# When Are Fuzzy Extractors Possible?

## Abstract

Fuzzy extractors (Dodis et al., Eurocrypt 2004) convert repeated noisy readings of a high-entropy secret into the same uniformly distributed key. A minimum condition for the security of the key is the hardness of guessing a value that is similar to the secret, because the fuzzy extractor converts such a guess to the key.

We define *fuzzy min-entropy* to quantify this property of a noisy source of secrets. Fuzzy min-entropy measures the success of the adversary when provided with *only* the functionality of the fuzzy extractor, that is, the *ideal* security possible from a noisy distribution. High fuzzy min-entropy is necessary for the existence of a fuzzy extractor.

We ask: *is high fuzzy min-entropy a sufficient condition for key extraction from noisy sources?* If only computational security is required, recent progress on program obfuscation gives evidence that fuzzy min-entropy is indeed sufficient. In contrast, information-theoretic fuzzy extractors are not known for many practically relevant sources of high fuzzy min-entropy.

In this paper, we show that fuzzy min-entropy is *sufficient* for information theoretically secure fuzzy extraction. For every source distribution *W* for which security is possible we give a secure fuzzy extractor.

Our construction relies on the fuzzy extractor knowing the precise distribution of the source *W*. A more ambitious goal is to design a single extractor that works for all possible sources. Our second main result is that this more ambitious goal is impossible: we give a family of sources with high fuzzy min-entropy for which no single fuzzy extractor is secure. We show three flavors of this impossibility result: for standard fuzzy extractors, for fuzzy extractors that are allowed to sometimes be wrong, and for secure sketches, which are the main ingredient of most fuzzy extractor constructions.

## Keywords

Fuzzy extractors Secure sketches Information theory Biometric authentication Error-tolerance Key derivation Error-correcting codes## Notes

### Acknowledgements

The authors are grateful to Gene Itkis and Yevgeniy Dodis for helpful discussions and to Thomas Holenstein for clarifying the results of [24, 25]. The work of Benjamin Fuller was done while at MIT Lincoln Laboratory and Boston University and is sponsored in part by US NSF grants 1012910 and 1012798 and the United States Air Force under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the authors and are not necessarily endorsed by the United States Government. Leonid Reyzin is supported in part by US NSF grants 0831281, 1012910, 1012798, and 1422965, and The Institute of Science and Technology, Austria, where part of this work was performed. Adam Smith’s work was supported in part by NSF awards 0747294, 0941553 and 1447700 and was performed partly while at Boston University’s Hariri Institute for Computing and RISCS Center, and the Harvard Center for Research on Computation & Society.

## Supplementary material

## References

- 1.Ahlswede, R., Csiszár, I.: Common randomness in information theory and cryptography - I: secret sharing. IEEE Trans. Inf. Theory
**39**(4), 1121–1132 (1993)MathSciNetCrossRefMATHGoogle Scholar - 2.Ash, R.: Information Theory. Intersciene Publishers, New York (1965)MATHGoogle Scholar
- 3.Barak, B., Canetti, R., Lindell, Y., Pass, R., Rabin, T.: Secure computation without authentication. J. Cryptology
**24**(4), 720–760 (2011)MathSciNetCrossRefMATHGoogle Scholar - 4.Bennett, C.H., Brassard, G., Robert, J.M.: Privacy amplification by public discussion. SIAM J. Comput.
**17**(2), 210–229 (1988)MathSciNetCrossRefMATHGoogle Scholar - 5.Bitansky, N., Canetti, R., Kalai, Y.T., Paneth, O.: On virtual grey box obfuscation for general circuits. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 108–125. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44381-1_7 CrossRefGoogle Scholar
- 6.Blanton, M., Hudelson, W.M.P.: Biometric-based non-transferable anonymous credentials. In: Qing, S., Mitchell, C.J., Wang, G. (eds.) ICICS 2009. LNCS, vol. 5927, pp. 165–180. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-11145-7_14 CrossRefGoogle Scholar
- 7.Boyen, X., Dodis, Y., Katz, J., Ostrovsky, R., Smith, A.: Secure remote authentication using biometric data. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 147–163. Springer, Heidelberg (2005). doi: 10.1007/11426639_9 CrossRefGoogle Scholar
- 8.Brostoff, S., Sasse, M.: Are passfaces more usable than passwords?: a field trial investigation. In: McDonald, S., Waern, Y., Cockton, G. (eds.) People and Computers, pp. 405–424. Springer, London (2000)Google Scholar
- 9.Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci.
**18**(2), 143–154 (1979)MathSciNetCrossRefMATHGoogle Scholar - 10.Csiszár, I., Körner, J.: Broadcast channels with confidential messages. IEEE Trans. Inf. Theory
**24**(3), 339–348 (1978)MathSciNetCrossRefMATHGoogle Scholar - 11.Daugman, J.: Probing the uniqueness and randomness of iriscodes: results from 200 billion iris pair comparisons. Proc. IEEE
**94**(11), 1927–1935 (2006)CrossRefGoogle Scholar - 12.Daugman, J.: How iris recognition works. IEEE Trans. Circ. Syst. Video Technol.
**14**(1), 21–30 (2004)CrossRefGoogle Scholar - 13.Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput.
**38**(1), 97–139 (2008)MathSciNetCrossRefMATHGoogle Scholar - 14.Ellison, C., Hall, C., Milbert, R., Schneier, B.: Protecting secret keys with personal entropy. Future Gener. Comput. Syst.
**16**(4), 311–318 (2000)CrossRefGoogle Scholar - 15.Fano, R.: Transmission of Information: A Statistical Theory of Communications. MIT Press Classics, M.I.T. Press, New York (1961)MATHGoogle Scholar
- 16.Frankl, P., Füredi, Z.: A short proof for a theorem of Harper about Hamming-spheres. Discrete Math.
**34**(3), 311–313 (1981)MathSciNetCrossRefMATHGoogle Scholar - 17.Fuller, B., Meng, X., Reyzin, L.: Computational fuzzy extractors. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 174–193. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-42033-7_10 CrossRefGoogle Scholar
- 18.Fuller, B., Smith, A., Reyzin, L.: When are fuzzy extractors possible? IACR Cryptology ePrint Archive 2014, 961 (2014)Google Scholar
- 19.Gassend, B., Clarke, D., Van Dijk, M., Devadas, S.: Silicon physical random functions. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 148–160. ACM (2002)Google Scholar
- 20.Hao, F., Anderson, R., Daugman, J.: Combining crypto with biometrics effectively. IEEE Trans. Comput.
**55**(9), 1081–1088 (2006)CrossRefGoogle Scholar - 21.Harper, L.H.: Optimal numberings and isoperimetric problems on graphs. J. Comb. Theory
**1**(3), 385–393 (1966)MathSciNetCrossRefMATHGoogle Scholar - 22.Hayashi, M., Tyagi, H., Watanabe, S.: Secret key agreement: general capacity and second-order asymptotics. In: 2014 IEEE International Symposium on Information Theory, pp. 1136–1140. IEEE (2014)Google Scholar
- 23.Hoeffding, W.: Probability inequalities for sums of bounded random variables. J. Am. Stat. Assoc.
**58**(301), 13–30 (1963)MathSciNetCrossRefMATHGoogle Scholar - 24.Holenstein, T.: Strengthening key agreement using hard-core sets. Ph.D. thesis, ETH Zurich (May 2006), reprint as vol. 7 of ETH Series in Information Security and Cryptography, ISBN 3-86626-088-2, Hartung-Gorre Verlag, Konstanz (2006)Google Scholar
- 25.Holenstein, T., Renner, R.: One-way secret-key agreement and applications to circuit polarization and immunization of public-key encryption. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 478–493. Springer, Heidelberg (2005). doi: 10.1007/11535218_29 CrossRefGoogle Scholar
- 26.Ignatenko, T., Willems, F.M.: Biometric security from an information-theoretical perspective. Found. Trends Commun. Inf. Theory
**7**(2–3), 135–316 (2012)MATHGoogle Scholar - 27.Juels, A., Wattenberg, M.: A fuzzy commitment scheme. In: Sixth ACM Conference on Computer and Communication Security, pp. 28–36. ACM, November 1999Google Scholar
- 28.Linnartz, J.-P., Tuyls, P.: New shielding functions to enhance privacy and prevent misuse of biometric templates. In: Kittler, J., Nixon, M.S. (eds.) AVBPA 2003. LNCS, vol. 2688, pp. 393–402. Springer, Heidelberg (2003). doi: 10.1007/3-540-44887-X_47 CrossRefGoogle Scholar
- 29.Maurer, U.M.: Secret key agreement by public discussion from common information. IEEE Trans. Inf. Theory
**39**(3), 733–742 (1993)MathSciNetCrossRefMATHGoogle Scholar - 30.Mayrhofer, R., Gellersen, H.: Shake well before use: intuitive and secure pairing of mobile devices. IEEE Trans. Mob. Comput.
**8**(6), 792–806 (2009)CrossRefGoogle Scholar - 31.Monrose, F., Reiter, M.K., Wetzel, S.: Password hardening based on keystroke dynamics. Int. J. Inf. Secur.
**1**(2), 69–83 (2002)CrossRefMATHGoogle Scholar - 32.Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci.
**52**(1), 43–52 (1996)MathSciNetCrossRefMATHGoogle Scholar - 33.Pappu, R., Recht, B., Taylor, J., Gershenfeld, N.: Physical one-way functions. Science
**297**(5589), 2026–2030 (2002)CrossRefGoogle Scholar - 34.Renner, R., Wolf, S.: The exact price for unconditionally secure asymmetric cryptography. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 109–125. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-24676-3_7 CrossRefGoogle Scholar
- 35.Renner, R., Wolf, S.: Simple and tight bounds for information reconciliation and privacy amplification. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 199–216. Springer, Heidelberg (2005). doi: 10.1007/11593447_11 CrossRefGoogle Scholar
- 36.Skoric, B., Tuyls, P.: An efficient fuzzy extractor for limited noise. Cryptology ePrint Archive, Report 2009/030 (2009)Google Scholar
- 37.Suh, G.E., Devadas, S.: Physical unclonable functions for device authentication and secret key generation. In: Proceedings of the 44th Annual Design Automation Conference, pp. 9–14. ACM (2007)Google Scholar
- 38.Tuyls, P., Goseling, J.: Capacity and examples of template-protecting biometric authentication systems. In: Maltoni, D., Jain, A.K. (eds.) BioAW 2004. LNCS, vol. 3087, pp. 158–170. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-25976-3_15 CrossRefGoogle Scholar
- 39.Tuyls, P., Schrijen, G.-J., van Škorić, B., Geloven, J., Verhaegh, N., Wolters, R.: Read-proof hardware from protective coatings. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 369–383. Springer, Heidelberg (2006). doi: 10.1007/11894063_29 CrossRefGoogle Scholar
- 40.Tyagi, H., Watanabe, S.: Converses for secret key agreement and secure computing. IEEE Trans. Inf. Theo.
**61**(9) (2015)Google Scholar - 41.Wang, Y., Rane, S., Draper, S.C., Ishwar, P.: A theoretical analysis of authentication, privacy and reusability across secure biometric systems. IEEE Trans. Inf. Forensics Secur.
**6**(6), 1825–1840 (2012)CrossRefGoogle Scholar - 42.Wyner, A.D.: The wire-tap channel. Bell Syst. Tech. J.
**54**(8), 1355–1387 (1975)MathSciNetCrossRefMATHGoogle Scholar - 43.Zviran, M., Haga, W.J.: A comparison of password techniques for multilevel authentication mechanisms. Comput. J.
**36**(3), 227–237 (1993)CrossRefGoogle Scholar