Linking information reconciliation and privacy amplification
Information reconciliation allows two parties knowing correlated random variables, such as a noisy version of the partner's random bit string, to agree on a shared string. Privacy amplification allows two parties sharing a partially secret string, about which an opponent has some partial information, to distill a shorter but almost completely secret key by communicating only over an insecure channel, as long as an upper bound on the opponent's knowledge about the string is known. The relation between these two techniques has not been well understood. In particular, it is important to understand the effect of side-information, obtained by the opponent through an initial reconciliation step, on the size of the secret key that can be distilled safely by subsequent privacy amplification. The purpose of this paper is to provide the missing link between these techniques by presenting bounds on the reduction of the Rényi entropy of a random variable induced by side-information. We show that, except with negligible probability, each bit of side-information reduces the size of the key that can be safely distilled by at most two bits. Moreover, in the important special case of side-information and raw key data generated by many independent repetitions of a random experiment, each bit of side-information reduces the size of the secret key by only about one bit. The results have applications in unconditionally secure key agreement protocols and in quantum cryptography.
Optimal Randomizer Efficiency in the Bounded-Storage Model
In the bounded-storage model for information-theoretically secure encryption and key-agreement one can prove the security of a cipher based on the sole assumption that the adversary's storage capacity is bounded, say by bits, even if her computational power is unlimited. Assume that a random -bit string is either publicly available (e.g., the signal of a deep-space radio source) or broadcast by one of the legitimate parties. If ), or the adversary was assumed to be able to store only actual bits of rather than arbitrary bits of information about , or the adversary received a non-negligible amount of information about . In this paper we prove the first non-restricted security result in the bounded-storage model: is short, is very long, and needs to be only moderately larger than . In fact, can be arbitrarily close to and hence the storage bound is essentially optimal. The security can be proved also if is not uniformly random, provided that the min-entropy of is sufficiently greater than $s$.
Toward an Algebraic Theory of Systems
We propose the concept of a system algebra with a parallel composition operation and an interface connection operation, and formalize composition-order invariance, which postulates that the order of composing and connecting systems is irrelevant, a generalized form of associativity. Composition-order invariance explicitly captures a common property that is implicit in any context where one can draw a figure (hiding the drawing order) of several connected systems, which appears in many scientific contexts. This abstract algebra captures settings where one is interested in the behavior of a composed system in an environment and wants to abstract away anything internal not relevant for the behavior. This may include physical systems, electronic circuits, or interacting distributed systems.

One specific such setting, of special interest in computer science, is functional system algebras, which capture, in the most general sense, any type of system that takes inputs and produces outputs depending on the inputs, and where the output of a system can be the input to another system. The behavior of such a system is uniquely determined by the function mapping inputs to outputs. We consider several instantiations of this very general concept. In particular, we show that Kahn networks form a functional system algebra and prove their composition-order invariance.

Moreover, we define a functional system algebra of causal systems, characterized by the property that inputs can only influence future outputs, where an abstract partial order relation captures the notion of "later". This system algebra is also shown to be composition-order invariant, and appropriate instantiations thereof allow one to model and analyze systems that depend on time.
Causal Boxes: Quantum Information-Processing Systems Closed under Composition
Complex information-processing systems, for example quantum circuits, cryptographic protocols, or multi-player games, are naturally described as networks composed of more basic information-processing systems. A modular analysis of such systems requires a mathematical model of systems that is closed under composition, i.e., a network of these objects is again an object of the same type. We propose such a model and call the corresponding systems causal boxes.

Causal boxes capture superpositions of causal structures, e.g., messages sent by a causal box A can be in a superposition of different orders or in a superposition of being sent to box B and box C. Furthermore, causal boxes can model systems whose behavior depends on time. By instantiating the Abstract Cryptography framework with causal boxes, we obtain the first composable security framework that can handle arbitrary quantum protocols and relativistic protocols.

Comment: 44+24 pages, 16 figures. v3: minor edits based on referee comments, matches published version up to layout. v2: definition of causality weakened, new reference.
07381 Executive Summary - Cryptography
The topics covered in the seminar spanned most areas of cryptography, in one way or another, both in terms of the types of schemes (public-key cryptography, symmetric cryptography, hash functions and other cryptographic functions, multi-party protocols, etc.) and in terms of the mathematical methods and techniques used (algebra, number theory, elliptic curves, probability theory, information theory, combinatorics, quantum theory, etc.). The range of applications addressed in the various talks was broad, ranging from secure communication, key management, authentication, digital signatures and payment systems to e-voting and Internet security.

While the initial plan had been to focus more exclusively on public-key cryptography, it turned out that this sub-topic branches out into many other areas of cryptography, and therefore the organizers decided to expand the scope, emphasizing quality rather than close adherence to public-key cryptography. This decision turned out to be a wise one.

What was common to almost all the talks is that rigorous mathematical proofs for the security of the presented schemes were given. In fact, a central topic of many of the talks was proof methodologies for various contexts.
07381 Abstracts Collection -- Cryptography
From 16.09.2007 to 21.09.2007 the Dagstuhl Seminar 07381 "Cryptography" was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The first section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available.
On Broadcast in Generalized Network and Adversarial Models
Broadcast is a primitive which allows a specific party to distribute a message consistently among n parties, even if up to t parties exhibit malicious behaviour. In the classical model with a complete network of bilateral authenticated channels, the seminal result of Pease et al. [Pease et al., 1980] shows that broadcast is achievable if and only if t < n/3. There are two generalizations suggested for the broadcast problem, with respect to the adversarial model and the communication model. Fitzi and Maurer [Fitzi and Maurer, 1998] consider a (non-threshold) general adversary that is characterized by the subsets of parties that could be corrupted, and show that broadcast can be realized from bilateral channels if and only if the union of no three possible corrupted sets equals the entire set of n parties. On the other hand, Considine et al. [Considine et al., 2005] extend the standard model of bilateral channels with the existence of b-minicast channels that allow local broadcast among any subset of b parties; the authors show that in this enhanced model of communication, secure broadcast tolerating up to t corrupted parties is possible if and only if t < (b-1)/(b+1)n. These generalizations are unified in the work by Raykov [Raykov P., 2015], where a tight condition on the possible corrupted sets is presented such that broadcast is achievable from a complete set of b-minicasts.
This paper investigates the achievability of broadcast in general networks, i.e., networks where only some subsets of minicast channels may be available, thereby addressing open problems posed in [Jaffe et al., 2012; Raykov P., 2015]. To that end, we propose a hierarchy over all possible general adversaries, and identify for each class of general adversaries 1) a set of minicast channels that are necessary to achieve broadcast and 2) a set of minicast channels that are sufficient to achieve broadcast. In particular, this allows us to derive bounds on the number of b-minicasts that are necessary and that suffice towards constructing broadcast in general b-minicast networks.