Robust Fuzzy Extractors and Authenticated Key Agreement from Close Secrets

  • Yevgeniy Dodis
  • Jonathan Katz
  • Leonid Reyzin
  • Adam Smith
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4117)


Consider two parties holding correlated random variables W and W′, respectively, that are within distance t of each other in some metric space. These parties wish to agree on a uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W′_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded storage model with errors.

Our results improve upon previous work in several respects:

– The best previous solution for the keyless case with no errors (i.e., t=0) requires the min-entropy of W to exceed 2|W|/3. We show a solution when the min-entropy of W exceeds the minimal threshold |W|/2.

– Previous solutions for the keyless case in the presence of errors (i.e., t>0) required random oracles. We give the first constructions (for certain metrics) in the standard model.

– Previous solutions for the keyed case were stateful. We give the first stateless solution.
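The Gen/Rep model from the abstract, as an added illustration that is not the paper's construction: a plain (non-robust) code-offset fuzzy extractor over the Hamming metric, built from a repetition code and a GF(2) linear universal hash (all names and parameters are assumptions). It shows that Rep accepts whatever single message arrives, so an active adversary who rewrites the helper string can force the recipient's key without detection, which is the gap the robust notion closes.

```python
import secrets
# Added illustration, not the paper's robust construction: a plain code-offset
# fuzzy extractor over the Hamming metric, to show the Gen/Rep interface and
# why an active adversary on the single message makes robustness necessary.
BLOCK = 3          # repetition code of length 3: corrects t = 1 error per block
K = 5              # number of code blocks, so |W| = N = 15 bits
N = BLOCK * K
ELL = 4            # length of the extracted key R in bits

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _decode(v):
    """Majority-decode v to the nearest repetition codeword."""
    c = []
    for i in range(K):
        blk = v[i * BLOCK:(i + 1) * BLOCK]
        c.extend([1 if sum(blk) > BLOCK // 2 else 0] * BLOCK)
    return c

def _hash(matrix, w):
    """Linear universal hash over GF(2): each key bit is a parity of w."""
    return [sum(m & x for m, x in zip(row, w)) & 1 for row in matrix]

def gen(w):
    """Gen(W) -> (R, P) with P = (sketch, matrix) sent in the single message."""
    bits = [secrets.randbits(1) for _ in range(K)]
    c = [b for b in bits for _ in range(BLOCK)]       # random codeword
    sketch = _xor(w, c)                               # code-offset sketch
    matrix = [[secrets.randbits(1) for _ in range(N)] for _ in range(ELL)]
    return _hash(matrix, w), (sketch, matrix)

def rep(w_prime, p):
    """Rep(W', P): recover W when dist(W, W') <= 1 per block, then rehash."""
    sketch, matrix = p
    c = _decode(_xor(w_prime, sketch))   # equals c xor (W xor W'); decode
    return _hash(matrix, _xor(sketch, c))

def tamper(p):
    """An active adversary replaces the hash matrix with zeros in transit.
    A non-robust Rep still 'succeeds' and outputs a key the adversary knows."""
    sketch, matrix = p
    return sketch, [[0] * N for _ in matrix]

def demo():
    w = [secrets.randbits(1) for _ in range(N)]
    w_prime = list(w)
    w_prime[4] ^= 1                                   # W' within distance 1
    r, p = gen(w)
    return rep(w_prime, p) == r, rep(w_prime, tamper(p)) == [0] * ELL
```

The first value returned by demo() confirms correctness for close secrets; the second shows the undetected key forcing that a robust extractor must reject.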





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Yevgeniy Dodis, New York University
  • Jonathan Katz, University of Maryland
  • Leonid Reyzin, Boston University
  • Adam Smith, Weizmann Institute of Science
