Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Massachusetts Institute of Technology, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany 5155 Reihaneh Safavi-Naini (Ed.) Information Theoretic Security Third International Conference, ICITS 2008 Calgary, Canada, August 10-13, 2008 Proceedings 13 Volume Editor Reihaneh Safavi-Naini University of Calgary Department of Computer Science ICT Building, 2500 University Drive NW Calgary, AB, T2N 1N4, Canada E-mail: rei@cpsc.ucalgary.ca Library of Congress Control Number: 2008931579 CR Subject Classification (1998): E.3, D.4.6, F.2.1, C.2, K.4.4, K.6.5 LNCS Sublibrary: SL – Security and Cryptology ISSN ISBN-10 ISBN-13 0302-9743 3-540-85092-9 Springer Berlin Heidelberg New York 978-3-540-85092-2 Springer Berlin Heidelberg New York This work is subject to copyright All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer Violations are liable to prosecution under the German Copyright Law Springer is a part of Springer Science+Business Media springer.com © Springer-Verlag Berlin Heidelberg 2008 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12444649 06/3180 543210 Preface ICITS 2008, the Third International Conference on Information Theoretic Security, was held in Calgary, Alberta, Canada, during August 10–13, 2008, at the University of Calgary This series of conferences was started with the 2005 IEEE Information Theory Workshop on Theory and Practice in Information-Theoretic Security (ITW 2005, Japan), held on Awaji Island, Japan, October 16–19, 2005 The conference series aims at bringing focus to security research when there is no unproven computational assumption on the adversary This is the framework proposed by Claude Shannon in his seminal paper formalizing modern unclassified research on cryptography Over the last few decades, Shannon’s approach to formalizing security has been used in various other areas including authentication, secure communication, key exchange, multiparty computation and information hiding to name a few Coding theory has also proven to be a powerful tool in the construction of security systems with information theoretic security There were 43 submitted papers of which 14 were accepted Each contributed paper was reviewed by three members of the Program Committee In the case of co-authorship by a Program Committee member the paper was reviewed by five members of the committee (no committee member reviewed their own submission) In addition to the accepted papers, the conference also included nine invited speakers, whose contributions were not refereed These proceedings contain the accepted papers with any revisions required by the Program Committee as well as the contributions by invited speakers The invited speakers were: Jo˜ ao Barros Claude Cr`epeau Juan Garay Strong Secrecy for Wireless Channels Interactive Hashing: An Information Theoretic Tool Partially Connected Networks: Information Theoretically Secure Protocols and Open Problems Venkatesan Guruswami List Error-Correction with Optimal Information Rate Goichiro Hanaoka Some Information-Theoretic Arguments for Encryption: Non-malleability and Chosen-Ciphertext Security Norbert Lă utkenhaus Theory of Quantum Key Distribution: The Road Ahead Pierre Moulin Perfectly Secure Information Hiding Serge Vaudenay The Complexity of Distinguishing Distributions Moti Yung Does Physical Security of Cryptographic Devices Need a Formal Study? VI Preface Submissions to ICITS 2008 were required to be anonymous The task of selecting 14 papers out of 43 submissions was challenging Each paper was carefully discussed until a consensus was reached It was a great pleasure to work with such a high-caliber and meticulous Program Committee External referees helped the Program Committee in reaching their decisions, and I thank them for their effort A list of all external referees appears later in these proceedings I would like to thank the General Chair of the conference, Barry Sanders, and the Organizing Committee (listed below), whose unrelenting effort ensured the smooth running of the conference I would like to thank Michal Sramka and Karl-Peter Marzlin, in particular, for their continued effort in maintaining the conference website and submission system (iChair), and lending a hand whenever it was required The conference benefited enormously from the generous financial support of the University of Calgary, the Informatics Circle of Research Excellence in Alberta, the Pacific Institute of Mathematical Sciences, the Canadian Institute for Advanced Research and Quantum Works Finally, I would like to thank the authors of all submitted papers for their hard work and all attendees of the conference whose support ensured the success of the conference August 2008 Reihaneh Safavi-Naini ICITS 2008 The Third International Conference on Information Theoretic Security University of Calgary, Canada August 10–13, 2008 General Chair Barry Sanders QIS1 ,University of Calgary, Canada Program Chair Reihaneh Safavi-Naini iCIS Lab2 , University of Calgary, Canada Program Committee Simon Blackurn Carlo Blundo Stefan Dziembowski Cunsheng Ding Yevgeniy Dodis Paolo D’Arco Serge Fehr Matthias Fitzi Hideki Imai Kaoru Kurosawa Jă orn Mă uller-Quade Dingyi Pei C Pandu Rangan Renato Renner Alain Tapp Huaxiong Wang Wolfgang Tittel Moti Yung Yuliang Zheng Royal Holloway University of London, UK University of Salerno, Italy Universit´ a La Sapienza, Italy Hong Kong University of Science and Technology, Hong Kong New York University, USA University of Salerno, Italy CWI, The Netherland ETH, Switzerland Chuo University, Japan Ibaraki University, Japan Universită at Karlsruhe, Germany Academia Sinica, P.R China Indian Institute of Technology, India ETH, Switzerland Universit´e de Montr´eal, Canada Nanyang Technological University, Singapore University of Calgary, Canada Google and Columbia University, USA University of North Carolina, USA Institute for Quantum Information Sciences iCORE Information Security Laboratory VIII Organization Steering Committee Carlo Blundo Gilles Brassard Ronald Cramer Yvo Desmedt, Chair Hideki Imai Kaoru Kurosawa Ueli Maurer Reihaneh Safavi-Naini Doug Stinson Moti Yung Yuliang Zheng University of Salerno, Italy University of Montreal, Canada CWI, The Netherlands University College London, UK National Institute of Advanced Industrial Science and Technology, Japan Ibaraki University, Japan ETH, Switzerland University of Calgary, Canada University of Waterloo, Canada Google and Columbia University, USA University of North Carolina, USA Organizing Committee Mina Askari Catherine Giacobbo Jeong San Kim Itzel Lucio Martinez Karl-Peter Marzlin Xiaofan Mo Michal Sramka iCIS Lab, University of Calgary, Canada QIS, University of Calgary, Canada QIS, University of Calgary, Canada QIS, University of Calgary, Canada QIS, University of Calgary, Canada QIS, University of Calgary, Canada iCIS Lab, University of Calgary, Canada External Referees Nuttapong Attrapadung Kai Yuen Cheong Ashish Choudary Yang Cui Yvo Desmedt Dejan Dukaric Nelly Fazio Jun Furukawa Clemente Galdi Robbert de Haan Manabu Hagiwara Martin Hirt Shaoquan Jiang Masaru Kamada Aggelos Kiayias Varad kirtane Takeshi Koshiba Donggang Liu Anderson C.A Nascimento Frederique Oggier Arpita Patra Krzysztof Pietrzak Hongsng Shi Takeshi Shimoyama SeongHan Shin Hitoshi Tanuma Ashraful Tuhin Ivan Visconti Table of Contents Secure and Reliable Communication I Partially Connected Networks: Information Theoretically Secure Protocols and Open Problems (Invited Talk) Juan A Garay Almost Secure 1-Round Message Transmission Scheme with Polynomial-Time Message Decryption Toshinori Araki Quantum Information and Communication Interactive Hashing: An Information Theoretic Tool (Invited Talk) Claude Cr´epeau, Joe Kilian, and George Savvides Distributed Relay Protocol for Probabilistic Information-Theoretic Security in a Randomly-Compromised Network Travis R Beals and Barry C Sanders 14 29 Networks and Devices Strong Secrecy for Wireless Channels (Invited Talk) Jo˜ ao Barros and Matthieu Bloch Efficient Key Predistribution for Grid-Based Wireless Sensor Networks Simon R Blackburn, Tuvi Etzion, Keith M Martin, and Maura B Paterson Does Physical Security of Cryptographic Devices Need a Formal Study? (Invited Talk) Fran¸cois-Xavier Standaert, Tal G Malkin, and Moti Yung 40 54 70 Mulitparty Computation A Single Initialization Server for Multi-party Cryptography Hugue Blier and Alain Tapp Statistical Security Conditions for Two-Party Secure Function Evaluation Claude Crepeau and Jă urg Wullschleger 71 86 X Table of Contents Information Hiding and Tracing Upper Bounds for Set Systems with the Identifiable Parent Property Michael J Collins 100 Coding Theory and Security Oblivious Transfer Based on the McEliece Assumptions Rafael Dowsley, Jeroen van de Graaf, Jă orn Mă uller-Quade, and Anderson C.A Nascimento 107 List Error-Correction with Optimal Information Rate (Invited Talk) Venkatesan Guruswami 118 Quantum Computation Theory of Quantum Key Distribution: The Road Ahead (Invited Talk) Norbert Lă utkenhaus Susceptible Two-Party Quantum Computations Andreas Jakoby, Maciej Li´skiewicz, and Aleksander Madry 120 121 Secure and Reliable Communication II Perfectly Reliable and Secure Communication Tolerating Static and Mobile Mixed Adversary Ashish Choudhary, Arpita Patra, B.V Ashwinkumar, K Srinathan, and C Pandu Rangan 137 Key Refreshing in Wireless Sensor Networks Simon R Blackburn, Keith M Martin, Maura B Paterson, and Douglas R Stinson 156 Efficient Traitor Tracing from Collusion Secure Codes Olivier Billet and Duong Hieu Phan 171 Foundation Revisiting the Karnin, Greene and Hellman Bounds Yvo Desmedt, Brian King, and Berry Schoenmakers Simple Direct Reduction of String (1, 2)-OT to Rabin’s OT without Privacy Amplification Kaoru Kurosawa and Takeshi Koshiba The Complexity of Distinguishing Distributions (Invited Talk) Thomas Baign`eres and Serge Vaudenay 183 199 210 A Proof of Security in O(2n ) for the Xor of Two Random Permutations 235 the bi values are randomly chosen in Inm , and σ(H) the standard deviation of H when the bi values are randomly chosen in Inm (Therefore we can call our general proof strategy the “Hσ technique”, since we use the coefficient H technique plus n| the evaluation of σ(H)) We will prove that E(H) = |B 2nm and that σ(H) = |Bn |2 m 32 2nm O( 2n ) , with an explicit O function, i.e that σ(H) From Bienayme-Tchebichev Theorem, we have P r |H − E(H)| ≤ αE(H) ≥ − So P r H ≥ E(H)(1 − α) ≥ − E(H) when m σ (H) α2 E (H) σ (H) α2 E (H) Therefore from Theorem we will have for all α > 0: AdvPRF ≤ α+ φ σ (H) α2 E (H) σ(H) 2/3 V (H) 1/3 =2 So if E(H) E (H) n| = O( 2mn )3/2 , and E(H) = |B 2nm , Theorem comes from Theorem With α = σ(H) E(H) 2n σ(H) 2/3 , E(H) this gives AdvPRF ≤2 φ Introducing N instead of H H is (by definition) the number of (f, g) ∈ Bn2 such that ∀i, ≤ i ≤ m, f (ai ) ⊕ g(ai ) = bi ∀i, ≤ i ≤ m, let xi = f (ai ) Let N be the number of sequences xi , ≤ i ≤ m, xi ∈ In , such that: The xi are pairwise distinct, ≤ i ≤ m The xi ⊕ bi are pairwise distinct, ≤ i ≤ m We see that H = N · |Bn |2 (Since when xi is fixed, f and g are fixed on exactly n n n (2 −1) (2 −m+1) m pairwise distinct points by ∀i, ≤ i ≤ m, f (ai ) = xi and g(ai ) = bi ⊕ xi ) σ(H) 2/3 σ(N ) 2/3 =2 (3.1) Therefore, instead E(H) E(N ) of evaluating E(H) and σ(H), we can evaluate E(N ) and σ(N ), and our aim is to prove that Thus we have AdvPRF ≤2 φ E(N ) = (2n (2n − 1) (2n − m + 1))2 and that σ(N ) 2nm E(N ) when m 2n As we will see, the most difficult part will be the evaluation of σ(N ) (We will see in Section that this evaluation of σ(N ) leads us to a purely combinatorial problem: the evaluation of values that we will call λα ) Remark: We will not it, nor need it, in this paper, but it is possible to improve slightly the bounds by using a more precise evaluation than the BienaymeTchebichev Theorem: instead of P r(|N − E(N )| ≥ tσ(N )) ≤ , t2 236 J Patarin it is possible to prove that for our variables N , and for t >> 1, we have something like this: P r(|N − E(N )| ≥ tσ(N )) ≤ t e (For this we would have to analyze more precisely the law of distribution of N : it follows almost a Gaussian and this gives a better evaluation than just the general t12 ) Computation of E(N ) Let b = (b1 , , bm ), and x = (x1 , , xm ) For x ∈ Inm , let δx = ⇔ The xi are pairwise distinct, 1≤i≤m The xi ⊕ bi are pairwise distinct, ≤ i ≤ m and δx = ⇔ δx = Let Jnm be the set of all sequences xi such that all the xi are pairwise distinct, ≤ i ≤ m Then |Jnm | = 2n (2n − 1) (2n − m + 1) and N = x∈J m δx So we have E(N ) = x∈J m E(δx ) For x ∈ Jnm , n n E(δx ) = P rb∈R Inm (All the xi ⊕ bi are pairwise distinct) = 2n (2n − 1) (2n − m + 1) 2nm Therefore E(N ) = |Jnm | · 2n (2n − 1) (2n − m + 1) (2n (2n − 1) (2n − m + 1))2 = nm 2nm as expected First Results on V (N ) We denote by V (N ) the variance of N when b ∈R Inm We have seen that our aim (cf(3.1)) is to prove that V (N ) E (N ) when m 2n (with E (N ) = (2n (2n −1) (2n −m+1))4 ) With the same notations as in Section above, N = 22nm m δx Since the variance of a sum is the sum of the variances plus the sum x∈Jn of all covariances we have: E(δx δx )−E(δx ) E(δx ) V (δx )+ V (N ) = m x∈Jn (5.1) m x,x ∈Jn x=x We will now study the terms in (5.1), i.e the terms in V (δx ), the terms in E(δx δx ) and the terms in E(δx ) E(δx ) Terms in V (δx ) V (δx ) = E(δx2 ) − (E(δx ))2 = E(δx ) − (E(δx ))2 A Proof of Security in O(2n ) for the Xor of Two Random Permutations V (δx ) = So 237 2n (2n − 1) (2n − m + 1) (2n (2n − 1) (2n − m + 1))2 − 2nm 22nm V (δx ) = m x∈Jn (2n (2n − 1) (2n − m + 1))2 (2n (2n − 1) (2n − m + 1))3 − 2nm 22nm This term is less than E(N ) and therefore is much less than E (N ) Terms in E(δx ) E(δx ) E(δx ) E(δx ) = (5.2) (2n (2n − 1) (2n − m + 1))2 22nm [2n (2n− 1) (2n − m+1) − 1][2n (2n − 1) (2n−m+1)]3 22nm E(δx )E(δx ) = m x,x ∈Jn x=x (2n (2n − 1) (2n − m + 1))4 = E (N ) 22nm Terms in E(δx δx ) Therefore the last term Am that we have to evaluate in (5.1) is Am =def E(δx δx (5.3) = m x=x x,x ∈Jn P rb∈Inm m x,x ∈Jn x=x 1≤i≤m The xi are pairwise distinct, The xi ⊕ bi are pairwise distinct, ≤ i ≤ m Let λm =def the number of sequences (xi , xi , bi ), ≤ i ≤ m such that The The The The xi are pairwise distinct, ≤ i ≤ m xi are pairwise distinct, ≤ i ≤ m xi ⊕ bi are pairwise distinct, ≤ i ≤ m xi ⊕ bi are pairwise distinct, ≤ i ≤ m We have Am = obtained: λm 2nm (5.4) Therefore from (5.1), (5.2), (5.3), (5.4), we have V (N ) ≤ E(N ) + E (N ) − We want to prove that V (N ) λm 2nm ·E (N ) = λm 2nm (5.5) E (N ) Therefore, our aim is to prove that (2n (2n − 1) (2n − m + 1))4 2nm (5.6) Change of variables Let fi = xi and gi = xi , hi = xi ⊕ bi We see that λm is also the number of sequences (fi , gi , hi ), ≤ i ≤ m, fi ∈ In , gi ∈ In , hi ∈ In , such that 238 J Patarin The The The The fi are pairwise distinct, ≤ i ≤ m gi are pairwise distinct, ≤ i ≤ m hi are pairwise distinct, ≤ i ≤ m fi ⊕ gi ⊕ hi are pairwise distinct, ≤ i ≤ m We will call these conditions 1.2.3.4 the “conditions λα ” (Examples of λm values are given in Appendix A) In order to get (5.6), we see that a sufficient condition is finally to prove that λm = m (2n (2n − 1) (2n − m + 1))4 + O( n ) 2nm (5.7) with an explicit O function So we have transformed our security proof against all CPA-2 for f ⊕ g, f, g ∈R Bn , to this purely combinatorial problem (5.7) on the λm values (We can notice that in E(N ) and σ(N ) we evaluate the values when the bi values are randomly chosen, while here, on the λm values, we not have such bi values anymore) The proof of this combinatorial property is given below and in the eprint version (Unfortunately the proof of this combinatorial property (5.7) is not obvious: we will need a few pages However, fortunately, the mathematics that we will use are simple) First Results in λα The values λα have been introduced in Section Our aim is to prove (5.7), (or k+1 something similar, for example with O( m2nk ) for any integer k) with explicit O functions For this, we will proceed like this: in this Section we will give a first evaluation of the values λα Then, in Section 7, we will prove an induction formula (7.2) on λα Finally, in the Appendices, we will use this induction formula (7.2) to get our property on λα n [2n (2n − 1) (2n − α + 1)]4 We have Uα+1 = (2 2−α) Uα Let Uα = n nα Uα+1 = 23n 1− 4α 6α2 4α3 α4 Uα + − + 2n 22n 23n 24n (6.1) Similarly, we want to obtain an induction formula on λα , i.e we want to evaluate λα+1 λα+1 Uα+1 1+ λα More precisely our aim is to prove something like this: λα = Uα O( 21n ) + O( 2α2n ) (6.2) Notice that here we have O( 2α2n ) and not O( 2αn ) Therefore we want something like this: λα+1 4α 6α2 4α3 α4 = − + − + 23n · λα 2n 22n 23n 24n + O( α ) + O( 2n ) n 2 (6.3) (with some specific O functions) Then, from (6.2) used for all ≤ i ≤ α and since λ1 = U1 = 23n , we will get λα = λα λα−1 λα−1 λ2 α λ1 = Uα + O( n ) + O( 2n ) λα−2 λ1 2 α A Proof of Security in O(2n ) for the Xor of Two Random Permutations 239 α ) as wanted Notice 2n α α that to get here 0( 2n ) we have used 0( 22n ) in (6.2) By definition λα+1 is the number of sequences (fi , gi , hi ), ≤ i ≤ α + such that we have: and therefore we will get property (5.4): λα = Uα + O( The conditions λα fα+1 ∈ / {f1 , , fα } gα+1 ∈ / {g1 , , gα } hα+1 ∈ / {h1 , , hα } fα+1 ⊕ gα+1 ⊕ hα+1 ∈ / {f1 ⊕ g1 ⊕ h1 , , fα ⊕ gα ⊕ hα } We will denote by β1 , , β4α the 4α equalities that should not be satisfied here: β1 : fα+1 = f1 , β2 : fα+1 = f2 , , β4α : fα+1 ⊕ gα+1 ⊕ hα+1 = fα ⊕ gα ⊕ hα First evaluation When fi , gi , hi values are fixed, ≤ i ≤ α, such that they satisfy conditions λα , for fα+1 that satisfy 2), we have 2n − α solutions and for gα+1 that satisfy 3) we have 2n − α solutions Now when fi , gi , hi , ≤ i ≤ α, and fα+1 , gα+1 are fixed such that they satisfy 1), 2), 3), for hα+1 that satisfy 4) and 5) we have between ) we have: 2n − α and 2n − 2α possibilities Therefore (first evaluation for λλα+1 α λα (2n − α)2 (2n − 2α) ≤ λα+1 ≤ λα (2n − α)2 (2n − α) 4α λα+1 ≤ 3n ≤ (6.4) This an approximation in O( 2αn ) and n 2 · λα α α α2 from it we get λα = Uα + O( n ) , i.e λα = Uα + O( n ) , i.e we get 2 √ security until α2 2n , i.e.√until α 2n However, we want security until α 2n and not only α 2n , so we want a better evaluation for 2λ3nα+1 ·λα (i.e we want something like (6.3) instead of (6.4)) Therefore, − An Induction Formula on λα A more precise evaluation For each i, ≤ i ≤ 4α, we will denote by Bi the set of (f1 , , fα+1 , g1 , , gα+1 , h1 , , hα+1 ), that satisfy the conditions λα and the conditions βi Therefore we have: λα+1 = 23n λα − | ∪4α i=1 Bi | We know that for any set Ai and any integer μ, we have: μ | ∪μi=1 Ai | = |Ai | − i=1 |Ai1 ∩ Ai2 | i1