可证安全消息传输协议中的若干问题研究
|
摘要
作为社会交流平台的一个重要组成部分,计算机网络通常承载着大量的敏感信息,而由于网络的开放性,如何保证这些敏感信息的安全性,如私密性和可靠性,也就自然成为了社会关注的焦点话题。当通信双方之间只有一条公开信道且攻击者计算能力无限时,Shannon的研究表明,为了实现完善保密性,通信双方必须预先共享一个不短于明文消息长度的密钥。而在实际应用中,这种需求未免有些过于苛刻了。
为此,安全消息传输(SMT)协议从两个方面对Shannon模型进行了弱化:一方面,若通信双方存在多条( )信道,且攻击者只能虏获其中的一部分( )时,即使(通信双方)预先未共享任何密钥也能实现完善保密的目标;另一方面,若通信双方只有一条公开认证信道,但攻击者计算能力有限(如概率多项式时间算法)且某些困难性猜想成立时,通信双方也可能在未共享任何密钥的前提下实现足够安全的保密目标。这两种情况分别对应了信息论安全和计算上安全的消息传输协议问题。自提出以来,这两个问题均得到了密码学界的广泛研究。不过细心分析可以发现,对这两个问题的研究还远未达到完美的状态,特别是在高效协议设计以及复杂度下界证明方面仍留有很大的想象空间。
为此,本文同时从计算上安全和信息论安全这两个角度研究了高效SMT协议的构造和通信复杂度下界证明问题,并取得了以下原创性成果:
(1)在计算上安全的消息传输协议方面,本文主要考虑如何提高可证安全伪随机生成器算法的效率。为此,本文研究了如何将标准的DDH(Diffie-Hellman判定困难性)假定由二变量推广至多变量的情形;并以此为基础,在模为素数的素阶子群及RSA合数的二次剩余类子群上分别构造了一个伪随机生成器算法。这两个算法在每个指数长度为比特的模幂运算下分别能输出比特和比特。通过与目前已知最好的算法在同一具体安全级别上的比较发现,我们的第一个算法是目前基于标准假定下最快的;而第二个算法也是改进前的(Goldreich-Rosen)算法的两倍快。
本文后续研究都是针对信息论安全的消息传输协议展开的。
(2)为了回答Garay和Ostrovsky提出的一个开放问题,本文证明了任何公开讨论信道模型下的SMT协议(即SMT-PD)都需要进行三轮通信,且其中两轮需要使用公开讨论信道;并给出了一个通信轮数最优的SMT-PD协议。该协议是计算上有效的,且当消息长度满足一定条件时,通信复杂度接近最优。
(3)通过降低安全性要求,分析了如何设计具有最优通信复杂度的1-轮概率SMT协议的问题。首先,针对条件(其中)和分别
设计了一个概率SMT协议以分别实现最优的传输率和。这些协议都能实现完善的保密性,但有很小的失败概率。其次,通过采用一个类似于加密方案语义安全性的私密性定义,还在条件下设计了一个具有最优传输率的1-轮概率SMT协议。该协议完全可靠,但攻击者有可能获得一些秘密信息。
(4)由于SMT标准模型假定可用信道中有些是完全保密且没有任何噪音的,因此在一个攻击气氛弥漫的网络中可能不太合理。为此提出了敌手信道模型,不仅允许攻击者能完全控制一些信道,还允许她通过引入噪音来篡改其它信道中的部分消息。在新模型中设计了一个轮复杂性最优的SMT协议。相比于标准模型下的协议,该协议只增加了一些很小的计算和通信开销。
(5)提出了一个被称为“多信道密钥扩展”的新问题(KEoW)以研究如何在多条信道上将一个共享的弱密钥扩展为一个任意长的强密钥。证明了KEoW问题在即使只存在一条未虏获信道的情况下都是可以解决的,不过当被虏获的信道数多于一半时,KEoW协议无法实现完善可靠性。利用该问题与SMT问题的关系还分析了KEoW协议的通信复杂性,同时还证明了带初始弱密钥的SMT协议的通信复杂性实际上得不到显著的改善。最后证明了当存在初始弱密钥时无需公开讨论信道就可实现条件下的SMT协议。
As an important part of the infrastructure of social communication, computer networks usually carry a large amount of sensitive information. For the public accessibility of the transmission system, the problem of guaranteeing the security, e.g., privacy and reliability, has been becoming a hot topic of social life. When the adversary is computationally unbounded and only one public channel is available to the communicants, Shannon’s result on achieving perfect security shows that a uniformly random key, not shorter than the corresponding plaintext, has to be shared initially. Obviously, this inconvenient requirement sets up a barrier to the extensive application of cryptography.
To break the deadlock, the study on secure message transmission protocols selects to weaken Shannon’s model in two ways: On the one hand, provided that there are multiple (say ) channels available and only part of them (say ) could be corrupted by a (computationally unbounded) adversary, reasonable (or even perfect) privacy and reliability might be realized even no random key is shared initially. On the other hand, in the scenario that only one authenticated channel is available, reasonable security is also achievable as long as the potential adversary is of limited computability (e.g., probabilistic-polynomial-time computability) and some hardness assumptions holds. The two considerations correspond respectively to the two problems of secure message transmission (SMT) with information-theoretical and computational security. Though both of the two problems have been extensively studied in the last decades, a careful analysis will find out that the research on SMT is still far from complete, especially the problems of constructing practically efficient SMT protocols and proving complexity bounds of them.
For this reason, we consider how to improve the efficiency, and prove the lower bounds of communication complexity of SMT protocols in this thesis. The main results we achieved are listed as follows.
(1) On computationally secure message transmission problem, we mainly consider how to improve the efficiency of probable pseudorandom generators. We first generalize the standard two-variable DDH (Decisional Diffie-Hellman hardness) assumption to multi-variable case, then present two pseudorandom generators under the prime order subgroup modulo a prime and the subgroup of quadratic residue modulo a RSA composite respectively, which can respectively output or bits when the exponent is -bit long. Under the same concrete security level, our first generator is one of the fastest generators under standard assumptions, while the second construction is also twice faster than the original (Goldreich-Rosen) algorithm.
The rest of the research mainly focuses on information theoretically secure message transmission protocols.
(2) To answer the open question raised by Garay and Ostrovsky on the round complexity of secure message transmission by public discussion (SMT-PD) protocols, we prove that any SMT-PD protocol should be at least 3-round totally, and two of them must invoke the public discussion channel. Then we present a round optimal SMT-PD protocol, which is computationally efficient and almost optimal in communication complexity when the message is long enough.
(3) By weakening the requirement of security, we consider the problem of constructing communication-optimal 1-round Almost SMT protocols. For each of the two conditions of (where ) and , we present one Almost SMT protocols to achieve optimal transmission rate ( and respectively). Both of the two protocols are perfectly private and probabilistically reliable. Then, by adopting a privacy definition similar to the notion of semantic security of encryption schemes, we construct a 1-round SMT protocol under the condition of to achieve optimal transmission rate (that is ). The protocol is perfectly reliable though its privacy is weaker than perfect SMT protocols.
(4) The standard model of SMT, assuming some of the available channels are completely secure and no noise, won’t work any more when all the available channels may be affected by the adversarial actions. We suggest a new model (called the adversarial channel model) to capture the scenario where the adversary can not only fully control some channels but also partially modify the other channels by introducing adversarial noises. A round-optimal SMT protocol under the new model is presented, which only involves a little more computation and communication complexity in comparing with SMT protocols under the standard model.
(5) We finally formalize a new problem, called Key Expansion over Wires (KEoW), to fulfill the requirement of expanding a weak key to a much longer and stronger key over multiple wires. The problem, as we prove in this thesis, is solvable when only one of the available channels is uncorrupted. We then bound the communication complexity of KEoW protocols by analyzing the relation between KEoW and SMT protocols, while we prove that the communication complexity of SMT protocols with initial weak keys cannot be reduced substantially. Finally, we prove that, even without the help of public discussion channel , the SMT protocols under condition is constructible when a weak key is shared initially.
为此,安全消息传输(SMT)协议从两个方面对Shannon模型进行了弱化:一方面,若通信双方存在多条( )信道,且攻击者只能虏获其中的一部分( )时,即使(通信双方)预先未共享任何密钥也能实现完善保密的目标;另一方面,若通信双方只有一条公开认证信道,但攻击者计算能力有限(如概率多项式时间算法)且某些困难性猜想成立时,通信双方也可能在未共享任何密钥的前提下实现足够安全的保密目标。这两种情况分别对应了信息论安全和计算上安全的消息传输协议问题。自提出以来,这两个问题均得到了密码学界的广泛研究。不过细心分析可以发现,对这两个问题的研究还远未达到完美的状态,特别是在高效协议设计以及复杂度下界证明方面仍留有很大的想象空间。
为此,本文同时从计算上安全和信息论安全这两个角度研究了高效SMT协议的构造和通信复杂度下界证明问题,并取得了以下原创性成果:
(1)在计算上安全的消息传输协议方面,本文主要考虑如何提高可证安全伪随机生成器算法的效率。为此,本文研究了如何将标准的DDH(Diffie-Hellman判定困难性)假定由二变量推广至多变量的情形;并以此为基础,在模为素数的素阶子群及RSA合数的二次剩余类子群上分别构造了一个伪随机生成器算法。这两个算法在每个指数长度为比特的模幂运算下分别能输出比特和比特。通过与目前已知最好的算法在同一具体安全级别上的比较发现,我们的第一个算法是目前基于标准假定下最快的;而第二个算法也是改进前的(Goldreich-Rosen)算法的两倍快。
本文后续研究都是针对信息论安全的消息传输协议展开的。
(2)为了回答Garay和Ostrovsky提出的一个开放问题,本文证明了任何公开讨论信道模型下的SMT协议(即SMT-PD)都需要进行三轮通信,且其中两轮需要使用公开讨论信道;并给出了一个通信轮数最优的SMT-PD协议。该协议是计算上有效的,且当消息长度满足一定条件时,通信复杂度接近最优。
(3)通过降低安全性要求,分析了如何设计具有最优通信复杂度的1-轮概率SMT协议的问题。首先,针对条件(其中)和分别
设计了一个概率SMT协议以分别实现最优的传输率和。这些协议都能实现完善的保密性,但有很小的失败概率。其次,通过采用一个类似于加密方案语义安全性的私密性定义,还在条件下设计了一个具有最优传输率的1-轮概率SMT协议。该协议完全可靠,但攻击者有可能获得一些秘密信息。
(4)由于SMT标准模型假定可用信道中有些是完全保密且没有任何噪音的,因此在一个攻击气氛弥漫的网络中可能不太合理。为此提出了敌手信道模型,不仅允许攻击者能完全控制一些信道,还允许她通过引入噪音来篡改其它信道中的部分消息。在新模型中设计了一个轮复杂性最优的SMT协议。相比于标准模型下的协议,该协议只增加了一些很小的计算和通信开销。
(5)提出了一个被称为“多信道密钥扩展”的新问题(KEoW)以研究如何在多条信道上将一个共享的弱密钥扩展为一个任意长的强密钥。证明了KEoW问题在即使只存在一条未虏获信道的情况下都是可以解决的,不过当被虏获的信道数多于一半时,KEoW协议无法实现完善可靠性。利用该问题与SMT问题的关系还分析了KEoW协议的通信复杂性,同时还证明了带初始弱密钥的SMT协议的通信复杂性实际上得不到显著的改善。最后证明了当存在初始弱密钥时无需公开讨论信道就可实现条件下的SMT协议。
As an important part of the infrastructure of social communication, computer networks usually carry a large amount of sensitive information. For the public accessibility of the transmission system, the problem of guaranteeing the security, e.g., privacy and reliability, has been becoming a hot topic of social life. When the adversary is computationally unbounded and only one public channel is available to the communicants, Shannon’s result on achieving perfect security shows that a uniformly random key, not shorter than the corresponding plaintext, has to be shared initially. Obviously, this inconvenient requirement sets up a barrier to the extensive application of cryptography.
To break the deadlock, the study on secure message transmission protocols selects to weaken Shannon’s model in two ways: On the one hand, provided that there are multiple (say ) channels available and only part of them (say ) could be corrupted by a (computationally unbounded) adversary, reasonable (or even perfect) privacy and reliability might be realized even no random key is shared initially. On the other hand, in the scenario that only one authenticated channel is available, reasonable security is also achievable as long as the potential adversary is of limited computability (e.g., probabilistic-polynomial-time computability) and some hardness assumptions holds. The two considerations correspond respectively to the two problems of secure message transmission (SMT) with information-theoretical and computational security. Though both of the two problems have been extensively studied in the last decades, a careful analysis will find out that the research on SMT is still far from complete, especially the problems of constructing practically efficient SMT protocols and proving complexity bounds of them.
For this reason, we consider how to improve the efficiency, and prove the lower bounds of communication complexity of SMT protocols in this thesis. The main results we achieved are listed as follows.
(1) On computationally secure message transmission problem, we mainly consider how to improve the efficiency of probable pseudorandom generators. We first generalize the standard two-variable DDH (Decisional Diffie-Hellman hardness) assumption to multi-variable case, then present two pseudorandom generators under the prime order subgroup modulo a prime and the subgroup of quadratic residue modulo a RSA composite respectively, which can respectively output or bits when the exponent is -bit long. Under the same concrete security level, our first generator is one of the fastest generators under standard assumptions, while the second construction is also twice faster than the original (Goldreich-Rosen) algorithm.
The rest of the research mainly focuses on information theoretically secure message transmission protocols.
(2) To answer the open question raised by Garay and Ostrovsky on the round complexity of secure message transmission by public discussion (SMT-PD) protocols, we prove that any SMT-PD protocol should be at least 3-round totally, and two of them must invoke the public discussion channel. Then we present a round optimal SMT-PD protocol, which is computationally efficient and almost optimal in communication complexity when the message is long enough.
(3) By weakening the requirement of security, we consider the problem of constructing communication-optimal 1-round Almost SMT protocols. For each of the two conditions of (where ) and , we present one Almost SMT protocols to achieve optimal transmission rate ( and respectively). Both of the two protocols are perfectly private and probabilistically reliable. Then, by adopting a privacy definition similar to the notion of semantic security of encryption schemes, we construct a 1-round SMT protocol under the condition of to achieve optimal transmission rate (that is ). The protocol is perfectly reliable though its privacy is weaker than perfect SMT protocols.
(4) The standard model of SMT, assuming some of the available channels are completely secure and no noise, won’t work any more when all the available channels may be affected by the adversarial actions. We suggest a new model (called the adversarial channel model) to capture the scenario where the adversary can not only fully control some channels but also partially modify the other channels by introducing adversarial noises. A round-optimal SMT protocol under the new model is presented, which only involves a little more computation and communication complexity in comparing with SMT protocols under the standard model.
(5) We finally formalize a new problem, called Key Expansion over Wires (KEoW), to fulfill the requirement of expanding a weak key to a much longer and stronger key over multiple wires. The problem, as we prove in this thesis, is solvable when only one of the available channels is uncorrupted. We then bound the communication complexity of KEoW protocols by analyzing the relation between KEoW and SMT protocols, while we prove that the communication complexity of SMT protocols with initial weak keys cannot be reduced substantially. Finally, we prove that, even without the help of public discussion channel , the SMT protocols under condition is constructible when a weak key is shared initially.
引文
[1] W. Diffie, M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 1976, 22(6):644-654.
[2] R. L. Rivest, A. Shamir, L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 1978, 21(2):120-126.
[3] T. ElGamal. A public-key cryptosystem and a signature scheme based on discrete logarithms.IEEE Transactions on Information Theory, 1985, 31(4):469–472.
[4] A. Fiat, A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. Proc. of the Advances in Cryptology-Crypto, LNCS 263, 1986, 186-194.
[5] O. Goldreich, S. Micali, A. Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. Proc. of the ACM Symposium on Theory of Computing (STOC) , 1987, 218-229.
[6] A. Shamir. How to share a secret. Commun. ACM, 1979, 22(11):612-613.
[7] M. Wegman, J. Carter. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences, 1981, 22(2):265-279.
[8] H. Bennett, G. Brassard, C. Crepeau, U. M. Maurer. Generalized privacy amplification. IEEE Transactions on Information Theory, 1995, 41(6):1915-1923.
[9] U. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions on Information Theory, 1993, 39(3):733-742.
[10] M. Ben-Or, S. Goldwasser, A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). Proc. of the ACM Symposium on Theory of Computing (STOC) , 1988, 1-10.
[11] D. Chaum, C. Crpeau, I. Damgard. Multiparty unconditionally secure protocols (extended abstract). Proc. of the IEEE Annual Symposium on Foundations of Computer Science (FOCS), 1988, 11-19.
[12] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Computing, 1997, 26(5):1484-1509.
[13] O. Regev. Quantum computation and lattice problems. SIAM J. Computing, 2004, 33(3):738-760.
[14] J. Katz, Y. Lindell. Introduction to Modern Cryptography. Chapman & Hall/CRC Press, 2007.
[15] E. Shannon. Communication theory of secrecy systems. Bell Systems Technical Journal, 1949, 28(4):656-715.
[16] A. Russell, H. Wang. How to fool an unbounded adversary with a short key. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 2332, 2002, 133-148.
[17] Y. Dodis, A. Smith. Entropic security and the encryption of high entropy messages. Theory of Cryptography Conference(TCC), LNCS 3378, 2005, 556-577.
[18] A. C. Yao. Theory and applications of trapdoor functions. Proc. of the IEEE Annual Symposium on Foundations of Computer Science(FOCS), 1982, 80-91.
[19] M. Blum, S. Micali. How to generate cryptographically strong sequences of pseudorandom bits. SIAM J. Computing, 1984, 13(4):850-864.
[20] O. Goldreich, S. Goldwasser, S.Micali. How to construct random functions. Journal of ACM, 1986, 33(4):792-807.
[21] S. Goldwasser, S. Micali. Probabilistic encryptions. Journal of Computer and System Science, 1984, 28(2):270-299.
[22] M. Luby, C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Computing, 1988, 17(2):373-386.
[23] M. Bellare, R. Canetti, H. Krawczyk. Pseudorandom functions revisited: The cascade construction and its concrete security. Proc. of the IEEE Annual Symposium on Foundations of Computer Science(FOCS) , 1996, 514-523.
[24] M. Naor, M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. ACM Symposium on Theory of Computing (STOC) , 1990, 427-437.
[25] J. Katz, M. Yung. Complete characterization of security notions for probabilistic private-key encryption. In ACM Symposium on Theory of Computing (STOC) , 2000, 245-254.
[26] D. Dolev, C. Dwork, O. Waarts, M. Yung. Journal of ACM, 1993, 40(1):17-47.
[27] K. Kurosawa, K.Suzuki. Almost-everywhere secure computation. Proc. of the Advances in Cryptology- Eurocrypt, LNCS 4965, 2008, 324-340.
[28] H. Sayeed, H. Abu-Amara. Efficient perfectly secure message transmission in synchronous networks. Information and Communication, 1996,126(1):3-61.
[29] K. Srinathan, A. Narayanan, C. Pandu Rangan. Optimal perfectly secure message transmission. Proc. of the Advances in Cryptology-Crypto, LNCS 3152, 2004, 545-561.
[30] S. Agarwal, R. Cramer, R. de Haan. Asymptotically optimal two-round perfectly secure message transmission. Proc. of the Advances in Cryptology-Crypto, LNCS 4117, 2006, 394-408.
[31] M. Fitzi, M. Franklin, J. Garay, et al. Towards optimal and efficient perfectly secure message transmission. Theory of Cryptography Conference (TCC), LNCS 4392, 2007, 311-322.
[32] M. Franklin, R. N. Wright. Secure communication in minimal connectivity models. Journal of Cryptology, 2000, 13(1):9-30.
[33] A. Patra, A. Choudhary, K. Srinathan, C. Pandu Rangan. Unconditionally reliable and secure message transmission in undirected synchronous networks: Possibility, feasibility and optimality. Technical report, Cryptology ePrint Archive, 2008, 141.
[34] Y. Desmedt, Y. Wang. Perfectly secure message transmission revisited. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 2332, 2002, 502-517.
[35] K. Kurosawa, K. Suzuki. Almost secure (1-round, n-channel) message transmission scheme. IEICE Transactions, 2009, 92A(1):105-112.
[36] T. Araki. Almost secure 1-round message transmission scheme with polynomial-time message decryption. Proc. of the ICITS, LNCS 5155, 2008, 2-13.
[37] J. Garay, R. Ostrovsky. Almost-everywhere secure computation. Proc. of the Advances in Cryptology- Eurocrypt, LNCS 4965, 2008, 307-323.
[38] Y. Wang, Y. Desmedt. Perfectly secure message transmission revisited. IEEE Transactions on Information Theory, 2008, 54(6):2582-2595.
[39] H. Sayeed, H. Abu-Amara. Perfectly secure message transmission in asynchronous networks. Proc. of the IEEE Symposium on Parallel and Distributed Processing, 1995, 100-105.
[40] A. Choudhary, A. Patra, B. V. Ashwinkumar, et al. On minimal connectivity requirement for secure message transmission in asynchronous networks. ICDCN, 2009, 148-162.
[41] M. Kumar, P. Goundan, K. Srinathan, C. Rangan. On perfectly secure communication over arbitrary networks. Proc. of the ACM Symposium on Principles of Distributed Computing, 2002, 193-202.
[42] O. Goldreich. Foundations of Cryptography: Vol I & II. Cambridge University Press, 2001 & 2004.
[43] O. Goldreich, V. Rosen. On the security of modular exponentiation with application to the construction of pseudorandom generators. Journal of Cryptology, 2003, 16(2):71-93.
[44] J. Garay, C. Givens, R. Ostrovsky. Secure message transmission with small public discussion. Will appear in Advances in Cryptology-Eurocrypt, 2010.
[45] J. Wullschleger. Oblivious Transfer Amplification. PhD thesis, ETH, 2007.
[46] Y. Dodis, D. Wichs. Non-malleable extractors and symmetric key cryptography from weak secrets. Proc. of the ACM Symposium on Theory of Computing (STOC) , 2009, 601-610.
[47] A. Juels, M. Jakobsson, E. Shriver, B. K. Hillyer. How to turn loaded dice into fair coins. IEEE Transactions on Information Theory, 2000, 46(3):911-921.
[48] O. Goldreich, A. Wigderson. Tiny family of functions with random properties: A quality-size tradeoff for hashing. Proc. of the ACM Symposium on Theory of Computing (STOC) , 1994, 574-584.
[49] R. Shaltiel. Recent developments in explicit constructions of extractors. In Bull. Eu. Assoc. Theor. Comput. Sci. , 2002, 67-95.
[50] H. Shi, S. Jiang, Z. Qin. More efficient DDH pseudorandom generators. Journal of Designs, Codes and Cryptography, 2010, 55(1).
[51] D. L. Long, A. Wigderson. How discreet is the discrete log. Proc. of the ACM Symposium on Theory of Computing (STOC) , 1983, 413-420.
[52] R. Peralta. Simultaneous security of bits in the discrete log. Proc. of the Advances in Cryptology- Eurocrypt, LNCS 219, 1986, 62-72.
[53] S. Patel, G. S. Sundaram. An efficient discrete log pseudo random generator. Proc. of the Advances in Cryptology-Crypto, LNCS 1462, 1998, 304-317.
[54] R. Gennaro. An improved pseudo-random generator based on the discrete logarithm problem. Journal of Cryptology, 2006, 18(2):91-110.
[55] R. Steinfeld, J. Pieprzyk, H. Wang. On the provable security of an efficient rsa-based pseudorandom generator. Proc. of the Advances in Cryptology-Asiacrypt, LNCS 4284, 2006, 194-209.
[56] L. Blum, M. Blum, M. Shub. A simple unpredictable pseudorandom number generator. SIAM J. Computing, 1986, 15(2):364-383.
[57] W. Alexi, B. Chor, O. Goldreich, C. Schnorr. RSA and rabin functions: Certain parts are as hard as the whole. SIAM J. Computing, 1988, 17(2):194-209.
[58] R. Fischlin, C. Schnorr. Stronger security proofs for rsa and rabin bits. Journal of Cryptology, 2000, 13(2):221-244.
[59] A. Sidorenko, B. Schoenmakers. Concrete security of the blum-blum-shub pseudorandom generator. Proc. of the Conference of Cryptography and Coding, LNCS 3796, 2005, 355-375.
[60] S. Jiang. Efficient primitives from exponentiation in zp. The 11th Australasian Conference Information Security and Privacy (ACISP), LNCS 4058, 2006, 259-270.
[61] R. R. Farashahi, B. Schoenmakers, A.Sidorenko. Efficient pseudo-random generators based on the ddh assumption. Proc. of the Conference of Public Key Cryptography (PKC), LNCS 4450, 2007, 426-441.
[62] L. A. Levin. One-Way Function and Pseudorandom Generators. Combinatorica, 1987, 7(1):357-363.
[63] O. Goldreich, L. A. Levin. Hard-Core Predicate for Any One-Way Function. Proc. of the ACM Symposium on Theory of Computing (STOC) , 1989, 25-32.
[64] J. Hastad, R. Impagliazzo, L. A. Levin, M. Luby. Construction of a pseudo-random generator from any one-way function. SIAM J. COMPUT., 1999, 28(4):1364-1396.
[65] V. Shoup. A Computational Introduction to Number Theory and Algebra. Cambridge University Press, 2008.
[66] D. Boneh, S. Halevi, N.A.Howgrave-Graham. The modular inversion hidden number problem. Proc. of the Advances in Cryptology-Asiacrypt, LNCS 2248, 2001, 36-51.
[67] R. Impagliazzo, M. Naor. Efficient cryptographic schemes provably as secure as subset sum. Journal of Cryptology, 1996, 9(4):199-216.
[68] M. Bellare, A. Boldyreva, K. Kurosawa, J.Staddon. Multi-recipient encryption schemes: Efficient constructions and their security. IEEE Transactions on Information Theory, 2007, 53(11):3927-3943.
[69] D. Boneh. The decision Diffie-Hellman problem. Proc. of the Algorithmic Number Theory Symposium, LNCS 1423, 1998, 48-63.
[70] M. Bellare, A. Boldyreva, S. Micali. Public-key encryption in a multi-user setting: Security proofs and improvements. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 1807, 2000, 259-274.
[71] V. Shoup. On formal models for secure key exchange. Technical report, 1999. Available at http://philby.ucsd.edu/cryptolib/1999.html.
[72] S. Jiang, G. Gong. Security of a server-assisted group password-authenticated key exchange protocol. Technical report, Technical Report CACR 2005, 17.
[73] O. Chevassut, P. A. Fouque, P. Gaudry, D. Pointcheval. Key derivation and randomness extraction. Technical report, 2005, 061.
[74] V. Shoup. Lower bounds for discrete logarithms and related problems. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 1233, 1997, 256-266.
[75] A. K. Lenstra, E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 2001, 14(4):255-293.
[76] M. I. Gonzalez Vasco, M. Naslund, I.E. Shparlinski. New results on the hardness of Diffie-Hellman bits. Proc. of the Conference of Public Key Cryptography(PKC), LNCS 2947, 2004, 159-172.
[77] C. Lim, P. Lee. More flexible exponentiation with precomputation. Proc. of the Advances in Cryptology- Crypto, LNCS 839, 1994, 95-107.
[78] W. Dai. Crypto++ library. http://www.cryptopp.com.
[79] H. Shi, S. Jiang, R. Safavi-Naini, M. Tuhin. Optimal secure message transmission by public discussion. Proc. of the International Symposium on Information Theory, 2009, 1313-1317.
[80] T. Rabin, M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). Proc. of the ACM Symposium on Theory of Computing (STOC) , 1989, 73-85.
[81] E. Upfal. Tolerating linear number of faults in networks of bounded degree. ACM Symposium on Principles of Distributed Computing, 1992, 83-89.
[82] J. Garay. Partially connected networks: Information theoretically secure protocols and open problems. An invited talk in ICITS 2008.
[83] M. Tuhin, H. Shi, R. Safavi-Naini. (epsilon, 0)-secure message transmission. Proc. of the Canadian Workshop on Information Theory, 2009, 152-156.
[84] R. Cramer, I. Damgard, S. Fehr. On the cost of reconstructing a secret, or vss with optimal reconstruction phase. Proc. of the Advances in Cryptology-Crypto, LNCS 2139, 2001, 503-523.
[85] A. Patra, A. Choudharyy, C. Pandu Rangan. On Round Complexity of Unconditionally Secure VSS. 2008, http://eprint.iacr.org/2008/172.
[86] E. Berlekamp, L. Welch. Error correction of algebraic block codes. US Patent 4,633,470.
[87]石竑松,秦志光.敌手信道模型中的安全消息传输.计算机工程,录用, 2010.
[88] A. Smith. Scrambling adversarial errors using few random bits. Proc. of the ACM-SIAM Symposium on Discrete Algorithms (SODA) , 2007, 395-404.
[89] M. Langberg. Private codes or succinct random codes that are (almost) perfect. Proc. of the IEEE Annual Symposium on Foundations of Computer Science (FOCS), 2004, 325-334.
[90] A. R. Cramer, Y. Dodis, S. Fehr, et al. Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 4965, 2008, 471-488.
[91] C. E. Shannon. A mathematical theory of communication. Bell Systems Technical Journal, 1948, 27(1):379-423 & 623-656.
[92] M. Sudan. Algorithmic introduction to coding theory-course note. Available at: http://people.csail.mit.edu/madhu/coding/course.html.
[93] H. Shi, S. Jiang, R. Safavi-Naini. Secure Key Expansion over Wires. 2010. In writing.
[94] A. Akavia, S. Goldwasser, V. Vaikuntanathan. Simultaneous hardcore bits and cryptography against memory attacks. Proc. of the Theory of Cryptography Conference (TCC), LNCS 5444, 2009, 474-495.
[95] J. Halderman, S. Schoen, N. Heninger, et al. Lest we remember: Cold boot attacks on encryption keys. Commun. ACM, 2009, 52(5):91-98.
[96] S. Micali, L. Reyzin. Physically observable cryptography (extended abstract). Proc. of the Theory of Cryptography Conference (TCC), LNCS 2951, 2004, 278-296.
[97] U. M. Maurer, S. Wolf. Privacy amplification secure against active adversaries. Proc. of the Advances in Cryptology-Crypto, LNCS 1294, 1997, 307-321.
[98] U. M. Maurer, S. Wolf. Secret-key agreement over unauthenticated public channels iii: Privacy amplification. IEEE Transactions on Information Theory, 2003, 49(4):839-851.
[99] R. Renner, S. Wolf. Unconditional authenticity and privacy from an arbitrarily weak secret. Proc. of the Advances in Cryptology-Crypto, LNCS 2729, 2003, 78-95.
[100] H. Bennett, G. Brassard. Quantum cryptography: public key distribution and coin tossing. Proc. of the IEEE International Conference on Computers, Systems and Signal Processing, 1984, 175-179.
[101] S. Wolf. Information theoretically and computationally secure key agreement in cryptography. PhD thesis, ETH No.13138, 1999.
[102] R. Renner, S. Wolf. The exact price for unconditionally secure asymmetric cryptography. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 3027, 2004, 109-125.
[103] B. Kanukurthi, L. Reyzin. Key agreement from close secrets over unsecured channels. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 5479, 2009, 206-223.
[104] H. Bennett, G. Brassard, J.Robert. Privacy amplification by public discussion. SIAM J. Computing, 1988, 17(2):210-229.
[105] A. D. Wyner. The wire-tap channel. Bell Systems Technical Journal, 1975, 54(8):1355-1387.
[106] O. Goldreich, Y. Lindell. Session-key generation using human passwords only. Proc. of the Advances in Cryptology-Crypto, LNCS 2139, 2001, 408-432.
[107] K. Srinathan, N. R. Prasad, C. Pandu Rangan. On the optimal communication complexity of multiphase protocols for perfect communication. Proc. of the IEEE Symposium on Security and Privacy, 2007, 311-320.
[108] A. Patra, A. Choudhary, K. Srinathan, et al. Constant phase bit optimal protocols for perfectly reliable and secure message transmission. Proc. of the INDOCRYPT, LNCS 4329, 2006, 221-235.
[2] R. L. Rivest, A. Shamir, L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 1978, 21(2):120-126.
[3] T. ElGamal. A public-key cryptosystem and a signature scheme based on discrete logarithms.IEEE Transactions on Information Theory, 1985, 31(4):469–472.
[4] A. Fiat, A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. Proc. of the Advances in Cryptology-Crypto, LNCS 263, 1986, 186-194.
[5] O. Goldreich, S. Micali, A. Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. Proc. of the ACM Symposium on Theory of Computing (STOC) , 1987, 218-229.
[6] A. Shamir. How to share a secret. Commun. ACM, 1979, 22(11):612-613.
[7] M. Wegman, J. Carter. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences, 1981, 22(2):265-279.
[8] H. Bennett, G. Brassard, C. Crepeau, U. M. Maurer. Generalized privacy amplification. IEEE Transactions on Information Theory, 1995, 41(6):1915-1923.
[9] U. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions on Information Theory, 1993, 39(3):733-742.
[10] M. Ben-Or, S. Goldwasser, A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). Proc. of the ACM Symposium on Theory of Computing (STOC) , 1988, 1-10.
[11] D. Chaum, C. Crpeau, I. Damgard. Multiparty unconditionally secure protocols (extended abstract). Proc. of the IEEE Annual Symposium on Foundations of Computer Science (FOCS), 1988, 11-19.
[12] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Computing, 1997, 26(5):1484-1509.
[13] O. Regev. Quantum computation and lattice problems. SIAM J. Computing, 2004, 33(3):738-760.
[14] J. Katz, Y. Lindell. Introduction to Modern Cryptography. Chapman & Hall/CRC Press, 2007.
[15] E. Shannon. Communication theory of secrecy systems. Bell Systems Technical Journal, 1949, 28(4):656-715.
[16] A. Russell, H. Wang. How to fool an unbounded adversary with a short key. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 2332, 2002, 133-148.
[17] Y. Dodis, A. Smith. Entropic security and the encryption of high entropy messages. Theory of Cryptography Conference(TCC), LNCS 3378, 2005, 556-577.
[18] A. C. Yao. Theory and applications of trapdoor functions. Proc. of the IEEE Annual Symposium on Foundations of Computer Science(FOCS), 1982, 80-91.
[19] M. Blum, S. Micali. How to generate cryptographically strong sequences of pseudorandom bits. SIAM J. Computing, 1984, 13(4):850-864.
[20] O. Goldreich, S. Goldwasser, S.Micali. How to construct random functions. Journal of ACM, 1986, 33(4):792-807.
[21] S. Goldwasser, S. Micali. Probabilistic encryptions. Journal of Computer and System Science, 1984, 28(2):270-299.
[22] M. Luby, C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Computing, 1988, 17(2):373-386.
[23] M. Bellare, R. Canetti, H. Krawczyk. Pseudorandom functions revisited: The cascade construction and its concrete security. Proc. of the IEEE Annual Symposium on Foundations of Computer Science(FOCS) , 1996, 514-523.
[24] M. Naor, M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. ACM Symposium on Theory of Computing (STOC) , 1990, 427-437.
[25] J. Katz, M. Yung. Complete characterization of security notions for probabilistic private-key encryption. In ACM Symposium on Theory of Computing (STOC) , 2000, 245-254.
[26] D. Dolev, C. Dwork, O. Waarts, M. Yung. Journal of ACM, 1993, 40(1):17-47.
[27] K. Kurosawa, K.Suzuki. Almost-everywhere secure computation. Proc. of the Advances in Cryptology- Eurocrypt, LNCS 4965, 2008, 324-340.
[28] H. Sayeed, H. Abu-Amara. Efficient perfectly secure message transmission in synchronous networks. Information and Communication, 1996,126(1):3-61.
[29] K. Srinathan, A. Narayanan, C. Pandu Rangan. Optimal perfectly secure message transmission. Proc. of the Advances in Cryptology-Crypto, LNCS 3152, 2004, 545-561.
[30] S. Agarwal, R. Cramer, R. de Haan. Asymptotically optimal two-round perfectly secure message transmission. Proc. of the Advances in Cryptology-Crypto, LNCS 4117, 2006, 394-408.
[31] M. Fitzi, M. Franklin, J. Garay, et al. Towards optimal and efficient perfectly secure message transmission. Theory of Cryptography Conference (TCC), LNCS 4392, 2007, 311-322.
[32] M. Franklin, R. N. Wright. Secure communication in minimal connectivity models. Journal of Cryptology, 2000, 13(1):9-30.
[33] A. Patra, A. Choudhary, K. Srinathan, C. Pandu Rangan. Unconditionally reliable and secure message transmission in undirected synchronous networks: Possibility, feasibility and optimality. Technical report, Cryptology ePrint Archive, 2008, 141.
[34] Y. Desmedt, Y. Wang. Perfectly secure message transmission revisited. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 2332, 2002, 502-517.
[35] K. Kurosawa, K. Suzuki. Almost secure (1-round, n-channel) message transmission scheme. IEICE Transactions, 2009, 92A(1):105-112.
[36] T. Araki. Almost secure 1-round message transmission scheme with polynomial-time message decryption. Proc. of the ICITS, LNCS 5155, 2008, 2-13.
[37] J. Garay, R. Ostrovsky. Almost-everywhere secure computation. Proc. of the Advances in Cryptology- Eurocrypt, LNCS 4965, 2008, 307-323.
[38] Y. Wang, Y. Desmedt. Perfectly secure message transmission revisited. IEEE Transactions on Information Theory, 2008, 54(6):2582-2595.
[39] H. Sayeed, H. Abu-Amara. Perfectly secure message transmission in asynchronous networks. Proc. of the IEEE Symposium on Parallel and Distributed Processing, 1995, 100-105.
[40] A. Choudhary, A. Patra, B. V. Ashwinkumar, et al. On minimal connectivity requirement for secure message transmission in asynchronous networks. ICDCN, 2009, 148-162.
[41] M. Kumar, P. Goundan, K. Srinathan, C. Rangan. On perfectly secure communication over arbitrary networks. Proc. of the ACM Symposium on Principles of Distributed Computing, 2002, 193-202.
[42] O. Goldreich. Foundations of Cryptography: Vol I & II. Cambridge University Press, 2001 & 2004.
[43] O. Goldreich, V. Rosen. On the security of modular exponentiation with application to the construction of pseudorandom generators. Journal of Cryptology, 2003, 16(2):71-93.
[44] J. Garay, C. Givens, R. Ostrovsky. Secure message transmission with small public discussion. Will appear in Advances in Cryptology-Eurocrypt, 2010.
[45] J. Wullschleger. Oblivious Transfer Amplification. PhD thesis, ETH, 2007.
[46] Y. Dodis, D. Wichs. Non-malleable extractors and symmetric key cryptography from weak secrets. Proc. of the ACM Symposium on Theory of Computing (STOC) , 2009, 601-610.
[47] A. Juels, M. Jakobsson, E. Shriver, B. K. Hillyer. How to turn loaded dice into fair coins. IEEE Transactions on Information Theory, 2000, 46(3):911-921.
[48] O. Goldreich, A. Wigderson. Tiny family of functions with random properties: A quality-size tradeoff for hashing. Proc. of the ACM Symposium on Theory of Computing (STOC) , 1994, 574-584.
[49] R. Shaltiel. Recent developments in explicit constructions of extractors. In Bull. Eu. Assoc. Theor. Comput. Sci. , 2002, 67-95.
[50] H. Shi, S. Jiang, Z. Qin. More efficient DDH pseudorandom generators. Journal of Designs, Codes and Cryptography, 2010, 55(1).
[51] D. L. Long, A. Wigderson. How discreet is the discrete log. Proc. of the ACM Symposium on Theory of Computing (STOC) , 1983, 413-420.
[52] R. Peralta. Simultaneous security of bits in the discrete log. Proc. of the Advances in Cryptology- Eurocrypt, LNCS 219, 1986, 62-72.
[53] S. Patel, G. S. Sundaram. An efficient discrete log pseudo random generator. Proc. of the Advances in Cryptology-Crypto, LNCS 1462, 1998, 304-317.
[54] R. Gennaro. An improved pseudo-random generator based on the discrete logarithm problem. Journal of Cryptology, 2006, 18(2):91-110.
[55] R. Steinfeld, J. Pieprzyk, H. Wang. On the provable security of an efficient rsa-based pseudorandom generator. Proc. of the Advances in Cryptology-Asiacrypt, LNCS 4284, 2006, 194-209.
[56] L. Blum, M. Blum, M. Shub. A simple unpredictable pseudorandom number generator. SIAM J. Computing, 1986, 15(2):364-383.
[57] W. Alexi, B. Chor, O. Goldreich, C. Schnorr. RSA and rabin functions: Certain parts are as hard as the whole. SIAM J. Computing, 1988, 17(2):194-209.
[58] R. Fischlin, C. Schnorr. Stronger security proofs for rsa and rabin bits. Journal of Cryptology, 2000, 13(2):221-244.
[59] A. Sidorenko, B. Schoenmakers. Concrete security of the blum-blum-shub pseudorandom generator. Proc. of the Conference of Cryptography and Coding, LNCS 3796, 2005, 355-375.
[60] S. Jiang. Efficient primitives from exponentiation in zp. The 11th Australasian Conference Information Security and Privacy (ACISP), LNCS 4058, 2006, 259-270.
[61] R. R. Farashahi, B. Schoenmakers, A.Sidorenko. Efficient pseudo-random generators based on the ddh assumption. Proc. of the Conference of Public Key Cryptography (PKC), LNCS 4450, 2007, 426-441.
[62] L. A. Levin. One-Way Function and Pseudorandom Generators. Combinatorica, 1987, 7(1):357-363.
[63] O. Goldreich, L. A. Levin. Hard-Core Predicate for Any One-Way Function. Proc. of the ACM Symposium on Theory of Computing (STOC) , 1989, 25-32.
[64] J. Hastad, R. Impagliazzo, L. A. Levin, M. Luby. Construction of a pseudo-random generator from any one-way function. SIAM J. COMPUT., 1999, 28(4):1364-1396.
[65] V. Shoup. A Computational Introduction to Number Theory and Algebra. Cambridge University Press, 2008.
[66] D. Boneh, S. Halevi, N.A.Howgrave-Graham. The modular inversion hidden number problem. Proc. of the Advances in Cryptology-Asiacrypt, LNCS 2248, 2001, 36-51.
[67] R. Impagliazzo, M. Naor. Efficient cryptographic schemes provably as secure as subset sum. Journal of Cryptology, 1996, 9(4):199-216.
[68] M. Bellare, A. Boldyreva, K. Kurosawa, J.Staddon. Multi-recipient encryption schemes: Efficient constructions and their security. IEEE Transactions on Information Theory, 2007, 53(11):3927-3943.
[69] D. Boneh. The decision Diffie-Hellman problem. Proc. of the Algorithmic Number Theory Symposium, LNCS 1423, 1998, 48-63.
[70] M. Bellare, A. Boldyreva, S. Micali. Public-key encryption in a multi-user setting: Security proofs and improvements. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 1807, 2000, 259-274.
[71] V. Shoup. On formal models for secure key exchange. Technical report, 1999. Available at http://philby.ucsd.edu/cryptolib/1999.html.
[72] S. Jiang, G. Gong. Security of a server-assisted group password-authenticated key exchange protocol. Technical report, Technical Report CACR 2005, 17.
[73] O. Chevassut, P. A. Fouque, P. Gaudry, D. Pointcheval. Key derivation and randomness extraction. Technical report, 2005, 061.
[74] V. Shoup. Lower bounds for discrete logarithms and related problems. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 1233, 1997, 256-266.
[75] A. K. Lenstra, E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 2001, 14(4):255-293.
[76] M. I. Gonzalez Vasco, M. Naslund, I.E. Shparlinski. New results on the hardness of Diffie-Hellman bits. Proc. of the Conference of Public Key Cryptography(PKC), LNCS 2947, 2004, 159-172.
[77] C. Lim, P. Lee. More flexible exponentiation with precomputation. Proc. of the Advances in Cryptology- Crypto, LNCS 839, 1994, 95-107.
[78] W. Dai. Crypto++ library. http://www.cryptopp.com.
[79] H. Shi, S. Jiang, R. Safavi-Naini, M. Tuhin. Optimal secure message transmission by public discussion. Proc. of the International Symposium on Information Theory, 2009, 1313-1317.
[80] T. Rabin, M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). Proc. of the ACM Symposium on Theory of Computing (STOC) , 1989, 73-85.
[81] E. Upfal. Tolerating linear number of faults in networks of bounded degree. ACM Symposium on Principles of Distributed Computing, 1992, 83-89.
[82] J. Garay. Partially connected networks: Information theoretically secure protocols and open problems. An invited talk in ICITS 2008.
[83] M. Tuhin, H. Shi, R. Safavi-Naini. (epsilon, 0)-secure message transmission. Proc. of the Canadian Workshop on Information Theory, 2009, 152-156.
[84] R. Cramer, I. Damgard, S. Fehr. On the cost of reconstructing a secret, or vss with optimal reconstruction phase. Proc. of the Advances in Cryptology-Crypto, LNCS 2139, 2001, 503-523.
[85] A. Patra, A. Choudharyy, C. Pandu Rangan. On Round Complexity of Unconditionally Secure VSS. 2008, http://eprint.iacr.org/2008/172.
[86] E. Berlekamp, L. Welch. Error correction of algebraic block codes. US Patent 4,633,470.
[87]石竑松,秦志光.敌手信道模型中的安全消息传输.计算机工程,录用, 2010.
[88] A. Smith. Scrambling adversarial errors using few random bits. Proc. of the ACM-SIAM Symposium on Discrete Algorithms (SODA) , 2007, 395-404.
[89] M. Langberg. Private codes or succinct random codes that are (almost) perfect. Proc. of the IEEE Annual Symposium on Foundations of Computer Science (FOCS), 2004, 325-334.
[90] A. R. Cramer, Y. Dodis, S. Fehr, et al. Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 4965, 2008, 471-488.
[91] C. E. Shannon. A mathematical theory of communication. Bell Systems Technical Journal, 1948, 27(1):379-423 & 623-656.
[92] M. Sudan. Algorithmic introduction to coding theory-course note. Available at: http://people.csail.mit.edu/madhu/coding/course.html.
[93] H. Shi, S. Jiang, R. Safavi-Naini. Secure Key Expansion over Wires. 2010. In writing.
[94] A. Akavia, S. Goldwasser, V. Vaikuntanathan. Simultaneous hardcore bits and cryptography against memory attacks. Proc. of the Theory of Cryptography Conference (TCC), LNCS 5444, 2009, 474-495.
[95] J. Halderman, S. Schoen, N. Heninger, et al. Lest we remember: Cold boot attacks on encryption keys. Commun. ACM, 2009, 52(5):91-98.
[96] S. Micali, L. Reyzin. Physically observable cryptography (extended abstract). Proc. of the Theory of Cryptography Conference (TCC), LNCS 2951, 2004, 278-296.
[97] U. M. Maurer, S. Wolf. Privacy amplification secure against active adversaries. Proc. of the Advances in Cryptology-Crypto, LNCS 1294, 1997, 307-321.
[98] U. M. Maurer, S. Wolf. Secret-key agreement over unauthenticated public channels iii: Privacy amplification. IEEE Transactions on Information Theory, 2003, 49(4):839-851.
[99] R. Renner, S. Wolf. Unconditional authenticity and privacy from an arbitrarily weak secret. Proc. of the Advances in Cryptology-Crypto, LNCS 2729, 2003, 78-95.
[100] H. Bennett, G. Brassard. Quantum cryptography: public key distribution and coin tossing. Proc. of the IEEE International Conference on Computers, Systems and Signal Processing, 1984, 175-179.
[101] S. Wolf. Information theoretically and computationally secure key agreement in cryptography. PhD thesis, ETH No.13138, 1999.
[102] R. Renner, S. Wolf. The exact price for unconditionally secure asymmetric cryptography. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 3027, 2004, 109-125.
[103] B. Kanukurthi, L. Reyzin. Key agreement from close secrets over unsecured channels. Proc. of the Advances in Cryptology-Eurocrypt, LNCS 5479, 2009, 206-223.
[104] H. Bennett, G. Brassard, J.Robert. Privacy amplification by public discussion. SIAM J. Computing, 1988, 17(2):210-229.
[105] A. D. Wyner. The wire-tap channel. Bell Systems Technical Journal, 1975, 54(8):1355-1387.
[106] O. Goldreich, Y. Lindell. Session-key generation using human passwords only. Proc. of the Advances in Cryptology-Crypto, LNCS 2139, 2001, 408-432.
[107] K. Srinathan, N. R. Prasad, C. Pandu Rangan. On the optimal communication complexity of multiphase protocols for perfect communication. Proc. of the IEEE Symposium on Security and Privacy, 2007, 311-320.
[108] A. Patra, A. Choudhary, K. Srinathan, et al. Constant phase bit optimal protocols for perfectly reliable and secure message transmission. Proc. of the INDOCRYPT, LNCS 4329, 2006, 221-235.