Key Derivation from Noisy Sources with More Errors Than Entropy
Benjamin Fuller
Joint work with Ran Canetti, Omer Paneth, and Leonid Reyzin
May 5, 2014
1 BWF 4/2/2014
Authenticating Users
• Users’ private data exists online in a variety of locations
• Must authenticate users before granting access to private data
• Passwords are widely used but guessable
Key Derivation from Noisy Sources
Are there alternatives to passwords with high entropy (uncertainty)?
• Physically Unclonable Functions (PUFs) [PappuRechtTaylorGershenfield02]
• Biometric Data [Daugman04]
• Entropic sources are noisy
  – Source differs over time: first reading w, later readings x
  – Distance is bounded: d(w, x) ≤ dmax
• Derive stable and strong key from noisy source
  – w, x map to same key
• Different samples from source produce independent keys
  – Gen(w) ≠ Gen(w’)
Fuzzy Extractors
• Assume our source is strong
  – Traditionally, high entropy
• Fuzzy extractors derive reliable keys from noisy data [DodisOstrovskyReyzinSmith04, 08] (interactive setting in [BennettBrassardRobert88])
[Figure: Generate and Reproduce diagram with labels Source, w, Public (p), key]
Goals:
• Correctness: Gen, Rep give same key if d(w, x) ≤ dmax
• Security: (key, p) ≈ (U, p)
  – Can be statistical or computational [FullerMengReyzin13]
Traditional Construction
• Derive a key using a randomness extractor
  – Converts high entropy sources to uniform: H∞(W0) ≥ k ⇒ Ext(W0) ≈ U
• Error correct to w with a secure sketch
[Figure: Generate = Sketch, Ext; Reproduce = Rec, Ext]
Error-Correcting Codes
• Subset, C, of metric space
• For ec1, ec2 in C, d(ec1, ec2) > 2dmax
• For any ec’ find closest ec1 in C
• Linear codes:
  – C is span of expanding matrix Gc (generating matrix)
[Figure: points ec1, ec2 and ec’, with distance 2dmax marked]
Secure Sketches
Code Offset Sketch
• G – Generating matrix for code that corrects dmax errors
• Generate (Sketch): ec = Gc, p = ec ⊕ w
• Reproduce (Rec): ec’ = Dec(p ⊕ x)
• If w and x are close then w = ec’ ⊕ p.
• w is unknown (knowing p): (k−k’) – entropy loss
• Ext must be able to extract from distributions where
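An added example (not from the talk) of the code-offset sketch above over bit strings, with XOR as the offset. The [7,4] Hamming code (dmax = 1), the brute-force decoder and the sample readings are assumptions chosen to keep it small.

```python
import itertools
import secrets

# Assumed code for this example: [7,4] Hamming code, corrects DMAX = 1 error.
# Rows of G are basis codewords (systematic form).
G = [
    (1, 0, 0, 0, 1, 1, 0),
    (0, 1, 0, 0, 1, 0, 1),
    (0, 0, 1, 0, 0, 1, 1),
    (0, 0, 0, 1, 1, 1, 1),
]
N, DMAX = 7, 1

def xor(a, b):
    return tuple(i ^ j for i, j in zip(a, b))

def encode(c):
    """ec = Gc over GF(2): XOR of the rows of G selected by c."""
    ec = (0,) * N
    for bit, row in zip(c, G):
        if bit:
            ec = xor(ec, row)
    return ec

CODE = [encode(c) for c in itertools.product((0, 1), repeat=len(G))]

def dist(a, b):
    """Hamming distance d(a, b)."""
    return sum(i != j for i, j in zip(a, b))

def dec(y):
    """Minimum-distance decoding: the codeword closest to y."""
    return min(CODE, key=lambda ec: dist(ec, y))

def sketch(w):
    """Generate side: p = ec XOR w for a fresh random codeword ec = Gc."""
    c = tuple(secrets.randbelow(2) for _ in G)
    return xor(encode(c), w)

def rec(p, x):
    """Reproduce side: ec' = Dec(p XOR x), then w = ec' XOR p."""
    return xor(dec(xor(p, x)), p)

def consistent_readings(p):
    """Every w that an observer of p cannot rule out: one per codeword."""
    return {xor(ec, p) for ec in CODE}

def demo():
    w = (1, 0, 1, 1, 0, 0, 1)    # constructed first reading
    p = sketch(w)
    x1 = (1, 0, 1, 1, 0, 1, 1)   # d(w, x1) = 1 <= DMAX
    x2 = (0, 0, 1, 1, 0, 1, 1)   # d(w, x2) = 2 >  DMAX
    # Recovery succeeds within DMAX and silently returns a wrong w beyond it.
    # For a uniform 7-bit w, p leaves 16 candidates: 4 bits remain, 3 are lost.
    return rec(p, x1) == w, rec(p, x2) == w, len(consistent_readings(p))
```
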
Entropy Loss From Fuzzy Extractors
• Entropy is at a premium for physical sources
  – Iris ≈ 249 [Daugman1996]
  – Fingerprint ≈ 82 [RathaConnellBolle2001]
  – Passwords ≈ 31 [ShayKomanduri+2010]
• Fuzzy extractors have two losses:
  – Secure sketches lose error correcting capability of the code (k−k’)
    • Iris ≈ 200 bit error rate
  – Randomness extractors lose 2log(1/ε) or between 60-100 bits
• After these losses the key may be too short to be useful: 30-60 bits
After these losses, there may not be any key left!
Can we eliminate either of these entropy losses?
• [DodisOstrovskyReyzinSmith]: Secure Sketch ⇒ Code (corrects random errors)
  – Means k−k’ ≥ log |Bdmax| (Ball of radius dmax)
Error Tolerance and Security at Odds
• Adversary shouldn’t guess x* where d(w, x*) ≤ dmax
• Easier as dmax increases
• Consider a source W where initial readings w (for different physical devices) are close
• If there is a point x* close to all points in W, no security is possible
  – By providing x* to Rep the adversary always learns key
• Let Bdmax represent the points with distance dmax
• There is a W where
• Call this minimum usable entropy, Husable(W)
[Figure: metric space M with a ball around w; any input to Rep in this ball produces key]
Minimum Usable Entropy
• Standard fuzzy extractors provide worst case security guarantees
  – Implies |key| ≤ Husable(W)
• Many sources have no minimum usable entropy
  – Irises are thought to be the “best” biometric, for irises Husable(W) ≈ -707
• Need property other than entropy to secure these sources (e.g. points are not close together)
Can we find reasonable properties and accompanying constructions?
Hamming Metric
• Security parameter n
• Sources W = W1,…, Wk: symbols Wi over alphabet Z (grows with n)
• d(w, x) = # of symbols that differ
  w = 100 011 101 001 000 110 101 010 111 101
  x = 100 110 101 001 001 110 101 010 000 100
  d(w, x) = 4
Results
• Security relies on point obfuscation (secure under strong vector DDH [BitanskiCanetti10])
• Security requirement
  – Construction 1: ω(log n) entropy in most symbols
  – Construction 2: Ω(1) entropy in most symbols
• Errors corrected: Θ(k)
Point Obfuscation
• Obfuscator transforms program I into “black-box” [BarakGoldreichImpagliazzoRudichSahaiVadhanYang01]
• Possible for point programs [Canetti97]
  – Need a strong version achievable under strong vector DDH (composable virtual gray-box obfuscation [BitanskiCanetti10])
Construction Attempt #1
• Hide w using obfuscation
• Can check if x = w without revealing w
Two Problems:
• No key
• No error tolerance
[Figure: Generate publishes an obfuscation of w as p; Reproduce outputs 1/0]
Construction Attempt #2
• Obfuscate each symbol (recall w = w1,…, wk)
• Can now learn which symbols match
• Knowing where errors occur is useful in coding theory
• Leverage a technique from point obfuscation
  – Can specify output of point function [CanettiDakdouk08]
  – Let’s try this on our construction
[Figure: Generate and Reproduce diagram with labels w, p, one obfuscation per symbol w1 … wk, each answering 1/0]
Construction Attempt #3
• For each symbol i, flip ci
  – Obfuscate
• Knowing where errors occur is useful in coding theory
• Can run obfuscations and recover most bits of c
[Figure: Generate and Reproduce diagram with labels w, p, c1,…,ck, obfuscations labelled w1, c1 … wk, ck, 1/0]
Construction
• Sample c ∈ C from binary error correcting code
• For each symbol i, Obfuscate
• Can run obfuscations and recover most bits of c
• Use c as output (run c through comp. ext. [Krawczyk10] to create key)
[Figure: Generate and Reproduce diagram with labels w, p, c1,…,ck, obfuscations labelled w1, c1 … wk, ck, Decode, key]
Correctness and Security
• Correctness: Recover all but d(w, x) ≤ dmax bits of c
• Exist binary error correcting codes with error tolerance Θ(k)
Security Question: What about w and c is revealed by obfuscations … ?
What is revealed by obfuscations?
• Need to argue adversary learns little through equality oracle queries to symbols
• Enough to argue adversary sees as response to queries with overwhelming probability
  – That is, they rarely guess the stored value wi
Block Unguessable Distributions
Let A be an algorithm asking polynomial queries of the form: is wi = xi?
Def: W = W1,…, Wk is block unguessable if there exists a set such that for all A,
Caution: Adaptivity is crucial, there are distributions with high overall entropy that can be guessed using equality queries to individual blocks
Block Unguessable: Proceed with Caution
• An adversary can guess “easy” blocks, and use gained info to guess next block
Positive Examples: block fixing sources [KampZuckerman07], blocks are independent and many are entropic, all entropic blocks
Security
Thm: When the source is block unguessable, C has log(|C|) − (k−|J|) bits of comp. entropy
  – Size of the code minus the “guessable” positions
  – Convertible to pseudorandom by comp. ext.
Note: In computational setting, size of key isn’t as crucial, can be expanded by computational extractor
Error Tolerance and Security at Odds
• Adversary shouldn’t guess x* where d(w, x*) ≤ dmax
• A block unguessable distribution has more unguessable symbols than are corrected
• There is at least one symbol an adversary must guess
• Get security from adversary’s inability to guess this one symbol
Results
• Husable ≤ 0 if |Z| = ω(poly(n)) & C corrects Θ(k) errors
Reducing Required Entropy
• Obfuscating symbols individually leaks equality, entropy ensures A can’t guess stored values
• Can we reduce the necessary entropy if we obfuscate multiple symbols together?
  – Obfuscating all symbols together works but eliminates error tolerance
• Instead of having symbols/obfuscations in 1-1 correspondence, introduce level of indirection
• Create random bipartite graph between symbols and obfuscations (published in p)
  – Each obfuscation has degree α
  – v1 = w1||w2||w4||w10, v2 = w2||w3||w6||w8, …, vk = w3||w4||w7||w9
[Figure: bipartite graph between symbols w1, w2, …, wk and obfuscations carrying c1, c2, …, ck]
Correctness
• The graph is an averaging sampler [Lu2002, Vadhan2003]
• Obfuscating multiple blocks together degrades error tolerance
  – If d(w, x) ≤ dmax, then Pr. each vi contains an error is O(dmax*α)
  – If C supports Θ(k) errors and α = ω(log k), construction correct w.h.p. if d(w, x) ≤ k/ω(log k) (by Chernoff bound)
Security
• Assume exists set of symbols J with Ω(1) entropy conditioned on values of all other symbols
• E[H∞(Vi)] ≥ Ω(E|{indices of J included in Vi}|)
  – The size of this set is hyper-geometrically distributed. Expected size is α*|J|/k. Distribution has a small tail [Chvátal79].
• If α = ω(log n), all H∞(Vi) ≥ ω(log n) entropy w.h.p.
• V = V1,…,Vk is a block unguessable distribution, security follows from previous construction
Noisy Point Obfuscation
• A noisy point obfuscator is stronger than a fuzzy extractor
  – Cannot leak any partial information about w
• [DodisSmith05] achieve weaker distributional notion of noisy point obfuscation when Husable >> 0
• Our constructions leak information (value of individual blocks, locations of errors) and are not standard obfuscation
• Can we construct noisy point obfuscation for all distributions? From indistinguishability obfuscation? [GargGentryHaleviRaykovaSahaiWaters13]
Conclusion
• Construct the first (computational) fuzzy extractors when Husable ≤ 0 using point obfuscation
• Constructions allow Husable ≤ 0 when alphabet is super-polynomial
  – Necessary? Constructions for small alphabet?
• We restricted W, could restrict errors (that is restrict X)
Questions?