Results 1 - 10 of 36
Generalized Privacy Amplification
- IEEE Transactions on Information Theory, 1995
Cited by 176 (20 self)
This paper provides a general treatment of privacy amplification by public discussion, a concept introduced by Bennett, Brassard and Robert [1] for a special scenario. The results have applications to unconditionally-secure secret-key agreement protocols, quantum cryptography and to a non-asymptotic and constructive treatment of the secrecy capacity of wire-tap and broadcast channels, even for a considerably strengthened definition of secrecy capacity. I. Introduction This paper is concerned with unconditionally-secure secret-key agreement by two communicating parties Alice and Bob who both know a random variable W, for instance a random n-bit string, about which an eavesdropper Eve has incomplete information characterized by the random variable V jointly distributed with W according to $P_{VW}$. This distribution may partially be under Eve's control. Alice and Bob know nothing about $P_{VW}$, except that it satisfies a certain constraint. We present protocols by which Alice and Bob can us...
Secret Key Agreement by Public Discussion From Common Information
- IEEE Transactions on Information Theory, 1993
Cited by 175 (18 self)
The problem of generating a shared secret key S by two parties knowing dependent random variables X and Y, respectively, but not sharing a secret key initially, is considered. An enemy who knows the random variable Z, jointly distributed with X and Y according to some probability distribution $P_{XYZ}$, can also receive all messages exchanged by the two parties over a public channel. The goal of a protocol is that the enemy obtains at most a negligible amount of information about S. Upper bounds on $H(S)$ as a function of $P_{XYZ}$ are presented. Lower bounds on the rate $H(S)/N$ (as $N \to \infty$) are derived for the case where $X = [X_1, \ldots, X_N]$, $Y = [Y_1, \ldots, Y_N]$ and $Z = [Z_1, \ldots, Z_N]$ result from N independent executions of a random experiment generating $X_i$, $Y_i$ and $Z_i$, for $i = 1, \ldots, N$. In particular it is shown that such secret key agreement is possible for a scenario where all three parties receive the output of a binary symmetric source over independent binary symmetr...
Secure Hybrid Encryption from Weakened Key Encapsulation
- Advances in Cryptology – CRYPTO 2007, 2007
Cited by 26 (7 self)
We put forward a new paradigm for building hybrid encryption schemes from constrained chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated
Direct chosen-ciphertext secure identity-based key encapsulation without random oracles
- In ACISP 2006, 2006
Cited by 23 (4 self)
We describe a practical identity-based encryption scheme that is secure in the standard model against chosen-ciphertext attacks. Our construction applies “direct chosen-ciphertext techniques” to Waters’ chosen-plaintext secure scheme and is not based on hierarchical identity-based encryption. Furthermore, we give an improved concrete security analysis for Waters’ scheme. As a result, one can instantiate the scheme in smaller groups, resulting in efficiency improvements.
The Strong Secret Key Rate of Discrete Random Triples
- COMMUNICATION AND CRYPTOGRAPHY, 1994
Cited by 21 (6 self)
Three parties, Alice, Bob and Eve, know the sequences of random variables $X^N = [X_1, X_2, \ldots, X_N]$, $Y^N = [Y_1, Y_2, \ldots, Y_N]$ and $Z^N = [Z_1, Z_2, \ldots, Z_N]$, respectively, where the triples $(X_i, Y_i, Z_i)$, for $1 \le i \le N$, are generated by a discrete memoryless source according to some probability distribution $P_{XYZ}$. Motivated by Wyner's and Csiszár and Körner's pioneering definition of, and work on, the secrecy capacity of a broadcast channel, the secret key rate of $P_{XYZ}$ was defined by Maurer as the maximal rate $M/N$ at which Alice and Bob can generate secret shared random key bits $S_1, \ldots, S_M$ by exchanging messages over an insecure public channel accessible to Eve, such that the rate at which Eve obtains information about the key is arbitrarily small, i.e., such that $\lim_{N \to \infty} I(S_1, \ldots, S_M; Z^N, C^t)/N = 0$, where $C^t$ is the collection of messages exchanged between Alice and Bob over the public channel. However, this definition is n...
Information and Computation: Classical and Quantum Aspects
- REVIEWS OF MODERN PHYSICS, 2001
Cited by 21 (2 self)
Quantum theory has found a new field of applications in the realm of information and computation during the recent years. This paper reviews how quantum physics allows information coding in classically unexpected and subtle nonlocal ways, as well as information processing with an efficiency largely surpassing that of the present and foreseeable classical computers. Some outstanding aspects of classical and quantum information theory will be addressed here. Quantum teleportation, dense coding, and quantum cryptography are discussed as a few samples of the impact of quanta in the transmission of information. Quantum logic gates and quantum algorithms are also discussed as instances of the improvement in information processing by a quantum computer. We provide finally some examples of current experimental
Perfect Cryptographic Security from Partially Independent Channels
- Proc. 23rd ACM Symposium on Theory of Computing, 1991
Cited by 15 (2 self)
Several protocols are presented that allow two parties Alice and Bob not sharing any secret information initially (except possibly a short key to be used for authentication) to generate a long shared secret key such that even an enemy Eve with unlimited computing power is unable to obtain a non-negligible amount of information (in Shannon's sense) about this key. Two different models are considered. In a first model we assume that Alice can send information to Bob over a noisy main channel but that Eve is able to receive the same information over a parallel independent noisy channel from Alice to Eve. In a second, more general model we assume that Alice, Bob and Eve receive the output of a random source (e.g., a satellite broadcasting random bits) over three independent individual channels. The condition that the channels be independent can be replaced by the condition that they be independent only to a known, arbitrarily small degree. We demonstrate that even when Eve's channel is sup...
Optimal encryption of quantum bits
- 2000
Cited by 14 (2 self)
We characterize the complete set of protocols that may be used to securely encrypt n quantum bits using secret and random classical bits. In addition to the application of such quantum encryption protocols to quantum data security, our framework allows for generalizations of many classical cryptographic protocols to quantum data. We show that the encrypted state gives no information without the secret classical data, and that 2n random classical bits are the minimum necessary for informationally secure quantum encryption. Moreover, the quantum operations are shown to have a surprising structure in a canonical inner product space. This quantum encryption protocol is a generalization of the classical one time pad concept. A connection is made between quantum encryption and quantum teleportation [1], and this allows for a new proof of optimality of teleportation.
Linking classical and quantum key agreement: is there “bound information”?
- Algorithmica, 2000
Cited by 12 (4 self)
After carrying out a protocol for quantum key agreement over a noisy quantum channel, the parties Alice and Bob must process the raw key in order to end up with identical keys about which the adversary has virtually no information. In principle, both classical and quantum protocols can be used for this processing. It is a natural question which type of protocols is more powerful. We show that the limits of tolerable noise are identical for classical and quantum protocols in many cases. More specifically, we prove that a quantum state between two parties is entangled if and only if the classical random variables resulting from optimal measurements provide some mutual classical information between the parties. In addition, we present evidence which strongly suggests that the potentials of classical and of quantum protocols are equal in every situation. An important consequence, in the purely classical regime, of such a correspondence would be the existence of a classical counterpart of so-called bound entanglement, namely “bound information” that cannot be used for generating a secret key by any protocol. This stands in sharp contrast to what was previously believed. Keywords. Secret-key agreement, intrinsic information, secret-key rate, quantum privacy amplification, purification, entanglement.
New bounds in secret-key agreement: The gap between formation and secrecy extraction
- in Proc. EUROCRYPT 2003 (Lecture notes in Computer Science, 2003
Cited by 11 (1 self)
Perfectly secret message transmission can be realized with only partially secret and weakly correlated information shared by the parties as soon as this information allows for the extraction of information-theoretically secret bits. The best known upper bound on the rate S at which such key bits can be generated has been the intrinsic information of the distribution modeling the parties’, including the adversary’s, knowledge. Based on a new property of the secret-key rate S, we introduce a conditional mutual information measure which is a stronger upper bound on S. Having thus seen that the intrinsic information of a distribution P is not always suitable for determining the number of secret bits extractable from P, we prove a different significance of it in the same context: It is a lower bound on the number of key bits required to generate P by public communication. Taken together, these two results imply that sometimes, (a possibly arbitrarily large fraction of) the correlation contained in distributed information cannot be extracted in the form of secret keys by any protocol. Keywords. Information-theoretic security, secret-key agreement, reductions among primitives, information measures, quantum entanglement purification.

