1 / 24

Robust Fuzzy Extractors & Authenticated Key Agreement from Close Secrets

Robust Fuzzy Extractors & Authenticated Key Agreement from Close Secrets. Leonid Reyzin Boston University. Yevgeniy Dodis New York University. Jonathan Katz University of Maryland. Adam Smith Weizmann  IPAM  Penn State. w. w. Ext. Ext. R. R. i. i. minentropy m. uniform .

trista
Download Presentation

Robust Fuzzy Extractors & Authenticated Key Agreement from Close Secrets

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Robust Fuzzy Extractors&Authenticated Key Agreement from Close Secrets Leonid ReyzinBoston University Yevgeniy DodisNew York University Jonathan KatzUniversity of Maryland Adam Smith Weizmann  IPAM  Penn State

  2. w w Ext Ext R R i i minentropy m uniform uniform jointly uniform setting 1: info-theoretic key agreement not uniform w w’ w i i’ i i Bonnie Allen w’  R R’ i’ (if w w’) Eve (e.g., knows something about it) Goal: from a nonuniform secret w agree on a uniform secret R No secure channel (else, trivial) w Simple solution: use an extractor Ext R seed i Problem 1: What if Eve is active? Needrobustness Problem 2: What if w is noisy? Needfuzziness

  3. uniform even given P Fuzzy Extractor[Dodis, Ostrovsky, R., Smith] need: robust fuzzy extractor • Extraction: generate uniform R from w (+ seed i) • Fuzziness: reproduceR from P and w’ w • Robustness: as long as w’ w, if Eve(P) produces P  P (with 1negligible probability over w& coins of Rep, Eve) w R Gen i P w’ Rep R P ~ w’ Rep  ~ P

  4. ~ P P ~ w w’ R R if P = P Gen Rep ~ i P  o/w P setting 1: info-theoretic key agreement  w w’ Previously considered: • If w = w’, or if w, w’ and Eve’s info come from repeated i.i.d. [Maurer, Renner, Wolf in several papers] • Using random oracles [Boyen, Dodis, Katz, Ostrovsky, Smith] • Interactive (more than one message): [MR,W,RW – limits on errors] [BDKOS – computational security, using PAK] Bonnie Allen Eve use R for encryption, MAC, etc.

  5. setting 2: noisy secret keys • User has: noisy key w (e.g., biometric) • Next time: needs same R (to decrypt disk, …) • Same problem as before, but noninteractivity essential! use to encrypt disk, derive (SK, PK), sign messages, ... w R Gen i P ~ w’ ~ Rep R if P P,  o/w ~ P various bad effects, depending on use of R no trusted storage

  6. Key??? building robust fuzzy extractors Idea 0: w Ext R i MAC P = (i,)  R? But if i changes  R changes Circularity! iextracts from ww authenticates i

  7. n/3 n/3 n/3 a c w = b   i +  = bi + c i, R = [ai]1 -uniform if n/3 >  + g + 2loga l P 1 -secure if n/3 > g + loga 1 building robust fuzzy extractors Notation: |w| = n,H(w) = m, “entropy gap” n  m = g Maurer-Wolf construction: Extract m 2n/3

  8. n/3 nv n/3 n/3 v a c w = b   i + +  = bi + c R = [ai]1 l i  = [ai]1 + b R = [ai]v+1 v nv jointly -uniform if v > g+2loga  -secure if v > g+log 1 1 building robust fuzzy extractors Notation: |w| = n,H(w) = m, “entropy gap” n  m = g Maurer-Wolf construction: Extract m 2n/3 Our construction: a w = b Extract n2g = 2(mn/2)

  9. nv v + Our construction: a w = b Extract n2g = 2(mn/2) i  = [ai]1 + b R = [ai]v+1 v nv jointly -uniform if v > g+2loga  -secure if v > g+log 1 1 building robust fuzzy extractors

  10. nv v Our construction: a w = b Extract n2g = 2(mn/2)  i  = [ai]1 + b R = [ai]v+1 v nv + 1 jointly -uniform if v > g+2loga -secure if v > g+log 1 building robust fuzzy extractors Analysis: • Extraction: (R, )=ai + b is a universal hash family (few collisions)(i is the key, w=(a, b) is the input) • Robustness:  = [ai]1 + b is strongly universal (2-wise indep.)(w=(a, b) is the key, i is the input) [ok by leftover hash lemma] v [ok by Maurer-Wolf]

  11. 1 2 3 … V 1 … w11 w12 w13 w1V 2 … w21 w22 w23 w2V 3 … w31 w32 w33 w3V . . . ... ... ... ... ... V … wV1 wV2 wV3 wVV aside: strongly universal  MAC • Suppose MACw (•) is pairwise independent:  i, j MACw (i) Notation: n = |w|m = H(w)g = n mv = ||V = 2v MACw (j) (if 2n keys w, then each square contains 2n/V2 = 2n2vof them) • Eve sees 3= MACw (i) guesses 2= MACw (j) • w23has 2n2vkeys, each has prob. 2vm, so Pr[success] = 2nmv = 2gv

  12. ? nv v  i  = [ai]1 + b R = [ai]v+1 v nv + w Ext R key i MAC P = (i,)  key building robust fuzzy extractors Our construction: a w = b Extract n2g = 2(mn/2) m>n/2 is necessary [Dodis-Spencer]before: needed m>2n/3 (also extracted fewer bits)

  13. tool: secure sketch [DORS] • Compute k-bit sketchS(w) • Recoverw from S(w) and w’ w • For Hamming metric, S(w) can be a linear function (simply syndrome(w) in an [n, nk, 2t+1]2 code) S w S(w) w’ Rec w S(w)

  14. Ext R key i  s MAC S key How to MAC long messages?  = [a2s + ai]1 + b (recall w = a|b) v w’ s key building robust fuzzy extractors w = MACw(i, s) P = (i, s, ) How to Rep ~ w ~ Rec Ext ~ R i oops… ~ ~ ~ Ver() ok/ s ~ key

  15. a2s + ai]1 + b v w’ s ~ ~ Need:  w,given MACw(i, s), hard to forge MACw +w(i, s) the MAC problem Authentication: Hard to forge for any fixed w  = MACw(i, s) = [ (recall w = a|b) a5+ Verification: ~ i, s ~ Ver() ok/ w Rec ~ Problem: circularity (MAC key depends on s, which is being authenticated by the MAC) ~ ~ Observe: knowing (w’ w ands s) w w = w

  16. Ext R key i  s MAC S key building robust fuzzy extractors c w = MACw(i, s) c P = (i, s, ) Recall: without errors, extract n2g= m  g Problem: s reveals k bits about wmdecreases, gincreases  `` lose 2k Can’t avoid decreasing m, but can avoid increasing g s= S(w)is linear. Let c = S(w). |c|=|w|k, but c has same entropy as w|s. Use c instead of w.

  17. w’ w 2 the bottom line Result for with t Hamming errors: given[n, nk, 2t+1]2 linear code, extract 2(m  n/2)k2b bits(b = log Vol(Ball(t)) < t log n) Result for with t set difference errors: (w is a subset of a universe of size 2) extract 2(m  n/2)3t bits (uses BCH-based PinSketch of [DORS])

  18. single user setting, revisited • User has: noisy key w (e.g., biometric) • Next time: needs same R (to decrypt disk, …) use to encrypt disk, derive (SK, PK), sign messages, ... w R Gen i P ~ w’ ~ Rep R if P P,  o/w ~ P • But Eve sees effects of R (e.g., disk encrypted with R) before coming up with P • New, stronger robustness notion: allow Eve to see (P, R) • “post-application” (vs. “pre-application”) robustness • Our constructions work, but only extract 1/3 the bits ~

  19. ~ P P ~ w w’ R R if P = P Gen Rep ~ i P  o/w P application to bounded storage model HUGE X(Eve can’t store all of it) w’sk wsk Bob (sk) Alice (sk) Eve doesn’t know sk, hence w has entropy • Lots of prior work [Maurer,Cachin,Dziembowski,Aumann,Ding,Rabin,Lu,Vadhan,…] • Noisy case: [Ding, Dodis-Smith]—stateful A&B, or passive Eve • Use robust fuzzy extractors: stateless A&B, active Eve • But parameters not great—better solution? • Yes: in this special case, A&B have sk

  20. need: keyedrobust fuzzy extractor • Extraction: generate uniform R from w (+ seed i) • Fuzziness:reproduce R from P and w’ w • Robustness: as long as w’ w, if Eve(P) produces P  P • Crucial: sk must be reusable w R Gen i P sk w’ Rep R P sk ~ w’ ~ Rep  P sk

  21. s S need entropy jointly uniform building keyed robust fuzzy extractors w • Problem: sk is not reusable • Need: sk is random even given  • Idea: use a MAC that isalso an extractor Ext R key i  = MACsk(i, s , w ) MAC Ext/MAC P = (i, s, ) sk w, i, s Ext/MAC  “seed” sk

  22. unforgeable jointly uniform 1 O(loga +log a+log n) 1 1 1+log building extractor MACs input m • Idea 1: use pairwise-independent hashing • Both good MAC and good extractor, but long sk Ext/MAC  seed/key sk (note: unlike extractors, want short outputs ) • Idea 2 (modifying Srinivasan-Zuckerman): input m 2-wiseindep. almost universal(few collisions)  sk2 sk1 |sk|=

  23. conclusions • Keyless robust fuzzy extractors • errorless case: previously |R| = m 2n/3, we |R| = 2(m n/2)(m > n/2 is minimum possible) • case with errors: previously only with random oracles,we solve Hamming distance and set difference without r.o. • new definition: post-application robustness, constructions that satisfy it • Keyed case • Useful new notion: extractor-MAC • Application to stateless, active-attack-resistant, BSM with errors(previously stateful or passive attack only)

  24. Thank you! obligatory clip art

More Related