## Secret Key Agreement by Public Discussion From Common Information (1993)

Venue: IEEE Transactions on Information Theory

Citations: 265 - 18 self

### BibTeX

```bibtex
@ARTICLE{Maurer93secretkey,
  author = {Ueli M. Maurer},
  title = {Secret Key Agreement by Public Discussion From Common Information},
  journal = {IEEE Transactions on Information Theory},
  year = {1993},
  volume = {39},
  pages = {733--742}
}
```

### Abstract

The problem of generating a shared secret key $S$ by two parties knowing dependent random variables $X$ and $Y$, respectively, but not sharing a secret key initially, is considered. An enemy who knows the random variable $Z$, jointly distributed with $X$ and $Y$ according to some probability distribution $P_{XYZ}$, can also receive all messages exchanged by the two parties over a public channel. The goal of a protocol is that the enemy obtains at most a negligible amount of information about $S$. Upper bounds on $H(S)$ as a function of $P_{XYZ}$ are presented. Lower bounds on the rate $H(S)/N$ (as $N \to \infty$) are derived for the case where $X = [X_1, \ldots, X_N]$, $Y = [Y_1, \ldots, Y_N]$ and $Z = [Z_1, \ldots, Z_N]$ result from $N$ independent executions of a random experiment generating $X_i$, $Y_i$ and $Z_i$, for $i = 1, \ldots, N$. In particular it is shown that such secret key agreement is possible for a scenario where all three parties receive the output of a binary symmetric source over independent binary symmetr...

### Citations

6512 | A mathematical theory of communication - Shannon - 1948 |

3047 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems - Rivest, Shamir, et al. - 1978 |

Citation Context: ...ever, for no existing cipher can the computational security be proved (without invoking an unproven intractability hypothesis). For instance the security of the well-known RSA public-key cryptosystem [11] is based on the (unproven) difficulty of factoring large integers, and many other cryptographic systems and protocols are based on the similarly unproven difficulty of computing discrete logarithms i...

2826 | New directions in cryptography - Diffie, Hellman - 1976 |

Citation Context: ...al enemies, be it a physically protected communication channel connecting them or a shared secret key. This view was dramatically revised by the publication of the seminal paper of Diffie and Hellman [6]. Public-key cryptography demonstrates that (computationally) secure communications can be achieved even if only the receiver of a message, but not necessarily the sender, has an advantage over all po...

842 | Communication theory of secrecy systems - Shannon - 1949 |

Citation Context: ... communication channel such that an enemy (Eve) with access to this channel is unable to obtain useful information about M. In the classical model of a cryptosystem (or cipher) introduced by Shannon [13], Eve has perfect access to the insecure channel; thus she is assumed to receive an identical copy of the ciphertext C received by the legitimate receiver Bob, where C is obtained by Alice as a functi...

371 | Broadcast channels with confidential messages - Csiszár, Körner - 1978 |

Citation Context: ...mentation of our protocols) and in the randomized cipher it is used to select a feasible number of the public random bits for generating the keystream. Wyner [16] and subsequently Csiszár and Körner [5] considered a scenario in which the enemy Eve is assumed to receive messages transmitted by the sender Alice over a channel that is noisier than the legitimate receiver Bob's channel. The assumption t...

335 | New hash functions and their use in authentication and set equality - Wegman, Carter - 1981 |

Citation Context: ...out being detected. If this last assumption cannot realistically be made, authenticity and data integrity can be ensured by using an unconditionally secure authentication scheme, for instance that of [15] based on universal hashing, which requires that Alice and Bob share a short secret key initially. As for the protocols discussed in Bennett's and Brassard's work on quantum cryptography [1], the purp...

311 | Principles and Practice of Information Theory - Blahut - 1987 |

Citation Context: ... ] $\le \epsilon$ (8) and $I(S; C^t Z) \le \delta$ (9) for some specified (small) $\delta$ and $\epsilon$. (These two parameters should not be confused with the bit error probabilities of the previous section.) By Fano's Lemma (cf. [3], p. 156) condition (8) implies that $H(S|S') \le h(\epsilon) + \epsilon \log_2(|S| - 1)$ (10) where $|S|$ denotes the number of distinct values that $S$ takes on with non-zero probability. Note that $H(S|S') \to 0$...

262 | The wire-tap channel - Wyner - 1975 |

Citation Context: ... authentication (like in a realistic implementation of our protocols) and in the randomized cipher it is used to select a feasible number of the public random bits for generating the keystream. Wyner [16] and subsequently Csiszár and Körner [5] considered a scenario in which the enemy Eve is assumed to receive messages transmitted by the sender Alice over a channel that is noisier than the legitimate...

205 | Experimental quantum cryptography - Bennett, Bessette, et al. - 1992 |

Citation Context: ...e approaches are either impractical or based on unrealistic assumptions about an enemy's accessible information. Quantum cryptography introduced by Wiesner and put forward by Bennett, Brassard et al. [1, 4], which is for several reasons not truly practical (even though a prototype exists) is based on the (unproven but plausible) uncertainty principle of quantum physics: By measuring one component of the...

193 | Privacy amplification by public discussion - Bennett, Brassard, et al. - 1988 |

Citation Context: ...channel by two parties for extracting a secret key from an initially shared partially secret string was previously considered by Leung-Yan-Cheong [7] and independently by Bennett, Brassard and Robert [2]. This paper is concerned with key distribution as well as encryption: a shared secret key generated by one of our protocols can be used as the key sequence in the above mentioned one-time pad, thus a...

82 | Conditionally-perfect secrecy and a provably-secure randomized cipher - Maurer - 1992 |

Citation Context: ... one component of the polarization of a photon Eve irreversibly loses the ability to perform a measurement for the orthogonal component of the polarization. The randomized cipher introduced by Maurer [8] makes use of a public random string that is too long to be read entirely in feasible time. This cipher is impractical because a source of the required large amount of randomness remains to be discove...

81 | Cipher printing telegraph systems for secret wire and radio telegraphic communications - Vernam - 1926 |

Citation Context: ...sage M, an enemy can do no better than guess M without even looking at the ciphertext C. Shannon gave as a simple example of a perfect cipher the so-called one-time pad previously proposed by Vernam [14] without proof of security; the binary plaintext is concealed by adding modulo 2 (EXOR) a random binary secret key of the same length. Of course, this system is completely impractical for most applica...

29 | Modern Cryptology: A Tutorial - Brassard - 1988 |

Citation Context: ...e approaches are either impractical or based on unrealistic assumptions about an enemy's accessible information. Quantum cryptography introduced by Wiesner and put forward by Bennett, Brassard et al. [1, 4], which is for several reasons not truly practical (even though a prototype exists) is based on the (unproven but plausible) uncertainty principle of quantum physics: By measuring one component of the...

16 | Perfect cryptographic security from partially independent channels - Maurer - 1991 |

7 | Multi-user and wire-tap channels including feedback - Leung-Yan-Cheong - 1976 |

Citation Context: ...sequent instance of the protocol. The use of a public channel by two parties for extracting a secret key from an initially shared partially secret string was previously considered by Leung-Yan-Cheong [7] and independently by Bennett, Brassard and Robert [2]. This paper is concerned with key distribution as well as encryption: a shared secret key generated by one of our protocols can be used as the ke...

7 | Protocols for secret key agreement based on common information - Maurer - 1993 |

Citation Context: ...Some protocols that allow Alice and Bob to share a substantial amount of secret key even when Eve's channel is a few orders of magnitude more reliable than Alice's and Bob's channels are discussed in [10]. VI. Conclusions In Shannon's classical view of cryptography [13], a necessary condition for two parties Alice and Bob to be able to communicate in secrecy is that they have a common advantage over p...