Results 1 - 10 of 26
Secrecy capacities for multiple terminals
IEEE Trans. Inform. Theory, 2004
Cited by 104 (12 self)
Abstract—We derive single-letter characterizations of (strong) secrecy capacities for models with an arbitrary number of terminals, each of which observes a distinct component of a discrete memoryless multiple source, with unrestricted and interactive public communication permitted between the terminals. A subset of these terminals can serve as helpers for the remaining terminals in generating secrecy. According to the extent of an eavesdropper’s knowledge, three kinds of secrecy capacity are considered: secret key (SK), private key (PK), and wiretap secret key (WSK) capacity. The characterizations of the SK and PK capacities highlight the innate connections between secrecy generation and multiterminal source coding without secrecy requirements. A general upper bound for WSK capacity is derived which is tight in the case when the eavesdropper can wiretap noisy versions of the components of the underlying multiple source, provided randomization is permitted at the terminals. These secrecy capacities are seen to be achievable with noninteractive communication between the terminals. The achievability results are also shown to be universal. Index Terms—Common randomness, multiple source, private key, public discussion, secrecy capacity, security index, Slepian–Wolf constraints, wiretap.
Information-Theoretic Key Agreement of Multiple Terminals - Part II: Channel Model
2008
Cited by 37 (10 self)
This is the second part of a two-part paper on information-theoretically secure secret key agreement. This paper focuses on the secret key rate problem under the channel model. In the channel model, a set of two or more terminals wish to create a shared secret key that is information-theoretically secure from an eavesdropper. The first terminal can choose a sequence of inputs to a discrete memoryless broadcast channel, which has outputs at the other terminals and at the eavesdropper. After each channel use, the terminals can engage in arbitrarily many rounds of interactive authenticated communication over a public channel; thus, each input by the first terminal can depend on the previous inputs and the public communication so far. At the end of the process each terminal should be able to generate the key. We introduce a technique for proving that a given expression bounds the secrecy rate from above. Using this technique, a new upper bound on the secrecy rate in the general multiterminal case is proposed that strictly improves the currently best known upper bound. We also derive a new lower bound on the secrecy rate and prove that it strictly improves what is essentially the best known lower bound.
Secrecy capacities for multiterminal channel models
In Proc. IEEE Int. Symp. Information Theory (ISIT), 2005
Cited by 34 (7 self)
Shannon theoretic secret key generation by several parties is considered for models in which a secure noisy channel with one input terminal and multiple output terminals and a public noiseless channel of unlimited capacity are available for accomplishing this goal. The secret key is generated for a set A of terminals of the noisy channel, with the remaining terminals (if any) cooperating in this task through their public communication. Single-letter characterizations of secrecy capacities are obtained for models in which secrecy is required from an eavesdropper that observes only the public communication and perhaps also a set of terminals disjoint from A. These capacities are shown to be achievable with noninteractive public communication, the channel input terminal sending no public message and each output terminal sending at most one public message, not using randomization. Moreover, when the input terminal belongs to the set A, it can generate the secret key at the outset and transmit it over the noisy channel, suitably encoded, whereupon the output terminals in A securely recover this key using public communication as above. For models in which the eavesdropper also possesses side information that is not available to any of the terminals cooperating in secrecy generation, an upper bound for the secrecy capacity and a sufficient condition for its tightness are given. Index Terms – Multiterminal channel, multiple source, private key, secrecy capacity, secret key, wiretap side information.
Key agreement from weak bit agreement
In Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing
Cited by 22 (2 self)
Assume that Alice and Bob, given an authentic channel, have a protocol where they end up with a bit $S_A$ and $S_B$, respectively, such that with probability $\frac{1+\varepsilon}{2}$ these bits are equal. Further assume that conditioned on the event $S_A = S_B$ no polynomial time bounded algorithm can predict the bit better than with probability $1 - \frac{\delta}{2}$. Is it possible to obtain key agreement from such a primitive? We show that for constant $\delta$ and $\varepsilon$ the answer is yes if and only if $\delta > \frac{1-\varepsilon}{1+\varepsilon}$, both for uniform and nonuniform adversaries. The main computational technique used in this paper is a strengthening of Impagliazzo’s hardcore lemma to the uniform case and to a set size parameter which is tight (i.e., twice the original size). This may be of independent interest.
One-Way Secret-Key Agreement and Applications to Circuit Polarization and Immunization of Public-Key Encryption
In Advances in Cryptology - CRYPTO 2005, 2005
Cited by 17 (1 self)
Abstract. Secret-key agreement between two parties Alice and Bob, connected by an insecure channel, can be realized in an information-theoretic sense if the parties share many independent pairs of correlated and partially secure bits. We study the special case where only one-way communication from Alice to Bob is allowed and where, for each of the bit pairs, with a certain probability, the adversary has no information on Alice's bit. We give an expression which, for this situation, exactly characterizes the rate at which Alice and Bob can generate secret key bits. This result can be used to analyze a slightly restricted variant of the problem of polarizing circuits, introduced by Sahai and Vadhan in the context of statistical zero-knowledge, which we show to be equivalent to secret-key agreement as described above. This provides us both with new constructions to polarize circuits, but also proves that the known constructions work for parameters which are tight. As a further application of our results on secret-key agreement, we show how to immunize single-bit public-key encryption schemes from decryption errors and insecurities of the encryption, a question posed and partially answered by Dwork, Naor, and Reingold. Our construction works for stronger parameters than the known constructions.
Secret key and private key constructions for simple multiterminal source models
Proceedings Int. Symp. on Inform. Theory, 2005
Cited by 17 (6 self)
Abstract — This work is motivated by recent results of Csiszár
Quantum Proofs for Classical Theorems
2009
Cited by 15 (4 self)
Alongside the development of quantum algorithms and quantum complexity theory in recent years, quantum techniques have also proved instrumental in obtaining results in classical (non-quantum) areas. In this paper we survey these results and the quantum toolbox they use.
New monotones and lower bounds in unconditional two-party computation
In Advances in Cryptology — CRYPTO ’05, 2005
Cited by 15 (4 self)
Abstract. Since bit and string oblivious transfer and commitment, two primitives of paramount importance in secure two- and multi-party computation, cannot be realized in an unconditionally secure way for both parties from scratch, reductions to weak information-theoretic primitives as well as between different variants of the functionalities are of great interest. In this context, we introduce three independent monotones—quantities that cannot be increased by any protocol—and use them to derive lower bounds on the possibility and efficiency of such reductions. An example is the transition between different versions of oblivious transfer, for which we also propose a new protocol allowing to increase the number of messages the receiver can choose from at the price of a reduction of their length. Our scheme matches the new lower bound and is, therefore, optimal.
2005b, General paradigm for distilling classical key from quantum states, eprint quant-ph/0506189
A cryptographic treatment of the wiretap channel
2010
Cited by 11 (5 self)
The wiretap channel is a setting where one aims to provide information-theoretic privacy of communicated data based solely on the assumption that the channel from sender to adversary is “noisier” than the channel from sender to receiver. It has been the subject of decades of work in the information and coding (I&C) community. This paper bridges the gap between this body of work and modern cryptography with contributions along two fronts, namely metrics (definitions) of security, and schemes. We explain that the metric currently in use is weak and insufficient to guarantee security of applications and propose two replacements. One, that we call mis-security, is a mutual-information based metric in the I&C style. The other, semantic security, adapts to this setting a cryptographic metric that, in the cryptography community, has been vetted by decades of evaluation and endorsed as the target for standards and implementations. We show that they are equivalent (any scheme secure under one is secure under the other), thereby connecting two fundamentally different ways of defining security and providing a strong, unified and well-founded target for designs. Moving on to schemes, results from the wiretap community are mostly nonconstructive, proving the existence of schemes without necessarily yielding ones that are explicit,