Results 1-10 of 165
Generalized privacy amplification
IEEE Transactions on Information Theory, 1995
Cited by 329 (19 self)
Abstract. This paper provides a general treatment of privacy amplification by public discussion, a concept introduced by Bennett, Brassard, and Robert for a special scenario. Privacy amplification is a process that allows two parties to distill a secret key from a common random variable about which an eavesdropper has partial information. The two parties generally know nothing about the eavesdropper's information except that it satisfies a certain constraint. The results have applications to unconditionally secure secret-key agreement protocols and quantum cryptography, and they yield results on wiretap and broadcast channels for a considerably strengthened definition of secrecy capacity. Index Terms: Cryptography, secret-key agreement, unconditional security, privacy amplification, wiretap channel, secrecy capacity, Rényi entropy, universal hashing, quantum cryptography.
Information-theoretic analysis of information hiding
IEEE Transactions on Information Theory, 2003
Cited by 269 (19 self)
Abstract—An information-theoretic analysis of information hiding is presented in this paper, forming the theoretical basis for design of information-hiding systems. Information hiding is an emerging research area which encompasses applications such as copyright protection for digital media, watermarking, fingerprinting, steganography, and data embedding. In these applications, information is hidden within a host data set and is to be reliably communicated to a receiver. The host data set is intentionally corrupted, but in a covert way, designed to be imperceptible to a casual analysis. Next, an attacker may seek to destroy this hidden information, and for this purpose, introduce additional distortion to the data set. Side information (in the form of cryptographic keys and/or information about the host signal) may be available to the information hider and to the decoder. We formalize these notions and evaluate the hiding capacity, which upper-bounds the rates of reliable transmission and quantifies the fundamental tradeoff between three quantities: the achievable information-hiding rates and the allowed distortion levels for the information hider and the attacker. The hiding capacity is the value of a game between the information hider and the attacker. The optimal attack strategy is the solution of a particular rate-distortion problem, and the optimal hiding strategy is the solution to a channel-coding problem. The hiding capacity is derived by extending the Gel'fand–Pinsker theory of communication with side information at the encoder. The extensions include the presence of distortion constraints, side information at the decoder, and unknown communication channel. Explicit formulas for capacity are given in several cases, including Bernoulli and Gaussian problems, as well as the important special case of small distortions. In some cases, including the last two above, the hiding capacity is the same whether or not the decoder knows the host data set.
It is shown that many existing information-hiding systems in the literature operate far below capacity. Index Terms—Channel capacity, cryptography, fingerprinting, game theory, information hiding, network information theory,
Cryptanalysis of block ciphers with overdefined systems of equations
2002
Cited by 251 (22 self)
Abstract. Several recently proposed ciphers, for example Rijndael and Serpent, are built with layers of small S-boxes interconnected by linear key-dependent layers. Their security relies on the fact that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on probabilistic characteristics, which makes their security grow exponentially with the number of rounds Nr. In this paper we study the security of such ciphers under an additional hypothesis: the S-box can be described by an overdefined system of algebraic equations (true with probability 1). We show that this is true for both Serpent (due to a small size of S-boxes) and Rijndael (due to unexpected algebraic properties). We study general methods known for solving overdefined systems of equations, such as XL from Eurocrypt'00, and show their inefficiency. Then we introduce a new method called XSL that uses the sparsity of the equations and their specific structure. The XSL attack uses only relations true with probability 1, and thus the security does not have to grow exponentially in the number of rounds. XSL has a parameter P, and from our estimations it seems that P should be a constant or grow very slowly with the number of rounds. The XSL attack would then be polynomial (or subexponential) in Nr, with a huge constant that is double-exponential in the size of the S-box. The exact complexity of such attacks is not known due to the redundant equations. Though the presented version of the XSL attack always gives more than the exhaustive search for Rijndael, it seems to (marginally) break 256-bit Serpent. We suggest a new criterion for design of S-boxes in block ciphers: they should not be describable by a system of polynomial equations that is too small or too overdefined.
The Gaussian Multiple Access Wiretap Channel
IEEE Transactions on Information Theory, 2008
Cited by 110 (12 self)
We consider the Gaussian multiple access wiretap channel (GMAC-WT). In this scenario, multiple users communicate with an intended receiver in the presence of an intelligent and informed wiretapper who receives a degraded version of the signal at the receiver. We define suitable security measures for this multi-access environment. Using codebooks generated randomly according to a Gaussian distribution, achievable secrecy rate regions are identified using superposition coding and time-division multiple access (TDMA) coding schemes. An upper bound for the secrecy sum-rate is derived, and our coding schemes are shown to achieve the sum capacity. Numerical results are presented showing the new rate region and comparing it with the capacity region of the Gaussian multiple-access channel (GMAC) with no secrecy constraints, which quantifies the price paid for secrecy.
The general Gaussian multiple access and two-way wiretap channels: Achievable rates and cooperative jamming
IEEE Trans. Inf. Theory, 2008
Cited by 90 (32 self)
We consider the General Gaussian Multiple Access Wire-Tap Channel (GGMAC-WT) and the Gaussian Two-Way Wire-Tap Channel (GTW-WT), which are commonly found in multi-user wireless communication scenarios and serve as building blocks for ad-hoc networks. In the GGMAC-WT, multiple users communicate with an intended receiver in the presence of an intelligent and informed eavesdropper who receives their signals through another GMAC. In the GTW-WT, two users communicate with each other with an eavesdropper listening through a GMAC. We consider a secrecy measure that is suitable for this multi-terminal environment, and identify achievable secrecy regions for both channels using Gaussian codebooks. In the special case where the GGMAC-WT is degraded, we show that Gaussian codewords achieve the strong secret key sum-capacity. For both GGMAC-WT and GTW-WT, we find the power allocations that maximize the achievable secrecy sum-rate, and find that the optimum policy may prevent some terminals from transmission in order to preserve the secrecy of the system. Inspired by this construct, we next propose a new scheme which we call cooperative jamming, where users who are not transmitting according to the sum-rate maximizing power allocation can help the remaining users by "jamming" the eavesdropper. This scheme is shown to increase the achievable secrecy sum-rate, and in some cases allow a previously non-transmitting terminal to be able to transmit with secrecy. Overall,
Advanced Slide Attacks
2000
Cited by 69 (6 self)
Abstract. Recently a powerful cryptanalytic tool, the slide attack, was introduced [3]. Slide attacks are very successful in breaking iterative ciphers with a high degree of self-similarity and, even more surprisingly, are independent of the number of rounds of a cipher. In this paper we extend the applicability of slide attacks to a larger class of ciphers. We find very efficient known- and chosen-text attacks on generic Feistel ciphers with a periodic key-schedule with four independent subkeys, and consequently we are able to break a DES variant proposed in [2] using just 128 chosen texts and negligible time for the analysis (for one out of every 2^16 keys). We also describe known-plaintext attacks on DESX and Even-Mansour schemes with the same complexity as the best previously known chosen-plaintext attacks on these ciphers. Finally, we provide new insight into the design of GOST by successfully analyzing a 20-round variant (GOST⊕) and demonstrating weak key classes for all 32 rounds.
Cryptographic Protocols
1982
Cited by 58 (9 self)
... this paper only with one aspect of security: properties of the system that are hidden from an enemy who may make inferences. Informally, a participant (honest or dishonest) is presented with information and properties that he brings to the protocol as a priori information. Whatever is to be excluded from knowledge (e.g., the knowledge of secret keys in a public key system) must be explicitly excluded from this information. This information is modelled by a set theoretic structure, and so the basic inferences that can be drawn by a participant are the sentences of the complete logical theory of this structure. A participant can also apply cryptographic operations to generate new messages. The basic mechanism for this is an inference function which is assigned to each participant. The nature of an inference function is unspecified, except that it satisfy a losslessness condition ...
Data-Hiding Codes
Proc. IEEE, 2005
Cited by 56 (4 self)
This tutorial paper reviews the theory and design of codes for hiding or embedding information in signals such as images, video, audio, graphics, and text. Such codes have also been called watermarking codes; they can be used in a variety of applications, including copyright protection for digital media, content authentication, media forensics, data binding, and covert communications. Some of these applications imply the presence of an adversary attempting to disrupt the transmission of information to the receiver; other applications involve a noisy, generally unknown, communication channel. Our focus is on the mathematical models, fundamental principles, and code design techniques that are applicable to data hiding. The approach draws from basic concepts in information theory, coding theory, game theory, and signal processing, and is illustrated with applications to the problem of hiding data in images. Keywords—Coding theory, data hiding, game theory, image processing, information theory, security, signal processing, watermarking.
Cooperation with an untrusted relay: a secrecy perspective
IEEE Transactions on Information Theory, 2010
Cited by 53 (13 self)
We consider the communication scenario where a source-destination pair wishes to keep the information secret from a relay node despite wanting to enlist its help. For this scenario, an interesting question is whether the relay node should be deployed at all. That is, whether cooperation with an untrusted relay node can ever be beneficial. We first provide an achievable secrecy rate for the general untrusted relay channel, and proceed to investigate this question for two types of relay networks with orthogonal components. For the first model, there is an orthogonal link from the source to the relay. For the second model, there is an orthogonal link from the relay to the destination. For the first model, we find the equivocation capacity region and show that the answer is negative. In contrast, for the second model, we find that the answer is positive. Specifically, we show, by means of the achievable secrecy rate based on compress-and-forward, that by asking the untrusted relay node to relay information, we can achieve a higher secrecy rate than just treating the relay as an eavesdropper. For a special class of the second model, where the relay is not interfering itself, we derive an upper bound for the secrecy rate using an argument whose net effect is to separate the eavesdropper from the relay. The merit of the new upper bound is demonstrated on two channels that belong to this special class. The Gaussian case of the second model mentioned above benefits from this approach in that the new upper bound improves the previously known bounds. For the Cover–Kim deterministic relay channel, the new upper bound finds the secrecy capacity when the source-destination link is not worse than the source-relay link, by matching the achievable rate we present.
Robust and secure image hashing
IEEE Trans. Inf. Forensics Sec.
Cited by 47 (8 self)
Abstract—Image hash functions find extensive applications in content authentication, database search, and watermarking. This paper develops a new algorithm for generating an image hash based on Fourier transform features and controlled randomization. We formulate the robustness of image hashing as a hypothesis testing problem and evaluate the performance under various image processing operations. We show that the proposed hash function is resilient to content-preserving modifications, such as moderate geometric and filtering distortions. We introduce a general framework to study and evaluate the security of image hashing systems. Under this new framework, we model the hash values as random variables and quantify their uncertainty in terms of differential entropy. Using this security framework, we analyze the security of the proposed schemes and several existing representative methods for image hashing. We then examine the security versus robustness tradeoff and show that the proposed hashing methods can provide excellent security and robustness. Index Terms—Differential entropy, image authentication, image hashing, multimedia security.