Privacy Amplification Secure Against Active Adversaries

Privacy ampliication allows two parties Alice and Bob knowing a partially secret string S to extract, by communication over a public channel, a shorter, highly secret string S 0. Bennett, Brassard, Cr epeau, and Maurer showed that the length of S 0 can be almost equal to the conditional R enyi entropy of S given an opponent Eve's knowledge. All previous results on privacy ampliication assumed that Eve has access to the public channel but is passive or, equivalently, that messages inserted by Eve can be detected by Alice and Bob. In this paper we consider privacy ampliication secure even against active opponents. First it is analyzed under what conditions information-theoretically secure authentication is possible even though the common key is only partially secret. This result is used to prove that privacy ampliication can be secure against an active opponent and that the size of S 0 can be almost equal to Eve's min-entropy about S minus 2n=3 if S is an n-bit string. Moreover, it is shown that for suuciently large n privacy ampliication is possible when Eve's min-entropy about S exceeds only n=2 rather than 2n=3.