Quantum key distribution or secret key distribution (SKD) has been studied to deliver a secret key for secure communications, whose security is physically guaranteed. For practical deployment, such systems are desired to be overlaid onto existing wavelength-multiplexing transmission systems, without using a dedicated transmission line. This study analytically investigates the feasibility of the intensity-modulation/direct-detection (IM/DD) SKD scheme being wavelength-multiplexed with conventional wavelength-division-multiplexed (WDM) signals, concerning spontaneous Raman scattering light from conventional optical signals. Simulation results indicate that IM/DD SKD systems are not degraded when they are overlaid onto practically deployed dense WDM transmission systems in the C-band, owing to the feature of the IM/DD SKD scheme, which uses a signal light with an intensity level comparable to conventional optical signals, unlike conventional quantum key distribution schemes.
Kaoru TAKEMURE Yusuke SAKAI Bagus SANTOSO Goichiro HANAOKA Kazuo OHTA
Most aggregate signature schemes rely on pairings, but high computational and storage costs of pairings limit the feasibility of those schemes in practice. Zhao proposed the first pairing-free aggregate signature scheme (AsiaCCS 2019). However, the security of Zhao's scheme is based on the hardness of a newly introduced non-standard computational problem. The recent impossibility results of Drijvers et al. (IEEE S&P 2019) on two-round pairing-free multi-signature schemes whose security is based on the standard discrete logarithm (DL) problem have strengthened the view that constructing a pairing-free aggregate signature scheme which is proven secure based on standard problems such as the DL problem is indeed a challenging open problem. In this paper, we offer a novel solution to this open problem. We introduce a new paradigm of aggregate signatures, i.e., aggregate signatures with an additional pre-communication stage. In the pre-communication stage, each signer interacts with the aggregator to agree on a specific random value before deciding messages to be signed. We also discover that the impossibility results of Drijvers et al. take effect if the adversary can decide the whole randomness part of any individual signature. Based on the new paradigm and our discovery of the applicability of the impossibility result, we propose a pairing-free aggregate signature scheme such that any individual signature includes a random nonce which can be freely generated by the signer. We prove the security of our scheme based on the hardness of the standard DL problem. As a trade-off, in contrast to the plain public-key model, which Zhao's scheme uses, we employ a more restricted key setup model, i.e., the knowledge of secret-key model.
Zheng WAN Kaizhi HUANG Lu CHEN
In this paper, a deep learning-based secret key generation scheme is proposed for FDD multiple-input and multiple-output (MIMO) systems. We built an encoder-decoder based convolutional neural network to characterize the wireless environment to learn the mapping relationship between the uplink and downlink channel. The designed neural network can accurately predict the downlink channel state information based on the estimated uplink channel state information without any information feedback. Random secret keys can be generated from downlink channel responses predicted by the neural network. Simulation results show that the deep learning-based SKG scheme can achieve significant performance improvement in terms of the key agreement ratio and achievable secret key rate.
Qiuhua WANG Mingyang KANG Guohua WU Yizhi REN Chunhua SU
Secret key generation based on channel characteristics is an effective physical-layer security method for 5G wireless networks. The issues of how to ensure a high key generation rate and correlation of the secret key under active attack need to be addressed. In this paper, a new practical secret key generation scheme with high rate and correlation is proposed. In our proposed scheme, Alice and Bob transmit independent random sequences instead of known training sequences or probing signals; neither Alice nor Bob can decode these random sequences or estimate the channel. Users' random sequences together with the channel effects are used as a common random source to generate the secret key. With this solution, legitimate users are able to share secret keys with sufficient length and high security under active attack. We evaluate the proposed scheme through both analytic and simulation studies. The results show that our proposed scheme achieves a high key generation rate and key security, and is suitable for 5G wireless networks with resource-constrained devices.
Takayuki SHIMIZU Hisato IWAI Hideichi SASAOKA
We consider secret key agreement for multiple terminals based on radio propagation characteristics in a wireless relaying system where more than two terminals communicate with each other via a relay. In this system, the multiple terminals share a common secret key generated from their radio propagation characteristics with the help of the relay in the presence of an eavesdropper. In this paper, we present three secret key agreement schemes: an amplify-and-forward (AF) scheme, a signal-combining amplify-and-forward (SC-AF) scheme, and a multiple-access amplify-and-forward (MA-AF) scheme. The key idea of these schemes is that each terminal shares the fading coefficients between all terminals and the relay, and uses them as the source of a secret key. The AF scheme is based on a conventional amplify-and-forward two-way relaying method, whereas in the SC-AF scheme and the MA-AF scheme, we apply the idea of analog network coding to secret key agreement. We analyze eavesdropping strategies and show that the AF scheme is not secure if the eavesdropper is located near the relay and can receive signals from the relay without multipath fading and noise. Simulation results show that the SC-AF and MA-AF schemes are effective.
We investigate the secret key agreement from correlated Gaussian sources in which the legitimate parties can use the public communication with limited rate. For the class of protocols with the one-way public communication, we show a closed form expression of the optimal trade-off between the rate of key generation and the rate of the public communication. Our results clarify an essential difference between the key agreement from discrete sources and that from continuous sources.
Shun WATANABE Ryutaroh MATSUMOTO Tomohiko UYEMATSU
Privacy amplification is a technique to distill a secret key from a random variable by a function so that the distilled key and eavesdropper's random variable are statistically independent. There are three kinds of security criteria for the key distilled by privacy amplification: the normalized divergence criterion, which is also known as the weak security criterion, the variational distance criterion, and the divergence criterion, which is also known as the strong security criterion. As a technique to distill a secret key, it is known that the encoder of a Slepian-Wolf (the source coding with full side-information at the decoder) code can be used as a function for privacy amplification if we employ the weak security criterion. In this paper, we show that the encoder of a Slepian-Wolf code cannot be used as a function for privacy amplification if we employ the criteria other than the weak one.
Differential-phase-shift (DPS) quantum key distribution (QKD) is one scheme of quantum key distribution whose security is based on the quantum nature of lightwave. This protocol features simplicity, a high key creation rate, and robustness against photon-number-splitting attacks. We describe DPS-QKD in this paper, including its setup and operation, eavesdropping against DPS-QKD, system performance, and modified systems to improve the system performance.
Jun MURAMATSU Kazuyuki YOSHIMURA Peter DAVIS
Secret key agreement is a procedure for agreeing on a secret key by exchanging messages over a public channel when a sender, a legitimate receiver (henceforth referred to as a receiver), and an eavesdropper have access to correlated sources. Maurer [6] defined secret key capacity, which is the least upper bound of the key generation rate of the secret key agreement, and presented an upper and a lower bound for the secret key capacity. The advantage distillation capacity is introduced and it is shown that this quantity is equal to the secret key capacity. Naive information theoretical expressions of the secret key capacity and the advantage distillation capacity are also presented. An example of correlated sources, for which an analytic expression of the secret key capacity can be obtained, is also presented.
This paper deals with a secret key agreement problem from correlated random numbers. It is proved that there is a pair of linear matrices that yields a secret key agreement in the situation wherein a sender, a legitimate receiver, and an eavesdropper have access to correlated random numbers. A relation between the coding problem of correlated sources and a secret key agreement problem from correlated random numbers is also discussed.
Kouya TOCHIKUBO Tomohiko UYEMATSU Ryutaroh MATSUMOTO
This letter deals with the common randomness problem formulated by Ahlswede and Csiszar. Especially, we consider their source-type models without wiretapper for ergodic sources, and clarify the secret key-capacity by using the bin coding technique proposed by Cover.
Takaaki MIZUKI Takao NISHIZEKI
Suppose that there are players in two hierarchical groups and a computationally unlimited eavesdropper. Using a random deal of cards, a player in the higher group wishes to send a one-bit message information-theoretically securely either to all the players in her group or to all the players in the two groups. This can be done by the so-called 2-level key set protocol. In this paper we give a necessary and sufficient condition for the 2-level key set protocol to succeed.
Tomohiro SUGIMOTO Kouichi YAMAZAKI
We show some numerical results of computer simulations of secret key reconciliation (SKR) protocol "Cascade" and clarify its properties. By using these properties, we propose to improve the protocol performance on the number of publicly exchanged bits which should be as few as possible.
Takaaki MIZUKI Zhi-Bo SUI Hiroki SHIZUYA Takao NISHIZEKI
Designing a protocol to exchange a secret key is one of the most fundamental subjects in cryptography. Using a random deal of cards, pairs of card players (agents) can share secret keys that are information-theoretically secure against an eavesdropper. A key set protocol, which uses a random deal of cards, can perform an Eulerian secret key exchange, in which the pairs of players sharing secret keys form an Eulerian circuit passing through all players. Along the Eulerian circuit any designated player can send a message to the rest of the players and the message can be finally sent back to the sender. Checking the returned message with the original one, the sender can know whether the message circulation has not been influenced by a possible single transmission error or false alteration. It has been known that any Eulerian circuit formed by the protocol has length at most (3/2)k, where k is the number of players. Note that the length corresponds to the time required to send the message to all players and acknowledge the secure receipt. In this paper, we show that the average length of Eulerian circuits is approximately k + ln k.
Yasushi NAKAO Toshinobu KANEKO Kenji KOYAMA Routo TERADA
The RDES cryptosystem is an n-round DES in which a probabilistic swapping is added onto the right half of the input in each round. It is more effective than a simple increase of DES rounds as a countermeasure against differential attack. In this paper, we show that the RDES is also effective against linear cryptanalysis. We applied Matsui's search algorithm to find the best expression for RDES-1 and RDES-2. The results are as follows: (a) The 16-round RDES-1 is approximately as strong as a 22-round DES, and the 16-round RDES-2 is approximately as strong as a 29-round DES. (b) Linear cryptanalysis for a 16-round RDES-1 and a 16-round RDES-2 requires more than 2^64 known-plaintexts.
Toshinobu KANEKO Kenji KOYAMA Routo TERADA
This paper proposes a dynamically randomized version of DES (called RDES) in which an input-dependent swapping Sk(X) is added onto the right half of the input in each round of DES. This new scheme decreases the probability of success in differential cryptanalysis because it decreases the characteristic probability. Each "best" two-round characteristic probability is analyzed for typical schemes of the RDES: (i) RDES-1 with a simple one-level swapping, (ii) RDES-1' with an optimal one-level swapping, (iii) RDES-2 with a simple two-level swapping, and (iv) RDES-2' with an optimal two-level swapping. The main results are as follows. (a) The differential attacks on the 16-round RDES-1' and the 16-round RDES-2 require more computational time than the exhaustive search. (b) A differential attack is substantially inapplicable to the 16-round RDES-2' because more than 2^63 chosen plaintext pairs are required. (c) The encryption/decryption speed of the n-round RDES is almost the same as that of the n-round DES.