Strong Security Against Active Attacks in Information-Theoretic Secret-Key Agreement
The problem of unconditionally secure key agreement, in particular privacy amplification, by communication over an insecure and not even authentic channel, is investigated. The previous definitions of such protocols were weak in the sense that it was only required that after the communication not both parties falsely believe that the key agreement was successful. In such a protocol, however, it is possible that Eve deceives one of the legitimate partners, i.e., makes him accept the outcome of the protocol although no secret key has been generated. In this paper we introduce the notion of strong protocols, which protect each of the parties simultaneously, and, in contrast to previous pessimism, it is shown that such protocols exist. For the important special case of privacy amplification, a strong protocol is presented that is based on a new, interactive way of message authentication with an only partially secret key. The use of feedback in such authentication makes it possible to reduce the size of the authenticator, and hence of the additional information about the key leaked to the adversary, without increasing the success probability of an active attack. Finally, it is shown that in the scenario where the parties and the adversary have access to repeated realizations of a random experiment, previously derived criteria for the possibility of secret-key agreement against active opponents hold for the new, strong definition of robustness against active attacks rather than for the earlier definition.
Keywords: Secret-key agreement, privacy amplification, authentication, unconditional secrecy, information theory