Results 1-10 of 330
Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. Technical Report 2003/235, Cryptology ePrint archive, http://eprint.iacr.org, 2006. Previous version appeared at EUROCRYPT 2004
 Yevgeniy Dodis, Leonid Reyzin, and Adam
, 2004
Cited by 532 (38 self)
We provide formal definitions and efficient secure techniques for
• turning noisy information into keys usable for any cryptographic application, and, in particular,
• reliably and securely authenticating biometric data.
Our techniques apply not just to biometric information, but to any keying material that, unlike traditional cryptographic keys, is (1) not reproducible precisely and (2) not distributed uniformly. We propose two primitives: a fuzzy extractor reliably extracts nearly uniform randomness R from its input; the extraction is error-tolerant in the sense that R will be the same even if the input changes, as long as it remains reasonably close to the original. Thus, R can be used as a key in a cryptographic application. A secure sketch produces public information about its input w that does not reveal w, and yet allows exact recovery of w given another value that is close to w. Thus, it can be used to reliably reproduce error-prone biometric inputs without incurring the security risk inherent in storing them. We define the primitives to be both formally secure and versatile, generalizing much prior work. In addition, we provide nearly optimal constructions of both primitives for various measures of “closeness” of input data, such as Hamming distance, edit distance, and set difference.
Mixed state entanglement and quantum error correction
 Phys. Rev., A
, 1996
Cited by 195 (7 self)
Entanglement purification protocols (EPP) and quantum error-correcting codes (QECC) provide two ways of protecting quantum states from interaction with the environment. In an EPP, perfectly entangled pure states are extracted, with some yield D, from a bipartite mixed state M; with a QECC, an arbitrary quantum state |ξ⟩ can be transmitted at some rate Q through a noisy channel χ without degradation. We prove that an EPP involving one-way classical communication and acting on mixed state M̂(χ) (obtained by sharing halves of EPR pairs through a channel χ) yields a QECC on χ with rate Q = D, and vice versa. We compare the amount of entanglement E(M) required to prepare a mixed state M by local actions with the amounts D1(M) and D2(M) that can be locally distilled from it by EPPs using one- and two-way classical communication respectively, and give an exact expression for E(M) when M is Bell-diagonal. While EPPs require classical communication, quantum channel coding does not, and we prove Q is not increased by adding one-way classical communication. However, both D and Q can be increased by adding two-way communication. We show that certain noisy quantum channels, for example a 50% depolarizing channel, can be used for reliable transmission of quantum states if two-way communication is available, but cannot be used if only one-way communication is available. We exhibit a family of codes based on universal hashing able to achieve an asymptotic Q (or D) of 1 − S for simple noise models, where S is the error entropy. We also obtain a specific, simple 5-bit single-error-correcting quantum block code. We prove that iff a QECC results in perfect fidelity for the case of the no-error error syndrome the QECC can be recast into a form where the encoder is the matrix inverse of the decoder. PACS numbers: 03.65.Bz, 42.50.Dv, 89.70.+c
Quantum cryptography
 Rev. Mod. Phys
, 2002
Cited by 182 (6 self)
Quantum cryptography could well be the first application of quantum mechanics at the individual quanta level. The very fast progress in both theory and experiments over the recent years are reviewed, with emphasis on open questions and technological issues.
Wireless information-theoretic security - part I: Theoretical aspects
 IEEE Trans. on Information Theory
, 2006
Cited by 155 (12 self)
In this two-part paper, we consider the transmission of confidential data over wireless wiretap channels. The first part presents an information-theoretic problem formulation in which two legitimate partners communicate over a quasi-static fading channel and an eavesdropper observes their transmissions through another independent quasi-static fading channel. We define the secrecy capacity in terms of outage probability and provide a complete characterization of the maximum transmission rate at which the eavesdropper is unable to decode any information. In sharp contrast with known results for Gaussian wiretap channels (without feedback), our contribution shows that in the presence of fading information-theoretic security is achievable even when the eavesdropper has a better average signal-to-noise ratio (SNR) than the legitimate receiver — fading thus turns out to be a friend and not a foe. The issue of imperfect channel state information is also addressed. Practical schemes for wireless information-theoretic security are presented in Part II, which in some cases comes close to the secrecy capacity limits given in this paper.
Information-theoretic key agreement: From weak to strong secrecy for free
 Lecture Notes in Computer Science
, 2000
Cited by 126 (2 self)
Abstract. One of the basic problems in cryptography is the generation of a common secret key between two parties, for instance in order to communicate privately. In this paper we consider information-theoretically secure key agreement. Wyner and subsequently Csiszár and Körner described and analyzed settings for secret-key agreement based on noisy communication channels. Maurer as well as Ahlswede and Csiszár generalized these models to a scenario based on correlated randomness and public discussion. In all these settings, the secrecy capacity and the secret-key rate, respectively, have been defined as the maximal achievable rates at which a highly-secret key can be generated by the legitimate partners. However, the privacy requirements were too weak in all these definitions, requiring only the ratio between the adversary’s information and the length of the key to be negligible, but hence tolerating her to obtain a possibly substantial amount of information about the resulting key in an absolute sense. We give natural stronger definitions of secrecy capacity and secret-key rate, requiring that the adversary obtains virtually no information about the entire key. We show that not only secret-key agreement satisfying the strong secrecy condition is possible, but even that the achievable key-generation rates are equal to the previous weak notions of secrecy capacity and secret-key rate. Hence the unsatisfactory old definitions can be completely replaced by the new ones. We prove these results by a generic reduction of strong to weak key agreement. The reduction makes use of extractors, which allow to keep the required amount of communication negligible as compared to the length of the resulting key.
The Gaussian Multiple Access Wiretap Channel
 IEEE TRANSACTION ON INFORMATION THEORY
, 2008
Cited by 110 (12 self)
We consider the Gaussian multiple access wiretap channel (GMAC-WT). In this scenario, multiple users communicate with an intended receiver in the presence of an intelligent and informed wiretapper who receives a degraded version of the signal at the receiver. We define suitable security measures for this multi-access environment. Using codebooks generated randomly according to a Gaussian distribution, achievable secrecy rate regions are identified using superposition coding and time-division multiple access (TDMA) coding schemes. An upper bound for the secrecy sum-rate is derived, and our coding schemes are shown to achieve the sum capacity. Numerical results are presented showing the new rate region and comparing it with the capacity region of the Gaussian multiple-access channel (GMAC) with no secrecy constraints, which quantifies the price paid for secrecy.
Reusable cryptographic fuzzy extractors
 ACM CCS 2004, ACM
, 2004
Cited by 95 (2 self)
We show that a number of recent definitions and constructions of fuzzy extractors are not adequate for multiple uses of the same fuzzy secret—a major shortcoming in the case of biometric applications. We propose two particularly stringent security models that specifically address the case of fuzzy secret reuse, respectively from an outsider and an insider perspective, in what we call a chosen perturbation attack. We characterize the conditions that fuzzy extractors need to satisfy to be secure, and present generic constructions from ordinary building blocks. As an illustration, we demonstrate how to use a biometric secret in a remote error tolerant authentication protocol that does not require any storage on the client’s side.
Common randomness and secret key generation with a helper
 IEEE Trans. Inform. Theory
, 2000
Cited by 93 (11 self)
Abstract—We consider the generation of common randomness (CR), secret or not secret, by two user terminals with aid from a “helper” terminal. Each terminal observes a different component of a discrete memoryless multiple source. The helper aids the users by transmitting information to them over a noiseless public channel subject to a rate constraint. Furthermore, one of the users is allowed to transmit to the other user over a public channel under a similar rate constraint. We study the maximum rate of CR which can be thus generated, including under additional secrecy conditions when it must be concealed from a wiretapper. Lower bounds for the corresponding capacities are provided, and single-letter capacity formulas are obtained for several special cases of interest. Index Terms — Capacity, common randomness, correlated sources, multiuser information theory, private key, secret key, wiretapper.
The general Gaussian multiple access and two-way wiretap channels: Achievable rates and cooperative jamming
 IEEE Trans. Inf. Theory
, 2008
Cited by 90 (32 self)
We consider the General Gaussian Multiple Access Wire-Tap Channel (GGMAC-WT) and the Gaussian Two-Way Wire-Tap Channel (GTW-WT) which are commonly found in multiuser wireless communication scenarios and serve as building blocks for ad-hoc networks. In the GGMAC-WT, multiple users communicate with an intended receiver in the presence of an intelligent and informed eavesdropper who receives their signals through another GMAC. In the GTW-WT, two users communicate with each other with an eavesdropper listening through a GMAC. We consider a secrecy measure that is suitable for this multiterminal environment, and identify achievable such secrecy regions for both channels using Gaussian codebooks. In the special case where the GGMAC-WT is degraded, we show that Gaussian codewords achieve the strong secret key sum-capacity. For both GGMAC-WT and GTW-WT, we find the power allocations that maximize the achievable secrecy sum-rate, and find that the optimum policy may prevent some terminals from transmission in order to preserve the secrecy of the system. Inspired by this construct, we next propose a new scheme which we call cooperative jamming, where users who are not transmitting according to the sum-rate maximizing power allocation can help the remaining users by “jamming” the eavesdropper. This scheme is shown to increase the achievable secrecy sum-rate, and in some cases allow a previously non-transmitting terminal to be able to transmit with secrecy. Overall,