robustly reusable fuzzy extractor from standard
play

Robustly Reusable Fuzzy Extractor from Standard Assumptions Yunhua - PowerPoint PPT Presentation

Robustly Reusable Fuzzy Extractor from Standard Assumptions Yunhua Wen and Shengli Liu Shanghai Jiao Tong University Problem Randomness is crucial in cryptography (e.g. sk). However, uniformly distributed and accurately reproducible


  1. Robustly Reusable Fuzzy Extractor from Standard Assumptions Yunhua Wen and Shengli Liu Shanghai Jiao Tong University

  2. Problem • Randomness is crucial in cryptography (e.g. sk). • However, uniformly distributed and accurately reproducible string is rare in practice. • There are many imperfect random sources, e.g. Biometric Information Physically Unclonable Functions (PUFs)

  3. Problem • Randomness is crucial in cryptography (e.g. sk). • However, uniformly distributed and accurately reproducible string is rare in practice. • There are many imperfect random sources, e.g. Biometric Information Physically Unclonable Functions (PUFs) Problem : How to use such imperfect random sources in cryptography?

  4. Fuzzy Extractor • Gen(w) • Input : a weak random secret w. • Output : the extracted key R and a public helper string P . • Rep(w’, P) • Input : a noisy version w’ and the public helper string P . • Output : the extracted key R’. W’ R Gen Rep W R’ P P

  5. Fuzzy Extractor • Gen(w) • Input : a weak random secret w. • Output : the extracted key R and a public helper string P . • Rep(w’, P) • Input : a noisy version w’ and the public helper string P . • Output : the extracted key R’. W’ R Gen Rep W R’ P P Correctness : If w’ is close enough to w, R’=R. Security : R is pseudorandom given P .

  6. Applications Application in Encryption and Decryption : m C C Enc m Dec R R Gen Rep P P Users do not need to store the secret key R.

  7. Robust Fuzzy Extractor m C C Enc m’ Dec R R’ Gen Rep P’ P The user may get a wrong key R’ without notifications.

  8. Robust Fuzzy Extractor m C Enc R Failure Gen Rep P’ P Security : If P is modified, then Rep will output .

  9. <latexit sha1_base64="6l+5XTJqwS4y0umxge8kwfB1dmU=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVZIi6LoRncV7ANqKcl02oamTCZFEtx4Q+41T8T/0D/wjtjCmoRnZDkzLn3nJl7rx+HQaIc5zVnLS2vrK7l1wsbm1vbO8XdvUYiUsl4nYlQyJbvJTwMIl5XgQp5K5bcG/shb/qjCx1vTrhMAhHdqGnMO2NvEAX9gHlKU8moW+kWS07ZMcteBG4GSshWTRfcIseBhSjMERQREO4SGhpw0XDmLiOpgRJwkFJs5xjwJpU8rilOERO6LvgHbtjI1orz0To2Z0SkivJKWNI9IypOE9Wm2iafGWbO/ec+Mp7blP5+5jUmVmFI7F+6eZ/dboWhT7OTA0B1RQbRlfHMpfUdEXf3P5SlSKHmDiNexSXhJlRzvtsG01iate9Uz8zWRqVu9ZlpviXd+SBuz+HOciaFTKrlN2r09K1fNs1Hkc4BDHNM9TVHGJGurkPcQjnvBsXVnCmlh3n6lWLtPs49uyHj4AKb2Qkg=</latexit> <latexit sha1_base64="6l+5XTJqwS4y0umxge8kwfB1dmU=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVZIi6LoRncV7ANqKcl02oamTCZFEtx4Q+41T8T/0D/wjtjCmoRnZDkzLn3nJl7rx+HQaIc5zVnLS2vrK7l1wsbm1vbO8XdvUYiUsl4nYlQyJbvJTwMIl5XgQp5K5bcG/shb/qjCx1vTrhMAhHdqGnMO2NvEAX9gHlKU8moW+kWS07ZMcteBG4GSshWTRfcIseBhSjMERQREO4SGhpw0XDmLiOpgRJwkFJs5xjwJpU8rilOERO6LvgHbtjI1orz0To2Z0SkivJKWNI9IypOE9Wm2iafGWbO/ec+Mp7blP5+5jUmVmFI7F+6eZ/dboWhT7OTA0B1RQbRlfHMpfUdEXf3P5SlSKHmDiNexSXhJlRzvtsG01iate9Uz8zWRqVu9ZlpviXd+SBuz+HOciaFTKrlN2r09K1fNs1Hkc4BDHNM9TVHGJGurkPcQjnvBsXVnCmlh3n6lWLtPs49uyHj4AKb2Qkg=</latexit> <latexit sha1_base64="6l+5XTJqwS4y0umxge8kwfB1dmU=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVZIi6LoRncV7ANqKcl02oamTCZFEtx4Q+41T8T/0D/wjtjCmoRnZDkzLn3nJl7rx+HQaIc5zVnLS2vrK7l1wsbm1vbO8XdvUYiUsl4nYlQyJbvJTwMIl5XgQp5K5bcG/shb/qjCx1vTrhMAhHdqGnMO2NvEAX9gHlKU8moW+kWS07ZMcteBG4GSshWTRfcIseBhSjMERQREO4SGhpw0XDmLiOpgRJwkFJs5xjwJpU8rilOERO6LvgHbtjI1orz0To2Z0SkivJKWNI9IypOE9Wm2iafGWbO/ec+Mp7blP5+5jUmVmFI7F+6eZ/dboWhT7OTA0B1RQbRlfHMpfUdEXf3P5SlSKHmDiNexSXhJlRzvtsG01iate9Uz8zWRqVu9ZlpviXd+SBuz+HOciaFTKrlN2r09K1fNs1Hkc4BDHNM9TVHGJGurkPcQjnvBsXVnCmlh3n6lWLtPs49uyHj4AKb2Qkg=</latexit> <latexit sha1_base64="6l+5XTJqwS4y0umxge8kwfB1dmU=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVZIi6LoRncV7ANqKcl02oamTCZFEtx4Q+41T8T/0D/wjtjCmoRnZDkzLn3nJl7rx+HQaIc5zVnLS2vrK7l1wsbm1vbO8XdvUYiUsl4nYlQyJbvJTwMIl5XgQp5K5bcG/shb/qjCx1vTrhMAhHdqGnMO2NvEAX9gHlKU8moW+kWS07ZMcteBG4GSshWTRfcIseBhSjMERQREO4SGhpw0XDmLiOpgRJwkFJs5xjwJpU8rilOERO6LvgHbtjI1orz0To2Z0SkivJKWNI9IypOE9Wm2iafGWbO/ec+Mp7blP5+5jUmVmFI7F+6eZ/dboWhT7OTA0B1RQbRlfHMpfUdEXf3P5SlSKHmDiNexSXhJlRzvtsG01iate9Uz8zWRqVu9ZlpviXd+SBuz+HOciaFTKrlN2r09K1fNs1Hkc4BDHNM9TVHGJGurkPcQjnvBsXVnCmlh3n6lWLtPs49uyHj4AKb2Qkg=</latexit> <latexit sha1_base64="JgBloVbAcfdqwB87xrJ6F5wSc=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVRIRdFl0o7sKthVqKcl02obmxWRSLMWFP+BW/0z8A/0L74xTUIvohCRnzr3nzNx7/TQMuk4rwVrYXFpeaW4Wlpb39jcKm/vNLMkF4w3WBIm4sb3Mh4GMW/IQIb8JhXci/yQt/zRuYq3xlxkQRJfy0nKO5E3iIN+wDypqGzUdbvlilN19LngWtABWbVk/ILbtFDAoYcEThiSMIhPGT0tOHCQUpcB1PiBKFAxznuUSJtTlmcMjxiR/Qd0K5t2Jj2yjPTakanhPQKUto4IE1CeYKwOs3W8Vw7K/Y376n2VHeb0N83XhGxEkNi/9LNMv+rU7VI9HGqawioplQzqjpmXHLdFXVz+0tVkhxS4hTuUVwQZlo567OtNZmuXfXW0/E3nalYtWcmN8e7uiUN2P05znQPKq6TtW9Oq7Uzsyoi9jDPg5pnieo4QJ1NMh7iEc84dm6tBJrbN19ploFo9nFt2U9fAnXZCR</latexit> <latexit sha1_base64="JgBloVbAcfdqwB87xrJ6F5wSc=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVRIRdFl0o7sKthVqKcl02obmxWRSLMWFP+BW/0z8A/0L74xTUIvohCRnzr3nzNx7/TQMuk4rwVrYXFpeaW4Wlpb39jcKm/vNLMkF4w3WBIm4sb3Mh4GMW/IQIb8JhXci/yQt/zRuYq3xlxkQRJfy0nKO5E3iIN+wDypqGzUdbvlilN19LngWtABWbVk/ILbtFDAoYcEThiSMIhPGT0tOHCQUpcB1PiBKFAxznuUSJtTlmcMjxiR/Qd0K5t2Jj2yjPTakanhPQKUto4IE1CeYKwOs3W8Vw7K/Y376n2VHeb0N83XhGxEkNi/9LNMv+rU7VI9HGqawioplQzqjpmXHLdFXVz+0tVkhxS4hTuUVwQZlo567OtNZmuXfXW0/E3nalYtWcmN8e7uiUN2P05znQPKq6TtW9Oq7Uzsyoi9jDPg5pnieo4QJ1NMh7iEc84dm6tBJrbN19ploFo9nFt2U9fAnXZCR</latexit> <latexit sha1_base64="JgBloVbAcfdqwB87xrJ6F5wSc=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVRIRdFl0o7sKthVqKcl02obmxWRSLMWFP+BW/0z8A/0L74xTUIvohCRnzr3nzNx7/TQMuk4rwVrYXFpeaW4Wlpb39jcKm/vNLMkF4w3WBIm4sb3Mh4GMW/IQIb8JhXci/yQt/zRuYq3xlxkQRJfy0nKO5E3iIN+wDypqGzUdbvlilN19LngWtABWbVk/ILbtFDAoYcEThiSMIhPGT0tOHCQUpcB1PiBKFAxznuUSJtTlmcMjxiR/Qd0K5t2Jj2yjPTakanhPQKUto4IE1CeYKwOs3W8Vw7K/Y376n2VHeb0N83XhGxEkNi/9LNMv+rU7VI9HGqawioplQzqjpmXHLdFXVz+0tVkhxS4hTuUVwQZlo567OtNZmuXfXW0/E3nalYtWcmN8e7uiUN2P05znQPKq6TtW9Oq7Uzsyoi9jDPg5pnieo4QJ1NMh7iEc84dm6tBJrbN19ploFo9nFt2U9fAnXZCR</latexit> <latexit sha1_base64="JgBloVbAcfdqwB87xrJ6F5wSc=">ACx3icjVHLSsNAFD2Nr1pfVZdugkVwVRIRdFl0o7sKthVqKcl02obmxWRSLMWFP+BW/0z8A/0L74xTUIvohCRnzr3nzNx7/TQMuk4rwVrYXFpeaW4Wlpb39jcKm/vNLMkF4w3WBIm4sb3Mh4GMW/IQIb8JhXci/yQt/zRuYq3xlxkQRJfy0nKO5E3iIN+wDypqGzUdbvlilN19LngWtABWbVk/ILbtFDAoYcEThiSMIhPGT0tOHCQUpcB1PiBKFAxznuUSJtTlmcMjxiR/Qd0K5t2Jj2yjPTakanhPQKUto4IE1CeYKwOs3W8Vw7K/Y376n2VHeb0N83XhGxEkNi/9LNMv+rU7VI9HGqawioplQzqjpmXHLdFXVz+0tVkhxS4hTuUVwQZlo567OtNZmuXfXW0/E3nalYtWcmN8e7uiUN2P05znQPKq6TtW9Oq7Uzsyoi9jDPg5pnieo4QJ1NMh7iEc84dm6tBJrbN19ploFo9nFt2U9fAnXZCR</latexit> Reusable Fuzzy Extractor sk 1 sk 2 . . . • Biometric is unique and cannot be changed or created. • The security of multi-extraction from the same noisy source is not guaranteed by fuzzy extractor.

  10. Reusable Fuzzy Extractor Chosen by Adversary Perturbations Gen . . . Gen . . . Gen

  11. Reusable Fuzzy Extractor Chosen by Adversary Perturbations Gen R j is pseudorandom even given . . (P 1 , R 1 , …,P j, …,P n , R n ) . Gen . . . Gen

  12. Related Works FE schemes Robustness? Reusability? [DRS04], [FMR13] [Boyen04], [ABCG16], [CFPRS16], [ACEK17], [WL18], [WLH18] [BDKOS05], [DKRS06], [KR08], [CDFPW08] No fuzzy extractor considers robustness and reusability simultaneously.

  13. Our Contribution • We formally defined robustly reusable fuzzy extractor(rrFE). • We constructed the first rrFE based on standard assumptions.

  14. Robustly Reusable Fuzzy Extractor Chosen by Adversary R j is pseudorandom even Perturbations given Gen (P 1 , R 1 , …,P j , …,P n , R n ) . . . Gen . . . Gen

  15. Robustly Reusable Fuzzy Extractor Chosen by Adversary R j is pseudorandom even Perturbations given Gen (P 1 , R 1 , …,P j , …,P n , R n ) . . . Gen . It is hard for adversary to . . forge P j ’, st., Rep does not Gen output bot, even if it gets (P 1 , R 1 , …,P j , R j ,…,P n , R n ).

  16. Building Blocks • Homomorphic Secure Sketch (SS) • Homomorphic Extractor (Ext) • Symmetric Key Encapsulation Mechanism (SKEM) • Homomorphic Lossy Algebraic Filter (LAF) 


  17. Building Block-Secure Sketch • SS.Gen(w) SS.Gen W S • Input : a weak random secret w. • Output : a sketch s. • SS.Rec(w’, s) • Input : a noisy version w’ and the sketch s. W’ SS.Rec W S • Output : w. • Correctness : For w’ close to w, w can be recovered from s. • Privacy : s does not leak too much information of w.

  18. Building Block-Secure Sketch • SS.Gen(w) SS.Gen W S • Input : a weak random secret w. • Output : a sketch s. • SS.Rec(w’, s) • Input : a noisy version w’ and the sketch s. W’ SS.Rec W S • Output : w. • Correctness : For w’ close to w, w can be recovered from s. • Privacy : s does not leak too much information of w. Homomorphic secure sketch: SS.Gen(w+w’) = SS.Gen(w) + SS.Gen(w’).

  19. Building Block—Extractor Extractor Input : a weak secret w and a uniformly random seed i. Output : extracted key R = Ext(w; i). W Ext R i Security : R is uniformly random, even conditioned on the seed i. (Ext(W; i), i) ≈ (Uniform, i).

  20. Building Block—Extractor Extractor Input : a weak secret w and a uniformly random seed i. Output : extracted key R = Ext(w; i). W Ext R i Security : R is uniformly random, even conditioned on the seed i. (Ext(W; i), i) ≈ (Uniform, i). Homomorphic extractor: Ext(w+w’, i) =Ext(w; i) + Ext(w’; i).

  21. Building Block—SKEM Symmetric Key Encapsulation Mechanism is similar to traditional KEM. • SKEM.Enc(pp, sk) (c, k). • SKEM.Dec(c, sk)=k. Key-shift sk 1 (c 1 , k 1 ) SKEM k i is pseudorandom . even given . . (c 1 , k 1 , …,c j, …,c n , k n ) sk sk j (c j , k j ) SKEM . . . Key-Shift Security sk n (c n , k n ) SKEM

Recommend


More recommend