Results 1 - 10 of 214
Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. Technical Report 2003/235, Cryptology ePrint archive, http://eprint.iacr.org, 2006. Previous version appeared at EUROCRYPT 2004
 Yevgeniy Dodis, Leonid Reyzin, and Adam
, 2004
Cited by 292 (35 self)
We provide formal definitions and efficient secure techniques for • turning noisy information into keys usable for any cryptographic application, and, in particular, • reliably and securely authenticating biometric data. Our techniques apply not just to biometric information, but to any keying material that, unlike traditional cryptographic keys, is (1) not reproducible precisely and (2) not distributed uniformly. We propose two primitives: a fuzzy extractor reliably extracts nearly uniform randomness R from its input; the extraction is error-tolerant in the sense that R will be the same even if the input changes, as long as it remains reasonably close to the original. Thus, R can be used as a key in a cryptographic application. A secure sketch produces public information about its input w that does not reveal w, and yet allows exact recovery of w given another value that is close to w. Thus, it can be used to reliably reproduce error-prone biometric inputs without incurring the security risk inherent in storing them. We define the primitives to be both formally secure and versatile, generalizing much prior work. In addition, we provide nearly optimal constructions of both primitives for various measures of “closeness” of input data, such as Hamming distance, edit distance, and set difference.
Generalized Privacy Amplification
 IEEE Transactions on Information Theory
, 1995
Cited by 215 (18 self)
This paper provides a general treatment of privacy amplification by public discussion, a concept introduced by Bennett, Brassard and Robert [1] for a special scenario. The results have applications to unconditionally-secure secret-key agreement protocols, quantum cryptography and to a non-asymptotic and constructive treatment of the secrecy capacity of wiretap and broadcast channels, even for a considerably strengthened definition of secrecy capacity. I. Introduction This paper is concerned with unconditionally-secure secret-key agreement by two communicating parties Alice and Bob who both know a random variable W, for instance a random n-bit string, about which an eavesdropper Eve has incomplete information characterized by the random variable V jointly distributed with W according to $P_{VW}$. This distribution may partially be under Eve's control. Alice and Bob know nothing about $P_{VW}$, except that it satisfies a certain constraint. We present protocols by which Alice and Bob can us...
Discrete memoryless interference and broadcast channels with confidential messages: secrecy rate regions
 IEEE Transactions on Information Theory
, 2008
Cited by 80 (9 self)
Abstract — Discrete memoryless interference and broadcast channels in which independent confidential messages are sent to two receivers are considered. Confidential messages are transmitted to each receiver with perfect secrecy, as measured by the equivocation at the other receiver. In this paper, we derive inner and outer bounds for the achievable rate regions for these two communication systems. I.
Secure communication over fading channels
 In Proc. Annu. Allerton Conf. Communication, Control and Computing
, 2006
Cited by 70 (11 self)
The fading broadcast channel with confidential messages (BCC) is investigated, where a source node has common information for two receivers (receivers 1 and 2), and has confidential information intended only for receiver 1. The confidential information needs to be kept as secret as possible from receiver 2. The broadcast channel from the source node to receivers 1 and 2 is corrupted by multiplicative fading gain coefficients in addition to additive Gaussian noise terms. The channel state information (CSI) is assumed to be known at both the transmitter and the receivers. The parallel BCC with independent subchannels is first studied, which serves as an information-theoretic model for the fading BCC. The secrecy capacity region of the parallel BCC is established. This result is then specialized to give the secrecy capacity region of the parallel BCC with degraded subchannels. The secrecy capacity region is then established for the parallel Gaussian BCC, and the optimal source power allocations that achieve the boundary of the secrecy capacity region are derived. In particular, the secrecy capacity region is established for the basic Gaussian BCC. The secrecy capacity results are then
The Gaussian Multiple Access Wiretap Channel
 IEEE TRANSACTION ON INFORMATION THEORY
, 2008
Cited by 60 (8 self)
We consider the Gaussian multiple access wiretap channel (GMAC-WT). In this scenario, multiple users communicate with an intended receiver in the presence of an intelligent and informed wiretapper who receives a degraded version of the signal at the receiver. We define suitable security measures for this multi-access environment. Using codebooks generated randomly according to a Gaussian distribution, achievable secrecy rate regions are identified using superposition coding and time-division multiple access (TDMA) coding schemes. An upper bound for the secrecy sum-rate is derived, and our coding schemes are shown to achieve the sum capacity. Numerical results are presented showing the new rate region and comparing it with the capacity region of the Gaussian multiple-access channel (GMAC) with no secrecy constraints, which quantifies the price paid for secrecy.
Correcting errors without leaking partial information
 In 37th Annual ACM Symposium on Theory of Computing (STOC
, 2005
Cited by 56 (10 self)
This paper explores what kinds of information two parties must communicate in order to correct errors which occur in a shared secret string W. Any bits they communicate must leak a significant amount of information about W — that is, from the adversary’s point of view, the entropy of W will drop significantly. Nevertheless, we construct schemes with which Alice and Bob can prevent an adversary from learning any useful information about W. Specifically, if the entropy of W is sufficiently high, then there is no function f(W) which the adversary can learn from the error-correction information with significant probability. This leads to several new results: (a) the design of noise-tolerant “perfectly one-way” hash functions in the sense of Canetti et al. [7], which in turn leads to obfuscation of proximity queries for high entropy secrets W; (b) private fuzzy extractors [11], which allow one to extract uniformly random bits from noisy and non-uniform data W, while also insuring that no sensitive information about W is leaked; and (c) noise tolerance and stateless key reuse in the Bounded Storage Model, resolving the main open problem of Ding [10]. The heart of our constructions is the design of strong randomness extractors with the property that the source W can be recovered from the extracted randomness and any string W′ which is close to W.
Information-theoretic key agreement: From weak to strong secrecy for free
 Lecture Notes in Computer Science
, 2000
Cited by 54 (2 self)
Abstract. One of the basic problems in cryptography is the generation of a common secret key between two parties, for instance in order to communicate privately. In this paper we consider information-theoretically secure key agreement. Wyner and subsequently Csiszár and Körner described and analyzed settings for secret-key agreement based on noisy communication channels. Maurer as well as Ahlswede and Csiszár generalized these models to a scenario based on correlated randomness and public discussion. In all these settings, the secrecy capacity and the secret-key rate, respectively, have been defined as the maximal achievable rates at which a highly-secret key can be generated by the legitimate partners. However, the privacy requirements were too weak in all these definitions, requiring only the ratio between the adversary’s information and the length of the key to be negligible, but hence tolerating her to obtain a possibly substantial amount of information about the resulting key in an absolute sense. We give natural stronger definitions of secrecy capacity and secret-key rate, requiring that the adversary obtains virtually no information about the entire key. We show that not only secret-key agreement satisfying the strong secrecy condition is possible, but even that the achievable key-generation rates are equal to the previous weak notions of secrecy capacity and secret-key rate. Hence the unsatisfactory old definitions can be completely replaced by the new ones. We prove these results by a generic reduction of strong to weak key agreement. The reduction makes use of extractors, which allow to keep the required amount of communication negligible as compared to the length of the resulting key.
Secrecy Capacity of Wireless Channels
 in Proc. IEEE Int. Symp. Information Theory (ISIT
, 2006
Cited by 52 (3 self)
Abstract — We consider the transmission of confidential data over wireless channels with multiple communicating parties. Based on an information-theoretic problem formulation in which two legitimate partners communicate over a quasi-static fading channel and an eavesdropper observes their transmissions through another independent quasi-static fading channel, we define the secrecy capacity in terms of outage probability and provide a complete characterization of the maximum transmission rate at which the eavesdropper is unable to decode any information. In sharp contrast with known results for Gaussian wiretap channels (without feedback), our contribution shows that in the presence of fading information-theoretic security is achievable even when the eavesdropper has a better average signal-to-noise ratio (SNR) than the legitimate receiver — fading thus turns out to be a friend and not a foe. I.
Efficient Cryptographic Protocols based on Noisy Channels
, 1996
Cited by 51 (0 self)
The Wire-Tap Channel of Wyner [20] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Crépeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a cryptographic scenario of two possibly dishonest people facing each other. Unfortunately this result is rather impractical as it requires $\Omega(n^{11})$ bits to be transmitted through the BSC to accomplish a single OT. The current paper provides efficient protocols to achieve the cryptographic primitives of Bit Commitment and Oblivious Transfer based on the existence of a Binary Symmetric Channel. Our protocols respectively require sending $O(n)$ and $O(n^3)$ bits through the BSC. These results are based on a technique known as Generalized Privacy Amplification [1] that allow two people to extract secret information from partially compromised data. 1 Introduction The cryptographic power of...
The general Gaussian multiple access and two-way wiretap channels: Achievable rates and cooperative jamming
 IEEE Trans. Inf. Theory
, 2008
Cited by 50 (24 self)
We consider the General Gaussian Multiple Access Wire-Tap Channel (GGMAC-WT) and the Gaussian Two-Way Wire-Tap Channel (GTW-WT) which are commonly found in multiuser wireless communication scenarios and serve as building blocks for ad-hoc networks. In the GGMAC-WT, multiple users communicate with an intended receiver in the presence of an intelligent and informed eavesdropper who receives their signals through another GMAC. In the GTW-WT, two users communicate with each other with an eavesdropper listening through a GMAC. We consider a secrecy measure that is suitable for this multiterminal environment, and identify achievable such secrecy regions for both channels using Gaussian codebooks. In the special case where the GGMAC-WT is degraded, we show that Gaussian codewords achieve the strong secret key sum-capacity. For both GGMAC-WT and GTW-WT, we find the power allocations that maximize the achievable secrecy sum-rate, and find that the optimum policy may prevent some terminals from transmission in order to preserve the secrecy of the system. Inspired by this construct, we next propose a new scheme which we call cooperative jamming, where users who are not transmitting according to the sum-rate maximizing power allocation can help the remaining users by “jamming” the eavesdropper. This scheme is shown to increase the achievable secrecy sum-rate, and in some cases allow a previously non-transmitting terminal to be able to transmit with secrecy. Overall,