Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When.

Slides:



Advertisements
Similar presentations
1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
Advertisements

An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?
Why Simple Hash Functions Work : Exploiting the Entropy in a Data Stream Michael Mitzenmacher Salil Vadhan And improvements with Kai-Min Chung.
Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.
Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Strong Key Derivation from Biometrics
Inpainting Assigment – Tips and Hints Outline how to design a good test plan selection of dimensions to test along selection of values for each dimension.
Physical Unclonable Functions and Applications
1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas.
Fuzzy Stuff Lecture 24, Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Fuzzy extractor based on universal hashes
1 The Fortuna PRNG Niels Ferguson. 2 The problem We need to make “random” choices in cryptographic protocols. Computers are deterministic. Standard “random”
 Secure Authentication Using Biometric Data Karen Cui.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
CS151 Complexity Theory Lecture 10 April 29, 2004.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Foundations of Privacy Lecture 11 Lecturer: Moni Naor.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Collecting Correlated Information from a Sensor Network Micah Adler University of Massachusetts, Amherst.
Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 2 Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Ragesh Jaiswal Indian Institute of Technology Delhi Threshold Direct Product Theorems: a survey.
Section 8.1 Estimating  When  is Known In this section, we develop techniques for estimating the population mean μ using sample data. We assume that.
Information Coding in noisy channel error protection:-- improve tolerance of errors error detection: --- indicate occurrence of errors. Source.
Why Extractors? … Extractors, and the closely related “Dispersers”, exhibit some of the most “random-like” properties of explicitly constructed combinatorial.
Threshold Phenomena and Fountain Codes Amin Shokrollahi EPFL Joint work with M. Luby, R. Karp, O. Etesami.
1 A Randomized Space-Time Transmission Scheme for Secret-Key Agreement Xiaohua (Edward) Li 1, Mo Chen 1 and E. Paul Ratazzi 2 1 Department of Electrical.
Password Mistyping in Two-Factor Authenticated Key Exchange Vladimir KolesnikovCharles Rackoff Bell LabsU. Toronto ICALP 2008.
Key Derivation from Noisy Sources with More Errors Than Entropy Benjamin Fuller Joint work with Ran Canetti, Omer Paneth, and Leonid Reyzin May 5, 2014.
Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)
Privacy-preserving rule mining. Outline  A brief introduction to association rule mining  Privacy preserving rule mining Single party  Perturbation.
1 Private codes or Succinct random codes that are (almost) perfect Michael Langberg California Institute of Technology.
1 Markov Decision Processes Infinite Horizon Problems Alan Fern * * Based in part on slides by Craig Boutilier and Daniel Weld.
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
The question Can we generate provable random numbers? …. ?
Randomness Extraction Beyond the Classical World Kai-Min Chung Academia Sinica, Taiwan 1 Based on joint works with Xin Li, Yaoyun Shi, and Xiaodi Wu.
WISA 2007 Jeju Island, Korea, 27th – 29th Aug 2007 Longer Randomly Blinded RSA Keys may be Weaker than Shorter Ones Colin D. Walter
1 Leonid Reyzin Boston University Adam Smith Weizmann  IPAM  Penn State Robust Fuzzy Extractors & Authenticated Key Agreement from Close Secrets Yevgeniy.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
When is Key Derivation from Noisy Sources Possible?
Does Privacy Require True Randomness? Yevgeniy Dodis New York University Joint work with Carl Bosley.
Correcting Errors Without Leaking Partial Information Yevgeniy Dodis New York University Adam SmithWeizmann Institute To appear in STOC 2005
Lecture 5 Page 1 CS 236 Online More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Secure Remote Authentication Using Biometrics Portions of this work done with Xavier Boyen, Yevgeniy Dodis, Rafail Ostrovsky, Adam Smith Jonathan Katz.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Strong Key Derivation from Noisy Sources
Reusable Fuzzy Extractors for Low-Entropy Distributions
Computational Fuzzy Extractors
Digital Signature Schemes and the Random Oracle Model
Cryptographic Hash Functions Part I
Background: Lattices and the Learning-with-Errors problem
Cryptography Lecture 4.
When are Fuzzy Extractors Possible?
The Curve Merger (Dvir & Widgerson, 2008)
Linear sketching over
When are Fuzzy Extractors Possible?
Information Theoretical Analysis of Digital Watermarking
Presentation transcript:

Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When are Fuzzy Extractors Possible? [FullerSmithReyzin14] Key Derivation from Noisy Sources with More Errors than Entropy [CanettiFullerPanethSmithReyzin14]

Key Derivation from Noisy Sources Physically Unclonable Functions (PUFs) Biometric Data High-entropy sources are often noisy –Initial reading w 0 ≠ later reading reading w 1 – Source w 0 = a 1,…, a k, each symbol a i over alphabet Z –Assume a bound on distance: d(w 0, w 1 ) ≤ t d(w 0, w 1 ) = # of symbols in that differ ABCADBEFAA AGCABBEFCB w0w0 w1w1 d(w 0, w 1 )=4

Key Derivation from Noisy Sources Physically Unclonable Functions (PUFs) Biometric Data Goal of this talk: produce good outputs in scenarios we couldn’t handle before High-entropy sources are often noisy –Initial reading w 0 ≠ later reading reading w 1 – Source w 0 = a 1,…, a k, each symbol a i over alphabet Z –Assume a bound on distance: d(w 0, w 1 ) ≤ t Goal: derive a stable cryptographically strong output –Want w 0, w 1 to map to same output –The output should look uniform to the adversary

Physical Unclonable Functions (PUFs) [PappuRechtTaylorGershenfeld02] Hardware that implements random function Impossible to copy precisely Large challenge/response space – On fixed challenge, responses close together interference Gabor Hash Laser

Biometrics Measure unique physical phenomenon Unique, collectable, permanent, universal Repeated readings exhibit significant noise Uniqueness/Noise vary widely Human iris believed to be “best” [Daugman04], [PrabhakarPankantiJain03]

Two Physical Processes w0w0 w 0 – create a new biometric or hardware device, take initial reading w 1 – take new reading from a fixed biometric or hardware device w1w1 Two readings may not be subject to same noise. Often less error in original reading Uncertainty Errors

Outline Strong Authentication through Key Derivation Key Derivation from Noisy Sources Limitations of Traditional Approaches/Lessons New Constructions

Key Derivation from Noisy Sources Interactive Protocols [Wyner75] … [BennettBrassardRobert85,88] …lots of work… w1w1 w0w0 Parties agree on cryptographic key Problem: User must store initial reading w 0 at server Want approach where w 0 is not stored!

Fuzzy Extractors: Functionality [JuelsWattenberg99], …, [DodisOstrovskyReyzinSmith04] … Enrollment algorithm Gen : Take a measurement w 0 from the source. Use it to “lock up” random r in a nonsecret value p. Subsequent algorithm Rep: give same output if d(w 0, w 1 ) < t Security: r looks uniform even given p, w hen the source is good enough w0w0 p w1w1 < t Gen Rep Traditionally, security def. is information theoretic r r

Fuzzy Extractors: Goals Goal 1: handle as many sources as possible (typically, any source in which w 0 is 2 k -hard to guess) Goal 2: handle as much error as possible (typically, any w 1 within distance t ) Most previous approaches are analyzed in terms of t and k w0w0 p w1w1 < t Gen Rep entropy k Traditional approaches do not support sources with t > k (many practical sources) r r

Contribution Three lessons on how to construct fuzzy extractors for practical sources – Eliminate Secure Sketches [FMR13] – Exploit Distributional Structure [FRS14] – Define Objects Computational [FMR13] Constructions of fuzzy extractors for large classes of distributions where t > k [CFPRS14] Reusable fuzzy extractor for arbitrary correlation between repeated readings [CFPRS14]

Gen Rep w0w0 p Ext (converts high-entropy sources to uniform, e.g., via universal hashing [CarterWegman77] ) w1w1 Fuzzy Extractors: Typical Construction < t entropy k - correct errors using a secure sketch - derive r using a randomness extractor (gives recovery of the original from a noisy signal) [DodisOstrovskyReyzinSmith08] r r

Gen Rep w0w0 p Ext w1w1 Fuzzy Extractors: Typical Construction Sketch Rec w0w0 < t entropy k - correct errors using a secure sketch - derive r using a randomness extractor (gives recovery of the original from a noisy signal) (converts high-entropy sources to uniform, e.g., via universal hashing [CarterWegman77] ) [DodisOstrovskyReyzinSmith08] r r

Secure Sketches Generate Reproduce Ext Sketch Rec Code Offset Sketch [JuelsWattenberg99] p =c  w 0 c r r p w0w0 w1w1 < t C – Error correcting code correcting t errors

Secure Sketches c’=Decode(c*) p  w 1 = c* p =c  w 0 c If decoding succeeds, w 0 = c’  p. If decoding succeeds, w 0 = c’  p. Generate Reproduce Ext Sketch Rec p w0w0 w1w1 < t r r Code Offset Sketch [JuelsWattenberg99] C – Error correcting code correcting t errors

p  w 1 = c* p =c  w 0 p  w’ 1 Secure Sketches Generate Reproduce Ext Sketch Rec p w0w0 w’1w’1 > t r r Code Offset Sketch [JuelsWattenberg99] p has info about w 0. How much does it hurt security? C – Error correcting code correcting t errors

Outline Strong Authentication through Key Derivation Key Derivation from Noisy Sources Limitations of Traditional Approaches/Lessons New Constructions

Gen Rep w0w0 p Ext w1w1 p must store enough information to recover w 0 How much information is that? Problem with Secure Sketches Sketch Rec w0w0 entropy k < t r r

Rep w0w0 p Ext w1w1 p must store enough information to recover w 0 How much information is that? If all Rep knows about source is entropy, w 0 can be anywhere within distance t, so log |B t | > t bits Current approaches provide no security if t > k Problem with Secure Sketches Rec w0w0 < t BtBt r stores t bits about w 0 has k < t bits of entropy r

Rep w0w0 p Ext w1w1 Fuzzy extractors and secure sketches have upper bounds on key length based on error tolerance Secure sketches subject to stronger bounds Thm [FMR13]: Secure sketches with computational security limited: Problem with Secure Sketches Rec w0w0 < t BtBt r stores t bits about w 0 has k < t bits of entropy r Can build sketches with info-theoretic security from sketches that provide computational security

Lessons 1.Stop using secure sketches – Subject to strong bounds – Bounds apply with computational security

Is it possible to handle “more errors than entropy” ( t > k )? Support of w 0 This distribution has 2 k points Why might we hope to extract from this distribution? Points are far apart No need to deconflict original reading w1w1

Is it possible to handle “more errors than entropy” ( t > k )? Support of w 0 Left and right have same number of points and error tolerance Support of v 0 r Since t > k there is a distribution v 0 where all points lie in a single ball

Is it possible to handle “more errors than entropy” ( t > k )? Support of v 0 Support of w 0 v1v1 r Rep For any construction adversary learns r by running with v 1 r t r r Recall: adversary can run Rep on any point w1w1 r Rep ? t The likelihood of adversary picking a point w 1 close enough to recover r is low

Is it possible to handle “more errors than entropy” ( t > k )? Support of v 0 Support of w 0 Key derivation may be possible for w 0, impossible for v 0 v1v1 r Rep For any construction adversary learns r by running with v 1 r t r w1w1 t r Rep ? To distinguish between w 0 and v 0 must consider more than just t and k The likelihood of adversary picking a point w 1 close enough to recover r is low

Lessons 1.Stop using secure sketches 2.Exploit structure of source beyond entropy – Need to understand what structure is helpful

Understand the structure of source w1w1 r Rep t Minimum necessary condition for fuzzy extraction: weight inside any B t must be small Let H fuzz (W 0 ) = log (1/max wt(B t )) Big H fuzz (W 0 ) is necessary Q: Is big H fuzz (W 0 ) sufficient for fuzzy extractors?

Is big H fuzz (W 0 ) sufficient? Thm [FRS]: Yes, if algorithms know exact distribution of W 0 Imprudent to assume construction and adversary have same view of W 0 – Should assume adversary knows more about W 0 – Deal with adversary knowledge by providing security for family V of W 0, security should hold for whole family Thm [FRS]: No if W 0 is only known to come from a family V A3: Yes if security is computational (using obfuscation) [Bitansky Canetti Kalai Paneth 14] A4: No if security is information-theoretic A5: No if you try to build (computational) secure sketch Will show negative result for secure sketches (negative result for fuzzy extractors more complicated)

Thm [FRS]: No if W 0 comes from a family V Describe a family of distributions V For any fuzzy extractor Gen, Rep for most W 0 in V, few w* in W 0 could produce p Implies W 0 has little entropy conditioned on p Rep w0w0 p w1w1 Rec w0w0 < t BtBt

Adversary specifies V Goal: build Sketch, Rec maximizing H(W | p), for all W in V First consider one dist. W For w 0, Rec(w 0, p) =w 0 For nearby w 1, Rec(w 1, p) = w 0 Call augmented fixed point To maximize H(W | p) make as many points of W augmented fixed points Augmented fixed points at least distance t apart (exponentially small fraction of space) w 0 = Rec(w 0, p) w1w1 W Now we’ll consider family V, Goal: for most W in V, can’t include many augmented fixed points

Adversary specifies V Goal: build Sketch, Rec maximizing H(W | p), for all W in V Sketch must create augmented fixed points based only on w 0 Build family with many possible distributions for each w 0 Sketch can’t tell W from w 0 w0w0 W

w0w0 W Adversary specifies V Goal: build Sketch, Rec maximizing H(W | p), for all W in V Sketch must create augmented fixed points based only on w 0 Build family with many possible distributions for each w 0 Sketch can’t tell W from w 0

w0w0 W Adversary specifies V Goal: build Sketch, Rec maximizing H(W | p), for all W in V Sketch must create augmented fixed points based only on w 0 Build family with many possible distributions for each w 0 Sketch can’t tell W from w 0

Viable points set by Gen Adversary knows color of w 0 Adversary specifies V Goal: build Sketch, Rec maximizing H(W | p), for all W in V Sketch must create augmented fixed points based only on w 0 Build family with many possible distributions for each w 0 Sketch can’t tell W from w 0 Distributions only share w 0 – Sketch must include augmented fixed points from all distributions with w 0 w0w0

Viable points set by Gen Adversary knows color of w 0 Adversary specifies V Goal: build Sketch, Rec maximizing H(W | p), for all W in V Sketch must create augmented fixed points based only on w 0 Build family with many possible distributions for each w 0 Sketch can’t tell W from w 0 Distributions only share w 0 – Sketch must include augmented fixed points from all distributions with w 0 Maybe this was a bad choice of viable points? Adversary’s search space w0w0

Adversary knows color of w 0 Adversary specifies V Goal: build Sketch, Rec maximizing H(W | p), for all W in V Sketch must create augmented fixed points based only on w 0 Build family with many possible distributions for each w 0 Sketch can’t tell W from w 0 Distributions only share w 0 – Sketch must include augmented fixed points from all distributions with w 0 w0w0 Alternative Points

Adversary knows color of w 0 Adversary specifies V Goal: build Sketch, Rec maximizing H(W | p), for all W in V Sketch must create augmented fixed points based only on w 0 Build family with many possible distributions for each w 0 Sketch can’t tell W from w 0 Distributions only share w 0 – Sketch must include augmented fixed points from all distributions with w 0 w0w0 Alternative Points Adversary’s search space Thm: Sketch, Rec can include at most 4 augmented fixed points from members of V on average

Thm [FRS]: Yes, if algorithms know exact distribution of W 0 Imprudent to assume construction and adversary have same view of W 0 – Deal with adversary knowledge by providing security for family V of W 0, security should hold for whole family Thm [FRS]: No if adversary knows more about W 0 than fuzzy extractor creator A3: Yes if security is computational (using obfuscation) [Bitansky Canetti Kalai Paneth 14] A4: No if security is information-theoretic A5: No if you try to build (computational) secure sketch Is big H fuzz (W 0 ) sufficient? Fuzzy extractors defined information-theoretically (used info-theory tools), No compelling need for info-theory security Fuzzy extractors defined information-theoretically (used info-theory tools), No compelling need for info-theory security

Lessons 1.Stop using secure sketches 2.Exploit structure of source beyond entropy 3.Define objects computationally

Outline Strong Authentication through Key Derivation Key Derivation from Noisy Sources Lessons 1.Stop using secure sketches 2.Exploit structure of source beyond entropy 3.Define objects computationally New Constructions

Idea [CFPRS14]: “encrypt” r using parts of w 0 w 0 = a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 Gen : - get random combinations of symbols in w 0 r p Gen a 3 a 9 a 5 r r a 1 a 9 a 2 r r a 3 a 4 a 5 r r a 7 a 5 a 6 r r a 2 a 8 a 7 r r a 3 a 5 a 2 r r - “lock” r using these combinations r

w 0 = a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 r p Gen a 3 a 9 a 5 r r a 1 a 9 a 2 r r a 3 a 4 a 5 r r a 7 a 5 a 6 r r a 2 a 8 a 7 r r a 3 a 5 a 2 r r Gen : - get random combinations of symbols in w 0 - “lock” r using these combinations r Idea [CFPRS14]: “encrypt” r using parts of w 0

w 0 = a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 r p Gen a 3 a 9 a 5 r r a 1 a 9 a 2 r r a 3 a 4 a 5 r r a 7 a 5 a 6 r r a 2 a 8 a 7 r r a 3 a 5 a 2 r r Gen : - get random combinations of symbols in w 0 - “lock” r using these combinations r Idea [CFPRS14]: “encrypt” r using parts of w 0

w 0 = a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 a 1 a 9 a 2 r a 3 a 9 a 5 r a 3 a 4 a 5 r a 7 a 5 a 6 r a 2 a 8 a 7 r a 3 a 5 a 2 r - = locks + positions of symbols needed to unlock r p Gen p Gen : - get random combinations of symbols in w 0 - “lock” r using these combinations r Idea [CFPRS14]: “encrypt” r using parts of w 0

w 0 = a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 a 1 a 9 a 2 r a 3 a 9 a 5 r a 3 a 4 a 5 r a 7 a 5 a 6 r a 2 a 8 a 7 r a 3 a 5 a 2 r r p Gen - = locks + positions of symbols needed to unlock p Gen : - get random combinations of symbols in w 0 - “lock” r using these combinations r Idea [CFPRS14]: “encrypt” r using parts of w 0

a 1 a 9 a 2 r a 3 a 9 a 5 r a 3 a 4 a 5 r a 7 a 5 a 6 r a 2 a 8 a 7 r a 3 a 5 a 2 r p - = locks + positions of symbols needed to unlock p Gen : - get random combinations of symbols in w 0 - “lock” r using these combinations r Idea [CFPRS14]: “encrypt” r using parts of w 0

a 1 a 9 a 2 r a 3 a 9 a 5 r a 3 a 4 a 5 r a 7 a 5 a 6 r a 2 a 8 a 7 r a 3 a 5 a 2 r p Rep : w 1 = a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 r Rep - = locks + positions of symbols needed to unlock p Gen : - get random combinations of symbols in w 0 - “lock” r using these combinations r Idea [CFPRS14]: “encrypt” r using parts of w 0

a 1 a 9 a 2 r a 3 a 4 a 5 r a7 a5a6a7 a5a6 r a 2 a 8 a 7 r a 3 a 5 a 2 r p w 1 = a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 r Rep a 3 a 9 a 5 r Rep : - = locks + positions of symbols needed to unlock p Gen : - get random combinations of symbols in w 0 - “lock” r using these combinations r Idea [CFPRS14]: “encrypt” r using parts of w 0

a 1 a 9 a 2 r a 3 a 4 a 5 r a7 a5a6a7 a5a6 r a 2 a 8 a 7 r a 3 a 5 a 2 r p w 1 = a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 r Rep a 3 a 9 a 5 r Rep : Use the symbols of w 1 to open at least one lock - = locks + positions of symbols needed to unlock p Gen : - get random combinations of symbols in w 0 - “lock” r using these combinations r Idea [CFPRS14]: “encrypt” r using parts of w 0

a 1 a 9 a 2 r a 3 a 4 a 5 r a7 a5a6a7 a5a6 r a 2 a 8 a 7 r a 3 a 5 a 2 r p w 1 = a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 r Rep Rep : Use the symbols of w 1 to open at least one lock a 3 a 9 a 5 r r - = locks + positions of symbols needed to unlock p Gen : - get random combinations of symbols in w 0 - “lock” r using these combinations r Idea [CFPRS14]: “encrypt” r using parts of w 0

a 1 a 9 a 2 r a 3 a 4 a 5 r a7 a5a6a7 a5a6 r a 2 a 8 a 7 r a 3 a 5 a 2 r Rep : Use the symbols of w 1 to open at least one lock a 3 a 9 a 5 r r Error-tolerance: one combination must unlock with high probability Security: each combination must have enough entropy - = locks + positions of symbols needed to unlock p Gen : - get random combinations of symbols in w 0 - “lock” r using these combinations r (sampling of symbols must preserve sufficient entropy) Idea [CFPRS14]: “encrypt” r using parts of w 0

How to implement locks? A lock is the following program: – If input = a 1 a 9 a 2, output r – Else output  – One implementation (R.O. model): lock = r  H(a 1 a 9 a 2 ) a 1 a 9 a 2 r Ideally: Obfuscate this program – Obfuscation: preserve functionality, hide the program – Obfuscating this specific program called “digital locker”

Digital Lockers Digital Locker is obfuscation of – If input = a 1 a 9 a 2, output r – Else output  Equivalent to encryption of r that is secure even multiple times with correlated, weak keys [CanettiKalaiVariaWichs10] Digital lockers are practical (R.O. or DL-based) [CanettiDakdouk08], [BitanskyCanetti10] Hides r if input can’t be exhaustively searched (superlogarithmic entropy) a 1 a 9 a 2 r

Digital Locker is obfuscation of – If input = a 1 a 9 a 2, output r – Else output  Equivalent to encryption of r that is secure even multiple times with correlated and weak keys [CanettiKalaiVariaWichs10] Digital lockers are practical (R.O. or DL-based) [CanettiDakdouk08], [BitanskyCanetti10] Hides r if input can’t be exhaustively searched (superlogarithmic entropy) Digital Lockers Q: if you are going to use obfuscation, why bother? Why not just obfuscate the following program for p – If distance between w 0 and the input is less than t, output r – Else output  A: you can do that [BitanskyCanettiKalaiPaneth14], except it’s very impractical + has a very strong assumption a 1 a 9 a 2 r

How good is this construction? Handles sources with t > k For correctness: t < constant fraction of symbols a 1 a 9 a 2 r a 3 a 9 a 5 r a 3 a 4 a 5 r a 7 a 5 a 6 r a 2 a 8 a 7 r a 3 a 5 a 2 r

How good is this construction? Handles sources with t > k For correctness: t < constant fraction of symbols a 1 a 9 a 2 r a 3 a 9 a 5 r a 3 a 4 a 5 r a 7 a 5 a 6 r a 2 a 8 a 7 r a 3 a 5 a 2 r Construction 2: Supports t= constant fraction but only for really large alphabets Construction 2: Supports t= constant fraction but only for really large alphabets Construction 3: Similar parameters but info-theoretic security Construction 3: Similar parameters but info-theoretic security Why did I tell you about computation constructional?

How good is this construction? It is reusable! – Same source can be enrolled multiple times with multiple independent services w0w0 r p Gen w0'w0' r' p' Gen w 0 '' r'' p'' Gen Secret even given p, p', p'', r, r'' Secret even given p, p', p'', r, r''

How good is this construction? It is reusable! – Same source can be enrolled multiple times with multiple independent services – Follows from composability of obfuscation – In the past: difficult to achieve, because typically new enrollments leak fresh information – Only previous construction [Boyen2004]: all reading must differ by fixed constants (unrealistic) – Our construction: each reading individually must satisfy our conditions

Conclusion Lessons: Don’t use secure sketches (i.e., full error correction) Exploit structure in source Provide computational security It is possible to cover sources with more errors than entropy! Also get reusability! t Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.