## Abstract

Fuzzy extractors (Dodis et al., SIAM J. Comput. 38(1):97–139, 2008) convert repeated noisy readings of a secret into the same uniformly distributed key. To eliminate noise, they require an initial enrollment phase that takes the first noisy reading of the secret and produces a nonsecret helper string to be used in subsequent readings. *Reusable* fuzzy extractors (Boyen, in Proceedings of the 11th ACM conference on computer and communications security, CCS, ACM, New York, 2004, pp 82–91) remain secure even when this initial enrollment phase is repeated multiple times with noisy versions of the same secret, producing multiple helper strings (for example, when a single person’s biometric is enrolled with multiple unrelated organizations). We construct the first reusable fuzzy extractor that makes no assumptions about how multiple readings of the source are correlated. The extractor works for binary strings with Hamming noise; it achieves computational security under the existence of digital lockers (Canetti and Dakdouk, in Advances in cryptology—EUROCRYPT 2008, Springer, Berlin, 2008, pp 489–508). It is simple and tolerates near-linear error rates. Our reusable extractor is secure for source distributions of linear min-entropy rate. The construction is also secure for sources with much lower entropy rates (lower than those supported by prior, nonreusable constructions), assuming that the distribution has some additional structure, namely that random subsequences of the source have sufficient min-entropy. Structure beyond entropy is necessary to support distributions with low entropy rates. We then explore further how different structural properties of a noisy source can be used to construct fuzzy extractors when the error rates are high, building a computationally secure and an information-theoretically secure construction for large-alphabet sources.
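The construction the abstract describes, using the uniformly random subsets of note 10 and the \(\ell\) lockers of note 11, as an added Python illustration; this is not the paper's code. Two things here are assumptions of the example rather than statements from the page: the digital locker is instantiated in the random-oracle heuristic as \(\mathsf{lock}(key, r) = (nonce, H(nonce \| key) \oplus (r \| 0^{s}))\), so an unlock with the wrong key is detected because the trailing \(s\) bytes fail to come out zero; and the function names `gen`, `rep`, `lock`, `unlock`, `rep_success_prob` and the demo parameters (`n=512`, `k=64`, `l=1000`, `t=10`) are chosen for the demo. Positions of each subset are public helper data; only the bits at those positions are hidden by the locker.

```python
"""Sample-then-lock reusable fuzzy extractor with digital lockers.

Added illustration, not the paper's code.  Assumption not on the page:
the locker is the random-oracle-style construction
    lock(key, r) = (nonce, SHA256(nonce || key) XOR (r || 0^PAD_LEN)),
so a wrong key yields a non-zero tail except with probability 2^-(8*PAD_LEN).
Names n (source length), k (subset size), l (number of lockers) and t (errors)
follow the page's notation; parameter values are demo choices.
"""
import hashlib
import math
import secrets

KEY_LEN = 16  # bytes of the extracted key r
PAD_LEN = 16  # zero bytes appended to r so unlock can recognise a wrong key
assert KEY_LEN + PAD_LEN == hashlib.sha256().digest_size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def lock(key_bits: bytes, r: bytes):
    """Digital locker (RO heuristic): hides r under key_bits."""
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(nonce + key_bits).digest()
    return nonce, _xor(pad, r + bytes(PAD_LEN))


def unlock(key_bits: bytes, nonce: bytes, ct: bytes):
    """Returns r if key_bits is exactly the locking key, else None."""
    pt = _xor(hashlib.sha256(nonce + key_bits).digest(), ct)
    return pt[:KEY_LEN] if pt[KEY_LEN:] == bytes(PAD_LEN) else None


def _subseq(w, v) -> bytes:
    """The bits of w at positions v, serialised as the locker key."""
    return bytes(w[i] for i in v)


def gen(w, k: int, l: int):
    """Enrollment: a fresh key r and helper p = l lockers, each keyed on the
    bits of w at a uniformly random k-subset of positions."""
    rng = secrets.SystemRandom()
    r = secrets.token_bytes(KEY_LEN)
    p = []
    for _ in range(l):
        v = sorted(rng.sample(range(len(w)), k))
        nonce, ct = lock(_subseq(w, v), r)
        p.append((v, nonce, ct))
    return r, p


def rep(w_prime, p):
    """Reproduction: r comes out of the first locker whose k positions are
    error-free in w_prime; None if every subset contains an error."""
    for v, nonce, ct in p:
        r = unlock(_subseq(w_prime, v), nonce, ct)
        if r is not None:
            return r
    return None


def flip_random_bits(w, t: int):
    """A constructed noisy re-reading of w with exactly t Hamming errors."""
    w2 = list(w)
    for i in secrets.SystemRandom().sample(range(len(w)), t):
        w2[i] ^= 1
    return w2


def rep_success_prob(n: int, t: int, k: int, l: int) -> float:
    """Pr[at least one of l independent k-subsets avoids all t error
    positions]; this is where the distinct, independent subsets of note 10
    enter the correctness argument."""
    p_clean = math.comb(n - t, k) / math.comb(n, k)
    return 1.0 - (1.0 - p_clean) ** l


def demo(n=512, k=64, l=1000, t=10):
    """Reusability: two independent enrollments of noisy readings of the same
    source w (two organisations), each reproduced from a third noisy reading.
    Returns (keys differ, org A reproduces, org B reproduces)."""
    w = [secrets.randbelow(2) for _ in range(n)]
    r_a, p_a = gen(flip_random_bits(w, t), k, l)  # enrollment at organisation A
    r_b, p_b = gen(flip_random_bits(w, t), k, l)  # enrollment at organisation B
    w_later = flip_random_bits(w, t)               # a later reading, <= 2t from each
    return r_a != r_b, rep(w_later, p_a) == r_a, rep(w_later, p_b) == r_b


if __name__ == "__main__":
    print("distinct keys, rep A ok, rep B ok:", demo())
    print("analytic success bound at 2t errors:", rep_success_prob(512, 20, 64, 1000))
```

In the demo `w` is uniform, so each 64-bit subsequence carries 64 bits of min-entropy and brute-forcing one locker costs \(2^{64}\) hashes; with a real source `k` is chosen so that the subsequences carry at least the security parameter of min-entropy (the abstract's structural assumption), and `l` is raised until `rep_success_prob` is overwhelming at the expected error rate. Each enrollment draws a fresh `r`, fresh nonces and fresh subsets, which is what keeps the two helper strings independent of one another.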

## Notes

- 3. The entropy rate of a string is its entropy divided by the length of the string.

- 4. We use \(\log \) to denote \(\log _2\) and \(\ln \) to denote the natural logarithm.

- 5. The error rate of a string is the number of errors divided by the length of the string.

- 6. See [3, Lemma 4.7.2, Equation 4.7.5, p. 115] for one characterization of the size of Hamming balls over the binary field.

- 7. Binary entropy \(h_2(\alpha )\) for \(0<\alpha <1\) is defined as \(-\alpha \log \alpha -(1-\alpha ) \log (1-\alpha )\); it is greater than \(\alpha \log \frac{1}{\alpha }\) and, in particular, greater than \(\alpha \) in the interesting range \(\alpha <\frac{1}{2}\).

- 8. However, standard heuristics for estimating entropy can also be used to indicate whether a source has high-entropy samples. For a corpus of noisy signals, repeat the following a statistically significant number of times: (1) sample *k* indices; (2) run the heuristic entropy test on the corpus with each sample restricted to those *k* indices; (3) for the resulting estimates \({est}_1,\dots , {est}_m\), compute their *average min-entropy*, as defined in Sect. 2, as \(-\log \frac{1}{m}\sum _i 2^{-{est}_i}\).

- 10. We present and analyze the construction with uniformly random subsets; however, if necessary, the required public randomness and the length of *p* can be decreased substantially by using more sophisticated samplers (see [35] for an introduction to samplers). Security does not depend on the subsets being independently random: it suffices that the marginal distribution of each subset is random. That the subsets are distinct (and independent) is used in the correctness argument.

- 11. For the construction to be reusable \(\rho \) times, the digital locker must be composable \(\ell \cdot \rho \) times.

- 12. Any code that corrects \(t\) Hamming errors also corrects \(t\) \(0\rightarrow 1\) errors, but more efficient codes exist for this type of error [62]. Codes with \(2^{\Theta (n)}\) codewords and \(t= \Theta (n)\) over the binary alphabet exist for Hamming errors and suffice for our purposes (first constructed by Justesen [41]). These codes also yield constant error tolerance for \(0\rightarrow 1\) bit flips. Note that the class of errors we support in the source (\(t\) Hamming errors over a large alphabet) and the class of errors for which we need codes (\(t\) \(0\rightarrow 1\) errors) are different.

- 13. Here we assume that \(|\mathcal {Z}|\ge n\times \log p\), that is, the source has a small number of symbols.

- 14. We actually need \(({\mathsf {Gen}} ', {\mathsf {Rep}} ')\) to be an average-case fuzzy extractor (see [26, Definition 4] and the accompanying discussion). Most known constructions of fuzzy extractors are average-case fuzzy extractors. For simplicity we refer to \(({\mathsf {Gen}} ', {\mathsf {Rep}} ')\) simply as a fuzzy extractor.

- 15. Note, again, that \(({\mathsf {Gen}} ', {\mathsf {Rep}} ')\) must be an average-case fuzzy extractor. Most known constructions are average-case, and we omit this qualifier.
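The three-step heuristic of note 8, as an added Python illustration that is not the paper's code. Two assumptions are mine, not the page's: the "heuristic entropy test" is instantiated as the most-common-value (MCV) min-entropy estimator of NIST SP 800-90B, Sect. 6.3.1, and the corpus is constructed here (readings of a 64-bit source whose first 32 bits are biased and whose last 32 bits are fair), so the numbers it prints say nothing about any real biometric. The function names and the seed parameters are also demo choices.

```python
"""Subsequence min-entropy heuristic of note 8 (added illustration).

Assumptions not on the page: the per-subset entropy test is the NIST
SP 800-90B most-common-value (MCV) estimator, and the corpus is constructed.
"""
import math
import random
from collections import Counter


def mcv_min_entropy(samples) -> float:
    """MCV estimator: -log2 of the 99% upper confidence bound on the
    probability of the most common sample value (SP 800-90B, Sect. 6.3.1)."""
    n = len(samples)
    p_hat = Counter(samples).most_common(1)[0][1] / n
    p_upper = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_upper)


def average_min_entropy(estimates) -> float:
    """Average min-entropy of equally likely estimates: -log2 E[2^-est].
    It is a soft minimum: a few low estimates pull the result down."""
    return -math.log2(sum(2.0 ** -e for e in estimates) / len(estimates))


def subsequence_entropy(corpus, k: int, trials: int, seed: int = 0) -> float:
    """Note 8's procedure over `trials` random k-subsets of positions."""
    rng = random.Random(seed)
    n = len(corpus[0])
    estimates = []
    for _ in range(trials):
        v = rng.sample(range(n), k)                          # (1) sample k indices
        restricted = [tuple(w[i] for i in v) for w in corpus]
        estimates.append(mcv_min_entropy(restricted))        # (2) heuristic test
    return average_min_entropy(estimates)                    # (3) combine


def constructed_corpus(m: int, n_biased: int = 32, n_uniform: int = 32,
                       bias: float = 0.95, seed: int = 0):
    """Constructed source: n_biased bits that are 1 with probability `bias`,
    followed by n_uniform fair bits; m independent readings."""
    rng = random.Random(seed)
    return [[int(rng.random() < bias) for _ in range(n_biased)]
            + [rng.randrange(2) for _ in range(n_uniform)]
            for _ in range(m)]


if __name__ == "__main__":
    corpus = constructed_corpus(4000, seed=1)
    for k in (4, 8):
        print(f"k={k}: {subsequence_entropy(corpus, k, 50, seed=k):.2f} bits")
```

With a corpus of a few thousand readings the MCV estimate of a k-bit restriction saturates well below k once \(2^k\) approaches the corpus size, so k here has to stay small; the point of the procedure is the comparison across subsets, and the average min-entropy step is what makes subsets that land in the biased region dominate the final figure.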

## References

- 1. Q. Alamélou, P.-E. Berthier, C. Cachet, S. Cauchie, B. Fuller, P. Gaborit, S. Simhadri, Pseudoentropic isometries: a new framework for fuzzy extractor reusability, in *Proceedings of the 2018 on Asia Conference on Computer and Communications Security* (ACM, 2018), pp. 673–684
- 2. D. Apon, C. Cho, K. Eldefrawy, and J. Katz, Efficient, reusable fuzzy extractors from LWE, in *International Conference on Cyber Security Cryptography and Machine Learning* (Springer, Berlin, 2017), pp. 1–18
- 3. R. Ash, *Information Theory* (Interscience Publishers, Geneva, 1965)
- 4. M. Blanton and M. Aliasgari, On the (non-)reusability of fuzzy sketches and extractors and security improvements in the computational setting, in *IACR Cryptology ePrint Archive*, vol. 2012 (2012), p. 608
- 5. M. Blanton and M. Aliasgari, Analysis of reusability of secure sketches and fuzzy extractors. *IEEE Trans. Inf. Forensics Secur.* **8**(9–10), 1433–1445 (2013)
- 6. C.H. Bennett, G. Brassard, and J.-M. Robert, Privacy amplification by public discussion. *SIAM J. Comput.* **17**(2), 210–229 (1988)
- 7. N. Bitansky and R. Canetti, On strong simulation and composable point obfuscation, in *Advances in Cryptology—CRYPTO 2010* (Springer, Berlin, 2010), pp. 520–537
- 8. N. Bitansky, R. Canetti, Y.T. Kalai, and O. Paneth, On virtual grey box obfuscation for general circuits, in *Advances in Cryptology—CRYPTO* (2014)
- 9. N. Bitansky, R. Canetti, Y.T. Kalai, and O. Paneth, On virtual grey box obfuscation for general circuits. *Algorithmica* **79**(4), 1014–1051 (2017)
- 10. X. Boyen, Y. Dodis, J. Katz, R. Ostrovsky, and A. Smith, Secure remote authentication using biometric data, in *Advances in Cryptology—EUROCRYPT* (Springer, Berlin, 2005), pp. 147–163
- 11. M. Blanton and W.M.P. Hudelson, Biometric-based non-transferable anonymous credentials, in *Information and Communications Security* (Springer, Berlin, 2009), pp. 165–180
- 12. X. Boyen, Reusable cryptographic fuzzy extractors, in *Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS* (ACM, New York, 2004), pp. 82–91
- 13. M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in *ACM Conference on Computer and Communications Security, CCS* (1993), pp. 62–73
- 14. S. Brostoff and M.A. Sasse, Are passfaces more usable than passwords? A field trial investigation. *People and Computers*, 405–424 (2000)
- 15. R. Canetti, Towards realizing random oracles: hash functions that hide all partial information, in *Advances in Cryptology—CRYPTO ’97* (Springer, Berlin, 1997), pp. 455–469
- 16. R. Canetti and R.R. Dakdouk, Obfuscating point functions with multibit output, in *Advances in Cryptology—EUROCRYPT 2008* (Springer, Berlin, 2008), pp. 489–508
- 17. R. Cramer, Y. Dodis, S. Fehr, C. Padró, and D. Wichs, Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors, in *Advances in Cryptology—EUROCRYPT 2008* (Springer, Berlin, 2008), pp. 471–488
- 18. R. Canetti, B. Fuller, O. Paneth, L. Reyzin, and A. Smith, Reusable fuzzy extractors for low-entropy distributions, in *Advances in Cryptology—EUROCRYPT* (Springer, Berlin, 2016), pp. 117–146
- 19. B. Chor and O. Goldreich, Unbiased bits from sources of weak randomness and probabilistic communication complexity. *SIAM J. Comput.* **17**(2) (1988)
- 20. R. Canetti, Y.T. Kalai, M. Varia, and D. Wichs, On symmetric encryption and point obfuscation, in *Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010. Proceedings* (2010), pp. 52–71
- 21. F. Carter and A. Stoianov, Implications of biometric encryption on wide spread use of biometrics, in *EBF Biometric Encryption Seminar (June 2008)* (2008)
- 22. R.R. Dakdouk, *Theory and Application of Extractable Functions*. PhD thesis, Yale University, 2009. http://www.cs.yale.edu/homes/jf/Ronny-thesis.pdf
- 23. J. Daugman, How iris recognition works. *IEEE Trans. Circuits Syst. Video Technol.* **14**(1), 21–30 (2004)
- 24. Y. Dodis, B. Kanukurthi, J. Katz, L. Reyzin, and A. Smith, Robust fuzzy extractors and authenticated key agreement from close secrets. *IEEE Trans. Inf. Theory* **58**(9), 6207–6222 (2012)
- 25. Y. Dodis, Y.T. Kalai, and S. Lovett, On cryptography with auxiliary input, in M. Mitzenmacher, ed., *Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31–June 2, 2009* (ACM, 2009), pp. 621–630
- 26. Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. *SIAM J. Comput.* **38**(1), 97–139 (2008)
- 27. Y. Dodis, K. Pietrzak, and D. Wichs, Key derivation without entropy waste, in *Advances in Cryptology—EUROCRYPT 2014* (Springer, Berlin, 2014), pp. 93–110
- 28. C. Ellison, C. Hall, R. Milbert, and B. Schneier, Protecting secret keys with personal entropy. *Future Gener. Comput. Syst.* **16**(4), 311–318 (2000)
- 29. B. Fuller, X. Meng, and L. Reyzin, Computational fuzzy extractors, in *Advances in Cryptology—ASIACRYPT 2013* (Springer, Berlin, 2013), pp. 174–193
- 30. B. Fuller, X. Meng, and L. Reyzin, Computational fuzzy extractors. *Inf. Comput.* 104602 (2020)
- 31. B. Fuller and L. Peng, Continuous-source fuzzy extractors: source uncertainty and insecurity, in *2019 IEEE International Symposium on Information Theory (ISIT)* (IEEE, 2019), pp. 2952–2956
- 32. B. Fuller, L. Reyzin, and A. Smith, When are fuzzy extractors possible? in *Advances in Cryptology—ASIACRYPT* (Springer, Berlin, 2016), pp. 277–306
- 33. B. Fuller, L. Reyzin, and A. Smith, When are fuzzy extractors possible? *IEEE Trans. Inf. Theory* (2020)
- 34. B. Gassend, D. Clarke, M. van Dijk, and S. Devadas, Silicon physical random functions, in *Proceedings of the 9th ACM Conference on Computer and Communications Security* (ACM, 2002), pp. 148–160
- 35. O. Goldreich, A sample of samplers: a computational perspective on sampling, in *Studies in Complexity and Cryptography. Miscellanea on the Interplay Between Randomness and Computation* (Springer, Berlin, 2011), pp. 302–332
- 36. J. Håstad, R. Impagliazzo, L.A. Levin, and M. Luby, A pseudorandom generator from any one-way function. *SIAM J. Comput.* **28**(4), 1364–1396 (1999)
- 37. C.-Y. Hsiao, C.-J. Lu, and L. Reyzin, Conditional computational entropy, or toward separating pseudoentropy from compressibility, in *Advances in Cryptology—EUROCRYPT* (2007), pp. 169–186
- 38. M. Hiller, D. Merli, F. Stumpf, and G. Sigl, Complementary IBS: application specific error correction for PUFs, in *IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)* (IEEE, 2012), pp. 1–6
- 39. T. Holenstein and R. Renner, One-way secret-key agreement and applications to circuit polarization and immunization of public-key encryption, in V. Shoup, ed., *Advances in Cryptology—CRYPTO, Volume 3621 of Lecture Notes in Computer Science* (Springer, Berlin, 2005), pp. 478–493
- 40. C. Herder, L. Ren, M. van Dijk, M.-D. Yu, and S. Devadas, Trapdoor computational fuzzy extractors and stateless cryptographically-secure physical unclonable functions. *IEEE Trans. Depend. Secure Comput.* **14**(1), 65–82 (2017)
- 41. J. Justesen, Class of constructive asymptotically good algebraic codes. *IEEE Trans. Inf. Theory* **18**(5), 652–656 (1972)
- 42. E.J.C. Kelkboom, J. Breebaart, T.A.M. Kevenaar, I. Buhan, and R.N.J. Veldhuis, Preventing the decodability attack based cross-matching in a fuzzy commitment scheme. *IEEE Trans. Inf. Forensics Secur.* **6**(1), 107–121 (2011)
- 43. P. Koeberl, J. Li, A. Rajan, and W. Wu, Entropy loss in PUF-based key generation schemes: the repetition code pitfall, in *2014 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)* (IEEE, 2014), pp. 44–49
- 44. B. Kanukurthi and L. Reyzin, Key agreement from close secrets over unsecured channels, in *Advances in Cryptology—EUROCRYPT* (2009), pp. 206–223
- 45. H. Krawczyk, Cryptographic extraction and key derivation: the HKDF scheme, in *Advances in Cryptology—CRYPTO 2010* (Springer, Berlin, 2010), pp. 631–648
- 46. J. Kamp and D. Zuckerman, Deterministic extractors for bit-fixing sources and exposure-resilient cryptography. *SIAM J. Comput.* **36**(5), 1231–1247 (2007)
- 47. B. Lynn, M. Prabhakaran, and A. Sahai, Positive results and techniques for obfuscation, in *Advances in Cryptology—EUROCRYPT 2004* (Springer, Berlin, 2004), pp. 20–39
- 48. U.M. Maurer, Secret key agreement by public discussion from common information. *IEEE Trans. Inf. Theory* **39**(3), 733–742 (1993)
- 49. U.M. Maurer, Information-theoretically secure secret-key agreement by NOT authenticated public discussion, in W. Fumy, ed., *Advances in Cryptology—EUROCRYPT, Volume 1233 of Lecture Notes in Computer Science* (Springer, Berlin, 1997), pp. 209–225
- 50. R. Mayrhofer and H. Gellersen, Shake well before use: intuitive and secure pairing of mobile devices. *IEEE Trans. Mobile Comput.* **8**(6), 792–806 (2009)
- 51. F. Monrose, M.K. Reiter, and S. Wetzel, Password hardening based on keystroke dynamics. *Int. J. Inf. Secur.* **1**(2), 69–83 (2002)
- 52. R. Maes, P. Tuyls, and I. Verbauwhede, Low-overhead implementation of a soft decision helper data algorithm for SRAM PUFs, in *Cryptographic Hardware and Embedded Systems-CHES 2009* (Springer, Berlin, 2009), pp. 332–347
- 53. U.M. Maurer and S. Wolf, Towards characterizing when information-theoretic secret key agreement is possible, in K. Kim and T. Matsumoto, eds., *Advances in Cryptology—ASIACRYPT, Volume 1163 of Lecture Notes in Computer Science* (Springer, Berlin, 1996), pp. 196–209
- 54. U.M. Maurer and S. Wolf, Privacy amplification secure against active adversaries, in B.S. Kaliski Jr., ed., *Advances in Cryptology—CRYPTO, Volume 1294 of Lecture Notes in Computer Science* (Springer, Berlin, 1997), pp. 307–321
- 55. N. Nisan and D. Zuckerman, Randomness is linear in space. *J. Comput. Syst. Sci.* 43–52 (1993)
- 56. R. Pappu, B. Recht, J. Taylor, and N. Gershenfeld, Physical one-way functions. *Science* **297**(5589), 2026–2030 (2002)
- 57. R. Pass, K. Seth, and S. Telang, Obfuscation from semantically-secure multi-linear encodings. Cryptology ePrint Archive, Report 2013/781, 2013. http://eprint.iacr.org/
- 58. G.E. Suh and S. Devadas, Physical unclonable functions for device authentication and secret key generation, in *Proceedings of the 44th Annual Design Automation Conference* (ACM, 2007), pp. 9–14
- 59. S. Simhadri, J. Steel, and B. Fuller, Cryptographic authentication from the iris, in *Information Security Conference* (2019)
- 60. B. Skoric and P. Tuyls, An efficient fuzzy extractor for limited noise. Cryptology ePrint Archive, Report 2009/030, 2009. http://eprint.iacr.org/
- 61. K. Simoens, P. Tuyls, and B. Preneel, Privacy weaknesses in biometric sketches, in *2009 30th IEEE Symposium on Security and Privacy* (IEEE, 2009), pp. 188–203
- 62. L.G. Tallini, S. Al-Bassam, and B. Bose, On the capacity and codes for the Z-channel, in *IEEE International Symposium on Information Theory* (2002), p. 422
- 63. P. Tuyls, G.-J. Schrijen, B. Skoric, J. Geloven, N. Verhaegh, and R. Wolters, Read-proof hardware from protective coatings, in *Cryptographic Hardware and Embedded Systems—CHES 2006* (2006), pp. 369–383
- 64. S.P. Vadhan, On constructing locally computable extractors and cryptosystems in the bounded storage model, in *Advances in Cryptology—CRYPTO 2003* (Springer, Berlin, 2003), pp. 61–77
- 65. J. Woodage, R. Chatterjee, Y. Dodis, A. Juels, and T. Ristenpart, A new distribution-sensitive secure sketch and popularity-proportional hashing, in *Advances in Cryptology—CRYPTO* (Springer, Berlin, 2017), pp. 682–710
- 66. Y. Wen and S. Liu, Reusable fuzzy extractor from LWE, in *Australasian Conference on Information Security and Privacy* (Springer, Berlin, 2018), pp. 13–27
- 67. Y. Wen, S. Liu, and S. Han, Reusable fuzzy extractor from the decisional Diffie–Hellman assumption. *Des. Codes Cryptogr.* 1–18 (2018)
- 68. M.-D.M. Yu and S. Devadas, Secure and robust error correction for physical unclonable functions. *IEEE Des. Test* **27**(1), 48–65 (2010)
- 69. M. Zviran and W.J. Haga, A comparison of password techniques for multilevel authentication mechanisms. *Comput. J.* **36**(3), 227–237 (1993)

## Acknowledgements

The authors are grateful to Nishanth Chandran, Nir Bitansky, Sharon Goldberg, Gene Itkis, Bhavana Kanukurthi, and Mayank Varia for helpful discussions, creative ideas, and important references. Adam Smith performed this work while on the faculty of the Pennsylvania State University’s Department of Computer Science and Engineering. The research was partly supported by NSF awards 0747294 and 0941553. Part of the research was done while A.S. was on sabbatical, supported by Boston University’s Hariri Institute for Computing. Ran Canetti is supported by the NSF MACS project, an NSF Algorithmic Foundations Grant 1218461, the Check Point Institute for Information Security, and ISF Grant 1523/14. Omer Paneth is additionally supported by the Simons award for graduate students in theoretical computer science. Benjamin Fuller performed this work while at Boston University and MIT Lincoln Laboratory. The work of Benjamin Fuller was sponsored in part by US NSF Grants 1012910, 1012798, and 1849904 and the United States Air Force under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the authors and are not necessarily endorsed by the United States Government. Leonid Reyzin is supported in part by US NSF Grants 0831281, 1012910, 1012798, and 1422965.


## Additional information


© IACR 2020. This article is the final version submitted by the author(s) to the IACR and to Springer-Verlag on September 15, 2020. A preliminary version of this work appeared at the 35th IACR Advances in Cryptology, EUROCRYPT, May 2016. Differences between that work and this manuscript are discussed at the end of the introduction.

Communicated by Stefano Tessaro.

## About this article

### Cite this article

Canetti, R., Fuller, B., Paneth, O. *et al.* Reusable Fuzzy Extractors for Low-Entropy Distributions. *J Cryptol* **34**, 2 (2021). https://doi.org/10.1007/s00145-020-09367-8

### Keywords

- Fuzzy extractors
- Reusability
- Key derivation
- Digital lockers
- Point obfuscation