Results 1  10
of
67
Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. Technical Report 2003/235, Cryptology ePrint archive, http://eprint.iacr.org, 2006. Previous version appeared at EUROCRYPT 2004
 34 [DRS07] [DS05] [EHMS00] [FJ01] Yevgeniy Dodis, Leonid Reyzin, and Adam
, 2004
"... We provide formal definitions and efficient secure techniques for • turning noisy information into keys usable for any cryptographic application, and, in particular, • reliably and securely authenticating biometric data. Our techniques apply not just to biometric information, but to any keying mater ..."
Abstract

Cited by 532 (38 self)
 Add to MetaCart
We provide formal definitions and efficient secure techniques for • turning noisy information into keys usable for any cryptographic application, and, in particular, • reliably and securely authenticating biometric data. Our techniques apply not just to biometric information, but to any keying material that, unlike traditional cryptographic keys, is (1) not reproducible precisely and (2) not distributed uniformly. We propose two primitives: a fuzzy extractor reliably extracts nearly uniform randomness R from its input; the extraction is errortolerant in the sense that R will be the same even if the input changes, as long as it remains reasonably close to the original. Thus, R can be used as a key in a cryptographic application. A secure sketch produces public information about its input w that does not reveal w, and yet allows exact recovery of w given another value that is close to w. Thus, it can be used to reliably reproduce errorprone biometric inputs without incurring the security risk inherent in storing them. We define the primitives to be both formally secure and versatile, generalizing much prior work. In addition, we provide nearly optimal constructions of both primitives for various measures of “closeness” of input data, such as Hamming distance, edit distance, and set difference.
A Fuzzy Commitment Scheme
 ACM CCS'99
, 1999
"... We combine wellknown techniques from the areas of errorcorrecting codes and cryptography to achieve a new type of cryptographic primitive that we refer to as a fuzzy commitment scheme. Like a conventional cryptographic commitment scheme, our fuzzy commitment scheme is both concealing and binding: i ..."
Abstract

Cited by 327 (1 self)
 Add to MetaCart
(Show Context)
We combine wellknown techniques from the areas of errorcorrecting codes and cryptography to achieve a new type of cryptographic primitive that we refer to as a fuzzy commitment scheme. Like a conventional cryptographic commitment scheme, our fuzzy commitment scheme is both concealing and binding: it is infeasible for an attacker to learn the committed value, and also for the committer to decommit a value in more than one way. In a conventional scheme, a commitment must be opened using a unique witness, which acts, essentially, as a decryption key. By contrast, our scheme is fuzzy in the sense that it accepts a witness that is close to the original encrypting witness in a suitable metric, but not necessarily identical. This characteristic of our fuzzy commitment scheme makes it useful for applications such as biometric authentication systems, in which data is subject to random noise. Because the scheme is tolerant of error, it is capable of protecting biometric data just as conventional cryptographic techniques, like hash functions, are used to protect alphanumeric passwords. This addresses a major outstanding problem in the theory of biometric authentication. We prove the security characteristics of our fuzzy commitment scheme relative to the properties of an underlying cryptographic hash function.
Reusable cryptographic fuzzy extractors
 ACM CCS 2004, ACM
, 2004
"... We show that a number of recent definitions and constructions of fuzzy extractors are not adequate for multiple uses of the same fuzzy secret—a major shortcoming in the case of biometric applications. We propose two particularly stringent security models that specifically address the case of fuzzy s ..."
Abstract

Cited by 95 (2 self)
 Add to MetaCart
We show that a number of recent definitions and constructions of fuzzy extractors are not adequate for multiple uses of the same fuzzy secret—a major shortcoming in the case of biometric applications. We propose two particularly stringent security models that specifically address the case of fuzzy secret reuse, respectively from an outsider and an insider perspective, in what we call a chosen perturbation attack. We characterize the conditions that fuzzy extractors need to satisfy to be secure, and present generic constructions from ordinary building blocks. As an illustration, we demonstrate how to use a biometric secret in a remote error tolerant authentication protocol that does not require any storage on the client’s side. 1
Robust fuzzy extractors and authenticated key agreement from close secrets
 In Advances in Cryptology — Crypto 2006, volume 4117 of LNCS
, 2006
"... Consider two parties holding samples from correlated distributions W and W ′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a closetouniformly distributed secret key R by sending a single message over an insecure channel co ..."
Abstract

Cited by 71 (20 self)
 Add to MetaCart
Consider two parties holding samples from correlated distributions W and W ′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a closetouniformly distributed secret key R by sending a single message over an insecure channel controlled by an allpowerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a longterm secret SKBSM that they can use to generate a sequence of session keys {Rj} using multiple pairs {(Wj, W ′ j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the boundedstorage model with errors. We show solutions that improve upon previous work in several respects: • The best prior solution for the keyless case with no errors (i.e., t = 0) requires the minentropy of W to exceed 2n/3, where n is the bitlength of W. Our solution applies whenever the minentropy of W exceeds the minimal threshold n/2, and yields a longer key. • Previous solutions for the keyless case in the presence of errors (i.e., t> 0) required random oracles. We give the first constructions (for certain metrics) in the standard model. • Previous solutions for the keyed case were stateful. We give the first stateless solution. 1
Unconditionally Secure Key Agreement and the Intrinsic Conditional Information
, 1999
"... This paper is concerned with secretkey agreement by public discussion. Assume that two parties Alice and Bob and an adversary Eve have access to independent realizations of random variables X , Y , and Z, respectively, with joint distribution PXY Z . The secret key rate S(X ; Y jjZ) has been define ..."
Abstract

Cited by 61 (7 self)
 Add to MetaCart
This paper is concerned with secretkey agreement by public discussion. Assume that two parties Alice and Bob and an adversary Eve have access to independent realizations of random variables X , Y , and Z, respectively, with joint distribution PXY Z . The secret key rate S(X ; Y jjZ) has been defined as the maximal rate at which Alice and Bob can generate a secret key by communication over an insecure, but authenticated channel such that Eve's information about this key is arbitrarily small. We define a new conditional mutual information measure, the intrinsic conditional mutual information between X and Y when given Z, denoted by I(X ; Y # Z), which is an upper bound on S(X ; Y jjZ). The special scenarios are analyzed where X , Y , and Z are generated by sending a binary random variable R, for example a signal broadcast by a satellite, over independent channels, or two scenarios in which Z is generated by sending X and Y over erasure channels. In the first two scenarios it can be sho...
Oblivious Transfer with a MemoryBounded Receiver
, 1998
"... We propose a protocol for oblivious transfer that is unconditionally secure under the sole assumption that the memory size of the receiver is bounded. The model assumes that a random bit string slightly larger than the receiver's memory is broadcast (either by the sender or by a third party). I ..."
Abstract

Cited by 54 (2 self)
 Add to MetaCart
(Show Context)
We propose a protocol for oblivious transfer that is unconditionally secure under the sole assumption that the memory size of the receiver is bounded. The model assumes that a random bit string slightly larger than the receiver's memory is broadcast (either by the sender or by a third party). In our construction, both parties need memory of size in (n 2 2 ) for some < 1 2 , when a random string of size N = n 2 is broadcast, for > > 0, whereas a malicious receiver can have up to N bits of memory for any < 1. In the course of our analysis, we provide a direct study of an interactive hashing protocol closely related to that of Naor et al. [27]. 1. Introduction Oblivious transfer is an important primitive in modern cryptography. It was introduced to cryptography in several variations by Rabin and Even et al. [29, 20] and had been studied already by Wiesner [31] (under the name of "multiplexing "), in a paper that marked the birth of quantum cryptography. Oblivious t...
Unconditional Security Against MemoryBounded Adversaries
 In Advances in Cryptology – CRYPTO ’97, Lecture Notes in Computer Science
, 1997
"... We propose a privatekey cryptosystem and a protocol for key agreement by public discussion that are unconditionally secure based on the sole assumption that an adversary's memory capacity is limited. No assumption about her computing power is made. The scenario assumes that a random bit string ..."
Abstract

Cited by 52 (4 self)
 Add to MetaCart
(Show Context)
We propose a privatekey cryptosystem and a protocol for key agreement by public discussion that are unconditionally secure based on the sole assumption that an adversary's memory capacity is limited. No assumption about her computing power is made. The scenario assumes that a random bit string of length slightly larger than the adversary's memory capacity can be received by all parties. The random bit string can for instance be broadcast by a satellite or over an optical network, or transmitted over an insecure channel between the communicating parties. The proposed schemes require very high bandwidth but can nevertheless be practical. 1 Introduction One of the most important properties of a cryptographic system is a proof of its security under reasonable and general assumptions. However, every design involves a tradeoff between the strength of the security and further important qualities of a cryptosystem, such as efficiency and practicality. The security of all currently used cryp...
Unconditionally Secure Commitment and Oblivious Transfer Schemes Using Private Channels and a Trusted Initializer
, 1999
"... We present a new and very simple commitment scheme that does not depend on any assumptions about computational complexity; the Sender and Receiver may both be computationally unbounded. Instead, the scheme utilizes a "trusted initializer " who participates only in an initial setup ..."
Abstract

Cited by 42 (0 self)
 Add to MetaCart
(Show Context)
We present a new and very simple commitment scheme that does not depend on any assumptions about computational complexity; the Sender and Receiver may both be computationally unbounded. Instead, the scheme utilizes a &quot;trusted initializer &quot; who participates only in an initial setup phase. The scheme also utilizes private channels between each pair of parties. The Sender is able to easily commit to a large value; the scheme is not just a &quot;bitcommitment &quot; scheme. We also observe that 1outofn oblivious transfer is easily handled in the same model, using a simple OT protocol due to Bennett et al.[2].
Cryptography In the Bounded QuantumStorage Model
 IN 46TH ANNUAL IEEE SYMPOSIUM ON FOUNDATIONS OF COMPUTER SCIENCE (FOCS
, 2005
"... We initiate the study of twoparty cryptographic primitives with unconditional security, assuming that the adversary’s quantum memory is of bounded size. We show that oblivious transfer and bit commitment can be implemented in this model using protocols where honest parties need no quantum memory, w ..."
Abstract

Cited by 36 (8 self)
 Add to MetaCart
(Show Context)
We initiate the study of twoparty cryptographic primitives with unconditional security, assuming that the adversary’s quantum memory is of bounded size. We show that oblivious transfer and bit commitment can be implemented in this model using protocols where honest parties need no quantum memory, whereas an adversarial player needs quantum memory of size at least n/2 in order to break the protocol, where n is the number of qubits transmitted. This is in sharp contrast to the classical boundedmemory model, where we can only tolerate adversaries with memory of size quadratic in honest players’ memory size. Our protocols are efficient, noninteractive and can be implemented using today’s technology. On the technical side, a new entropic uncertainty relation involving minentropy is established.
On the foundations of oblivious transfer
, 1998
"... cachinlacm.org Abstract. We show that oblivious transfer can be based on a very general notion of asymmetric information difference. We investigate a Universal Oblivious Ransfer, denoted UOT(X, Y), that gives Bob the freedom to access Alice’s input X in an arbitrary way as long as he does not obtai ..."
Abstract

Cited by 29 (0 self)
 Add to MetaCart
cachinlacm.org Abstract. We show that oblivious transfer can be based on a very general notion of asymmetric information difference. We investigate a Universal Oblivious Ransfer, denoted UOT(X, Y), that gives Bob the freedom to access Alice’s input X in an arbitrary way as long as he does not obtain full information about X. Alice does not learn which information Bob has chosen. We show that oblivious transfer can be reduced to a single execution of UOT(X, Y) with Bob’s knowledge Y restricted in terms of RCnyi entropy of order a> 1. For independently repeated UOT the reduction works even if only Bob’s Shannon information is restricted, i.e. if H(XIY)> 0 in every UOT(X, Y). Our protocol requires that honest Bob obtains at least half of Alice’s information X without error.