Computational Fuzzy Extractors

  • Benjamin Fuller
  • Xianrui Meng
  • Leonid Reyzin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8269)


Fuzzy extractors derive strong keys from noisy sources. Their security is defined information-theoretically, which limits the length of the derived key, sometimes making it too short to be useful. We ask whether it is possible to obtain longer keys by considering computational security, and show the following.

  • Negative Result: Noise tolerance in fuzzy extractors is usually achieved using an information reconciliation component called a “secure sketch.” The security of this component, which directly affects the length of the resulting key, is subject to lower bounds from coding theory. We show that, even when defined computationally, secure sketches are still subject to lower bounds from coding theory. Specifically, we consider two computational relaxations of the information-theoretic security requirement of secure sketches, using conditional HILL entropy and unpredictability entropy. For both cases we show that computational secure sketches cannot outperform the best information-theoretic secure sketches in the case of high-entropy Hamming metric sources.

  • Positive Result: We show that the negative result can be overcome by analyzing computational fuzzy extractors directly. Namely, we show how to build a computational fuzzy extractor whose output key length equals the entropy of the source (this is impossible in the information-theoretic setting). Our construction is based on the hardness of the Learning with Errors (LWE) problem, and is secure when the noisy source is uniform or symbol-fixing (that is, each dimension is either uniform or fixed). As part of the security proof, we show a result of independent interest, namely that the decision version of LWE is secure even when a small number of dimensions has no error.


Fuzzy extractors secure sketches key derivation Learning with Errors error-correcting codes computational entropy randomness extractors 


  1. 1.
    Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009), CrossRefGoogle Scholar
  2. 2.
    Applebaum, B., Ishai, Y., Kushilevitz, E.: On pseudorandom generators with linear stretch in NC 0. Approximation, Randomization, and Combinatorial Optimization. Algorithms and Techniques, pp. 260–271 (2006)Google Scholar
  3. 3.
    Barak, B., Dodis, Y., Krawczyk, H., Pereira, O., Pietrzak, K., Standaert, F.-X., Yu, Y.: Leftover hash lemma, revisited. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 1–20. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Barak, B., Shaltiel, R., Wigderson, A.: Computational analogues of entropy. In: 11th International Conference on Random Structures and Algorithms, pp. 200–215 (2003)Google Scholar
  5. 5.
    Bennett, C.H., Brassard, G., Robert, J.M.: Privacy amplification by public discussion. SIAM Journal on Computing 17(2), 210–229 (1988)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Transactions on Information Theory 24(3), 384–386 (1978)CrossRefzbMATHGoogle Scholar
  7. 7.
    Boyen, X., Dodis, Y., Katz, J., Ostrovsky, R., Smith, A.: Secure remote authentication using biometric data. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 147–163. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of the 45th Annual ACM Symposium on Symposium on Theory of Computing, pp. 575–584. ACM (2013)Google Scholar
  9. 9.
    Brostoff, S., Sasse, M.: Are passfaces more usable than passwords?: A field trial investigation. People and Computers, 405–424 (2000)Google Scholar
  10. 10.
    Castelluccia, C., Mutaf, P.: Shake them up!: A movement-based pairing protocol for CPU-constrained devices. In: Proceedings of the 3rd International Conference on Mobile Systems, Applications, and Services, pp. 51–64. ACM (2005)Google Scholar
  11. 11.
    Chandran, N., Kanukurthi, B., Ostrovsky, R., Reyzin, L.: Privacy amplification with asymptotically optimal entropy loss. In: Proceedings of the 42nd ACM Symposium on Theory of Computing, pp. 785–794. ACM, New York (2010), Google Scholar
  12. 12.
    Cover, T.M., Thomas, J.A.: Elements of information theory, 2nd edn. Wiley Interscience (2006)Google Scholar
  13. 13.
    Dachman-Soled, D., Gennaro, R., Krawczyk, H., Malkin, T.: Computational extractors and pseudorandomness. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 383–403. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  14. 14.
    Daugman, J.: How iris recognition works. IEEE Transactions on Circuits and Systems for Video Technology 14(1), 21–30 (2004)CrossRefGoogle Scholar
  15. 15.
    Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing 38(1), 97–139 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    Dodis, Y., Wichs, D.: Non-malleable extractors and symmetric key cryptography from weak secrets. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, pp. 601–610. ACM, New York (2009), CrossRefGoogle Scholar
  17. 17.
    Döttling, N., Müller-Quade, J.: Lossy codes and a new variant of the learning-with-errors problem. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 18–34. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  18. 18.
    Fuller, B., Meng, X., Reyzin, L.: Computational fuzzy extractors. Cryptology ePrint Archive (2013),
  19. 19.
    Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC, pp. 99–108. ACM, New York (2011)Google Scholar
  20. 20.
    Guruswami, V.: Introduction to coding theory - lecture 2: Gilbert-Varshamov bound. University Lecture (2010)Google Scholar
  21. 21.
    Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM Journal on Computing 28(4), 1364–1396 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Hsiao, C.-Y., Lu, C.-J., Reyzin, L.: Conditional computational entropy, or toward separating pseudoentropy from compressibility. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 169–186. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  23. 23.
    Juels, A., Wattenberg, M.: A fuzzy commitment scheme. In: Sixth ACM Conference on Computer and Communication Security, pp. 28–36. ACM (November 1999)Google Scholar
  24. 24.
    Kamp, J., Zuckerman, D.: Deterministic extractors for bit-fixing sources and exposure-resilient cryptography. SIAM Journal on Computing 36(5), 1231–1247 (2007)MathSciNetCrossRefGoogle Scholar
  25. 25.
    Kanukurthi, B., Reyzin, L.: Key agreement from close secrets over unsecured channels. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 206–223. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  26. 26.
    Krawczyk, H.: Cryptographic extraction and key derivation: The HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  27. 27.
    Micciancio, D., Peikert, C.: Hardness of SIS and LWE with Small Parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  28. 28.
    Nisan, N., Zuckerman, D.: Randomness is linear in space. Journal of Computer and System Sciences, 43–52 (1993)Google Scholar
  29. 29.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, pp. 333–342. ACM, New York (2009), CrossRefGoogle Scholar
  30. 30.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, pp. 84–93. ACM, New York (2005), Google Scholar
  31. 31.
    Regev, O.: The learning with errors problem (invited survey). In: Annual IEEE Conference on Computational Complexity, pp. 191–204 (2010)Google Scholar
  32. 32.
    Reyzin, L.: Some notions of entropy for cryptography. In: Fehr, S. (ed.) ICITS 2011. LNCS, vol. 6673, pp. 138–142. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  33. 33.
    Shannon, C.E., Weaver, W., Blahut, R.E., Hajek, B.: The mathematical theory of communication, vol. 117. University of Illinois press Urbana (1949)Google Scholar
  34. 34.
    Suh, G.E., Devadas, S.: Physical unclonable functions for device authentication and secret key generation. In: Proceedings of the 44th Annual Design Automation Conference, pp. 9–14. ACM (2007)Google Scholar
  35. 35.
    Tuyls, P., Schrijen, G.-J., Škorić, B., van Geloven, J., Verhaegh, N., Wolters, R.: Read-proof hardware from protective coatings. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 369–383. Springer, Heidelberg (2006), CrossRefGoogle Scholar
  36. 36.
    Vadhan, S.: Pseudorandomness. Foundations and Trends in Theoretical Computer Science. Now Publishers (2012)Google Scholar
  37. 37.
    Zviran, M., Haga, W.J.: A comparison of password techniques for multilevel authentication mechanisms. The Computer Journal 36(3), 227–237 (1993)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Benjamin Fuller
    • 1
    • 2
  • Xianrui Meng
    • 1
    • 2
  • Leonid Reyzin
    • 1
    • 2
  1. 1.Boston UniversityUSA
  2. 2.MIT Lincoln LaboratoryUSA

Personalised recommendations