Results 1 - 10 of 11
Bucket Hashing and its Application to Fast Message Authentication, 1995
Cited by 48 (4 self)
We introduce a new technique for constructing a family of universal hash functions.
Privacy Amplification Secure Against Active Adversaries
In Proc. CRYPTO’97, 1997
Cited by 25 (5 self)
Privacy amplification allows two parties Alice and Bob knowing a partially secret string S to extract, by communication over a public channel, a shorter, highly secret string S'. Bennett, Brassard, Crépeau, and Maurer showed that the length of S' can be almost equal to the conditional Rényi entropy of S given an opponent Eve's knowledge. All previous results on privacy amplification assumed that Eve has access to the public channel but is passive or, equivalently, that messages inserted by Eve can be detected by Alice and Bob. In this paper we consider privacy amplification secure even against active opponents. First it is analyzed under what conditions information-theoretically secure authentication is possible even though the common key is only partially secret. This result is used to prove that privacy amplification can be secure against an active opponent and that the size of S' can be almost equal to Eve's min-entropy about S minus 2n/3 if S is an n-bit ...
Unconditional authenticity and privacy from an arbitrarily weak secret
In Proc. CRYPTO’03, 2003
Cited by 16 (2 self)
Abstract. Unconditional cryptographic security cannot be generated simply from scratch, but must be based on some given primitive to start with (such as, most typically, a private key). Whether or not this implies that such a high level of security is necessarily impractical depends on how weak these basic primitives can be, and how realistic it is therefore to realize or find them in—classical or quantum—reality. A natural way of minimizing the required resources for information-theoretic security is to reduce the length of the private key. In this paper, we focus on the level of its secrecy instead and show that even if the communication channel is completely insecure, a shared string of which an arbitrarily large fraction is known to the adversary can be used for achieving fundamental cryptographic goals such as message authentication and encryption. More precisely, we give protocols—using such a weakly secret key—allowing for both the exchange of authenticated messages and the extraction of the key’s entire amount of privacy into a shorter virtually secret key. Our schemes, which are highly interactive, show the power of two-way communication in this context: Under the given conditions, the same objectives cannot be achieved by one-way communication only. Keywords. Information-theoretic security, authentication, privacy amplification, extractors, quantum key agreement.
Correction of adversarial errors in networks
In Proceedings of International Symposium in Information Theory and its Applications, 2005
Cited by 15 (6 self)
Abstract — We design codes to transmit information over a network, some subset of which is controlled by a malicious adversary. The computationally unbounded, hidden adversary knows the message to be transmitted, and can observe and change information over the part of the network he controls. The network nodes do not share resources such as shared randomness or a private key. We first consider a unicast problem in a network with |E| parallel, unit-capacity, directed edges. The rate-region has two parts. If the adversary controls a fraction p < 0.5 of the |E| edges, the maximal throughput equals (1 − p)|E|. We describe low-complexity codes that achieve this rate-region. We then extend these results to investigate more general multicast problems in directed, acyclic networks.
The exact price for unconditionally secure asymmetric cryptography
In Advances in Cryptology - EUROCRYPT ’04, Lecture Notes in Computer Science, 2004
Cited by 9 (1 self)
Abstract. A completely insecure communication channel can only be transformed into an unconditionally secure channel if some information-theoretic primitive is given to start from. All previous approaches to realizing such authenticity and privacy from weak primitives were symmetric in the sense that security for both parties was achieved. We show that asymmetric information-theoretic security can, however, be obtained at a substantially lower price than two-way security—like in the computational-security setting, as the example of public-key cryptography demonstrates. In addition to this, we show that also an unconditionally secure bidirectional channel can be obtained under weaker conditions than previously known. One consequence of these results is that the assumption usually made in the context of quantum key distribution that the two parties share a short key initially is unnecessarily strong. Keywords. Information-theoretic security, authentication, information reconciliation, privacy amplification, quantum key agreement, reductions
Tight bounds for unconditional authentication protocols in the manual channel and shared key models
In Advances in Cryptology - CRYPTO ’06, 2006
Cited by 8 (1 self)
We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel, that enables the sender to “manually” authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ɛ < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ɛ) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ɛ to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ɛ) − O(1) on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. We apply the proof technique above to obtain a lower bound of 2 log(1/ɛ) − 2 on the
Design and Analysis of Network Codes, 2005
Cited by 8 (0 self)
iii But it’s not who you are underneath, it’s what you do that defines you. – Rachel Dawes iv To Mom, George, Michelle, and the good people at the Caltech Y. Chapter 1 Acknowledgements v Pour undergraduate student in vat, ferment for five years, decant out a Ph.D. As with any reaction, this one required many ingredients, environmental controls, and catalysts. (Warning – do not try this at home.) Here’s a list of some of the many people who deserve much of the credit but none of the blame. Claude Elwood Shannon, who was there before anyone else. Michelle Effros, who showed me the way in more ways than one. Radhika Gowaikar and Chu-hsin Liang were there when I needed them, and how. Naveed Near-Ansari, John Lilley, and Michael Potter protected the world from my evil hacker-genius ways, and Linda Dozsa, Veronica Robles, and Shirley Beatty made sure the paper trail always led
Approximate Quantum Error-Correcting Codes and Secret Sharing Schemes
In Advances in Cryptology: Proceedings of EUROCRYPT 2005, Springer-Verlag’s Lecture Notes in Computer Science, Volume 3494, 2005
Cited by 7 (4 self)
It is a standard result in the theory of quantum error-correcting codes that no code of length n can fix more than n/4 arbitrary errors, regardless of the dimension of the coding and encoded Hilbert spaces. However, this bound only applies to codes which recover the message exactly. Naively, one might expect that correcting errors to very high fidelity would only allow small violations of this bound. This intuition is incorrect: in this paper we describe quantum error-correcting codes capable of correcting up to ⌊(n − 1)/2⌋ arbitrary errors with fidelity exponentially close to 1, at the price of increasing the size of the registers (i.e., the coding alphabet). This demonstrates a sharp distinction between exact and approximate quantum error correction. The codes have the property that any t components reveal no information about the message, and so they can also be viewed as error-tolerant secret sharing schemes. The construction has several interesting implications for cryptography and quantum information theory. First, it suggests that secret sharing is a better classical analogue to quantum error correction than is classical error correction. Second, it highlights an error in a purported proof that verifiable quantum secret sharing (VQSS) is impossible when the number of cheaters t is n/4. In particular, the construction directly yields an honest-dealer VQSS scheme for t = ⌊(n − 1)/2⌋. We believe the codes could also potentially lead to improved protocols for dishonest-dealer VQSS and secure multi-party quantum computation. More generally, the construction illustrates a difference between exact and approximate requirements in quantum cryptography and (yet again) the delicacy of security proofs and impossibility results in the quantum model.
Cryptanalysis of the Gemmell and Naor Multiround Authentication Protocol, 1994
Cited by 1 (0 self)
Gemmell and Naor proposed a new protocol for the authentication of long messages which was based on block codes and which used a transmission channel k times. This multiround authentication makes it possible to limit the key size independently of the message length.
Approximate Quantum Error-Correcting Codes
In Advances in Cryptology: Proceedings of EUROCRYPT 2005, Springer-Verlag’s Lecture Notes in Computer Science, Volume 3494
Cited by 1 (0 self)
It is a standard result in the theory of quantum error-correcting codes that no code of length n can fix more than n/4 arbitrary errors, regardless of the dimension of the coding and encoded Hilbert spaces. However, this bound only applies to codes which exactly correct errors. Naively, one might expect that correcting errors to very high fidelity would only allow small violations of this bound. However, this intuition is incorrect: we construct in this paper quantum error-correcting codes capable of correcting up to ⌈n/2⌉ − 1 arbitrary errors with fidelity exponentially close to 1. This demonstrates a severe distinction between exact quantum error correction and approximate quantum error correction.