
    Deep Random based Key Exchange protocol resisting unlimited MITM

    We present a protocol enabling two legitimate partners sharing an initial secret to mutually authenticate and to exchange an encryption session key. The opponent is an active Man In The Middle (MITM) with unlimited computation and storage capacities. The resistance to unlimited MITM is obtained through the combined use of Deep Random secrecy, formerly introduced and proved as unconditionally secure against passive opponent for key exchange, and universal hashing techniques. We prove the resistance to MITM interception attacks, and show that (i) upon successful completion, the protocol leaks no residual information about the current value of the shared secret to the opponent, and (ii) that any unsuccessful completion is detectable by the legitimate partners. We also discuss implementation techniques.
    Comment: 14 pages. V2: Updated reminder in the formalism of Deep Random assumption. arXiv admin note: text overlap with arXiv:1611.01683, arXiv:1507.0825

    Information-Theoretic Secret-Key Agreement: The Asymptotically Tight Relation Between the Secret-Key Rate and the Channel Quality Ratio

    Information-theoretically secure secret-key agreement between two parties Alice and Bob is a well-studied problem that is provably impossible in a plain model with public (authenticated) communication, but is known to be possible in a model where the parties also have access to some correlated randomness. One particular type of such correlated randomness is the so-called satellite setting, where a source of uniform random bits (e.g., sent by a satellite) is received by the parties and the adversary Eve over inherently noisy channels. The antenna size determines the error probability, and the antenna is the adversary's limiting resource much as computing power is the limiting resource in traditional complexity-based security. The natural assumption about the adversary is that her antenna is at most $Q$ times larger than both Alice's and Bob's antenna, where, to be realistic, $Q$ can be very large. The goal of this paper is to characterize the secret-key rate per transmitted bit in terms of $Q$. Traditional results in this so-called satellite setting are phrased in terms of the error probabilities $\epsilon_A$, $\epsilon_B$, and $\epsilon_E$, of the binary symmetric channels through which the parties receive the bits and, quite surprisingly, the secret-key rate has been shown to be strictly positive unless Eve's channel is perfect ($\epsilon_E=0$) or either Alice's or Bob's channel output is independent of the transmitted bit (i.e., $\epsilon_A=0.5$ or $\epsilon_B=0.5$). However, the best proven lower bound, if interpreted in terms of the channel quality ratio $Q$, is only exponentially small in $Q$. The main result of this paper is that the secret-key rate decreases asymptotically only like $1/Q^2$ if the per-bit signal energy, affecting the quality of all channels, is treated as a system parameter that can be optimized. Moreover, this bound is tight if Alice and Bob have the same antenna sizes.
    Motivated by considering a fixed sending signal power, in which case the per-bit energy is inversely proportional to the bit-rate, we also propose a definition of the secret-key rate per second (rather than per transmitted bit) and prove that it decreases asymptotically only like $1/Q$

    Secrecy Results for Compound Wiretap Channels

    We derive a lower bound on the secrecy capacity of the compound wiretap channel with channel state information at the transmitter which matches the general upper bound on the secrecy capacity of general compound wiretap channels given by Liang et al., thereby establishing a full coding theorem in this case. We achieve this with a stronger secrecy criterion and the maximum error probability criterion, and with a decoder that is robust against the effect of randomisation in the encoding. This relieves us from the need of decoding the randomisation parameter, which is in general not possible within this model. Moreover, we prove a lower bound on the secrecy capacity of the compound wiretap channel without channel state information and derive a multi-letter expression for the capacity in this communication scenario.
    Comment: 25 pages, 1 figure. Accepted for publication in the journal "Problems of Information Transmission". Some of the results were presented at the ITW 2011 Paraty [arXiv:1103.0135] and published in the conference paper available at the IEEE Xplor

    Simple Schemes in the Bounded Storage Model

    The bounded storage model promises unconditional security proofs against computationally unbounded adversaries, so long as the adversary’s space is bounded. In this work, we develop simple new constructions of two-party key agreement, bit commitment, and oblivious transfer in this model. In addition to simplicity, our constructions have several advantages over prior work, including an improved number of rounds and enhanced correctness. Our schemes are based on Raz’s lower bound for learning parities

    Quantum key distribution using gaussian-modulated coherent states

    Quantum continuous variables are being explored as an alternative means to implement quantum key distribution, which is usually based on single photon counting. The former approach is potentially advantageous because it should enable higher key distribution rates. Here we propose and experimentally demonstrate a quantum key distribution protocol based on the transmission of gaussian-modulated coherent states (consisting of laser pulses containing a few hundred photons) and shot-noise-limited homodyne detection; squeezed or entangled beams are not required. Complete secret key extraction is achieved using a reverse reconciliation technique followed by privacy amplification. The reverse reconciliation technique is in principle secure for any value of the line transmission, against gaussian individual attacks based on entanglement and quantum memories. Our table-top experiment yields a net key transmission rate of about 1.7 megabits per second for a loss-free line, and 75 kilobits per second for a line with losses of 3.1 dB. We anticipate that the scheme should remain effective for lines with higher losses, particularly because the present limitations are essentially technical, so that significant margin for improvement is available on both the hardware and software.
    Comment: 8 pages, 4 figure

    Tight Reductions for Diffie-Hellman Variants in the Algebraic Group Model

    Fuchsbauer, Kiltz, and Loss (Crypto'18) gave a simple and clean definition of an algebraic group model (AGM) that lies in between the standard model and the generic group model (GGM). Specifically, an algebraic adversary is able to exploit group-specific structures as in the standard model, while the AGM successfully provides meaningful hardness results as the GGM does. As an application of the AGM, they show a tight computational equivalence between the computing Diffie-Hellman (CDH) assumption and the discrete logarithm (DL) assumption. For this purpose, they used the square Diffie-Hellman assumption as a bridge, i.e., they first proved the equivalence between the DL assumption and the square Diffie-Hellman assumption, then used the known equivalence between the square Diffie-Hellman assumption and the CDH assumption. In this paper, we provide an alternative proof that directly shows the tight equivalence between the DL assumption and the CDH assumption. The crucial benefit of the direct reduction is that we can easily extend the approach to variants of the CDH assumption, e.g., the bilinear Diffie-Hellman assumption. Indeed, we show several tight computational equivalences and discuss applicabilities of our techniques

    Secret Sharing over Fast-Fading MIMO Wiretap Channels

    Secret sharing over the fast-fading MIMO wiretap channel is considered. A source and a destination try to share secret information over a fast-fading MIMO channel in the presence of a wiretapper who also makes channel observations that are different from but correlated to those made by the destination. An interactive authenticated unrestricted public channel is also available for use by the source and destination in the secret sharing process. This falls under the "channel-type model with wiretapper" considered by Ahlswede and Csiszar. A minor extension of their result (to continuous channel alphabets) is employed to evaluate the key capacity of the fast-fading MIMO wiretap channel. The effects of spatial dimensionality provided by the use of multiple antennas at the source, destination, and wiretapper are then investigated.
    Comment: Revision submitted to EURASIP Journal on Wireless Communications and Networking, Special Issue on Wireless Physical Layer Security, Sept. 2009. v.3: Fixes to proofs. Matthieu Bloch added as co-author for contributions to proof

    Privacy Amplification from Non-malleable Codes

    Non-malleable Codes give us the following property: their codewords cannot be tampered into codewords of related messages. Privacy Amplification allows parties to convert their weak shared secret into a fully hidden, uniformly distributed secret key, while communicating on a fully tamperable public channel. In this work, we show how to construct a constant round privacy amplification protocol from any augmented split-state non-malleable code. Existentially, this gives us another primitive (in addition to optimal non-malleable extractors) whose optimal construction would solve the long-standing open problem of building constant round privacy amplification with optimal entropy loss. Instantiating our code with the current best known NMC gives us an $8$-round privacy amplification protocol with entropy loss $O(\log(n)+\kappa\log(\kappa))$ and min-entropy requirement $\Omega(\log(n)+\kappa\log(\kappa))$, where $\kappa$ is the security parameter and $n$ is the length of the shared weak secret. In fact, for our result, even the weaker primitive of Non-malleable Randomness Encoders suffices. We view our result as an exciting connection between two of the most fascinating and well-studied information theoretic primitives, non-malleable codes and privacy amplification

    Extended Generalized Feistel Networks using Matrix Representation

    While Generalized Feistel Networks have been widely studied in the literature as a building block of a block cipher, we propose in this paper a unified vision to easily represent them through a matrix representation. We then propose a new class of such schemes called Extended Generalized Feistel Networks well suited for cryptographic applications. We instantiate those proposals into two particular constructions and we finally analyze their security

    10-Round Feistel is Indifferentiable from an Ideal Cipher

    We revisit the question of constructing an ideal cipher from a random oracle. Coron et al. (Journal of Cryptology, 2014) proved that a 14-round Feistel network using random, independent, keyed round functions is indifferentiable from an ideal cipher, thus demonstrating the feasibility of such a construction. Left unresolved is the best possible efficiency of the transformation. We improve upon the result of Coron et al. and show that 10 rounds suffice