Robustly Reusable Fuzzy Extractor from Standard Assumptions Yunhua - PowerPoint PPT Presentation

Robustly Reusable Fuzzy Extractor from Standard Assumptions Yunhua Wen and Shengli Liu Shanghai Jiao Tong University

Problem • Randomness is crucial in cryptography (e.g. sk). • However, uniformly distributed and accurately reproducible string is rare in practice. • There are many imperfect random sources, e.g. Biometric Information Physically Unclonable Functions (PUFs)

Problem • Randomness is crucial in cryptography (e.g. sk). • However, uniformly distributed and accurately reproducible string is rare in practice. • There are many imperfect random sources, e.g. Biometric Information Physically Unclonable Functions (PUFs) Problem : How to use such imperfect random sources in cryptography?

Fuzzy Extractor • Gen(w) • Input : a weak random secret w. • Output : the extracted key R and a public helper string P . • Rep(w’, P) • Input : a noisy version w’ and the public helper string P . • Output : the extracted key R’. W’ R Gen Rep W R’ P P

Fuzzy Extractor • Gen(w) • Input : a weak random secret w. • Output : the extracted key R and a public helper string P . • Rep(w’, P) • Input : a noisy version w’ and the public helper string P . • Output : the extracted key R’. W’ R Gen Rep W R’ P P Correctness : If w’ is close enough to w, R’=R. Security : R is pseudorandom given P .

Applications Application in Encryption and Decryption : m C C Enc m Dec R R Gen Rep P P Users do not need to store the secret key R.

Robust Fuzzy Extractor m C C Enc m’ Dec R R’ Gen Rep P’ P The user may get a wrong key R’ without notifications.

Robust Fuzzy Extractor m C Enc R Failure Gen Rep P’ P Security ： If P is modified, then Rep will output .

<latexit sha1_base64="6l+5XTJqwS4y0umxge8kwfB1dmU=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVZIi6LoRncV7ANqKcl02oamTCZFEtx4Q+41T8T/0D/wjtjCmoRnZDkzLn3nJl7rx+HQaIc5zVnLS2vrK7l1wsbm1vbO8XdvUYiUsl4nYlQyJbvJTwMIl5XgQp5K5bcG/shb/qjCx1vTrhMAhHdqGnMO2NvEAX9gHlKU8moW+kWS07ZMcteBG4GSshWTRfcIseBhSjMERQREO4SGhpw0XDmLiOpgRJwkFJs5xjwJpU8rilOERO6LvgHbtjI1orz0To2Z0SkivJKWNI9IypOE9Wm2iafGWbO/ec+Mp7blP5+5jUmVmFI7F+6eZ/dboWhT7OTA0B1RQbRlfHMpfUdEXf3P5SlSKHmDiNexSXhJlRzvtsG01iate9Uz8zWRqVu9ZlpviXd+SBuz+HOciaFTKrlN2r09K1fNs1Hkc4BDHNM9TVHGJGurkPcQjnvBsXVnCmlh3n6lWLtPs49uyHj4AKb2Qkg=</latexit> <latexit sha1_base64="6l+5XTJqwS4y0umxge8kwfB1dmU=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVZIi6LoRncV7ANqKcl02oamTCZFEtx4Q+41T8T/0D/wjtjCmoRnZDkzLn3nJl7rx+HQaIc5zVnLS2vrK7l1wsbm1vbO8XdvUYiUsl4nYlQyJbvJTwMIl5XgQp5K5bcG/shb/qjCx1vTrhMAhHdqGnMO2NvEAX9gHlKU8moW+kWS07ZMcteBG4GSshWTRfcIseBhSjMERQREO4SGhpw0XDmLiOpgRJwkFJs5xjwJpU8rilOERO6LvgHbtjI1orz0To2Z0SkivJKWNI9IypOE9Wm2iafGWbO/ec+Mp7blP5+5jUmVmFI7F+6eZ/dboWhT7OTA0B1RQbRlfHMpfUdEXf3P5SlSKHmDiNexSXhJlRzvtsG01iate9Uz8zWRqVu9ZlpviXd+SBuz+HOciaFTKrlN2r09K1fNs1Hkc4BDHNM9TVHGJGurkPcQjnvBsXVnCmlh3n6lWLtPs49uyHj4AKb2Qkg=</latexit> <latexit sha1_base64="6l+5XTJqwS4y0umxge8kwfB1dmU=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVZIi6LoRncV7ANqKcl02oamTCZFEtx4Q+41T8T/0D/wjtjCmoRnZDkzLn3nJl7rx+HQaIc5zVnLS2vrK7l1wsbm1vbO8XdvUYiUsl4nYlQyJbvJTwMIl5XgQp5K5bcG/shb/qjCx1vTrhMAhHdqGnMO2NvEAX9gHlKU8moW+kWS07ZMcteBG4GSshWTRfcIseBhSjMERQREO4SGhpw0XDmLiOpgRJwkFJs5xjwJpU8rilOERO6LvgHbtjI1orz0To2Z0SkivJKWNI9IypOE9Wm2iafGWbO/ec+Mp7blP5+5jUmVmFI7F+6eZ/dboWhT7OTA0B1RQbRlfHMpfUdEXf3P5SlSKHmDiNexSXhJlRzvtsG01iate9Uz8zWRqVu9ZlpviXd+SBuz+HOciaFTKrlN2r09K1fNs1Hkc4BDHNM9TVHGJGurkPcQjnvBsXVnCmlh3n6lWLtPs49uyHj4AKb2Qkg=</latexit> <latexit sha1_base64="6l+5XTJqwS4y0umxge8kwfB1dmU=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVZIi6LoRncV7ANqKcl02oamTCZFEtx4Q+41T8T/0D/wjtjCmoRnZDkzLn3nJl7rx+HQaIc5zVnLS2vrK7l1wsbm1vbO8XdvUYiUsl4nYlQyJbvJTwMIl5XgQp5K5bcG/shb/qjCx1vTrhMAhHdqGnMO2NvEAX9gHlKU8moW+kWS07ZMcteBG4GSshWTRfcIseBhSjMERQREO4SGhpw0XDmLiOpgRJwkFJs5xjwJpU8rilOERO6LvgHbtjI1orz0To2Z0SkivJKWNI9IypOE9Wm2iafGWbO/ec+Mp7blP5+5jUmVmFI7F+6eZ/dboWhT7OTA0B1RQbRlfHMpfUdEXf3P5SlSKHmDiNexSXhJlRzvtsG01iate9Uz8zWRqVu9ZlpviXd+SBuz+HOciaFTKrlN2r09K1fNs1Hkc4BDHNM9TVHGJGurkPcQjnvBsXVnCmlh3n6lWLtPs49uyHj4AKb2Qkg=</latexit> <latexit sha1_base64="JgBloVbAcfdqwB87xrJ6F5wSc=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVRIRdFl0o7sKthVqKcl02obmxWRSLMWFP+BW/0z8A/0L74xTUIvohCRnzr3nzNx7/TQMuk4rwVrYXFpeaW4Wlpb39jcKm/vNLMkF4w3WBIm4sb3Mh4GMW/IQIb8JhXci/yQt/zRuYq3xlxkQRJfy0nKO5E3iIN+wDypqGzUdbvlilN19LngWtABWbVk/ILbtFDAoYcEThiSMIhPGT0tOHCQUpcB1PiBKFAxznuUSJtTlmcMjxiR/Qd0K5t2Jj2yjPTakanhPQKUto4IE1CeYKwOs3W8Vw7K/Y376n2VHeb0N83XhGxEkNi/9LNMv+rU7VI9HGqawioplQzqjpmXHLdFXVz+0tVkhxS4hTuUVwQZlo567OtNZmuXfXW0/E3nalYtWcmN8e7uiUN2P05znQPKq6TtW9Oq7Uzsyoi9jDPg5pnieo4QJ1NMh7iEc84dm6tBJrbN19ploFo9nFt2U9fAnXZCR</latexit> <latexit sha1_base64="JgBloVbAcfdqwB87xrJ6F5wSc=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVRIRdFl0o7sKthVqKcl02obmxWRSLMWFP+BW/0z8A/0L74xTUIvohCRnzr3nzNx7/TQMuk4rwVrYXFpeaW4Wlpb39jcKm/vNLMkF4w3WBIm4sb3Mh4GMW/IQIb8JhXci/yQt/zRuYq3xlxkQRJfy0nKO5E3iIN+wDypqGzUdbvlilN19LngWtABWbVk/ILbtFDAoYcEThiSMIhPGT0tOHCQUpcB1PiBKFAxznuUSJtTlmcMjxiR/Qd0K5t2Jj2yjPTakanhPQKUto4IE1CeYKwOs3W8Vw7K/Y376n2VHeb0N83XhGxEkNi/9LNMv+rU7VI9HGqawioplQzqjpmXHLdFXVz+0tVkhxS4hTuUVwQZlo567OtNZmuXfXW0/E3nalYtWcmN8e7uiUN2P05znQPKq6TtW9Oq7Uzsyoi9jDPg5pnieo4QJ1NMh7iEc84dm6tBJrbN19ploFo9nFt2U9fAnXZCR</latexit> <latexit sha1_base64="JgBloVbAcfdqwB87xrJ6F5wSc=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVRIRdFl0o7sKthVqKcl02obmxWRSLMWFP+BW/0z8A/0L74xTUIvohCRnzr3nzNx7/TQMuk4rwVrYXFpeaW4Wlpb39jcKm/vNLMkF4w3WBIm4sb3Mh4GMW/IQIb8JhXci/yQt/zRuYq3xlxkQRJfy0nKO5E3iIN+wDypqGzUdbvlilN19LngWtABWbVk/ILbtFDAoYcEThiSMIhPGT0tOHCQUpcB1PiBKFAxznuUSJtTlmcMjxiR/Qd0K5t2Jj2yjPTakanhPQKUto4IE1CeYKwOs3W8Vw7K/Y376n2VHeb0N83XhGxEkNi/9LNMv+rU7VI9HGqawioplQzqjpmXHLdFXVz+0tVkhxS4hTuUVwQZlo567OtNZmuXfXW0/E3nalYtWcmN8e7uiUN2P05znQPKq6TtW9Oq7Uzsyoi9jDPg5pnieo4QJ1NMh7iEc84dm6tBJrbN19ploFo9nFt2U9fAnXZCR</latexit> <latexit sha1_base64="JgBloVbAcfdqwB87xrJ6F5wSc=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVRIRdFl0o7sKthVqKcl02obmxWRSLMWFP+BW/0z8A/0L74xTUIvohCRnzr3nzNx7/TQMuk4rwVrYXFpeaW4Wlpb39jcKm/vNLMkF4w3WBIm4sb3Mh4GMW/IQIb8JhXci/yQt/zRuYq3xlxkQRJfy0nKO5E3iIN+wDypqGzUdbvlilN19LngWtABWbVk/ILbtFDAoYcEThiSMIhPGT0tOHCQUpcB1PiBKFAxznuUSJtTlmcMjxiR/Qd0K5t2Jj2yjPTakanhPQKUto4IE1CeYKwOs3W8Vw7K/Y376n2VHeb0N83XhGxEkNi/9LNMv+rU7VI9HGqawioplQzqjpmXHLdFXVz+0tVkhxS4hTuUVwQZlo567OtNZmuXfXW0/E3nalYtWcmN8e7uiUN2P05znQPKq6TtW9Oq7Uzsyoi9jDPg5pnieo4QJ1NMh7iEc84dm6tBJrbN19ploFo9nFt2U9fAnXZCR</latexit> Reusable Fuzzy Extractor sk 1 sk 2 . . . • Biometric is unique and cannot be changed or created. • The security of multi-extraction from the same noisy source is not guaranteed by fuzzy extractor.

Reusable Fuzzy Extractor Chosen by Adversary Perturbations Gen . . . Gen . . . Gen

Reusable Fuzzy Extractor Chosen by Adversary Perturbations Gen R j is pseudorandom even given . . (P 1 , R 1 , …,P j, …,P n , R n ) . Gen . . . Gen

Related Works FE schemes Robustness? Reusability? [DRS04], [FMR13] [Boyen04], [ABCG16], [CFPRS16], [ACEK17], [WL18], [WLH18] [BDKOS05], [DKRS06], [KR08], [CDFPW08] No fuzzy extractor considers robustness and reusability simultaneously.

Our Contribution • We formally defined robustly reusable fuzzy extractor(rrFE). • We constructed the first rrFE based on standard assumptions.

Robustly Reusable Fuzzy Extractor Chosen by Adversary R j is pseudorandom even Perturbations given Gen (P 1 , R 1 , …,P j , …,P n , R n ) . . . Gen . . . Gen

Robustly Reusable Fuzzy Extractor Chosen by Adversary R j is pseudorandom even Perturbations given Gen (P 1 , R 1 , …,P j , …,P n , R n ) . . . Gen . It is hard for adversary to . . forge P j ’, st., Rep does not Gen output bot, even if it gets (P 1 , R 1 , …,P j , R j ,…,P n , R n ).

Building Blocks • Homomorphic Secure Sketch (SS) • Homomorphic Extractor (Ext) • Symmetric Key Encapsulation Mechanism (SKEM) • Homomorphic Lossy Algebraic Filter (LAF) 


Building Block-Secure Sketch • SS.Gen(w) SS.Gen W S • Input : a weak random secret w. • Output : a sketch s. • SS.Rec(w’, s) • Input : a noisy version w’ and the sketch s. W’ SS.Rec W S • Output : w. • Correctness : For w’ close to w, w can be recovered from s. • Privacy : s does not leak too much information of w.

Building Block-Secure Sketch • SS.Gen(w) SS.Gen W S • Input : a weak random secret w. • Output : a sketch s. • SS.Rec(w’, s) • Input : a noisy version w’ and the sketch s. W’ SS.Rec W S • Output : w. • Correctness : For w’ close to w, w can be recovered from s. • Privacy : s does not leak too much information of w. Homomorphic secure sketch: SS.Gen(w+w’) = SS.Gen(w) + SS.Gen(w’).

Building Block—Extractor Extractor Input : a weak secret w and a uniformly random seed i. Output : extracted key R = Ext(w; i). W Ext R i Security : R is uniformly random, even conditioned on the seed i. (Ext(W; i), i) ≈ (Uniform, i).

Building Block—Extractor Extractor Input : a weak secret w and a uniformly random seed i. Output : extracted key R = Ext(w; i). W Ext R i Security : R is uniformly random, even conditioned on the seed i. (Ext(W; i), i) ≈ (Uniform, i). Homomorphic extractor: Ext(w+w’, i) =Ext(w; i) + Ext(w’; i).

Building Block—SKEM Symmetric Key Encapsulation Mechanism is similar to traditional KEM. • SKEM.Enc(pp, sk) (c, k). • SKEM.Dec(c, sk)=k. Key-shift sk 1 (c 1 , k 1 ) SKEM k i is pseudorandom . even given . . (c 1 , k 1 , …,c j, …,c n , k n ) sk sk j (c j , k j ) SKEM . . . Key-Shift Security sk n (c n , k n ) SKEM