
A Practical Fuzzy Extractor for Continuous Features

  • Conference paper
Information Theoretic Security (ICITS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10015)

Abstract

Many fuzzy extractors have been presented for discrete data; here we present a fuzzy extractor for continuous data. Our approach uses the code-offset method extended to \(\mathbb {R}^n\) by using lattice codes and Euclidean distance. This is accomplished in the Unconstrained Power Channel, a theoretical artifact especially developed for lattice codes used in scenarios other than telecommunication, in which the noise is assumed to be white Gaussian. To prove security we give a lower bound on the min-entropy of the common secret that an adversary necessarily faces; we also provide an upper bound. In addition we present a construction using Low-Density Lattice Codes. Our construction is more practical than existing proposals since it can be used with a feature of any dimension n and with some noise distributions that are not white Gaussian inherent to that feature.

This work has been supported by the Brazilian agency CAPES.




Corresponding author

Correspondence to Vladimir P. Parente.


Appendices


A Proof of Theorem 1

Proof

To learn which realization of the secret information was chosen, the adversary takes the realization q of the publicly transmitted information and subtracts the distribution \(\mathcal {X}_g\) from it. This results in a translation of \(\mathcal {X}_g\), which changes the configuration of lattice points inside the domain of the distribution. Therefore, it is necessary to analyze the security for each realization of Q.

Given q and the lattice \(\varLambda \) in use, and because \(S = Q-\mathcal {X}_a\), the adversary knows the possible realizations of S. The probability of each realization \(S_i\) of S is the probability that the value lies inside its Voronoi cell. Therefore

$$\begin{aligned} P[S_i] = \int \cdots \int _{V_q(S_i)} p_X( -v_1 + q_1, \cdots , -v_n + q_n) dv_1 \cdots dv_n,\text { } S_i \in \mathcal {S} \end{aligned}$$
(15)

where \(V_q(S_i)\) stands for the Voronoi cell of the point \(S_i\) with respect to the set with the same domain as \(q-\mathcal {X}_g\), and \(\mathcal {S} =\{S_1, S_2, \cdots , S_m\}\) with \(\mathcal {S} \subseteq \varLambda \).

However, the division of the space using the domain of \(q-\mathcal {X}_g\) and the division using the lattice \(\varLambda \) can be different. Some regions that belong to a Voronoi cell of a point of \(\mathcal {S}\) could be closer to an outside point. The set of points \(\mathcal {M} = \{M_1,M_2, \cdots , M_k\}\) is defined with the following property

$$\begin{aligned} V'(M_j) = \mathcal {S} \cap V(M_j), M_j \in \varLambda , j \in \mathbb {Z}^+ \end{aligned}$$
(16)

where \(V'(M_j) \ne \emptyset \) and \(V(M_j)\) is the Voronoi cell of \(M_j\) with respect to the lattice \(\varLambda \).

If S could be mapped to those points, then their probabilities would be

$$\begin{aligned} P[M_j] = \int \cdots \int _{V'(M_j) } p_X( -v_1 + q_1, \cdots , -v_n + q_n) dv_1 \cdots dv_n, V'(M_j) \ne \emptyset \end{aligned}$$
(17)

The maximum possible value of \(P[M_j]\) is attained when \(V'(M_j) = \min (V(M_j),\max (V_q(S_i))) \), in other words, when \(V(M_j) \subseteq \mathcal {P}\). Because \(\mathcal {S} \subseteq \mathcal {M}\), then

$$\begin{aligned} \max (P[S_i]) \ge \max (P[M_j]) \end{aligned}$$
(18)

This implies that

$$\begin{aligned} H_\infty (\mathcal {S}) \le H_\infty (\mathcal {M}) \end{aligned}$$
(19)

The set \(\mathcal {M}\) is exactly the decoding of the points of \(q - \mathcal {X}_g\) without any restriction, therefore

$$\begin{aligned} H_\infty (\mathcal {M}) = H_\infty (\text {decode}(q-\mathcal {X}_g)) \end{aligned}$$
(20)

The probability of the points of \(\mathcal {S}\) for an adversary can be seen as

$$\begin{aligned} P[\mathcal {S}] = P[S| \mathcal {X}_g, Q = q, \varLambda ] \end{aligned}$$
(21)

By Eqs. (19), (20) and (21) we conclude that

$$\begin{aligned} H_\infty (S| \mathcal {X}_g, Q = q, \varLambda ) \le H_\infty (\text {decode}(q-\mathcal {X}_g)) \end{aligned}$$
(22)

B Proof of Theorem 2

This proof uses the same idea as the proof for the upper bound. The difference is that we create a distribution \(\mathcal {X}_{min}\) that is just an adjustment of the distribution \(\mathcal {X}_g\) such that \(q- \mathcal {X}_{min}\) always decodes to a lattice point covered by the domain \(X_d\) of \(\mathcal {X}_g\). This adjustment can be seen as a decrease of the region determined by \(X_d\) or as an increase of the volume of the lattice \(\varLambda \).

Proof

To learn which realization of the secret information was chosen, the adversary takes the realization q of the publicly transmitted information and subtracts the distribution \(\mathcal {X}_g\) from it. This results in a translation of \(\mathcal {X}_g\), which changes the configuration of lattice points inside the domain of the distribution. Therefore, it is necessary to analyze the security for each realization of Q.

Given q and the lattice \(\varLambda \) in use, and because \(S = Q-\mathcal {X}_a\), the adversary knows the possible realizations of S. The probability of each realization \(S_i\) of S is the probability that the value lies inside its Voronoi cell. Therefore

$$\begin{aligned} P[S_i] = \int \cdots \int _{V_q(S_i)} p_X( -v_1 + q_1, \cdots , -v_n + q_n) dv_1 \cdots dv_n,\text { } S_i \in \mathcal {S} \end{aligned}$$
(23)

where \(V_q(S_i)\) stands for the Voronoi cell of the point \(S_i\) with respect to the set with the same domain as \(q-\mathcal {X}_g\), and \(\mathcal {S} =\{S_1, S_2, \cdots , S_m\}\) with \(\mathcal {S} \subseteq \varLambda \).

However, the division of the space using the domain of \(q-\mathcal {X}_g\) and the division using the lattice \(\varLambda \) can be different. Some regions that belong to a Voronoi cell of a point of \(\mathcal {S}\) could be closer to an outside point. Because of this, we shrink the domain of \(q - \mathcal {X}_g\) so that the decoding finds only lattice points inside this region.

Finding the exact configuration of lattice points is hard, but we know that lattice points are linear combinations of the vectors of the generator matrix G and that the maximum distance between lattice points is the length \(||c_{max}||\) of the biggest vector of G. Therefore, if we subtract \(||c_{max}||\) from a lattice point, we will pass by another lattice point.

Now, assuming that \(\mathcal {X}_g = [X_1, X_2, \cdots , X_n]\) and that the domain of each \(X_i\) is \([a_i,b_i]\) with \(b_i - a_i > ||c_{max}||\), we can transform each \(X_i\) so that a point chosen inside \(X_d\) is also decoded to a point inside \(X_d\). If we use the interval \(\left[ a_i+\frac{||c_{max}||}{2},b_i-\frac{||c_{max}||}{2}\right] \) with \(1 \le i \le n\), all points in this region will be decoded to a lattice point that belongs to \(q - \mathcal {X}_g\). However, it may occur that \(b_i - a_i \le ||c_{max}||\). In this case, we treat \(X_i\) as a constant with \(p(\frac{a_i + b_i}{2}) =1\) and 0 otherwise. The value \(\frac{a_i + b_i}{2}\) is chosen in order to force the decoding function to find a point inside \(q-\mathcal {X}_g\). The consequence of this approach is that the variable \(X_i\) does not contribute to the overall min-entropy.

First we define a function f that transforms the random variables whose interval of occurrence is smaller than \(||c_{max}||\):

$$\begin{aligned} f_i(X_i) = {\left\{ \begin{array}{ll} X_i &{} \text {if } b_i -a_i > ||c_{max}||\\ p(\frac{a_i + b_i}{2}) =1 \text { and } 0 \text { otherwise},&{} \text { otherwise}\\ \end{array}\right. } \end{aligned}$$

With this function, we keep only the random variables that we can surely map to lattice points inside the domain of \(q-\mathcal {X}_g\).

It is important to notice that the decrease in the interval is just a multiplication of the random variable \(X_i\) by the constant \(c_i = \frac{b_i - a_i - ||c_{max}||}{b_i - a_i}\). The resulting probability density function is \(p_{Y_i}(y_i) = p_{X_i}(\frac{y_i}{c_i}) \frac{1}{c_i}\). We can conclude that \(c_i < 1\) and \(\displaystyle {\lim _{b_i - a_i \rightarrow \infty }} c_i = 1\), or in other words, if the interval is large enough the approximation will be close.

We define \(X_{tf} = [f_1(X_1),\cdots , f_n(X_n)]\) and the diagonal matrix C with elements

$$\begin{aligned} c_i = {\left\{ \begin{array}{ll} \frac{b_i - a_i - ||c_{max}||}{b_i - a_i} &{} \text {if } b_i -a_i > ||c_{max}||\\ 1,&{} \text { otherwise}\\ \end{array}\right. } \end{aligned}$$

Taking \(\mathcal {X}_{min} = C X_{tf}\) gives a smaller region in which all points are decoded to points of \(q-X_d\). The set \(\mathcal {M} = \{M_1,\cdots ,M_k\}\) is defined as the set of outcomes of \(\text {decode}(q- \mathcal {X}_{min})\). Assuming that the domain of \(q-\mathcal {X}_g\) is a convex area, their probabilities are

$$\begin{aligned} P[M_j]&= \int \cdots \int _{V'(M_j) } p_{\mathcal {X}_{min}}( -v_1 + q_1, \cdots , -v_o + q_o)\, dv_1 \cdots dv_o\\&= \prod _{i=1}^n \frac{1}{c_i} \int \cdots \int _{V'(M_j) } p_{X}\bigg ( -v_1 + q_1, \cdots , -v_o + q_o \,\bigg |\, X_{o+1} = q_{o+1} - \frac{a_{o+1} + b_{o+1}}{2}, \cdots , X_{n} = q_{n} - \frac{a_{n} + b_{n}}{2}\bigg )\, dv_1 \cdots dv_o \end{aligned}$$
(24)

where \(0 \le o \le n\) and \(V'(M_j)\) is the Voronoi cell with respect to \(q - \mathcal {X}_{min}\).

Because \(\mathcal {M} \subseteq \mathcal {S}\), then

$$\begin{aligned} \max (P[M_j]) \ge \max (P[S_i]) \end{aligned}$$
(25)

This implies that

$$\begin{aligned} H_\infty (\mathcal {M}) \le H_\infty (\mathcal {S}) \end{aligned}$$
(26)

The set \(\mathcal {M}\) is the decoding of the points of \(q - \mathcal {X}_{min}\) without any restriction, therefore

$$\begin{aligned} H_\infty (\mathcal {M}) = H_\infty (\text {decode}(q - \mathcal {X}_{min})) \end{aligned}$$
(27)

The probability of the points of \(\mathcal {S}\) for an adversary can be seen to be

$$\begin{aligned} P[\mathcal {S}] = P[S| \mathcal {X}_g, Q = q, \varLambda ] \end{aligned}$$
(28)

By Eqs. (26), (27) and (28) we conclude that

$$\begin{aligned} H_\infty (\text {decode}(q- \mathcal {X}_{min})) \le H_\infty (S| \mathcal {X}_g, Q = q, \varLambda ) \end{aligned}$$
(29)
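
An added worked example (not code from the paper): the code-offset exchange with \(S = Q - X\) and the adversary's probability from Eq. (23), evaluated exactly for the cubic lattice \(D\cdot \mathbb {Z}^n\) with independent uniform features. The cubic lattice (a stand-in for the paper's LDLC), the uniform density, the bounded range for s, and the names `D`, `gen`, `rep`, `posterior_1d` and `min_entropy` are assumptions made here.

```python
import math
import secrets

D = 1.0  # spacing of the cubic lattice D*Z^n (assumed stand-in for an LDLC)

def decode(v):
    """Nearest point of D*Z^n in Euclidean distance, as integer coordinates."""
    return tuple(math.floor(t / D + 0.5) for t in v)

def gen(x, span=1 << 16):
    """Enrolment: draw a lattice point s, publish the offset q = s + x."""
    # The bounded box for s is an assumption of this sketch only.
    s = tuple(secrets.randbelow(2 * span) - span for _ in x)
    q = tuple(si * D + xi for si, xi in zip(s, x))
    return s, q

def rep(q, x_noisy):
    """Reproduction: s = decode(q - x'); exact while every |noise_i| < D/2."""
    return decode(tuple(qi - xi for qi, xi in zip(q, x_noisy)))

def posterior_1d(q, a, b):
    """P[S = k | Q = q] for one coordinate with X uniform on [a, b].

    decode(q - x) = k exactly when x lies in (q - kD - D/2, q - kD + D/2],
    so the Voronoi-cell integral reduces to an interval length.
    """
    probs = {}
    for k in range(decode((q - b,))[0], decode((q - a,))[0] + 1):
        lo = max(a, q - k * D - D / 2)
        hi = min(b, q - k * D + D / 2)
        if hi > lo:
            probs[k] = (hi - lo) / (b - a)
    return probs

def min_entropy(q, domains):
    """H_inf(S | Q = q) in bits; independent coordinates add."""
    return sum(-math.log2(max(posterior_1d(qi, a, b).values()))
               for qi, (a, b) in zip(q, domains))

if __name__ == "__main__":
    x = (1.3, 2.7)                      # constructed enrolment feature
    s, q = gen(x)
    print(rep(q, (1.5, 2.4)) == s)      # noise inside the Voronoi cell
    print(rep(q, (1.9, 2.7)) == s)      # noise 0.6 > D/2: wrong lattice point
    print(min_entropy((10.3, 5.2), [(0.0, 4.0), (0.0, 0.4)]))
```

In the last call the second coordinate is narrower than the lattice spacing and falls inside a single cell, so it adds 0 bits, which is the situation the proof handles by treating \(X_i\) as a constant.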


© 2016 Springer International Publishing AG

About this paper

Cite this paper

Parente, V.P., van de Graaf, J. (2016). A Practical Fuzzy Extractor for Continuous Features. In: Nascimento, A., Barreto, P. (eds) Information Theoretic Security. ICITS 2016. Lecture Notes in Computer Science, vol 10015. Springer, Cham. https://doi.org/10.1007/978-3-319-49175-2_12

  • DOI: https://doi.org/10.1007/978-3-319-49175-2_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49174-5

  • Online ISBN: 978-3-319-49175-2

  • eBook Packages: Computer Science, Computer Science (R0)