## A fuzzy vault scheme (2002)


Venue: In International Symposium on Information Theory (ISIT

Citations: 209 - 1 self

### BibTeX

@INPROCEEDINGS{Juels02afuzzy,
    author = {Ari Juels and Madhu Sudan},
    title = {A fuzzy vault scheme},
    booktitle = {In International Symposium on Information Theory (ISIT},
    year = {2002},
    pages = {408},
    publisher = {IEEE Press}
}


### Abstract

We describe a simple and novel cryptographic construction that we refer to as a fuzzy vault. A player Alice may place a secret value κ in a fuzzy vault and “lock” it using a set A of elements from some public universe U. If Bob tries to “unlock” the vault using a set B of similar length, he obtains κ only if B is close to A, i.e., only if A and B overlap substantially. In contrast to previous constructions of this flavor, ours possesses the useful feature of order invariance, meaning that the ordering of A and B is immaterial to the functioning of the vault. As we show, our scheme enjoys provable security against a computationally unbounded attacker.

### Citations

1919 | How to share a secret - Shamir
Citation Context: ...well for this problem. 1.1 Previous work A somewhat less naïve approach to a fuzzy vault construction than straightforward encryption might be achieved through use of Shamir secret sharing techniques [23]. Alice partitions her secret value κ into shares s1, s2, . . . , sn, and encrypts these shares respectively under each of the elements a1, a2, . . . , an in her set A. This would yield a set of cipher...

460 | Algebraic Coding Theory - Berlekamp - 1968
Citation Context: ...‘null’. We write RSdecode(k, Q) to denote the output on inputs k and Q. For our (practical) purposes, the best choice for RSdecode is generally the classical algorithm of Peterson-Berlekamp-Massey [3, 17, 21]. This algorithm decodes successfully if at least (k+t)/2 points in Q share a common polynomial. The best version of RSdecode to date, i.e., the one most likely to recover p successfully, is that of Gur...

408 | Non-interactive and information-theoretic secure verifiable secret sharing - Pedersen - 1992
Citation Context: ...ere are several ways to avoid this difficulty. One way is for Alice to include in her vault a cryptographically binding commitment cA to her secret value κ using, such as, e.g., a Pedersen commitment [20]. Now, Alice participates in the key agreement protocol with Bob in a manner that binds her to cA (through a straightforward modification of existing algorithms). This does not ensure that VA and cA r...

289 | Shift-register synthesis and BCH decoding - Massey - 1969
Citation Context: ...‘null’. We write RSdecode(k, Q) to denote the output on inputs k and Q. For our (practical) purposes, the best choice for RSdecode is generally the classical algorithm of Peterson-Berlekamp-Massey [3, 17, 21]. This algorithm decodes successfully if at least (k+t)/2 points in Q share a common polynomial. The best version of RSdecode to date, i.e., the one most likely to recover p successfully, is that of Gur...

260 | Improved decoding of Reed-Solomon and Algebraic-Geometric codes - Guruswami, Sudan - 1999
Citation Context: ...decodes successfully if at least (k+t)/2 points in Q share a common polynomial. The best version of RSdecode to date, i.e., the one most likely to recover p successfully, is that of Guruswami and Sudan [12]. This algorithm successfully determines p provided that the number of points in Q that lie on p is at least √(kt). Our preference for the classical algorithm is based on the fact that this algorithm is...

237 | A fuzzy commitment scheme - Juels, Wattenberg - 1999
Citation Context: ... critical here. It is usually not possible to impose an order effectively on biometric features because of the problem of erasures. For this reason, previous schemes like that of Juels and Wattenberg [15] described below are unlikely to work well for this problem. 1.1 Previous work A somewhat less naïve approach to a fuzzy vault construction than straightforward encryption might be achieved through us...

217 | A public-key cryptosystem based on algebraic coding theory - McEliece - 1978
Citation Context: ...ic codes, it is not surprising that error-correcting codes appear in many areas of cryptography, such as quantum cryptography [2, 6], public-key cryptography (via the well known McEliece cryptosystem) [18], identification schemes [26], digital signature schemes [1], and cryptanalytic techniques [13], just to name a few examples. We do not explore this extensive branch of the literature here. We note, h...

164 | Provably Secure Password Authenticated Key Exchange Using Diffie-Hellman - Boyko, Mackenzie, et al.
Citation Context: ...mber, he tries to open VA using his set of favorite movies B. If he decodes successfully, he obtains a secret value κ′. Alice and Bob now invoke a password-authenticated key-agreement protocol (see [5] for a recent example). They use their respective secrets κ and κ′ as passwords for this protocol. If κ = κ′, then Alice and Bob will successfully establish a private channel. Otherwise, they wil...

117 | On Enabling Secure Applications through Off-line Biometric Identification - Davida - 1998
Citation Context: ...tion on h given sufficiently large security parameters. It is easy to see then that the task of the attacker is to guess c uniformly over C. A similar, less resilient antecedent scheme is proposed in [7, 8], while another system with similar goals but no rigorously provable security characteristics is proposed in [24, 25]. Note that if the hashed value h(c) is removed from the Juels and Wattenberg schem...

112 | Achieving oblivious transfer using weakened security assumptions - Crépeau, Kilian - 1988
Citation Context: ...al and historical affinities between error-correcting codes and cryptographic codes, it is not surprising that error-correcting codes appear in many areas of cryptography, such as quantum cryptography [2, 6], public-key cryptography (via the well known McEliece cryptosystem) [18], identification schemes [26], digital signature schemes [1], and cryptanalytic techniques [13], just to name a few examples. W...

105 | Password hardening based on keystroke dynamics - Reiter, Monrose, et al. - 1999
Citation Context: ... Reed-Solomon list decoding problem [4]. Other schemes making use of this problem include, for example, the scheme proposed by Monrose, Reiter, and Wetzel for hardening passwords using keystroke data [19]. An important difference between our scheme and previous ones of this flavor is our range of parameter choices. The [19] scheme bases its security on the computational hardness of small polynomial re...

67 | A new identification scheme based on syndrome decoding - Stern - 1993
Citation Context: ...g that error-correcting codes appear in many areas of cryptography, such as quantum cryptography [2, 6], public-key cryptography (via the well known McEliece cryptosystem) [18], identification schemes [26], digital signature schemes [1], and cryptanalytic techniques [13], just to name a few examples. We do not explore this extensive branch of the literature here. We note, however, that Reed-Solomon cod...

55 | Encoding and error-correction procedures for the Bose-Chaudhuri codes - Peterson - 1960
Citation Context: ...‘null’. We write RSdecode(k, Q) to denote the output on inputs k and Q. For our (practical) purposes, the best choice for RSdecode is generally the classical algorithm of Peterson-Berlekamp-Massey [3, 17, 21]. This algorithm decodes successfully if at least (k+t)/2 points in Q share a common polynomial. The best version of RSdecode to date, i.e., the one most likely to recover p successfully, is that of Gur...

54 | Hardness of approximating the minimum distance of a linear code - Dumer, Micciancio

42 | The relation of error correction and cryptography to an off-line biometric based identification scheme - Davida, Frankel, et al. - 1999
Citation Context: ...tion on h given sufficiently large security parameters. It is easy to see then that the task of the attacker is to guess c uniformly over C. A similar, less resilient antecedent scheme is proposed in [7, 8], while another system with similar goals but no rigorously provable security characteristics is proposed in [24, 25]. Note that if the hashed value h(c) is removed from the Juels and Wattenberg schem...

41 | Noisy polynomial interpolation and noisy Chinese remaindering - Bleichenbacher, Nguyen - 2000
Citation Context: ... series of questions. In recognition of the unreliability of human memory, the system permits users to answer some of these questions incorrectly. A serious vulnerability in this system is exposed in [4], who show more broadly that the underlying hardness assumption is weak. Our fuzzy vault scheme offers an alternative implementation that is provably secure in an information-theoretic sense and that ...

26 | Cryptanalysis of block ciphers with probabilistic non-linear relations of low degree - Jakobsen - 1998
Citation Context: ... such as quantum cryptography [2, 6], public-key cryptography (via the well known McEliece cryptosystem) [18], identification schemes [26], digital signature schemes [1], and cryptanalytic techniques [13], just to name a few examples. We do not explore this extensive branch of the literature here. We note, however, that Reed-Solomon codes, the most popular form of error-correcting code and the one we ...

11 | Secure private key generation using a fingerprint - Soutar, GJ - 1996
Citation Context: ...guess c uniformly over C. A similar, less resilient antecedent scheme is proposed in [7, 8], while another system with similar goals but no rigorously provable security characteristics is proposed in [24, 25]. Note that if the hashed value h(c) is removed from the Juels and Wattenberg scheme, i.e., if we no longer think of it as a commitment scheme, then we obtain a kind of fuzzy vault in which the vault ...

9 | Practical quantum oblivious transfer protocols - Bennett, Brassard, et al. - 1992
Citation Context: ...al and historical affinities between error-correcting codes and cryptographic codes, it is not surprising that error-correcting codes appear in many areas of cryptography, such as quantum cryptography [2, 6], public-key cryptography (via the well known McEliece cryptosystem) [18], identification schemes [26], digital signature schemes [1], and cryptanalytic techniques [13], just to name a few examples. W...

5 | A digital signature scheme based on linear error-correcting block codes - Alabbadi, Wicker - 1994
Citation Context: ...ear in many areas of cryptography, such as quantum cryptography [2, 6], public-key cryptography (via the well known McEliece cryptosystem) [18], identification schemes [26], digital signature schemes [1], and cryptanalytic techniques [13], just to name a few examples. We do not explore this extensive branch of the literature here. We note, however, that Reed-Solomon codes, the most popular form of er...

2 | On enabling secure applications through off-line biometric identification - Davida, Frankel, et al. - 1998

2 | Biometric encryption for secure key generation - Soutar - 1998
Citation Context: ...guess c uniformly over C. A similar, less resilient antecedent scheme is proposed in [7, 8], while another system with similar goals but no rigorously provable security characteristics is proposed in [24, 25]. Note that if the hashed value h(c) is removed from the Juels and Wattenberg scheme, i.e., if we no longer think of it as a commitment scheme, then we obtain a kind of fuzzy vault in which the vault ...

1 | Proving with knowing: On oblivious, agnostic, and blindfolded provers - Jakobsson, Yung - 1996
Citation Context: ...ploy the Secure Socket-Layer (SSL) protocol to establish a private, authenticated channel, and then employ a socialist millionaires’ or similar protocol to test the condition κ = κ′ in zero knowledge [14, 22]. This method depends upon one player having an appropriately signed certificate. 2. Bob publishes VB on secret κB. 3. Alice applies Unlock to VB using her set A. If successful, she obtains a value κ ...

1 | Pedersen Non-interactive and information-theoretic secure verifiable secret sharing - unknown authors - 1991

1 | A fair and efficient solution to the socialist millionaires' problem. Discrete Applied Mathematics - Schoenmakers, Boudot, et al. - 2000

1 | A fair and efficient solution to the socialist millionaires’ problem. Discrete Applied Mathematics - Schoenmakers, Boudot, et al. - 2000
Citation Context: ...ploy the Secure Socket-Layer (SSL) protocol to establish a private, authenticated channel, and then employ a socialist millionaires’ or similar protocol to test the condition κ = κ′ in zero knowledge [14, 22]. This method depends upon one player having an appropriately signed certificate. 2. Bob publishes VB on secret κB. 3. Alice applies Unlock to VB using her set A. If successful, she obtains a value κ ...