TY - JOUR
T1 - Robust fuzzy extractors and authenticated key agreement from close secrets
AU - Dodis, Yevgeniy
AU - Kanukurthi, Bhavana
AU - Katz, Jonathan
AU - Reyzin, Leonid
AU - Smith, Adam
N1 - Funding Information:
Manuscript received June 24, 2011; revised April 18, 2012; accepted April 21, 2012. Date of publication May 19, 2012; date of current version August 14, 2012. This work was supported by the Louis L. and Anita M. Perlman Fellowship. Y. Dodis was supported by the NSF under Grants #0133806, #0311095, and #0515121. B. Kanukurthi was supported by the NSF under Grants #0311485, #0515100, #0546614, #0831281, #1012910, and #1012798. J. Katz was supported by the NSF under Grants #0310751, #0447075, and #0627306. L. Reyzin was supported by the NSF under Grants #0311485, #0515100, #0546614, #0831281, #1012910, and #1012798. This paper was presented in part at Advances in Cryptology—Crypto 2006 and in part at the 6th International Conference on Security and Cryptography for Networks (SCN). This is an expanded and corrected version of [15] and [23].
PY - 2012
Y1 - 2012
N2 - Consider two parties holding samples from correlated distributions W and W′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK_Ext that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W′_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects. 1) The best prior solution for the keyless case with no errors (i.e., t=0) requires the min-entropy of W to exceed 2n/3, where n is the bit length of W. Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key. 2) Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model. 3) Previous solutions for the keyed case were stateful. We give the first stateless solution.
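The single-message setting the abstract describes, as an added illustration that is not code from the paper: a toy fuzzy extractor over the Hamming metric built from two standard textbook components (a code-offset secure sketch using a repetition code, and a random-matrix universal hash as the strong extractor), with the sender's message P = (sketch, seed). On a passive channel the receiver recovers W from W′ and re-derives R. On an active channel the adversary alters P and the receiver silently derives a different key, which is the non-robustness that robust fuzzy extractors rule out. The function names, the parameters (n = 12, 3-bit blocks, 4-bit key) and the sample inputs are assumptions of this example, not the paper's construction or parameters, and the toy is chosen for readability, not security.

```python
"""Toy (non-robust) fuzzy extractor over the Hamming metric, and the active attack on it.

Added illustration, not code from the paper: the code-offset sketch and the
random-matrix universal hash are standard textbook components; the parameters
are chosen for readability, not for security.
"""
import secrets
from typing import List, Optional, Tuple

Bits = List[int]
Helper = Tuple[Bits, List[Bits]]   # (sketch, extractor seed): the one message sent

BLOCK = 3   # repetition-code block length; majority vote corrects 1 flip per block
N = 12      # bit length n of the secret W (a multiple of BLOCK)
K = 4       # length of the agreed key R


def rand_bits(n: int) -> Bits:
    return [secrets.randbits(1) for _ in range(n)]


def xor(a: Bits, b: Bits) -> Bits:
    return [x ^ y for x, y in zip(a, b)]


def hamming(a: Bits, b: Bits) -> int:
    return sum(xor(a, b))


def encode(msg: Bits) -> Bits:
    """Repetition code: each message bit is written BLOCK times."""
    return [bit for bit in msg for _ in range(BLOCK)]


def decode(word: Bits) -> Bits:
    """Majority vote per block; corrects up to (BLOCK - 1) // 2 flips in each block."""
    return [int(2 * sum(word[i:i + BLOCK]) > BLOCK) for i in range(0, len(word), BLOCK)]


def extract(w: Bits, seed: List[Bits]) -> Bits:
    """Strong extractor: R = M.w over GF(2), with the K x N matrix M given row-wise by the seed."""
    return [sum(m & x for m, x in zip(row, w)) & 1 for row in seed]


def gen(w: Bits, codeword: Optional[Bits] = None,
        seed: Optional[List[Bits]] = None) -> Tuple[Bits, Helper]:
    """Sender side: derive R from W and the helper message P = (sketch, seed).

    codeword and seed are normally drawn fresh; they are parameters only so a
    caller can reproduce a run with fixed randomness."""
    if codeword is None:
        codeword = encode(rand_bits(N // BLOCK))
    if seed is None:
        seed = [rand_bits(N) for _ in range(K)]
    sketch = xor(w, codeword)            # code-offset sketch: W hidden behind a random codeword
    return extract(w, seed), (sketch, seed)


def rep(w_prime: Bits, helper: Helper) -> Bits:
    """Receiver side: recover W from W' and P, then re-derive the key.

    Nothing here checks that P is what the sender actually sent: the receiver
    always outputs *some* key, which is exactly the non-robustness."""
    sketch, seed = helper
    noisy_codeword = xor(w_prime, sketch)    # = codeword XOR (W XOR W')
    w_recovered = xor(sketch, encode(decode(noisy_codeword)))
    return extract(w_recovered, seed)


def tamper(helper: Helper, flip: Tuple[int, ...] = (),
           seed: Optional[List[Bits]] = None) -> Helper:
    """Channel adversary: flip chosen sketch bits and/or substitute the seed."""
    sketch, old_seed = helper
    sketch = list(sketch)
    for i in flip:
        sketch[i] ^= 1
    return sketch, (old_seed if seed is None else seed)


def demo() -> None:
    w = rand_bits(N)
    w_prime = list(w)
    w_prime[1] ^= 1
    w_prime[7] ^= 1                          # W' at distance 2, one flip per block
    r, helper = gen(w)
    print("honest channel :", rep(w_prime, helper) == r)
    # Two flips in one block are not a codeword, so they do not cancel: the receiver
    # recovers W XOR delta and derives a key that differs from R with prob. 1 - 2**-K.
    print("tampered sketch:", rep(w_prime, tamper(helper, flip=(0, 1))) == r)
    # A substituted seed leaves W recovery intact but changes H_seed(W) entirely.
    bad_seed = [rand_bits(N) for _ in range(K)]
    print("tampered seed  :", rep(w_prime, tamper(helper, seed=bad_seed)) == r)


if __name__ == "__main__":
    demo()
```

Note that a modification of the sketch that is itself a codeword (e.g. flipping all three bits of one block) is absorbed by decoding and leaves the recovered W unchanged; the adversary only needs a non-codeword change, or a new seed, to desynchronise the two parties without either side noticing. Detecting such tampering with no shared key, and with W′ ≠ W, is what the keyless robust constructions in the paper provide.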
KW - Fuzzy extractors
KW - information reconciliation
KW - information-theoretic cryptography
KW - key-agreement
KW - weak secrets
UR - http://www.scopus.com/inward/record.url?scp=84865393678&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84865393678&partnerID=8YFLogxK
U2 - 10.1109/TIT.2012.2200290
DO - 10.1109/TIT.2012.2200290
M3 - Article
AN - SCOPUS:84865393678
SN - 0018-9448
VL - 58
SP - 6207
EP - 6222
JO - IEEE Transactions on Information Theory
JF - IEEE Transactions on Information Theory
IS - 9
M1 - 6203415
ER -