[Network Security Think Tank] Fuzzy Extractor and Its Application
Original Title: [Network Security Think Tank] Fuzzy Extractor and Its Application

This paper introduces the definition, applications and limitations of the fuzzy extractor. The limitations of the fuzzy extractor are that it can only extract from the entropic information source once, and that if the public information is tampered with, a wrong key will be generated. Therefore this paper introduces the reusable robust fuzzy extractor, gives its definition and construction, and points out its potential application scenarios.

Introduction

Uniformly distributed random variables are widely used in cryptography. For example, the most important element in a cryptosystem is the key, and the security of a cryptosystem depends on the uniform randomness of the key. In addition, for public key encryption or digital signature schemes, the encryption algorithm or signature algorithm also requires random numbers to ensure the CPA security or unforgeability of the scheme.

An important question is how to generate uniformly distributed random bits. A source that generates random bits with a certain entropy is called a randomness source. If the string generated by the "random source" is not only "uniformly distributed" in the key space but also "accurately reproducible", the random source can be used to generate the encryption and decryption keys for the cryptographic algorithm. However, in real life there are almost no random sources that are both uniformly random and accurately reproducible. In reality there are many random sources with noise: they have high min-entropy, but are not uniformly random, and each sampling result is similar to the others but with small deviations (noise). For example:

- human biometric information such as fingerprints, voiceprints, irises, etc.;
- noise of electronic components (unclonable functions);
- quantum information.

Can we cryptographically transform these noisy random sources into good random sources that produce random bits that are "uniformly distributed" and "exactly reproducible"? If so, these random sources can be used by us and provide an endless stream of reproducible random numbers for the cryptosystem.

Fuzzy extractor

In the past two decades, many cryptographers have devoted themselves to the study of how to use cryptographic techniques to make noisy random sources generate uniformly random and accurately reproducible strings.

Definition of Fuzzy Extractor

In 2004, Dodis et al. proposed the concept of the fuzzy extractor to solve this problem. The fuzzy extractor FE = (Gen, Rep) has two algorithms, the generation algorithm and the regeneration algorithm, described as follows (see Figure 1):

- Gen(w) → (P, R): the generation algorithm Gen takes as input a string w (one sample of a noisy random source) and outputs a string R and a public helper string P;
- Rep(w', P) → R': the regeneration algorithm takes as input w' (another sample of the noisy random source) and the public helper string P, and outputs a string R'.

Correctness: if the distance between the two samples w and w' is close enough, then R' = R, that is, R can be reproduced accurately.

Security: if the random source has enough entropy, then R is uniformly random.

The fuzzy extractor construction proposed by Dodis et al. depends on two components, namely an (ordinary, not fuzzy) extractor and a secure sketch. The extractor [13] converts non-uniform strings into uniform strings and can be implemented using universal hash functions, while the secure sketch is dedicated to error correction and can be implemented using linear error-correcting codes.

Application of Fuzzy Extractor

Using the fuzzy extractor, a noisy random source can be transformed into a uniformly random and accurately reproducible string. Fuzzy extractors can be used in cryptosystems in the following ways.
Symmetric key generation

Using the fuzzy extractor, the user can extract a random string R and a public helper string P by calling the generation algorithm Gen(w) → (P, R) with his own biometric information (that is, a noisy random source) as input. The random string R can be used as the key of the cryptosystem, and the public helper string P is stored without confidentiality. The key R is destroyed as soon as the cryptographic operation has finished. When the cryptographic system needs the key again, the user takes his own biometric information (i.e. the noisy random source) and the public helper string P as inputs and calls the regeneration algorithm Rep(w', P) → R' to reproduce the key R. Therefore the user does not need to store the key: each time the key is needed, the fuzzy extractor recovers it safely and reliably from the user's biometric information alone, which solves the problems of key generation and storage. The key R is then applied to a symmetric cipher: Enc(R, m) encrypts the plaintext m to obtain the ciphertext C, and Dec(R, C) decrypts the ciphertext C and recovers the plaintext m. This is shown in Figure 2.

Key agreement from close secrets

Two-party key agreement is also possible using the fuzzy extractor technique. Let Alice have a secret w and Bob have a secret w', where w and w' are close. For example:

- Alice and Bob are doing quantum key distribution;
- Alice and Bob are listening to a noisy radio station at the same time;
- Alice knows Bob's iris information.

Alice applies the fuzzy extractor to w to obtain the secure key R and a public helper string P, and sends P to Bob; Bob calls the regeneration algorithm Rep(w', P) → R to reproduce the key R. Thus Alice and Bob complete the key agreement (see Figure 3).

Application of the fuzzy extractor in public key cryptosystems

Public-key cryptography typically relies on hardness assumptions, and hardness assumptions generally require uniformly random strings. For example, the ElGamal encryption scheme relies on the decisional Diffie-Hellman assumption, which is associated with the discrete logarithm problem. The discrete logarithm problem is described as follows: given a group G of size p, where p is a large prime and g is a generator of the group, and for an x ∈ Z_p chosen uniformly at random, let y be the group element determined by x; given y ∈ G, computing the discrete logarithm of y is the discrete logarithm problem. If x' is not uniformly distributed, solving the discrete logarithm problem for the corresponding element z may no longer be difficult. Through the fuzzy extractor, the user can extract a uniformly random x from a noisy random source as the private key of the ElGamal encryption scheme, with the corresponding group element as the public key.

Robust fuzzy extractor

The security of the fuzzy extractor only considers passive attacks: the public helper string P can be known by the adversary, but P cannot be tampered with by the adversary. If the adversary tampers with P, then the recovery algorithm Rep of the fuzzy extractor is likely to produce a wrong output R'. But in real life, an active adversary may tamper with P. For example, in the key agreement process, an active adversary can intercept P and send a wrong P' to Bob (see Figure 4). Then Bob's call to the recovery algorithm Rep is likely to result in a wrong output R'. If R ≠ R', the key agreement fails.

In order to solve the above problem, Boyen et al. [4] proposed the concept of the robust fuzzy extractor in 2005. There are two definitions of security for the robustness of fuzzy extractors, namely "pre-application" robustness and "post-application" robustness. Pre-application robustness ensures that when the adversary sees only the public helper string P and submits a tampered P', the recovery algorithm of the fuzzy extractor can only reject and cannot produce a wrong key. However, in practical applications, if a user uses R in some cryptographic schemes, some or even all of the information of R will be leaked to the adversary. In this case pre-application robustness no longer applies, and post-application robustness addresses this: it guarantees that when the adversary sees both P and R and submits a tampered P', the recovery algorithm can still only reject.

Boyen et al. [4] proposed a general method to transform fuzzy extractors into "pre-application" robust fuzzy extractors by using hash functions. However, in the security proof the hash function is regarded as a random oracle, so the security is based on the random oracle model. In 2006, Dodis et al. [7] first constructed a "post-application" robust fuzzy extractor in the standard model. In their construction, on input a bit string w of length n and min-entropy m, the extractor can extract a uniformly distributed bit string of length l = (2m − n)/3. It can be seen that the extracted random string does not exceed 1/3 of the min-entropy m. In 2008, Kanukurthi and Reyzin [Kanukurthi 2008] constructed a "post-application" robust fuzzy extractor whose extracted random string is longer, l = (2m − n)/2 bits. In 2009, Dodis et al. [9] proved that in the plain model, if the entropy rate m/n of the input w is less than one half, then robustness of the fuzzy extractor is impossible to achieve. In order to solve this problem, Cramer et al. [6] proposed a new cryptographic primitive, algebraic manipulation detection (AMD) codes, in 2008, and at the same time constructed a robust fuzzy extractor from AMD codes in the common reference string (CRS) model. The CRS model means that the common reference string is fixed in the hardware and no one can tamper with it. Their extractor breaks the barrier of the plain model that the entropy rate of the random source must exceed one half. Nonetheless, the entropy loss of this extractor is enormous.

Fuzzy extractor with repeatable extraction

Using the fuzzy extractor, the user can extract a secure key from his own biometric information for encryption and decryption and does not need to save the key. Having enjoyed this convenience, users may want to extract multiple secure and reliable keys from their biometric information and use them with different organizations and in different scenarios. However, a person's biometric information is unique and cannot be altered or created, and the fuzzy extractor only guarantees the security of extracting one key from a noisy random source; the security of extracting multiple different keys from the same random source cannot be guaranteed. In order to solve the above problem, Boyen [3] proposed the concept of the reusable fuzzy extractor in 2004.
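The following Python example is added here and is not code from the original article or from any of the cited papers. It puts the definition (Gen/Rep from a secure sketch plus an extractor), the key-agreement use and the tampered-P problem of the robustness section into runnable form: a code-offset secure sketch over a 5-fold repetition code, a universal-hash extractor (a random GF(2) linear map whose description is published as part of P), and a simple hash tag over P and R that makes Rep reject a modified P instead of silently returning a wrong key. The parameter sizes (80-bit samples, 32-bit keys), the function names and the tag layout are my own choices for illustration; the tag only loosely follows the hash-based, random-oracle idea attributed to Boyen et al. above and is not their construction.

```python
"""Toy fuzzy extractor: code-offset secure sketch + universal-hash extractor,
plus a hash tag that turns it into a (pre-application) robust variant.
Parameter sizes are chosen for readability, not for security (assumed/constructed)."""
import hashlib
import hmac
import random
import secrets

R_BLOCK = 5                   # each 5-bit block corrects up to 2 bit flips
K_BLOCKS = 16                 # 16 blocks -> noisy samples are 80 bits long
N_BITS = R_BLOCK * K_BLOCKS
L_BITS = 32                   # length of the extracted key R (toy size)


def sample_bits(seed, n=N_BITS):
    """Constructed sample of a noisy source (deterministic so examples are repeatable)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def flip(bits, positions):
    """Copy of the bit list with the given positions flipped (simulated noise or tampering)."""
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


def rep_encode(x):
    return [bit for bit in x for _ in range(R_BLOCK)]


def rep_decode(c):
    # majority vote per block; a block decodes wrongly only if more than 2 of its bits flipped
    return [int(sum(c[i:i + R_BLOCK]) > R_BLOCK // 2) for i in range(0, len(c), R_BLOCK)]


def secure_sketch(w, rng):
    # code-offset construction: s = w XOR C(x) for a uniformly random codeword C(x)
    x = [rng.getrandbits(1) for _ in range(K_BLOCKS)]
    return [a ^ b for a, b in zip(w, rep_encode(x))]


def recover(w_prime, s):
    # w' XOR s = C(x) XOR e; decoding removes e when each block has <= 2 errors, then w = s XOR C(x)
    x_hat = rep_decode([a ^ b for a, b in zip(w_prime, s)])
    return [a ^ b for a, b in zip(s, rep_encode(x_hat))]


def extract(w, seed):
    # universal hash family: each of the L_BITS rows of `seed` is a random n-bit mask,
    # and output bit i is the parity of <row_i, w> over GF(2)
    w_int = int("".join(map(str, w)), 2)
    bits = [bin(row & w_int).count("1") & 1 for row in seed]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, L_BITS, 8))


def gen(w, rng_seed=None):
    """Gen(w) -> (P, R): public helper string P = (sketch, hash seed), extracted key R."""
    rng = secrets.SystemRandom() if rng_seed is None else random.Random(rng_seed)
    s = secure_sketch(w, rng)
    seed = [rng.getrandbits(N_BITS) for _ in range(L_BITS)]
    return (s, seed), extract(w, seed)


def rep(w_prime, P):
    """Rep(w', P) -> R': equals R whenever w' is within the sketch's error budget."""
    s, seed = P
    return extract(recover(w_prime, s), seed)


def helper_tag(s, seed, R):
    # hash over P and R; with the hash modelled as a random oracle, an adversary who sees P
    # but not R cannot produce a valid tag for a modified P
    h = hashlib.sha256(bytes(s))
    for row in seed:
        h.update(row.to_bytes(N_BITS // 8, "big"))
    h.update(R)
    return h.digest()


def gen_robust(w, rng_seed=None):
    (s, seed), R = gen(w, rng_seed)
    return (s, seed, helper_tag(s, seed, R)), R


def rep_robust(w_prime, P):
    """Return R, or None (reject) if P was tampered with: a modified sketch or seed
    changes the recovered R and/or the hashed input, so the tag no longer verifies."""
    s, seed, t = P
    R = extract(recover(w_prime, s), seed)
    return R if hmac.compare_digest(helper_tag(s, seed, R), t) else None


def key_agreement(w_alice, w_bob, rng_seed=None):
    """Alice runs Gen on her sample and sends P; Bob runs Rep on his close sample."""
    P, R_alice = gen_robust(w_alice, rng_seed)
    return R_alice, rep_robust(w_bob, P)


if __name__ == "__main__":
    w = sample_bits(7)
    P, R = gen(w)
    print(rep(flip(w, [0, 1, 7, 79]), P) == R)   # at most 2 flips per block -> True
    print(rep(flip(w, [0, 1, 2]), P) == R)       # 3 flips in one block -> False
```

With the plain `rep`, a helper string whose sketch has been modified still yields a key, just the wrong one, which is exactly the failure the robustness section describes; `rep_robust` returns None for the same input, so a key-agreement party learns that P was altered instead of continuing with a mismatched key.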