A Bound For Multiparty Secret Key Agreement And Implications For A Problem Of Secure Computing. Himanshu Tyagi and Shun Watanabe
|
|
- Julian Howard
- 5 years ago
- Views:
Transcription
1 A Bound For Multiparty Secret Key Agreement And Implications For A Problem Of Secure Computing Himanshu Tyagi and Shun Watanabe
2 Multiparty Secret Key Agreement COMMUNICATION NETWORK F X 1 X 2 X m K 1 K 2 Party i computes K i (X i,f) K; K m Eavesdropper observes F,Z K 1,...,K m constitute an (ǫ,δ)-secret key of length logk if P(K 1 = K 2 =... = K m ) 1 ǫ, :Recoverability 1 2 P K 1 FZ P unif P FZ 1 δ, :Secrecy 1
3 Alternative Definition of a Secret Key K 1,...,K m constitute an ǫ-secret key of length logk if 1 2 P K 1 K 2...K mfz P unif,m P FZ 1 ǫ, where P unif,m (k 1,...,k m ) = 1 K ½(k 1 =...k m ). 2
4 Alternative Definition of a Secret Key K 1,...,K m constitute an ǫ-secret key of length logk if 1 2 P K 1 K 2...K mfz P unif,m P FZ 1 ǫ, where P unif,m (k 1,...,k m ) = 1 K ½(k 1 =...k m ). Lemma (ǫ, δ)-sk (ǫ + δ)-sk, and conversely, ǫ-sk (ǫ, ǫ)-sk. 2
5 Multiparty Secret Key Agreement COMMUNICATION NETWORK F X 1 X 2 X m K 1 K 2 K m K 1,...,K m constitute an ǫ-secret key of length logk if Definition 1 2 P K 1 K 2...K mfz P unif,m P FZ 1 ǫ. S ǫ (X 1,...,X m Z) maximum length of an ǫ-secret key 3
6 Upper bound for S ǫ (X 1,...,X m Z)
7 No Correlation No Secret Key If X 1 and X 2 are independent conditioned on Z: S ǫ (X 1,X 2 Z) 0 5
8 No Correlation No Secret Key If X 1 and X 2 are independent conditioned on Z: S ǫ (X 1,X 2 Z) 0 If for some partition π = {π 1,...,π k } of {1,...,m}, X π1,...,x πk are independent conditioned on Z: S ǫ (X 1,...,X m Z) 0 5
9 No Correlation No Secret Key If X 1 and X 2 are independent conditioned on Z: S ǫ (X 1,X 2 Z) 0 If for some partition π = {π 1,...,π k } of {1,...,m}, X π1,...,x πk are independent conditioned on Z: S ǫ (X 1,...,X m Z) 0 Bound S ǫ (X 1,...,X m Z) in terms of how far is P X1,...,X mz is from a conditionally independent distribution 5
10 Digression: Binary Hypothesis Testing Consider the following binary hypothesis testing problem: Define H0 : X P vs. H1 : X Q β ǫ (P,Q) inf Q(x)T(0 x), x X where the inf is over all random tests T : X {0, 1} s.t. P(x)T(1 x) ǫ. x X 6
11 Digression: Binary Hypothesis Testing Consider the following binary hypothesis testing problem: Define H0 : X P vs. H1 : X Q β ǫ (P,Q) inf Q(x)T(0 x), x X where the inf is over all random tests T : X {0, 1} s.t. P(x)T(1 x) ǫ. x X Data processing. For every stochastic matrix W : X Y β ǫ (P,Q) β ǫ (PW,QW) 6
12 Reduction Argument Given a partition π = {π 1,...,π k } of {1,...,m} Let Q(x 1,...,x m z) = k i=1 Q(x π i z) For the binary hypothesis testing: H0 : X 1,...,X m,z P, H1 : X 1,...,X m,z Q, consider the degraded observations K 1,...,K m,f,z. 7
13 Reduction Argument Given a partition π = {π 1,...,π k } of {1,...,m} Let Q(x 1,...,x m z) = k i=1 Q(x π i z) For the binary hypothesis testing: H0 : X 1,...,X m,z P, H1 : X 1,...,X m,z Q, consider the degraded observations K 1,...,K m,f,z. Let W K1...K mf X 1...X mz represent the protocol. 7
14 Reduction Argument Consider the degraded binary hypothesis testing: H0 : K 1,...,K m,f,z P K1...,K mfz = PW H1 : K 1,...,K m,f,z Q K1...,K mfz = QW Consider a test with the acceptance region A defined by: { } P unif,m (K 1,...,K m ) A log Q K1...K m FZ(K 1...K m F,Z) λ π where λ π = ( π 1)log K π log(1/η) 8
15 Reduction Argument Consider the degraded binary hypothesis testing: H0 : K 1,...,K m,f,z P K1...,K mfz = PW H1 : K 1,...,K m,f,z Q K1...,K mfz = QW Consider a test with the acceptance region A defined by: { } P unif,m (K 1,...,K m ) A log Q K1...K m FZ(K 1...K m F,Z) λ π where λ π = ( π 1)log K π log(1/η) Likelihood ratio test with P K1...K m FZ replaced by P unif,m - recall: 1 2 P K 1 K 2...K mfz P unif,m P FZ 1 ǫ 8
16 Reduction Argument Missed Detection: Q K1...K mfz(a) K 1 π η π False Alarm: P K1...K mfz(a c ) ǫ+η 9
17 Reduction Argument Missed Detection: Q K1...K mfz(a) K 1 π η π - easy False Alarm: P K1...K mfz(a c ) ǫ+η - requires work Lemma (Reduction) For every 0 ǫ < 1 and 0 < η < 1 ǫ, S ǫ (X 1,...,X m Z) 1 π 1 [ logβ ǫ+η(pw,qw)+ π log(1/η)]. 9
18 Reduction Argument Missed Detection: Q K1...K mfz(a) K 1 π η π - easy False Alarm: P K1...K mfz(a c ) ǫ+η - requires work Lemma (Reduction) For every 0 ǫ < 1 and 0 < η < 1 ǫ, S ǫ (X 1,...,X m Z) 1 π 1 [ logβ ǫ+η(pw,qw)+ π log(1/η)]. By data processing: β ǫ+η (PW,QW) β ǫ+η (P,Q) 9
19 Conditional Independence Testing Bound Theorem For every 0 ǫ < 1 and 0 < η < 1 ǫ, S ǫ (X 1,...,X m Z) 1 π 1 [ logβ ǫ+η(p,q)+ π log(1/η)], where k Q(x 1,...,x m z) = Q(x πi z). i=1 For two parties: S ǫ (X 1,X 2 Z) logβ ǫ+η ( PX1 X 2 Z,P X1 ZP X2 ZP Z ) +2log(1/η) 10
20 Conditional Independence Testing Bound Theorem For every 0 ǫ < 1 and 0 < η < 1 ǫ, S ǫ (X 1,...,X m Z) 1 π 1 [ logβ ǫ+η(p,q)+ π log(1/η)], where k Q(x 1,...,x m z) = Q(x πi z). i=1 For two parties: S ǫ (X 1,X 2 Z) logβ ǫ+η ( PX1 X 2 Z,P X1 ZP X2 ZP Z ) +2log(1/η) Connections to meta-converse of Polyanskiy, Poor, and Vérdu 10
21 Implications of the Upper Bound
22 1. Strong Converse for Secret Key Agreement [Maurer 93] [Ahlswede-Csiszár 93] [Csiszar-Narayan 04] Consider IID observations X 1,...,X m X n 1,...,Xn m, Z = (ǫ,δ)-secret Key Capacity: C ǫ,δ := liminf n Secret Key Capacity: C := inf ǫ,δ C ǫ,δ. 1 n S ǫ,δ(x n 1,...,X n m) 12
23 1. Strong Converse for Secret Key Agreement [Maurer 93] [Ahlswede-Csiszár 93] [Csiszar-Narayan 04] Consider IID observations X 1,...,X m X n 1,...,Xn m, Z = (ǫ,δ)-secret Key Capacity: C ǫ,δ := liminf n Secret Key Capacity: Theorem For 0 < ǫ,δ with ǫ+δ < 1, C := inf ǫ,δ C ǫ,δ. C ǫ,δ = C, 1 n S ǫ,δ(x n 1,...,X n m) and for all ǫ+δ 1, C ǫ,δ =. 12
24 2. Information Theoretically Secure OT X 1 K 0, K 1 F X 2 B ˆK K B [Even-Goldreich-Lempel 85],..., [Nascimento-Winters 06] ( ) Reliability: P ˆK KB ǫ Security 1: 1 2 P BK 0 K 1 X 1 F P B P K0 K 1 X 1 F 1 δ 1 Security 2: 1 P KB BX 2 2 F P KB P BX2 F 1 δ 2 13
25 2. Information Theoretically Secure OT X 1 K 0, K 1 F X 2 B ˆK K B [Even-Goldreich-Lempel 85],..., [Nascimento-Winters 06] ( ) Reliability: P ˆK KB ǫ Security 1: 1 2 P BK 0 K 1 X 1 F P B P K0 K 1 X 1 F 1 δ 1 Security 2: 1 P KB BX 2 2 F P KB P BX2 F 1 δ 2 How large can the length l of OT be? 13
26 Bounds on the Efficiency of OT Theorem (Reduction of SK Agreement to OT) For an (ǫ,δ 1,δ 2 )-OT of length l l< min{s ǫ+δ1 +2δ 2 (X 1,X 2 ), S ǫ+δ1 +2δ 2 (X 1,(X 1,X 2 ) X 2 )} 14
27 Bounds on the Efficiency of OT Theorem (Reduction of SK Agreement to OT) For an (ǫ,δ 1,δ 2 )-OT of length l l< min{s ǫ+δ1 +2δ 2 (X 1,X 2 ), S ǫ+δ1 +2δ 2 (X 1,(X 1,X 2 ) X 2 )} OT Capacity (for IID observations): Maximum rate (l/n) of OT length (with δ 1n,δ 2n 0) C ǫ (X 1,X 2 ) min{i(x 1 X 2 ),H(X 1 X 2 )} Strong version of the Ahlswede-Csiszár upper bound 14
28 3. Information Theoretic Bit Commitment Commit X 1 X 2 F K Reveal X 1 X 2 K F K,X 1? Party 2 constructs a test T for the hypothesis: Secret is k" Recovery: P(T(K,X 1,X 2,F) = 1) ǫ Security: 1 2 P KX 2 F P K P X2 F 1 δ 1 Binding: P(T(K,X 1,X 2,F) = 0,K K) δ 2 15
29 3. Information Theoretic Bit Commitment Commit X 1 X 2 F K Reveal X 1 X 2 K F K,X 1? Party 2 constructs a test T for the hypothesis: Secret is k" Recovery: P(T(K,X 1,X 2,F) = 1) ǫ Security: 1 2 P KX 2 F P K P X2 F 1 δ 1 Binding: P(T(K,X 1,X 2,F) = 0,K K) δ 2 How large can the length l of BC be? 15
30 Bound on the Efficiency of BC Theorem (Reduction of SK Agreement to BC) For an (ǫ,δ 1,δ 2 )-BC of length l, l< S ǫ+δ1 +δ 2 (X 1,(X 1,X 2 ) X 2 ) 16
31 Bound on the Efficiency of BC Theorem (Reduction of SK Agreement to BC) For an (ǫ,δ 1,δ 2 )-BC of length l, l< S ǫ+δ1 +δ 2 (X 1,(X 1,X 2 ) X 2 ) Efficiency of reduction of BC to OT Given n-length OT: X 1 K 0,K 1 X 2 K B,B. The possible length l of BC is bounded as: l n+o(log(1 ǫ δ 1 δ 2 )) 16
32 Bound on the Efficiency of BC Theorem (Reduction of SK Agreement to BC) For an (ǫ,δ 1,δ 2 )-BC of length l, l< S ǫ+δ1 +δ 2 (X 1,(X 1,X 2 ) X 2 ) Efficiency of reduction of BC to OT Given n-length OT: X 1 K 0,K 1 X 2 K B,B. The possible length l of BC is bounded as: l n+o(log(1 ǫ δ 1 δ 2 )) Improves a bound of [Ranellucci et. al. 11] 16
33 Bound on the Efficiency of BC Theorem (Reduction of SK Agreement to BC) For an (ǫ,δ 1,δ 2 )-BC of length l, l< S ǫ+δ1 +δ 2 (X 1,(X 1,X 2 ) X 2 ) [Nascimento-Winters-Imai 03] BC capacity C = H(X 1 X 2 ) Strong converse for BC capacity C ǫ,δ1,δ 2 (X 1,X 2 ) H(X 1 X 2 ), ǫ+δ 1 +δ 2 < 1 16
34 4. Secure Computing with Trusted Parties Parties are trusted, the communication channel is not COMMUNICATION NETWORK F X 1 X 2 X m Party i computes G i (X i,f); g g g A function g is (ǫ,δ)-secure computable if Eavesdropper observes F,Z P(G 1 = G 2 =... = G m = g(x 1,...,X m )) 1 ǫ, :Recoverability 1 2 P GFZ P G P FZ 1 δ, :Secrecy 17
35 Characterization of securely computable functions [Tyagi-Gupta-Narayan 11] IID case with Z = A function g is secure computable (asymptotically) iff H(G) C 18
36 Characterization of securely computable functions [Tyagi-Gupta-Narayan 11] IID case with Z = A function g is secure computable (asymptotically) iff H(G) C A single-shot necessary condition Theorem If a function g is (ǫ, δ)-secure computable, then H ξ min (P 1 G)< π 1 logβ ( ) ǫ+δ+2ξ PXM Z,Q XM Z, where k Q(x 1,...,x m z) = Q(x πi z). i=1 18
37 In Closing... We derived converse results for IT cryptography, which are valid for the single-shot case 19
38 In Closing... We derived converse results for IT cryptography, which are valid for the single-shot case Key idea: Reduction of hypothesis testing to crypto primitives 19
39 In Closing... We derived converse results for IT cryptography, which are valid for the single-shot case Key idea: Reduction of hypothesis testing to crypto primitives By observing the outputs of any IT secure crypto primitive we can measure the correlation in the observations 19
40 In Closing... We derived converse results for IT cryptography, which are valid for the single-shot case Key idea: Reduction of hypothesis testing to crypto primitives By observing the outputs of any IT secure crypto primitive we can measure the correlation in the observations H. Tyagi and S. Watanabe, Converses for secret key agreement and secure computing, arxiv: ,
41 In Closing... We derived converse results for IT cryptography, which are valid for the single-shot case Key idea: Reduction of hypothesis testing to crypto primitives By observing the outputs of any IT secure crypto primitive we can measure the correlation in the observations H. Tyagi and S. Watanabe, Converses for secret key agreement and secure computing, arxiv: , 2014 How close do efficient schemes come to these performance bounds?? 19
Converses For Secret Key Agreement and Secure Computing
Converses For Secret Key Agreement and Secure Computing Himanshu Tyagi and Shun Watanabe Abstract We consider information theoretic secret key agreement and secure function computation by multiple parties
More informationSecret Key Agreement: General Capacity and Second-Order Asymptotics. Masahito Hayashi Himanshu Tyagi Shun Watanabe
Secret Key Agreement: General Capacity and Second-Order Asymptotics Masahito Hayashi Himanshu Tyagi Shun Watanabe Two party secret key agreement Maurer 93, Ahlswede-Csiszár 93 X F Y K x K y ArandomvariableK
More informationCommon Randomness Principles of Secrecy
Common Randomness Principles of Secrecy Himanshu Tyagi Department of Electrical and Computer Engineering and Institute of Systems Research 1 Correlated Data, Distributed in Space and Time Sensor Networks
More informationInteractive Communication for Data Exchange
Interactive Communication for Data Exchange Himanshu Tyagi Indian Institute of Science, Bangalore Joint work with Pramod Viswanath and Shun Watanabe The Data Exchange Problem [ElGamal-Orlitsky 84], [Csiszár-Narayan
More informationSecret Key Agreement: General Capacity and Second-Order Asymptotics
Secret Key Agreement: General Capacity and Second-Order Asymptotics Masahito Hayashi Himanshu Tyagi Shun Watanabe Abstract We revisit the problem of secret key agreement using interactive public communication
More informationSecret Key Agreement: General Capacity and Second-Order Asymptotics
Secret Key Agreement: General Capacity and Second-Order Asymptotics Masahito Hayashi Himanshu Tyagi Shun Watanabe 1 Abstract We revisit the problem of secret key agreement using interactive public communication
More informationSHARED INFORMATION. Prakash Narayan with. Imre Csiszár, Sirin Nitinawarat, Himanshu Tyagi, Shun Watanabe
SHARED INFORMATION Prakash Narayan with Imre Csiszár, Sirin Nitinawarat, Himanshu Tyagi, Shun Watanabe 2/40 Acknowledgement Praneeth Boda Himanshu Tyagi Shun Watanabe 3/40 Outline Two-terminal model: Mutual
More informationSecret Key Generation and Secure Computing
Secret Key Generation and Secure Computing Himanshu Tyagi Department of Electrical and Computer Engineering and Institute of System Research University of Maryland, College Park, USA. Joint work with Prakash
More informationSHARED INFORMATION. Prakash Narayan with. Imre Csiszár, Sirin Nitinawarat, Himanshu Tyagi, Shun Watanabe
SHARED INFORMATION Prakash Narayan with Imre Csiszár, Sirin Nitinawarat, Himanshu Tyagi, Shun Watanabe 2/41 Outline Two-terminal model: Mutual information Operational meaning in: Channel coding: channel
More informationInteractive Communication for Data Exchange
Interactive Communication for Data Exchange Himanshu Tyagi, Member, IEEE, Pramod Viswanath, Fellow, IEEE, and Shun Watanabe, Member, IEEE Abstract Two parties observing correlated data seek to exchange
More informationSecret Key and Private Key Constructions for Simple Multiterminal Source Models
Secret Key and Private Key Constructions for Simple Multiterminal Source Models arxiv:cs/05050v [csit] 3 Nov 005 Chunxuan Ye Department of Electrical and Computer Engineering and Institute for Systems
More informationMULTITERMINAL SECRECY AND TREE PACKING. With Imre Csiszár, Sirin Nitinawarat, Chunxuan Ye, Alexander Barg and Alex Reznik
MULTITERMINAL SECRECY AND TREE PACKING With Imre Csiszár, Sirin Nitinawarat, Chunxuan Ye, Alexander Barg and Alex Reznik Information Theoretic Security A complementary approach to computational security
More informationOn Oblivious Transfer Capacity
On Oblivious Transfer Capacity Rudolph Ahlswede 1 and Imre Csiszár 2, 1 University of Bielefeld, Germany 2 Rényi Institute of Mathematics, Budapest, Hungary Abstract. Upper and lower bounds to the oblivious
More informationPerfect Omniscience, Perfect Secrecy and Steiner Tree Packing
Perfect Omniscience, Perfect Secrecy and Steiner Tree Packing S. Nitinawarat and P. Narayan Department of Electrical and Computer Engineering and Institute for Systems Research University of Maryland College
More informationAN INTRODUCTION TO SECRECY CAPACITY. 1. Overview
AN INTRODUCTION TO SECRECY CAPACITY BRIAN DUNN. Overview This paper introduces the reader to several information theoretic aspects of covert communications. In particular, it discusses fundamental limits
More informationHypothesis Testing with Communication Constraints
Hypothesis Testing with Communication Constraints Dinesh Krithivasan EECS 750 April 17, 2006 Dinesh Krithivasan (EECS 750) Hyp. testing with comm. constraints April 17, 2006 1 / 21 Presentation Outline
More informationExplicit Capacity-Achieving Coding Scheme for the Gaussian Wiretap Channel. Himanshu Tyagi and Alexander Vardy
Explicit Capacity-Achieving Coding Scheme for the Gaussian Wiretap Channel Himanshu Tyagi and Alexander Vardy The Gaussian wiretap channel M Encoder X n N(0,σ 2 TI) Y n Decoder ˆM N(0,σ 2 WI) Z n Eavesdropper
More informationMinimum Energy Per Bit for Secret Key Acquisition Over Multipath Wireless Channels
Minimum Energy Per Bit for Secret Key Acquisition Over Multipath Wireless Channels Tzu-Han Chou Email: tchou@wisc.edu Akbar M. Sayeed Email: akbar@engr.wisc.edu Stark C. Draper Email: sdraper@ece.wisc.edu
More informationGroup Secret Key Agreement over State-Dependent Wireless Broadcast Channels
Group Secret Key Agreement over State-Dependent Wireless Broadcast Channels Mahdi Jafari Siavoshani Sharif University of Technology, Iran Shaunak Mishra, Suhas Diggavi, Christina Fragouli Institute of
More informationSecond-Order Asymptotics in Information Theory
Second-Order Asymptotics in Information Theory Vincent Y. F. Tan (vtan@nus.edu.sg) Dept. of ECE and Dept. of Mathematics National University of Singapore (NUS) National Taiwan University November 2015
More informationSecret Key Agreement Using Conferencing in State- Dependent Multiple Access Channels with An Eavesdropper
Secret Key Agreement Using Conferencing in State- Dependent Multiple Access Channels with An Eavesdropper Mohsen Bahrami, Ali Bereyhi, Mahtab Mirmohseni and Mohammad Reza Aref Information Systems and Security
More informationPerformance-based Security for Encoding of Information Signals. FA ( ) Paul Cuff (Princeton University)
Performance-based Security for Encoding of Information Signals FA9550-15-1-0180 (2015-2018) Paul Cuff (Princeton University) Contributors Two students finished PhD Tiance Wang (Goldman Sachs) Eva Song
More informationIN SECURE multiparty computation (MPC), mutually distrusting
2560 IEEE TRANSACTIONS ON INFORMATION THEORY VOL 63 NO 4 APRIL 2017 Wiretapped Oblivious Transfer Manoj Mishra Student Member IEEE Bikash Kumar Dey Member IEEE Vinod M Prabhakaran Member IEEE Suhas N Diggavi
More informationInformation Theoretic Limits of Randomness Generation
Information Theoretic Limits of Randomness Generation Abbas El Gamal Stanford University Shannon Centennial, University of Michigan, September 2016 Information theory The fundamental problem of communication
More informationExtracting a Secret Key from a Wireless Channel
Extracting a Secret Key from a Wireless Channel Suhas Mathur suhas@winlab.rutgers.edu W. Trappe, N. Mandayam (WINLAB) Chunxuan Ye, Alex Reznik (InterDigital) Suhas Mathur (WINLAB) Secret bits from the
More information1 Introduction to Predicate Resolution
1 Introduction to Predicate Resolution The resolution proof system for Predicate Logic operates, as in propositional case on sets of clauses and uses a resolution rule as the only rule of inference. The
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationPrivate Data Transfer over a Broadcast Channel
Private Data Transfer over a Broadcast Channel Manoj Mishra, Tanmay Sharma, Bikash K Dey Indian Institute of Technology Bombay, Mumbai {mmishra, tanmaysharma53, bikash}@eeiitbacin Vinod M Prabhakaran Tata
More informationTwo Applications of the Gaussian Poincaré Inequality in the Shannon Theory
Two Applications of the Gaussian Poincaré Inequality in the Shannon Theory Vincent Y. F. Tan (Joint work with Silas L. Fong) National University of Singapore (NUS) 2016 International Zurich Seminar on
More informationRefined Bounds on the Empirical Distribution of Good Channel Codes via Concentration Inequalities
Refined Bounds on the Empirical Distribution of Good Channel Codes via Concentration Inequalities Maxim Raginsky and Igal Sason ISIT 2013, Istanbul, Turkey Capacity-Achieving Channel Codes The set-up DMC
More informationLecture 22: Error exponents in hypothesis testing, GLRT
10-704: Information Processing and Learning Spring 2012 Lecture 22: Error exponents in hypothesis testing, GLRT Lecturer: Aarti Singh Scribe: Aarti Singh Disclaimer: These notes have not been subjected
More informationFinding the best mismatched detector for channel coding and hypothesis testing
Finding the best mismatched detector for channel coding and hypothesis testing Sean Meyn Department of Electrical and Computer Engineering University of Illinois and the Coordinated Science Laboratory
More informationA Tight Upper Bound on the Second-Order Coding Rate of Parallel Gaussian Channels with Feedback
A Tight Upper Bound on the Second-Order Coding Rate of Parallel Gaussian Channels with Feedback Vincent Y. F. Tan (NUS) Joint work with Silas L. Fong (Toronto) 2017 Information Theory Workshop, Kaohsiung,
More informationEfficient Protocols Achieving the Commitment Capacity of Noisy Correlations
Efficient Protocols Achieving the Commitment Capacity of Noisy Correlations Hideki Imai, Kirill Morozov, Anderson C. A. Nascimento, Andreas Winter Department of Electrical, Electronic and Communication
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationRoots and Coefficients Polynomials Preliminary Maths Extension 1
Preliminary Maths Extension Question If, and are the roots of x 5x x 0, find the following. (d) (e) Question If p, q and r are the roots of x x x 4 0, evaluate the following. pq r pq qr rp p q q r r p
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationAhmed S. Mansour, Rafael F. Schaefer and Holger Boche. June 9, 2015
The Individual Secrecy Capacity of Degraded Multi-Receiver Wiretap Broadcast Channels Ahmed S. Mansour, Rafael F. Schaefer and Holger Boche Lehrstuhl für Technische Universität München, Germany Department
More informationA Formula for the Capacity of the General Gel fand-pinsker Channel
A Formula for the Capacity of the General Gel fand-pinsker Channel Vincent Y. F. Tan Institute for Infocomm Research (I 2 R, A*STAR, Email: tanyfv@i2r.a-star.edu.sg ECE Dept., National University of Singapore
More informationOn Third-Order Asymptotics for DMCs
On Third-Order Asymptotics for DMCs Vincent Y. F. Tan Institute for Infocomm Research (I R) National University of Singapore (NUS) January 0, 013 Vincent Tan (I R and NUS) Third-Order Asymptotics for DMCs
More informationInformation-Theoretic Security: an overview
Information-Theoretic Security: an overview Rui A Costa 1 Relatório para a disciplina de Seminário, do Mestrado em Informática da Faculdade de Ciências da Universidade do Porto, sob a orientação do Prof
More informationarxiv: v1 [math.ap] 17 May 2017
ON A HOMOGENIZATION PROBLEM arxiv:1705.06174v1 [math.ap] 17 May 2017 J. BOURGAIN Abstract. We study a homogenization question for a stochastic divergence type operator. 1. Introduction and Statement Let
More informationCovert Communication with Channel-State Information at the Transmitter
Covert Communication with Channel-State Information at the Transmitter Si-Hyeon Lee Joint Work with Ligong Wang, Ashish Khisti, and Gregory W. Wornell July 27, 2017 1 / 21 Covert Communication Transmitter
More informationSoft Covering with High Probability
Soft Covering with High Probability Paul Cuff Princeton University arxiv:605.06396v [cs.it] 20 May 206 Abstract Wyner s soft-covering lemma is the central analysis step for achievability proofs of information
More informationEECS 750. Hypothesis Testing with Communication Constraints
EECS 750 Hypothesis Testing with Communication Constraints Name: Dinesh Krithivasan Abstract In this report, we study a modification of the classical statistical problem of bivariate hypothesis testing.
More informationAdditive Conditional Disclosure of Secrets
Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,
More informationECE Information theory Final (Fall 2008)
ECE 776 - Information theory Final (Fall 2008) Q.1. (1 point) Consider the following bursty transmission scheme for a Gaussian channel with noise power N and average power constraint P (i.e., 1/n X n i=1
More informationThe Communication Complexity of Correlation. Prahladh Harsha Rahul Jain David McAllester Jaikumar Radhakrishnan
The Communication Complexity of Correlation Prahladh Harsha Rahul Jain David McAllester Jaikumar Radhakrishnan Transmitting Correlated Variables (X, Y) pair of correlated random variables Transmitting
More informationINFORMATION THEORY AND STATISTICS
CHAPTER INFORMATION THEORY AND STATISTICS We now explore the relationship between information theory and statistics. We begin by describing the method of types, which is a powerful technique in large deviation
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationG r a y T a k e s P o s t. A s N e w Y S e c ' y
Z- V XX,, P 10, 1942 26 k P x z V - P g U z - g P U B g,, k - g, x g P g,, B P,,, QU g P g P gz g g g g g, xg gz : J - U, ; z g, -; B x g W, ; U, g g B g k:, J z, g, zg, J, J, Jk,,, "" Pk, K, B K W P 2
More informationConverse bounds for private communication over quantum channels
Converse bounds for private communication over quantum channels Mark M. Wilde (LSU) joint work with Mario Berta (Caltech) and Marco Tomamichel ( Univ. Sydney + Univ. of Technology, Sydney ) arxiv:1602.08898
More informationLecture 7. Union bound for reducing M-ary to binary hypothesis testing
Lecture 7 Agenda for the lecture M-ary hypothesis testing and the MAP rule Union bound for reducing M-ary to binary hypothesis testing Introduction of the channel coding problem 7.1 M-ary hypothesis testing
More informationMGMT 69000: Topics in High-dimensional Data Analysis Falll 2016
MGMT 69000: Topics in High-dimensional Data Analysis Falll 2016 Lecture 14: Information Theoretic Methods Lecturer: Jiaming Xu Scribe: Hilda Ibriga, Adarsh Barik, December 02, 2016 Outline f-divergence
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More informationAchieving Shannon Capacity Region as Secrecy Rate Region in a Multiple Access Wiretap Channel
Achieving Shannon Capacity Region as Secrecy Rate Region in a Multiple Access Wiretap Channel Shahid Mehraj Shah and Vinod Sharma Department of Electrical Communication Engineering, Indian Institute of
More informationInformation-theoretic Secrecy A Cryptographic Perspective
Information-theoretic Secrecy A Cryptographic Perspective Stefano Tessaro UC Santa Barbara WCS 2017 April 30, 2017 based on joint works with M. Bellare and A. Vardy Cryptography Computational assumptions
More information(each row defines a probability distribution). Given n-strings x X n, y Y n we can use the absence of memory in the channel to compute
ENEE 739C: Advanced Topics in Signal Processing: Coding Theory Instructor: Alexander Barg Lecture 6 (draft; 9/6/03. Error exponents for Discrete Memoryless Channels http://www.enee.umd.edu/ abarg/enee739c/course.html
More informationDifferentially Private Multi-party Computation
ifferentially Private Multi-party Computation Peter Kairouz, Sewoong Oh, Pramod Viswanath epartment of Electrical and Computer Engineering University of Illinois at Urbana-Champaign {kairouz2, pramodv}@illinois.edu
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationFrans M.J. Willems. Authentication Based on Secret-Key Generation. Frans M.J. Willems. (joint work w. Tanya Ignatenko)
Eindhoven University of Technology IEEE EURASIP Spain Seminar on Signal Processing, Communication and Information Theory, Universidad Carlos III de Madrid, December 11, 2014 : Secret-Based Authentication
More informationCorrelation Detection and an Operational Interpretation of the Rényi Mutual Information
Correlation Detection and an Operational Interpretation of the Rényi Mutual Information Masahito Hayashi 1, Marco Tomamichel 2 1 Graduate School of Mathematics, Nagoya University, and Centre for Quantum
More informationLecture 6: Gaussian Channels. Copyright G. Caire (Sample Lectures) 157
Lecture 6: Gaussian Channels Copyright G. Caire (Sample Lectures) 157 Differential entropy (1) Definition 18. The (joint) differential entropy of a continuous random vector X n p X n(x) over R is: Z h(x
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More informationPrivacy-Preserving Outsourcing by Distributed Verifiable Computation. Meilof Veeningen Philips Research MPC 2016, Aarhus, May
Privacy-Preserving Outsourcing by Distributed Verifiable Computation Meilof Veeningen MPC 2016, Aarhus, May 30 2016 2 3 4 5 6 Outsourcing Computations on Sensitive Data (I) privacy? x f(x) correctness?
More informationA Zero-One Law for Secure Multi-Party Computation with Ternary Outputs
A Zero-One Law for Secure Multi-Party Computation with Ternary Outputs KTH Royal Institute of Technology gkreitz@kth.se TCC, Mar 29 2011 Model Limits of secure computation Our main result Theorem (This
More informationSecret Sharing. Qi Chen. December 14, 2015
Secret Sharing Qi Chen December 14, 2015 What is secret sharing? A dealer: know the secret S and distribute the shares of S to each party A set of n parties P n {p 1,, p n }: each party owns a share Authorized
More informationEE5139R: Problem Set 7 Assigned: 30/09/15, Due: 07/10/15
EE5139R: Problem Set 7 Assigned: 30/09/15, Due: 07/10/15 1. Cascade of Binary Symmetric Channels The conditional probability distribution py x for each of the BSCs may be expressed by the transition probability
More informationSolving LPN Using Covering Codes
Solving LPN Using Covering Codes Qian Guo 1,2 Thomas Johansson 1 Carl Löndahl 1 1 Dept of Electrical and Information Technology, Lund University 2 School of Computer Science, Fudan University ASIACRYPT
More information4F5: Advanced Communications and Coding Handout 2: The Typical Set, Compression, Mutual Information
4F5: Advanced Communications and Coding Handout 2: The Typical Set, Compression, Mutual Information Ramji Venkataramanan Signal Processing and Communications Lab Department of Engineering ramji.v@eng.cam.ac.uk
More informationPERFECTLY secure key agreement has been studied recently
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 2, MARCH 1999 499 Unconditionally Secure Key Agreement the Intrinsic Conditional Information Ueli M. Maurer, Senior Member, IEEE, Stefan Wolf Abstract
More informationStatistical Security Conditions for Two-Party Secure Function Evaluation
Statistical Security Conditions for Two-Party Secure Function Evaluation Claude Crépeau 1 and Jürg Wullschleger 2 1 McGill University, Montréal, QC, Canada crepeau@cs.mcgill.ca 2 University of Bristol,
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationhttps://hal.inria.fr/hal /
https://hal.inria.fr/hal-00767404/ sk sk Encrypt sk (m ) = c Decrypt sk (c ) = m Encrypt sk (m ) = c Decrypt sk (c ) = m m, m c, c Encrypt Decrypt sk pk, sk Encrypt pk (m) = c Decrypt sk (c) = m pk sk
More informationFoundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge
Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography
More informationArimoto Channel Coding Converse and Rényi Divergence
Arimoto Channel Coding Converse and Rényi Divergence Yury Polyanskiy and Sergio Verdú Abstract Arimoto proved a non-asymptotic upper bound on the probability of successful decoding achievable by any code
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More informationDispersion of the Gilbert-Elliott Channel
Dispersion of the Gilbert-Elliott Channel Yury Polyanskiy Email: ypolyans@princeton.edu H. Vincent Poor Email: poor@princeton.edu Sergio Verdú Email: verdu@princeton.edu Abstract Channel dispersion plays
More informationImproved Boltzmann sampling for the Hadamard product of distributions
Improved Boltzmann sampling for the Hadamard product of distributions CNRS and LIPN, Université Paris Nord, Villetaneuse GASCom 06, La Marana, Corsica June 4th 06 The problem We have two probability distributions,
More informationThe peculiarities of the model: - it is allowed to use by attacker only noisy version of SG C w (n), - CO can be known exactly for attacker.
Lecture 6. SG based on noisy channels [4]. CO Detection of SG The peculiarities of the model: - it is alloed to use by attacker only noisy version of SG C (n), - CO can be knon exactly for attacker. Practical
More informationLecture 8: Channel Capacity, Continuous Random Variables
EE376A/STATS376A Information Theory Lecture 8-02/0/208 Lecture 8: Channel Capacity, Continuous Random Variables Lecturer: Tsachy Weissman Scribe: Augustine Chemparathy, Adithya Ganesh, Philip Hwang Channel
More informationKeyless authentication in the presence of a simultaneously transmitting adversary
Keyless authentication in the presence of a simultaneously transmitting adversary Eric Graves Army Research Lab Adelphi MD 20783 U.S.A. ericsgra@ufl.edu Paul Yu Army Research Lab Adelphi MD 20783 U.S.A.
More informationLecture 2: August 31
0-704: Information Processing and Learning Fall 206 Lecturer: Aarti Singh Lecture 2: August 3 Note: These notes are based on scribed notes from Spring5 offering of this course. LaTeX template courtesy
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationAchieving Oblivious Transfer Capacity of Generalized Erasure Channels in the Malicious Model
Achieving Oblivious Transfer Capacity of Generalized Erasure Channels in the Malicious Model AdrianaC.B.Pinto Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento November 23, 2009 Abstract Information-theoretically
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor Hard Core Bits Coin Flipping Over the Phone Zero Knowledge Lecture 10 (version 1.1) Tel-Aviv University 18 March 2008. Slightly revised March 19. Hard Core
More informationREALIZING secret key generation in a variety of
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL., NO. 6, JUNE 206 39 Simultaneously Generating Secret and Private Keys in a Cooperative Pairwise-Independent Network Peng Xu, Zhiguo Ding, Senior
More informationMarch Algebra 2 Question 1. March Algebra 2 Question 1
March Algebra 2 Question 1 If the statement is always true for the domain, assign that part a 3. If it is sometimes true, assign it a 2. If it is never true, assign it a 1. Your answer for this question
More informationUniv.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.
Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to
More informationDistributed Hypothesis Testing Over Discrete Memoryless Channels
1 Distributed Hypothesis Testing Over Discrete Memoryless Channels Sreejith Sreekumar and Deniz Gündüz Imperial College London, UK Email: {s.sreekumar15, d.gunduz}@imperial.ac.uk arxiv:1802.07665v6 [cs.it]
More informationLinear Secret-Sharing Schemes for Forbidden Graph Access Structures
Linear Secret-Sharing Schemes for Forbidden Graph Access Structures Amos Beimel 1, Oriol Farràs 2, Yuval Mintz 1, and Naty Peter 1 1 Ben Gurion University of the Negev, Be er Sheva, Israel 2 Universitat
More informationLECTURE 3. Last time:
LECTURE 3 Last time: Mutual Information. Convexity and concavity Jensen s inequality Information Inequality Data processing theorem Fano s Inequality Lecture outline Stochastic processes, Entropy rate
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationx = π m (a 0 + a 1 π + a 2 π ) where a i R, a 0 = 0, m Z.
ALGEBRAIC NUMBER THEORY LECTURE 7 NOTES Material covered: Local fields, Hensel s lemma. Remark. The non-archimedean topology: Recall that if K is a field with a valuation, then it also is a metric space
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationPrivacy Amplification Theorem for Noisy Main Channel
Privacy Amplification Theorem for Noisy Main Channel Valeri Korjik, Guillermo Morales-Luna, and Vladimir B. Balakirsky Telecommunications, CINVESTAV-IPN, Guadalajara Campus Prol. López Mateos Sur No. 590,
More informationThe Method of Types and Its Application to Information Hiding
The Method of Types and Its Application to Information Hiding Pierre Moulin University of Illinois at Urbana-Champaign www.ifp.uiuc.edu/ moulin/talks/eusipco05-slides.pdf EUSIPCO Antalya, September 7,
More informationA General Formula for Compound Channel Capacity
A General Formula for Compound Channel Capacity Sergey Loyka, Charalambos D. Charalambous University of Ottawa, University of Cyprus ETH Zurich (May 2015), ISIT-15 1/32 Outline 1 Introduction 2 Channel
More information7 Convergence in R d and in Metric Spaces
STA 711: Probability & Measure Theory Robert L. Wolpert 7 Convergence in R d and in Metric Spaces A sequence of elements a n of R d converges to a limit a if and only if, for each ǫ > 0, the sequence a
More information