Strong security against active attacks in information-theoretic secret-key agreement

Abstract

The problem of unconditionally secure key agreement, in particular privacy amplification, by communication over an insecure and not even authentic channel, is investigated. The previous definitions of such protocols were weak in the sense that it was only required that after the communication not both parties falsely believe that the key agreement was successful. In such a protocol however it is possible that Eve deceives one of the legitimate partners, i.e., makes him accept the outcome of the protocol although no secret key has been generated. In this paper we introduce the notion of strong protocols which protect each of the parties simultaneously and, in contrast to previous pessimism, it is shown that such protocols exist. For the important special case of privacy amplification, a strong protocol is presented that is based on a new, interactive way of message authentication with an only partially secret key. The use of feedback in such authentication allows to reduce the size of the authenticator, hence of the additional information about the key leaked to the adversary, without increasing the success probability of an active attack. Finally, it is shown that in the scenario where the parties and the adversary have access to repeated realizations of a random experiment, previously derived criteria for the possibility of secret-key agreement against active opponents hold for the new, strong definition of robustness against active attacks rather than for the earlier definition.