Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fuzzy extractor based on universal hashes

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Fuzzy extractor based on universal hashes"— Presentation transcript:

1 Fuzzy extractor based on universal hashes
Part 1: Fuzzy extractor based on universal hashes Part 2: Simplification of Controlled PUF primitives Dagstuhl, July 6-8, 2009

2 Part 1: Fuzzy extractor based on universal hashes
BŠ and Pim Tuyls

3 Fuzzy Extractor / Helper Data scheme
Dodis et al. 2003 Juels+Wattenberg 1999 Linnartz+Tuyls 2003 noisy Properties Secrecy and uniformity: Δ(WS; WU) ≤ ε. "S given W is almost uniform" Error correction: If X' sufficiently close to X, then S'=S. Robustness [Boyen et al. 2005]: Detection of active attack against W Applications privacy preserving biometrics anti-counterfeiting ("object biometrics") PUF-based key storage

4 Fuzzy Extractor: Efficiency
noisy What's so special? Redundancy data (in W) must not leak info about secret S. Make near-uniform S from non-uniform X. How to authenticate W when there is no PKI? "Efficiency" Extract as many reproducible bits from X as possible. Low storage requirements. Small computational load.

5 x x' Limited noise Common class of noise
Example Common class of noise Considerable prob. that x' ≠ x. Small number of likely x'. x x' Problematic for error correcting codes Most codes work best with low error rate Cannot exploit non-uniform error patterns (low entropy of errors) Entropy loss.

6 Def: δ-almost universal hash functions Fr. For fixed x and x':
Fr with random r L bits Def: δ-almost universal hash functions Fr. For fixed x and x': Not a cryptographic hash Main purpose: uniformity Light-weight implementation in hardware and software. Information-theoretic properties. Does not rely on unproven security assumptions

7 Fuzzy Extractor based on universal hash functions
p q r Publicly stored enrolment data: p,q,r,w, m:=MAC(v; pqrw) attack p', q', r', w', m' redundancy for error correction MAC key secret key Key reconstruction procedure Measure x'. Read p', q', r', w', m'. Make list L of likely candidates. Must be manageable! Find x in L such that Ψp'(x)=w'. Sort of Slepian-Wolf Compute v'=Γq'(x). Check if MAC(v'; p'q'r'w')=m'. If okay, reconstruct secret s=Φr'(x).

8 Robustness: KMS-MAC Theorem: If then Δ(PQRWM S; PQRWM U) ≤ ε . Robustness Ordinary MAC insufficient MAC with Key Manipulation Security? [Cramer et al, Eurocrypt 2008] Assumes strong attacker. Key Linearity: ΔK = known function of w and modified w'. We do not have the linearity property! (Also the case for other types of helper data.) Effect of modifying helper data unknown to attacker. KMS-MAC is overkill.

9 Simplification of Controlled PUF primitives
Part 2: Simplification of Controlled PUF primitives BŠ and Marc X. Makkes Eindhoven University of Technology

10 CPUF protocols Controlled PUFs (CPUFs) PUF shielded from the outside world by control layer control layer restricts PUF input & output more secure than "bare" PUF Protocols exploiting large number of Challenge-Response Pairs Gassend et al 2002, 2007, 2008 Each user has shared secret (CRP) with CPUF Symmetric crypto Certified Execution, Proof of Execution, key renewal, ... Presented as API code Self-referential 'hash blocks'

11 Self-referential use of program hashes
E-Proof generation: computes a hash over the hash block

12 Simplification Avoid hashes of control layer code Flowchart notation Basically the same protocols; minor modifications Helper data explicitly visible

13 Some wise concluding remarks
Boris: None of this is rocket science, and the results are far from spectacular ... so I will not complain if you don't put any of this in the schedule. Ahmad: (...) And we do not need rocket science. By the way, rocket science is very easy, this is a fairy-tale that rocket science is difficult. You buy some explosive powder and some metal container and you put them together.

Download ppt "Fuzzy extractor based on universal hashes"

Similar presentations

Many personal devices have rich set of capabilities: sensors, communication, computing power and data storage, and they are personal. Potentially they.

Many personal devices have rich set of capabilities: sensors, communication, computing power and data storage, and they are personal. Potentially they.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Strong Key Derivation from Biometrics

Strong Key Derivation from Biometrics
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Security with Noisy Data Boris Škorić TU Eindhoven Ei/Ψ anniversary, 24 April 2009 1.

Security with Noisy Data Boris Škorić TU Eindhoven Ei/Ψ anniversary, 24 April
Physical Unclonable Functions and Applications

Physical Unclonable Functions and Applications
1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas.

1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas.
White-Box Cryptography

White-Box Cryptography
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Fuzzy Stuff 6.857 Lecture 24, 2006. Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.

Fuzzy Stuff Lecture 24, Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Sheng Xiao, Weibo Gong and Don Towsley,2010 Infocom.

Sheng Xiao, Weibo Gong and Don Towsley,2010 Infocom.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on.

Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on.
Anonymous Biometrics: Privacy Protection of Biometric Templates Pim Tuyls, E. Verbitskiy, D. Denteneer, J.P. Linnartz, J. Goseling, T. Ignatenko

Anonymous Biometrics: Privacy Protection of Biometric Templates Pim Tuyls, E. Verbitskiy, D. Denteneer, J.P. Linnartz, J. Goseling, T. Ignatenko
 Secure Authentication Using Biometric Data Karen Cui.

 Secure Authentication Using Biometric Data Karen Cui.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

Similar presentations

Ads by Google