When is Key Derivation from Noisy Sources Possible? Benjamin Fuller, Leonid Reyzin, and Adam Smith Additional Work with Ran Canetti, Xianrui Meng, Omer Paneth August 26, 2014 1 1

Outline Noisy Authentication Sources Fuzzy Extractors Limitations of Standard Techniques Current Work

Authenticating Users Users’ private data exists online in a variety of locations Must authenticate users before granting access to private data Passwords are widely used but guessable

Are there alternatives to passwords with high entropy (uncertainty)? Authenticating Users Users’ private data exists online in a variety of locations Must authenticate users before granting access to private data Passwords are widely used but guessable CLOUD!!! Are there alternatives to passwords with high entropy (uncertainty)?

Physical Unclonable Functions (PUFs) [PappuRechtTaylorGershenField02] Hardware that implements random function Impossible to copy precisely Large challenge/response space On fixed challenge, responses close together Key storage [TuylsSchrijenSkoricVanGelovenVerhaeghWolters06] Proof of Possession Multi-party computation [OstrovskyScafuroViscontiWadia12]

Biometrics Measure unique physical phenomenon Unique, collectable, permanent, universal Repeated readings exhibit significant noise Uniqueness/Noise vary widely Human iris believed to be “best” [Daugman04, PrabhakarPankantiJain03]

Key Derivation from Noisy Sources Entropic sources are noisy Source differs over time, first reading w later readings x, Distance is bounded d(w, x) ≤ dmax Derive stable and strong key from noisy source w, x map to same key Different samples from source produce independent keys Gen( w ) ≠ Gen( w’ ) Physically Unclonable Functions (PUFs) [PappuRechtTaylorGershenfield02] Biometric Data [Daugman04] To perform cryptographic authentication we need to get a key from somewhere. There are many different possible sources for a key: a password, a physical token, a biometric. <click> Often the sources that have enough randomness or entropy to derive a key are noisy. Two good examples of this are physically unclonable functions and biometrics. <click, click, click> We will call the initial reading of a particular source, w_0. We call a source noisy if subsequent readings w_1 are not equal, to the initial reading but their distance is bounded. We want a tool that is able to derive a stable/repeatable key from this source. We should be able to produce a key from either w_0 or w_1. However, to have any notion of security, we must be sure that different samples of the source (e.g. two people’s irises) don’t map to the same key. So there is an inherit tradeoff between the errors we try and correct and the strength of our resulting key.

Outline Noisy Authentication Sources Fuzzy Extractors Limitations of Standard Techniques Current Work

Fuzzy Extractors Generate key Reproduce w key key Source Fuzzy Extractors key Public (p) Assume our source is strong Traditionally, high entropy Fuzzy Extractors derive reliable keys from noisy data [DodisOstrovskyReyzinSmith04, 08] (interactive setting in aaaa[BennettBrassardRobert88]) Goals: Correctness: Gen, Rep same key if d(w, x) ≤ dmax Security: (key , p) ≈ (U , p) Can be statistical or computational [FullerMengReyzin13] Generate key Fuzzy extractors perform key derivation from such sources non-interactively. <click> We start by assuming that our source is high quality. Traditionally this means the source has high min-entropy. This is denoted H infinity. It means that no outcome in the distribution is too likely. That is, every possible outcome has probability no more than 2^{-k}. <click> Back to fuzzy extractors, they derive stable keys from high min-entropy sources. They were introduced by Dodis, Ostrovsky, Reyzin, and Smith in 2004. Note there was considerable prior research on the interactive version of this problem introduced by Bennett, Brassard, and Robert in 1988. The basic setting is we have an algorithm Gen that takes the source value w_0 and produces a key. It also produces a helper value p. This helper value exists so we can reproduce the key. The algorithm Rep accomplishes this goal. It takes the helper value output by Gen and new reading of the source w_1. If the distance between w_0 and w_1 is small, <click> it produces the same key. In all of our analysis we assume the adversary has access to the Generate and Reproduce algorithms and this helper value p. Reproduce w key p

Converts high entropy sources to uniform H∞(W)≥ k Ext (W ) ≈ U Fuzzy Extractors key Public (p) Assume our source is strong Traditionally, high entropy Fuzzy Extractors derive reliable keys from noisy data [DodisOstrovskyReyzinSmith04, 08] (interactive setting in aaaa[BennettBrassardRobert88]) Traditional Construction Derive a key using a randomness extractor Generate key Ext The key is derived using a standard tool called a randomness extractor. <click> A randomness extractor converts all high min-entropy distributions to the uniform distribution. For the purposes of clarity, I have omitted the seed from the extractor, the seed is added to the public value p. So to generate our key, we simply extract from the value w_0. In our reproduce procedure, we will generate the same key so we will run the extractor in Rep. Unfortunately, we don’t have the value w_0 to run the extractor. The interesting part is how to reproduce the value w_0 so we can run the extractor in Rep Reproduce w key Converts high entropy sources to uniform H∞(W)≥ k Ext (W ) ≈ U p Ext

Fuzzy Extractors Generate key Ext Reproduce w key Ext key Source Fuzzy Extractors key Public (p) Assume our source is strong Traditionally, high entropy Fuzzy Extractors derive reliable keys from noisy data [DodisOstrovskyReyzinSmith04, 08] (interactive setting in aaaa[BennettBrassardRobert88]) Traditional Construction Derive a key using a randomness extractor Error correct to w with a secure sketch Generate key Ext This is accomplished using a tool called a secure sketch. <click> A secure sketch produces a public value p that is used to error correct w_0. It consists of a sketch algorithm that is run inside Gen, And a Rec algorithm. The Rec algorithm takes p and a close value w_1 and reproduces w_0. You can think of this as an error correcting procedure for w_0. Once we have the value w_0, we can run the extractor and obtain the original key. I am now going to describe a little bit more about how secure sketches work. Any questions on the fuzzy extractor paradigm so far? Reproduce w key p Ext Sketch Rec

Secure Sketches Generate key Reproduce key w Code Offset Sketch Ext p Rec Sketch ec = Gc Code Offset Sketch I’ll start by describing the sketch algorithm. <click, click> The sketch I am going to describe is called the “code-offset sketch” in the literature. Assume we have an error correcting code that can correct dmax errors. <click> We will start by selecting a random codeword. So we select a random value x and encode x using the error correcting code. We will use this ec value as a mask for our value w_0. Our public value p will be the exclusive or of the value ec and our original reading. Remember, we want two properties from p: it should allow recovery from a close value w_1 and it shouldn’t give much information about w_0. p =ec  w G – Generating matrix for code that corrects dmax errors

Secure Sketches Generate key Reproduce key w Code Offset Sketch Ext p Rec Sketch ec = Gc ec’=Dec(p  x) If w and x are close then w = ec’  p. Code Offset Sketch I’ll now show have the first property is fulfilled. <click> This is done in the Recovery function. So the recovery function has just the public value p and the new reading w_1. It adds these two values together. We then run the decoding procedure of the error correcting code on this value p\oplus w_1. This gives us a value ec’. If w_0 and w_1 are within the decoding radius for the error correcting code then ec’ = ec. This means we can recover the value w_0 from a close w_1. p  x p =ec  w G – Generating matrix for code that corrects dmax errors

Secure Sketches Generate key Reproduce key w Code Offset Sketch Ext must be able to extract from distributions where Generate key Ext Reproduce w key p Ext Rec Sketch w is unknown (knowing p): (k−k’) entropy loss Code Offset Sketch We will now work on the second property. We need the value p not to give much information about w_0. <click> Consider the case where we collect a reading from a different source, say w_0’. <click, click> This means that p \oplus w_0’ will not be close to the original codeword and decoding will give an unrelated value. <click> Formally, we can say that W_0 retains high entropy even conditioned on the public value p. This is the main novel contribution of a secure sketch (otherwise we could just provide error correcting information. Recall the starting entropy was k. We will call k-k’ the entropy loss of a secure sketch. This value is important as it determines the strength of our key. In particular, the extractor must be able to produce a good key with only k’ bits of entropy. p  x p =ec  w G – Generating matrix for code that corrects dmax errors p  x’

Implementing Fuzzy Extractors Need to know: Starting metric space M Starting Entropy Desired Error tolerance dmax Code C that corrects dmax errors Hash from M to bit-strings Can output key of length: k – (log |M| - log |C|)- 2 log (1/ε) Losses are significant. No key for many sources! Generate(w) Select c from C Set key = Hash(w) Set p = c  w Output (key, p) Reproduce(x, p) Set c’ = p  x Decode c = Decode(c’) Recover w=p  c Output key = Hash(w)

Outline Noisy Authentication Sources Fuzzy Extractors Limitations of Standard Techniques Current Work

Entropy Loss From Fuzzy Extractors Entropy is at a premium for physical sources Iris ≈249 [Daugman96] Fingerprint ≈82 [RathaConnellBolle01] Passwords ≈31 [ShayKomanduri+10] PUFs [KoeberlLiRejanWu14] Entropy loss is considered in information-theoretic setting (all powerful adversary) Fuzzy extractors have two losses: Secure sketches lose at least the error correcting capability of the code (k-k’) Iris ≈200 bit error rate Randomness extractors lose 2log (1/ε) or between 60-100 bitsits After these losses, there may not be any key left! Lets dig into the entropy loss a little bit more. <click> Most biometrics have a couple hundred bits of entropy. These sources are not overflowing with entropy, where we can afford entropy losses without much consideration. Entropy loss for fuzzy extractors consider an information theoretic adversary. This is primarily due to the construction using two “information-theoretic” primitives. This lose comes from two sources. The secure sketch due to an error correcting code is at least the error correcting capability. In practice, this entropy loss may be considerably higher Randomness extractors give a distribution that is close to uniform. There is some error \epsilon that indicates the distance from uniform. The length of the extractor key is proportional to the distance from uniform. <click> The point of all this is we may not have enough bits for a key after all of these losses. The main question of this work is whether we can eliminate these entropy losses. <click, click> If we consider the information theoretic setting we already have an answer to these questions. Any secure sketch that corrects dmax errors implies an error correcting code that corrects dmax errors and vice versa. This means that all bounds on the rate of a code carry over to secure sketch. One such bound is the sphere packing bound. This tells us the entropy loss must be at least the volume of the ball we are trying to correct. As stated above we are measuring the entropy loss in an information theoretic setting. Maybe we can do better by considering computationally bounded adversaries.

Entropy Loss From Fuzzy Extractors Entropy is at a premium for physical sources Iris ≈249 [Daugman96] Fingerprint ≈82 [RathaConnellBolle01] Passwords ≈31 [ShayKomanduri+10] PUFs [KoeberlLiRejanWu14] Entropy loss is considered in information-theoretic setting (all powerful adversary) Fuzzy extractors have two losses: Secure sketches lose at least the error correcting capability of the code (k-k’) Iris ≈200 bit error rate Randomness extractors lose 2log (1/ε) or between 60-100 bitsits Can we eliminate either of these entropy losses? [DodisOstrovskyReyzinSmith] Secure Sketch Error-Correcting Code (corrects random errors) Means k−k’≥ log|Bdmax| (Ball of radius dmax) Current Situation: PUFs Biometrics Lets dig into the entropy loss a little bit more. <click> Most biometrics have a couple hundred bits of entropy. These sources are not overflowing with entropy, where we can afford entropy losses without much consideration. Entropy loss for fuzzy extractors consider an information theoretic adversary. This is primarily due to the construction using two “information-theoretic” primitives. This lose comes from two sources. The secure sketch due to an error correcting code is at least the error correcting capability. In practice, this entropy loss may be considerably higher Randomness extractors give a distribution that is close to uniform. There is some error \epsilon that indicates the distance from uniform. The length of the extractor key is proportional to the distance from uniform. <click> The point of all this is we may not have enough bits for a key after all of these losses. The main question of this work is whether we can eliminate these entropy losses. <click, click> If we consider the information theoretic setting we already have an answer to these questions. Any secure sketch that corrects dmax errors implies an error correcting code that corrects dmax errors and vice versa. This means that all bounds on the rate of a code carry over to secure sketch. One such bound is the sphere packing bound. This tells us the entropy loss must be at least the volume of the ball we are trying to correct. As stated above we are measuring the entropy loss in an information theoretic setting. Maybe we can do better by considering computationally bounded adversaries.

Outline Noisy Authentication Sources Fuzzy Extractors Limitations of Standard Techniques Current Work

When is security possible? M Some distributions are inherently insecure If points are close, no security possible Ideal world: Possible using: Multi-Party Computation (in interactive setting) Obfuscation (under very strong assumptions) [BitanskiCanettiKalaiPaneth14] By providing x* to Rep the adversary always learns key key key x* We answer this question for both secure sketches and fuzzy extractors. <click> For secure sketches we show the answer is no. We show that defining a secure sketch with a computational adversary is not helpful. I will be more precise in a minute about what this means. For fuzzy extractors, we provide an affirmative answer. We construct a lossless computational fuzzy extractor based on Learning with Errors or LWE problem Along the way we extend the hardness of LWE to the case when some dimensions have known error.

When is security possible? key M By providing x* to Rep the adversary always learns key Hope: provide strong key whenever a negligible fraction of probability mass is within distance dmax New entropy notion! Fuzzy min-entropy is the maximum weight ball of a probability distribution x* We answer this question for both secure sketches and fuzzy extractors. <click> For secure sketches we show the answer is no. We show that defining a secure sketch with a computational adversary is not helpful. I will be more precise in a minute about what this means. For fuzzy extractors, we provide an affirmative answer. We construct a lossless computational fuzzy extractor based on Learning with Errors or LWE problem Along the way we extend the hardness of LWE to the case when some dimensions have known error.

When is security possible? key M Hope: provide strong key whenever a negligible fraction of probability mass is within distance dmax New entropy notion! Fuzzy min-entropy is the maximum weight ball of a probability distribution We answer this question for both secure sketches and fuzzy extractors. <click> For secure sketches we show the answer is no. We show that defining a secure sketch with a computational adversary is not helpful. I will be more precise in a minute about what this means. For fuzzy extractors, we provide an affirmative answer. We construct a lossless computational fuzzy extractor based on Learning with Errors or LWE problem Along the way we extend the hardness of LWE to the case when some dimensions have known error.

When is security possible? M Goal: good key for dist. with super-log fuzzy min-entropy Feasibility: consider information-theoretic constructions Two settings: Distribution-aware: algorithms encode probability mass function (pmf) of source Distribution-oblivious: algorithms must work for a family of distributions

Key derivation from fuzzy min entropy? Error correction without leaking information Standard setting, know only some properties of source distribution Distribution Aware Distribution Oblivious Secure Sketches Fuzzy Extractors ? Combine error correction and key derivation Standard transform from secure sketch to fuzzy extractor

Key derivation from fuzzy min entropy? Distribution Aware Distribution Oblivious Secure Sketches Fuzzy Extractors ? Thm: For any distribution W with fuzzy min-entropy there exists a secure sketch (and fuzzy extractor) with

Distribution Aware M w x Sketch knows probability mass function of W Consider initial reading w Recover algorithm will receive a nearby point x Sketch must disambiguate nearby points Sketch consists of a description of which nearby point was seen Problem: A ball can contain an unbounded number of points that rarely occur Idea: write down the probability of original w and limit recover to w with this probability w x

Distribution Aware M x w Sketch knows probability mass function of W Consider initial reading w Recover algorithm will receive a nearby point x Sketch must disambiguate nearby points Sketch consists of a description of which nearby point was seen Problem: A ball can contain an unbounded number of points that rarely occur Idea: write down the probability of original w and limit recover to w with this probability w Correcting on these unlikely points may reveal w Sketch is correct for all of W, Adv ignores low probability points

Key derivation from fuzzy min entropy? Distribution Aware Distribution Oblivious Secure Sketches Fuzzy Extractors ? Thm: For any distribution W there exists a secure sketch

Key derivation from fuzzy min entropy? Distribution Aware Distribution Oblivious Secure Sketches Fuzzy Extractors ? Thm: There is a family of distributions V (where all members have fuzzy entropy) such that any secure sketch for V removes all entropy

Distribution Oblivious Adversary selects what color will be provided Constraints imposed by Sketch Sketch supports a family V After Sketch is fixed, adversary selects a distribution W from V Sketch does not know what distribution it is being asked to correct (only receives sample from distribution) Sketch imposes constraints on W Constraints only depend on received sample and are independent of rest of W’s p.m.f. When W has little entropy Sketch constraints remove all entropy M

Distribution Oblivious Adversary selects what color will be provided Constraints imposed by Sketch Sketch supports a family V After Sketch is fixed, adversary selects a distribution W from V Sketch does not know what distribution it is being asked to correct (only receives sample from distribution) Sketch imposes constraints on W Constraints only depend on received sample and are independent of rest of W’s p.m.f. When W has little entropy Sketch constraints remove all entropy M Adversary’s search space Maybe those were “bad” constraints?

Distribution Oblivious Adversary selects what color will be provided Alternative Constraints Sketch supports a family V After Sketch is fixed, adversary selects a distribution W from V Sketch does not know what distribution it is being asked to correct (only receives sample from distribution) Sketch imposes constraints on W Constraints only depend on received sample and are independent of rest of W’s p.m.f. When W has little entropy Sketch constraints remove all entropy M

Distribution Oblivious Adversary selects what color will be provided Alternative Constraints Sketch supports a family V After Sketch is fixed, adversary selects a distribution W from V Sketch does not know what distribution it is being asked to correct (only receives sample from distribution) Sketch imposes constraints on W Constraints only depend on received sample and are independent of rest of W’s p.m.f. When W has little entropy Sketch constraints remove all entropy M Adversary’s search space Every Sketch must create constraints that are independent of the color, Leaves few points of each color

Conclusion Distribution-Aware: Show that key derivation is possible for any distribution with fuzzy min-entropy when algorithms know the p.m.f. Distribution-Oblivious: There exist families of distributions with no secure sketch Negative result extends to computational secure sketches defined using pseudoentropy using [FullerMengReyzin13] Can build computational secure sketch that provides unpredictability [BitanskiCanettiKalaiPaneth14] We have a fuzzy extractor for this family [CanettiFullerPanethReyzinSmith14] Open Question: Are there families of distributions where fuzzy extraction is not possible? Evidence constructing fuzzy extractors easier than secure sketches Questions?