ABSTRACT
This paper explores what kinds of information two parties must communicate in order to correct errors which occur in a shared secret string W. Any bits they communicate must leak a significant amount of information about W --- that is, from the adversary's point of view, the entropy of W will drop significantly. Nevertheless, we construct schemes with which Alice and Bob can prevent an adversary from learning any useful information about W. Specifically, if the entropy of W is sufficiently high, then there is no function f(W) which the adversary can learn from the error-correction information with significant probability.

This leads to several new results: (a) the design of noise-tolerant "perfectly one-way" hash functions in the sense of Canetti et al. [7], which in turn leads to obfuscation of proximity queries for high-entropy secrets W; (b) private fuzzy extractors [11], which allow one to extract uniformly random bits from noisy and nonuniform data W, while also ensuring that no sensitive information about W is leaked; and (c) noise tolerance and stateless key re-use in the Bounded Storage Model, resolving the main open problem of Ding [10].

The heart of our constructions is the design of strong randomness extractors with the property that the source W can be recovered from the extracted randomness and any string W' which is close to W.
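As an added illustration of the setting described above (this is not the paper's own construction, which builds extractors from random codes), the following Python shows a syndrome-based secure sketch in the style of fuzzy extractors [11] over the binary [7,4,3] Hamming code: Alice publishes 3 bits of error-correction information about W, Bob recovers W from any W' within Hamming distance 1, and the published bits are a fixed function of W, so an adversary who sees them can rule out all but 16 of the 128 possible values of W. The 7-bit source and the single-bit noise model are constructed for the example.

```python
"""Syndrome-based secure sketch over the [7,4,3] Hamming code (added example).

Alice holds W (7 bits); Bob holds W' with at most one bit flipped.
Alice publishes s = H*W (the error-correction information).
Bob recovers W from (W', s).  Because s is a function of W, it leaks
exactly 3 bits of min-entropy when W is uniform: each syndrome value is
consistent with 2^4 = 16 of the 128 possible W.
"""
from itertools import product

# Parity-check matrix H: column j (1-based) is the 3-bit binary form of j,
# so the syndrome of a single flipped bit at position j equals j.
H = [
    [0, 0, 0, 1, 1, 1, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [1, 0, 1, 0, 1, 0, 1],
]


def syndrome(w):
    """Return H*w over GF(2) as a tuple of 3 bits (most significant first)."""
    return tuple(sum(h * x for h, x in zip(row, w)) % 2 for row in H)


def sketch(w):
    """Alice's side: the public error-correction information for w."""
    return syndrome(w)


def recover(w_prime, s):
    """Bob's side: given w' within distance 1 of w and the sketch s, return w.

    syndrome(w') XOR s equals H*(w' XOR w); for a single flipped bit that is
    the 1-based position of the flip, and 0 means w' already equals w.
    """
    diff = tuple(a ^ b for a, b in zip(syndrome(w_prime), s))
    pos = diff[0] * 4 + diff[1] * 2 + diff[2]
    w = list(w_prime)
    if pos:
        w[pos - 1] ^= 1
    return tuple(w)


def consistent_sources(s):
    """Adversary's view: every 7-bit W that the published sketch s does not rule out."""
    return [w for w in product((0, 1), repeat=7) if syndrome(w) == s]
```

Enumerating `consistent_sources` for each of the 8 syndrome values shows the entropy drop the abstract refers to: the sketch is unavoidable for recovery, yet it narrows W from 128 candidates to 16 every time.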
- [1] B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, K. Yang. On the (Im)possibility of Obfuscating Programs. In Advances in Cryptology -- CRYPTO 2001, pp. 1--18.
- [2] C. Bennett, G. Brassard, and J. Robert. Privacy Amplification by Public Discussion. SIAM J. on Computing, 17 (2), pp. 210--229, 1988.
- [3] Eli Ben-Sasson, Madhu Sudan, Salil P. Vadhan, Avi Wigderson. Randomness-efficient low degree tests and short PCPs via epsilon-biased sets. In Proc. 35th ACM Symp. on Theory of Computing (STOC 2003), pp. 612--621.
- [4] Gilles Brassard, Louis Salvail. Secret-Key Reconciliation by Public Discussion. In Advances in Cryptology -- EUROCRYPT 1993, pp. 410--423.
- [5] Christian Cachin, Ueli M. Maurer. Linking Information Reconciliation and Privacy Amplification. J. Cryptology, 10 (2), pp. 97--110, 1997.
- [6] R. Canetti. Towards realizing random oracles: Hash functions that hide all partial information. In Advances in Cryptology -- CRYPTO 1997.
- [7] R. Canetti, D. Micciancio, O. Reingold. Perfectly One-Way Probabilistic Hash Functions. In Proc. 30th ACM Symp. on Theory of Computing, 1998, pp. 131--140.
- [8] V. Chauhan and A. Trachtenberg. Reconciliation puzzles. IEEE Globecom 2004.
- [9] Graham Cormode, Mike Paterson, Süleyman Cenk Sahinalp, Uzi Vishkin. Communication complexity of document exchange. In Proc. ACM-SIAM Symp. on Discrete Algorithms, 2000, pp. 197--206.
- [10] Y. Z. Ding. Error Correction in the Bounded Storage Model. In Theory of Cryptography 2005.
- [11] Y. Dodis, L. Reyzin and A. Smith. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. In Advances in Cryptology -- EUROCRYPT 2004.
- [12] Y. Dodis and A. Smith. Entropic Security and the Encryption of High-Entropy Messages. In Theory of Cryptography 2005.
- [13] S. Goldwasser and S. Micali. Probabilistic encryption. JCSS, 28 (2), pp. 270--299, April 1984.
- [14] R. Impagliazzo and D. Zuckerman. How to Recycle Random Bits. In Proc. 30th IEEE Symp. on Foundations of Computer Science, 1989.
- [15] A. Juels, M. Wattenberg. A Fuzzy Commitment Scheme. In Proc. ACM Conf. on Computer and Communications Security, 1999, pp. 28--36.
- [16] A. Juels and M. Sudan. A Fuzzy Vault Scheme. In IEEE International Symposium on Information Theory, 2002.
- [17] Shengli Liu, Henk C. A. van Tilborg and Marten van Dijk. Practical Protocol for Advantage Distillation and Information Reconciliation. Designs, Codes and Cryptography, 30 (1), pp. 39--62, 2003.
- [18] Chi-Jen Lu. Encryption against Storage-Bounded Adversaries from On-Line Strong Extractors. J. Cryptology, 17 (1), pp. 27--42, 2004.
- [19] Ben Lynn, Manoj Prabhakaran, Amit Sahai. Positive Results and Techniques for Obfuscation. In Advances in Cryptology -- EUROCRYPT 2004, pp. 20--39.
- [20] F. J. MacWilliams and N. J. A. Sloane. The Theory of Error-Correcting Codes. North-Holland, Amsterdam, New York, Oxford, 1978.
- [21] U. Maurer. Secret Key Agreement by Public Discussion. IEEE Trans. on Information Theory, 39 (3), pp. 733--742, 1993.
- [22] J. Naor, M. Naor. Small-Bias Probability Spaces: Efficient Constructions and Applications. SIAM J. on Computing, 22 (4), pp. 838--856, 1993.
- [23] N. Nisan, D. Zuckerman. Randomness is Linear in Space. JCSS, 52 (1), pp. 43--52, 1996.
- [24] A. Russell and Wang. How to Fool an Unbounded Adversary with a Short Key. In Advances in Cryptology -- EUROCRYPT 2002.
- [25] R. Shaltiel. Recent Developments in Explicit Constructions of Extractors. Bulletin of the EATCS, 77, pp. 67--95, 2002.
- [26] A. Smith. Maintaining Secrecy When Information Leakage is Unavoidable. Ph.D. Thesis, Massachusetts Institute of Technology, 2004.
- [27] Salil P. Vadhan. Constructing Locally Computable Extractors and Cryptosystems in the Bounded-Storage Model. J. Cryptology, 17 (1), pp. 43--77, 2004.
- [28] Hoeteck Wee. On Obfuscating Point Functions. In Proc. 37th ACM Symp. on Theory of Computing, 2005 (these proceedings).
Index Terms
- Correcting errors without leaking partial information