## Secret-Key Reconciliation by Public Discussion (1994)

Citations: 101 (3 self)

### BibTeX

```
@INPROCEEDINGS{Brassard94secret-keyreconciliation,
    author = {Gilles Brassard and Louis Salvail},
    title = {Secret-Key Reconciliation by Public Discussion},
    booktitle = {},
    year = {1994},
    pages = {410--423},
    publisher = {Springer-Verlag}
}
```

### Abstract

Assuming that Alice and Bob use a secret noisy channel (modelled by a binary symmetric channel) to send a key, reconciliation is the process of correcting errors between Alice's and Bob's versions of the key. This is done by public discussion, which leaks some information about the secret key to an eavesdropper. We show how to construct protocols that leak a minimum amount of information. However, this construction cannot be implemented efficiently. If Alice and Bob are willing to reveal an arbitrarily small amount of additional information (beyond the minimum), then they can implement polynomial-time protocols. We also present a more efficient protocol, which leaks an amount of information acceptably close to the minimum possible for sufficiently reliable secret channels (those with probability of any symbol being transmitted incorrectly as large as 15%). This work improves on earlier reconciliation approaches [R, BBR, BBBSS].

1 Introduction. Unlike public key cryptosystems, the securi...

### Citations

708 | Universal classes of hash functions - Carter, Wegman - 1977 |

Citation Context: ...f leaked information is asymptotically equal to $nh(p)$. $\square$ To solve the problem that choosing a random function from a huge set is unreasonable, we choose it from a universal$_2$ class of hash functions [CW]. (Footnote 3: $\mathrm{Bin}(n, p)$ is the binomial probability distribution.) Definition 5 ([CW]). Let $H$ be a class of functions from $F$ to $G$. We say that $H$ is universal$_2$ if for all $x, y \in F$ such that $x \neq y$, the number of...

348 | New hash functions and their use in authentication and set equality - Wegman, Carter - 1981 |

238 | On the Inherent Intractability of Certain Coding Problems - Berlekamp, McEliece, et al. - 1978 |

Citation Context: ...ms, let C denote the class of problems that are polynomially equivalent to some problem in C. Let $X$ be the problem of executing step 3 of protocol 1 and let $X_{H_3}$ be the same problem when $H_3$ is used. [BMT] shows that determining least-weight solution in a system of linear equations in GF(2) is NP-hard. This problem is equivalent to $X_{H_3}$. Moreover we can easily show that $X \in (\Sigma_2^p)$. We want to sh...

213 | Experimental quantum cryptography - Bennett, Bessette, et al. - 1991 |

Citation Context: ...Fcar. ?? Supported by an Nserc scholarship. is expensive, we would like to minimize the information that a reconciliation protocol divulges. A quantum public key distribution protocol is described in [BBBSS], which also discusses a way to combine together reconciliation and privacy amplification. The problem of reconciliation has been previously studied in [R, BBR, BBBSS]. Key distribution using independ...

196 | Privacy Amplification by Public Discussion - Brassard - 1988 |

86 | Coding for noisy channels - Elias - 1955 |

Citation Context: ...60 4.01 4.64 0.10 7 3.81 3.28 3.99 0.15 5 3.80 3.05 4.12 8 Conclusions The reconciliation problem is a variant of the noisy coding problem. The extension of the noisy coding theorem [Sh] due to Elias [E] shows that there exist optimal linear codes. Thus, it is not surprising that there exist optimal reconciliation protocols. One must use the systematic version of an optimal linear code to obtain an o...

84 | Codes and Cryptography - Welsh - 1988 |

Citation Context: ...ting in string $B'$ such that $\mathrm{dist}(B, B')$ is minimal over all strings $D$ such that $f(D) = f(A)$. The proof of theorem 4 is similar to earlier ones showing the Shannon noisy coding theorem for BSC (see [W]). Theorem 4. Protocol 1 is optimal for an adequate choice of parameter $m$. Proof (sketch). Let $p$ be the BSC parameter. Let $p_e$ be the decoding error probability. Let $C = A \oplus B$ and $E$ be the event as...

80 | Practical Quantum Oblivious Transfer - Bennett, Brassard, et al. - 1992 |

Citation Context: ...ities between these two problems when a non-interactive protocol such as protocol 1 is being considered. The noninteractive scheme is relevant for some applications such as quantum oblivious transfer [BBCS]. We will see that using $H_3$ (defined below, for more details consult [CW]) yields a decoding time complexity equivalent to that of solving the general problem of decoding linear codes. Definition 7. ...

33 | A mathematical theory of communication, part I - Shannon - 1948 |

Citation Context: ...89 6.81 0.05 14 4.60 4.01 4.64 0.10 7 3.81 3.28 3.99 0.15 5 3.80 3.05 4.12 8 Conclusions The reconciliation problem is a variant of the noisy coding problem. The extension of the noisy coding theorem [Sh] due to Elias [E] shows that there exist optimal linear codes. Thus, it is not surprising that there exist optimal reconciliation protocols. One must use the systematic version of an optimal linear co...

18 | Probabilistic quantifiers and games - Zachos - 1988 |

Citation Context: ...hat $X \in (\Sigma_2^p)$. We want to show that $X_{H_3} \in \mathrm{BPP} \Leftrightarrow \mathrm{NP} \subseteq \mathrm{BPP}$. The left to right direction of this statement is obviously true since $X_{H_3}$ is NP-hard. To prove the other direction we use a result of [Z] showing that $\mathrm{NP} \subseteq \mathrm{BPP} \Leftrightarrow \mathrm{PH} \subseteq \mathrm{BPP}$ combined with the fact that $X \in (\Sigma_2^p)$. $\square$ 6 Almost-Ideal Protocols To be useful in practice a reconciliation protocol need not be optimal. Before execution of th...

16 | Perfect cryptographic security from partially independent channels - Maurer - 1991 |

Citation Context: ...discusses a way to combine together reconciliation and privacy amplification. The problem of reconciliation has been previously studied in [R, BBR, BBBSS]. Key distribution using independent channels [M] also requires reconciliation. In section 3 we define the problem and introduce the notion of optimality; in section 4 we show how to construct optimal protocols. In section 5 we discuss efficiency; i...

3 | Détection et correction d'erreurs en cryptographie, Masters Thesis, Département d'informatique et de recherche opérationnelle, Université de - Robert - 1985 |

1 | Le Problème de Réconciliation en Cryptographie, Master thesis, Département d'informatique et de recherche opérationnelle, Université de Montréal - Salvail - 1991 |

Citation Context: ... e j j) with p s (e) = e X j=0 p 0 s\Gamma1 (j)p 0 s\Gamma1 (e \Gamma j): Moreover p 0 1 (0) = 1 \Gamma ffi k 2 ; p 0 1 (1) = ffi k 2 : We can prove the following theorem by induction on s and e (see [Sa] for the proof): Theorem 10. (8ffi ks1 2 )(8e ? 0)(8ss1) p 0 s (e)s1 2 s+e\Gamma1 : The failure probability is less than k n and tends to 0 as n increases. Hence the condition 1 from the definition of...