Results 1 - 10 of 16
Generalized Privacy Amplification
IEEE Transactions on Information Theory, 1995
Cited by 212 (18 self)
This paper provides a general treatment of privacy amplification by public discussion, a concept introduced by Bennett, Brassard and Robert [1] for a special scenario. The results have applications to unconditionally-secure secret-key agreement protocols, quantum cryptography and to a non-asymptotic and constructive treatment of the secrecy capacity of wiretap and broadcast channels, even for a considerably strengthened definition of secrecy capacity. I. Introduction This paper is concerned with unconditionally-secure secret-key agreement by two communicating parties Alice and Bob who both know a random variable W, for instance a random n-bit string, about which an eavesdropper Eve has incomplete information characterized by the random variable V jointly distributed with W according to P_VW. This distribution may partially be under Eve's control. Alice and Bob know nothing about P_VW, except that it satisfies a certain constraint. We present protocols by which Alice and Bob can us...
Experimental Quantum Cryptography
Journal of Cryptology, 1992
Cited by 198 (20 self)
We describe results from an apparatus and protocol designed to implement quantum key distribution, by which two users, who share no secret information initially: 1) exchange a random quantum transmission, consisting of very faint flashes of polarized light; 2) by subsequent public discussion of the sent and received versions of this transmission estimate the extent of eavesdropping that might have taken place on it, and finally 3) if this estimate is small enough, distill from the sent and received versions a smaller body of shared random information, which is certifiably secret in the sense that any third party's expected information on it is an exponentially small fraction of one bit. Because the system depends on the uncertainty principle of quantum physics, instead of usual mathematical assumptions such as the difficulty of factoring, it remains secure against an adversary with unlimited computing power. A preliminary version of this paper was presented at Eurocrypt '90, May 21 ...
The Bit Extraction Problem or t-Resilient Functions
1985
Cited by 153 (9 self)
We consider the following adversarial situation. Let n, m and t be arbitrary integers, and let f : {0,1}^n → {0,1}^m be a function. An adversary, knowing the function f, sets t of the n input bits, while the rest (n − t input bits) are chosen at random (independently and with uniform probability distribution). The adversary tries to prevent the outcome of f from being uniformly distributed in {0,1}^m. The question addressed is for what values of n, m and t does the adversary necessarily fail in biasing the outcome of f : {0,1}^n → {0,1}^m, when being restricted to set t of the input bits of f. We present various lower and upper bounds on m's allowing an affirmative answer. These bounds are relatively close for t n/3 and for t 2n/3. Our results have applications in the fields of fault-tolerance and cryptography. 1. INTRODUCTION The bit extraction problem formulated above The bit extraction problem was suggested by Brassard and Robert [BRref] and by V...
Practical Quantum Oblivious Transfer
1992
Cited by 73 (12 self)
We describe a protocol for quantum oblivious transfer, utilizing faint pulses of polarized light, by which one of two mutually distrustful parties ("Alice") transmits two one-bit messages in such a way that the other party ("Bob") can choose which message he gets but cannot obtain information about both messages (he will learn his chosen bit's value with exponentially small error probability and may gain at most exponentially little information about the value of the other bit), and Alice will be entirely ignorant of which bit he received. Neither party can cheat (i.e. deviate from the protocol while appearing to follow it) in such a way as to obtain more information than what is given by the description of the protocol. Our protocol is easy to modify in order to implement the All-or-Nothing Disclosure of one out of two string messages, and it can be used to implement bit commitment and oblivious circuit evaluation without complexity-theoretic assumptions, in a way that remains secure e...
Oblivious Transfer with a Memory-Bounded Receiver
1998
Cited by 45 (1 self)
We propose a protocol for oblivious transfer that is unconditionally secure under the sole assumption that the memory size of the receiver is bounded. The model assumes that a random bit string slightly larger than the receiver's memory is broadcast (either by the sender or by a third party). In our construction, both parties need memory of size in (n 2 2 ) for some < 1 2 , when a random string of size N = n 2 is broadcast, for > > 0, whereas a malicious receiver can have up to N bits of memory for any < 1. In the course of our analysis, we provide a direct study of an interactive hashing protocol closely related to that of Naor et al. [27]. 1. Introduction Oblivious transfer is an important primitive in modern cryptography. It was introduced to cryptography in several variations by Rabin and Even et al. [29, 20] and had been studied already by Wiesner [31] (under the name of "multiplexing "), in a paper that marked the birth of quantum cryptography. Oblivious t...
Applications of Combinatorial Designs to Communications, Cryptography, and Networking
1999
Cited by 25 (2 self)
... In this paper, we focus on another collection of recent applications in the general area of communications, including cryptography and networking. Applications have been chosen to represent those in which design theory plays a useful, and sometimes central, role. Moreover, applications have been chosen to reflect in addition the genesis of new and interesting problems in design theory in order to treat the practical concerns. Of many candidates, thirteen applications areas have been included. They are as follows:
On the foundations of oblivious transfer
1998
Cited by 23 (0 self)
We show that oblivious transfer can be based on a very general notion of asymmetric information difference. We investigate a Universal Oblivious Transfer, denoted UOT(X, Y), that gives Bob the freedom to access Alice’s input X in an arbitrary way as long as he does not obtain full information about X. Alice does not learn which information Bob has chosen. We show that oblivious transfer can be reduced to a single execution of UOT(X, Y) with Bob’s knowledge Y restricted in terms of Rényi entropy of order α > 1. For independently repeated UOT the reduction works even if only Bob’s Shannon information is restricted, i.e. if H(X|Y) > 0 in every UOT(X, Y). Our protocol requires that honest Bob obtains at least half of Alice’s information X without error.
Information-theoretically secret key generation for fading wireless channels
IEEE Trans on Information Forensics and Security, 2010
Cited by 17 (1 self)
Abstract—The multipath-rich wireless environment associated with typical wireless usage scenarios is characterized by a fading channel response that is time-varying, location-sensitive, and uniquely shared by a given transmitter–receiver pair. The complexity associated with a richly scattering environment implies that the short-term fading process is inherently hard to predict and best modeled stochastically, with rapid decorrelation properties in space, time, and frequency. In this paper, we demonstrate how the channel state between a wireless transmitter and receiver can be used as the basis for building practical secret key generation protocols between two entities. We begin by presenting a scheme based on level crossings of the fading process, which is well-suited for the Rayleigh and Rician fading models associated with a richly scattering environment. Our level crossing algorithm is simple, and incorporates a self-authenticating mechanism to prevent adversarial manipulation of message exchanges during the protocol. Since the level crossing algorithm is best suited for fading processes that exhibit symmetry in their underlying distribution, we present a second and more powerful approach that is suited for more general channel state distributions. This second approach is motivated by observations from quantizing jointly Gaussian processes, but exploits empirical measurements to set quantization boundaries and a heuristic log likelihood ratio estimate to achieve an improved secret key generation rate. We validate both proposed protocols through experimentations using a customized 802.11a platform, and show for the typical WiFi channel that reliable secret key establishment can be accomplished at rates on the order of 10 b/s. Index Terms—Information-theoretic security, key generation, PHY layer security. I.
Applications of Designs to Cryptography
Cited by 11 (4 self)
to Bob, she encrypts x using the encryption rule e_K. That is, she computes y = e_K(x), and sends y to Bob over the channel. When Bob receives y, he decrypts it using the decryption function d_K, obtaining x. Informally, perfect secrecy means that observation of a ciphertext gives no information about the corresponding plaintext. This idea can be stated more precisely using probability distributions. Suppose there are probability distributions p_P on P, and p_K on K. Then a probability distribution p_C is induced on C. A cryptosystem is said to provide perfect secrecy provided that p_P(x|y) = p_P...
Smooth Entropy and Rényi Entropy
ADVANCES IN CRYPTOLOGY - EUROCRYPT '97, LECTURE NOTES IN COMPUTER SCIENCE, 1997
Cited by 11 (2 self)
The notion of smooth entropy allows a unifying, generalized formulation of privacy amplification and entropy smoothing. Smooth entropy is a measure for the number of almost uniform random bits that can be extracted from a random source by probabilistic algorithms. It is known that the Rényi entropy of order at least 2 of a random variable is a lower bound for its smooth entropy. On the other hand, an assumption about Shannon entropy (which is Rényi entropy of order 1) is too weak to guarantee any nontrivial amount of smooth entropy. In this work we close the gap between Rényi entropy of order 1 and 2. In particular, we show that Rényi entropy of order α for any 1 < α < 2 is a lower bound for smooth entropy, up to a small parameter depending on α, the alphabet size and the failure probability. The results have applications in cryptography for unconditionally secure protocols such as quantum key agreement, key agreement from correlated information, oblivious transfer, and bit com...