C. H. Bennett, G. Brassard, and J.-M. Robert. How to reduce your enemy's information. In Proc. of CRYPTO '85, Lecture Notes in Computer Science, vol. 218, pp. 468--476, Springer-Verlag, 1986.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....or variational distance. The distinction between nonuniformity measures is not central for the work presented here and we mainly use relative entropy distance. 3 Related Concepts Privacy amplification and entropy smoothing have been introduced independently by Bennett, Brassard, and Robert [3] and by Impagliazzo, Levin, and Luby [7] Both techniques build on the fact that uniform entropy can be extracted using universal hash functions [5] 3.1 Privacy Amplification Privacy amplification is a key component of many unconditionally secure cryptographic protocols [2] Assume Alice and ....

C. H. Bennett, G. Brassard, and J.-M. Robert, "How to reduce your enemy's information," in Advances in Cryptology --- CRYPTO '85 (H. C. Williams, ed.), vol. 218 of Lecture Notes in Computer Science, pp. 468--476, Springer-Verlag, 1986.

....it is indistinguishable from an oblivious bit fixing source that is, a distribution on strings of length m in which m Gamma k bit positions are fixed and the other k bit positions vary uniformly and independently. Such sources were the focus of the bit extraction problem studied in [Vaz85, BBR85, CGH 85, Fri92] and the term oblivious bit fixing source was introduced in [CW89] To see that the output of PE P ;m is indistinguishable from an oblivious bit fixing source, simply observe that the distribution D given in the proof of Theorem 11 is such a source. 4 Extracting from ....

Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert. How to reduce your enemy's information (extended abstract). In Hugh C. Williams, editor, Advances in Cryptology--- CRYPTO '85, volume 218 of Lecture Notes in Computer Science, pages 468--476. Springer-Verlag,

....it is indistinguishable from a oblivious bit fixing source that is, a distribution on strings of length m in which m k bit positions are fixed and the other k bit positions vary uniformly and independently. Such sources were the focus of the bit extraction problem studied in [Vaz85, BBR85, CGH 85, Fri92] and the term oblivious bit fixing source was introduced in [CW89] To see that the output of PE P ;m is indistinguishable from an oblivious bit fixing source, simply observe that the distribution D given in the proof of Theorem 10 is such a source. 11 Extracting from ....

Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert. How to reduce your enemy's information (extended abstract). In Hugh C. Williams, editor, Advances in Cryptology--- CRYPTO '85, volume 218 of Lecture Notes in Computer Science, pages 468--476. Springer-Verlag,

....class of hash functions can be used to generate a sequence of pairwise independent random variables in the following way: Select G 2 G uniformly at random and apply it to any fixed sequence x 1 ; x l of distinct values in X , i.e. Y j = G(x j ) for j = 1; l. Privacy amplification [7, 6] is a method to eliminate partial information about a random variable and extract a shorter, almost uniformly distributed value. The following theorem [23, 5] is formulated using min entropy, but it can be generalized to Renyi entropy of any order 1 [9] Theorem 2 (Privacy Amplification [5] ....

C. H. Bennett, G. Brassard, and J.-M. Robert. How to reduce your enemy's information. In H. C. Williams, editor, Advances in Cryptology: CRYPTO '85, volume 218 of Lecture Notes in Computer Science, pages 468--476. Springer, 1986.

....class of hash functions can be used to generate a sequence of pairwise independent random variables in the following way: Select uniformly at random and apply it to any fixed sequence f 5 IJI I 5Kf of distinct values in [ Let oB9 fBs for H5 IJI IJ5K . Privacy amplification [BBR86, BBR88] is a method to eliminate partial information about a random variable and extract a shorter, almost uniformly distributed value. The following theorem [ILL89, BBCM95] is formulated using min entropy, but it can be generalized to Renyi entropy of any order = Cac97b] Theorem 2 ( BBCM95] ....

Charles H. Bennett, Gilles Brassard, and JeanMarc Robert, How to reduce your enemy's information, Advances in Cryptology: CRYPTO '85 (Hugh C. Williams, ed.), Lecture Notes in Computer Science, vol. 218, Springer, 1986, pp. 468--476.

....by the DES S boxes are certain balance and correlation immune properties. Another context in which resilient functions are useful is in renewing a partially leaked key. Cryptographic scenarios in which partially leaked keys are studied include quantum key exchange (Bennett, Brassard and Robert [79]) and key distribution patterns (Stinson [87] In both these situations, resilient functions have been proposed as a useful method of obtaining a smaller secure key from a larger partially leaked key. Suppose Alice and Bob share a random n bit binary key, x 1 ; x n , and an opponent, ....

....C , is an OA 2 n Gammam Gammad 1 (d Gamma 1; n; 2) Since C is a subspace of (Z 2 ) n , it is easy to see that every coset of C is also an OA 2 n Gammam Gammad 1 (d Gamma 1; n; 2) and these 2 m OAs form a large set. Applying Corollary 7. 3, we have the following result, shown in [79, 82]. Theorem 7.5 If there exists a binary linear code of length n, dimension m and distance d, then there exists a function f : Z 2 ) n (Z 2 ) m that is resilient of order d Gamma 1. Combinatorial Designs in Communications 29 Simplex codes provide a good illustration of Theorem 7.5. For any ....

C. H. Bennett, G. Brassard & J. M. Robert, How to reduce your enemy's information, Lecture Notes in Computer Science, 218 (1986), 468--476.

....of hash functions can be used to generate a sequence of pairwise independent random variables in the following way: Select G 2 G uniformly at random and apply it to any fixed sequence x 1 ; x l of distinct values in X . Let Y j = G(x j ) for j = 1; l. Privacy amplification [BBR86, BBR88] is a method to eliminate partial information about a random variable and extract a shorter, almost uniformly distributed value. The following theorem [ILL89, BBCM95] is formulated using min entropy, but it can be generalized to Renyi entropy of any order ff 1 [Cac97b] Theorem 2 ( BBCM95] ....

Charles H. Bennett, Gilles Brassard, and JeanMarc Robert, How to reduce your enemy's information, Advances in Cryptology: CRYPTO '85 (Hugh C. Williams, ed.), Lecture Notes in Computer Science, vol. 218, Springer, 1986, pp. 468--476.

....of hash functions can be used to generate a sequence of pairwise independent random variables in the following way: Select G 2 G uniformly at random and apply it to any fixed sequence x 1 ; x l of distinct values in X , i.e. Y j = G(x j ) for j = 1; l. Privacy amplification [7, 6] is a method to eliminate partial information about a random variable and extract a shorter, almost uniformly distributed value. The following theorem [23, 5] is formulated using min entropy, but it can be generalized to Renyi entropy of any order ff 1 [9] Theorem 2 (Privacy Amplification ....

C. H. Bennett, G. Brassard, and J.-M. Robert. How to reduce your enemy's information. In H. C. Williams, editor, Advances in Cryptology: CRYPTO '85, volume 218 of Lecture Notes in Computer Science, pages 468--476. Springer, 1986.

.... for connections between authentication codes and designs [7, 2] the papers that introduced threshold schemes [16] for the connection between anonymous threshold schemes and designs [6] the paper that introduced key distribution patterns [9] the paper that introduced correlation immune functions [3, 4] the papers that introduced resilient functions [1] for recent results on resilient functions 10 Applications of Designs to Cryptography 1.6 ....

C. H. Bennett, G. Brassard, and J. M. Robert. How to Reduce Your Enemy's Information. Lecture Notes Comput. Sci., 218 (1986), 468--476.

.... 2 1 Delta OT k string OT to bitwise Gamma 2 1 Delta OT has for a long time concentrated on using self intersecting codes for the constructions [BCS96] but recent work by Brassard and Cr epeau [BC97] shows that the reduction can be done much more efficiently using privacy amplification [BBR86, ILL89, BBCM95]. This technique allows to weaken the security assumptions for Bob, permitting him not only to read one of the two bits, but also the XOR of both bits or even any binary function of them (GOT) Brassard and Cr epeau also suggested the further generalization to UOT. This paper extends their work ....

.... if, for all distinct x 1 ; x 2 2 X , there are at most jGj=jYj functions g in G such that g(x 1 ) g(x 2 ) Entropy smoothing by universal hashing is a widely used technique to concentrate the randomness inherent in a probability distribution known in different contexts as privacy amplification [BBR86, BBCM95] or the leftover hash lemma [ILL89] In cryptography, privacy amplification can be used to extract a short secret key from shared information about which an adversary has partial knowledge. Assume Alice and Bob share a random variable W , while an eavesdropper Eve knows a correlated random ....

Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert, How to reduce your enemy 's information, Advances in Cryptology: CRYPTO '85 (Hugh C. Williams, ed.), Lecture Notes in Computer Science, vol. 218, Springer, 1986, pp. 468--476.

....2 universal hash function can be used to generate a sequence of pairwise independent random variables in the following way: Select G 2 G uniformly at random and apply it to any fixed sequence x 1 ; x l of distinct values in X . Let Y j = G(x j ) for j = 1; l. Privacy amplification [BBR86] is a method to eliminate partial information about a random variable and extract a shorter, almost uniformly distributed value. The following theorem [ILL89, BBCM95] is formulated using min entropy, but it can be generalized to R enyi entropy of any order ff 1 [Cac97b] Theorem 2 ( BBCM95] ....

Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert, How to reduce your enemy 's information, Advances in Cryptology: CRYPTO '85 (Hugh C. Williams, ed.), Lecture Notes in Computer Science, vol. 218, Springer, 1986, pp. 468--476.

....an affirmative answer. These bounds are relatively close for t n=3 and for t 2n=3. Our results have applications in the fields of fault tolerance and cryptography. 1. INTRODUCTION The bit extraction problem formulated above The bit extraction problem was suggested by Brassard and Robert [BRref] and by Vazirani [Vref] an be viewed as a three move game between a user and an adversary. The game is parametrized by the integers n, m and t; and proceeds as follows. First, the user picks a function f : f0; 1g n 7 f0; 1g m . The function f will be applied to a n bit string. Next, the ....

....and a Bantrell Postdoctoral Fellowship. Supported in part by a Weizmann Postdoctoral Fellowship. On leave from the CS Dept. Technion, Israel. Supported in part by an IBM Graduate Fellowship and NSF Grant MCS 82 04506. The bit extraction problem was suggested by Brassard and Robert [BRref] and by Vazirani [Vref] c winning strategy. It is evident that the user has a winning strategy in the following two extreme cases: 1)m = 1 and t n Gamma 1 (by XORing all the bits) 2)t = 1 and m n Gamma 1 (by XORing every two adjacent bits) In both cases m n Gamma t. On the other hand, ....

[Article contains additional citation context not shown here]

Brassard, G., and JM Robert, "How to Reduce your Enemy's Information", to appear in the proceedings of Crypto85.

....theory [19] where no additional random sources are available. However, entropy smoothing does not consider the auxiliary random bits as a resource, unlike extractors used in theoretical computer science [17] In cryptography, entropy smoothing is known as privacy amplification. Introduced in 1985 [3, 4] and later generalized [2] it has become a key component of unconditionally secure cryptographic protocols with such various purposes as key agreement from correlated Supported by the Swiss National Science Foundation, grant no. 20 42105.94. information [16] key agreement over quantum ....

C. H. Bennett, G. Brassard, and J.-M. Robert, "How to reduce your enemy's information," in Advances in Cryptology --- CRYPTO '85 (H. C. Williams, ed.), vol. 218 of Lecture Notes in Computer Science, pp. 468--476, Springer-Verlag, 1986.

.... Amplification by Universal Hashing Entropy smoothing by universal hashing is a widely used technique in cryptography and theoretical computer science to concentrate the randomness inherent in a probability distribution, known in different contexts as entropy smoothing [7] or privacy amplification [2, 1]. The amount of extractable almost uniform randomness is closely related to the R enyi entropy [8] of the distribution. The R enyi entropy of order 2 of a random variable X is defined as H 2 (X) Gamma log X x2X PX (x) 2 : Universal hashing was introduced by Carter and Wegman [4] It is a ....

C. H. Bennett, G. Brassard, and J.-M. Robert, "How to reduce your enemy's information," in Advances in Cryptology: CRYPTO '85 (H. C. Williams, ed.), vol. 218 of Lecture Notes in Computer Science, pp. 468--476, Springer, 1986.

....out for Bob: if he discovers that Alice has cheated, he stoically shuts his mouth and continues as if nothing had happened. Once 5 This is why we had to use noninteractive reconciliation, such as that provided by error correcting codes, rather than the interactive reconciliation protocols of [6, 2]. aware of Alice s dishonesty, he takes whatever actions are necessary to counter her plans, but he must do so discreetly. If Alice knows that this will be Bob s behaviour, she knows that she cannot hope to learn anything from cheating, and thus she may not even attempt it. Potential harm ....

Bennett, C. H., G. Brassard and J.--M. Robert, "How to reduce your enemy's information ", Advances in Cryptology --- Crypto '85 Proceedings, August 1985, Springer--Verlag, pp. 468 -- 476.

....of the secret key and the theoretical upper bound is illustrated, and in Section VI a technique for closing this gap is presented. II. Unconditionally secure secret key agreement Unconditionally secure secret key agreement by public discussion was introduced by Bennett, Brassard and Robert in [5], 6] and generalized by Ahlswede and Csisz ar [1] and by Maurer [24] who introduced a general information theoretic model described below. It takes place in a scenario where Alice and Bob are connected by an insecure channel to which a passive eavesdropper Eve has perfect access, and where Alice, ....

....[1] is zero. After this phase, involving a sequence of messages summarized in a random variable C, Alice can compute a string W from X and C about which Bob has less uncertainty than Eve: H(W jXC) 0 and H(W jY C) H(W jZC) In the second phase, often referred to as information reconciliation [5], 2] 11] Alice and Bob exchange redundant information and apply error correction techniques in order for Bob to be able to learn W with very high probability but such that Eve is left only with incomplete information about it. Generally, Alice can send a bit string D whose length L is slightly ....

[Article contains additional citation context not shown here]

C. H. Bennett, G. Brassard and J.--M. Robert, "How to reduce your enemy's information ", Advances in Cryptology --- Proceedings of Crypto '85, Lecture Notes in Computer Science, Vol. 218, Springer--Verlag, Berlin, 1986, pp. 468 -- 476.

....background information on quantum cryptography. For further detail on the basic quantum channel, see chapter 6 of [13] We first review the original quantum key distribution protocol of [3] which illustrates the method most plainly. Then, we describe subsequent modifications of the protocol [11, 12, 4], which give it the ability, necessary in practice, to function despite partial information leakage to the eavesdropper and partial corruption of the quantum transmissions by noise. In Section 3, we describe the physical apparatus by which quantum key distribution has actually been carried out. In ....

....that is almost perfectly secret. The protocol we sketch is simple but not optimal: other protocols, which we are currently developing, have a higher yield of shared secret key at the same levels of noise and leakage. Further details on preliminary versions of the current protocol may be found in [4, 11, 24, 12]. Once the quantum transmission has been completed (with very dim light pulses used instead of single photons, as discussed in (2) above) the first task is for Alice and Bob to exchange public messages enabling them to reconcile the differences between their data. Because we assume throughout ....

Bennett, C. H., G. Brassard and J.--M. Robert, "How to reduce your enemy's information ", Advances in Cryptology --- Crypto '85 Proceedings, August 1985, Springer-- Verlag, pp. 468 -- 476.

No context found.

C. H. Bennett, G. Brassard, and J.-M. Robert. How to reduce your enemy's information. In Proc. of CRYPTO '85, Lecture Notes in Computer Science, vol. 218, pp. 468--476, Springer-Verlag, 1986.

No context found.

C. H. Bennett, G. Brassard, and J.-M. Robert, "How to reduce your enemy's information," in Advances in Cryptology --- CRYPTO '85 (H. C. Williams, ed.), vol. 218 of Lecture Notes in Computer Science, pp. 468--476, Springer-Verlag, 1986.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC