The Diffie-Hellman Protocol
- Designs, Codes, and Cryptography, 1999
- Cited by 23 (0 self)
The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie-Hellman protocol, allowing two parties who share no secret information initially, to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.
Unconditional authenticity and privacy from an arbitrarily weak secret
- In Proc. CRYPTO’03, 2003
- Cited by 16 (2 self)
Abstract. Unconditional cryptographic security cannot be generated simply from scratch, but must be based on some given primitive to start with (such as, most typically, a private key). Whether or not this implies that such a high level of security is necessarily impractical depends on how weak these basic primitives can be, and how realistic it is therefore to realize or find them in—classical or quantum—reality. A natural way of minimizing the required resources for information-theoretic security is to reduce the length of the private key. In this paper, we focus on the level of its secrecy instead and show that even if the communication channel is completely insecure, a shared string of which an arbitrarily large fraction is known to the adversary can be used for achieving fundamental cryptographic goals such as message authentication and encryption. More precisely, we give protocols—using such a weakly secret key—allowing for both the exchange of authenticated messages and the extraction of the key’s entire amount of privacy into a shorter virtually secret key. Our schemes, which are highly interactive, show the power of two-way communication in this context: Under the given conditions, the same objectives cannot be achieved by one-way communication only. Keywords. Information-theoretic security, authentication, privacy amplification, extractors, quantum key agreement.
Linking classical and quantum key agreement: is there "bound information"?
- Algorithmica, 2000
- Cited by 12 (4 self)
Abstract. After carrying out a protocol for quantum key agreement over a noisy quantum channel, the parties Alice and Bob must process the raw key in order to end up with identical keys about which the adversary has virtually no information. In principle, both classical and quantum protocols can be used for this processing. It is a natural question which type of protocols is more powerful. We show that the limits of tolerable noise are identical for classical and quantum protocols in many cases. More specifically, we prove that a quantum state between two parties is entangled if and only if the classical random variables resulting from optimal measurements provide some mutual classical information between the parties. In addition, we present evidence which strongly suggests that the potentials of classical and of quantum protocols are equal in every situation. An important consequence, in the purely classical regime, of such a correspondence would be the existence of a classical counterpart of so-called bound entanglement, namely “bound information” that cannot be used for generating a secret key by any protocol. This stands in sharp contrast to what was previously believed. Keywords. Secret-key agreement, intrinsic information, secret-key rate, quantum privacy amplification, purification, entanglement.
Efficient pseudorandom generators based on the DDH assumption, ePrint 2006/321
- In PKC 2007, volume ???? of LNCS, 2007
- Cited by 5 (0 self)
Abstract. A family of pseudorandom generators based on the decisional Diffie-Hellman assumption is proposed. The new construction is a modified and generalized version of the Dual Elliptic Curve generator proposed by Barker and Kelsey. Although the original Dual Elliptic Curve generator is shown to be insecure, the modified version is provably secure and very efficient in comparison with the other pseudorandom generators based on discrete log assumptions. Our generator can be based on any group of prime order provided that an additional requirement is met (i.e., there exists an efficiently computable function that in some sense enumerates the elements of the group). Two specific instances are presented. The techniques used to design the instances, for example, the new probabilistic randomness extractor are of independent interest for other applications.
Efficient Threshold and Proactive Cryptography Secure against the Adaptive Adversary (Extended Abstract)
- 1999
- Cited by 2 (0 self)
A threshold cryptosystem or signature scheme is a system with n participants where an honest majority can successfully decrypt a message or issue a signature, but where the security and functionality properties of the system are retained even as the adversary corrupts up to t players. The natural adversary one can imagine in this setting is the adaptive adversary, i.e. one that chooses which player to corrupt at which step based on all the information available to it at that step. Recently, Canetti et al. [CGJ 99] showed how to implement threshold DSS and RSA secure against such an adversary. We extend their contribution in two main directions: (1) for the first time in threshold cryptography, we propose practical distributed cryptographic systems that are secure against the adaptive adversary in the concurrent setting; and (2) we propose simple and clean methods for achieving security against the adaptive adversary. Our new techniques allow us to implement the threshold version of the Cramer-Shoup cryptosystem such that it withstands active attacks from the adaptive adversary. This is the most secure known practical threshold cryptosystem, since the underlying Cramer-Shoup [CS98] cryptosystem is secure against adaptive chosen ciphertext attack. We note that our techniques apply to transforming virtually any discrete-logarithm-based cryptosystem into its threshold counterpart secure against the adaptive adversary.
Threshold cryptography secure against the adaptive adversary, concurrently
- 2000
- Cited by 1 (0 self)
A threshold cryptosystem or signature scheme is a system with n participants where an honest majority can successfully decrypt a message or issue a signature, but where the security and functionality properties of the system are retained even as the adversary corrupts up to t players. We present the novel technique of a committed proof, which is a new general tool that enables security of threshold cryptosystems in the presence of the adaptive adversary. We also put forward a new measure of security for threshold schemes secure in the adaptive adversary model: security under concurrent composition. Using committed proofs, we construct concurrently and adaptively secure threshold protocols for a variety of cryptographic applications. In particular, based on the recent scheme by Cramer-Shoup, we construct adaptively secure threshold cryptosystems secure against adaptive chosen ciphertext attack under the DDH intractability assumption.
An Integrative Framework to Protocol Analysis and Repair: Bellare–Rogaway Model + Planning + Model Checker
- 2006
Abstract. A modified version of the Bellare and Rogaway (1993) adversarial model is encoded using Asynchronous Product Automata (APA). A model checker tool, Simple Homomorphism Verification Tool (SHVT), is then used to perform state-space analysis on the Automata in the setting of planning problem. The three-party identity-based secret public key protocol (3P-ID-SPK) protocol of Lim and Paterson (2006), which claims to provide explicit key authentication, is used as a case study. We then refute its heuristic security argument by revealing a previously unpublished flaw in the protocol using SHVT. We then show how our approach can automatically repair the protocol. This is, to the best of our knowledge, the first work that integrates an adversarial model from the computational complexity paradigm with an automated tool from the computer security paradigm to analyse protocols in an artificial intelligence problem setting – planning problem – and, more importantly, to repair protocols. Key words: key establishment protocols, model checker, key authentication, provable security, planning problem.
A Simple and Efficiently Verifiable Characterization of the Possibility of Information-Theoretic Key Agreement Secure Against Active Adversaries
The model of information-theoretic secret-key agreement from joint randomness by public discussion was recently extended to the case where the insecure communication is not even authentic. It has been shown that the ability of generating a virtually-secret key is then directly linked to a certain simulatability condition formulated in terms of the involved random variables. More generally, this condition is important in the context of identification and authentication among parties sharing some correlated but not necessarily identical partially secret keys. Unfortunately, the simulatability condition is a priori not very useful since it is not even clear whether it is verifiable in finite time. We introduce a new intuitive formalism, based on a mechanical model for representing the involved quantities, for dealing with discrete joint distributions of random variables and their manipulations by noisy channels, and show that this representation leads to a simple and efficient characterizatio...
The Complexity of Diffie-Hellman Type Problems
- 2000
this paper. Convention 1 R will be a commutative ring and M shall be a cyclic (left) R-module (written RM) generated by an element m
Bound Information: The Classical Analog to Bound Quantum Entanglement
It was recently pointed out that there is a close connection between information-theoretic key agreement and quantum entanglement purification. This suggests that the concept of bound entanglement (entanglement which cannot be purified) has a classical counterpart: bound information, which cannot be used to generate a secret key by any protocol. We analyze a probability distribution which results when a specific bound entangled quantum state is measured. We show strong evidence for the fact that the corresponding mutual information is indeed bound. The probable existence of such information contrasts previous beliefs in classical information theory.