strong key derivation from noisy sources benjamin fuller december 12, 2014 based on three works:...
TRANSCRIPT
![Page 1: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/1.jpg)
Strong Key Derivationfrom Noisy Sources
Benjamin Fuller
December 12, 2014
Based on three works:• Computational Fuzzy Extractors [FullerMengReyzin13]• When are Fuzzy Extractors Possible? [FullerSmithReyzin14]• Key Derivation from Noisy Sources with More Errors than
Entropy [CanettiFullerPanethSmithReyzin14]
![Page 2: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/2.jpg)
Key Derivation from Noisy SourcesPhysically Unclonable Functions (PUFs) Biometric Data
High-entropy sources are often noisy – Initial reading w0 ≠ later reading reading w1
– Source w0 = a1,…, ak, each symbol ai over alphabet Z
– Assume a bound on distance: d(w0, w1) ≤ t
d(w0, w1)=# of symbols in that differA B C A D B E F A A
A G C A B B E F C Bw0
w1
d(w0, w1)=4
![Page 3: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/3.jpg)
Key Derivation from Noisy SourcesPhysically Unclonable Functions (PUFs) Biometric Data
Goal of this talk: produce good outputsin scenarios we couldn’t handle before
High-entropy sources are often noisy – Initial reading w0 ≠ later reading reading w1
– Source w0 = a1,…, ak, each symbol ai over alphabet Z
– Assume a bound on distance: d(w0, w1) ≤ t
Goal: derive a stable cryptographically strong output– Want w0, w1 to map to same output
– The output should look uniform to the adversary
![Page 4: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/4.jpg)
Physical Unclonable Functions (PUFs)[PappuRechtTaylorGershenfeld02]
• Hardware that implements random function
• Impossible to copy precisely
• Large challenge/response space– On fixed challenge, responses close together
interference Gabor HashLaser
![Page 5: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/5.jpg)
Biometrics• Measure unique physical phenomenon• Unique, collectable, permanent, universal• Repeated readings exhibit significant noise• Uniqueness/Noise vary widely• Human iris believed to be “best”
[Daugman04], [PrabhakarPankantiJain03]
![Page 6: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/6.jpg)
Two Physical Processesw0w0 – create a new biometric or
hardware device, take initial reading
w1 – take new reading from a fixed biometric or hardware device
w1
Two readings may not be subject to same noise. Often less error in original reading
Uncertainty
Errors
![Page 7: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/7.jpg)
Outline
• Strong Authentication through Key Derivation• Key Derivation from Noisy Sources• Limitations of Traditional Approaches/Lessons• New Constructions
![Page 8: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/8.jpg)
Key Derivation from Noisy SourcesInteractive Protocols
[Wyner75] … [BennettBrassardRobert85,88] …lots of work…
w1w0
Parties agree on cryptographic key
Problem: User must store initial reading w0 at server
Want approach where w0 is not stored!
![Page 9: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/9.jpg)
Fuzzy Extractors: Functionality [JuelsWattenberg99], …, [DodisOstrovskyReyzinSmith04] …
• Enrollment algorithm Gen: Take a measurement w0 from the source. Use it to “lock up” random r in a nonsecret value p.
• Subsequent algorithm Rep: give same output if d(w0, w1) < t
• Security: r looks uniform even given p,when the source is good enough
w0p
w1
< t
Gen
Rep
Traditionally, security def. is information theoreticr
r
![Page 10: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/10.jpg)
Fuzzy Extractors: Goals• Goal 1: handle as many sources as possible
(typically, any source in which w0 is 2k-hard to guess)• Goal 2: handle as much error as possible
(typically, any w1 within distance t)• Most previous approaches are analyzed in terms of t and k
w0p
w1
< t
Gen
Rep
entropy k
Traditional approaches do not support sources with t > k (many practical sources)
r
r
![Page 11: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/11.jpg)
Contribution
• Three lessons on how to constructfuzzy extractors for practical sources– Eliminate Secure Sketches [FMR13]– Exploit Distributional Structure [FRS14]– Define Objects Computational [FMR13]
• Constructions of fuzzy extractors for large classes of distributions where t > k [CFPRS14]
• Reusable fuzzy extractor for arbitrary correlation between repeated readings [CFPRS14]
![Page 12: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/12.jpg)
Gen
Repw0p
Ext
Ext
(converts high-entropy sources to uniform, e.g., via universal hashing [CarterWegman77])
w1
Fuzzy Extractors: Typical Construction
< t
entropy k
- correct errors using a secure sketch
- derive r using a randomness extractor
(gives recovery of the original from a noisy signal)[DodisOstrovskyReyzinSmith08]
r
r
![Page 13: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/13.jpg)
Gen
Repw0p
Ext
Ext
w1
Fuzzy Extractors: Typical Construction
SketchRec
w0
< t
entropy k
- correct errors using a secure sketch
- derive r using a randomness extractor
(gives recovery of the original from a noisy signal)
(converts high-entropy sources to uniform, e.g., via universal hashing [CarterWegman77])
[DodisOstrovskyReyzinSmith08]
r
r
![Page 14: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/14.jpg)
Secure SketchesGenerate
ReproduceExt
ExtSketch Rec
Code Offset Sketch[JuelsWattenberg99]
p =c w0
c
r
rp
w0
w1
< t
C – Error correcting code correcting t errors
![Page 15: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/15.jpg)
Secure Sketches
c’=Decode(c*)
p w1 = c*p =c w0
c
If decoding succeeds, w0 = c’ p.
Generate
ReproduceExt
ExtSketch Rec
p
w0
w1
< t
r
r
Code Offset Sketch[JuelsWattenberg99]
C – Error correcting code correcting t errors
![Page 16: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/16.jpg)
p w1 = c*p =c w0
p w’1
Secure SketchesGenerate
ReproduceExt
ExtSketch Rec
p
w0
w’1
> t
r
r
Code Offset Sketch[JuelsWattenberg99]
p has info about w0. How much does it hurt security?
C – Error correcting code correcting t errors
![Page 17: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/17.jpg)
Outline
• Strong Authentication through Key Derivation• Key Derivation from Noisy Sources• Limitations of Traditional Approaches/Lessons• New Constructions
![Page 18: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/18.jpg)
Gen
Repw0p
Ext
Ext
w1
• p must store enough information to recover w0
• How much information is that?
Problem with Secure Sketches
SketchRec
w0
entropy k
< t
r
r
![Page 19: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/19.jpg)
Repw0 p
Ext
w1
• p must store enough information to recover w0
• How much information is that? • If all Rep knows about source is entropy,
w0 can be anywhere within distance t, so log |Bt | > t bits• Current approaches provide no security if t > k
Problem with Secure Sketches
Recw0
< t Bt
r
stores t bits about w0 has k < t bits of entropy
r
![Page 20: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/20.jpg)
Repw0 p
Ext
w1
• Fuzzy extractors and secure sketches have upper bounds on key length based on error tolerance
• Secure sketches subject to stronger bounds• Thm [FMR13]:
Secure sketches with computational security limited:
Problem with Secure Sketches
Recw0
< t Bt
r
stores t bits about w0 has k < t bits of entropy
r
Can build sketches with info-theoretic security from sketches that provide computational security
![Page 21: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/21.jpg)
Lessons
1. Stop using secure sketches– Subject to strong bounds– Bounds apply with computational security
![Page 22: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/22.jpg)
Is it possible to handle “more errors than entropy” (t > k)?
Support of w0
• This distribution has 2k points• Why might we hope to extract
from this distribution?• Points are far apart
• No need to deconflict original reading
w1
![Page 23: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/23.jpg)
Is it possible to handle “more errors than entropy” (t > k)?
Support of w0
Left and right have same number of points and error tolerance
Support of v0
r
Since t > k there is a distribution v0
where all points lie in a single ball
![Page 24: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/24.jpg)
Is it possible to handle “more errors than entropy” (t > k)?
Support of v0
Support of w0
v1
rRep
For any construction adversary learns r by running with v1
r t
r
r
Recall: adversary can run Rep on any point
w1
rRep
? t
The likelihood of adversary picking a point w1 close enough to recover r is low
![Page 25: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/25.jpg)
Is it possible to handle “more errors than entropy” (t > k)?
Support of v0
Support of w0
Key derivation may be possible for w0, impossible for v0
v1
rRep
For any construction adversary learns r by running with v1
r t
r
w1
tr
Rep?
To distinguish between w0 and v0 must consider more than just t and k
The likelihood of adversary picking a point w1 close enough to recover r is low
![Page 26: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/26.jpg)
Lessons
1. Stop using secure sketches
2. Exploit structure of source beyond entropy– Need to understand what structure is helpful
![Page 27: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/27.jpg)
Understand the structure of source
w1r
Rep t
• Minimum necessary condition for fuzzy extraction:weight inside any Bt must be small
• Let Hfuzz(W0) = log (1/max wt(Bt))
• Big Hfuzz(W0) is necessary
• Q: Is big Hfuzz(W0) sufficient for fuzzy extractors?
![Page 28: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/28.jpg)
Is big Hfuzz(W0) sufficient?
• Thm [FRS]: Yes, if algorithms know exact distribution of W0
• Imprudent to assume construction and adversary have same view of W0
– Should assume adversary knows more about W0
– Deal with adversary knowledge by providing security for family V of W0, security should hold for whole family
• Thm [FRS]: No if W0 is only known to come from a family V• A3: Yes if security is computational (using obfuscation)
[Bitansky Canetti Kalai Paneth 14]• A4: No if security is information-theoretic• A5: No if you try to build (computational) secure sketch
Will show negative result for secure sketches(negative result for fuzzy extractors more complicated)
![Page 29: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/29.jpg)
Thm [FRS]: No if W0 comes from a family V• Describe a family of distributions V
• For any fuzzy extractor Gen, Repfor most W0 in V, few w* in W0 could produce p
• Implies W0 has little entropy conditioned on p
Repw0 p
w1
Recw0
< t Bt
![Page 30: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/30.jpg)
• Adversary specifies V• Goal: build Sketch, Rec
maximizing H(W | p), for all W in V
• First consider one dist. W• For w0, Rec(w0, p) =w0
• For nearby w1, Rec(w1, p) = w0
• Call augmented fixed point• To maximize H(W | p) make
as many points of W augmented fixed points
• Augmented fixed points at least distance t apart (exponentially small fraction of space)
w0 = Rec(w0, p)
w1
W
Now we’ll consider family V, Goal: for most W in V, can’t include many augmented fixed points
![Page 31: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/31.jpg)
• Adversary specifies V• Goal: build Sketch, Rec
maximizing H(W | p), for all W in V
• Sketch must create augmented fixed points based only on w0
• Build family with many possible distributions for each w0
• Sketch can’t tell W from w0
w0
W
![Page 32: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/32.jpg)
w0
W• Adversary specifies V• Goal: build Sketch, Rec
maximizing H(W | p), for all W in V
• Sketch must create augmented fixed points based only on w0
• Build family with many possible distributions for each w0
• Sketch can’t tell W from w0
![Page 33: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/33.jpg)
w0
W• Adversary specifies V• Goal: build Sketch, Rec
maximizing H(W | p), for all W in V
• Sketch must create augmented fixed points based only on w0
• Build family with many possible distributions for each w0
• Sketch can’t tell W from w0
![Page 34: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/34.jpg)
Viable points set by Gen
Adversary knows color of w0
• Adversary specifies V• Goal: build Sketch, Rec
maximizing H(W | p), for all W in V
• Sketch must create augmented fixed points based only on w0
• Build family with many possible distributions for each w0
• Sketch can’t tell W from w0
• Distributions only share w0
– Sketch must include augmented fixed points from all distributions with w0
w0
![Page 35: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/35.jpg)
Viable points set by Gen
Adversary knows color of w0
• Adversary specifies V• Goal: build Sketch, Rec
maximizing H(W | p), for all W in V
• Sketch must create augmented fixed points based only on w0
• Build family with many possible distributions for each w0
• Sketch can’t tell W from w0
• Distributions only share w0
– Sketch must include augmented fixed points from all distributions with w0
Maybe this was a bad choice of viable points?
Adversary’s search space
w0
![Page 36: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/36.jpg)
Adversary knows color of w0
• Adversary specifies V• Goal: build Sketch, Rec
maximizing H(W | p), for all W in V
• Sketch must create augmented fixed points based only on w0
• Build family with many possible distributions for each w0
• Sketch can’t tell W from w0
• Distributions only share w0
– Sketch must include augmented fixed points from all distributions with w0
w0
Alternative Points
![Page 37: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/37.jpg)
Adversary knows color of w0
• Adversary specifies V• Goal: build Sketch, Rec
maximizing H(W | p), for all W in V
• Sketch must create augmented fixed points based only on w0
• Build family with many possible distributions for each w0
• Sketch can’t tell W from w0
• Distributions only share w0
– Sketch must include augmented fixed points from all distributions with w0
w0
Alternative Points
Adversary’s search space
Thm: Sketch, Rec can include at most 4 augmented fixed points from members of V on average
![Page 38: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/38.jpg)
• Thm [FRS]: Yes, if algorithms know exact distribution of W0
• Imprudent to assume construction and adversary have same view of W0
– Deal with adversary knowledge by providing security for family V of W0, security should hold for whole family
• Thm [FRS]: No if adversary knows more about W0 thanfuzzy extractor creator
• A3: Yes if security is computational (using obfuscation) [Bitansky Canetti Kalai Paneth 14]
• A4: No if security is information-theoretic• A5: No if you try to build (computational) secure sketch
Is big Hfuzz(W0) sufficient?
Fuzzy extractors defined information-theoretically (used info-theory tools), No compelling need for info-theory security
![Page 39: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/39.jpg)
Lessons
1. Stop using secure sketches
2. Exploit structure of source beyond entropy
3. Define objects computationally
![Page 40: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/40.jpg)
Outline
• Strong Authentication through Key Derivation• Key Derivation from Noisy Sources• Lessons
1. Stop using secure sketches2. Exploit structure of source beyond entropy3. Define objects computationally
• New Constructions
![Page 41: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/41.jpg)
Idea [CFPRS14]: “encrypt” r using parts of w0
w0 = a1 a2 a3 a4 a5 a6 a7 a8 a9
Gen: - get random combinations of symbols in w0
r
pGen
a3 a9 a5
rr
a1 a9 a2
rr
a3 a4 a5
rr
a7 a5 a6
rr
a2 a8 a7
rr
a3 a5 a2
rr
- “lock” r using these combinationsr
![Page 42: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/42.jpg)
w0 = a1 a2 a3 a4 a5 a6 a7 a8 a9
r
pGen
a3 a9 a5
rr
a1 a9 a2
rr
a3 a4 a5
rr
a7 a5 a6
rr
a2 a8 a7
rr
a3 a5 a2
rr
Gen: - get random combinations of symbols in w0 - “lock” r using these combinationsr
Idea [CFPRS14]: “encrypt” r using parts of w0
![Page 43: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/43.jpg)
w0 = a1 a2 a3 a4 a5 a6 a7 a8 a9
r
pGen
a3 a9 a5
rr
a1 a9 a2
rr
a3 a4 a5
rr
a7 a5 a6
rr
a2 a8 a7
rr
a3 a5 a2
rr
Gen: - get random combinations of symbols in w0 - “lock” r using these combinationsr
Idea [CFPRS14]: “encrypt” r using parts of w0
![Page 44: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/44.jpg)
w0 = a1 a2 a3 a4 a5 a6 a7 a8 a9
a1 a9 a2
r
a3 a9 a5
r
a3 a4 a5
r
a7 a5 a6
r
a2 a8 a7
r
a3 a5 a2
r
- = locks + positions of symbols needed to unlock
r
pGen
p
Gen: - get random combinations of symbols in w0 - “lock” r using these combinationsr
Idea [CFPRS14]: “encrypt” r using parts of w0
![Page 45: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/45.jpg)
w0 = a1 a2 a3 a4 a5 a6 a7 a8 a9
a1 a9 a2
r
a3 a9 a5
r
a3 a4 a5
r
a7 a5 a6
r
a2 a8 a7
r
a3 a5 a2
r
r
pGen
- = locks + positions of symbols needed to unlockp
Gen: - get random combinations of symbols in w0 - “lock” r using these combinationsr
Idea [CFPRS14]: “encrypt” r using parts of w0
![Page 46: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/46.jpg)
a1 a9 a2
r
a3 a9 a5
r
a3 a4 a5
r
a7 a5 a6
r
a2 a8 a7
r
a3 a5 a2
r
p
- = locks + positions of symbols needed to unlockp
Gen: - get random combinations of symbols in w0 - “lock” r using these combinationsr
Idea [CFPRS14]: “encrypt” r using parts of w0
![Page 47: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/47.jpg)
a1 a9 a2
r
a3 a9 a5
r
a3 a4 a5
r
a7 a5 a6
r
a2 a8 a7
r
a3 a5 a2
r
p
Rep:
w1 = a1 a2 a3 a4 a5 a6 a7 a8 a9 rRep
- = locks + positions of symbols needed to unlockp
Gen: - get random combinations of symbols in w0 - “lock” r using these combinationsr
Idea [CFPRS14]: “encrypt” r using parts of w0
![Page 48: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/48.jpg)
a1 a9 a2
r
a3 a4 a5
r
a7 a5 a6
r
a2 a8 a7
r
a3 a5 a2
r
p
w1 = a1 a2 a3 a4 a5 a6 a7 a8 a9 rRep
a3 a9 a5
r
Rep:
- = locks + positions of symbols needed to unlockp
Gen: - get random combinations of symbols in w0 - “lock” r using these combinationsr
Idea [CFPRS14]: “encrypt” r using parts of w0
![Page 49: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/49.jpg)
a1 a9 a2
r
a3 a4 a5
r
a7 a5 a6
r
a2 a8 a7
r
a3 a5 a2
r
p
w1 = a1 a2 a3 a4 a5 a6 a7 a8 a9 rRep
a3 a9 a5
r
Rep: Use the symbols of w1 to open at least one lock
- = locks + positions of symbols needed to unlockp
Gen: - get random combinations of symbols in w0 - “lock” r using these combinationsr
Idea [CFPRS14]: “encrypt” r using parts of w0
![Page 50: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/50.jpg)
a1 a9 a2
r
a3 a4 a5
r
a7 a5 a6
r
a2 a8 a7
r
a3 a5 a2
r
p
w1 = a1 a2 a3 a4 a5 a6 a7 a8 a9 rRep
Rep: Use the symbols of w1 to open at least one lock
a3 a9 a5
rr
- = locks + positions of symbols needed to unlockp
Gen: - get random combinations of symbols in w0 - “lock” r using these combinationsr
Idea [CFPRS14]: “encrypt” r using parts of w0
![Page 51: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/51.jpg)
a1 a9 a2
r
a3 a4 a5
r
a7 a5 a6
r
a2 a8 a7
r
a3 a5 a2
r
Rep: Use the symbols of w1 to open at least one lock
a3 a9 a5
rr
Error-tolerance: one combination must unlock with high probabilitySecurity: each combination must have enough entropy
- = locks + positions of symbols needed to unlockp
Gen: - get random combinations of symbols in w0 - “lock” r using these combinationsr
(sampling of symbols must preserve sufficient entropy)
Idea [CFPRS14]: “encrypt” r using parts of w0
![Page 52: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/52.jpg)
How to implement locks?• A lock is the following program:
– If input = a1 a9 a2, output r– Else output – One implementation (R.O. model):
lock = r H(a1 a9 a2) a1 a9 a2
r
• Ideally: Obfuscate this program– Obfuscation: preserve functionality, hide the program– Obfuscating this specific program called “digital locker”
![Page 53: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/53.jpg)
Digital Lockers
• Digital Locker is obfuscation of– If input = a1 a9 a2, output r– Else output
• Equivalent to encryption of r that is secureeven multiple times with correlated, weak keys[CanettiKalaiVariaWichs10]
• Digital lockers are practical (R.O. or DL-based) [CanettiDakdouk08], [BitanskyCanetti10]
• Hides r if input can’t be exhaustively searched(superlogarithmic entropy)
a1 a9 a2
r
![Page 54: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/54.jpg)
• Digital Locker is obfuscation of– If input = a1 a9 a2, output r– Else output
• Equivalent to encryption of r that is secureeven multiple times with correlated and weak keys[CanettiKalaiVariaWichs10]
• Digital lockers are practical (R.O. or DL-based) [CanettiDakdouk08], [BitanskyCanetti10]
• Hides r if input can’t be exhaustively searched(superlogarithmic entropy)
Digital Lockers
• Q: if you are going to use obfuscation, why bother?Why not just obfuscate the following program for p– If distance between w0 and the input is less than t, output r– Else output
• A: you can do that [BitanskyCanettiKalaiPaneth14], except it’s very impractical + has a very strong assumption
a1 a9 a2
r
![Page 55: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/55.jpg)
How good is this construction?• Handles sources with t > k• For correctness: t < constant fraction of symbols
a1 a9 a2
r
a3 a9 a5
r
a3 a4 a5
r
a7 a5 a6
r
a2 a8 a7
r
a3 a5 a2
r
![Page 56: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/56.jpg)
How good is this construction?• Handles sources with t > k• For correctness: t < constant fraction of symbols
a1 a9 a2
r
a3 a9 a5
r
a3 a4 a5
r
a7 a5 a6
r
a2 a8 a7
r
a3 a5 a2
r
Construction 2:
Supports t= constant fraction but only for really large alphabets
Construction 3:
Similar parameters but info-theoretic security
Why did I tell you about computation constructional?
![Page 57: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/57.jpg)
How good is this construction?• It is reusable!
– Same source can be enrolled multiple times with multiple independent services
w0r
pGen
w0'r'
p'Gen
w0''r''
p''Gen
Secret even givenp, p', p'', r, r''
![Page 58: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/58.jpg)
How good is this construction?• It is reusable!
– Same source can be enrolled multiple times with multiple independent services
– Follows from composability of obfuscation– In the past: difficult to achieve, because typically
new enrollments leak fresh information– Only previous construction [Boyen2004]:
all reading must differ by fixed constants (unrealistic)– Our construction:
each reading individually must satisfy our conditions
![Page 59: Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf8e1a28abf838c8cdad/html5/thumbnails/59.jpg)
Conclusion• Lessons:
• Don’t use secure sketches (i.e., full error correction)
• Exploit structure in source
• Provide computational security
• It is possible to cover sourceswith more errors than entropy!
• Also get reusability!
t
Questions?