Transcript scws3 6769

Robust Fuzzy Extractors & Authenticated Key Agreement from Close Secrets

Yevgeniy Dodis (New York University), Jonathan Katz (University of Maryland),
Leonid Reyzin (Boston University), Adam Smith (Weizmann / IPAM / Penn State)

setting 1: info-theoretic key agreement

[Figure: Allen holds $w$, Bonnie holds $w' \approx w$; each applies $\mathrm{Ext}$ with the same public seed $i$; Allen gets $R$, Bonnie gets $R' \neq R$ if $w' \neq w$.]

Goal: from a nonuniform secret $w$ (e.g., Eve knows something about it; $w$ has min-entropy $m$), agree on a uniform secret $R$.
No secure channel (else, trivial).
Simple solution: use an extractor: $R = \mathrm{Ext}(w; i)$ for a random public seed $i$; then $(R, i)$ is jointly uniform.
Problem 1: What if Eve is active? Need robustness.
Problem 2: What if $w$ is noisy ($w' \approx w$ but $w' \neq w$)? Need fuzziness.

need: robust fuzzy extractor

Fuzzy Extractor [Dodis, Ostrovsky, R., Smith]:
• Extraction: $\mathrm{Gen}(w; i) \to (R, P)$ generates uniform $R$ from $w$ (+ seed $i$); $R$ is uniform even given $P$.
• Fuzziness: $\mathrm{Rep}(w', P) = R$ reproduces $R$ from $P$ and $w' \approx w$.
• Robustness: as long as $w' \approx w$, if Eve($P$) produces $\tilde P \neq P$ then $\mathrm{Rep}(w', \tilde P) = \bot$ (with $1 -$ negligible probability over $w$ and the coins of Rep, Eve).

setting 1: info-theoretic key agreement

[Figure: Allen computes $(R, P) = \mathrm{Gen}(w; i)$ and sends $P$; Eve may replace it by $\tilde P$; Bonnie ($w' \approx w$) computes $\mathrm{Rep}(w', \tilde P)$, which is $R$ if $\tilde P = P$ and $\bot$ otherwise. Use $R$ for encryption, MAC, etc.]

Previously considered:
• If $w = w'$, or if $w$, $w'$ and Eve's info come from repeated i.i.d. samples [Maurer, Renner, Wolf in several papers]
• Using random oracles [Boyen, Dodis, Katz, Ostrovsky, Smith]
• Interactive (more than one message): [MR, W, RW – limits on errors]; [BDKOS – computational security, using PAK]

setting 2: noisy secret keys

• User has: noisy key $w$ (e.g., biometric); computes $(R, P) = \mathrm{Gen}(w; i)$ and uses $R$ to encrypt disk, derive (SK, PK), sign messages, ...
• Next time: needs same $R$ (to decrypt disk, ...): $\mathrm{Rep}(w', \tilde P) = R$ if $\tilde P = P$, $\bot$ otherwise.
• No trusted storage for $P$: if a modified $\tilde P$ is not rejected, various bad effects follow, depending on the use of $R$.
• Same problem as before, but noninteractivity essential!

building robust fuzzy extractors

Idea 0: $R = \mathrm{Ext}(w; i)$, $\sigma = \mathrm{MAC}_{\text{key}???}(i)$, $P = (i, \sigma)$.
Key $= R$? But if $i$ changes $\Rightarrow$ $R$ changes.
Circularity! $i$ extracts from $w$; $w$ authenticates $i$.

building robust fuzzy extractors

Notation: $|w| = n$, $H_\infty(w) = m$, "entropy gap" $n - m = g$.

Maurer-Wolf construction: $w = a|b|c$ with $|a| = |b| = |c| = n/3$.
$R = [ai]_1^{\ell}$ (the first $\ell$ bits of the product $ai$ in $GF(2^{n/3})$), $\sigma = bi + c$, $P = (i, \sigma)$.
Extracts $m - 2n/3$ bits:
• $R$ is $\varepsilon$-uniform if $n/3 > \ell + g + 2\log(1/\varepsilon)$
• $\delta$-secure (forgery probability at most $\delta$) if $n/3 > g + \log(1/\delta)$

building robust fuzzy extractors

Our construction: $w = a|b$ with $|a| = n - v$, $|b| = v$.
$R = [ai]_{v+1}^{\,n-v}$, $\sigma = [ai]_1^{v} + b$, $P = (i, \sigma)$ (product $ai$ in $GF(2^{n-v})$).
Extracts $n - 2g = 2(m - n/2)$ bits:
• $(R, \sigma)$ jointly $\varepsilon$-uniform if $v > g + 2\log(1/\varepsilon)$
• $\delta$-secure if $v > g + \log(1/\delta)$
(Maurer-Wolf, for comparison: $w = a|b|c$, $R = [ai]_1^{\ell}$, $\sigma = bi + c$, extracts $m - 2n/3$ bits.)

building robust fuzzy extractors

Our construction (as above): $w = a|b$, $R = [ai]_{v+1}^{\,n-v}$, $\sigma = [ai]_1^{v} + b$, $P = (i, \sigma)$.
Analysis:
• Extraction: $(R, \sigma) = ai + b$ is a universal hash family (few collisions) ($i$ is the key, $w = (a, b)$ is the input) [ok by leftover hash lemma]
• Robustness: $\sigma = [ai]_1^{v} + b$ is strongly universal (2-wise indep.) ($w = (a, b)$ is the key, $i$ is the input) [ok by Maurer-Wolf]

aside: strongly universal $\Rightarrow$ MAC

• Suppose $\mathrm{MAC}_w(\cdot)$ is pairwise independent: for all $i \neq j$, $(\mathrm{MAC}_w(i), \mathrm{MAC}_w(j))$ is uniform over $w$.
Notation: $n = |w|$, $m = H_\infty(w)$, $g = n - m$, $v = |\sigma|$, $V = 2^v$.
Arrange the keys in a $V \times V$ grid, key $w$ in row $\mathrm{MAC}_w(j)$ and column $\mathrm{MAC}_w(i)$ (squares $w_{11}, w_{12}, \dots, w_{VV}$): if there are $2^n$ keys $w$, each square contains $2^n / V^2 = 2^{n-2v}$ of them.
• Eve sees $\sigma_3 = \mathrm{MAC}_w(i)$ and guesses $\sigma_2 = \mathrm{MAC}_w(j)$: she succeeds iff $w$ lies in square $w_{23}$.
• $w_{23}$ has $2^{n-2v}$ keys, each with prob. $2^{v-m}$ (conditioned on the observed $\sigma_3$), so $\Pr[\text{success}] = 2^{n-2v} \cdot 2^{v-m} = 2^{n-m-v} = 2^{g-v}$.

building robust fuzzy extractors

Our construction (as above): $w = a|b$, $R = [ai]_{v+1}^{\,n-v}$, $\sigma = [ai]_1^{v} + b$, $P = (i, \sigma)$.
$m > n/2$ is necessary [Dodis-Spencer]
before: needed $m > 2n/3$ (also extracted fewer bits)
Resolving Idea 0: $w$ is the key for both Ext and MAC: $R = \mathrm{Ext}(w; i)$, $\sigma = \mathrm{MAC}_w(i)$, $P = (i, \sigma)$.
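The errorless construction of the preceding slides, as an added example that is not part of the slides or the authors' code: $w = a|b$, $R = [ai]_{v+1}^{\,n-v}$, $\sigma = [ai]_1^{v} + b$, $P = (i, \sigma)$, with $ai$ computed in $GF(2^k)$, $k = n - v$, and $[\cdot]_1^{v}$ taken as the top $v$ bits. The parameter sizes, the reduction polynomials (the AES polynomial 0x11b for $GF(2^8)$, $x^3 + x + 1$ for $GF(2^3)$) and the sample key and seed are assumptions chosen so that everything can be checked by brute force, not for security. The two exhaustive checks on the toy field verify the two facts the analysis slide relies on, joint uniformity of $(R, \sigma)$ for a fixed nonzero seed (for uniform $w$; the leftover hash lemma handles $w$ with min-entropy $m$) and 2-wise independence of $\sigma$ in $i$, and `accepted_seed_substitutions` counts how many substituted seeds Rep accepts together with the genuine tag: exactly $2^{k-v} - 1$, since $j \mapsto aj$ is a bijection for $a \neq 0$, which is the $2^{-v}$ forgery probability of the aside.

```python
from itertools import product


def gf2_mul(x, y, k, poly):
    """Multiply x and y in GF(2^k); poly is the irreducible modulus with bit k set."""
    r = 0
    for _ in range(k):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> k:
            x ^= poly
    return r


def split_key(w, k, v):
    """w = a|b: a is the high k bits (field element), b the low v bits (one-time pad for the tag)."""
    return w >> v, w & ((1 << v) - 1)


def hash_ai_plus_b(w, i, k, v, poly):
    """Return (sigma, R): sigma = [ai]_1^v + b (top v bits of a*i, XOR b),
    R = [ai]_{v+1}^{k} (the remaining k - v bits of a*i)."""
    a, b = split_key(w, k, v)
    prod = gf2_mul(a, i, k, poly)
    sigma = (prod >> (k - v)) ^ b
    r = prod & ((1 << (k - v)) - 1)
    return sigma, r


def gen(w, i, k, v, poly):
    """Gen(w; i) -> (R, P) with P = (i, sigma)."""
    sigma, r = hash_ai_plus_b(w, i, k, v, poly)
    return r, (i, sigma)


def rep(w, p, k, v, poly):
    """Errorless Rep(w, P~): recompute the tag under the received seed; None (bottom) on mismatch."""
    i, sigma = p
    sigma_own, r = hash_ai_plus_b(w, i, k, v, poly)
    return r if sigma_own == sigma else None


def accepted_seed_substitutions(w, i, k, v, poly):
    """Count seeds j != i that Rep accepts together with the genuine tag sigma.
    For a != 0 the map j -> a*j is a bijection of GF(2^k), so exactly 2^(k-v) seeds
    share the top v bits of a*i; 2^(k-v) - 1 of them are substitutions (Eve's odds: 2^-v)."""
    _, (_, sigma) = gen(w, i, k, v, poly)
    return sum(1 for j in range(1 << k)
               if j != i and rep(w, (j, sigma), k, v, poly) is not None)


def output_is_uniform_given_seed(k, v, poly):
    """Exhaustive: for every seed i != 0, (sigma, R) takes each of the 2^k values
    exactly 2^v times as w ranges over all 2^(k+v) keys."""
    n = k + v
    for i in range(1, 1 << k):
        counts = {}
        for w in range(1 << n):
            out = hash_ai_plus_b(w, i, k, v, poly)
            counts[out] = counts.get(out, 0) + 1
        if len(counts) != 1 << k or set(counts.values()) != {1 << v}:
            return False
    return True


def tag_is_pairwise_independent(k, v, poly):
    """Exhaustive: for every i != j, the tag pair (sigma_i, sigma_j) takes each of the
    2^(2v) values exactly 2^(n-2v) times over w, i.e. sigma is 2-wise independent in i."""
    n = k + v
    for i, j in product(range(1 << k), repeat=2):
        if i == j:
            continue
        counts = {}
        for w in range(1 << n):
            pair = (hash_ai_plus_b(w, i, k, v, poly)[0], hash_ai_plus_b(w, j, k, v, poly)[0])
            counts[pair] = counts.get(pair, 0) + 1
        if len(counts) != 1 << (2 * v) or set(counts.values()) != {1 << (n - 2 * v)}:
            return False
    return True


if __name__ == "__main__":
    K, V, POLY = 8, 4, 0x11B          # GF(2^8) with the AES polynomial; n = 12, |R| = 4 (toy sizes)
    W, I = 0b101101100101, 0x53       # constructed 12-bit key and public seed
    R, P = gen(W, I, K, V, POLY)
    print("R =", R, "P =", P, "Rep ok:", rep(W, P, K, V, POLY) == R)
    print("tag tampered ->", rep(W, (I, P[1] ^ 1), K, V, POLY))
    print("seed substitutions accepted:", accepted_seed_substitutions(W, I, K, V, POLY), "of 255")
    print("toy GF(2^3) checks:", output_is_uniform_given_seed(3, 2, 0b1011),
          tag_is_pairwise_independent(3, 2, 0b1011))
```

With $k = 8$, $v = 4$ the count comes out as 15 of 255 substituted seeds, i.e. $2^{-v}$ of them, matching the $2^{g-v}$ bound of the aside at $g = 0$; a real instantiation needs $v > g + \log(1/\delta)$ with $n$ in the hundreds of bits.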

tool: secure sketch [DORS]

• Compute $k$-bit sketch $S(w)$
• Recover $w$ from $S(w)$ and $w' \approx w$: $\mathrm{Rec}(w', S(w)) = w$
• For Hamming metric, $S(w)$ can be a linear function (simply $\mathrm{syndrome}(w)$ in an $[n, n-k, 2t+1]_2$ code)

building robust fuzzy extractors

With errors: $s = S(w)$, $R = \mathrm{Ext}(w; i)$, $\sigma = \mathrm{MAC}_w(i, s)$, $P = (i, s, \sigma)$ ($w$ keys both Ext and MAC).
How to MAC long messages? $\sigma = [a^2 s + ai]_1^{v} + b$ (recall $w = a|b$)
How to Rep: $\tilde w = \mathrm{Rec}(w', \tilde s)$; use $\tilde w$ as the key to verify $\tilde\sigma$ on $(i, \tilde s)$: ok/$\bot$; if ok, $\tilde R = \mathrm{Ext}(\tilde w; i)$.
oops...

the MAC problem

Authentication: $\sigma = \mathrm{MAC}_w(i, s) = [a^2 s + ai]_1^{v} + b$ (recall $w = a|b$)
Verification: $\tilde w = \mathrm{Rec}(w', \tilde s)$; $\mathrm{Ver}_{\tilde w}(i, \tilde s, \tilde\sigma)$: ok/$\bot$
Hard to forge for any fixed $w$.
Problem: circularity (MAC key depends on $s$, which is being authenticated by the MAC).
Observe: $\tilde w = w + \Delta$, and knowing ($w' - w$ and $\tilde s - s$) $\Rightarrow$ knowing $\Delta$ (since $S$ is linear, $\Delta$ does not depend on $w$ itself).
Need: $\forall \Delta$, given $\mathrm{MAC}_w(i, s)$, hard to forge $\mathrm{MAC}_{w+\Delta}(i, \tilde s)$.

building robust fuzzy extractors

[Figure: $s = S(w)$, $c = S^{\perp}(w)$; $R = \mathrm{Ext}(c; i)$, $\sigma = \mathrm{MAC}_c(i, s)$, $P = (i, s, \sigma)$.]

Recall: without errors, extract $n - 2g = m - g$.
Problem: $s$ reveals $k$ bits about $w$ $\Rightarrow$ $m$ decreases, $g$ increases $\Rightarrow$ lose $2k$.
Can't avoid decreasing $m$, but can avoid increasing $g$:
$s = S(w)$ is linear. Let $c = S^{\perp}(w)$, a linear map such that $w \mapsto (S(w), S^{\perp}(w))$ is a bijection.
$|c| = |w| - k$, but $c$ has the same entropy as $w$ given $s$. Use $c$ instead of $w$ (as the key for both Ext and MAC).
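The syndrome sketch, Rec, and the complementary map $c = S^{\perp}(w)$ of the last four slides, as an added example that is not from the slides or the authors' code. The $[7,4,3]_2$ Hamming code, applied blockwise, stands in for the $[n, n-k, 2t+1]_2$ code of the slides (so $t = 1$ per 7-bit block and $k = 3$ sketch bits per block; the slides' own results use BCH codes), and the sample $w$ and error patterns are constructed. $S^{\perp}$ is realized as the projection onto the code's information positions, which together with the syndrome determines the block, so `sketch_complement_is_bijection` checks exactly the property the slide needs: within each syndrome class, $c$ takes every value once, so $c$ keeps all the entropy $w$ has given $s$.

```python
# Hamming [7,4,3] code, used blockwise: bit positions 1..7 of a block sit at bits 0..6 of an int.
INFO_POSITIONS = (3, 5, 6, 7)      # information positions (not powers of two)
PARITY_POSITIONS = (1, 2, 4)       # each touches exactly one syndrome bit


def syndrome(block):
    """Hamming syndrome: XOR of the positions p (1..7) whose bit is set; 0 for codewords."""
    s = 0
    for p in range(1, 8):
        if (block >> (p - 1)) & 1:
            s ^= p
    return s


def sketch(w):
    """S(w): the 3-bit syndrome of every block (a linear function of w)."""
    return [syndrome(blk) for blk in w]


def rec(w_prime, s):
    """Rec(w', S(w)): syndrome(w') XOR S(w) = syndrome(w' XOR w) locates the flipped bit,
    provided at most t = 1 bit per block changed."""
    out = []
    for blk, sj in zip(w_prime, s):
        e = syndrome(blk) ^ sj
        if e:
            blk ^= 1 << (e - 1)
        out.append(blk)
    return out


def complement(w):
    """S^perp(w): the information bits of every block (|w| - k bits in total)."""
    return [sum(((blk >> (p - 1)) & 1) << idx for idx, p in enumerate(INFO_POSITIONS))
            for blk in w]


def from_sketch_and_complement(s, c):
    """Invert w -> (S(w), S^perp(w)): place the info bits, then choose the parity bits
    so the syndrome matches (parity position q contributes exactly bit q of the syndrome)."""
    out = []
    for sj, cj in zip(s, c):
        blk = 0
        for idx, p in enumerate(INFO_POSITIONS):
            blk |= ((cj >> idx) & 1) << (p - 1)
        fix = syndrome(blk) ^ sj
        for q in PARITY_POSITIONS:
            if fix & q:
                blk |= 1 << (q - 1)
        out.append(blk)
    return out


def sketch_complement_is_bijection():
    """Every block is recovered from (S, S^perp), and inside each of the 8 syndrome classes
    c runs over all 16 values exactly once: c keeps all the entropy w has given s."""
    classes = {}
    for blk in range(128):
        s, c = sketch([blk]), complement([blk])
        if from_sketch_and_complement(s, c) != [blk]:
            return False
        classes.setdefault(s[0], set()).add(c[0])
    return len(classes) == 8 and all(len(cs) == 16 for cs in classes.values())


if __name__ == "__main__":
    w = [0b1011001, 0b0001110, 0b1111111, 0b0100101]   # constructed 28-bit w, four blocks
    s = sketch(w)
    w_prime = [w[0] ^ 0b0000100, w[1], w[2] ^ 0b1000000, w[3]]   # one flip in blocks 0 and 2
    print("sketch:", s, "complement:", complement(w))
    print("Rec on 1 error/block recovers w:", rec(w_prime, s) == w)
    w_bad = [w[0] ^ 0b0000011, w[1], w[2], w[3]]       # two flips in one block: beyond t
    print("Rec on 2 errors in a block recovers w:", rec(w_bad, s) == w)
    print("(S, S^perp) is a bijection:", sketch_complement_is_bijection())
```

Two flips in one block exceed $t$: the syndrome then points at a third position and Rec returns a $\tilde w \neq w$, which is precisely the situation the MAC-problem slide has to survive when Eve also tampers with $s$.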

the bottom line

Result for Hamming distance with $t$ errors:
given an $[n, n-k, 2t+1]_2$ linear code, extract $2(m - n/2) - k - 2b$ bits
($b = \log \mathrm{Vol}(\mathrm{Ball}(t)) < t \log n$)
Result for set difference with $t$ errors ($w$ is a subset of a universe of size $2^{\lambda}$):
extract $2(m - n/2) - 3t\lambda$ bits
(uses BCH-based PinSketch of [DORS])

single user setting, revisited

• User has: noisy key $w$ (e.g., biometric); $(R, P) = \mathrm{Gen}(w; i)$; use $R$ to encrypt disk, derive (SK, PK), sign messages, ...
• Next time: needs same $R$ (to decrypt disk, ...): $\mathrm{Rep}(w', \tilde P) = R$ if $\tilde P = P$, $\bot$ otherwise.
• But Eve sees effects of $R$ (e.g., disk encrypted with $R$) before coming up with $\tilde P$
• New, stronger robustness notion: allow Eve to see $(P, R)$
• "post-application" (vs. "pre-application") robustness
• Our constructions work, but only extract 1/3 the bits

application to bounded storage model

[Figure: HUGE $X$ (Eve can't store all of it). Alice ($sk$) reads $w = X_{sk}$ and computes $(R, P) = \mathrm{Gen}(w; i)$; Bob ($sk$) reads $w' = X_{sk}$ with $w' \approx w$; Eve forwards $\tilde P$; Bob computes $\mathrm{Rep}(w', \tilde P) = R$ if $\tilde P = P$, $\bot$ otherwise. Eve doesn't know $sk$, hence $w$ has entropy.]

• Lots of prior work [Maurer, Cachin, Dziembowski, Aumann, Ding, Rabin, Lu, Vadhan, ...]
• Noisy case: [Ding, Dodis-Smith] – stateful A&B, or passive Eve
• Use robust fuzzy extractors: stateless A&B, active Eve
• But parameters not great – better solution?
• Yes: in this special case, A&B have $sk$

need: keyed robust fuzzy extractor

• Extraction: $\mathrm{Gen}(w, sk; i) \to (R, P)$ generates uniform $R$ from $w$ (+ seed $i$)
• Fuzziness: $\mathrm{Rep}(w', P, sk) = R$ reproduces $R$ from $P$ and $w' \approx w$
• Robustness: as long as $w' \approx w$, if Eve($P$) produces $\tilde P \neq P$ then $\mathrm{Rep}(w', \tilde P, sk) = \bot$
• Crucial: $sk$ must be reusable

building keyed robust fuzzy extractors

[Figure: $s = S(w)$; $R = \mathrm{Ext}(w; i)$; $\sigma = \mathrm{MAC}_{sk}(i, s, w)$; $P = (i, s, \sigma)$.]
• Problem: $sk$ is not reusable
• Need: $sk$ is random even given $\sigma$ $\Rightarrow$ need entropy in the MACed input $(w, i, s)$
• Idea: use a MAC that is also an extractor: Ext/MAC with "seed" $sk$, so that $(\sigma, sk)$ are jointly uniform

building extractor MACs

Ext/MAC: input $m$, seed/key $sk$ $\to$ $\sigma$; unforgeable, and $(\sigma, sk)$ jointly uniform
(note: unlike extractors, want short outputs $\sigma$)
• Idea 1: use pairwise-independent hashing
– Both good MAC and good extractor, but long $sk$
• Idea 2 (modifying Srinivasan-Zuckerman): input $m$ $\to$ almost universal hash (few collisions) keyed by $sk_1$ $\to$ 2-wise independent hash keyed by $sk_2$ $\to$ $\sigma$
– $|sk| = O(\log(1/\varepsilon) + \log(1/\delta) + \log n)$

conclusions

• Keyless robust fuzzy extractors
– errorless case: previously $|R| = m - 2n/3$; ours $|R| = 2(m - n/2)$ ($m > n/2$ is minimum possible)
– case with errors: previously only with random oracles; we solve Hamming distance and set difference without r.o.
– new definition: post-application robustness, constructions that satisfy it
• Keyed case
– Useful new notion: extractor-MAC
– Application to stateless, active-attack-resistant BSM with errors (previously stateful or passive attack only)

Thank you!