The original text has been lost, the following is obtained from archive.
The secret value in the cryptographic mechanism is usually a random string, which is required to be evenly distributed and can be accurately reproduced when needed. In the real world, the secret value is difficult to meet this point. For example, for biological characteristics such as fingerprints, it is not a uniformly distributed random value, and it cannot be accurately reproduced every time it is needed (fingerprints have certain errors). The most common way for users to authenticate is based on Password. Short Passwords are easy for users to remember, but the entropy is very low and the security is poor; and some long passphrases are not easy for users to remember, and evenly distributed random numbers cannot be used. To overcome this obstacle, a method is needed to convert these secret values in reality into uniformly distributed random numbers required by a true cryptographic system. The fuzzy extractor introduced in this article can meet this requirement.
Fuzzy Extractor (FE), allows the input to have certain noise (or error), as long as the input is similar, the same uniform random string can be extracted. The general structure is as follows:
Gen process: input w, output auxiliary data P (public) and uniform random value R (l bit).
Rep process: Given P, input w', and regenerate a uniform random value R.
Correctness: If dis(w,w')<=t, an accurate R can be reconstructed; if dis(w,w')>t, no guarantee is provided for the output of Rec
Security: The auxiliary data P will not reveal too much information about R; the distribution of R is close to even distribution.
Application: R extracted from w can be used as a key, but it does not need to be stored. It can be restored from w'next time it is used? W can be a biological fingerprint, physical fingerprint PUF, or other cryptographic materials (if the user does not remember clearly Passphrase) etc.
Secure Sketch (SS)? Allows accurate reconstruction of noisy input.? Unlike FE, SS reconstructs the original input itself and does not solve the problem of uneven distribution. The general structure of SS is as follows:
SS process: input w, output s, s can be made public;.
Rec process: Given s and input w'(close to w), w? Can be recovered.
Correctness: If dis(w,w')<=t, the exact w can be recovered; if dis(w,w')>t, no guarantee is provided for the output of Rec.
Security: s will not reveal too much information about w.
The SS process actually implies an FE. The FE can be constructed from the SS by adding a strong random number to the front Ext as shown in the following figure:
It can be seen from the foregoing that both SS and FE can reconstruct the previous accurate value, but what SS reconstructs is the original input itself, which does not have uniform randomness. By adding a strong random extractor Ext, FE can be constructed from SS. ? Here, x is the random seed of Ext, and x and SS(w) can be used as auxiliary data of FE. An Ext function can be realized by using HMAC or KDF.
A simple example: Use FE to use biometrics and other data for encryption and decryption applications
w, w'For the user's biometric input (such as fingerprint), the uniform random number seed R finally generated by FE can be used as a key for encryption and decryption. One advantage of this is that there is no need to store any keys, and R can be reconstructed based on biometrics when needed.
Another example: use physical unclonable function PUF (equivalent to physical fingerprint) to generate keys
reference:
Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin, Adam Smith. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. SIAM Journal on Computing, 38(1):97–139, 2008.