2,259 research outputs found
Universal Hashing for Information Theoretic Security
The information theoretic approach to security entails harnessing the
correlated randomness available in nature to establish security. It uses tools
from information theory and coding and yields provable security, even against
an adversary with unbounded computational power. However, the feasibility of
this approach in practice depends on the development of efficiently
implementable schemes. In this article, we review a special class of practical
schemes for information theoretic security that are based on 2-universal hash
families. Specific cases of secret key agreement and wiretap coding are
considered, and general themes are identified. The scheme presented for wiretap
coding is modular and can be implemented easily by including an extra
pre-processing layer over the existing transmission codes.Comment: Corrected an error in the proof of Lemma
Key recycling in authentication
In their seminal work on authentication, Wegman and Carter propose that to
authenticate multiple messages, it is sufficient to reuse the same hash
function as long as each tag is encrypted with a one-time pad. They argue that
because the one-time pad is perfectly hiding, the hash function used remains
completely unknown to the adversary.
Since their proof is not composable, we revisit it using a composable
security framework. It turns out that the above argument is insufficient: if
the adversary learns whether a corrupted message was accepted or rejected,
information about the hash function is leaked, and after a bounded finite
amount of rounds it is completely known. We show however that this leak is very
small: Wegman and Carter's protocol is still -secure, if
-almost strongly universal hash functions are used. This implies
that the secret key corresponding to the choice of hash function can be reused
in the next round of authentication without any additional error than this
.
We also show that if the players have a mild form of synchronization, namely
that the receiver knows when a message should be received, the key can be
recycled for any arbitrary task, not only new rounds of authentication.Comment: 17+3 pages. 11 figures. v3: Rewritten with AC instead of UC. Extended
the main result to both synchronous and asynchronous networks. Matches
published version up to layout and updated references. v2: updated
introduction and reference
Attacks on quantum key distribution protocols that employ non-ITS authentication
We demonstrate how adversaries with unbounded computing resources can break
Quantum Key Distribution (QKD) protocols which employ a particular message
authentication code suggested previously. This authentication code, featuring
low key consumption, is not Information-Theoretically Secure (ITS) since for
each message the eavesdropper has intercepted she is able to send a different
message from a set of messages that she can calculate by finding collisions of
a cryptographic hash function. However, when this authentication code was
introduced it was shown to prevent straightforward Man-In-The-Middle (MITM)
attacks against QKD protocols.
In this paper, we prove that the set of messages that collide with any given
message under this authentication code contains with high probability a message
that has small Hamming distance to any other given message. Based on this fact
we present extended MITM attacks against different versions of BB84 QKD
protocols using the addressed authentication code; for three protocols we
describe every single action taken by the adversary. For all protocols the
adversary can obtain complete knowledge of the key, and for most protocols her
success probability in doing so approaches unity.
Since the attacks work against all authentication methods which allow to
calculate colliding messages, the underlying building blocks of the presented
attacks expose the potential pitfalls arising as a consequence of non-ITS
authentication in QKD-postprocessing. We propose countermeasures, increasing
the eavesdroppers demand for computational power, and also prove necessary and
sufficient conditions for upgrading the discussed authentication code to the
ITS level.Comment: 34 page
Commitment and Oblivious Transfer in the Bounded Storage Model with Errors
The bounded storage model restricts the memory of an adversary in a
cryptographic protocol, rather than restricting its computational power, making
information theoretically secure protocols feasible. We present the first
protocols for commitment and oblivious transfer in the bounded storage model
with errors, i.e., the model where the public random sources available to the
two parties are not exactly the same, but instead are only required to have a
small Hamming distance between themselves. Commitment and oblivious transfer
protocols were known previously only for the error-free variant of the bounded
storage model, which is harder to realize
On an almost-universal hash function family with applications to authentication and secrecy codes
Universal hashing, discovered by Carter and Wegman in 1979, has many
important applications in computer science. MMH, which was shown to be
-universal by Halevi and Krawczyk in 1997, is a well-known universal
hash function family. We introduce a variant of MMH, that we call GRDH,
where we use an arbitrary integer instead of prime and let the keys
satisfy the
conditions (), where are
given positive divisors of . Then via connecting the universal hashing
problem to the number of solutions of restricted linear congruences, we prove
that the family GRDH is an -almost--universal family of
hash functions for some if and only if is odd and
. Furthermore, if these conditions are
satisfied then GRDH is -almost--universal, where is
the smallest prime divisor of . Finally, as an application of our results,
we propose an authentication code with secrecy scheme which strongly
generalizes the scheme studied by Alomair et al. [{\it J. Math. Cryptol.} {\bf
4} (2010), 121--148], and [{\it J.UCS} {\bf 15} (2009), 2937--2956].Comment: International Journal of Foundations of Computer Science, to appea
Polar Coding for Secure Transmission and Key Agreement
Wyner's work on wiretap channels and the recent works on information
theoretic security are based on random codes. Achieving information theoretical
security with practical coding schemes is of definite interest. In this note,
the attempt is to overcome this elusive task by employing the polar coding
technique of Ar{\i}kan. It is shown that polar codes achieve non-trivial
perfect secrecy rates for binary-input degraded wiretap channels while enjoying
their low encoding-decoding complexity. In the special case of symmetric main
and eavesdropper channels, this coding technique achieves the secrecy capacity.
Next, fading erasure wiretap channels are considered and a secret key agreement
scheme is proposed, which requires only the statistical knowledge of the
eavesdropper channel state information (CSI). The enabling factor is the
creation of advantage over Eve, by blindly using the proposed scheme over each
fading block, which is then exploited with privacy amplification techniques to
generate secret keys.Comment: Proceedings of the 21st Annual IEEE International Symposium on
Personal, Indoor, and Mobile Radio Communications (PIMRC 2010), Sept. 2010,
Istanbul, Turke
Unconditional security from noisy quantum storage
We consider the implementation of two-party cryptographic primitives based on
the sole assumption that no large-scale reliable quantum storage is available
to the cheating party. We construct novel protocols for oblivious transfer and
bit commitment, and prove that realistic noise levels provide security even
against the most general attack. Such unconditional results were previously
only known in the so-called bounded-storage model which is a special case of
our setting. Our protocols can be implemented with present-day hardware used
for quantum key distribution. In particular, no quantum storage is required for
the honest parties.Comment: 25 pages (IEEE two column), 13 figures, v4: published version (to
appear in IEEE Transactions on Information Theory), including bit wise
min-entropy sampling. however, for experimental purposes block sampling can
be much more convenient, please see v3 arxiv version if needed. See
arXiv:0911.2302 for a companion paper addressing aspects of a practical
implementation using block samplin
- …