Strengthening key agreement using hard-core sets

Given an authentic communication channel, a key agreement protocol enables two parties to obtain a common bit string (the key), such that an eavesdropper does not have any information about it, even if he observes the whole communication. While no such protocol is secure in an information theoretic sense, it seems possible to give a key agreement protocol which is secure against eavesdroppers which do not have exceedingly large computational power. In fact, many protocols which promise to achieve such computational security are used in practice today. This holds even though no such protocol has been proven secure. Instead, the security of such a protocol is based on an unproven, but plausible assumption. The goal of this thesis is to construct a computationally secure key agreement protocol whose security is based on an assumption which is as weak as possible. The assumption we use is the existence of a “weak key agreement protocol”. Such a protocol works partially: in some executions the honest parties get the same key, but sometimes their respective keys differ. Furthermore, in some cases the resulting key is secret, while sometimes information about the key is leaked to an eavesdropper. We then strengthen such a protocol; i.e., we make it both secret and correct. In order to simplify the study, we restrict the given weak key agreement protocol to yield a single key bit. To strengthen a weak key agreement protocol, we proceed in two steps. In a first step, we solve a related, completely information theoretic problem. More concretely we assume that some trusted source distributes random variables to the honest parties and to an eavesdropper according to a fixed and commonly known distribution. We then study whether the honest parties can use this randomness in order to obtain an information theoretically secure key. Such information theoretic key agreement from correlated information is a problem which has been studied before. It is interesting in its own right, and we look at it in some depth. In a second step we show that certain protocols for the information theoretic setting we described can be used in the computational setting as well. Thus, we first use the weak key agreement protocol to obtain