# Secret Key Agreement by Public Discussion from Common Information

Save this PDF as:

Size: px
Start display at page:

## Transcription

5 MAURER: SECRET KEY AGREEMENT BY PUBLIC DISCUSSION FROM COMMON INFORMATION 131 By Fano s Lemma (cf. [3, p. 156]), condition (8) implies that H(S I S ) 5 h(e) + log,(lsi - 1) (10) where IS1 denotes the number of distinct values that S takes on with nonzero probability. Note that H(S I S ) -+ 0 as E + 0. If one requires that P[S # S ] = 0 and I(S; Ct) = 0 (i.e., that E = 0 in (8) and S = 0 in (9)) it appear intuitive but not obvious that I(X;Y) is an upper bound on H(S). It appears to be similarly intuitive that H(S) 5 I(X; Y 12)= I(XZ; YZ) - H(Z) because even under the assumption that Alice and Bob could learn 2, the remaining information shared by Alice and Bob is an upper bound on the information they can share in secrecy. The following theorem, whose proof is not completely obvious, summarizes these results. Theorem 1: For every key agreement protocol satisfying (4)-(7), In particular, H(S) 5 I(X; Y 12)+ H(S I S ) + I(S; CtZ) * H(S) 5 I(X; Y) + H(S I SI) + I(S; ct). Proof: Note first of all that the second part is a special case of the first where Z is a constant random variable. It remains to prove the first part. We have H(S) = I(S;CtZ) + H(SICtZ), where H(S I CtZ) can be bounded above as follows: H(S I CtZ) = H(SX I CtZ) - H(X I CtSZ) = H(X I CtZ) + H(S I CtXZ) - H(XICtS2) 5 H(X I CtZ) - H(X I CtSYZ) = H(X I CtZ) - H(XS I CtYZ) + H(S1CtYZ) = H(X I CtZ) - H(X I CtYZ) + H(S1CtYZ) 5 I(X; Y I Ct 2) + H(S I S ). (11) (12) In the first inequality and in the last equality we have made use of (6) and the fact that conditioning on further random variables cannot increase entropy. The second inequality follows from (7) which implies H(SICtY2) = H(SICtS Y2) I: H(S1S ). We continue the proof by showing that public discussion cannot increase the mutual information shared by Alice and Bob when given Eve s total information consisting of Ct and 2. Without loss of generality, assume that t is odd, i.e., that the last public message Ct is sent by Alice and thus H(Ct ICt-lX) = 0. The proof for even t is analogous. I(X; Y I CtZ) = H(Y ICtZ) - H(Y I CtXZ) = H(Y I CtZ) - H(Y I ct-1x.z) I: H(Y I ct-12) - H(Y I ct-lxz) = I(X; Y I ct-12). (13) The second step follows from (4). By repeating this argument t times, but for even t with X and Y interchanged, we arrive at I(X; Y I CtZ) 5 I(X; Y 12) that together with (12) and (11) completes the proof of the theorem. 0 Corollary 1: For every key agreement protocol satisfying (4)-(9), H(S) 5 min[i(x; Y), I(X; Y I Z)] + S + h(e) + Elog,(lsI - 1). Proof: Immediate consequence of Theorem 1, inequality (lo), and the fact that I(S; Ct) 5 I(S; CtZ). U It should be pointed out that I(X;Y) < I(X;Y 12)is possible. Consider as an example the case where X and Y are independent, binary and symmetrically distributed (i.e., P[X = 01 = P[Y = 01 = l/2) and where Z is the modulo 2 sun of X and Y. Then, I(X; Y) = 0 whereas I(X; Y 12)= H(X) = 1. Furthermore, I(X;Y) > I(X;YIZ) is also possible, for instance, when I(X; Y) > 0 and when Z = X. Iv. THE SECRET KEY RATE: UPPER AND LOWER BOUNDS In order to be able to prove lower bounds on the achievable size of a key shared by Alice and Bob in secrecy, we need to make more specific assumptions about the distribution PXYZ. One natural assumption is that the random experiment generating XY Z is repeated many times independently: Alice, Bob and Eve receive XN = [X~,...,XN], YN = [Yl,..., YN] and ZN = [&,..., ZN], respectively, where N a=1 and where Px,Y,z, = PXYZ for 1 5 i 5 N. For such a scenario of independent repetitions of a random experiment, which is well motivated by models such as discrete memoryless sources and channels previously considered in information theory, the quantity that appears to be of most interest is defined as follows. Definition 2: The secret key rate of X and Y with respect to 2, denoted S(X; YllZ), is the maximum rate at which Alice and Bob can agree on a secret key S while keeping the rate at which Eve obtains information arbitrarily small, i.e., it is the maximal R such that for every E > 0 there exists a protocol for sufficiently large N satisfying (4)-(8) with X and Y replaced by XN and YN, respectively, satisfying and achieving 1 - N I(S; CtZN) 5 E, 1 -H(S) N 2 R -E. In all the protocols discussed next, S will be uniformly distributed. However, if for some other protocol the secret key generated by Alice and Bob were not uniformly distributed,

9 MAURER SECRET KEY AGREEMENT BY PUBLIC DISCUSSION FROM COMMON INFORMATION 741 Alice's and Bob's reliability for the shared string. Some pmtncc?!s that a!aw Alice and Rnb ta sh2re a sllbstantia! amount of secret key even when Eve's channel is a few orders of magnitude more reliable than Alice's and Bob's channels are discussed in [lo]. VI. CONCLUSION In Shannon's classical view of cryptology [13], a necessary condition for two parties Alice and Bob to be able to communicate in secrecy is that they have a common advantage over potential enemies, be it a physically protected communication channel connecting them or a shared secret key. This view was dramatically revised by the publication of the seminal paper of Diffie and Hellman [6]. Public-key cryptology demonstrates that (computationally) secure communications can be achieved even if only the receiver of a message, but not necessarily the sender, has an advantage over all potential enemy receivers. The results of this paper can be interpreted as a further step in the same direction, namely as demonstrating that only a difference in the received signals, but not necessarily with an advantage for either of the legitimate communicants, suffices for achieving perfect cryptographic security, regardless of the enemy's computing power. The paper suggests the following conclusion for the implementation of cryptographic systems on given noisy communication channels. Such channels should not be converted into error-free channels by means of error-correcting codes, followed by a cryptographic protocol based on error-free channels because this design strategy would imply that Shannon's pessimistic inequality (2) applies and therefore perfect secrecy cannot be achieved unless an impractically large amount of shared secret key is available. Instead, cryptographic coding and error-control coding should be combined, resulting in a system achieving virtually perfect secrecy, with a (short) secret key being required only for authentication. The author hopes that this paper and a subsequent paper on practical implementations will help to move perfect secrecy closer to being practical. (12). It remains to prove that I(X"; YN I CNZN) 5 N. maxi(x; Y 12). (20) In the following derivations, the index i is understood to range from 1 to N. Alice's choice of Px, depends only on Ci-' and xi-1, but not further on Yi-l and Zi-', i.e., H(Xi I ci-1xi-lyi-1zi-l) = H(Xi I ci-1x2-1). (21) Similarly, the ith broadcast channel output [Y,, Zi] depends on ci-l xi-1 yi-1 > >, and Zip' only through its dependence on Xi, which can be written as H(Y&zi I c"-1xiyz-12i-l) = H(Y,Z; I Xi). (22) One similarly has px H(2i ICi-lXiYi-lZi-l) = H(Z; \Xi) (23) when only the 2-output of the channel is considered. Note that these conditions can be interpreted as corresponding to the first equality in [3, p. 331, proof of Theorem stating that feedback cannot increase the capacity of a discrete memoryless channel. We now derive two equalities that will be used later. First, using (22) and (23) one obtains H(Y; I ci-1xiyi-lzi) = H(Y,Z, I ci-1xiyi-1zi-l) - qzi I ci-lxiyi-lzi-l) = H(Y,Z; I Zi) - H(Zi I Xi) = H(Y, 1 Xi&). (24) Second, expanding the following conditional entropy in two different ways, rr, TI ~ ~ i CP - I 1 ni-1 ~7i-l ";-I\ A- L- ntnir- L~IL- - H(XiZi I ci-lxi-lzi-1) + q yi-l (ci-lxizi) - H(XiZi 1 ci-lxi-lyi-1zi-1) + q yi-l 1 ci-lxi-lzi-l), APPENDIX Proof of Theorem 4: The lower bound is trivial. In proving the upper bound, our goal is to show in analogy to Theorem 3 that 1 + -I(S;CNZN) N 1 - H( S 1 5'') N and using H(XiZi I ~i-lxi-lyi-1~i-l) = H(Xi (ci-1xi-lyi-1zi-1) + H(zi I ci-lxiyi-1zi-l) - H(Xi (Ci-1Xi-1zi-l) + H(Zi Ici-1xZzi-l) = H(XiZi I ci-1xi-lzi-l), According to (9), (10) and the definition of secrecy capacity where the second step follows from applications of (21) and the last two terms must vanish as N -+ ca. That H(S)/N 5 (23), leads to maxp, I(X; Y) follows from H(S)/N 5 maxp, I(X; Y (2) ~(yi-l(c"'-ixizi) = ~(yi-1 (ci-1xi-lzi-1). by choosing 2 as a constant random variable. (25) In order to prove (19), note that Repeating the argument leading to (13) for every pub- + H(S) 5 I(XN; YN (CNZN) + H(S( S') + I(S; CNZN) lic message of step i, i.e., for Cil, s., (?it%, where in the derivation of (13), X,Y, and 2 are replaced by Xi,Yi, can be derived in exact analogy to the derivation of (11) and and Zi, respectively, Ct is replaced by [Ci-', Cil,..., Cij]

10 742 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 39, NO. 3, MAY 1993 in the (ti- j)th application, and the term I(Xi, Yi I Ci-lCil ACKNOWLEDGMENT. e. is expressed as a difference of conditional entropies It is a pleasure to thank c. H. Bennett, G. Brassard7 and J. of Ya and xi according to whether Alice or Bob is the sender Massey for interesting and helpful discuss~ons~ of message Cij, respectively, one arrives at REFERENCES I(Xa; Yz I CzZz) 5 I(Xa; Yz I C2- Za). (26) Now, using the trivial inequalities H(yi-l Ici-lzi) 5 jy(yi-1 Ici-lzi-1) and Inequality (20) and hence the theorem follow by consecutive applications of (26) and (27) for i = N, N - 1,..., 1 and the fact that for all i, [l] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, Experimental quantum crytography, J. Cryptol., vol. 5, no. 1, pp. 3-28, [2] C. H. Bennett, G. Brassard, and J. -M. Robert, Privacy amplification by public discussion, SIAM J. Computing, vol. 17, no. 2, pp , [3] R. E. Blahut, Principles and Practice of Information Theory. Reading, MA Addison-Wesley, [4] G. Brassard, Modern Cryptology:A Tutorial (Lecture Notes in Computer Science), vol Berlin: Springer-Verlag, [5] I. Csiszir and J. Korner, Broadcast channels with confidential messages, IEEE Trans. Znform. Theory, vol. IT-24, pp , May [6] W. Diffie and M. E. Hellman, New directions in crytography, IEEE Trans. Inform. Theory, vol. IT-22, pp , Nov [7] S. K. Leung-Yan-Cheong, Multi-user and wiretap channels including feedback, Tech. Rep. No , Stanford Univ., Information Systems Lab., July U. M. Maurer, Conditionally-uerfect secrecy and a provably-secure randomizer cipher, J. Crypk:, vol. 5, no. 1; pp , [9], Perfect cryptographic security from partially independent channels, in Proc. 23rd ACM Symp. Theory of Computing, New Orleans, LA, May 6-8, pp , [lo] -, Protocols for secret key agreement based on common information, presented at CRYPTO 92, Santa Barbara, CA, Aug , [ll] R.L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Commun. ACM, vol. 21, no. 2, pp , [12] C. E. Shannon, A mathematical theory of communication, Bell Syst. Tech. J., vol. 27, pp and , [13], Communication theory of secrecy systems, Bell Syst. Tech: J., vol. 28, pp , Oct [14] G.S. Vernam, Cipher printing telegraph systems for secret wire and radio telegraphic communications, J. Amer. Inst. Elect. Eng., vol. 55, pp , [15] M. N. Wegman and J. L. Carter, New hash functions and their use in authentication and set equality, J. Comput. Syst. Sci., vol. 22, pp , [16] A. D. Wyner, The wire-tap channel, Bell Syst. Tech. J., vol. 54, no. 8, pp , 1975.

### PRIVACY AMPLIFICATION BY PUBLIC DISCUSSION*

SIAM J. COMPUT. Vol. 17, No. 2, April 1988 (C) 1988 Society for Industrial and Applied Mathematics O03 PRIVACY AMPLIFICATION BY PUBLIC DISCUSSION* CHARLES H. BENNETT?, GILLES BRASSARD\$ AND JEAN-MARC ROBERT

### Communication Theory of Secrecy Systems

Communication Theory of Secrecy Systems By C. E. SHANNON 1 INTRODUCTION AND SUMMARY The problems of cryptography and secrecy systems furnish an interesting application of communication theory 1. In this

### New Directions in Cryptography

644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976 New Directions in Cryptography Invited Paper WHITFIELD DIFFIE AND MARTIN E. HELLMAN, MEMBER, IEEE Abstract-Two kinds of contemporary

### A Method for Obtaining Digital Signatures and Public-Key Cryptosystems

A Method for Obtaining Digital Signatures and Public-Key Cryptosystems R.L. Rivest, A. Shamir, and L. Adleman Abstract An encryption method is presented with the novel property that publicly revealing

### High-Rate Codes That Are Linear in Space and Time

1804 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 48, NO 7, JULY 2002 High-Rate Codes That Are Linear in Space and Time Babak Hassibi and Bertrand M Hochwald Abstract Multiple-antenna systems that operate

### Subspace Pursuit for Compressive Sensing: Closing the Gap Between Performance and Complexity

Subspace Pursuit for Compressive Sensing: Closing the Gap Between Performance and Complexity Wei Dai and Olgica Milenkovic Department of Electrical and Computer Engineering University of Illinois at Urbana-Champaign

### How to Use Expert Advice

NICOLÒ CESA-BIANCHI Università di Milano, Milan, Italy YOAV FREUND AT&T Labs, Florham Park, New Jersey DAVID HAUSSLER AND DAVID P. HELMBOLD University of California, Santa Cruz, Santa Cruz, California

### CLoud Computing is the long dreamed vision of

1 Enabling Secure and Efficient Ranked Keyword Search over Outsourced Cloud Data Cong Wang, Student Member, IEEE, Ning Cao, Student Member, IEEE, Kui Ren, Senior Member, IEEE, Wenjing Lou, Senior Member,

### Decoding by Linear Programming

Decoding by Linear Programming Emmanuel Candes and Terence Tao Applied and Computational Mathematics, Caltech, Pasadena, CA 91125 Department of Mathematics, University of California, Los Angeles, CA 90095

### Generalized compact knapsacks, cyclic lattices, and efficient one-way functions

Generalized compact knapsacks, cyclic lattices, and efficient one-way functions Daniele Micciancio University of California, San Diego 9500 Gilman Drive La Jolla, CA 92093-0404, USA daniele@cs.ucsd.edu

### Generalized Compact Knapsacks are Collision Resistant

Generalized Compact Knapsacks are Collision Resistant Vadim Lyubashevsky Daniele Micciancio University of California, San Diego 9500 Gilman Drive, La Jolla, CA 92093-0404, USA {vlyubash,daniele}@cs.ucsd.edu

### Proofs that Yield Nothing But Their Validity All Languages in NP Have Zero-Knowledge Proof Systems

Proofs that Yield Nothing But Their Validity All Languages in NP Have Zero-Knowledge Proof Systems or ODED GOLDREICH Technion, Haifa, Israel SILVIO MICALI Massachusetts Institute of Technology, Catnbridge,

### An Efficient and Parallel Gaussian Sampler for Lattices

An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert April 13, 2011 Abstract At the heart of many recent lattice-based cryptographic schemes is a polynomial-time algorithm that, given

### A new probabilistic public key algorithm based on elliptic logarithms

A new probabilistic public key algorithm based on elliptic logarithms Afonso Comba de Araujo Neto, Raul Fernando Weber 1 Instituto de Informática Universidade Federal do Rio Grande do Sul (UFRGS) Caixa

### The Limits of Two-Party Differential Privacy

The Limits of Two-Party Differential Privacy Andrew McGregor, Ilya Mironov, Toniann Pitassi, Omer Reingold, Kunal Talwar, Salil Vadhan Department of Computer Science University of Massachusetts, Amherst.

### Maximizing the Spread of Influence through a Social Network

Maximizing the Spread of Influence through a Social Network David Kempe Dept. of Computer Science Cornell University, Ithaca NY kempe@cs.cornell.edu Jon Kleinberg Dept. of Computer Science Cornell University,

### Information and Computation

Information and Computation 207 (2009) 849 866 Contents lists available at ScienceDirect Information and Computation journal homepage: www.elsevier.com/locate/ic The myriad virtues of Wavelet Trees Paolo

### Approximately Detecting Duplicates for Streaming Data using Stable Bloom Filters

Approximately Detecting Duplicates for Streaming Data using Stable Bloom Filters Fan Deng University of Alberta fandeng@cs.ualberta.ca Davood Rafiei University of Alberta drafiei@cs.ualberta.ca ABSTRACT

### Regular Languages are Testable with a Constant Number of Queries

Regular Languages are Testable with a Constant Number of Queries Noga Alon Michael Krivelevich Ilan Newman Mario Szegedy Abstract We continue the study of combinatorial property testing, initiated by Goldreich,

### Fairplay A Secure Two-Party Computation System

Fairplay A Secure Two-Party Computation System Dahlia Malkhi 1, Noam Nisan 1, Benny Pinkas 2, and Yaron Sella 1 1 The School of Computer Science and Engineering The Hebrew University of Jerusalem E-mail:

### On Collisions for MD5

Eindhoven University of Technology Department of Mathematics and Computing Science MASTER S THESIS On Collisions for MD5 By M.M.J. Stevens Supervisor: Prof. dr. ir. H.C.A. van Tilborg Advisors: Dr. B.M.M.

### RECENTLY, there has been a great deal of interest in

IEEE TRANSACTIONS ON SIGNAL PROCESSING, VOL. 47, NO. 1, JANUARY 1999 187 An Affine Scaling Methodology for Best Basis Selection Bhaskar D. Rao, Senior Member, IEEE, Kenneth Kreutz-Delgado, Senior Member,

### Fast Solution of l 1 -norm Minimization Problems When the Solution May be Sparse

Fast Solution of l 1 -norm Minimization Problems When the Solution May be Sparse David L. Donoho and Yaakov Tsaig October 6 Abstract The minimum l 1 -norm solution to an underdetermined system of linear

### Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP Nikita Borisov UC Berkeley nikitab@cs.berkeley.edu Ian Goldberg Zero-Knowledge Systems ian@cypherpunks.ca Eric Brewer UC Berkeley brewer@cs.berkeley.edu

### Embedding Covert Channels into TCP/IP

1 Embedding Covert Channels into TCP/IP Steven J. Murdoch and Stephen Lewis University of Cambridge, Computer Laboratory, 15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom http://www.cl.cam.ac.uk/users/{sjm217,

### An efficient reconciliation algorithm for social networks

An efficient reconciliation algorithm for social networks Nitish Korula Google Inc. 76 Ninth Ave, 4th Floor New York, NY nitish@google.com Silvio Lattanzi Google Inc. 76 Ninth Ave, 4th Floor New York,

### Monte Carlo methods in PageRank computation: When one iteration is sufficient

Monte Carlo methods in PageRank computation: When one iteration is sufficient K.Avrachenkov, N. Litvak, D. Nemirovsky, N. Osipova Abstract PageRank is one of the principle criteria according to which Google

### THE PROBLEM OF finding localized energy solutions

600 IEEE TRANSACTIONS ON SIGNAL PROCESSING, VOL. 45, NO. 3, MARCH 1997 Sparse Signal Reconstruction from Limited Data Using FOCUSS: A Re-weighted Minimum Norm Algorithm Irina F. Gorodnitsky, Member, IEEE,