Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When.

1 Strong Key Derivation from Noisy Sources Benjamin Fuller December 12, 2014 Based on three works: Computational Fuzzy Extractors [FullerMengReyzin13] When are Fuzzy Extractors Possible? [FullerSmithReyzin14] Key Derivation from Noisy Sources with More Errors than Entropy [CanettiFullerPanethSmithReyzin14]

2 Key Derivation from Noisy Sources
Physically Unclonable Functions (PUFs), Biometric Data
High-entropy sources are often noisy
– Initial reading w0 ≠ later reading w1
– Source w0 = a1, …, ak, each symbol ai over alphabet Z
– Assume a bound on distance: d(w0, w1) ≤ t, where d(w0, w1) = # of symbols that differ
Example: w0 = ABCADBEFAA, w1 = AGCABBEFCB, d(w0, w1) = 4

3 Key Derivation from Noisy Sources
Physically Unclonable Functions (PUFs), Biometric Data
High-entropy sources are often noisy
– Initial reading w0 ≠ later reading w1
– Source w0 = a1, …, ak, each symbol ai over alphabet Z
– Assume a bound on distance: d(w0, w1) ≤ t
Goal: derive a stable, cryptographically strong output
– Want w0, w1 to map to the same output
– The output should look uniform to the adversary
Goal of this talk: produce good outputs in scenarios we couldn’t handle before

4 Physical Unclonable Functions (PUFs) [PappuRechtTaylorGershenfeld02]
Hardware that implements a random function
Impossible to copy precisely
Large challenge/response space
– On a fixed challenge, responses are close together
(Figure labels: laser, interference, Gabor hash)

5 Biometrics Measure unique physical phenomenon Unique, collectable, permanent, universal Repeated readings exhibit significant noise Uniqueness/Noise vary widely Human iris believed to be “best” [Daugman04], [PrabhakarPankantiJain03]

6 Two Physical Processes
w0 – create a new biometric or hardware device, take initial reading
w1 – take new reading from a fixed biometric or hardware device
Two readings may not be subject to the same noise. Often less error in the original reading
(Figure labels: Uncertainty, Errors)

7 Outline Strong Authentication through Key Derivation Key Derivation from Noisy Sources Limitations of Traditional Approaches/Lessons New Constructions

8 Key Derivation from Noisy Sources
Interactive Protocols [Wyner75] … [BennettBrassardRobert85,88] … lots of work …
Parties agree on a cryptographic key
Problem: User must store initial reading w0 at server
Want an approach where w0 is not stored!
(Figure: two parties holding w0 and w1)

9 Fuzzy Extractors: Functionality [JuelsWattenberg99], …, [DodisOstrovskyReyzinSmith04] …
Enrollment algorithm Gen: take a measurement w0 from the source. Use it to “lock up” random r in a nonsecret value p.
Subsequent algorithm Rep: give the same output if d(w0, w1) < t
Security: r looks uniform even given p, when the source is good enough
Traditionally, the security definition is information-theoretic
(Figure: Gen takes w0 and outputs r and p; Rep takes w1 and p and outputs r when d(w0, w1) < t)

10 Fuzzy Extractors: Goals
Goal 1: handle as many sources as possible (typically, any source in which w0 is 2^k-hard to guess)
Goal 2: handle as much error as possible (typically, any w1 within distance t)
Most previous approaches are analyzed in terms of t and k
Traditional approaches do not support sources with t > k (many practical sources)
(Figure: Gen/Rep diagram; w0 has entropy k, d(w0, w1) < t)

11 Contribution
Three lessons on how to construct fuzzy extractors for practical sources
– Eliminate Secure Sketches [FMR13]
– Exploit Distributional Structure [FRS14]
– Define Objects Computationally [FMR13]
Constructions of fuzzy extractors for large classes of distributions where t > k [CFPRS14]
Reusable fuzzy extractor for arbitrary correlation between repeated readings [CFPRS14]

12 Fuzzy Extractors: Typical Construction [DodisOstrovskyReyzinSmith08]
– correct errors using a secure sketch (gives recovery of the original from a noisy signal)
– derive r using a randomness extractor Ext (converts high-entropy sources to uniform, e.g., via universal hashing [CarterWegman77])
(Figure: Gen applies Ext to w0, which has entropy k, and outputs r and p; Rep takes w1 with d(w0, w1) < t and p and outputs r)

13 Fuzzy Extractors: Typical Construction [DodisOstrovskyReyzinSmith08]
– correct errors using a secure sketch (gives recovery of the original from a noisy signal)
– derive r using a randomness extractor Ext (converts high-entropy sources to uniform, e.g., via universal hashing [CarterWegman77])
(Figure: Gen runs Sketch on w0 to produce p and Ext on w0 to produce r; Rep runs Rec on w1 and p to recover w0, then Ext to produce r; w0 has entropy k, d(w0, w1) < t)

14 Secure Sketches
Code Offset Sketch [JuelsWattenberg99]
C – error-correcting code correcting t errors
Generate: p = c ⊕ w0
(Figure: Generate runs Sketch and Ext on w0 and outputs p and r; Reproduce runs Rec and Ext on w1 and p, with d(w0, w1) < t, and outputs r)

15 Secure Sketches
Code Offset Sketch [JuelsWattenberg99]
C – error-correcting code correcting t errors
Generate: p = c ⊕ w0
Reproduce: p ⊕ w1 = c*, c’ = Decode(c*)
If decoding succeeds, w0 = c’ ⊕ p.

16 Secure Sketches
Code Offset Sketch [JuelsWattenberg99]
C – error-correcting code correcting t errors
Generate: p = c ⊕ w0
Reproduce: p ⊕ w1 = c*; a reading w’1 at distance > t gives p ⊕ w’1
p has info about w0. How much does it hurt security?
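The code-offset sketch from slides 14 to 16, as an added example (not code from the talk or the cited papers). It assumes binary readings, XOR as the offset operation, a 5-fold repetition code standing in for C, and SHA-256 standing in for Ext; all function names and the sample reading are constructed.

```python
import hashlib
import secrets

REP = 5  # assumed toy code C: 5-fold repetition, corrects 2 bit flips per block

# Constructed 20-bit reading (sample data, not from the slides)
W0 = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1]

def encode(msg_bits):
    """Repeat every message bit REP times to form a codeword of C."""
    return [b for b in msg_bits for _ in range(REP)]

def decode(bits):
    """Majority vote per block, re-encoded: the nearest codeword c'."""
    msg = [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]
    return encode(msg)

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def sketch(w0):
    """Sketch: pick a random codeword c and publish p = c XOR w0."""
    c = encode([secrets.randbelow(2) for _ in range(len(w0) // REP)])
    return xor(c, w0)

def rec(w1, p):
    """Rec: c* = p XOR w1, c' = Decode(c*), candidate w0 = c' XOR p."""
    return xor(decode(xor(p, w1)), p)

def ext(w, seed):
    """Stand-in for Ext (SHA-256 is an assumption; the slides name universal hashing)."""
    return hashlib.sha256(seed + bytes(w)).digest()

def gen(w0):
    """Gen: r stays secret, (p, seed) is the public helper value."""
    seed = secrets.token_bytes(16)
    return ext(w0, seed), (sketch(w0), seed)

def rep(w1, helper):
    """Rep: recover w0 from the noisy reading, then re-derive r."""
    p, seed = helper
    return ext(rec(w1, p), seed)

def candidates_given_p(p):
    """w0 must equal p XOR c for some codeword c, so only 2^(len/REP) values remain."""
    return 2 ** (len(p) // REP)

def flip(w, positions):
    """Return a copy of w with the bits at the given positions flipped."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(w)]

if __name__ == "__main__":
    r, helper = gen(W0)
    print(rep(flip(W0, {0, 3, 7, 12, 19}), helper) == r)  # within tolerance
    print(rep(flip(W0, {0, 1, 2}), helper) == r)          # 3 flips in one block
    print(candidates_given_p(helper[0]), "candidates left out of", 2 ** len(W0))
```

Publishing p narrows a uniform 20-bit reading down to 16 candidates, which is the leakage the secure-sketch slides ask about.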

17 Outline Strong Authentication through Key Derivation Key Derivation from Noisy Sources Limitations of Traditional Approaches/Lessons New Constructions

18 Problem with Secure Sketches
p must store enough information to recover w0
How much information is that?
(Figure: Gen runs Sketch and Ext on w0, which has entropy k; Rep runs Rec on w1, d(w0, w1) < t, to recover w0, then Ext to output r)

19 Problem with Secure Sketches
p must store enough information to recover w0
How much information is that?
If all Rep knows about the source is its entropy, w0 can be anywhere within distance t, so log |Bt| > t bits
Current approaches provide no security if t > k
(Figure annotations: p “stores t bits about w0”; w0 “has k < t bits of entropy”)

20 Problem with Secure Sketches
Fuzzy extractors and secure sketches have upper bounds on key length based on error tolerance
Secure sketches are subject to stronger bounds
Thm [FMR13]: Secure sketches with computational security limited:
Can build sketches with info-theoretic security from sketches that provide computational security
(Figure annotations: p “stores t bits about w0”; w0 “has k < t bits of entropy”)

21 Lessons
1. Stop using secure sketches
– Subject to strong bounds
– Bounds apply with computational security

22 Is it possible to handle “more errors than entropy” (t > k)?
Support of w0: this distribution has 2^k points
Why might we hope to extract from this distribution?
– Points are far apart
– No need to deconflict original reading

23 Is it possible to handle “more errors than entropy” (t > k)?
Support of w0, support of v0
Left and right have the same number of points and error tolerance
Since t > k there is a distribution v0 where all points lie in a single ball

24 Is it possible to handle “more errors than entropy” (t > k)?
Support of v0: for any construction, the adversary learns r by running Rep with v1
Recall: adversary can run Rep on any point
Support of w0: the likelihood of the adversary picking a point w1 close enough to recover r is low

25 Is it possible to handle “more errors than entropy” (t > k)?
Support of v0: for any construction, the adversary learns r by running Rep with v1
Support of w0: the likelihood of the adversary picking a point w1 close enough to recover r is low
Key derivation may be possible for w0, impossible for v0
To distinguish between w0 and v0, must consider more than just t and k

26 Lessons
1. Stop using secure sketches
2. Exploit structure of source beyond entropy
– Need to understand what structure is helpful

27 Understand the structure of source
Minimum necessary condition for fuzzy extraction: weight inside any Bt must be small
Let Hfuzz(W0) = log(1 / max wt(Bt))
Big Hfuzz(W0) is necessary
Q: Is big Hfuzz(W0) sufficient for fuzzy extractors?

28 Is big Hfuzz(W0) sufficient?
Thm [FRS]: Yes, if algorithms know exact distribution of W0
Imprudent to assume construction and adversary have the same view of W0
– Should assume adversary knows more about W0
– Deal with adversary knowledge by providing security for a family V of W0; security should hold for the whole family
Thm [FRS]: No if W0 is only known to come from a family V
A3: Yes if security is computational (using obfuscation) [BitanskyCanettiKalaiPaneth14]
A4: No if security is information-theoretic
A5: No if you try to build (computational) secure sketch
Will show negative result for secure sketches (negative result for fuzzy extractors more complicated)

29 Thm [FRS]: No if W0 comes from a family V
Describe a family of distributions V
For any fuzzy extractor Gen, Rep: for most W0 in V, few w* in W0 could produce p
Implies W0 has little entropy conditioned on p

30 Adversary specifies V
Goal: build Sketch, Rec maximizing H(W | p), for all W in V
First consider one dist. W
– For w0, Rec(w0, p) = w0
– For nearby w1, Rec(w1, p) = w0
– Call this an augmented fixed point
To maximize H(W | p), make as many points of W as possible augmented fixed points
Augmented fixed points are at least distance t apart (exponentially small fraction of space)
Now we’ll consider family V. Goal: for most W in V, can’t include many augmented fixed points

31 Adversary specifies V
Goal: build Sketch, Rec maximizing H(W | p), for all W in V
Sketch must create augmented fixed points based only on w0
Build family with many possible distributions for each w0
Sketch can’t tell W from w0

34 Adversary specifies V
Goal: build Sketch, Rec maximizing H(W | p), for all W in V
Sketch must create augmented fixed points based only on w0
Build family with many possible distributions for each w0
Sketch can’t tell W from w0
Distributions only share w0
– Sketch must include augmented fixed points from all distributions with w0
Adversary knows color of w0
(Figure label: viable points set by Gen)

35 Adversary specifies V
Goal: build Sketch, Rec maximizing H(W | p), for all W in V
Sketch must create augmented fixed points based only on w0
Build family with many possible distributions for each w0
Sketch can’t tell W from w0
Distributions only share w0
– Sketch must include augmented fixed points from all distributions with w0
Adversary knows color of w0
Maybe this was a bad choice of viable points?
(Figure labels: viable points set by Gen, adversary’s search space)

36 Adversary specifies V
Goal: build Sketch, Rec maximizing H(W | p), for all W in V
Sketch must create augmented fixed points based only on w0
Build family with many possible distributions for each w0
Sketch can’t tell W from w0
Distributions only share w0
– Sketch must include augmented fixed points from all distributions with w0
Adversary knows color of w0
(Figure label: alternative points)

37 Adversary specifies V
Goal: build Sketch, Rec maximizing H(W | p), for all W in V
Sketch must create augmented fixed points based only on w0
Build family with many possible distributions for each w0
Sketch can’t tell W from w0
Distributions only share w0
– Sketch must include augmented fixed points from all distributions with w0
Adversary knows color of w0
Thm: Sketch, Rec can include at most 4 augmented fixed points from members of V on average
(Figure labels: alternative points, adversary’s search space)

38 Is big Hfuzz(W0) sufficient?
Thm [FRS]: Yes, if algorithms know exact distribution of W0
Imprudent to assume construction and adversary have the same view of W0
– Deal with adversary knowledge by providing security for a family V of W0; security should hold for the whole family
Thm [FRS]: No if adversary knows more about W0 than fuzzy extractor creator
A3: Yes if security is computational (using obfuscation) [BitanskyCanettiKalaiPaneth14]
A4: No if security is information-theoretic
A5: No if you try to build (computational) secure sketch
Fuzzy extractors were defined information-theoretically (used info-theory tools); no compelling need for info-theory security

39 Lessons
1. Stop using secure sketches
2. Exploit structure of source beyond entropy
3. Define objects computationally

40 Outline
Strong Authentication through Key Derivation
Key Derivation from Noisy Sources
Lessons
1. Stop using secure sketches
2. Exploit structure of source beyond entropy
3. Define objects computationally
New Constructions

41 Idea [CFPRS14]: “encrypt” r using parts of w0
w0 = a1 a2 a3 a4 a5 a6 a7 a8 a9
Gen:
– get random combinations of symbols in w0
– “lock” r using these combinations
Locks (each holding r): a1 a9 a2; a3 a9 a5; a3 a4 a5; a7 a5 a6; a2 a8 a7; a3 a5 a2

44 Idea [CFPRS14]: “encrypt” r using parts of w0
w0 = a1 a2 a3 a4 a5 a6 a7 a8 a9
Gen:
– get random combinations of symbols in w0
– “lock” r using these combinations
– p = locks + positions of symbols needed to unlock
Locks (each holding r): a1 a9 a2; a3 a9 a5; a3 a4 a5; a7 a5 a6; a2 a8 a7; a3 a5 a2

46 Idea [CFPRS14]: “encrypt” r using parts of w0
Gen:
– get random combinations of symbols in w0
– “lock” r using these combinations
– p = locks + positions of symbols needed to unlock
Locks (each holding r): a1 a9 a2; a3 a9 a5; a3 a4 a5; a7 a5 a6; a2 a8 a7; a3 a5 a2

47 Idea [CFPRS14]: “encrypt” r using parts of w0
Gen:
– get random combinations of symbols in w0
– “lock” r using these combinations
– p = locks + positions of symbols needed to unlock
Rep: w1 = a1 a2 a3 a4 a5 a6 a7 a8 a9
Locks (each holding r): a1 a9 a2; a3 a9 a5; a3 a4 a5; a7 a5 a6; a2 a8 a7; a3 a5 a2

49 Idea [CFPRS14]: “encrypt” r using parts of w0
Gen:
– get random combinations of symbols in w0
– “lock” r using these combinations
– p = locks + positions of symbols needed to unlock
Rep: w1 = a1 a2 a3 a4 a5 a6 a7 a8 a9
– Use the symbols of w1 to open at least one lock
Locks (each holding r): a1 a9 a2; a3 a9 a5; a3 a4 a5; a7 a5 a6; a2 a8 a7; a3 a5 a2

51 Idea [CFPRS14]: “encrypt” r using parts of w0
Gen:
– get random combinations of symbols in w0
– “lock” r using these combinations
– p = locks + positions of symbols needed to unlock
Rep: Use the symbols of w1 to open at least one lock
Error-tolerance: one combination must unlock with high probability
Security: each combination must have enough entropy (sampling of symbols must preserve sufficient entropy)
Locks (each holding r): a1 a9 a2; a3 a9 a5; a3 a4 a5; a7 a5 a6; a2 a8 a7; a3 a5 a2

52 How to implement locks?
A lock is the following program:
– If input = a1 a9 a2, output r
– Else output ⊥
– One implementation (R.O. model): lock = r ⊕ H(a1 a9 a2)
Ideally: obfuscate this program
– Obfuscation: preserve functionality, hide the program
– Obfuscating this specific program is called a “digital locker”
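The sample-then-lock idea from slides 41 to 52, as an added example (not the authors' implementation). It assumes a random-oracle style locker built from SHAKE-256 with a per-lock nonce and a zero-byte check value so that Rep can recognise an opened lock; the parameters, function names and sample reading are constructed.

```python
import hashlib
import hmac
import secrets

PAD = b"\x00" * 16  # assumed check value: lets Rep recognise a correctly opened lock

# Constructed 32-symbol reading (sample data only; a real source needs real entropy)
W0 = bytes(range(100, 132))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def lock(r, key):
    """Locker in the R.O. model: (nonce, H(nonce || key) XOR (r || 0..0))."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(nonce + key).digest(len(r) + len(PAD))
    return nonce, xor_bytes(stream, r + PAD)

def unlock(locker, key):
    """Return r if key opens the locker, otherwise None (the 'else' branch)."""
    nonce, ct = locker
    pt = xor_bytes(hashlib.shake_256(nonce + key).digest(len(ct)), ct)
    if hmac.compare_digest(pt[-len(PAD):], PAD):
        return pt[:-len(PAD)]
    return None

def select(reading, positions):
    """The symbols of a reading at the stored positions, used as the lock key."""
    return bytes(reading[i] for i in positions)

def gen(w0, num_locks=40, subset=4, r_len=16):
    """Gen: lock one random r under many random combinations of symbols of w0.
    Toy sizes: each combination must be too unpredictable to search exhaustively."""
    r = secrets.token_bytes(r_len)
    rng = secrets.SystemRandom()
    p = []
    for _ in range(num_locks):
        positions = rng.sample(range(len(w0)), subset)
        p.append((positions, lock(r, select(w0, positions))))
    return r, p  # p = locks + positions of symbols needed to unlock

def rep(w1, p):
    """Rep: use the symbols of w1 to open at least one lock."""
    for positions, locker in p:
        r = unlock(locker, select(w1, positions))
        if r is not None:
            return r
    return None

def with_errors(reading, positions):
    """Copy of reading with the symbols at the given positions changed."""
    return bytes(b ^ 0xFF if i in positions else b for i, b in enumerate(reading))

if __name__ == "__main__":
    r, p = gen(W0)
    print(rep(with_errors(W0, {1, 8, 15, 30}), p) == r)   # 4 of 32 symbols wrong
    print(rep(with_errors(W0, set(range(32))), p))        # every symbol wrong
```

With these toy sizes each lock key is only four bytes; the slides' security condition is that every sampled combination keeps enough entropy to resist exhaustive search.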

53 Digital Lockers
Digital Locker is obfuscation of
– If input = a1 a9 a2, output r
– Else output ⊥
Equivalent to encryption of r that is secure even multiple times with correlated, weak keys [CanettiKalaiVariaWichs10]
Digital lockers are practical (R.O. or DL-based) [CanettiDakdouk08], [BitanskyCanetti10]
Hides r if input can’t be exhaustively searched (superlogarithmic entropy)

54 Digital Lockers
Digital Locker is obfuscation of
– If input = a1 a9 a2, output r
– Else output ⊥
Equivalent to encryption of r that is secure even multiple times with correlated and weak keys [CanettiKalaiVariaWichs10]
Digital lockers are practical (R.O. or DL-based) [CanettiDakdouk08], [BitanskyCanetti10]
Hides r if input can’t be exhaustively searched (superlogarithmic entropy)
Q: if you are going to use obfuscation, why bother? Why not just obfuscate the following program for p
– If distance between w0 and the input is less than t, output r
– Else output ⊥
A: you can do that [BitanskyCanettiKalaiPaneth14], except it’s very impractical + has a very strong assumption

55 How good is this construction?
Handles sources with t > k
For correctness: t < constant fraction of symbols
Locks (each holding r): a1 a9 a2; a3 a9 a5; a3 a4 a5; a7 a5 a6; a2 a8 a7; a3 a5 a2

56 How good is this construction?
Handles sources with t > k
For correctness: t < constant fraction of symbols
Construction 2: Supports t = constant fraction but only for really large alphabets
Construction 3: Similar parameters but info-theoretic security
Why did I tell you about the computational construction?

57 How good is this construction?
It is reusable!
– Same source can be enrolled multiple times with multiple independent services
(Figure: Gen on w0 gives r, p; Gen on w0' gives r', p'; Gen on w0'' gives r'', p'')
Secret even given p, p', p'', r, r''

58 How good is this construction?
It is reusable!
– Same source can be enrolled multiple times with multiple independent services
– Follows from composability of obfuscation
– In the past: difficult to achieve, because typically new enrollments leak fresh information
– Only previous construction [Boyen2004]: all readings must differ by fixed constants (unrealistic)
– Our construction: each reading individually must satisfy our conditions

59 Conclusion
Lessons:
– Don’t use secure sketches (i.e., full error correction)
– Exploit structure in source
– Provide computational security
It is possible to cover sources with more errors than entropy!
Also get reusability!
Questions?

