Robust Fuzzy Extractors and Authenticated Key Agreement From Close Secrets

IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 58, NO. 9, SEPTEMBER 2012 6207

Robust Fuzzy Extractors and AuthenticatedKey Agreement From Close Secrets

Yevgeniy Dodis, Bhavana Kanukurthi, Jonathan Katz, Leonid Reyzin, and Adam Smith

Abstract—Consider two parties holding samples from corre-lated distributions � and � �, respectively, where these samplesare within distance � of each other in some metric space. Theparties wish to agree on a close-to-uniformly distributed secret key� by sending a single message over an insecure channel controlledby an all-powerful adversary who may read and modify anythingsent over the channel. We consider both the keyless case, wherethe parties share no additional secret information, and the keyedcase, where the parties share a long-term secret that theycan use to generate a sequence of session keys �� using multiplepairs ��

�

��. The former has applications to, e.g., biometricauthentication, while the latter arises in, e.g., the bounded-storagemodel with errors. We show solutions that improve upon previouswork in several respects.

1) The best prior solution for the keyless case with no errors (i.e.,� �) requires the min-entropy of to exceed � �, whereis the bit length of . Our solution applies whenever the

min-entropy of exceeds the minimal threshold �, andyields a longer key.

2) Previous solutions for the keyless case in the presence of er-rors (i.e., �) required random oracles. We give the firstconstructions (for certain metrics) in the standard model.

3) Previous solutions for the keyed case were stateful. We givethe first stateless solution.

Index Terms—Fuzzy extractors, information reconciliation, in-formation-theoretic cryptography, key-agreement, weak secrets.

I. INTRODUCTION

A number of works have explored the problem of secret-keyagreement based on correlated information, by which

two parties holding samples of correlated random

Manuscript received June 24, 2011; revised April 18, 2012; accepted April21, 2012. Date of publication May 19, 2012; date of current version August14, 2012. This work was supported by the Louis L. and Anita M. PerlmanFellowship. Y. Dodis was supported by the NSF under Grants #0133806,#0311095, and #0515121. B. Kanukurthi was supported by the NSF underGrants #0311485, #0515100, #0546614, #0831281, #1012910, and #1012798.J. Katz was supported by the NSF under Grants #0310751, #0447075, and#0627306. L. Reyzin was supported by the NSF under Grants #0311485,#0515100, #0546614, #0831281, #1012910, and #1012798. This paper waspresented in part at Advances in Cryptology—Crypto 2006 and in part at the6th International Conference on Security and Cryptography for Networks(SCN). This is an expanded and corrected version of [15] and [23].

Y. Dodis is with the Department of Computer Science, New York University,New York, NY 10016 USA (e-mail: [email protected]).

B. Kanukurthi is with the Department of Computer Science, University ofCalifornia, Los Angeles, CA 90095 USA (e-mail: [email protected]).

J. Katz is with the Department of Computer Science, University of Maryland,College Park, MD 20742 USA (e-mail: [email protected]).

L. Reyzin is with the Department of Computer Science, Boston University,Boston, MA 02215 USA (e-mail: [email protected]).

A. Smith is with the Department of Computer Science and Engineering, Penn-sylvania State University, University Park, PA 16802 USA (e-mail: [email protected]).

Communicated by I. Blake, Associate Editor for Complexity andCryptography.

Digital Object Identifier 10.1109/TIT.2012.2200290

variables communicate in order to generate a shared,secret, close-to-uniform key . The problem has variouslybeen called “information reconciliation” (especially when thechallenge is to handle differences between the samples heldby the parties), “privacy amplification” (especially in the casewhen and the goal is to transform a nonuniformshared secret to a uniform one), or “fuzzy extraction.” Earlywork [3], [5], [26], [43] assumed the parties could communi-cate over a public but authenticated channel or, equivalently,assumed a passive adversary. This assumption was relaxed inlater work [27], [29], [30], [33], [42], which considered anactive adversary who could modify all messages sent betweenthe two parties.

The goal of the aforementioned works was primarily toexplore the possibility of information-theoretic security, es-pecially in the context of quantum cryptography; however,this is not the only motivation. The problem also arises in thecontext of using noisy data (such as biometric information, orobservations of some physical phenomenon) for cryptographicpurposes, even if computational security suffices. The sameproblem also arises in the context of the bounded-storage model(BSM) [28] in the presence of errors [14], [17]. We discusseach of these in turn.

A. Authentication Using Noisy Data

In the case of authentication/key agreement using noisy data,the random variables are close (with respect to somemetric) but not identical. For simplicity, we assume that thenoisy data represent biometric information, though the sametechniques apply to more general settings. In this context, twodifferent scenarios have been considered:

Secure authentication: Here, a trusted server stores some bio-metric data of a user, obtained during an initial enrollment.Later, when the user and the server want to establish a securecommunication session over an insecure channel, the user lo-cally obtains a fresh biometric scan which is close, but notidentical, to . The user and the server then use and toauthenticate each other and agree on a key .

Key recovery: In this scenario, a user utilizes his biometricdata to generate a random key along with some public in-formation , and then stores on a (possibly untrusted) server.The key is then used, for example, to encrypt some data forlong-term storage. At a later point in time, the user obtains afresh biometric scan along with the value from the server;together, these values enable the user to recover (and hencedecrypt the encrypted data).

In the second setting, the user is, in effect, running a keyagreement protocol with himself at two points in time, with the

0018-9448/$31.00 © 2012 IEEE

6208 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 58, NO. 9, SEPTEMBER 2012

(untrusted) server acting as the “communication channel” be-tween these two instances of the user. This second scenario in-herently requires a noninteractive (i.e., one-message) solutionsince is no longer available at the later point in time. Notealso that any solution for the second scenario also provides asolution for the first.

Several protocols for key agreement using noisy data overan authenticated channel are known [3], [5], [16], [20], [22].Most of the existing work for an unauthenticated channel,however, solves the problem only for two special cases [27],[29], [30], [33], [42]: 1) when , or (2) whenand consist of (arbitrarily many) independent realizationsof the same random variable, i.e.,and . In the case of biometric data,however, are not likely to be equal and we cannot, ingeneral, obtain an unbounded number of samples.

Recently, there has been progress on the general case. Rennerand Wolf [34] were the first to demonstrate that an interactivesolution is possible. Their protocol was not efficient, but an ef-ficient version was later given [24]. Boyen [8] showed (in therandom oracle model) how to achieve unidirectional authenti-cation, as well as a weak form of security for the second sce-nario (roughly, remains secret but the user can be fooledinto using an incorrect key ). Boyen et al. [9] showed twosolutions to the problem. Their first solution is noninteractiveand thus applies to both aforementioned scenarios, but relies onrandom oracles. Their second solution is interactive, and relieson password-based key exchange as a primitive. This means thatit provides computational rather than information-theoretic se-curity; furthermore, given the current state-of-the-art for pass-word-based key exchange, their solution is impractical withoutadditional assumptions such as random oracles or the existenceof public parameters.

B. BSM and the Keyed Case

Key agreement using correlated information arises also in thecontext of the BSM [28] in the presence of errors [14], [17].In the BSM, two parties share a long-term secret key .In each time period , a long random string is broadcast tothe parties (and the adversary); the assumption is that the lengthof is more than what the adversary can store. The partiesuse and to generate a secret session key in eachperiod. This process should achieve “everlasting security” [1],meaning that even if is revealed to the adversary in sometime period , all session keys remain independentlyand uniformly distributed from the perspective of the adversary.

A paradigm (formalized by [39]) for achieving the above isfor to contain a seed for a sampler1 and anotherseed for a randomness extractor. The parties useto sample some portion of in each period; in the absenceof errors, this results in each party holding the same value .Since the adversary may have some partial information about

, however, this shared value is not uniformly distributed fromthe point of view of the adversary, and the parties must there-fore use a randomness extractor with the seed to gen-

1A sampler [2] is a function that maps to a set of bit positions. In fact,may simply encode a set of randomly chosen bit positions, but better

samplers—using shorter seeds—are available.

erate a uniform key for the current period. In the presenceof transmission errors in , the problem is even more diffi-cult, as the parties then hold correlated (but possibly unequal)strings after the initial sampling. The parallels to bio-metric authentication should be clear. Nevertheless, the prob-lems are incomparable: in the case of the BSM with errors, thereis a stronger setup assumption (namely, that the parties share along-term key ) but the security requirements are morestringent since needs to be reusable and everlasting se-curity is required.

C. Our Contributions

We focus on the abstract problem of secret-key agreementbetween two parties holding instances of correlatedrandom variables that are guaranteed to be close butnot necessarily identical. Specifically, we assume that andare within distance in some underlying metric space. Our def-initions as well as some of our results hold for arbitrary metricspaces, while other results assume specific metrics.

We restrict our attention to noninteractive protocols definedby procedures that operate as follows. The firstparty, holding , computes and sends tothe second party; this second party computes .(If the parties share a long-term key , then takethis key as additional input.) The basic requirements, infor-mally, are the following.

Correctness: if is within distance of .Security: If the min-entropy of is high, then is uni-formly distributed even given .

So far, this gives exactly a fuzzy extractor as defined by Dodiset al. [16] (although we additionally allow the possibility of along-term key). Since we are interested in the case when the par-ties communicate over an unauthenticated channel, however, weactually want to construct robust fuzzy extractors [9] that addi-tionally protect against malicious modification of . Robustnessrequires that if the adversary sends any modified value ,then with high probability, the second player will reject (i.e.,

). We distinguish between the notion of preap-plication robustness and the stronger notion of postapplicationrobustness, where in the latter case, the adversary is given be-fore it generates . Postapplication robustness is needed in set-tings where the first party may begin using before the secondparty computes , and is also needed for the “key recovery”scenario discussed earlier (since previous usage of may leakinformation about it).

We now summarize our results.The case of no errors: Although our focus is on the case when

are unequal, we obtain improvements also in the casewhen they are equal (i.e., ) but nonuniform. Let de-note the min-entropy of and let denote its bit length.The best previous noninteractive solution in this setting is dueto Maurer and Wolf [27] who show that when , itis possible to achieve preapplication robustness and generate ashared key of length . On the other hand, results in[18] and [19] imply that a noninteractive solution is impossiblewhen . (As shown in [27, Sec. III-C], interactive solu-tions can do better; in fact, it is possible for the length of tobe nearly [11], [19], [33].)

DODIS et al.: ROBUST FUZZY EXTRACTORS AND AUTHENTICATED KEY AGREEMENT FROM CLOSE SECRETS 6209

We bridge the gap between known upper and lower boundsand show that whenever , it is possible to achievepreapplication robustness and generate a shared key of length

. This improves both the required min-entropy of andthe length of the resulting key. Moreover, we give the first so-lution satisfying postapplication robustness. That solution alsoworks as long as , but extracts a key half as long (i.e.,of length ).

Handling errors: The only previously known construction ofrobust fuzzy extractors [9] relies on the random oracle model.We (partially) resolve the main open question in [9] by showinga construction of robust fuzzy extractors in the standard modelfor the specific cases of the Hamming and set-difference met-rics.2 (The solution in [9] is generic and applies to any metricadmitting a good error-correcting code.) Our constructionachieves postapplication robustness.

The techniques of this paper were subsequently generalizedin [12].

Using a shared long-term key: There are scenarios in whichthe two parties trying to derive from and already sharea long-term secret key. Motivated by such settings, we defineand construct a keyed robust fuzzy extractor for general met-rics. In the process, we introduce a new primitive called an ex-tractor message authentication code (MAC): a one-time infor-mation-theoretic message authentication code whose output isindependent of the key if the message has sufficient entropy.

Application to the BSM with errors: Prior work focusingon the BSM with errors [14], [17] showed a noninteractive(i.e., single-message) solution to the problem discussed inSection I-B when the samples of the parties haveconstant relative Hamming distance. The solution of [14] isstateful: the long-term key is updated by both partiesafter each time period using information derived from . If aparty misses a time period and is no longer synchronized withthe other party, it is not clear how to recover. The solution in[17] is stateless; the parties keep the same long-term keyand can communicate even if one of them misses some .However, this solution assumes that the parties can communi-cate over an authenticated channel. Building on keyed robustfuzzy extractors, we show a stateless solution for the BSM witherrors (under the Hamming metric) using an unauthenticatedchannel.

II. DEFINITIONS AND PRELIMINARIES

For strings and , we use to denote their concatenationand let denote the length of . If is a set, meansthat is chosen uniformly from . If is a probability distri-bution, then means that is chosen according to .The notation denotes the probability assigned by tothe value . (We often omit the subscript when the probabilitydistribution is clear from context.) If is a probabilistic algo-rithm and is an input, denotes the output of runningwith random coins , and is the random variablefor uniformly sampled . If is a distribution, then is

2A previous version of this work [15] contained an erroneous claim of a con-struction for edit distance, which proceeded by embedding edit distance into setdifference using shingling (see [16]). That construction does not work, however,because the embedding fails to preserve the requirement that � � ��.

the random variable obtained by sampling and thenrunning . We let denote the uniform distribution over

. All logarithms are base 2.Let be two probability distributions over

some set . Their statistical distance is. If two distributions have sta-

tistical distance at most , we say they are -close and write. Note that -close distributions cannot be distin-

guished with advantage better than by an adversary whogets a single sample, even if the adversary is computationallyunbounded.

The min-entropy of a random variable is defined as. Following [16], we define

the (average) conditional min-entropy of given as

(where the expectation is over for which isnonzero). This definition is suited for cryptographic purposesbecause the probability that an adversary can predict whengiven the value of is .

Lemma 1, ([16, Lemma 2.2]): Let have at most ele-ments in its support. Then, .(More generally, .)

A. Hash Functions and Extractors

We recall the notion of almost-universal hashing [10], [36].

Definition 1: A family of efficient functionsis - if for

all , we have . Families withare called .

A simple universal family [36, Th. 5.2] can be constructed byidentifying and with in the natural way, anddefining as the high-order bits of .

Extractors [31] yield a (close to) uniform string from arandom variable with high min-entropy, using a uniform seed .Strong extractors guarantee that the extracted string is uniformeven conditioned on the seed. We consider only strong extrac-tors in this paper, and thus often omit the qualifier “strong.”

Definition 2: Let be a set and the uniform distributionover that set. A function is a

- if for all distributions overwith , we have.

We refer to the second argument to as the seed.We need to strengthen the aforementioned definition to

account for external information an adversary knows thatmay be correlated with . To do so, we generalize the min-en-tropy constraint on to average min-entropy, and requirethe extracted string to be uniform even given . Namely,we require that for any such that ,we have . Suchextractors are called average-case extractors. Note that any

-extractor is an -average-caseextractor, becauseby Markov’s inequality; Vahdan [40] proves the strongerstatement that any -extractor for is also an


-average-case extractor. However, the additional loss isnot always necessary. Indeed, the Leftover Hash Lemma gen-eralizes without any loss to the average-case setting. (Multipleversions of this lemma have appeared; we use the formulationof [37, Th. 8.1], augmented by [16, Lemma 2.4] for the averagecase; see [21] and references therein for earlier formulations.)

Lemma 2 (Leftover Hash Lemma): Fix . Ifis a -al-

most universal family, then is a strong -average-caseextractor (where the index of the hash function is the seed tothe extractor). In particular, if is universal and

, then is a strong -average-case extractor.The aforementioned holds even when depends on , i.e.,

when is a collection of almost-universal fami-lies, one for each value of the external information .

B. One-Time Message Authentication Codes

An (information-theoretic) one-time MAC consists of poly-nomial-time algorithms . The first algorithm takes akey and a message and outputs a tag ; we writethis as . The verification algorithm takes asinput a key , a message , and a tag , and outputseither 1 or 0, with the former being interpreted as acceptance andthe latter as rejection. Correctness requires that for all andall , we have . Secu-rity requires that when is chosen uniformly, an unboundedadversary cannot output a valid tag on a new message even afterbeing given the tag on any message of its choice. Formally, seethe following definition.

Definition 3: Message authentication codeis a - if for any adversary and anymessage , the probability that the following experimentoutputs “success” is at most : Choose uniform key ; let

; let ; output “success” ifand .

We next recall the notion of (almost) strongly universalhashing [36], [41].

Definition 4: A family of efficient functionsis - if

for all it holds that: (a)and (b) . Families with

are called or .

A strongly universal family [36, Th. 5.2] is obtained by iden-tifying with , letting , anddefining as the high-order bits of .

An almost strongly universal hash family can be used for in-formation-theoretic authentication of a message using a se-cret key , by letting the tag be . The property ofbeing -almost strongly universal implies that this is a -secureone-time MAC.

C. Secure Sketches and Fuzzy Extractors

We review the definitions of secure sketches and fuzzy ex-tractors from [16]. Let be a metric space with distance func-tion . Informally, a secure sketch enables recovery of a string

from any “close” string , without leaking toomuch information about .

Definition 5: An - for is a pair ofefficient randomized algorithms such that

1) The sketching procedure takes an input andoutputs a string . The recovery proceduretakes as inputs an element and a string

, and returns an element of .2) Correctness: If then

3) Security: For any distribution over with, we have .

The quantity is called the of the securesketch.

For the case of the Hamming metric on , we willmake use of the syndrome construction from [16] (this construc-tion also appeared as a component of earlier work, e.g., [4]).Here, the sketch consists of the -bit syndrome3 of

with respect to some (efficiently decodable)-error-correcting code. We do not need any details of this con-

struction other than the facts that is a (deterministic) linearfunction of and that the entropy loss is at most . Wealso note that this construction can be extended to the set-differ-ence metric [16].

As opposed to a secure sketch, whose goal is to recover theoriginal input, a fuzzy extractor enables generation of a close-to-uniform string from , and subsequent reproduction offrom any close to .

Definition 6: An - for isa pair of efficient randomized algorithms such that

1) The generation procedure takes input andoutputs an extracted string and a helper string

. The reproduction procedure takes asinputs an element and a string , andreturns a string in .

2) Correctness: If and is output by, then .

3) Security: For any distribution over with min-en-tropy , the string is close to uniform conditioned on

, i.e., if and , then.

Composing an -secure sketch with an average-case -extractor yieldsa -fuzzy extractor with and

(see [16, Lemma 4.1]).Just as with ordinary extractors, a more general definition of

fuzzy extractors accounts for external information and re-quires that for any with , we have

. A fuzzy extractor satisfyingthis definition is called an average-case fuzzy extractor, and allknown constructions satisfy this more general definition.

In this study, we will also use keyed fuzzy extractors whereboth and use the same key , which is uniform

3If� is the parity matrix for a linear code � (i.e., � � � iff �� ), thenthe syndrome of a vector � is �� .


and independent of the input distribution . Here, we requirethe additional security property that are independentlyuniform conditioned on . This stronger requirement stemsfrom the fact that needs to be reusable; thus, it should re-main uniform and independent of in order to be usefulnext time. This requirement implies (by a hybrid argument)that keyed fuzzy extractors can be used multiple times (withthe same key ) to extract independent keys fromindependent . It also implies that any extracted keyremains uniform even to an adversary who learns and(but not ).

Definition 7: An - for isa pair of efficient randomized algorithms ( , ) such that

1) Algorithm , on input a key and , outputsand ; we denote this by. Algorithm takes as input a key , an

element , and a string , and returns astring in ; we denote this by .

2) Correctness: For any key , ifand is output by , then it holds that

.3) Security: If is uniform, distribution over is

such that , and ,then .

For some applications, we need to impose the additional con-dition that, informally, not reveal any information about thedistribution . Formally, the distribution should be the sameregardless of the distribution , as long as has sufficientmin-entropy. It is easiest, though slightly more restrictive thannecessary, to simply require to be uniform (for any withsufficient min-entropy). That is, we say that has

if the security condition is strengthenedto require .This additional security condition was subsequently exploredin the setting of interactive key agreement [7].

This additional requirement may seem strange: after all, secu-rity of a fuzzy extractor depends not on secrecy of the distribu-tion , but only on the fact that has high min-entropy, whichensures that the specific sample is secret. However, there areapplications that need the distribution to be kept secret, andthe public output of the fuzzy extractor can harm them if thisrequirement is not satisfied.

The specific application considered in this paper is to theBSM (introduced in Section I-B and addressed in detail inSection IV-C). In this application, the input distribution to thefuzzy extractor depends on the sampling seed , whichneeds to remain secret so that it can be reused.

D. Robust Fuzzy Extractors

Fuzzy extractors protect against a passive attack in which anadversary observes and tries to learn something about the ex-tracted key . However, the definition says nothing about whathappens if an adversary can modify as it is sent to the userholding . That is, there are no guarantees about the output of

for .

Fig. 1. Robust extractors (cf., Definition 8). Dashed lines indicate variations inthe definition. (a) Keyed extractors take an additional input shared by

and . (b) For preapplication robustness, the adversary does not haveaccess to the extracted key �.

Boyen et al. [9] propose the notion of robust fuzzy extractors,which provide strong guarantees against such an attack. Specif-ically, can now output either a key or a special value(denoting “fail”). The definition requires that with high proba-bility, any value produced by the adversary (after beinggiven ) causes to output . Modified versions ofthe public information will therefore be detected.

We consider two variants of this idea, depending on whetherand additionally share a long-term key . (Boyen

et al. considered only the keyless version.) Furthermore, we dis-tinguish between two adversarial attacks, and thus two notionsof robustness, depending on whether the adversary has access to

when modifying . Indeed, if is used (e.g., for encryption)and the adversary can observe some effect of this use (e.g., theciphertext) before modifying , then the notion of robustnessfrom Boyen et al. (in which the adversary is given no informa-tion about ) is insufficient. Our stronger notion accounts forthis by giving the adversary access to in addition to . Thisis a conservative choice that results in a broadly applicable def-inition: security holds regardless of how is used and whetherit remains hidden partially, computationally, or not at all. Wecall this stronger notion postapplication robustness, and refer tothe original notion (where is not given to the adversary) aspreapplication robustness. Preapplication robustness suffices ifthe adversary’s ability to modify ends prior to any observableuse of .

If are two (correlated) random variables over ametric space , we say if the distance between

and is at most with probability one. We call a-pair if and .

Definition 8: An -fuzzy extractor hasif for all

-pairs and all adversaries , the probabilitythat the following experiment outputs “success” is at most: Sample from ; let ; let

(resp., ); output “success” ifand .

The definition is illustrated in Fig. 1. Note that the definitionis interesting even when (i.e., when ), because or-dinary extractors are not usually robust. We construct (keyless)robust fuzzy extractors in Section III, and keyed robust fuzzyextractors in Section IV.

The definition of robust extractors composes with itself insome situations. For example, a generalization of the above(used in [9]) allows the adversary to output ; theadversary succeeds if there exists an with .


A simple union bound shows that the success probability of anadversary in this case increases at most linearly in .

Similarly, suppose two players (Alice and Bob)receive a sequence of pairs of random variables

(with Alice re-ceiving the and Bob receiving the ), such that

for all , and the entropy of conditioned onthe information from prior time periods is atleast . Alice and Bob can agree on random and independentkeys by having Alice apply from a robustaverage-case fuzzy extractor to each and then send toBob. The attacker’s advantage in distinguishing the vectorof unknown keys from random is at most (this follows bya hybrid argument that replaces extracted keys by randomstrings one a time, starting with the most recent one). Theattacker’s probability of forging a valid is at most in anygiven period (this can be shown by simply giving the attacker

); thus, the overall probability offorgery over all time periods is at most .

For keyed fuzzy extractors, robustness is defined exactly asin Definition 8 with the only difference being that and

both use the same (uniform) key (which is not givento the adversary); see Fig. 1. At first glance, the addition ofa long-term key may seem to trivialize the problem of con-structing robust fuzzy extractors. For example, one might at-tempt to use as a key for a message authentication codeand, given output from a fuzzy extractor, simply appendto the tag . While this may work in the compu-tational setting, it will not suffice in the information-theoreticsetting if we want to support an unbounded number of time pe-riods (or if we want to use a key whose length does notgrow linearly in the number of time periods supported). Further-more, such a construction will not satisfy the security propertyof Definition 7 because will not be uniform conditionedon and .

III. CONSTRUCTING (KEYLESS) ROBUST FUZZY EXTRACTORS

We begin by analyzing the case of no errors (i.e., ), andthen consider the more general case.

A. Errorless Case

Consider the case where and Alice and Bobhold the same sample of a random variable . Inthe presence of a passive adversary, Alice and Bob can agree ona uniform key using a strong extractor . Phrased using theterminology of fuzzy extractors (with here), Alice runs

which simply samples a seed for , and sends toBob; both Alice and Bob then output the key

. This solution does not work if the adversary is ac-tive, which is why robust fuzzy extractors are interesting even inthe errorless case. In particular, if an adversary forwardsto Bob, then there is no longer any guarantee on Bob’s output

; in fact, it is easy to show a construction of a strongextractor with the property that a maliciously generatedcompletely determines Bob’s key . One idea toaddress this is for Alice to authenticate using the key she

Fig. 2. Construction for the errorless case.

extracts, and then send the authentication tag along with toBob. In general, this does not work either: if the adversary for-wards to Bob, then it may be easy for the adversaryto generate a forged tag with respect to the key that Bob de-rives. Instead, we use itself to authenticate and show thatthis approach works for a particular choice of strong extractorand message authentication code.

We define algorithms as follows. To compute, parse as two strings and of lengths and ,

respectively, where is a parameter of the construction.View as an element of and as an element of(the representation of field elements does not matter, as long asaddition in the field corresponds to exclusive-or of bit strings).Choose random , let denote the mostsignificant bits of , and let denote theremaining bits of . View as an element of . Then,compute , set , and let the extractedkey be . See Fig. 2.

, where , proceeds as follows. Parseas two strings and as earlier. Then, verify thatand output if this is not the case. Otherwise, compute theextracted key .

The following theorem states the parameters for whichis a robust fuzzy extractor. (Since here, the

metric over is irrelevant.) Observe that extraction is

possible as long as , and in the case ofpreapplication robustness (which is the notion considered in[27]), we extract a key of length roughly . This improveson the result of Maurer and Wolf [27] who requireand extract a key of length roughly .

Theorem 3: Fix , and let be the length of theextracted key. Then:

1) For any satisfying

is an -fuzzy extractor with preappli-cation robustness .


is an -fuzzy extractor with postap-plication robustness .Proof: We show that is close to uniform con-

ditioned on , and then argue robustness.


Extraction: We begin by showing thatis a universal hash family. Indeed, for ,

we have

This is equivalent to , where“ ” denotes concatenation (this is because we insisted that ad-dition/subtraction in the finite fields corresponds to bitwise ex-clusive-or). If , then we must have and so the prob-ability is 0. If , then there is a unique that satisfies theequality. Thus, the probability is at most .

Using the above and the leftover hash lemma(Lemma 2), we see that is

-close to or, putdifferently, that . This implies

using the triangle inequality.Preapplication robustness: We prove the stronger result that

robustness holds for worst case choice of . Fix and , and letbe the event that succeeds. Since is unbounded, we

may assume it is deterministic. Upon observing , the adversaryoutputs . If , then will rejectunless ; therefore, we need only consider the case .By definition, succeeds only if .

Call a triple a transcript, and say it is possible if. For any possible transcript , the

following holds (in the following probability expressions,are chosen according to the distribution conditioned onor, equivalently, conditioned on )

where the final equality holds because we insisted that addition/subtraction in our fields corresponds to bitwise exclusive-or.The term takes on each possible value in ex-actly once as varies; therefore, there arevalues of for which . For each such valueof , there is a unique value of that satisfies . Each

pair occurs with probability at most . Thus

The overall success probability of is given by

Since , we have and we concludethat .

Postapplication robustness: Because , providingto the adversary can increase its success probability by a mul-tiplicative factor of at most as compared to preapplication

robustness.4 Thus, if , the adversary’ssuccess probability (in the postapplication robustness game) isat most .

B. Improved Postapplication Robustness for the ErrorlessCase

In this section, we present a construction of an extractor withpostapplication robustness that extracts a key of length

, an improvement by a factor of as comparedto the construction given previously.

Assume is even for simplicity. To compute , letand denote the first and last halves of , respectively, and view

and as elements of . Choose a randomand compute . Let be the first bits of , where

is a parameter of the scheme, and let be the remainder of; i.e., and Output .

, where , proceeds in the obvious way:parse as two strings as earlier. Then, verify that

and output if this is not the case. Otherwise, computethe extracted key .

Before giving the formal proof, we provide some intuitionas to why this construction has better postapplication robust-ness. Recall that in the previous construction, is parsed astwo strings and of lengths and , respectively, and thevalues are computed as and .Increasing improves robustness but decreases the number ofextracted bits. For preapplication robustness, setting

suffices, and thus, the construction extracts nearlybits. For postapplication robustness, however, a larger

must be used and consequently the number of extracted bitsis decreased.

The postapplication robustness game reveals more infor-mation to the adversary about than the preapplicationrobustness game. This additional information—namely,itself—may make it easier for to guess . The key toour improvement is to use the pairwise-independent function

to compute both and . Because of pairwiseindependence, the value of leaks nothing aboutthe value for any . (This holds when

is uniform; when has min-entropy , then mayhave up to bits of information about .) In contrast,in the previous construction, only was computed using apairwise-independent hash function. This works better forpreapplication robustness (because can be taken shorter), butworse for postapplication robustness.

Theorem 4: Fix , and let be the length of theextracted key. Then, for any satisfying

is an -fuzzy extractor with postapplica-tion robustness .

4One might hope to improve this analysis, but we show in the Appendix thatthe analysis here is essentially tight.


Proof: We first show that is nearly uniformgiven . The proof proceeds along the lines of the analogousproof for Theorem 3. As earlier, we begin by showing that

is universal. Indeed, for, we have

If , then and so . If, then there is a unique for which ,

and so .The above and Lemma 2 imply that is

-close to . As in the previousproof, and recalling that , this means that

.Postapplication robustness: As in the previous proof, we

prove that robustness holds for worst case choice of . Fixand , and let be the event that succeeds. Sinceis unbounded, we may assume it is deterministic. Thus, uponobserving , the adversary outputs ; theadversary succeeds if . Note that if , then

will reject unless ; therefore, we need only considerthe case .

We now let a transcript be a tuple , and sayit is possible if . For any possible transcript

, we have the following (in the following prob-ability expressions, are chosen according to the distribution

conditioned on or, equivalently, conditioned on )

For any fixed , there is a unique value for whichand . Each pair occurs with

probability at most . We thus see that

The overall success probability of is given by

Since , we haveand so .

C. Authenticating a Message While Extracting

Each of the constructions given previously uses the parties’input to authenticate the extractor seed . Each constructioncan be extended to additionally authenticate a message , i.e.,to be simultaneously a robust fuzzy extractor and an informa-tion-theoretic one-time MAC. In this setting, both andwill take an additional input , and it should be difficult for anadversary to cause to accept a different . (We are beinginformal here since this is merely a stepping stone to the resultsin the following section.) This could be done naively by using

(a part of) as a key for a MAC, but this would correspond-ingly reduce the final number of extracted bits. In contrast, theapproach presented here (almost) does not reduce the length of

at all.We show how to extend the original construction given at the

beginning of Section III-A; the construction of Section III-Bcan be extended similarly. We adapt a standard technique [6],[13], [38] for authenticating messages using polynomial-basedalmost-universal hash functions. Let , where

is known to both parties in advance. Split into chunks, each bits long, and view these as coef-

ficients of a polynomial of degree .To compute , parse as , choose random

, compute , and set .As earlier, the extracted key is .

The procedure , given , , and , verifiesthat and that . If so,it accepts as valid and additionally outputs .

Extraction and robustness (which here means that neithernor can be modified without detection) are proved in a

manner very similar to the proof of Theorem 3. Fix arbitrary ,known to the adversary. To argue that is nearly uniform given

, we will show that isuniversal. Indeed, for , we have

If , then and the aforementioned equality cannotbe satisfied; if , there is a unique satisfying the equality.This proves universality. The rest of the proof proceeds asearlier.

For (preapplication) robustness, fix arbitrary and (knownto ) and proceed as earlier. The only difference is that we nowneed to compute the number of values of for which

(1)

The crucial property is that the polynomialis nonconstant if . A noncon-

stant polynomial of degree at most can take on a givenvalue at most times; hence, there are at mostvalues of satisfying (1). The probability that the adversary suc-ceeds (in changing either or without being detected) is thusat most . Note that the resulting forgery proba-bility is affected only by a multiplicative factor of ; sincewe expect in practice, the impact is small.

D. Adding Error Tolerance

We now consider settings when the input held by thesecond party is close, but not identical to the input used bythe first party. An obvious first attempt is to include a securesketch along with , and to authenticateusing the message-authentication technique discussed in theprevious section; would allow recovery of from , andthen verification could proceed as earlier. Unfortunately, thisdoes not quite work: if the adversary modifies the sketch ,


then a different value may be recovered; however, theresults of the previous section apply only when the receiveruses the same as the sender. In effect, we have a circularity:the receiver uses to verify that was not modified, but thereceiver computes (from ) using a possibly modified .

We show how to break this circularity using a modificationof the message-authentication technique from earlier. The keyidea is to exploit algebraic structure in the metric space, andto change the message authentication code so that it remainssecure even when the adversary can influence the key (this issometimes referred to as “security against related-key attacks”;our approach was generalized in [12]). Specifically, we first treatthe case where the distance between and is small in theHamming metric; in Section III-G, we extend the approach tothe set-difference metric.

Another problem arises from the fact that the performance ofour previous constructions degrades not only when the min-en-tropy of the input decreases, but also when the entropy gap

increases (for example, Theorem 3 can extractroughly bits with preapplication robustness). Because

reveals information about , the entropy of from the adver-sary’s point of view decreases, and the entropy gap increases.An important idea is to limit this increase by using the (shorter)part of that is independent of .

E. Tolerating Binary Hamming Errors

We begin by extending the construction presented at the be-ginning of Section III-A to tolerate binary hamming errors; wethen extend the construction from Section III-B.

Our metric space is and the distance betweentwo strings is Hamming distance—i.e., the number of bit posi-tions in which they differ. Suppose the input is a distribu-tion of min-entropy over , and that is guaranteed to bewithin distance of . Our starting point is to use a determin-istic, linear, secure sketch that is bits long; let

and note that . Weassume that is a surjective, linear function (this is the casefor the syndrome sketch for the Hamming metric), and so thereexists a matrix of rank such that . Let

be an matrix such that the matrix has

full rank. We let . One can view asthe information remaining in once has been learned bythe adversary.

We define as follows. , on input , begins bycomputing and . It then parses

as two strings with and ,where (so ) is a parameter of the construction.Letting , it pads with 0s to length

and parses the resulting string as with. It chooses random , and defines

.Finally, it sets , and outputs and

., on inputs and , first computes

. It checks that and; if not, then it outputs . Otherwise, let

and parse as with and .

Check that : if not, output ; otherwise,output .

Before turning to the detailed analysis, we note that the poly-nomial defined previously differs from the message-authen-tication technique in the previous section only in the leadingterm (and the forcing of to be even). It has the propertythat for any pair , and for any fixed offset ,the polynomial is a nonconstant poly-nomial of degree at most : this is easy to see for ;if , then the leading term is (recall we areworking in a field of characteristic 2 and is even). Our anal-ysis will show that amounts to a message authenticationcode (where the shared key is used to authenticate ) that isprovably secure against a class of related-key attacks where theadversary can force the receiver to use a key shifted by an offsetknown to the adversary.

Theorem 5: Let denote under the Hammingmetric, let be the -secure syndrome sketch for

, and let denote the volume of the ball of radius in .Fix , and let be the length of the extractedkey. Then:

1) For any , satisfying

is an -fuzzy extractor for withpreapplication robustness .

2) For any , satisfying

is an -fuzzy extractor for withpostapplication robustness .

Note that if , where is thebinary entropy function [25, Ch. 10, Sec. 11, Lemma 8], and

always.5

Before giving the proof, we briefly discuss the parametersobtained. The bound on differs in two main terms from thebound in the errorless case of Theorem 3. First, we lose thelength of the sketch. This is not surprising, since the sketchmay reduce the min-entropy of by up to bits. Second, we

5Note � � � � . The second bound is achieved by noting thatevery point in the ball centered at 0 can be represented by up to � strings oflength �� each, where each string represents the position of a 1 orindicates “the end” in case the weight of a point is less than �.


lose another additive factor of . In general, this is (tosome extent) inherent, since the min-entropy of may be aslow as . Looking at it slightly differently, inour analysis, we start by giving the attacker “forfree,” which can reduce the min-entropy of by . Wecan prove a generalization of the aforementioned result wherethe term is replaced by . Thus, forexample, if errors are independent of , then the term isno longer present.

Proof: That the construction satisfies the functionality ofa robust fuzzy extractor is clear, we thus turn to proving se-curity. The argument that is nearly uniform given is sim-ilar to the errorless case, except that the entropy loss due to thesketch has to be taken into account. For every , the family

is universal because for every, there is at most one such that . Since

, applyingLemma 2 and proceeding as in the proof of Theorem 3 gives

.Preapplication robustness: We prove the stronger result that

robustness holds for worst case choice of , and even if the ad-versary is given . Fix and , and let be theevent that succeeds. Since is unbounded, we may assume itis deterministic. Upon observing , the adversary outputs

. If , thenwill reject unless ; thus, we need only consider the

case .Call a tuple a transcript and denote it by

. Call a transcript feasible if . Forsome fixed feasible transcript, the adversary’s success dependsonly on the choice of conditioned on the given values of

. (Note is determined by and .)Recall that denote the values reconstructed

during the course of applying to and .We claim that for any feasible transcript, there is at mostone value for which will not reject. Indeed, saythere are two distinct values for which doesnot reject; this means and

. But then, violating correctness

of the secure sketch. This implies there is also at most onevalue for each of for which will not reject. may beunable to compute (since it does not know ); how-ever, we claim that can compute the differencesand . Let , and recallthe weight of is at most . By linearity of , we have

The right-hand side of the aforementioned equation is known to, and an argument as earlier shows that there is at most one

with weight at most that satisfies the aforementioned equation.Thus, can be computed by . Linearity of means thatcan also compute

Next, we prove that for any feasible transcript, we have

(2)

To see this, note that succeeds only if ,which is the same as requiring that be a solution to the equation

. (Recall from earlierthat we may assume are known to .) But for anydistinct pairs and for any , the polynomial

is nonconstant and has degree at most. (If , this is immediate; if , then the

leading term is , which is nonzero sinceis even and we are working in a field of characteristic 2.)

Thus, for any , the number of values of forwhich is at most

, and so the number of values of that satisfyis at most .

Each such value occurs with probability at most(where we let also stand for the random variable describingthe distribution of ), giving the bound

. Note that

because ; finally

since . This completes the proof of (2).We may now easily prove the theorem. We have

using (2). Since , Lemma 1 gives

Observe that (because). We conclude that the success probability of

is at most

Postapplication robustness: Because the extracted key isof length , providing it to the adversary can increaseits success probability by at most a factor of . The restof the analysis remains the same.

F. Improved Postapplication Robustness for the HammingMetric

In this section, we extend the construction from Section III-Bto tolerate binary Hamming errors. The space is stillwith Hamming distance. is similar to the one in theprevious construction except that now and are obtained by


splitting into two equal parts (we assume for simplicity thatis even) and computing and

.

Theorem 6: Let denote under the Hammingmetric, let be the -secure syndrome sketch for

, and let denote the volume of the ball of radius in .Fix , and let be the length of the extractedkey. Then, for any satisfying

is a -fuzzy extractor for with postap-plication robustness .

Proof: We first show that is nearly uniform given. For every , the family

is universal. Since, applying the Leftover Hash Lemma

(Lemma 2) and proceeding as in the proof of Theorem 3 showsthat .

Postapplication robustness: We prove the stronger result thatrobustness holds for worst case choice of , and even if the adver-sary is given . Fix and , and let be the eventthat succeeds. Since is unbounded, we may assume it is de-terministic. Upon observing , the adversary out-puts . If ,then will reject unless ; thus, we need only considerthe case .

Call a tuple a transcript and denote it by. Call a transcript feasible if .

For some fixed feasible transcript, the adversary’s success de-pends only on choice of (conditioned on the given values of

).As in the proof of Theorem 5, for any feasible transcript,

there is at most one value for each of for whichwill not reject, and moreover, the values and

can be computed by . Following an argumentexactly as in the proof of that theorem, for any feasible tran-script , we have

and so

Since, we obtain

.

G. Construction for the Set-Difference Metric

The constructions from the previous two sections rely heavilyon the linearity of the secure sketch used in the protocol and onthe structure of the Hamming space. Using the techniques from[16], however, they can be extended to handle errors under theset-difference metric.

In the set-difference metric, elements of are sets of at mostelements chosen from some fixed universe of size ; the dis-

tance between two sets is the size of their symmetricdifference: . Notingthat elements of can be represented by characteristic vectorsof length , we see that the set-difference metric is equivalentto the Hamming metric; this is inefficient, however, since ele-ments of can be represented using at most bits. Al-gorithms here should, ideally, run in time ratherthan in time .

In order to extend the analysis of the previous sections tohandle this different representation of the input, we need a pairof functions that take sets and output strings of length

and , respectively. A set of size at mostshould be uniquely determined by the pair ,and the functions should be linear in the following sense: theaddition/removal of a particular element should correspond toadding/subtracting a particular bit vector. In other words,and should be linear in the characteristic vector of theirinput set. The function of the BCH secure sketch of Dodiset al. [16, Sec. 6.3] (called “PinSketch”) is, in fact, linear: itoutputs values of bits each in order to correct upto errors, thus producing sketches of length .We will see in a moment how to construct correspondingto this . For the PinSketch construction, the universe must beviewed as nonzero elements of a binary field for someand thus .

The constructions of and are the same as in the pre-vious sections, but using different , , and functions.In addition, should check that the recovered value is aset with elements in . (Note, however, that it is not nec-essary to check that has size at most ; the constructionswork correctly even if has more than elements, so long as

.)The analysis is the same as in the previous sections. The

volume of the ball of radius remains the same as in the bi-nary Hamming case; here, is very large compared to and sowe use in our formulas since this isnow a close approximation. Using and

, we obtain the following as corollariesof Theorems 5 and 6, respectively.

Corollary 7: Let be the set-difference metric on sets ofsize at most over the universe . Using fromSection III-E with as described previously, fix

and then let be the length of the extractedkey. Then:


is an -fuzzy extractor for withpreapplication robustness .



is an -fuzzy extractor for withpostapplication robustness .

Corollary 8: Let be the set-difference metric on sets ofsize at most over the universe . Using fromSection III-F with as described previously, fixand then let be the length of the extractedkey. Then, for any satisfying

is a -fuzzy extractor for with postap-plication robustness .

It remains to describe . For self-containment, we includea description of as well. To compute and

on input , let (computations in) and, viewing values as bit strings, output

and .Given any set of points, these two vectors are easy to computein operations in . Moreover, given ,one can recover . (Simply observe that isthe syndrome of the characteristic vector of with respect tothe binary BCH code of distance , and that the weight ofthis vector is at most . See [16, Lemma 6.2], setting ,

, and .) Algorithms have thedesired linearity property since adding or removing an element

from corresponds to adding to each component (andwe require addition in binary fields to correspond to bitwise ex-clusive-or).

IV. KEYED ROBUST FUZZY EXTRACTORS

AND THEIR APPLICATIONS

In this section, we show that the addition of a very short,long-term, shared secret key allows us to achieve consid-erably better parameters when constructing keyed robust fuzzyextractors. The parameters we obtain are optimal up to constantfactors.

To motivate our construction, recall the naive transformationfrom fuzzy extractors to keyed robust fuzzy extractors discussedin Section II-E. Suppose we start from the generic constructionof a fuzzy extractor from [16, Lemma 4.1]: here, ,where for a secure sketch , and the extracted keyis . In an attempt to make this construction robust,we may set and include as part of .This is fine for one-time use, but leaks information aboutso cannot be used an unbounded number of times. Formally,this construction does not satisfy Definition 7 since is notuniform given .

We can change the scheme to avoid this. Note that mustrecover before computing . Thus, we can add

to the authenticated message, i.e., set .The tag can be verified by after recovering . This does notstrengthen the robustness property, which was already satisfiedby the original scheme. However, it does help with the problemof revealing , since now the attacker does not know the

entire message being authenticated, so the entropy of the mes-sage can be used to hide . Thus, we see that we need toconstruct an information-theoretic MAC whose secret key is in-dependent of the tag as long as the authenticated message hashigh min-entropy. Observe that in strong randomness extractors,the output is independent of the seed. Thus, it suffices to ensurethat is simultaneously a message authentication code anda strong randomness extractor when the key is viewed as theseed. (Note that we do not need the guarantee, provided by theextractor property, that the tag output by is itself uniform;nevertheless, uniform tags are easy enough to achieve.) This isthe problem we turn to in the next section.

A. Extractor-MACs

Definition 9: A family offunctions is aif it is -almost strongly universal and an (average-case)strong extractor.

When constructing MACs, one typically tries to minimize thetag length (to approach the bound ), while for extrac-tors, one tries to maximize the output length (to approach thebound ). In our setting, the extractor constraintis merely a convenient way to argue key reuse, so we will infact try to minimize . Naturally, we also want to minimize themin-entropy threshold .

Our construction of extractor-MACs follows from the obser-vation that almost strongly-universal hash functions are MACsand, as universal hash functions, also extractors. (In fact, this ob-servation was used to get extractors with short seeds in [35, Sec.3]). We exemplify our construction with the family constructedin [6, Sec. 4]. Specifically, we compose two hash families asfollows. Let be a -almost universal hash familymapping -bit inputs to -bit outputs (for some to be deter-mined later), and let be a strongly universal hash familymapping -bit inputs to -bit outputs, where(i.e., ). Set . By [36, Th. 5.5],

is a -almost strongly universal hash family, since. This means it can be used for message authen-

tication. Furthermore, by [36, Th. 5.4], it is-almost universal, since is -almost uni-

versal. By the Leftover Hash Lemma (Lemma 2), this means itis an -extractor with .

We will set to be the family from [36, Th. 5.2] (de-scribed following Definition 4) with keys of length .It remains to set so that we can construct a convenientalmost-universal hash family . We use the polyno-mial-based construction from [6], [13], and [38]. The key isa point in , and the message is split into pieces

, each of which is viewed as an element of .Then, . This family is

-almost universal with key length (because two dis-tinct degree- polynomials agree on at most points).We can setto make . This gives key length

, and we obtain the following.

Theorem 9: For any , and , thereexists a -extractor-MAC for messages of length , with


key length and tag length.

This construction has both short keys and short tags. One canreuse the key as long as the min-entropy of the authenticatedmessage is above the threshold . The taglength is within one bit of optimal, since it is impossible to ob-tain -almost strong universality with tags shorter than .Known bounds on extractors [32, Th. 1.9] (reinterpreted forstrong extractors by viewing the seed as part of the extractoroutput) imply that the key length is optimal up to a constantfactor and the entropy threshold is optimal up to an additiveconstant.

B. Constructing Keyed Robust Fuzzy Extractors

We now apply extractor-MACs to build keyed robust fuzzyextractors. We start with a generic construction and set the pa-rameters in the following.

Assume is an -secure sketch withsketch length ; is an average-case -extractor with

-bit inputs, -bit outputs, and -bit seeds; and is anaverage-case -extractor-MAC frombits to bits having a key of length . We now define akeyed robust fuzzy extractor with secret key , which issimply the extractor-MAC secret key .

1) : compute sketch , sample atrandom, set key , tag ,

and output .2) : Let . If

, then ; else .

Theorem 10: The aforementioned construction is a-keyed fuzzy extractor with postapplication ro-

bustness , which uses a secret key of length andoutputs public information of length .

Proof: We need to show correctness, security, and unforge-ability. Correctness follows immediately from the correctness ofthe secure sketch. To show security (i.e., extraction), we need toargue that for any of min-entropy , we have

or equivalently

Indeed

because and is an average-case-extractor. This trivially implies that

On the other hand

because

(the first inequality follows from Lemma 1 and the lastinequality follows by independence of ), and is aaverage-case extractor.

By the triangle inequality, therefore, we obtain

Using the triangle inequality again, we obtain the desired result.To show robustness, suppose outputs

. First, consider the case when . In thiscase, implies , and thus,

. Therefore, unless and ,will output . Now, consider the case when .

Then, in order for not to reject, must correctly guess thetag of a new message with a uniformly chosen key , whichcannot be done with probability higher than by the -almoststrong universality of . Note that this implies postapplica-tion robustness: it does not hurt to reveal (or even itself) to

, because the security of relies on the secrecy of only.

The price of authentication: We compare the parameters ofTheorem 10 to the original (nonrobust, nonkeyed) constructionsin [16]. First, note that the choice of a sketch and strong extractorcan be done in the same manner as for nonrobust fuzzy extrac-tors. Assume we use the construction of Theorem 9 for .Then, the secret key is just the MAC key, whose length is

as long as and(which is the case with typical extractor and secure

sketch constructions), so that . For the extractor-MACof Theorem 9 to work, we need or

. This means that the key is onlybits shorter than for nonrobust extractors, which can

extract bits [16, Lemma 4.3]. Finally, thelength of increases only by the tag length .

C. Uniform Helper Strings and Application to the BSM WithErrors

Keyed robust fuzzy extractors allow us to remove the needfor an authenticated channel between the honest parties in theBSM with errors. As explained in Definition 7, the first step isto construct such extractors with uniform helper strings. We thenshow in more detail how they apply to the BSM.

Keyed robust extractors with uniform helper strings: Exam-ining the keyed construction in Theorem 10, we see that the onlyplace where the value depends on (the distributionof) is in the sketch . Indeed, the seed is chosenuniformly at random, and the value is close to uniform (evenconditioned on , , , and ) by the properties of the ex-tractor-MAC. Thus, to solve our problem, we only need to buildan -secure sketch such that is statisticallyclose to uniform whenever has sufficient min-entropy. (Notethat such sketches cannot be deterministic.) Such sketches werestudied by Dodis and Smith [17], where they were used to solvethe noisy-BSM problem even in the authenticated-channel case.In particular, Dodis and Smith show such sketches for the binary


Hamming metric with parameters that are only a constant factorworse than those of regular sketches.

Theorem 11, ([17, Th. 1]): For any min-entropy ,there exists an efficient -secure sketch for the Ham-ming metric over that is also an -extractor, where

, , and are all , and the length of the sketch is.

Using such sketches in the construction of Section IV-B givesus the following theorem.

Theorem 12: Using the sketch of Theorem 11 in the construc-tion of Section IV-B gives an -keyed fuzzy extractorwith uniform helper strings and postapplication robustness .

Proof: Correctness and unforgeability are shown the sameway as in Theorem 10. To show security (i.e., extraction) withuniform helper strings, we need to argue that for any withmin-entropy , we have

or equivalently

Indeed

for the same reason as in Theorem 10. On the other hand,by Theorem 10 and therefore

which, by the triangle inequality, implies

The rest of the proof proceeds as in Theorem 10.

Application to the BSM: To explain the application, we firstbriefly recall the key elements of the BSM [28] with errors [14],[17] concentrating only on the stateless variant in [17]. Our dis-cussion will be specific to Hamming distance.

In the BSM with errors, two parties (say, Alice and Bob) startby sharing a long-term secret key . At each time period ,Alice (resp., Bob) has access to a noisy version (resp., )of a random string (of length ). We assume a bound onthe Hamming distance of and . Both the honest partiesand the attacker are limited in storage to considerably fewerthan bits. More specifically, we assume that can look atthe entire but store only bits of (arbitrary) informationabout , for . After has stored its information about

, it cannot see again; this means that has average min-entropy from the adversary’s point of view by Lemma1. The honest parties are even more limited in their storage, butthey can use their shared secret key to gain an advantage overthe adversary and communicate securely without the need forcomputational assumptions (they can even achieve everlastingsecurity [1]).

Prior work [14], [17] assumed that the communicationchannel between Alice and Bob was authenticated or, equiva-lently, that the adversary does not modify the messages betweenAlice and Bob. This authenticated channel was used to recon-cile the differences between (the relevant portions of) and

received by the two parties. In this study, we remove theneed for the authenticated channel.

The basic idea underlying prior work is to use fuzzy extrac-tors to derive a key from and that is unknown to

. For example, in “sample-and-extract” protocols [39], onepart of consists of a key for an oblivious sam-pler [2], [39]. This key specifies locations in the -bit string

(resp., ) which Alice (resp., Bob) will read to obtainan -bit substring (resp., ). The properties of the sam-pler ensure that 1) with high probability and are stillclose (say, within Hamming distance from each other); and 2)with high probability, still has some uncertainty (min-entropy

) about and . (Note that it is crucial thatdoes not know at the time is broadcast, so is unableto store information that is specifically correlated to .)Fuzzy extractors can then be used to derive from and ,with Alice running to obtain and sending thehelper string to Bob over the authenticated channel, and thenBob running to get [14], [17].

To remove the need for an authenticated channel, Alice andBob can use a robust fuzzy extractor instead. Because they arealready in the shared-key setting, they can use a keyed robustfuzzy extractor, storing its secret key as part of their long-term secret key (in addition to ). There is, how-ever, a subtle problem which already caused difficulties evenin the case of authenticated channels and nonrobust extractors[14], [17].

The problem arises due to the reuse of . As discussedin Sections II-D and II-E, can be reused safely, but only ifthe input to the fuzzy extractor has sufficient min-entropy (fromthe adversary’s point of view). In the current setting, however, apotential problem is that may use information gleaned from

in order to reduce the entropy of . Specifically, if iscorrelated with , then may reveal information about thesampler key that was used to sample . In other words,by observing , may learn something about the locations inthe large random string that were used to obtain . Whileit is too late for to observe those locations in (because ofthe bounded-storage assumption), may be able to observe thesame locations in the next string , thus reducing the min-entropy of , which will be obtained from those locations.

We can solve this problem by making sure that revealsnothing about . This is precisely what is guaranteed bykeyed robust fuzzy extractors with uniform helper strings, asconstructed in Theorem 12, since is distributed the sameway (up to a small statistical distance) regardless of what

is. (To use Theorem 12, we need to ensure that the inputto the extractor has sufficient min-entropy. This holds withoverwhelming probability, even conditioned on and theknowledge of , because is unlikely to have stored muchuseful information about the locations sampled by .)Thus, using extractors with uniform helper strings ensures that


the public value hides the entire ,and not just , and therefore allows for the reuse of .

Using such robust fuzzy extractors in place of nonrobustfuzzy extractors allows us to remove the need for authenticatedchannels in [17]; the security argument (omitted here) is similarto the one there. Now, Alice and Bob no longer need to trustthat their message goes unmodified: they will (with probability

) detect any modification to the helper string. The priceis that Alice and Bob have to additionally share a (short) ex-tractor-MAC key , compute the tag , andsend this (short) tag together with the rest of the information.Thus, we obtain a stateless protocol in the BSM without as-suming authenticated channels, which tolerates a linear fractionof Hamming errors, requires a long-term shared secret key ofsize , and requires Alice and Bobto read bits of the source, and to send a single messageof size per time period in order to extract bits that are-close to uniform. These parameters are optimal up to constant

factors.

APPENDIX

POSTAPPLICATION ROBUSTNESS OF THE BASIC CONSTRUCTION

We argue that the construction from Section III-A cannot ex-tract more than the stated number of bits if postapplication ro-bustness is desired.

For postapplication robustness, the concern is that can re-veal information to the adversary about for a cleverly chosen

. Here, we show an adversarial strategy that does exactly thisand succeeds in the postapplication robustness game with prob-ability . In our attack, we fix a particular (and somewhatunusual) representation of field elements. (Recall that the the-orem was claimed to work for any representation of field el-ements, so long as addition of field elements corresponds tothe exclusive-or of bit strings.) Typically, one viewsas for some irreducible polynomial of degree

, and represents elements as -valued vectors in thebasis . We will do the same, butreorder the basis elements so as to separate the even and oddpowers (as-suming, for concreteness, that is even). Letting denotethe field element corresponding to the polynomial , the prop-erty of this representation we use is that the bits of the left halfof any value with last bit 0 are equal to the right halfof the bits of .

Recall . Suppose the distribution on is such thatthe top bits of are 0 (the rest of the bits of are uniform).Given and , the adversary gets to see the topbits of . Therefore, the adversary knows bitsfrom the bottom half of as long as the last bit of is 0,which happens with probability . To use this knowledge, theadversary will simply ensure that the difference between and

is , by letting .In detail, the adversarial strategy is as follows: let ;

let consist of concatenated with the top bits of andrandom bits, and let .

The adversary wins whenever , which happens with

probability , because all but bitsof are correct as long as the last bit of is 0.

ACKNOWLEDGMENT

We thank Hoeteck Wee for his collaboration during the earlystages of this work, and Raef Bassily and anonymous refereesfor comments on the manuscript.

REFERENCES

[1] Y. Aumann, Y. Ding, and M. Rabin, “Everlasting security in thebounded storage model,” IEEE Trans. Inf. Theory, vol. 48, no. 6, pp.1668–1680, Jun. 2002.

[2] M. Bellare and J. Rompel, “Randomness-efficient oblivious sampling,”in Proc. 35th Annu. Symp. Found. Comput. Sci., 1994, pp. 276–287.

[3] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, “General-ized privacy amplification,” IEEE Trans. Inf. Theory, vol. 41, no. 6, pp.1915–1923, Nov. 1995.

[4] C. H. Bennett, G. Brassard, C. Crépeau, and M.-H. Skubiszewska,“Practical quantum oblivious transfer,” in Advances in Cryptology—Crypto ’91, volume 576 LNCS. New York: Springer-Verlag, 1992, pp.351–366.

[5] C. H. Bennett, G. Brassard, and J.-M. Robert, “Privacy amplificationby public discussion,” SIAM J. Comput., vol. 17, no. 2, pp. 210–229,1988.

[6] J. Bierbrauer, T. Johansson, G. Kabatianskii, and B. Smeets, “On fam-ilies of hash functions via geometric codes and concatenation,” in Ad-vances in Cryptology—Crypto ’93, volume 773 LNCS. New York:Springer-Verlag, 1994, pp. 331–342.

[7] N. J. Bouman and S. Fehr, “Secure authentication from a weak key,without leaking information,” in Advances in Cryptology—Eurocrypt2011, volume 6632 LNCS. New York: Springer-Verlag, 2011, pp.246–265.

[8] X. Boyen, “Reusable cryptographic fuzzy extractors,” in Proc. 11thACM Conf. Comput. Commun. Security, 2004, pp. 82–91.

[9] X. Boyen, Y. Dodis, J. Katz, R. Ostrovsky, and A. Smith, “Se-cure remote authentication using biometric data,” in Advances inCryptology—Eurocrypt 2005, volume 3494 LNCS. New York:Springer-Verlag, 2005, pp. 147–163.

[10] L. Carter and M. N. Wegman, “Universal classes of hash functions,” J.Comput. Syst. Sci., vol. 18, no. 2, pp. 143–154, 1979.

[11] N. Chandran, B. Kanukurthi, R. Ostrovsky, and L. Reyzin, “Privacyamplification with asymptotically optimal entropy loss,” in Proc. 42ndAnnu. ACM Symp. Theory Comput., 2010, pp. 785–794.

[12] R. Cramer, Y. Dodis, S. Fehr, C. Padró, and D. Wichs, “Detection ofalgebraic manipulation with applications to robust secret sharing andfuzzy extractors,” in Advances in Cryptology—Eurocrypt 2008, volume4965 LNCS. New York: Springer-Verlag, 2008, pp. 471–488.

[13] B. den Boer, “A simple and key-economical unconditional authentica-tion scheme,” J. Comput. Security, vol. 2, pp. 65–72, 1993.

[14] Y. Z. Ding, “Error correction in the bounded storage model,” in Proc.2nd Theory Cryptography Conf., 2005, pp. 578–599.

[15] Y. Dodis, J. Katz, L. Reyzin, and A. Smith, “Robust fuzzy extrac-tors and authenticated key agreement from close secrets,” in Advancesin Cryptology—Crypto, volume 4117 LNCS. New York: Springer-Verlag, 2006, pp. 232–250.

[16] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, “Fuzzy extractors:How to generate strong keys from biometrics and other noisy data,”SIAM J. Comput., vol. 38, no. 1, pp. 97–139, 2008.

[17] Y. Dodis and A. Smith, “Correcting errors without leaking partial in-formation,” in Proc. 37th Annu. ACM Symp. Theory Comput., 2005, pp.654–663.

[18] Y. Dodis and J. Spencer, “On the (non)universality of the one-timepad,” in Proc. 43rd Annu. Symp. Found. Comput. Sci., 2002, pp.376–387.

[19] Y. Dodis and D. Wichs, “Non-malleable extractors and symmetrickey cryptography from weak secrets,” in Proc. 41st Annu. ACM Symp.Theory Comput., 2009, pp. 601–610.

[20] N. Frykholm and A. Juels, “Error-tolerant password recovery,” in Proc.8th ACM Conf. Comput. Commun. Security, 2001, pp. 1–9.

[21] J. Haastad, R. Impagliazzo, L. A. Levin, and M. Luby, “A pseudo-random generator from any one-way function,” SIAM J. Comput., vol.28, no. 4, pp. 1364–1396, 1999.

[22] A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in Proc.6th ACM Conf. Comput. Commun. Security, 1999, pp. 28–36.


[23] B. Kanukurthi and L. Reyzin, “An improved robust fuzzy extractor,” inProc. 6th Int. Conf. Security Cryptography Netw., 2008, pp. 156–171.

[24] B. Kanukurthi and L. Reyzin, “Key agreement from close secrets overunsecured channels,” in Advances in Cryptology—Eurocrypt 2009,volume 5479 LNCS. New York: Springer-Verlag, 2009, pp. 206–223.

[25] F. MacWilliams and N. Sloane, The Theory of Error-CorrectingCodes. Amsterdam, The Netherlands: North Holland, 1977.

[26] U. Maurer, “Secret key agreement by public discussion from commoninformation,” IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733–742, May1993.

[27] U. Maurer and S. Wolf, “Secret-key agreement over unauthenticatedpublic channels II: Privacy amplification,” IEEE Trans. Inf. Theory, vol.49, no. 4, pp. 839–851, Apr. 2003.

[28] U. M. Maurer, “Conditionally-perfect secrecy and a provably-securerandomized cipher,” J. Cryptol., vol. 5, no. 1, pp. 53–66, 1992.

[29] U. M. Maurer, “Information-theoretically secure secret-key agreementby NOT authenticated public discussion,” in Advances in Cryp-tology—Eurocrypt, volume 1233 LNCS. New York: Springer-Verlag,1997, pp. 209–225.

[30] U. M. Maurer and S. Wolf, “Privacy amplification secure against ac-tive adversaries,” in Advances in Cryptology—Crypto, volume 1294LNCS. New York: Springer-Verlag, 1997, pp. 307–321.

[31] N. Nisan and D. Zuckerman, “Randomness is linear in space,” J.Comput. Syst. Sci., vol. 52, no. 1, pp. 43–53, 1996.

[32] J. Radhakrishnan and A. Ta-Shma, “Bounds for dispersers, extractors,and depth-two superconcentrators,” SIAM J. Discrete Math., vol. 13,no. 1, pp. 2–24, 2000.

[33] R. Renner and S. Wolf, “Unconditional authenticity and privacy froman arbitrarily weak secret,” in Advances in Cryptology— Crypto,volume 2729 LNCS. New York: Springer-Verlag, 2003, pp. 78–95.

[34] R. Renner and S. Wolf, “The exact price for unconditionally secureasymmetric cryptography,” in Advances in Cryptology—Eurocrypt,volume 3027 LNCS. New York: Springer-Verlag, 2004, pp. 109–125.

[35] A. Srinivasan and D. Zuckerman, “Computing with very weak randomsources,” SIAM J. Comput., vol. 28, no. 4, pp. 1433–1459, 1999.

[36] D. R. Stinson, “Universal hashing and authentication codes,” J. De-signs, Codes Cryptography, vol. 4, no. 4, pp. 369–380, 1994.

[37] D. R. Stinson, “Universal hash families and the leftover hash lemma,and applications to cryptography and computing,” J. Combinat. Math.Combinat. Comput., vol. 42, pp. 3–31, 2002.

[38] R. Taylor, “An integrity check value algorithm for stream ciphers,”in Advances in Cryptology—Crypto, volume 773 LNCS. New York:Springer-Verlag, 1994, pp. 40–48.

[39] S. P. Vadhan, “Constructing locally computable extractors and cryp-tosystems in the bounded-storage model,” J. Cryptol., vol. 17, no. 1,pp. 43–77, 2004.

[40] S. P. Vadhan, “Pseudorandomness,” in Foundations and Trends in The-oretical Computer Science. Hanover, MA: Now Publishers, unpub-lished.

[41] M. N. Wegman and L. Carter, “New hash functions and their use inauthentication and set equality,” J. Comput. Syst. Sci., vol. 22, no. 3,pp. 265–279, 1981.

[42] S. Wolf, “Strong security against active attacks in information-theoreticsecret-key agreement,” in Advances in Cryptology—Asiacrypt, volume1514 LNCS. New York: Springer-Verlag, 1998, pp. 405–419.

[43] A. Wyner, “The wire-tap channel,” Bell Syst. Tech. J., vol. 54, no. 8,pp. 1355–1387, 1975.

Yevgeniy Dodis, biography not available at the time of publication.

Bhavana Kanukurthi, biography not available at the time of publication.

Jonathan Katz, biography not available at the time of publication.

Leonid Reyzin, biography not available at the time of publication.

Adam Smith, biography not available at the time of publication.

Documents

Robust Fuzzy Extractors and Authenticated Key Agreement From Close Secrets