Privacy amplification secure against active adversaries

  • Ueli Maurer
  • Stefan Wolf
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1294)


Privacy amplification allows two parties Alice and Bob knowing a partially secret string S to extract, by communication over a public channel, a shorter, highly secret string S'. Bennett, Brassard, Crépeau, and Maurer showed that the length of S' can be almost equal to the conditional Rényi entropy of S given an opponent Eve's knowledge. All previous results on privacy amplification assumed that Eve has access to the public channel but is passive or, equivalently, that messages inserted by Eve can be detected by Alice and Bob. In this paper we consider privacy amplification secure even against active opponents. First it is analyzed under what conditions information-theoretically secure authentication is possible even though the common key is only partially secret. This result is used to prove that privacy amplification can be secure against an active opponent and that the size of S' can be almost equal to Eve's min-entropy about S minus 2n/3 if S is an n-bit string. Moreover, it is shown that for sufficiently large n privacy amplification is possible when Eve's min-entropy about S exceeds only n/2 rather than 2n/3.
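The following is an added illustration, not code from the paper: it runs one round of privacy amplification by universal hashing (a random binary Toeplitz matrix, the kind of universal_2 family used by Bennett et al.), with the hash description sent over the public channel, and derives the length of S' from the abstract's bounds. The fixed `slack` margin and the `tamper` hook that models an active Eve replacing the public message are assumptions of this example.

```python
import secrets

def random_bits(k):
    """k uniformly random bits (used both for constructed sample strings and fresh seeds)."""
    return [secrets.randbits(1) for _ in range(k)]

def toeplitz_hash(s, seed, out_len):
    """Multiply the n-bit string s by an out_len x n binary Toeplitz matrix over GF(2).
    seed holds the out_len + n - 1 diagonal entries; matrix entry (i, j) = seed[i - j + n - 1].
    Toeplitz matrices with uniformly random diagonals form a universal_2 hash class."""
    n = len(s)
    assert len(seed) == out_len + n - 1, "seed must describe every diagonal"
    return [sum(s[j] & seed[i - j + n - 1] for j in range(n)) & 1 for i in range(out_len)]

def output_length(n, eve_entropy, active, slack=2):
    """Length of S' as stated in the abstract: almost Eve's entropy t about S for a passive
    Eve, and almost t - 2n/3 for an active Eve.  `slack` (an assumption of this example, the
    abstract only says 'almost') is the margin traded for closeness to uniform."""
    bound = eve_entropy - (2 * n / 3 if active else 0)
    return max(0, int(bound) - slack)

def privacy_amplify(s_alice, s_bob, eve_entropy, active=True, tamper=None):
    """One round over the public channel: Alice draws the hash description (seed), sends it,
    and both sides hash their own copy of S.  `tamper` models an active Eve substituting the
    seed in transit; without authentication of the public channel Bob then derives a
    different S', which is why the paper first studies authentication with a partially
    secret key.  Returns (Alice's S', Bob's S')."""
    n = len(s_alice)
    ell = output_length(n, eve_entropy, active)
    seed = random_bits(ell + n - 1)
    received = tamper(seed) if tamper else seed
    return toeplitz_hash(s_alice, seed, ell), toeplitz_hash(s_bob, received, ell)

if __name__ == "__main__":
    # Constructed scenario: a 60-bit partially secret S of which Eve has 50 bits of entropy.
    s = random_bits(60)
    a, b = privacy_amplify(s, s, eve_entropy=50, active=True)
    print(len(a), "bits of S', parties agree:", a == b)
```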


Keywords: Privacy amplification, Secret-key agreement, Unconditional secrecy, Authentication codes, Information theory, Extractors


  1. C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, Generalized privacy amplification, IEEE Transactions on Information Theory, Vol. 41, No. 6, 1995.
  2. C. H. Bennett, G. Brassard, and J.-M. Robert, Privacy amplification by public discussion, SIAM Journal on Computing, Vol. 17, pp. 210–229, 1988.
  3. C. Cachin, Smooth entropy and Rényi entropy, Advances in Cryptology — EUROCRYPT '97, Lecture Notes in Computer Science, Vol. 1233, pp. 193–208, Springer-Verlag, 1997.
  4. T. M. Cover and J. A. Thomas, Elements of information theory, Wiley Series in Telecommunications, 1992.
  5. P. Gemmell and M. Naor, Codes for interactive authentication, Advances in Cryptology — CRYPTO '93, Lecture Notes in Computer Science, Vol. 773, pp. 355–367, Springer-Verlag, 1993.
  6. U. Maurer, Information-theoretically secure secret-key agreement by NOT authenticated public discussion, Advances in Cryptology — EUROCRYPT '97, Lecture Notes in Computer Science, Vol. 1233, pp. 209–225, Springer-Verlag, 1997.
  7. U. M. Maurer, A unified and generalized treatment of authentication theory, Proceedings 13th Symp. on Theoretical Aspects of Computer Science — STACS '96, Lecture Notes in Computer Science, Vol. 1046, pp. 387–398, Springer-Verlag, 1996.
  8. U. M. Maurer, Secret key agreement by public discussion from common information, IEEE Transactions on Information Theory, Vol. 39, No. 3, pp. 733–742, 1993.
  9. N. Nisan, Extracting randomness: how and why — a survey, preprint, 1996.
  10. N. Nisan and D. Zuckerman, Randomness is linear in space, Journal of Computer and System Sciences, Vol. 52, No. 1, pp. 43–52, 1996.
  11. G. J. Simmons, A survey of information authentication, Proc. of the IEEE, Vol. 76, pp. 603–620, 1988.
  12. D. R. Stinson, Universal hashing and authentication codes, Advances in Cryptology — CRYPTO '91, Lecture Notes in Computer Science, Vol. 576, pp. 74–85, Springer-Verlag, 1992.

Copyright information

© Springer-Verlag 1997

Authors and Affiliations

  • Ueli Maurer (1)
  • Stefan Wolf (1)
  1. Department of Computer Science, Swiss Federal Institute of Technology (ETH Zürich), Zürich, Switzerland
