Results 1 - 10 of 144
Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. Technical Report 2003/235, Cryptology ePrint archive, http://eprint.iacr.org, 2006. Previous version appeared at EUROCRYPT 2004
 Yevgeniy Dodis, Leonid Reyzin, and Adam
, 2004
Cited by 349 (34 self)
We provide formal definitions and efficient secure techniques for turning noisy information into keys usable for any cryptographic application, and, in particular, reliably and securely authenticating biometric data. Our techniques apply not just to biometric information, but to any keying material that, unlike traditional cryptographic keys, is (1) not reproducible precisely and (2) not distributed uniformly. We propose two primitives: a fuzzy extractor reliably extracts nearly uniform randomness R from its input; the extraction is error-tolerant in the sense that R will be the same even if the input changes, as long as it remains reasonably close to the original. Thus, R can be used as a key in a cryptographic application. A secure sketch produces public information about its input w that does not reveal w, and yet allows exact recovery of w given another value that is close to w. Thus, it can be used to reliably reproduce error-prone biometric inputs without incurring the security risk inherent in storing them. We define the primitives to be both formally secure and versatile, generalizing much prior work. In addition, we provide nearly optimal constructions of both primitives for various measures of “closeness” of input data, such as Hamming distance, edit distance, and set difference.
Boosting and differential privacy
, 2010
Cited by 332 (8 self)
Boosting is a general method for improving the accuracy of learning algorithms. We use boosting to construct improved privacy-preserving synopses of an input database. These are data structures that yield, for a given set Q of queries over an input database, reasonably accurate estimates of the responses to every query in Q, even when the number of queries is much larger than the number of rows in the database. Given a base synopsis generator that takes a distribution on Q and produces a “weak” synopsis that yields “good” answers for a majority of the weight in Q, our Boosting for Queries algorithm obtains a synopsis that is good for all of Q. We ensure privacy for the rows of the database, but the boosting is performed on the queries. We also provide the first synopsis generators for arbitrary sets of arbitrary low-sensitivity
Simple Extractors for All Min-Entropies and a New Pseudo-Random Generator
 Journal of the ACM
, 2001
Cited by 109 (29 self)
A “randomness extractor” is an algorithm that given a sample from a distribution with sufficiently high min-entropy and a short random seed produces an output that is statistically indistinguishable from uniform. (Min-entropy is a measure of the amount of randomness in a distribution). We present a simple, self-contained extractor construction that produces good extractors for all min-entropies. Our construction is algebraic and builds on a new polynomial-based approach introduced by Ta-Shma, Zuckerman, and Safra [TSZS01]. Using our improvements, we obtain, for example, an extractor with output length $m = k/(\log n)^{O(1/\alpha)}$ and seed length $(1 + \alpha) \log n$ for an arbitrary $0 < \alpha \le 1$, where n is the input length, and k is the min-entropy of the input distribution. A “pseudorandom generator” is an algorithm that given a short random seed produces a long output that is computationally indistinguishable from uniform. Our technique also gives a new way to construct pseudorandom generators from functions that require large circuits. Our pseudorandom generator construction is not based on the Nisan-Wigderson generator [NW94], and turns worst-case hardness directly into pseudorandomness. The parameters of our generator match those in [IW97, STV01] and in particular are strong enough to obtain a new proof that P = BPP if E requires exponential size circuits.
Lossy Trapdoor Functions and Their Applications
 ELECTRONIC COLLOQUIUM ON COMPUTATIONAL COMPLEXITY, REPORT NO. 80 (2007)
, 2007
Cited by 92 (19 self)
We propose a new general primitive called lossy trapdoor functions (lossy TDFs), and realize it under a variety of different number theoretic assumptions, including hardness of the decisional Diffie-Hellman (DDH) problem and the worst-case hardness of standard lattice problems. Using lossy TDFs, we develop a new approach for constructing many important cryptographic primitives, including standard trapdoor functions, CCA-secure cryptosystems, collision-resistant hash functions, and more. All of our constructions are simple, efficient, and black-box. Taken all together, these results resolve some long-standing open problems in cryptography. They give the first known (injective) trapdoor functions based on problems not directly related to integer factorization, and provide the first known CCA-secure cryptosystem based solely on worst-case lattice assumptions.
Our Data, Ourselves: Privacy via Distributed Noise Generation
 In EUROCRYPT
, 2006
Cited by 91 (13 self)
In this work we provide efficient distributed protocols for generating shares of random noise, secure against malicious participants. The purpose of the noise generation is to create a distributed implementation of the privacy-preserving statistical databases described in recent papers [14,4,13]. In these databases, privacy is obtained by perturbing the true answer to a database query by the addition of a small amount of Gaussian or exponentially distributed random noise. The computational power of even a simple form of these databases, when the query is just of the form $\sum_i f(d_i)$, that is, the sum over all rows i in the database of a function f applied to the data in row i, has been demonstrated in [4]. A distributed implementation eliminates the need for a trusted database administrator. The results for noise generation are of independent interest. The generation of Gaussian noise introduces a technique for distributing shares of many unbiased coins with fewer executions of verifiable secret sharing than would be needed using previous approaches (reduced by a factor of n). The generation of exponentially distributed noise uses two shallow circuits: one for generating many arbitrarily but identically biased coins at an amortized cost of two unbiased random bits apiece, independent of the bias, and the other to combine bits of appropriate biases to obtain an exponential distribution.
Unbalanced expanders and randomness extractors from Parvaresh-Vardy codes
 In Proceedings of the 22nd Annual IEEE Conference on Computational Complexity
, 2007
Cited by 83 (7 self)
We give an improved explicit construction of highly unbalanced bipartite expander graphs with expansion arbitrarily close to the degree (which is polylogarithmic in the number of vertices). Both the degree and the number of right-hand vertices are polynomially close to optimal, whereas the previous constructions of Ta-Shma, Umans, and Zuckerman (STOC ’01) required at least one of these to be quasipolynomial in the optimal. Our expanders have a short and self-contained description and analysis, based on the ideas underlying the recent list-decodable error-correcting codes of Parvaresh and Vardy (FOCS ’05). Our expanders can be interpreted as near-optimal “randomness condensers,” that reduce the task of extracting randomness from sources of arbitrary min-entropy rate to extracting randomness from sources of min-entropy rate arbitrarily close to 1, which is a much easier task. Using this connection, we obtain a new construction of randomness extractors that is optimal up to constant factors, while being much simpler than the previous construction of Lu et al. (STOC ’03) and improving upon it when the error parameter is small (e.g. 1/poly(n)).
On Constructing Locally Computable Extractors and Cryptosystems In The Bounded Storage Model
 Journal of Cryptology
, 2002
Cited by 72 (7 self)
We consider the problem of constructing randomness extractors which are locally computable, i.e. only read a small number of bits from their input. As recently shown by Lu (CRYPTO ’02), locally computable extractors directly yield secure private-key cryptosystems in Maurer's bounded storage model (J. Cryptology, 1992).
A sample of samplers - a computational perspective on sampling (survey)
 In FOCS
, 1997
Cited by 69 (7 self)
We consider the problem of estimating the average of a huge set of values. That is, given oracle access to an arbitrary function $f: \{0,1\}^n \to [0,1]$, we wish to estimate $2^{-n} \sum_{x \in \{0,1\}^n} f(x)$ up to an additive error of $\epsilon$. We are allowed to employ a randomized algorithm that may err with probability at most $\delta$. We survey known algorithms for this problem and focus on the ideas underlying their construction. In particular, we present an algorithm that makes $O(\epsilon^{-2} \cdot \log(1/\delta))$ queries and uses $n + O(\log(1/\epsilon)) + O(\log(1/\delta))$ coin tosses, both complexities being very close to the corresponding lower bounds.
Extractors with weak random seeds
 In Proceedings of the 37th Annual ACM Symposium on Theory of Computing
, 2005
Cited by 67 (6 self)
We show how to extract random bits from two or more independent weak random sources in cases where only one source is of linear min-entropy and all other sources are of logarithmic min-entropy. Our main results are as follows:
1. A long line of research, starting by Nisan and Zuckerman [15], gives explicit constructions of seeded-extractors, that is, extractors that use a short seed of truly random bits to extract randomness from a weak random source. For every such extractor E, with seed of length d, we construct an extractor E′, with seed of length d′ = O(d), that achieves the same parameters as E but only requires the seed to be of min-entropy larger than (1/2 + δ) · d′ (rather than fully random), where δ is an arbitrary small constant.
2. Fundamental results of Chor and Goldreich and Vazirani [6, 22] show how to extract Ω(n) random bits from two (independent) sources of length n and min-entropy larger than (1/2 + δ) · n, where δ is an arbitrary small constant. We show how to extract Ω(n) random bits (with optimal probability of error) when only one source is of min-entropy (1/2 + δ) · n and the other source is of logarithmic min-entropy.
3. A recent breakthrough of Barak, Impagliazzo and Wigderson [4] shows how to extract Ω(n) random bits from a constant number of (independent) sources of length n and min-entropy larger than δn, where δ is an arbitrary small constant. We show how to extract Ω(n) random bits (with optimal probability of error) when only one source is of min-entropy δn and all other (constant number of) sources are of logarithmic min-entropy.
4. A very recent result of Barak, Kindler, Shaltiel, Sudakov and Wigderson [5] shows how to extract a constant number of random bits from three (independent) sources of length n and min-entropy larger than δn, where δ is an arbitrary small constant. We show how to extract Ω(n) random bits, with subconstant probability of error, from one source of min-entropy δn and two sources of logarithmic min-entropy.