Upgrading Fuzzy Extractors

Abstract

Fuzzy extractors derive stable keys from noisy sources non-interactively (Dodis et al., SIAM Journal of Computing 2008). Since their introduction, research has focused on two tasks: 1) showing security for as many distributions as possible and 2) providing stronger security guarantees including allowing one to enroll the same value multiple times (reusability), security against an active attacker (robustness), and preventing leakage about the enrolled value (privacy).

Given the need for progress on the basic fuzzy extractor primitive, it is prudent to seek generic mechanisms to transform a fuzzy extractor into one that is robust, private, and reusable so that it can inherit further improvements.

This work asks if one can generically upgrade fuzzy extractors to achieve robustness, privacy, and reusability. We show positive and negative results: we show upgrades for robustness and privacy, but we provide a negative result on reuse.

1. 1.

   We upgrade (private) fuzzy extractors to be robust under weaker assumptions than previously known in the common reference string model.

2. 2.

   We show a generic upgrade for a private fuzzy extractor using multi-bit compute and compare (MBCC) obfuscation (Wichs and Zirdelis, FOCS 2017) that requires less entropy than prior work.

3. 3.

   We show one cannot arbitrarily compose private fuzzy extractors. In particular, we show that assuming MBCC obfuscation and collision-resistant hash functions, there does not exist a private fuzzy extractor secure against unpredictable auxiliary inputs, strengthening a negative result of Brzuska et al. (Crypto 2014).

C. Cachet—Most work done while at the University of Connecticut.

Appendices

A Privacy vs FE Security

Showing that fuzzy extractor security does not imply privacy is straightforward. Let \(\textsf{FE}'\) be a fuzzy extractor for which \(\textsf{pub}' = w_1 || \textsf{pub}\), where \(w_1 \in \{0,1\}\) denotes the first bit of w and \(\textsf{pub}\) is a valid public value such that \(\textsf{key}\leftarrow \textsf{FE}.\textsf{Rep}(\textsf{pub}, w^*)\) when \(\textsf{dist}(w,w^*) \le t\). Then it is obvious that even though \(\textsf{FE}'\) is a secure fuzzy extractor, it is not private.

We will now show that the reverse is also not true.

Theorem 5

Privacy (Definition 8) does not imply fuzzy extractor security (Definition 7).

Proof

(Proof of Theorem 5). We will prove this by presenting a counter example. Consider the following construction:

• \((\textsf{pub},\textsf{key}) \leftarrow \textsf{Gen}(w)\): \(\textsf{key}\) is sampled uniformly at random and \(\textsf{pub}\) is an obfuscation of the program p such that, for inputs \(x \in \{0,1\}^*\) and \(b \in \{0,1\}\),

  $$ p(b, x) = {\left\{ \begin{array}{ll} \textsf{key}&{} \text {if } \ b = 1 \text { and } \textsf{dist}(w,x) \le t \\ \top &{} \text {if } \ b = 0 \text { and } x = \textsf{key}\\ \perp &{} \text {otherwise.} \end{array}\right. } $$

• \(\textsf{key}\leftarrow \textsf{Rep}(\textsf{pub}, b, w')\): run \(\textsf{pub}(1,w')\) and return its output.

Notice that for \(w,w' \in \mathcal {W}\) such that \(\textsf{dist}(w,w') \le t\), we have

$$\begin{aligned} \Pr \left[ \textsf{key}\leftarrow \textsf{Rep}(\textsf{pub},w') \ \left| \ (\textsf{pub},\textsf{key}) \leftarrow \textsf{Gen}(w) \right. \right] \ge 1 - \textsf{ngl}(\lambda ) \end{aligned}$$

which is the expected behavior of a fuzzy extractor. Furthermore, note that this construction is private since by the obfuscation definition, for any PPT adversary \(\mathcal {A}\), there exists simulator \(\textsf{Sim}\) such that for any predicate \(\phi \)

$$\begin{aligned} \left| \Pr [\mathcal {A}(\textsf{pub},\textsf{key}) = \phi (W)] - \Pr [\textsf{Sim}(1^\lambda ,1^{|\textsf{pub}|},1^{|\textsf{key}|}) = \phi (W)] \right| \le \textsf{ngl}(\lambda ) \end{aligned}$$

Now let’s check fuzzy extractor security. Consider the following experiment:

1. 1.

   Run \((\textsf{key},\textsf{pub}) \leftarrow \textsf{Gen}(w)\).

2. 2.

   Draw \(b \leftarrow \{0,1\}\).

3. 3.

   If \(b = 0\), sample \(U_\ell \xleftarrow {\$} \{0,1\}^\ell \) and send \((U_\ell , \textsf{pub})\) to \(\mathcal {A}\). Otherwise, send \((\textsf{key},\textsf{pub})\) to \(\mathcal {A}\).

4. 4.

   \(\mathcal {A}\) outputs \(b' \in \{0,1\}\) and wins if \(b' = b\).

\(\mathcal {A}\) has a straightforward way of winning this experiment by running \(\textsf{pub}(0,x)\), where \(x = \textsf{key}\) or \(x = U_\ell \) depending on drawn b. Then \(\mathcal {A}\) outputs \(b' = 1\) if \(\textsf{pub}(0,x) = \top \) and \(b' = 0\) if \(\textsf{pub}(0,x) = \perp \). Thus we have

$$\begin{aligned} \left| \Pr [ \mathcal {A}(\textsf{key}, \textsf{pub})=1] - \Pr [\mathcal {A}(U_\ell , \textsf{pub})=1] \right| > \textsf{ngl}\end{aligned}$$

and we can conclude that this construction, although private, is not a secure fuzzy extractor.

B Reusability from Composable MBCC Obfuscation

Reusability for Constructions 1 and 2 is achievable when the MBCC obfuscator is composable. We start by defining reuse.

Definition 15

(Reusable Fuzzy extractor [16]). Let \(\textsf{FE}\) be an \((\mathcal {M},\mathcal {W},\ell ,t,s,\epsilon )\)-fuzzy extractor with error \(\delta \) as defined above. Let \((W_1,\cdots ,W_\rho )\) be \(\rho \in \mathbb {N}\) correlated variables such that \(W_i \in \mathcal {W}\). Let adversary \(\mathcal {A}\) be a PPT adversary, then for all \(j \in [1,\rho ]\):

1. 1.

   The challenger samples \(w_j \leftarrow W_j\) and computes \((\textsf{key}_j, \textsf{pub}_j) \leftarrow \textsf{FE}.\textsf{Gen}(w)\).

2. 2.

   The challenger samples a uniform \(u \xleftarrow {\$} \{0,1\}^\ell \) and sets \(K_0 = \textsf{key}_i\) and \(K_1 = u\).

3. 3.

   The challenger draws \(b \xleftarrow {\$}\{0,1\}\) and sends to \(\mathcal {A}\)

   $$\begin{aligned} (\textsf{key}_1,\cdots , \textsf{key}_{i-1}, K_b, \textsf{key}_{i+1},\cdots , \textsf{key}_\rho , \textsf{pub}_1,\cdots ,\textsf{pub}_\rho ) \end{aligned}$$
4. 4.

   \(\mathcal {A}\) outputs \(b' \in \{0,1\}\) and wins if \(b' = b\).

We denote the above experiment as \(\textsf {Exp}_{\mathcal {A},b}^{\textsf {reusable}}\), the advantage of \(\mathcal {A}\) is

$$\begin{aligned} \textsf{Adv}(\mathcal {A}) = \left| \Pr [\textsf {Exp}_{\mathcal {A},0}^{\textsf {reusable}} = 1] - \Pr [\textsf {Exp}_{\mathcal {A},1}^{\textsf {reusable}} = 1] \right| . \end{aligned}$$

\(\textsf{FE}\) is a \((\rho ,\epsilon )\)-reusable fuzzy extractor if for all \(\mathcal {A}\), for all \(i \in [1,\rho ]\) the advantage of \(\mathcal {A}\) is at most \(\epsilon \).

However, as we show in Sect. 5 this is not possible without restricting the class of circuits being obfuscated.

Definition 16

(\(\ell \)-Composable Obfuscation with auxiliary input). \(\textsf{Obf}\) is a \(\ell \)-composable obfuscator for distribution class \(\mathcal {D}\) over the family of circuits \(\mathcal {P}_\lambda \) if for any PPT adversary \(\mathcal {A}\) and polynomial p, there exists a simulator \(\textsf{Sim}\) such that for every distribution ensemble \(D = \{D_\lambda \} \in \mathcal {D}\) and \((P_1,\cdots ,P_\ell , \textsf{aux}) \leftarrow D_\lambda \), with \(\ell = \textsf{poly}(\lambda )\),

$$\begin{aligned} &\Big | \Pr [ \mathcal {A} \big (\textsf{Obf}(P_1),\cdots ,\textsf{Obf}(P_\ell ), \textsf{aux}\big ) = 1 ] \\ &- \Pr [ \textsf{Sim}^{P_1,\cdots ,P_\ell } ( 1^{|P_1|},\cdots ,1^{|P_\ell |}, \textsf{aux}) = 1] \Big | \le \frac{1}{p(\lambda )} \end{aligned}$$

Theorem 6

Let \(\textsf{Obf}\) be a composable dist-VBB obfuscator for MBCC circuits, then Constructions 1 and 2 are reusable.

Proof

(Proof of Theorem 6). Suppose \(\textsf{PFE}\) is not a reusable fuzzy extractor, that is, there exists a PPT adversary \(\mathcal {A}\) and a polynomial \(p(\lambda )\) such that for all \(1 \le j \le \rho \):

$$\begin{aligned} &\big | \ \Pr [\mathcal {A} (\textsf{key}_1,\cdots , \textsf{key}_\rho , \textsf{pub}_1,\cdots ,\textsf{pub}_\rho ) = 1] \\ &- \Pr [\mathcal {A} (\textsf{key}_1,\cdots , \textsf{key}_{i-1}, U_\ell , \textsf{key}_{i+1},\cdots , \textsf{key}_\rho , \textsf{pub}_1,\cdots ,\textsf{pub}_\rho ) = 1] \ \big | > \frac{1}{p(\lambda )} \end{aligned}$$

where \(U_\ell \) is a uniform random string in \(\{0,1\}^\ell \).

Remember that \(\textsf{Obf}\) is a composable obfuscator for \(\textsf{MBCC}[\textsf{Rep}_\textsf{pub}, k, \textsf{key}]\). Let \(r(\lambda ) = 3p(\lambda )\) and suppose \(\textsf{Sim}\) is the simulator for \(\mathcal {A}\) for \(r(\lambda )\), then we have

$$\begin{aligned} &\big | \Pr [\mathcal {A}(\{\textsf{Obf}(1^\lambda , \textsf{MBCC}[\textsf{Rep}_\textsf{pub},k,\textsf{key}_i])\}_{i=1}^\rho , \textsf{aux}) = 1] \\ &- \Pr [\textsf{Sim}^{\{\textsf{MBCC}[\textsf{Rep}_\textsf{pub},k,\textsf{key}_i]\}_{i=1}^\rho }(1^\lambda , \{|\textsf{MBCC}[\textsf{Rep}_\textsf{pub},k,\textsf{key}_i]|\}_{i=1}^\rho , \textsf{aux}) = 1] \big | \le \frac{1}{3p(\lambda )} \end{aligned}$$

Note that in Construction 1, \(\textsf{pub}_i = \textsf{Obf}(1^\lambda , \textsf{MBCC}[\textsf{Rep}_{\textsf{pub}'},k,\textsf{key}_i])\) and set \(\textsf{aux}= \textsf{key}_1,\cdots ,\textsf{key}_\rho \) so we have

$$\begin{aligned} &\big | \Pr [\mathcal {A}(\{\textsf{pub}_i\}_{i=1}^\rho , \{\textsf{key}_i\}_{i=1}^\rho ) = 1] \nonumber \\ &- \Pr [\textsf{Sim}^{\{\textsf{pub}_i\}_{i=1}^\rho }(1^\lambda , \{|\textsf{pub}_i|\}_{i=1}^\rho , \{\textsf{key}_i\}_{i=1}^\rho ) = 1] \big | \le \frac{1}{3p(\lambda )} \end{aligned}$$

(3)

Notice that this also holds if we replace \(\textsf{key}_j\) by an independent uniform random variable \(U_\ell \) over \(\{0,1\}^\ell \). Then for any \(j \in \{1,\rho \}\) we have:

$$\begin{aligned} &\big | \Pr [\mathcal {A}(\{\textsf{pub}_i\}_{i=1}^\rho , \textsf{key}_1,\cdots ,\textsf{key}_{j-1}, U_\ell , \textsf{key}_{j+1},\cdots ,\textsf{key}_\rho ) = 1] \nonumber \\ &- \Pr [\textsf{Sim}^{\{\textsf{pub}_i\}_{i=1}^\rho }(1^\lambda , \{|\textsf{pub}_i|\}_{i=1}^\rho , \textsf{key}_1,\cdots ,\textsf{key}_{j-1}, U_\ell , \textsf{key}_{j+1},\cdots ,\textsf{key}_\rho ) = 1] \big | \le \frac{1}{3p(\lambda )} \end{aligned}$$

(4)

Again we adapt Canetti et al.’s lemma [16, Lemma 2]:

Lemma 3

Let \(U_\ell \) denote the uniform distribution over \(\{0,1\}^\ell \), then for \(1 \le j \le \rho \),

$$\begin{aligned} &\Big | \Pr [\textsf{Sim}^{\{\textsf{MBCC}[\textsf{Rep}_\textsf{pub},k,\textsf{key}_i]\}_{i=1}^\rho } \left( 1^\lambda , \left\{ \left| \textsf{MBCC}[\textsf{Rep}_\textsf{pub},k,\textsf{key}_i] \right| \right\} _{i=1}^\rho , \{\textsf{key}\}_{i=1}^\rho \right) = 1] \\ &- \Pr [\textsf{Sim}^{\{\textsf{MBCC}[\textsf{Rep}_\textsf{pub},k,\textsf{key}_i]\}_{i=1}^\rho } \left( 1^\lambda , \left\{ \left| \textsf{MBCC}[\textsf{Rep}_\textsf{pub},k,\textsf{key}_i] \right| \right\} _{i=1}^\rho , \{\textsf{key}_i\}_{i=1}^{j-1},U_\ell ,\{\textsf{key}_i\}_{i=j+1}^{\rho } \right) = 1] \Big | \\ &\le \frac{1}{3p(\lambda )} \end{aligned}$$

Proof

Fix any \(u \in \{0,1\}^\ell \), the lemma will follow by averaging over all u. The information about whether the \(j^{th}\) key value, denoted \(V_j\), is \(\textsf{key}_j\) or u can only be obtain by \(\textsf{Sim}\) through the query responses. First, we modify \(\textsf{Sim}\) to quit immediately when it gets a response not equal to \(\perp \). Such \(\textsf{Sim}\) is equally successful at distinguishing between \(\textsf{key}_j\) and u since the first non-\(\perp \) response tells \(\textsf{Sim}\) if its input is equal to \(\textsf{key}_j\). Subsequent responses add nothing to this knowledge. Since \(\textsf{Sim}\) can make at most q queries, there are \(q+1\) possible values for the view of \(\textsf{Sim}\) on a given input. Of those, q views consist of some number of non-\(\perp \) responses followed by a \(\perp \) response, and one view consists of all q responses equal to \(\perp \).

Then by [25, Lemma 2.2b],

$$\begin{aligned} \tilde{H}_\infty (V_j | View(\textsf{Sim}), \textsf{aux}) &\ge \tilde{H}_\infty (V_j) - \log (q+1) \\ &\ge \alpha - \log (q+1). \end{aligned}$$

where \(\textsf{aux}= \left( \{| \textsf{MBCC}[\textsf{Rep}_\textsf{pub},k,\textsf{key}_i]|\}_{i=1}^\rho , \textsf{key}_1,\cdots ,\textsf{key}_{j-1},\textsf{key}_{j+1},\cdots ,\textsf{key}_\rho \right) \).

Thus, at each query, the probability that \(\textsf{Sim}\) gets a non-\(\perp \) response and guesses \(V_j\) is at most \((q+1)/2^\alpha \). Since there are q queries of \(\textsf{Sim}\), the overall probability is at most \(q(q+1)/2^\alpha \). Then since \(2^\alpha \) is negligible in \(\lambda \), there exists some \(\lambda _0\) such that for all \(\lambda \ge \lambda _0\), \(q(q+1)/2^\alpha \le 1/(3p(\lambda ))\).

Then from Lemma 3, we have

$$\begin{aligned} &\big | \Pr [\textsf{Sim}^{\{\textsf{pub}_i\}_{i=1}^\rho }(1^\lambda , \{|\textsf{pub}_i|\}_{i=1}^\rho , \{\textsf{key}_i\}_{i=1}^\rho ) = 1] \nonumber \\ &- \Pr [\textsf{Sim}^{\{\textsf{pub}_i\}_{i=1}^\rho }(1^\lambda , \{|\textsf{pub}_i|\}_{i=1}^\rho , \textsf{key}_1,\cdots ,\textsf{key}_{j-1}, U_\ell , \textsf{key}_{j+1},\cdots ,\textsf{key}_\rho ) = 1] \big | \le \frac{1}{3p(\lambda )} \end{aligned}$$

(5)

Using the triangle inequality on Eqs. 3, 4 and 5 we obtain

$$\begin{aligned} &\big | \ \Pr [\mathcal {A} (\textsf{key}_1,\cdots , \textsf{key}_\rho , \textsf{pub}_1,\cdots ,\textsf{pub}_\rho ) = 1] \\ &- \Pr [\mathcal {A} (\textsf{key}_1,\cdots , \textsf{key}_{i-1}, U_\ell , \textsf{key}_{i+1},\cdots , \textsf{key}_\rho , \textsf{pub}_1,\cdots ,\textsf{pub}_\rho ) = 1] \ \big | \le \frac{1}{p(\lambda )} \end{aligned}$$

which is a contradiction and completes this proof.

Composable MBCC Obfuscation. Wichs and Zirdelis [47] build obfuscation for multi-bit compute-and-compare circuits from single bit compute-and-compare by composing the function f with a strongly injective PRG. By doing so they ensure that the target values \((y_1,\cdots ,y_\ell )\) are indistinguishable from uniform, even when given f, z and \(\textsf{aux}\). Their proof then relies on the security of the obfuscator for the \(i^{th}\) circuit by passing all remaining circuits as auxiliary information.

Unfortunately this technique cannot be directly applied to build composable MBCC obfuscation since it requires keeping track of which parts of the PRG output have already been used. This is reasonable for their MBCC obfuscation scheme, where all obfuscated compute-and-compare circuits will be generated at the same time. However this is not practical in the case of composable obfuscation, where the obfuscator will typically be run at different times and without a shared state. One could use a PRG with exponential stretch and select a random part of its output, then the probability of reuse should be low. Another issue is that in Wichs and Zirdelis’s scheme, the function and the input to the PRG are always the same. For composability, especially with the goal of building reusable FE, it would need to handle distinct but possibly correlated functions and values. It then is unclear what the auxiliary information (i.e. the other obfuscated programs) may leak on the current obfuscated circuit.