Results 1 - 10 of 13
Generalized Privacy Amplification. IEEE Transactions on Information Theory, 1995.
Cited by 176 (20 self)
Abstract:
This paper provides a general treatment of privacy amplification by public discussion, a concept introduced by Bennett, Brassard and Robert [1] for a special scenario. The results have applications to unconditionally-secure secret-key agreement protocols, quantum cryptography and to a non-asymptotic and constructive treatment of the secrecy capacity of wire-tap and broadcast channels, even for a considerably strengthened definition of secrecy capacity. I. Introduction. This paper is concerned with unconditionally-secure secret-key agreement by two communicating parties Alice and Bob who both know a random variable W, for instance a random n-bit string, about which an eavesdropper Eve has incomplete information characterized by the random variable V jointly distributed with W according to P_{VW}. This distribution may partially be under Eve's control. Alice and Bob know nothing about P_{VW}, except that it satisfies a certain constraint. We present protocols by which Alice and Bob can us...
Experimental Quantum Cryptography. Journal of Cryptology, 1992.
Cited by 173 (19 self)
Abstract:
We describe results from an apparatus and protocol designed to implement quantum key distribution, by which two users, who share no secret information initially: 1) exchange a random quantum transmission, consisting of very faint flashes of polarized light; 2) by subsequent public discussion of the sent and received versions of this transmission estimate the extent of eavesdropping that might have taken place on it, and finally 3) if this estimate is small enough, distill from the sent and received versions a smaller body of shared random information, which is certifiably secret in the sense that any third party's expected information on it is an exponentially small fraction of one bit. Because the system depends on the uncertainty principle of quantum physics, instead of usual mathematical assumptions such as the difficulty of factoring, it remains secure against an adversary with unlimited computing power. A preliminary version of this paper was presented at Eurocrypt '90, May 21 ...
The Bit Extraction Problem or t-Resilient Functions, 1985.
Cited by 141 (9 self)
Abstract:
We consider the following adversarial situation. Let n, m and t be arbitrary integers, and let f : {0,1}^n → {0,1}^m be a function. An adversary, knowing the function f, sets t of the n input bits, while the rest (n - t input bits) are chosen at random (independently and with uniform probability distribution). The adversary tries to prevent the outcome of f from being uniformly distributed in {0,1}^m. The question addressed is for what values of n, m and t does the adversary necessarily fail in biasing the outcome of f : {0,1}^n → {0,1}^m, when being restricted to set t of the input bits of f. We present various lower and upper bounds on m's allowing an affirmative answer. These bounds are relatively close for t n/3 and for t 2n/3. Our results have applications in the fields of fault-tolerance and cryptography. 1. INTRODUCTION. The bit extraction problem formulated above was suggested by Brassard and Robert [BRref] and by V...
Practical Quantum Oblivious Transfer, 1992.
Cited by 66 (12 self)
Abstract:
We describe a protocol for quantum oblivious transfer, utilizing faint pulses of polarized light, by which one of two mutually distrustful parties ("Alice") transmits two one-bit messages in such a way that the other party ("Bob") can choose which message he gets but cannot obtain information about both messages (he will learn his chosen bit's value with exponentially small error probability and may gain at most exponentially little information about the value of the other bit), and Alice will be entirely ignorant of which bit he received. Neither party can cheat (i.e. deviate from the protocol while appearing to follow it) in such a way as to obtain more information than what is given by the description of the protocol. Our protocol is easy to modify in order to implement the All-or-Nothing Disclosure of one out of two string messages, and it can be used to implement bit commitment and oblivious circuit evaluation without complexity-theoretic assumptions, in a way that remains secure e...
Oblivious Transfer with a Memory-Bounded Receiver, 1998.
Cited by 39 (1 self)
Abstract:
We propose a protocol for oblivious transfer that is unconditionally secure under the sole assumption that the memory size of the receiver is bounded. The model assumes that a random bit string slightly larger than the receiver's memory is broadcast (either by the sender or by a third party). In our construction, both parties need memory of size in (n 2 2 ) for some < 1 2 , when a random string of size N = n 2 is broadcast, for > > 0, whereas a malicious receiver can have up to N bits of memory for any < 1. In the course of our analysis, we provide a direct study of an interactive hashing protocol closely related to that of Naor et al. [27]. 1. Introduction. Oblivious transfer is an important primitive in modern cryptography. It was introduced to cryptography in several variations by Rabin and Even et al. [29, 20] and had been studied already by Wiesner [31] (under the name of "multiplexing"), in a paper that marked the birth of quantum cryptography. Oblivious t...
Applications of Combinatorial Designs to Communications, Cryptography, and Networking, 1999.
Cited by 23 (2 self)
Abstract:
... In this paper, we focus on another collection of recent applications in the general area of communications, including cryptography and networking. Applications have been chosen to represent those in which design theory plays a useful, and sometimes central, role. Moreover, applications have been chosen to reflect in addition the genesis of new and interesting problems in design theory in order to treat the practical concerns. Of many candidates, thirteen applications areas have been included. They are as follows:
On the foundations of oblivious transfer, 1998.
Cited by 18 (0 self)
Abstract:
We show that oblivious transfer can be based on a very general notion of asymmetric information difference. We investigate a Universal Oblivious Transfer, denoted UOT(X, Y), that gives Bob the freedom to access Alice's input X in an arbitrary way as long as he does not obtain full information about X. Alice does not learn which information Bob has chosen. We show that oblivious transfer can be reduced to a single execution of UOT(X, Y) with Bob's knowledge Y restricted in terms of Rényi entropy of order α > 1. For independently repeated UOT the reduction works even if only Bob's Shannon information is restricted, i.e. if H(X|Y) > 0 in every UOT(X, Y). Our protocol requires that honest Bob obtains at least half of Alice's information X without error.
Applications of Designs to Cryptography
Cited by 10 (4 self)
Abstract:
to Bob, she encrypts x using the encryption rule e_K. That is, she computes y = e_K(x), and sends y to Bob over the channel. When Bob receives y, he decrypts it using the decryption function d_K, obtaining x. Informally, perfect secrecy means that observation of a ciphertext gives no information about the corresponding plaintext. This idea can be stated more precisely using probability distributions. Suppose there are probability distributions p_P on P and p_K on K. Then a probability distribution p_C is induced on C. A cryptosystem is said to provide perfect secrecy provided that p_P(x|y) = p_P...
Smooth Entropy and Rényi Entropy. Advances in Cryptology - EUROCRYPT '97, Lecture Notes in Computer Science, 1997.
Cited by 8 (2 self)
Abstract:
The notion of smooth entropy allows a unifying, generalized formulation of privacy amplification and entropy smoothing. Smooth entropy is a measure for the number of almost uniform random bits that can be extracted from a random source by probabilistic algorithms. It is known that the Rényi entropy of order at least 2 of a random variable is a lower bound for its smooth entropy. On the other hand, an assumption about Shannon entropy (which is Rényi entropy of order 1) is too weak to guarantee any non-trivial amount of smooth entropy. In this work we close the gap between Rényi entropy of order 1 and 2. In particular, we show that Rényi entropy of order α for any 1 < α < 2 is a lower bound for smooth entropy, up to a small parameter depending on α, the alphabet size and the failure probability. The results have applications in cryptography for unconditionally secure protocols such as quantum key agreement, key agreement from correlated information, oblivious transfer, and bit com...
Smoothing Probability Distributions and Smooth Entropy (Extended Abstract). In Proceedings of International Symposium on Information Theory, ISIT 97, 1996.
Cited by 2 (1 self)
Abstract:
Christian Cachin and Ueli Maurer, Institute for Theoretical Computer Science, ETH Zurich, CH-8092 Zurich, Switzerland (cachin@acm.org, maurer@inf.ethz.ch), September 30, 1996. We introduce smooth entropy as a measure for the number of almost uniform random bits that can be extracted from a source by probabilistic algorithms. The extraction process should be universal in the sense that it does not require the distribution of the source to be known. Rather, it should work for all sources with a certain structural property, such as a bound on the maximal probability of any value. The concept of smooth entropy unifies previous work on privacy amplification and entropy smoothing in pseudorandom generation. It enables us to systematically investigate the spoiling knowledge proof technique to obtain lower bounds on smooth entropy and to show new connections to Rényi entropy of order α > 1.