Results 1-10 of 43
Generalized privacy amplification
IEEE Transactions on Information Theory, 1995
Cited by 325 (19 self)
Abstract: This paper provides a general treatment of privacy amplification by public discussion, a concept introduced by Bennett, Brassard, and Robert for a special scenario. Privacy amplification is a process that allows two parties to distill a secret key from a common random variable about which an eavesdropper has partial information. The two parties generally know nothing about the eavesdropper’s information except that it satisfies a certain constraint. The results have applications to unconditionally secure secret-key agreement protocols and quantum cryptography, and they yield results on wiretap and broadcast channels for a considerably strengthened definition of secrecy capacity. Index Terms: Cryptography, secret-key agreement, unconditional security, privacy amplification, wiretap channel, secrecy capacity, Rényi entropy, universal hashing, quantum cryptography.
Information-theoretic key agreement: From weak to strong secrecy for free
LECTURE NOTES IN COMPUTER SCIENCE, 2000
Cited by 125 (2 self)
One of the basic problems in cryptography is the generation of a common secret key between two parties, for instance in order to communicate privately. In this paper we consider information-theoretically secure key agreement. Wyner and subsequently Csiszár and Körner described and analyzed settings for secret-key agreement based on noisy communication channels. Maurer as well as Ahlswede and Csiszár generalized these models to a scenario based on correlated randomness and public discussion. In all these settings, the secrecy capacity and the secret-key rate, respectively, have been defined as the maximal achievable rates at which a highly-secret key can be generated by the legitimate partners. However, the privacy requirements were too weak in all these definitions, requiring only the ratio between the adversary’s information and the length of the key to be negligible, but hence tolerating her to obtain a possibly substantial amount of information about the resulting key in an absolute sense. We give natural stronger definitions of secrecy capacity and secret-key rate, requiring that the adversary obtains virtually no information about the entire key. We show that not only secret-key agreement satisfying the strong secrecy condition is possible, but even that the achievable key-generation rates are equal to the previous weak notions of secrecy capacity and secret-key rate. Hence the unsatisfactory old definitions can be completely replaced by the new ones. We prove these results by a generic reduction of strong to weak key agreement. The reduction makes use of extractors, which allow to keep the required amount of communication negligible as compared to the length of the resulting key.
Unconditionally Secure Key Agreement and the Intrinsic Conditional Information
1999
Cited by 58 (7 self)
This paper is concerned with secret-key agreement by public discussion. Assume that two parties Alice and Bob and an adversary Eve have access to independent realizations of random variables X, Y, and Z, respectively, with joint distribution P_XYZ. The secret key rate S(X; Y||Z) has been defined as the maximal rate at which Alice and Bob can generate a secret key by communication over an insecure, but authenticated channel such that Eve's information about this key is arbitrarily small. We define a new conditional mutual information measure, the intrinsic conditional mutual information between X and Y when given Z, denoted by I(X; Y↓Z), which is an upper bound on S(X; Y||Z). The special scenarios are analyzed where X, Y, and Z are generated by sending a binary random variable R, for example a signal broadcast by a satellite, over independent channels, or two scenarios in which Z is generated by sending X and Y over erasure channels. In the first two scenarios it can be sho...
Information-theoretically secret key generation for fading wireless channels
IEEE TRANS ON INFORMATION FORENSICS AND SECURITY, 2010
Cited by 52 (2 self)
The multipath-rich wireless environment associated with typical wireless usage scenarios is characterized by a fading channel response that is time-varying, location-sensitive, and uniquely shared by a given transmitter–receiver pair. The complexity associated with a richly scattering environment implies that the short-term fading process is inherently hard to predict and best modeled stochastically, with rapid decorrelation properties in space, time, and frequency. In this paper, we demonstrate how the channel state between a wireless transmitter and receiver can be used as the basis for building practical secret key generation protocols between two entities. We begin by presenting a scheme based on level crossings of the fading process, which is well-suited for the Rayleigh and Rician fading models associated with a richly scattering environment. Our level crossing algorithm is simple, and incorporates a self-authenticating mechanism to prevent adversarial manipulation of message exchanges during the protocol. Since the level crossing algorithm is best suited for fading processes that exhibit symmetry in their underlying distribution, we present a second and more powerful approach that is suited for more general channel state distributions. This second approach is motivated by observations from quantizing jointly Gaussian processes, but exploits empirical measurements to set quantization boundaries and a heuristic log likelihood ratio estimate to achieve an improved secret key generation rate. We validate both proposed protocols through experimentations using a customized 802.11a platform, and show for the typical WiFi channel that reliable secret key establishment can be accomplished at rates on the order of 10 b/s.
Linking Information Reconciliation and Privacy Amplification
JOURNAL OF CRYPTOLOGY, 1994
Cited by 39 (5 self)
Information reconciliation allows two parties knowing correlated random variables, such as a noisy version of the partner's random bit string, to agree on a shared string. Privacy amplification allows two parties sharing a partially secret string about which an opponent has some partial information, to distill a shorter but almost completely secret key by communicating only over an insecure channel, as long as an upper bound on the opponent's knowledge about the string is known. The relation between these two techniques has not been well understood. In particular, it is important to understand the effect of side-information, obtained by the opponent through an initial reconciliation step, on the size of the secret key that can be distilled safely by subsequent privacy amplification. The purpose of this paper is to provide the missing link between these techniques by presenting bounds on the reduction of the Rényi entropy of a random variable induced by side-information. We s...
Secrecy capacities for multiterminal channel models
In Proc. IEEE Int. Symp. Information Theory (ISIT, 2005
Cited by 34 (7 self)
Shannon theoretic secret key generation by several parties is considered for models in which a secure noisy channel with one input terminal and multiple output terminals and a public noiseless channel of unlimited capacity are available for accomplishing this goal. The secret key is generated for a set A of terminals of the noisy channel, with the remaining terminals (if any) cooperating in this task through their public communication. Single-letter characterizations of secrecy capacities are obtained for models in which secrecy is required from an eavesdropper that observes only the public communication and perhaps also a set of terminals disjoint from A. These capacities are shown to be achievable with noninteractive public communication, the channel input terminal sending no public message and each output terminal sending at most one public message, not using randomization. Moreover, when the input terminal belongs to the set A, it can generate the secret key at the outset and transmit it over the noisy channel, suitably encoded, whereupon the output terminals in A securely recover this key using public communication as above. For models in which the eavesdropper also possesses side information that is not available to any of the terminals cooperating in secrecy generation, an upper bound for the secrecy capacity and a sufficient condition for its tightness are given. Index Terms – Multiterminal channel, multiple source, private key, secrecy capacity, secret key, wiretap side information.
Reliable Biometric Authentication with Privacy Protection
24th Benelux Symp. on Info. Theory, 2003
Cited by 29 (4 self)
Abstract. We propose a new scheme for reliable authentication of physical objects. The scheme allows not only the combination of noisy data with cryptographic functions but has the additional property that the stored reference information is non-revealing. By breaking into the database and retrieving the stored data, the attacker will not be able to obtain any realistic approximation of the original physical object. This technique has applications in secure storage of biometric templates in databases and in authentication of PUFs (Physical Uncloneable Functions).
Information-Theoretically Secure Secret-Key Agreement by NOT Authenticated Public Discussion
Advances in Cryptology - EUROCRYPT '97, Lecture, 1997
Cited by 28 (2 self)
All information-theoretically secure key agreement protocols (e.g. based on quantum cryptography or on noisy channels) described in the literature are secure only against passive adversaries in the sense that they assume the existence of an authenticated public channel. The goal of this paper is to investigate information-theoretic security even against active adversaries with complete control over the communication channel connecting the two parties who want to agree on a secret key. Several impossibility results are proved and some scenarios are characterized in which secret-key agreement secure against active adversaries is possible.