Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Leonid Reyzin Boston University Adam Smith Weizmann  IPAM  Penn State Robust Fuzzy Extractors & Authenticated Key Agreement from Close Secrets Yevgeniy.

Published byBathsheba Stevenson Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Leonid Reyzin Boston University Adam Smith Weizmann  IPAM  Penn State Robust Fuzzy Extractors & Authenticated Key Agreement from Close Secrets Yevgeniy."— Presentation transcript:

1 1 Leonid Reyzin Boston University Adam Smith Weizmann  IPAM  Penn State Robust Fuzzy Extractors & Authenticated Key Agreement from Close Secrets Yevgeniy Dodis New York University Jonathan Katz University of Maryland

2 2 setting 1: info-theoretic key agreement Allen Bonnie w not uniform Goal: from a nonuniform secret w agree on a uniform secret R No secure channel (else, trivial) Eve (e.g., knows something about it) Simple solution: use an extractor w R Ext seed i i w R Ext i w R i uniform jointly uniform minentropy m uniform Problem 1: What if Eve is active? i’i’ i Need robustness Problem 2: What if w is noisy? Need fuzziness w w’w’ i’i’ R’R’  i w’w’ R (if w  w ’ )

3 3 need: robust fuzzy extractor Extraction: generate uniform R from w (+ seed i ) Fuzziness: reproduce R from P and w ’  w Robustness: as long as w ’  w, if Eve( P ) produces P  P (with 1  negligible probability over w & coins of Rep, Eve) w R Gen P R Rep w’w’ P i P  w’w’ ~ ~ Fuzzy Extractor [Dodis, Ostrovsky, R., Smith] uniform even given P

4 4 setting 1: info-theoretic key agreement Allen Bonnie Eve P w w’w’ P ~ w R i P Gen Rep w’w’ R if P = P P ~  o/w ~  use R for encryption, MAC, etc. Previously considered: If w = w ’, or if w, w ’ and Eve’s info come from repeated i.i.d. [Maurer, Renner, Wolf in several papers] Using random oracles [Boyen, Dodis, Katz, Ostrovsky, Smith] Interactive (more than one message): [MR,W,RW – limits on errors] [BDKOS – computational security, using PAK]

5 5 setting 2: noisy secret keys User has: noisy key w (e.g., biometric) Next time: needs same R (to decrypt disk, …) Same problem as before, but noninteractivity essential! w R Gen P i use to encrypt disk, derive (SK, PK), sign messages,... P R Rep w’w’ no trusted storage ~ ~ various bad effects, depending on use of R if P  P,  o/w ~

6 6 Idea 0: w R Ext i MAC building robust fuzzy extractors  P = (i,  ) Key??? R ? But if i changes  R changes Circularity! i extracts from w w authenticates i

7 7 building robust fuzzy extractors Notation: |w| = n, H  (w) = m, “entropy gap” n  m = g Maurer-Wolf construction: a b c w = n/3  +  = bi + c i  R = [ai] 1  -secure if n/3 > g + loga 11  -uniform if n/3 > + g + 2 loga 11 i,i, P Extract m  2n/3

8 8 building robust fuzzy extractors Notation: |w| = n, H  (w) = m, “entropy gap” n  m = g Maurer-Wolf construction: a b c w = n/3  +  = bi + c i Extract m  2n/3 a b w = nvnv v i  R = [ai] 1 +  = [ai] 1 + b v Our construction: jointly  -uniform if v > g + 2 loga 11 Extract n  2g = 2(m  n/2) 11  -secure if v > g + log  R = [ai] v +1 nvnv

9 9 building robust fuzzy extractors a b w = nvnv v i +  = [ai] 1 + b v Our construction: jointly  -uniform if v > g + 2 loga 11 Extract n  2g = 2(m  n/2) 11  -secure if v > g + log  R = [ai] v +1 nvnv

10 10 building robust fuzzy extractors a b w = nvnv v i +  = [ai] 1 + b v Our construction: jointly  -uniform if v > g + 2 loga 11 Extract n  2g = 2(m  n/2) 11  -secure if v > g + log  R = [ai] v +1 nvnv Analysis: Extraction: (R,  )=ai + b is a universal hash family (few collisions) ( i is the key, w = (a, b) is the input) Robustness:  = [ai] 1 + b is strongly universal (2-wise indep.) ( w = (a, b) is the key, i is the input) v [ok by leftover hash lemma] [ok by Maurer-Wolf]

11 11 aside: strongly universal  MAC Suppose MAC w ( ) is pairwise independent:  i, j (if 2 n keys w, then each square contains 2 n /V 2 = 2 n  2v of them)...... 11 22 VV 33...... 33 w 13 w 23 wV3wV3 w 33...... VV w1Vw1V w2Vw2V w VV w3Vw3V... … … … … …...... 22 w 12 w 22 wV2wV2 w 32...... 11 w 11 w 21 wV1wV1 w 31 MAC w (i) MAC w (j) Eve sees  3 = MAC w (i) guesses  2 = MAC w (j) w 23 has 2 n  2v keys, each has prob. 2 v  m, so Pr[ success ] = 2 n  m  v = 2 g  v Notation: n = |w| m = H  (w) g = n  m v = |  | V = 2 v

12 12 building robust fuzzy extractors a b w = nvnv v i +  = [ai] 1 + b v Our construction: Extract n  2g = 2(m  n/2)  R = [ai] v +1 nvnv m > n/2 is necessary [Dodis-Spencer] before: needed m >2 n/3 ( also extracted fewer bits) w R Ext i MAC  P = (i,  ) key ?

13 13 tool: secure sketch [DORS] Compute k -bit sketch S(w) Recover w from S(w) and w ’  w For Hamming metric, S(w) can be a linear function (simply syndrome(w) in an [n, n  k, 2 t +1 ] 2 code) w S(w)S(w) S S(w)S(w) w Rec w’w’

14 14 building robust fuzzy extractors w P = (i, s,  ) R Ext i MAC  key S s How to MAC long messages?  = [a 2 s + ai] 1 + b (recall w = a|b ) v = MAC w (i, s) R Ext i Ver (  ) ok/  key w Rec s s w’w’ ~ ~ ~ ~ ~ key How to Rep ~ ~ oops…

15 15 the MAC problem  = MAC w (i, s) = [ (recall w = a|b ) i,i, Ver (  ) ok/  w Rec s s w’w’ ~ ~ ~ Authentication: Verification: Problem: circularity (MAC key depends on s, which is being authenticated by the MAC) ~ ~ a5+a5+ Hard to forge for any fixed  w Observe: knowing ( w ’  w and s  s )  w  w =  w Need:   w, given MAC w (i, s), hard to forge MAC w +  w (i, s) ~ ~ v a 2 s + ai] 1 + b

16 16 building robust fuzzy extractors w P = (i, s,  ) R Ext i MAC  key S s = MAC w (i, s) Recall: without errors, extract n  2g = m  g Problem: s reveals k bits about w  m decreases, g increases  ``lose 2k Can’t avoid decreasing m, but can avoid increasing g s = S(w) is linear. Let c = S  (w). | c|=|w|  k, but c has same entropy as w|s. Use c instead of w. c c

17 17 the bottom line Result for with t Hamming errors: given [n, n  k, 2 t +1 ] 2 linear code, extract 2(m  n/2)  k  2b bits ( b = log Vol(Ball(t)) < t log n ) 22 w w’w’ Result for with t set difference errors: ( w is a subset of a universe of size 2  ) extract 2(m  n/2)  3t  bits (uses BCH-based PinSketch of [DORS])

18 18 single user setting, revisited User has: noisy key w (e.g., biometric) Next time: needs same R (to decrypt disk, …) w R Gen P i use to encrypt disk, derive (SK, PK), sign messages,... P R Rep w’w’ ~ ~ if P  P,  o/w ~ But Eve sees effects of R (e.g., disk encrypted with R ) before coming up with P New, stronger robustness notion: allow Eve to see (P, R) “post-application” (vs. “pre-application”) robustness Our constructions work, but only extract 1/3 the bits ~

19 19 application to bounded storage model Alice (sk) Bob (sk) Eve P w sk w ’ sk P ~ w R i P Gen Rep w’w’ R if P = P P ~  o/w ~ HUGE X (Eve can’t store all of it) doesn’t know sk, hence w has entropy Lots of prior work [Maurer,Cachin,Dziembowski,Aumann,Ding,Rabin,Lu,Vadhan,…] Noisy case: [Ding, Dodis-Smith] —stateful A&B, or passive Eve Use robust fuzzy extractors: stateless A&B, active Eve But parameters not great—better solution? Yes: in this special case, A&B have sk

20 20 need: keyed robust fuzzy extractor Extraction: generate uniform R from w (+ seed i ) Fuzziness: reproduce R from P and w ’  w Robustness: as long as w ’  w, if Eve( P ) produces P  P Crucial: sk must be reusable w R Gen P R Rep w’w’ P i  ~ ~ sk P Rep w’w’ sk

21 21 building keyed robust fuzzy extractors w P = (i, s,  ) R Ext i MAC  key sk S s = MAC sk (i, s Problem: sk is not reusable Need: sk is random even given  Idea: use a MAC that is also an extractor i, s  Ext/MAC “seed” sk jointly uniform need entropy w,w, ), w Ext/ MAC

22 22 building extractor MACs Idea 1: use pairwise-independent hashing –Both good MAC and good extractor, but long sk  Ext/MAC seed/key sk unforgeable input m jointly uniform (note: unlike extractors, want short outputs  ) sk 1 input m sk 2  almost universal (few collisions) 2-wise indep. Idea 2 (modifying Srinivasan-Zuckerman): O(loga + log a + log n) 11 11 1+ log 11 |sk|=

23 23 conclusions Keyless robust fuzzy extractors –errorless case: previously |R| = m  2n/3, we |R| = 2(m  n/2) ( m > n/2 is minimum possible) –case with errors: previously only with random oracles, we solve Hamming distance and set difference without r.o. –new definition: post-application robustness, constructions that satisfy it Keyed case –Useful new notion: extractor-MAC –Application to stateless, active-attack-resistant, BSM with errors (previously stateful or passive attack only)

24 24 Thank you! obligatory clip art

Download ppt "1 Leonid Reyzin Boston University Adam Smith Weizmann  IPAM  Penn State Robust Fuzzy Extractors & Authenticated Key Agreement from Close Secrets Yevgeniy."

Similar presentations

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.

Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
Strong Key Derivation from Biometrics

Strong Key Derivation from Biometrics
1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.
Fuzzy Stuff 6.857 Lecture 24, 2006. Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.

Fuzzy Stuff Lecture 24, Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Serge Fehr & Christian Schaffner CWI Amsterdam, The Netherlands 1 Randomness Extraction via ± -Biased Masking in the Presence of a Quantum Attacker TCC.

Serge Fehr & Christian Schaffner CWI Amsterdam, The Netherlands 1 Randomness Extraction via ± -Biased Masking in the Presence of a Quantum Attacker TCC.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Fuzzy extractor based on universal hashes

Fuzzy extractor based on universal hashes
New Bounds for PMAC, TMAC, and XCBC Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University Fast Software Encryption 2007, March 26-28,

New Bounds for PMAC, TMAC, and XCBC Kazuhiko Minematsu and Toshiyasu Matsushima, NEC Corp. and Waseda University Fast Software Encryption 2007, March 26-28,
 Secure Authentication Using Biometric Data Karen Cui.

 Secure Authentication Using Biometric Data Karen Cui.

Similar presentations

Ads by Google