Results 1 - 10 of 11
Robust fuzzy extractors and authenticated key agreement from close secrets. In Advances in Cryptology — Crypto 2006, volume 4117 of LNCS, 2006.
Cited by 23 (8 self)
Consider two parties holding samples from correlated distributions W and W′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK_BSM that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W′_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects:
• The best prior solution for the keyless case with no errors (i.e., t = 0) requires the min-entropy of W to exceed 2n/3, where n is the bit-length of W. Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key.
• Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model.
• Previous solutions for the keyed case were stateful. We give the first stateless solution.
Key agreement from close secrets over unsecured channels. In EUROCRYPT’09, 2009.
Cited by 5 (1 self)
We consider information-theoretic key agreement between two parties sharing somewhat different versions of a secret w that has relatively little entropy. Such key agreement, also known as information reconciliation and privacy amplification over unsecured channels, was shown to be theoretically feasible by Renner and Wolf (Eurocrypt 2004), although no protocol that runs in polynomial time was described. We propose a protocol that is not only polynomial-time, but actually practical, requiring only a few seconds on consumer-grade computers. Our protocol can be seen as an interactive version of robust fuzzy extractors (Boyen et al., Eurocrypt 2005, Dodis et al., Crypto 2006). While robust fuzzy extractors, due to their noninteractive nature, require w to have entropy at least half its length, we have no such constraint. In fact, unlike in prior solutions, in our solution the entropy loss is essentially unrelated to the length or the entropy of w, and depends only on the security parameter.
Secure Communication with a Byzantine Relay. In IEEE International Symposium on Information Theory, 2009.
Cited by 1 (1 self)
We consider a communication scenario where the source and the destination can communicate only via a relay node who is both an eavesdropper and a Byzantine attacker. Hence for secure communication, two requirements must be met simultaneously: the transmitted message must be kept secret, and a Byzantine attack must be detected reliably. Both a discrete noiseless adder model with the relay receiving the real sum of two signals and a Gaussian model are considered. In both models, the loss in rate due to Byzantine detection can be made arbitrarily small. For the discrete adder model, we show that the probability that the adversary wins decreases exponentially with the number of channel uses. For the Gaussian model, we show that this probability decreases exponentially with the square root of the number of channel uses. The rate derived in this paper is the strong secrecy rate, and the rate loss incurred due to the untrusted and Byzantine relay is measured with respect to the achievable secrecy rate when the relay is untrusted but honest. The result is obtained via a careful combination of the algebraic manipulation detection (AMD) code, the linear wiretap code constructed from low density parity check (LDPC) code, randomly generated wiretap code and, for the Gaussian model, the lattice code.
On Complete Primitives for Fairness
Cited by 1 (0 self)
For secure two-party and multi-party computation with abort, classification of which primitives are complete has been extensively studied in the literature. However, for fair secure computation, where (roughly speaking) either all parties learn the output or none do, the question of complete primitives has remained largely unstudied. In this work, we initiate a rigorous study of completeness for primitives that allow fair computation. We show the following results:
– No “short” primitive is complete for fairness. In surprising contrast to other notions of security for secure two-party computation, we show that for fair secure computation, no primitive of size O(log k) is complete, where k is a security parameter. This is the case even if we can enforce parallelism in calls to the primitives (i.e., the adversary does not get output from any primitive in a parallel call until it sends input to all of them). This negative result holds regardless of any computational assumptions.
– A fairness hierarchy. We clarify the fairness landscape further by exhibiting the existence of a “fairness hierarchy”. We show that for every “short” ℓ =
Secret Sharing and Proactive Renewal of Shares in Hierarchical Groups
Secret sharing in user hierarchy represents a challenging area for research. Although a lot of work has already been done in this direction, this paper presents a novel approach to share a secret among a hierarchy of users while overcoming the limitations of the already existing mechanisms. Our work is based on traditional (k + 1, n)-threshold secret sharing, which is secure as long as an adversary can compromise not more than k secret shares. But in real life it is often feasible for an adversary to obtain more than k shares over a long period of time. So, in our work we also present a way to overcome this vulnerability, while implementing our hierarchical secret sharing scheme. The use of Elliptic Curve Cryptography makes the computations easier and faster in our work.
ITW 2010 Secrecy and Reliable Byzantine Detection in a
We consider a Gaussian two-hop link where the source and the destination can communicate only via a relay node who is both an eavesdropper and a Byzantine attacker. Both the source and the destination have transmission capability, and the relay node receives a superposition of their transmitted signals plus noise. The proposed coding scheme ensures that the probability of an undetected Byzantine attack decreases exponentially fast with respect to the number of channel uses N_T while the loss in the secrecy rate can be made arbitrarily small. This improves our previous result where this probability only decreased exponentially with respect to √N_T.
authenticated Quantum Key Exchange without initial shared secrets
"... authentication without trusted readers and ..."
Strongly Robust Fuzzy Extractors
Fuzzy extractors are used to generate reliably reproducible randomness from a biased, noisy source. Known constructions of fuzzy extractors are built from a strong extractor and a secure sketch, a function that transforms a biased noisy secret value into a public value, simultaneously hiding the secret and allowing for error correction. A robust sketch is secure against adversarial modification: no adversary can make a new valid sketch of a secret after seeing one valid sketch of that secret. Prior constructions of robust sketches are proven secure against an unbounded adversary that sees one and only one valid sketch of a secret. In this paper we examine the notion of strong robustness, that is, robustness even when the adversary receives multiple sketches of related secrets. Strong robustness can be used to prove that a fuzzy extractor is secure in a fully adaptive setting (called “insider security” by Boyen [3]). We demonstrate that previous secure sketches are not strongly robust, and give a proof of impossibility which demonstrates that sketches cannot be strongly robust against an unbounded adversary, for any reasonable set of perturbations. We then give two constructions of sketches that are strongly robust against a computationally bounded adversary. The first construction is proven secure assuming the existence of an XOR related-key secure MAC in the CRS model, while the second construction is proven in the random oracle model. We show that our constructions can be adapted in the natural way into a strongly robust fuzzy extractor, and we demonstrate that these strongly robust fuzzy extractors are insider secure. It remains an open problem [3] to find a fuzzy extractor that is insider secure against an unbounded adversary, but our impossibility result implies that one cannot achieve such an extractor via robustness.