Reusable Fuzzy Extractors for Low-Entropy Distributions


Fuzzy extractors (Dodis et al., in Advances in cryptology—EUROCRYPT 2014, Springer, Berlin, 2014, pp 93–110) convert repeated noisy readings of a secret into the same uniformly distributed key. To eliminate noise, they require an initial enrollment phase that takes the first noisy reading of the secret and produces a nonsecret helper string to be used in subsequent readings. Reusable fuzzy extractors (Boyen, in Proceedings of the 11th ACM conference on computer and communications security, CCS, ACM, New York, 2004, pp 82–91) remain secure even when this initial enrollment phase is repeated multiple times with noisy versions of the same secret, producing multiple helper strings (for example, when a single person’s biometric is enrolled with multiple unrelated organizations). We construct the first reusable fuzzy extractor that makes no assumptions about how multiple readings of the source are correlated. The extractor works for binary strings with Hamming noise; it achieves computational security under the existence of digital lockers (Canetti and Dakdouk, in Advances in cryptology—EUROCRYPT 2008, Springer, Berlin, 2008, pp 489–508). It is simple and tolerates near-linear error rates. Our reusable extractor is secure for source distributions of linear min-entropy rate. The construction is also secure for sources with much lower entropy rates—lower than those supported by prior (nonreusable) constructions—assuming that the distribution has some additional structure, namely, that random subsequences of the source have sufficient minentropy. Structure beyond entropy is necessary to support distributions with low entropy rates. We then explore further how different structural properties of a noisy source can be used to construct fuzzy extractors when the error rates are high, building a computationally secure and an information-theoretically secure construction for large-alphabet sources.

This is a preview of subscription content, access via your institution.


  1. 1.

    Robust fuzzy extractors [10, 17, 24, 49, 54] additionally protect against active attackers who modify p. Our constructions can be made robust by the random-oracle-based transform of [10, Theorem 1]. We discuss robustness further in Sect. 3.

  2. 2.

    The term “digital lockers” was introduced by Canetti and Dakdouk [16]; the fact that such digital lockers can be built easily out cryptographic hash functions is shown by [47, Section 4].

  3. 3.

    The entropy rate of a string is the entropy divided by the length of the string.

  4. 4.

    We use \(\log \) to denote \(\log _2\). We use \(\ln \) to denote the natural logarithm.

  5. 5.

    The error rate of a string is the number of errors divided by the length of the string.

  6. 6.

    See [3, Lemma 4.7.2, Equation 4.7.5, p. 115] for one characterization on the size of Hamming balls in the binary field.

  7. 7.

    Binary entropy \(h_2(\alpha )\) for \(0<\alpha <1\) is defined as \(-\alpha \log \alpha -(1-\alpha ) \log (1-\alpha )\); it is greater than \(\alpha \log \frac{1}{\alpha }\) and, in particular, greater than \(\alpha \) for interesting range \(\alpha <\frac{1}{2}\).

  8. 8.

    However, standard heuristics for estimating entropy can also be used to indicate whether a source has high-entropy samples. For a corpus of noisy signals, repeat the following a statistically significant number of times: (1) sample k indices (2) run the heuristic entropy test on the corpus which each sample restricted to the k indices, (3) for estimates \({est}_1,\dots , {est}_m\) compute the average min entropy, as defined in Sect. 2, of these estimates by \(-\log \sum _i 2^{-{est}_i}\).

  9. 9.

    Reusability and unlinkability are two different properties. Unlinkability prevents an adversary from telling if two enrollments correspond to the same physical source [21, 42]. We do not consider this property in this work.

  10. 10.

    We present and analyze the construction with uniformly random subsets; however, if necessary, it is possible to substantially decrease the required public randomness and the length of p by using more sophisticated samplers. See [35] for an introduction to samplers. Security does not depend on the subsets being independently random. It is sufficient for the marginal distribution of each subset to be random. The subsets being distinct (and independent) is used to argue correctness.

  11. 11.

    For the construction to be reusable \(\rho \) times the digital locker must be composable \(\ell \cdot \rho \) times.

  12. 12.

    Any code that corrects \(t\) Hamming errors also corrects \(t\) \(0\rightarrow 1\) errors, but more efficient codes exist for this type of error [62]. Codes with \(2^{\Theta (n)}\) codewords and \(t= \Theta (n)\) over the binary alphabet exist for Hamming errors and suffice for our purposes (first constructed by Justensen [41]). These codes also yield a constant error tolerance for \(0\rightarrow 1\) bit flips. The class of errors we support in our source (\(t\) Hamming errors over a large alphabet) and the class of errors for which we need codes (\(t\) \(0\rightarrow 1\) errors) are different.

  13. 13.

    Here we assume that \(|\mathcal {Z}|\ge n\times \log p\), that is the source has a small number of symbols.

  14. 14.

    We actually need \(({\mathsf {Gen}} ', {\mathsf {Rep}} ')\) to be an average case fuzzy extractor (see [26, Definition 4] and the accompanying discussion). Most known constructions of fuzzy extractors are average-case fuzzy extractors. For simplicity we refer to \({\mathsf {Gen}} ', {\mathsf {Rep}} '\) as simply a fuzzy extractor.

  15. 15.

    Note, again, that \(({\mathsf {Gen}} ', {\mathsf {Rep}} ')\) must be an average-case fuzzy extractor. Most known constructions are average-case and we omit this notation.


  1. 1.

    Q. Alamélou, P.-E. Berthier, C. Cachet, S. Cauchie, B. Fuller, P. Gaborit, S. Simhadri, Pseudoentropic isometries: a new framework for fuzzy extractor reusability, in Proceedings of the 2018 on Asia Conference on Computer and Communications Security (ACM, 2018), pp. 673–684

  2. 2.

    D. Apon, C. Cho, K. Eldefrawy, and J. Katz, Efficient, reusable fuzzy extractors from LWE, in International Conference on Cyber Security Cryptography and Machine Learning (Springer, Berlin, 2017), pp. 1–18

  3. 3.

    R. Ash, Information Theory (Interscience Publishers, Geneva, 1965)

    Google Scholar 

  4. 4.

    M. Blanton and M. Aliasgari, On the (non-) reusability of fuzzy sketches and extractors and security improvements in the computational setting, in IACR Cryptology ePrint Archive, vol. 2012 (2012), p. 608

  5. 5.

    M. Blanton and M. Aliasgari, Analysis of reusability of secure sketches and fuzzy extractors. IEEE Trans. Inf. Forensics Secur. 8(9–10), 1433–1445 (2013)

    Article  Google Scholar 

  6. 6.

    C.H. Bennett, G. Brassard, and J.-M. Robert, Privacy amplification by public discussion. SIAM J. Comput. 17(2), 210–229 (1988)

    MathSciNet  Article  Google Scholar 

  7. 7.

    N. Bitansky and R. Canetti, On strong simulation and composable point obfuscation, in Advances in Cryptology—CRYPTO 2010 (Springer, Berlin, 2010), pp. 520–537

  8. 8.

    N. Bitansky, R. Canetti, Y.T. Kalai, and O. Paneth, On virtual grey box obfuscation for general circuits, in Advances in Cryptology—CRYPTO (2014)

  9. 9.

    N. Bitansky, R. Canetti, Y.T. Kalai, and O. Paneth, On virtual grey box obfuscation for general circuits. Algorithmica 79(4), 1014–1051 (2017)

  10. 10.

    X. Boyen, Y. Dodis, J. Katz, R. Ostrovsky, and A. Smith, Secure remote authentication using biometric data, in Advances in Cryptology—EUROCRYPT (Springer, Berlin, 2005), pp. 147–163

  11. 11.

    M. Blanton and W.M.P. Hudelson, Biometric-based non-transferable anonymous credentials, in Information and Communications Security (Springer, Berlin, 2009), pp. 165–180

  12. 12.

    X. Boyen, Reusable cryptographic fuzzy extractors, in Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS (ACM, New York, 2004), pp. 82–91

  13. 13.

    M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in ACM Conference on Computer and Communications Security, CCS (1993), pp. 62–73

  14. 14.

    S. Brostoff and M.A. Sasse, Are passfaces more usable than passwords?: A field trial investigation. People and Computers, 405–424 (2000)

  15. 15.

    R. Canetti, Towards realizing random oracles: Hash functions that hide all partial information, in Advances in Cryptology—CRYPTO’97 (Springer, Berlin, 1997), pp. 455–469

  16. 16.

    R. Canetti and R.R. Dakdouk, Obfuscating point functions with multibit output, in Advances in Cryptology—EUROCRYPT 2008 (Springer, Berlin, 2008), pp. 489–508

  17. 17.

    R. Cramer, Y. Dodis, S. Fehr, C. Padró, and D. Wichs, Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors, in Advances in Cryptology—EUROCRYPT 2008 (Springer, Berlin, 2008), pp. 471–488

  18. 18.

    R. Canetti, B. Fuller, O. Paneth, L. Reyzin, and A. Smith, Reusable fuzzy extractors for low-entropy distributions, in Advances in Cryptology—EUROCRYPT (Springer, Berlin, 2016), pp. 117–146

  19. 19.

    B. Chor and O. Goldreich, Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput. 17(2) (1988)

  20. 20.

    R. Canetti, Y.T. Kalai, M. Varia, and D. Wichs, On symmetric encryption and point obfuscation, in Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9–11, 2010. Proceedings (2010), pp. 52–71

  21. 21.

    F. Carter and A. Stoianov, Implications of biometric encryption on wide spread use of biometrics, in EBF Biometric Encryption Seminar (June 2008) (2008)

  22. 22.

    R.R. Dakdouk, Theory and Application of Extractable Functions. PhD thesis, Yale University, 2009.

  23. 23.

    J. Daugman, How iris recognition works. IEEE Trans. Circuits Syst. Video Technol. 14(1), 21–30 (2004)

    Article  Google Scholar 

  24. 24.

    Y. Dodis, B. Kanukurthi, J. Katz, L. Reyzin, and A. Smith, Robust fuzzy extractors and authenticated key agreement from close secrets. IEEE Trans. Inf. Theory 58(9), 6207–6222 (2012)

    MathSciNet  Article  Google Scholar 

  25. 25.

    Y. Dodis, Y.T. Kalai, and S. Lovett, On cryptography with auxiliary input, in M. Mitzenmacher, ed., Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31–June 2, 2009 (ACM, 2009), pp. 621–630

  26. 26.

    Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)

    MathSciNet  Article  Google Scholar 

  27. 27.

    Y. Dodis, K. Pietrzak, and D. Wichs, Key derivation without entropy waste, in Advances in Cryptology–EUROCRYPT 2014 (Springer, Berlin, 2014), pp. 93–110

  28. 28.

    C. Ellison, C. Hall, R. Milbert, and B. Schneier, Protecting secret keys with personal entropy. Future Gener. Comput. Syst. 16(4), 311–318 (2000)

    Article  Google Scholar 

  29. 29.

    B. Fuller, X. Meng, and L. Reyzin, Computational fuzzy extractors, in Advances in Cryptology—ASIACRYPT 2013 (Springer, Berlin, 2013), pp. 174–193

  30. 30.

    B. Fuller, X. Meng, and L. Reyzin, Computational fuzzy extractors. Inf. Comput. 104602 (2020)

  31. 31.

    B. Fuller and L. Peng, Continuous-source fuzzy extractors: source uncertainty and insecurity, in 2019 IEEE International Symposium on Information Theory (ISIT) (IEEE, 2019), pp. 2952–2956

  32. 32.

    B. Fuller, L. Reyzin, and A. Smith, When are fuzzy extractors possible? in Advances in Cryptology—ASIACRYPT (Springer, Berlin, 2016), pp. 277–306

  33. 33.

    B. Fuller, L. Reyzin, and A. Smith, When are fuzzy extractors possible? IEEE Trans. Inf. Theory (2020)

  34. 34.

    B. Gassend, D. Clarke, M. Van Dijk, and S. Devadas, Silicon physical random functions, in Proceedings of the 9th ACM Conference on Computer and Communications Security (ACM, 2002), pp. 148–160

  35. 35.

    O. Goldreich, A sample of samplers: a computational perspective on sampling, in Studies in Complexity and Cryptography. Miscellanea on the Interplay Between Randomness and Computation (Springer, Berlin, 2011), pp. 302–332

  36. 36.

    J. Håstad, R. Impagliazzo, L.A. Levin, and M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)

    MathSciNet  Article  Google Scholar 

  37. 37.

    C.-Y. Hsiao, C.-J. Lu, and L. Reyzin, Conditional computational entropy, or toward separating pseudoentropy from compressibility, in Advances in Cryptology—EUROCRYPT (2007), pp. 169–186

  38. 38.

    M. Hiller, D. Merli, F. Stumpf, and G. Sigl, Complementary IBS: application specific error correction for PUFs, in IEEE International Symposium on Hardware-Oriented Security and Trust (HOST) (IEEE, 2012), pp. 1–6

  39. 39.

    T. Holenstein and R. Renner, One-way secret-key agreement and applications to circuit polarization and immunization of public-key encryption, in V. Shoup, ed., Advances in Cryptology—CRYPTO, Volume 3621 of Lecture Notes in Computer Science (Springer, Berlin, 2005), pp. 478–493

  40. 40.

    C. Herder, L. Ren, M. van Dijk, M.-D. Yu, and S. Devadas, Trapdoor computational fuzzy extractors and stateless cryptographically-secure physical unclonable functions. IEEE Trans. Depend. Secure Comput. 14(1), 65–82 (2017)

    Article  Google Scholar 

  41. 41.

    J. Justesen, Class of constructive asymptotically good algebraic codes. IEEE Trans. Inf. Theory 18(5), 652–656 (1972)

    MathSciNet  Article  Google Scholar 

  42. 42.

    E.J.C. Kelkboom, J. Breebaart, T.A.M. Kevenaar, I. Buhan, and R.N.J. Veldhuis, Preventing the decodability attack based cross-matching in a fuzzy commitment scheme. IEEE Trans. Inf. Forensics Secur. 6(1), 107–121 (2011)

  43. 43.

    P. Koeberl, J. Li, A. Rajan, and W. Wu, Entropy loss in PUF-based key generation schemes: the repetition code pitfall, in 2014 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST) (IEEE, 2014), pp. 44–49

  44. 44.

    B. Kanukurthi and L. Reyzin, Key agreement from close secrets over unsecured channels, in Advances in Cryptology—EUROCRYPT (2009), pp. 206–223

  45. 45.

    H. Krawczyk, Cryptographic extraction and key derivation: the HKDF scheme, in Advances in Cryptology—CRYPTO 2010 (Springer, Berlin, 2010), pp. 631–648

  46. 46.

    J. Kamp and D. Zuckerman, Deterministic extractors for bit-fixing sources and exposure-resilient cryptography. SIAM J. Comput. 36(5), 1231–1247 (2007)

    MathSciNet  Article  Google Scholar 

  47. 47.

    B. Lynn, M. Prabhakaran, and A. Sahai, Positive results and techniques for obfuscation, in Advances in Cryptology—EUROCRYPT 2004 (Springer, Berlin, 2004), pp. 20–39

  48. 48.

    U.M. Maurer, Secret key agreement by public discussion from common information. IEEE Trans. Inf. Theory 39(3), 733–742 (1993)

    MathSciNet  Article  Google Scholar 

  49. 49.

    U.M. Maurer, Information-theoretically secure secret-key agreement by NOT authenticated public discussion, in W. Fumy, ed., Advances in Cryptology—EUROCRYPT, Volume 1233 of Lecture Notes in Computer Science (Springer, Berlin, 1997), pp. 209–225

  50. 50.

    R. Mayrhofer and H. Gellersen, Shake well before use: intuitive and secure pairing of mobile devices. IEEE Trans. Mobile Comput. 8(6), 792–806 (2009)

    Article  Google Scholar 

  51. 51.

    F. Monrose, M.K. Reiter, and S. Wetzel, Password hardening based on keystroke dynamics. Int. J. Inf. Secur. 1(2), 69–83 (2002)

  52. 52.

    R. Maes, P. Tuyls, and I. Verbauwhede, Low-overhead implementation of a soft decision helper data algorithm for SRAM PUFs, in Cryptographic Hardware and Embedded Systems-CHES 2009 (Springer, Berlin, 2009), pp. 332–347

  53. 53.

    U.M. Maurer and S. Wolf, Towards characterizing when information-theoretic secret key agreement is possible, in K. Kim and T. Matsumoto, eds., Advances in Cryptology—ASIACRYPT, Volume 1163 of Lecture Notes in Computer Science (Springer, Berlin, 1996), pp. 196–209

  54. 54.

    U.M. Maurer and S. Wolf, Privacy amplification secure against active adversaries, in B.S. Kaliski Jr., ed., Advances in Cryptology—CRYPTO, Volume 1294 of Lecture Notes in Computer Science (Springer, Berlin, 1997), pp. 307–321

  55. 55.

    N. Nisan and D. Zuckerman, Randomness is linear in space. J. Comput. Syst. Sci. 43–52 (1993)

  56. 56.

    R. Pappu, B. Recht, J. Taylor, and N. Gershenfeld, Physical one-way functions. Science 297(5589), 2026–2030 (2002)

    Article  Google Scholar 

  57. 57.

    R. Pass, K. Seth, and S. Telang, Obfuscation from semantically-secure multi-linear encodings. Cryptology ePrint Archive, Report 2013/781, 2013.

  58. 58.

    G.E. Suh and S. Devadas, Physical unclonable functions for device authentication and secret key generation, in Proceedings of the 44th Annual Design Automation Conference (ACM, 2007), pp. 9–14

  59. 59.

    S. Simhadri, J. Steel, and B. Fuller, Cryptographic authentication from the iris, in Information Security Conference (2019)

  60. 60.

    B. Skoric and P. Tuyls, An efficient fuzzy extractor for limited noise. Cryptology ePrint Archive, Report 2009/030, 2009.

  61. 61.

    K. Simoens, P. Tuyls, and B. Preneel, Privacy weaknesses in biometric sketches, in 2009 30th IEEE Symposium on Security and Privacy (IEEE, 2009), pp. 188–203

  62. 62.

    L.G. Tallini, S. Al-Bassam, and B. Bose, On the capacity and codes for the Z-channel, in IEEE International Symposium on Information Theory (2002), p. 422

  63. 63.

    P. Tuyls, G.-J. Schrijen, B. Skoric, J. Geloven, N. Verhaegh, and R. Wolters, Read-proof hardware from protective coatings, in Cryptographic Hardware and Embedded Systems—CHES 2006 (2006), pp. 369–383

    Article  Google Scholar 

  64. 64.

    S.P. Vadhan, On constructing locally computable extractors and cryptosystems in the bounded storage model, in Advances in Cryptology—CRYPTO 2003 (Springer, Berlin, 2003), pp. 61–77

  65. 65.

    J. Woodage, R. Chatterjee, Y. Dodis, A. Juels, and T. Ristenpart, A new distribution-sensitive secure sketch and popularity-proportional hashing, in Advances in Cryptology—CRYPTO (Springer, Berlin, 2017), pp. 682–710

  66. 66.

    Y. Wen and S. Liu, Reusable fuzzy extractor from LWE, in Australasian Conference on Information Security and Privacy (Springer, Berlin, 2018), pp. 13–27

  67. 67.

    Y. Wen, S. Liu, and S. Han, Reusable fuzzy extractor from the decisional Diffie–Hellman assumption. Des. Codes Cryptogr. 1–18 (2018)

  68. 68.

    M.-D.M. Yu and S. Devadas, Secure and robust error correction for physical unclonable functions. IEEE Des. Test 27(1), 48–65 (2010)

  69. 69.

    M. Zviran and W.J. Haga, A comparison of password techniques for multilevel authentication mechanisms. Comput. J. 36(3), 227–237 (1993)

    Article  Google Scholar 

Download references


The authors are grateful to Nishanth Chandran, Nir Bitansky, Sharon Goldberg, Gene Itkis, Bhavana Kanukurthi, and Mayank Varia for helpful discussions, creative ideas, and important references. Adam Smith performed this work while on the faculty of the Pennsylvania State University’s Department of Computer Science and Engineering. The research was partly supported by NSF awards 0747294 and 0941553. Part of the research was done while A.S. was on sabbatical, supported by Boston University’s Hariri Institute for Computing. Ran Canetti is supported by the NSF MACS project, an NSF Algorithmic Foundations Grant 1218461, the Check Point Institute for Information Security, and ISF Grant 1523/14. Omer Paneth is additionally supported by the Simons award for graduate students in theoretical computer science. Benjamin Fuller performed this work while at Boston University and MIT Lincoln Laboratory. The work of Benjamin Fuller was sponsored in part by US NSF Grants 1012910, 1012798, and 1849904 and the United States Air Force under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the authors and are not necessarily endorsed by the United States Government. Leonid Reyzin is supported in part by US NSF Grants 0831281, 1012910, 1012798, and 1422965.

Author information



Corresponding author

Correspondence to Benjamin Fuller.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© IACR 2020. This article is the final version submitted by the author(s) to the IACR and to Springer-Verlag on September 15, 2020. A preliminary version of this work appeared at the 35th IACR Advances in Cryptology, EUROCRYPT, May 2016. Differences between that work and this manuscript are discussed at the end of the introduction.

Communicated by Stefano Tessaro.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Canetti, R., Fuller, B., Paneth, O. et al. Reusable Fuzzy Extractors for Low-Entropy Distributions. J Cryptol 34, 2 (2021).

Download citation


  • Fuzzy extractors
  • Reusability
  • Key derivation
  • Digital lockers
  • Point obfuscation