# Information-Theoretically Secure Secret-Key Agreement by NOT Authenticated Public Discussion

## Abstract

All information-theoretically secure key agreement protocols (e.g. based on quantum cryptography or on noisy channels) described in the literature are secure only against passive adversaries in the sense that they assume the existence of an authenticated public channel. The goal of this paper is to investigate information-theoretic security even against active adversaries with complete control over the communication channel connecting the two parties who want to agree on a secret key. Several impossibility results are proved and some scenarios are characterized in which secret-key agreement secure against active adversaries is possible. In particular, when each of the parties, including the adversary, can observe a sequence of random variables that are correlated between the parties, the rate at which key agreement against active adversaries is possible is characterized completely: it is either 0 or equal to the rate achievable against passive adversaries, and the condition for distinguishing between the two cases is given.

## Keywords

Active Adversary, Quantum Cryptography, Random String, Binary Symmetric Channel, Privacy Amplification