Results 1 - 10 of 66
Fuzzy extractors: How to generate strong keys from biometrics and other noisy data
- Technical Report 2003/235, Cryptology ePrint Archive, http://eprint.iacr.org, 2006. Previous version appeared at EUROCRYPT 2004
- Yevgeniy Dodis, Leonid Reyzin, and Adam
, 2004
Cited by 180 (19 self)
We provide formal definitions and efficient secure techniques for • turning noisy information into keys usable for any cryptographic application, and, in particular, • reliably and securely authenticating biometric data. Our techniques apply not just to biometric information, but to any keying material that, unlike traditional cryptographic keys, is (1) not reproducible precisely and (2) not distributed uniformly. We propose two primitives: a fuzzy extractor reliably extracts nearly uniform randomness R from its input; the extraction is error-tolerant in the sense that R will be the same even if the input changes, as long as it remains reasonably close to the original. Thus, R can be used as a key in a cryptographic application. A secure sketch produces public information about its input w that does not reveal w, and yet allows exact recovery of w given another value that is close to w. Thus, it can be used to reliably reproduce error-prone biometric inputs without incurring the security risk inherent in storing them. We define the primitives to be both formally secure and versatile, generalizing much prior work. In addition, we provide nearly optimal constructions of both primitives for various measures of “closeness” of input data, such as Hamming distance, edit distance, and set difference.
Privacy-preserving set operations
- in Advances in Cryptology - CRYPTO 2005, LNCS
, 2005
Cited by 52 (0 self)
In many important applications, a collection of mutually distrustful parties must perform private computation over multisets. Each party’s input to the function is his private input multiset. In order to protect these private sets, the players perform privacy-preserving computation; that is, no party learns more information about other parties’ private input sets than what can be deduced from the result. In this paper, we propose efficient techniques for privacy-preserving operations on multisets. By employing the mathematical properties of polynomials, we build a framework of efficient, secure, and composable multiset operations: the union, intersection, and element reduction operations. We apply these techniques to a wide range of practical problems, achieving more efficient results than those of previous work.
Circular-Secure Encryption from Decision Diffie-Hellman
, 2008
Cited by 22 (3 self)
Let E be a public-key encryption system and let (pk_i, sk_i) be public/private key pairs for E for i = 0, ..., n. A natural question is whether E remains secure once an adversary obtains an encryption cycle, which consists of the encryption of sk_i under pk_{(i mod n)+1} for all i = 1, ..., n. Surprisingly, even strong notions of security such as chosen-ciphertext security appear to be insufficient for proving security in these settings. Since encryption cycles come up naturally in several applications, it is desirable to construct systems that remain secure in the presence of such cycles. Until now, all known constructions have only been proved secure in the random oracle model. We construct an encryption system that is circular-secure under the Decision Diffie-Hellman assumption, without relying on random oracles. Our proof of security holds even if the adversary obtains an encryption clique, that is, encryptions of sk_i under pk_j for all 0 ≤ i, j ≤ n. We also construct a circular counterexample: a one-way secure encryption scheme that becomes completely insecure if an encryption cycle of length 2 is published.
Efficient lattice (H)IBE in the standard model
- In EUROCRYPT 2010, LNCS
, 2010
Cited by 16 (3 self)
We construct an efficient identity based encryption system based on the standard learning with errors (LWE) problem. Our security proof holds in the standard model. The key step in the construction is a family of lattices for which there are two distinct trapdoors for finding short vectors. One trapdoor enables the real system to generate short vectors in all lattices in the family. The other trapdoor enables the simulator to generate short vectors for all lattices in the family except for one. We extend this basic technique to an adaptively-secure IBE and a Hierarchical IBE.
Rateless deluge: Over-the-air programming of wireless sensor networks using random linear codes
- in Proc. of the 7th Int. Conf. on Information Processing in Sensor Networks (IPSN
, 2008
Cited by 13 (6 self)
Over-the-air programming (OAP) is a fundamental service in sensor networks that relies upon reliable broadcast for efficient dissemination. As such, existing OAP protocols become decidedly inefficient (with respect to energy, communication or delay) in unreliable broadcast environments, such as those with relatively high node density or noise. In this paper, we consider OAP approaches based on rateless codes, which significantly improve OAP in such environments by drastically reducing the need for packet rebroadcasting. We thus design and implement two rateless OAP protocols, rateless Deluge and ACKless Deluge, both of which replace the data transfer mechanism of the established OAP Deluge protocol with rateless analogs. Experiments with Tmote Sky motes on single-hop networks with packet loss rates of 7% show these protocols to save significantly in communication over regular Deluge (roughly 15-30% savings in the data plane, and 50-80% in the control plane), and multi-hop experiments reveal similar trends. Simulations further show that our new protocols scale better than standard Deluge (in terms of communication and energy) to high network density. TinyOS code for our implementation can be found at
Resource Fairness and Composability of Cryptographic Protocols
- In 3rd Theory of Cryptography Conference (TCC
, 2005
Cited by 13 (1 self)
We introduce the notion of resource-fair protocols. Informally, this property states that if one party learns the output of the protocol, then so can all other parties, as long as they expend roughly the same amount of resources. As opposed to similar previously proposed definitions, our definition follows the standard simulation paradigm and enjoys strong composability properties. In particular, our definition is similar to the security definition in the universal composability (UC) framework, but works in a model that allows any party to request additional resources from the environment to deal with dishonest parties that may prematurely abort. In
The twist-augmented technique for key exchange
- In PKC ’06, LNCS 3958
, 2006
Cited by 13 (7 self)
Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a Diffie-Hellman key exchange. However, formal proofs in the standard model require randomness extractors to formally extract the entropy of the random master secret into a seed prior to deriving other keys. Whereas this is a quite simple tool, it is not easy to use in practice —or it is easy to misuse it—. In addition, in many standards, the acronym PRF (Pseudo-Random Functions) is used for several tasks, and namely the randomness extraction. While randomness extractors and pseudo-random functions are a priori distinct tools, we first study whether such an application is correct or not. We thereafter study DH-key exchange, in the cases of prime subgroups of Z*_p (and namely where p is a safe-prime) and of elliptic curves, since in IPSec, for example, only these groups are considered. We present very efficient and provable randomness extraction techniques for these groups under the DDH assumption. In the special case of elliptic curves, we present a new technique —the so-called ’Twist-AUgmented’ technique — an alternative to randomness extractors which exploits specific properties of some elliptic curves. We finally compare the efficiency of this method with other solutions.
An Improved Construction for Universal Re-encryption
- In Workshop in Privacy Enhancing Technologies
, 2004
Cited by 12 (0 self)
Golle et al. recently introduced universal re-encryption, defining it as re-encryption by a player who does not know the key used for the original encryption, but which still allows an intended player to recover the plaintext. Universal re-encryption is potentially useful as part of many information-hiding techniques, as it allows any player to make ciphertext unidentifiable without knowing the key used. Golle et al.’s techniques for universal re-encryption are reviewed, and an improved hybrid universal re-encryption construction which permits indefinite re-encryptions with better efficiency and an almost-optimally small increase in file size is presented. Some implementational issues and optimisations are discussed.
Private and Threshold Set-Intersection
- In Advances in Cryptology – CRYPTO ’05
, 2004
Cited by 12 (1 self)
In this paper we consider the problem of privately computing the intersection of sets (set-intersection), as well as several variations on this problem: cardinality set-intersection, threshold set-intersection, and over-threshold set-intersection. Cardinality set-intersection is the problem of determining the size of the intersection set, without revealing the actual threshold set. In threshold set-intersection, only the elements which appear at least a threshold number t times in the players' private inputs are revealed. Over-threshold set-intersection is a variation on threshold set-intersection in which not only the threshold set is revealed, but also the number of times each element in the threshold set appeared in the private inputs. We propose protocols that are more...
The parity problem in the presence of noise, decoding random linear codes, and the subset sum problem
- In RANDOM
, 2005
Cited by 12 (2 self)
In [2], Blum et al. demonstrated the first sub-exponential algorithm for learning the parity function in the presence of noise. They solved the length-n parity problem in time 2^{O(n / log n)} but it required the availability of 2^{O(n / log n)} labeled examples. As an open problem, they asked whether there exists a 2^{o(n)} algorithm for the length-n parity problem that uses only poly(n) labeled examples. In this work, we provide a positive answer to this question. We show that there is an algorithm that solves the length-n parity problem in time 2^{O(n / log log n)} using n^{1+ɛ} labeled examples. This result immediately gives us a sub-exponential algorithm for decoding n × n^{1+ɛ} random binary linear codes (i.e. codes where the messages are n bits and the codewords are n^{1+ɛ} bits) in the presence of random noise. We are also able to extend the same techniques to provide a sub-exponential algorithm for dense instances of the random subset sum problem.