. The so called privacy amplification theorem is used to estimate the amount of Shannon s information leaking to an illegal party (passive eavesdropper) about the final key. We consider a particular case where one of the legal parties (Alice) sends to another legal party (Bob) a random binary ....

.... The amount of Shannon s information I 0 leaking to Eve under the condition that she knows completely the key sharing protocol given above, the code C, the check string y and the noisy version x of the string x received through wire tap BSC is given by the so called Privacy Amplification Theorem [2]: k t c 0 ) ln 2 (1) where t c is the Renyi (or collision) information that has Eve from all her knowledge mentioned above, and 0 is the length of the string after hashing. The collision information t c is comprised of the collision information t c about x contained in x and the ....

[Article contains additional citation context not shown here]

Bennett, C. H., Brassard, G., Maurer, U. M. "Generalized Privacy Amplification". IEEE Trans. on IT, vol. 41, nr. 6, pp. 1915-1923. 1995.

....Brassard, and Robert [3] and by Impagliazzo, Levin, and Luby [7] Both techniques build on the fact that uniform entropy can be extracted using universal hash functions [5] 3. 1 Privacy Amplification Privacy amplification is a key component of many unconditionally secure cryptographic protocols [2]. Assume Alice and Bob share a random variable W while an eavesdropper Eve knows a correlated random variable V that summarizes her knowledge about W . The details of the distribution PWV are unknown to Alice and Bob except that they assume a lower bound on the 2 R enyi entropy of order two of P ....

....eavesdropping but immune to tampering, Alice and Bob wish to agree on a function g such that Eve knows nearly nothing about g(W ) Let X denote the random variable corresponding to the conditional probability distribution P W jV =v . The following theorem by Bennett, Brassard, Cr epeau, and Maurer [2] shows that if Alice and Bob choose g randomly from a universal hash function G : W Y for suitable Y, Eve s information about Y = g(W ) is negligible. Theorem 1 ( 2] Let X be a random variable over the alphabet X with probability distribution PX and R enyi entropy H 2 (X) let G be the random ....

[Article contains additional citation context not shown here]

C. H. Bennett, G. Brassard, C. Cr'epeau, and U. M. Maurer, "Generalized privacy amplification, " IEEE Transactions on Information Theory, vol. 41, pp.

....the impossibility results given in [7] by achieving an output distribution that is not truly random, but rather exponentially close in statistical deviation from truly random. Work on privacy amplification in unconditionally secure key agreement protocols is also related to our work (see e.g. [3, 6]) Bellare and Miner [1] consider the notion of forward security for signature schemes, which is a different attempt to address the key exposure problem. The kind of security they achieve prevents an adversary that gains a current secret key from being able to forge signatures on messages dated ....

C. Bennett, G. Brassard, C. Crepeau, U. Maurer. Generalized Privacy Amplification. In IEEE Transactions on Information Theory, 41(6), 1995.

No context found.

C. H. Bennett, G. Brassard, C. Cr'epeau and U. M. Maurer, "Generalized privacy amplification ", IEEE Transactions on Information Theory, Vol. 41, no. 6, November

....a secret key mentioned here, there also exist efficient protocols for generating a secret key (which ,nay be somewhat shorter) In general, the distribution PxYz may be under Eve s partial control and ,nay only partly be known to Alice and Bob. Two examples are the privacy amplification scenario [3] mentioned in Section 2.3, and quantum cryptography, where both Bob s and Eve s distributions depend on the type of measurement performed by Eve on the photons sent by Alice. In this paper we assume that PxYz is known to all parties. In the sequel we assume without loss of generality that and ....

....discussion over the authenticated public channel, Alice and Bob maage to generate a secret key about which Eve has arbitrarily little informa tion. Another special case of key agreement protocols secure against passive adversaries is privacy amplification introduced in [4] and generalized in [3]. Privacy amplification is a protocol step that would typically be used as the last step in a practical key agreement protocol, but it can itself be described in the flamework of key agreement protocols. Here Alice and Bob are assumed to know a string W (i.e. X = Y W) about which Eve has some ....

[Article contains additional citation context not shown here]

C.H. Bennett, G. Brassard, C. CrOpeau, and U.M. Maurer, "Generalized privacy amplification", to appear in IEEE Tr'ansactions on Information Theory, Nov. 1995.

.... amplification A basic tool for applying information theory to cryptography is privacy amplification originally introduced by Bennett, Brassard and Robert [3] However, this technique was only recently shown to be applicable to a wide range of scenarios by Bennett, Brassard, Cr epeau and Maurer [2] who provided a generalized analysis of privacy amplification. These results are summarized briefly in this section. An important technique used is universal hashing. Definition 2. A class G of functions A Gamma B is universal if, for any distinct x 1 and x 2 in A, the probability that g(x 1 ) ....

....arbitrary t bits of deterministic information about W (see corollary below) because in these scenarios one knows a lower bound on Eve s collision entropy. Theorem 4 also implies the following result on privacy amplification against deterministic information first stated in [3] For a proof see [2]. Corollary 5. Let W be a random n bit string with uniform distribution over Sigma n , let V = e(W ) for an arbitrary eavesdropping function e : Sigma n Sigma t for some t n, let s n Gamma t be a positive safety parameter, and let r = n Gamma t Gamma s. If Alice and Bob choose ....

C.H. Bennett, G. Brassard, C. Cr'epeau and U.M. Maurer, Generalized privacy amplification, to appear in Proc. 1994 IEEE Int. Symp. on Information Theory, Trondheim, Norway, June 27 -- July 1, 1994.

....exploit the full secrecy capacity. A method that is different from that proposed in [6] and [20] for exploiting the availability of a superior channel is to use a reconciliation and universal hashing information reduction protocol as described in [2] One open problem that will be addressed in [3] is to generalize the proof for the information reduction protocol given in [2] to cases where Eve knows K bits of information rather than the output of a 2 K valued function. 4. Generating a Mutual Secret Key from Randomness Received over Independent Channels Consider a random source (e.g. a ....

C.H. Bennett, G. Brassard, U.M. Maurer and L. Salvail, Generalized privacy amplification, in preparation.

....Information Reconciliation [1, 6] To agree on a string T with very high probability, Alice and Bob exchange redundant error correction information U , such as a sequence of parity checks. After this phase, Eve s (incomplete) information about T consists of Z, C and U . Privacy Amplification [2, 3]: In the final phase, Alice and Bob agree publicly on a compression function G to distill from T a shorter string S about which Eve has only a negligible amount of information. Therefore, S can subsequently be used as a secret key. Information reconciliation and privacy amplification are ....

....In other words, Eve s information about W is modeled by the probability distribution P W jV =v about which Alice and Bob have some incomplete knowledge. In particular, they know a lower bound on the collision entropy (see below) of the distribution P W jV =v but they do not know v. It is known [2] that the collision entropy after reconciliation with U = u (i.e. of the distribution P W jV =v;U=u ) is a lower bound on the size of the secret key that can be distilled safely by privacy amplification. This paper is concerned with understanding the reduction of the collision entropy induced by ....

[Article contains additional citation context not shown here]

C. H. Bennett, G. Brassard, C. Cr'epeau, and U. M. Maurer, "Generalized privacy amplification." Preprint, 1994.

....a secret key mentioned here, there also exist efficient protocols for generating a secret key (which may be somewhat shorter) In general, the distribution PXY Z may be under Eve s partial control and may only partly be known to Alice and Bob. Two examples are the privacy amplification scenario [3] mentioned in Section 2.3, and quantum cryptography, where both Bob s and Eve s distributions depend on the type of measurement performed by Eve on the photons sent by Alice. In this paper we assume that PXY Z is known to all parties. In the sequel we assume without loss of generality that S and ....

....discussion over the authenticated public channel, Alice and Bob manage to generate a secret key about which Eve has arbitrarily little information. Another special case of key agreement protocols secure against passive adversaries is privacy amplification introduced in [4] and generalized in [3]. Privacy amplification is a protocol step that would typically be used as the last step in a practical key agreement protocol, but it can itself be described in the framework of key agreement protocols. Here Alice and Bob are assumed to know a string W (i.e. X = Y = W ) about which Eve has some ....

[Article contains additional citation context not shown here]

C.H. Bennett, G. Brassard, C. Cr'epeau, and U.M. Maurer, "Generalized privacy amplification", to appear in IEEE Transactions on Information Theory, Nov. 1995.

....Information Reconciliation [1, 6] To agree on a string T with very high probability, Alice and Bob exchange redundant error correction information U , such as a sequence of parity checks. After this phase, Eve s (incomplete) information about T consists of Z, C and U . Privacy Amplification [2, 3]: In the final phase, Alice and Bob agree publicly on a compression function G to distill from T a shorter string S about which Eve has only a negligible amount of information. Therefore, S can subsequently be used as a secret key. Information reconciliation and privacy amplification are ....

....Eve s information about W is modeled by the probability distribution P W jV =v about which Alice and Bob have some incomplete knowledge. In particular, they know a lower bound on the R enyi entropy (see below) of the distribution P W jV =v with high probability but they do not know v. It is known [2] that the R enyi entropy after reconciliation with U = u (i.e. of the distribution P W jV =v;U=u ) is a lower bound on the size of the secret key that can be distilled safely by privacy amplification. This paper is concerned with understanding the reduction of the R enyi entropy induced by the ....

[Article contains additional citation context not shown here]

C. H. Bennett, G. Brassard, C. Cr'epeau, and U. M. Maurer, "Generalized privacy amplification, " IEEE Transactions on Information Theory, vol. 41, Nov. 1995. (To appear).

No context found.

C.H. Bennett, G. Brassard, C. Crepeau, and U. Maurer. Generalized privacy amplification. IEEE Trans. Information Theory, 41(6):1915--1923, 1995.

No context found.

C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer, Generalized privacy amplification, IEEE Trans. on Information Theory , Vol. 41, No. 6, pp. 1915--1923, 1995.

No context found.

C. H. Bennett, G. Brassard, C. Crepeau, U. Maurer. Generalized Privacy Amplification. In IEEE Transaction on Information Theory, vol. 41, no. 6, pp. 1915.

No context found.

C. H. Bennett, G. Brassard, C. Cr'epeau, and U. M. Maurer, "Generalized privacy amplification, " IEEE Transactions on Information Theory, vol. 41, pp. 1915.

No context found.

C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer. Generalized privacy amplification. IEEE Trans. Inform. Theory, 41(6):1915.

No context found.

C.H. Bennett, G. Brassard, C. Crepeau, and U. Mauer. Generalized privacy amplification. IEEE Trans. on Inf. Theory, 41:1915, 1995.

No context found.

C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer. Generalized privacy amplification. IEEE Trans. Inform. Theory, 41(6):1915.

No context found.

C. H. BENNETT, G. BRASSARD, C. CR EPEAU, AND U. M. MAU- RER, Generalized privacy amplification, IEEE Trans. Inform. Theory, 41 (1995.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC