Results 1-10 of 12
Bucket Hashing and its Application to Fast Message Authentication
1995
Cited by 51 (4 self)
Abstract:
We introduce a new technique for constructing a family of universal hash functions.
Privacy Amplification Secure Against Active Adversaries
In Proc. CRYPTO’97, 1997
Cited by 38 (5 self)
Abstract:
Privacy amplification allows two parties Alice and Bob knowing a partially secret string S to extract, by communication over a public channel, a shorter, highly secret string S'. Bennett, Brassard, Crépeau, and Maurer showed that the length of S' can be almost equal to the conditional Rényi entropy of S given an opponent Eve's knowledge. All previous results on privacy amplification assumed that Eve has access to the public channel but is passive or, equivalently, that messages inserted by Eve can be detected by Alice and Bob. In this paper we consider privacy amplification secure even against active opponents. First it is analyzed under what conditions information-theoretically secure authentication is possible even though the common key is only partially secret. This result is used to prove that privacy amplification can be secure against an active opponent and that the size of S' can be almost equal to Eve's min-entropy about S minus 2n/3 if S is an n-bit ...
Unconditional authenticity and privacy from an arbitrarily weak secret
In Proc. CRYPTO’03, 2003
Cited by 25 (2 self)
Abstract:
Unconditional cryptographic security cannot be generated simply from scratch, but must be based on some given primitive to start with (such as, most typically, a private key). Whether or not this implies that such a high level of security is necessarily impractical depends on how weak these basic primitives can be, and how realistic it is therefore to realize or find them in—classical or quantum—reality. A natural way of minimizing the required resources for information-theoretic security is to reduce the length of the private key. In this paper, we focus on the level of its secrecy instead and show that even if the communication channel is completely insecure, a shared string of which an arbitrarily large fraction is known to the adversary can be used for achieving fundamental cryptographic goals such as message authentication and encryption. More precisely, we give protocols—using such a weakly secret key—allowing for both the exchange of authenticated messages and the extraction of the key’s entire amount of privacy into a shorter virtually secret key. Our schemes, which are highly interactive, show the power of two-way communication in this context: Under the given conditions, the same objectives cannot be achieved by one-way communication only.
Keywords: Information-theoretic security, authentication, privacy amplification, extractors, quantum key agreement.
Verifiable delegation of computation over large datasets
In Proceedings of the 31st annual conference on Advances in cryptology, CRYPTO’11, 2011
Cited by 20 (2 self)
Abstract:
We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial functions. Such functions can be used, for example, to make predictions based on polynomials fitted to a large number of sample points in an experiment. In addition to the many non-cryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs of retrievability. Our constructions are based on the DDH assumption and its variants, and achieve adaptive security, which was left as an open problem by Gennaro et al. (albeit for general functionalities). Our second result is a primitive which we call a verifiable database (VDB). Here, a weak client outsources a large table to an untrusted server, and makes retrieval and update queries. For each query, the server provides a response and a proof that the response was computed correctly. The goal is to minimize the resources required by the client. This is made particularly challenging if the number of update queries is unbounded. We present a VDB scheme based on the hardness of the subgroup
Correction of adversarial errors in networks
In Proceedings of International Symposium in Information Theory and its Applications, 2005
Cited by 17 (6 self)
Abstract:
We design codes to transmit information over a network, some subset of which is controlled by a malicious adversary. The computationally unbounded, hidden adversary knows the message to be transmitted, and can observe and change information over the part of the network he controls. The network nodes do not share resources such as shared randomness or a private key. We first consider a unicast problem in a network with |E| parallel, unit-capacity, directed edges. The rate region has two parts. If the adversary controls a fraction p < 0.5 of the |E| edges, the maximal throughput equals (1 − p)|E|. We describe low-complexity codes that achieve this rate region. We then extend these results to investigate more general multicast problems in directed, acyclic networks.
The exact price for unconditionally secure asymmetric cryptography
In Advances in Cryptology - EUROCRYPT ’04, Lecture Notes in Computer Science, 2004
Cited by 11 (1 self)
Abstract:
A completely insecure communication channel can only be transformed into an unconditionally secure channel if some information-theoretic primitive is given to start from. All previous approaches to realizing such authenticity and privacy from weak primitives were symmetric in the sense that security for both parties was achieved. We show that asymmetric information-theoretic security can, however, be obtained at a substantially lower price than two-way security—like in the computational-security setting, as the example of public-key cryptography demonstrates. In addition to this, we show that also an unconditionally secure bidirectional channel can be obtained under weaker conditions than previously known. One consequence of these results is that the assumption usually made in the context of quantum key distribution that the two parties share a short key initially is unnecessarily strong.
Keywords: Information-theoretic security, authentication, information reconciliation, privacy amplification, quantum key agreement, reductions
Design and Analysis of Network Codes
2005
Cited by 10 (2 self)
Abstract:
But it’s not who you are underneath, it’s what you do that defines you. – Rachel Dawes
To Mom, George, Michelle, and the good people at the Caltech Y.
Acknowledgements: Pour undergraduate student in vat, ferment for five years, decant out a Ph.D. As with any reaction, this one required many ingredients, environmental controls, and catalysts. (Warning – do not try this at home.) Here’s a list of some of the many people who deserve much of the credit but none of the blame. Claude Elwood Shannon, who was there before anyone else. Michelle Effros, who showed me the way in more ways than one. Radhika Gowaikar and Chuhsin Liang were there when I needed them, and how. Naveed Near-Ansari, John Lilley, and Michael Potter protected the world from my evil hacker-genius ways, and Linda Dozsa, Veronica Robles, and Shirley Beatty made sure the paper trail always led
Approximate Quantum Error-Correcting Codes and Secret Sharing Schemes
In Advances in Cryptology: Proceedings of EUROCRYPT 2005, Springer-Verlag’s Lecture Notes in Computer Science, Volume 3494, 2005
Cited by 10 (5 self)
Abstract:
It is a standard result in the theory of quantum error-correcting codes that no code of length n can fix more than n/4 arbitrary errors, regardless of the dimension of the coding and encoded Hilbert spaces. However, this bound only applies to codes which recover the message exactly. Naively, one might expect that correcting errors to very high fidelity would only allow small violations of this bound. This intuition is incorrect: in this paper we describe quantum error-correcting codes capable of correcting up to ⌊(n − 1)/2⌋ arbitrary errors with fidelity exponentially close to 1, at the price of increasing the size of the registers (i.e., the coding alphabet). This demonstrates a sharp distinction between exact and approximate quantum error correction. The codes have the property that any t components reveal no information about the message, and so they can also be viewed as error-tolerant secret sharing schemes. The construction has several interesting implications for cryptography and quantum information theory. First, it suggests that secret sharing is a better classical analogue to quantum error correction than is classical error correction. Second, it highlights an error in a purported proof that verifiable quantum secret sharing (VQSS) is impossible when the number of cheaters t is n/4. In particular, the construction directly yields an honest-dealer VQSS scheme for t = ⌊(n − 1)/2⌋. We believe the codes could also potentially lead to improved protocols for dishonest-dealer VQSS and secure multiparty quantum computation. More generally, the construction illustrates a difference between exact and approximate requirements in quantum cryptography and (yet again) the delicacy of security proofs and impossibility results in the quantum model.
Tight bounds for unconditional authentication protocols in the manual channel and shared key models
In Advances in Cryptology - CRYPTO ’06, 2006
Cited by 8 (1 self)
Abstract:
We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel, that enables the sender to “manually” authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ɛ < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ɛ) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ɛ to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ɛ) − O(1) on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. We apply the proof technique above to obtain a lower bound of 2 log(1/ɛ) − 2 on the
Cryptanalysis of the Gemmell and Naor Multiround Authentication Protocol
1994
Cited by 1 (0 self)
Abstract:
Gemmell and Naor proposed a new protocol for the authentication of long messages which was based on block codes and which used a transmission channel k times. This multiround authentication makes it possible to limit the key size independently of the message length.