Robust fuzzy extractors and authenticated key agreement from close secrets

Yevgeniy Dodis, Bhavana Kanukurthi, Jonathan Katz, Leonid Reyzin, Adam Smith

Research output: Contribution to journal › Article

Abstract

Consider two parties holding samples from correlated distributions W and W′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK_Ext that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W′_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects. 1) The best prior solution for the keyless case with no errors (i.e., t = 0) requires the min-entropy of W to exceed 2n/3, where n is the bit length of W. Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key. 2) Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model. 3) Previous solutions for the keyed case were stateful. We give the first stateless solution.

Original language: English (US)
Article number: 6203415
Pages (from-to): 6207-6222
Number of pages: 16
Journal: IEEE Transactions on Information Theory
Volume: 58
Issue number: 9
DOI: 10.1109/TIT.2012.2200290
State: Published - 2012

Keywords

  • Fuzzy extractors
  • information reconciliation
  • information-theoretic cryptography
  • key-agreement
  • weak secrets

ASJC Scopus subject areas

  • Information Systems
  • Computer Science Applications
  • Library and Information Sciences

Cite this

Robust fuzzy extractors and authenticated key agreement from close secrets. / Dodis, Yevgeniy; Kanukurthi, Bhavana; Katz, Jonathan; Reyzin, Leonid; Smith, Adam.

In: IEEE Transactions on Information Theory, Vol. 58, No. 9, 6203415, 2012, p. 6207-6222.

@article{8120380eb3f149df945c8f000e94c8a4,
title = "Robust fuzzy extractors and authenticated key agreement from close secrets",
keywords = "Fuzzy extractors, information reconciliation, information-theoretic cryptography, key-agreement, weak secrets",
author = "Yevgeniy Dodis and Bhavana Kanukurthi and Jonathan Katz and Leonid Reyzin and Adam Smith",
year = "2012",
doi = "10.1109/TIT.2012.2200290",
language = "English (US)",
volume = "58",
pages = "6207--6222",
journal = "IEEE Transactions on Information Theory",
issn = "0018-9448",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "9",

}
