
Cryptography with imperfect randomness

Posted on: 2012-04-27
Degree: Ph.D
Type: Thesis
University: Boston University
Candidate: Kanukurthi, Bhavana Rukmini
Full Text: PDF
GTID: 2458390008992321
Subject: Computer Science
Abstract/Summary:
Cryptographic protocols, though used in a wide range of everyday tasks, are typically built for certain unrealistic ideal conditions in which the user is assumed to work. For example, one such condition that is implicitly assumed is that the user has perfect randomness that she can use as her cryptographic secret key. Another commonly made assumption is that the user runs her cryptographic tasks (such as encryption) on a device that is perfectly secure; that is, its internals are not tampered with or even observed by an adversary.

In this thesis, we focus on designing cryptographic techniques that are secure under less-than-ideal conditions. In order to remove the assumption that users share perfectly random secret keys, we study the problem of "privacy amplification": key agreement between two parties who both know a weak secret w, such as a password. The goal of the protocol is to convert this non-uniform secret w into a uniformly distributed string R that is fully secret from the adversary. R may then be used as a key for running symmetric cryptographic protocols (such as encryption or authentication). Because we make no computational assumptions, the entropy in R can come only from w. Thus such a protocol must minimize the entropy loss during its execution, so that R is as long as possible. In this thesis, we present the first protocol for information-theoretic key agreement that has entropy loss linear in the security parameter. The result is optimal up to constant factors. We also extend our results to the case where the users share correlated secrets w and w'. This setting occurs, for example, when the secrets are biometric readings taken at different points of time and is more generally known as "information-reconciliation".

Keywords/Search Tags: Secret, Cryptographic