## Correcting errors without leaking partial information (2005)

### Venue and citation count

Venue: 37th Annual ACM Symposium on Theory of Computing (STOC), 2005

Citations: 55 (9 self-citations)

### BibTeX

```bibtex
@INPROCEEDINGS{Dodis05correctingerrors,
  author    = {Yevgeniy Dodis and Adam Smith},
  title     = {Correcting errors without leaking partial information},
  booktitle = {37th Annual ACM Symposium on Theory of Computing (STOC)},
  year      = {2005},
  pages     = {654--663},
  publisher = {ACM}
}
```


### Abstract

This paper explores what kinds of information two parties must communicate in order to correct errors which occur in a shared secret string W. Any bits they communicate must leak a significant amount of information about W — that is, from the adversary's point of view, the entropy of W will drop significantly. Nevertheless, we construct schemes with which Alice and Bob can prevent an adversary from learning any useful information about W. Specifically, if the entropy of W is sufficiently high, then there is no function f(W) which the adversary can learn from the error-correction information with significant probability. This leads to several new results: (a) the design of noise-tolerant "perfectly one-way" hash functions in the sense of Canetti et al. [7], which in turn leads to obfuscation of proximity queries for high-entropy secrets W; (b) private fuzzy extractors [11], which allow one to extract uniformly random bits from noisy and non-uniform data W, while also ensuring that no sensitive information about W is leaked; and (c) noise tolerance and stateless key re-use in the Bounded Storage Model, resolving the main open problem of Ding [10]. The heart of our constructions is the design of strong randomness extractors with the property that the source W can be recovered from the extracted randomness and any string W′ which is close to W.
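The two constructions the abstract and the citation contexts below refer to can be made concrete on a toy code. The following is an added example, not code from the paper or from this record: it uses the binary Hamming(7,4) code (an assumption; the paper works with larger small-bias codes) to show (1) the syndrome sketch S(w) = syn_C(w), which is deterministic and hands the adversary n − k fixed linear functions of w, and (2) the code-offset map Y(W; A) = W ⊕ A for a uniformly random codeword A, from which W is recovered given any W′ within the code's error radius. All function names are the example's own, and the enumeration of what the adversary cannot rule out after seeing the syndrome makes the "entropy drops by n − k bits" point explicit.

```python
# Added example (not from the paper): toy secure sketches over Hamming(7,4).
# Assumptions: the code, the bit layout and every function name are ours.
import secrets
from typing import List, Optional

# Parity-check rows as 7-bit ints. Read column j (1-indexed from the left):
# row i contributes bit i of j, so the syndrome of a single-bit error at
# column j is exactly the integer j. That makes decoding a one-liner.
H_ROWS = [0b1010101, 0b0110011, 0b0001111]
N, K, T = 7, 4, 1  # block length, dimension, number of correctable errors


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def syndrome(w: int) -> int:
    """syn_C(w) = H*w over GF(2); an (n-k) = 3-bit value."""
    return sum(parity(row & w) << i for i, row in enumerate(H_ROWS))


# The code itself: all 2^K = 16 words with zero syndrome (constructed by enumeration).
CODEWORDS = [v for v in range(1 << N) if syndrome(v) == 0]


def decode(v: int) -> int:
    """Nearest-codeword decoding, correct for up to T = 1 flipped bit."""
    s = syndrome(v)
    return v if s == 0 else v ^ (1 << (N - s))  # column s is bit index N - s


def syndrome_sketch(w: int) -> int:
    """Construction (1): S(w) = syn_C(w). Deterministic, so it reveals the same
    three fixed linear combinations of the bits of w to everyone."""
    return syndrome(w)


def syndrome_recover(s: int, w_prime: int) -> int:
    """Bob holds w' with d(w, w') <= T and the sketch s. By linearity,
    H*(w xor w') = s xor H*w' names the error position, which he flips."""
    e_syn = syndrome(w_prime) ^ s
    return w_prime if e_syn == 0 else w_prime ^ (1 << (N - e_syn))


def code_offset_sketch(w: int, a: Optional[int] = None) -> int:
    """Construction (2): Y(W; A) = W xor A with A a uniformly random codeword."""
    if a is None:
        a = secrets.choice(CODEWORDS)
    assert a in CODEWORDS
    return w ^ a


def code_offset_recover(y: int, w_prime: int) -> int:
    """y xor w' = A xor e with wt(e) <= T; decoding returns A, and W = y xor A."""
    return y ^ decode(y ^ w_prime)


def candidates_given_sketch(s: int) -> List[int]:
    """Strings a uniform 7-bit W could still be after the syndrome s is seen:
    one coset of the code, 2^K = 16 strings, i.e. an entropy drop of n - k = 3 bits."""
    return [w for w in range(1 << N) if syndrome(w) == s]


def demo() -> dict:
    w = 0b1011001                    # constructed secret
    w_prime = w ^ (1 << 2)           # Bob's copy with one bit flipped
    w_two_errors = w ^ 0b0000011     # beyond the code's radius
    s = syndrome_sketch(w)
    y = code_offset_sketch(w, a=CODEWORDS[5])  # fixed A so the demo is repeatable
    return {
        "syndrome_bits": N - K,
        "syndrome_recovers": syndrome_recover(s, w_prime) == w,
        "offset_recovers": code_offset_recover(y, w_prime) == w,
        "two_errors_fail": syndrome_recover(s, w_two_errors) != w,
        "candidates_left": len(candidates_given_sketch(s)),
        "syndrome_is_linear": syndrome(w ^ w_prime) == syndrome(w) ^ syndrome(w_prime),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The linearity line is the reason the syndrome sketch cannot be "entropically secure" in the paper's sense: S(W) is a fixed linear function of W, so it deterministically exposes three parity bits of the secret. In the code-offset variant the same recovery works, but the published value is masked by a fresh codeword A; the paper's contribution is choosing the code family so that W ⊕ A also hides every function of W when W has enough min-entropy, which this toy code does not attempt to show.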

### Citations

1950 citations | The Theory of Error-Correcting Codes | MacWilliams, Sloane | 1977
Citation context: ...codes with good minimum distance and negligible bias seems difficult. Such codes do exist: a completely random set C of 2^k elements will have both (1) minimum distance d, where k/n ≈ (1 − h2(d/n))/2 [20] and (2) bias approximately 2^(−(k−log n)/2) [22]. However, these codes are neither explicitly constructed nor efficiently decodable. This raises a natural question: Does there exist an explicitly-const...

1178 citations | Probabilistic encryption | Goldwasser, Micali | 1984
Citation context: ...tting: a coding argument shows that the mutual information must be large (e.g., larger than τ) in general [4]. Even the analogue requirement for computationally bounded adversaries, semantic security [13], is impossible here: if Eve knows that W is one of two strings w1, w2 which differ in only a few bits, then she can use whatever algorithm Bob would have run to compute W from S(W) and w1. The diffi...

291 citations | Fuzzy extractors: How to generate strong keys from biometrics and other noisy data | Dodis, Ostrovsky, et al. | 2008
Citation context: ...way hash functions. Along the way, we simplify and improve the analysis of the noise-free construction of [7]. • Stronger Privacy for Biometric Applications. Fuzzy extractors were recently introduced [11] for extracting a secret, random key from noisy, non-uniform data such as biometric measurements. On input W, a fuzzy extractor outputs some public data P and a key R(W), such that P can be used to ...

259 citations | Small-bias probability spaces: efficient constructions and applications | Naor, Naor | 1993
Citation context: ...bias seems difficult. Such codes do exist: a completely random set C of 2^k elements will have both (1) minimum distance d, where k/n ≈ (1 − h2(d/n))/2 [20] and (2) bias approximately 2^(−(k−log n)/2) [22]. However, these codes are neither explicitly constructed nor efficiently decodable. This raises a natural question: Does there exist an explicitly-constructible ensemble of good codes with small bias...

253 citations | Secret key agreement by public discussion from common information | Maurer | 1993
Citation context: ...his is perhaps the least expected application of our technique, resolving the main open question left by Ding [10]. Ding considered the question of correcting errors in Maurer's bounded storage model [21]. In this model, Alice, Bob and the adversary all have temporary access to a huge, random string, X, but have very bounded memories (only enough to remember a fraction of the length of the string). Al...

230 citations | Randomness is linear in space | Nisan, Zuckerman | 1996
Citation context: ...ɛ = 2^(−t′/2) and optimal min-entropy loss of 2τ log q. The Relation to Randomness Extraction. The starting point of the constructions is a result from earlier work stating that randomness extractors [23] are entropically secure, that is, the output hides all functions of the source. We say a (randomized) map Y() is (t, ɛ)-indistinguishable if for all pairs of t-sources W1, W2, the distributions Y(W1...

204 citations | A fuzzy commitment scheme | Juels, Wattenberg | 1999
Citation context: ...nded storage model (see Section 1.1). The Relation to Entropy Loss. The task of correcting errors in a joint string is usually called information reconciliation [2, 4, 5, 17, 10], fuzzy cryptography ([15], see [26] for a survey), or document exchange (in communication complexity, e.g. [9, 8]). In contrast to this paper, previous work focused only on maximizing the length of a cryptographic key which c...

189 citations | On the (Im)possibility of Obfuscating Programs | Barak, Goldreich, et al.
Citation context: ...for a program P generates a scrambled circuit P̃ which allows one to evaluate P on any input, but leaks no additional information. Although code obfuscation is not possible in general (Barak et al. [1]), there are a few results showing that obfuscation of certain functions is possible in variants of the basic model, e.g. [19, 28]. Perfectly one-way hash functions, constructed by Canetti, Micciancio...

183 citations | How to recycle random bits | Impagliazzo, Zuckerman | 1989
Citation context: ...ar codes. 2. To illustrate the framework, we show that random linear codes are optimal in terms of both error-correction and entropic security (this corresponds to reproving the "leftover hash" lemma [14]). 3. We construct explicit, efficiently decodable, small-bias families of codes by considering a subset of binary images of a fixed code over a large (but constant-size) alphabet GF(2^e). A number...

183 citations | A fuzzy vault scheme | Juels, Sudan | 2002
Citation context: ...veals a particular, fixed set of linear combinations of the bits of W). This can be a problem for several reasons. First, W itself may be sensitive (say, if it is a biometric used for authentication [15, 16, 11]), in which case S(W) might reveal sensitive information, such as a person's age. Second, when we use the error-correction protocol as a piece of a larger framework, entropy loss may not be a suffici...

182 citations | Privacy amplification by public discussion | Bennett, Brassard, et al. | 1988
Citation context: ...imply a sketch, correcting τ errors. A typical example of a sketch is S(w) = syn_C(w), where syn_C is the syndrome of a linear error-correcting code C with block length n (see below for definitions) [2]. If C has dimension k, then syn_C(w) is only n − k bits long. If the minimum distance of C is at least 2τ + 1, then syn_C(w) allows Bob to correct any τ errors in w′. Moreover, the process is effici...

144 citations | Recent developments in explicit constructions of extractors | Shaltiel
Citation context: ...structions of different combinatorial objects—in this case, extractors and error-correcting codes. In the past, error-correcting codes have been used to construct extractors and vice-versa (see, e.g. [25]). However, this paper describes objects which are in some sense both. Fuzzy extractors [11] provide a different example of objects which combine the two requirements. The connections to fuzzy extract...

104 citations | Toward Realizing Random Oracles: Hash Functions that Hide All Partial Information | Canetti | 1997
Citation context: ...all functions of W whenever the min-entropy of W is above a certain threshold. This definition of security has already produced surprising results in two contexts. Canetti, Micciancio and Reingold [6, 7] constructed hash functions whose outputs leak no partial information about the input. Russell and Wang [24] and Dodis and Smith [12] gave entropically secure symmetric encryption schemes with keys mu...

92 citations | Secret-key reconciliation by public discussion | Brassard, Salvail | 1994
Citation context: ...ation I(W; S(W)) be very small. Such a strong requirement is impossible to achieve in our setting: a coding argument shows that the mutual information must be large (e.g., larger than τ) in general [4]. Even the analogue requirement for computationally bounded adversaries, semantic security [13], is impossible here: if Eve knows that W is one of two strings w1, w2 which differ in only a few bits, t...

73 citations | Perfectly One-Way Probabilistic Hash Functions | Canetti, Micciancio, et al. | 1998
Citation context: ...rom the error-correction information with significant probability. This leads to several new results: (a) the design of noise-tolerant "perfectly one-way" hash functions in the sense of Canetti et al. [7], which in turn leads to obfuscation of proximity queries for high entropy secrets W; (b) private fuzzy extractors [11], which allow one to extract uniformly random bits from noisy and nonuniform dat...

68 citations | On constructing locally computable extractors and cryptosystems in the bounded-storage model | Vadhan | 2004
Citation context: ...key about which the adversary has no information, without making computational assumptions such as the existence of a pseudo-random generator. The model has received a lot of attention recently (see [10, 27, 18] and references therein), in particular because of a feature dubbed everlasting security: the same long term key can be re-used many times, and the session keys remain secure even if the adversary lea...

44 citations | On obfuscating point functions | Wee
Citation context: ...9] is, roughly, that storing RO(w) allows one to check if x = w but reveals nothing about w. The attack of Barak et al. fails since the "code" of the random oracle is not accessible in the model. Wee [28] recently showed that obfuscating point functions is possible even without the random oracle, at the cost of a simulator whose running time depends on the quality of the simulation and a very strong com...

29 citations | Linking information reconciliation and privacy amplification (Journal of Cryptology) | Cachin, Maurer | 1997
Citation context: ...mity queries, and key re-use in the bounded storage model (see Section 1.1). The Relation to Entropy Loss. The task of correcting errors in a joint string is usually called information reconciliation [2, 4, 5, 17, 10], fuzzy cryptography ([15], see [26] for a survey), or document exchange (in communication complexity, e.g. [9, 8]). In contrast to this paper, previous work focused only on maximizing the length of a...

25 citations | Encryption against storage-bounded adversaries from on-line strong extractors | Lu
Citation context: ...key about which the adversary has no information, without making computational assumptions such as the existence of a pseudo-random generator. The model has received a lot of attention recently (see [10, 27, 18] and references therein), in particular because of a feature dubbed everlasting security: the same long term key can be re-used many times, and the session keys remain secure even if the adversary lea...

22 citations | Entropic Security and the Encryption of High Entropy Messages (full version of this paper; IACR Cryptology ePrint Archive, report 2004/219, http://eprint.iacr.org/2004/219) | Dodis, Smith

19 citations | Randomness-efficient low degree tests and short PCPs via epsilon-biased sets | Ben-Sasson, Sudan, et al., Wigderson | 2006
Citation context: ...a set C is the bias of the uniform distribution over that set. It is known that the map Y(W; A) = W ⊕ A is a (t, ɛ)-extractor whenever the bias of C is sufficiently small (δ ≤ ɛ·2^(−(n−t−1)/2)), e.g. [3]. We generalize this to a family of sets by requiring that on average, the squared bias with respect to every α be low: Definition 3. A family of random variables (or sets) {Ai}, i ∈ I, is δ-biased if, fo...

16 citations | Positive results and techniques for obfuscation | Lynn, Prabhakaran, Sahai
Citation context: ...mation. Although code obfuscation is not possible in general (Barak et al. [1]), there are a few results showing that obfuscation of certain functions is possible in variants of the basic model, e.g. [19, 28]. Perfectly one-way hash functions, constructed by Canetti, Micciancio and Reingold [7], can be interpreted as obfuscating equality queries (which accept the input if and only if it is equal to some p...

12 citations | Communication complexity of document exchange | Cormode, Paterson, Sahinalp, Vishkin | 2000
Citation context: ...ting errors in a joint string is usually called information reconciliation [2, 4, 5, 17, 10], fuzzy cryptography ([15], see [26] for a survey), or document exchange (in communication complexity, e.g. [9, 8]). In contrast to this paper, previous work focused only on maximizing the length of a cryptographic key which can be derived from W once the errors in W′ have been corrected. Because of that, they a...

11 citations | Error correction in the bounded storage model | Ding | 2005
Citation context: ...rm data W, while also insuring that no sensitive information about W is leaked; and (c) noise tolerance and stateless key re-use in the Bounded Storage Model, resolving the main open problem of Ding [10]. The heart of our constructions is the design of strong randomness extractors with the property that the source W can be recovered from the extracted randomness and any string W′ which is close to W...

8 citations | Maintaining Secrecy When Information Leakage is Unavoidable | Smith | 2004
Citation context: ...ge model (see Section 1.1). The Relation to Entropy Loss. The task of correcting errors in a joint string is usually called information reconciliation [2, 4, 5, 17, 10], fuzzy cryptography ([15], see [26] for a survey), or document exchange (in communication complexity, e.g. [9, 8]). In contrast to this paper, previous work focused only on maximizing the length of a cryptographic key which can be deri...

6 citations | How to Fool an Unbounded Adversary with a Short Key | Russell, Wang | 2002
Citation context: ...at when this requirement is relaxed (that is, when Eve is sufficiently uncertain about W), a strong secrecy guarantee can be provided. A more suitable definition for our setting is entropic security [7, 24, 12]. If W, Y are (correlated) random variables, Y hides all functions of W if for every function f, it is nearly as hard to predict f(W) given Y as it is without Y, regardless of the adversary's comput...

5 citations | Reconciliation puzzles | Chauhan, Trachtenberg | 2004

2 citations | Practical Protocol for Advantage Distillation and Information Reconciliation (Des...) | Liu, Van Tilborg, Van Dijk
Citation context: ...mity queries, and key re-use in the bounded storage model (see Section 1.1). The Relation to Entropy Loss. The task of correcting errors in a joint string is usually called information reconciliation [2, 4, 5, 17, 10], fuzzy cryptography ([15], see [26] for a survey), or document exchange (in communication complexity, e.g. [9, 8]). In contrast to this paper, previous work focused only on maximizing the length of a...