A fuzzy extractor can extract an almost uniform random string from a noisy source with enough entropy, such as biometric data. To reproduce an identical key from repeated readings of biometric data, the fuzzy extractor generates helper data and a random string from the biometric data and uses the helper data to reproduce the random string from the second reading. In 2013, Fuller et al. proposed a computational fuzzy extractor based on the learning with errors problem. Their construction, however, can tolerate only a sub-linear fraction of errors and has an inefficient decoding algorithm, which causes the reproducing time to increase significantly. In 2016, Canetti et al. proposed a fuzzy extractor with inputs from low-entropy distributions based on a strong primitive called a digital locker. However, their construction necessitates an excessive amount of storage space for the helper data, which is stored in the authentication server. Based on these observations, we propose a new efficient computational fuzzy extractor with small helper data. Our scheme supports reusability and robustness, which are security notions that must be satisfied in order to use a fuzzy extractor as a secure authentication method in real life. Also, it conceals no information about the biometric data and, thanks to the new decoding algorithm, can tolerate linear errors. Based on the non-uniform learning with errors problem, we present a formal security proof for the proposed fuzzy extractor. Furthermore, we analyze the performance of our fuzzy extractor scheme and provide parameter sets that meet the security requirements. As a result of our implementation and analysis, we show that our scheme outperforms previous fuzzy extractor schemes in terms of the efficiency of the generation and reproduction algorithms, as well as the size of helper data.

Authentication necessitates the use of a secret derived from some source with sufficient entropy. Because of their uniqueness and usability, biometric information such as fingerprints, iris patterns, and facial features can be a promising candidate, as can physical unclonable functions and quantum sources. Biometric authentication, in particular, makes a user’s life much easier because biometric information does not require a user to memorize or securely store anything in order to authenticate. However, using biometric data poses two challenges. First, because biometric information is immutable, it is difficult to change once it has been leaked to an adversary. As a result, provable cryptographic security is critical for biometric storage systems. Second, whenever biometric data are generated, small errors occur as a result of the various conditions and environments. In other words, the biometric data provide similar but not identical readings at each measurement.

Since Dodis et al. [

The majority of the fuzzy extractors are built on the sketch-then-extract paradigm, with a secure sketch and a randomness extractor as building blocks [

Fuller et al. [

Moreover, Fuller’s construction does not guarantee reusability or robustness. Boyen [

Canetti et al. [

We propose a new computational fuzzy extractor in this paper that does not rely on a secure sketch or digital locker. As a result, our scheme is efficient, and thanks to the new decoding algorithm, it can tolerate linear errors. To address the error caused by the difference between the biometric data used for registration and the biometric data used for authentication, we encode the extracted key using two cryptographic primitives: error correction code (ECC) and the EMBLEM encoding method [

In addition, we extend our fuzzy extractor to be robust and reusable. Both security concepts must be satisfied in order to use a fuzzy extractor as a secure authentication method in real life. Moreover, we present a formal security proof for the proposed fuzzy extractor based on the non-uniform LWE (NLWE) problem [

To ensure the security of our fuzzy extractor, we must assume that the biometric data are drawn from a uniform distribution. Also, we are well aware that in reality, many fuzzy sources, including biometric data, do not provide uniform distributions. The purpose of this paper is to inspire researchers to create an efficient computational fuzzy extractor based on our construction.

Dodis et al. introduced the fuzzy extractor in 2004, which generates a cryptographically secure key using the user’s biometric data and is based on a secure sketch [

In 2017, Apon et al. [

The remainder of this paper is organized as follows: In Section 2, we introduce notation, mathematical problems, and the error correcting mechanism on which our scheme is based. We briefly introduce Fuller’s fuzzy extractor [

Let

For finite set

The LWE and NLWE problems are defined here. The LWE problem was defined in [

For integers

The advantage of an adversary

For integers

The advantage of an adversary

According to reference [

Furthermore, if

For some distributions

The relationship between LWE and NLWE problems is easily generalizable, and the proof of [

We encode the extracted key with two cryptographic primitives to account for the error caused by the difference between the biometric data used for registration and the biometric data used for authentication: EMBLEM encoding method and ECC.
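A toy end-to-end illustration of this encoding step, added here and not taken from the paper or its repository: a random key is repetition-coded (standing in for the ECC), placed in the high bit of each coefficient (a one-bit, EMBLEM-style encoding), and masked LWE-style with the enrolment reading as the secret. The masking layout, the small-entry matrix as a reading of "non-uniform", and all parameters (`Q`, `N`, `KEY_BITS`, `REP`) are assumptions chosen for readability, not the paper's parameter sets.

```python
import random  # seeded for a reproducible demo; a real Gen needs a CSPRNG

Q, N = 64, 2048          # toy modulus and reading length in bits (assumed)
KEY_BITS, REP = 32, 3    # key size; a repetition code stands in for the ECC

def dot(row, w):
    return sum(a * b for a, b in zip(row, w))

def encode(key):
    # ECC step: repeat every bit REP times. High-bit step: place the bit in
    # the top position and pad with 1,0,...,0 so noise below Q/4 rounds away.
    return [b * (Q // 2) + Q // 4 for b in key for _ in range(REP)]

def decode(vals):
    bits = [(v % Q) // (Q // 2) for v in vals]        # keep the top bit only
    return [int(2 * sum(bits[i:i + REP]) > REP)       # majority vote
            for i in range(0, len(bits), REP)]

def gen(w, rng, small=True):
    """Return (key, helper); helper = (A, A*w + e + encode(key) mod Q)."""
    key = [rng.randrange(2) for _ in range(KEY_BITS)]
    draw = (lambda: rng.choice((-1, 0, 1))) if small else (lambda: rng.randrange(Q))
    A = [[draw() for _ in range(N)] for _ in range(KEY_BITS * REP)]
    c = [(dot(row, w) + rng.choice((-1, 0, 1)) + m) % Q
         for row, m in zip(A, encode(key))]
    return key, (A, c)

def rep(w2, helper):
    """Unmask with a second reading; residual noise is A*(w - w2) + e."""
    A, c = helper
    return decode([ci - dot(row, w2) for row, ci in zip(A, c)])

def demo(seed=1):
    rng = random.Random(seed)                         # constructed sample data
    w = [rng.randrange(2) for _ in range(N)]          # enrolment reading
    noisy = list(w)
    for i in rng.sample(range(N), 14):                # 14 flipped bits
        noisy[i] ^= 1
    other = [rng.randrange(2) for _ in range(N)]      # unrelated reading
    key, helper = gen(w, rng)
    key_u, helper_u = gen(w, rng, small=False)        # uniform-A contrast
    return (rep(noisy, helper) == key,      # small A: noise <= 15 < Q/4
            rep(other, helper) == key,      # ~N/2 differing bits: fails
            rep(noisy, helper_u) == key_u)  # uniform A: any flip scrambles

if __name__ == "__main__":
    print(demo())
```

With the small-entry matrix the residual noise grows only with the number of differing bits, so the noisy reading decodes; with a uniform matrix a single flipped bit already randomizes every coefficient. The toy sizes are for tracing the arithmetic and carry no hardness claim.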

The basic idea behind ECC is that the sender encodes the message with redundancy bits to allow the receiver to detect and correct a limited number of errors that may occur anywhere in the message without re-transmission. In this paper, we use the

We use an additional encoding method, EMBLEM encoding, with ECC encoding to tolerate errors caused by differences between the biometric data used for registration and the biometric data used for authentication. EMBLEM is a new multi-bit encoding method used in LWE-based encryption schemes [

Let

Compute

Output

Let

Output a

In 2017, Fuller et al. [

Sample

Set

Output

Compute

Output

Find

Compute

If

Output

The

A fuzzy extractor extracts an almost uniformly random string

It holds the following properties.

Reusability is the security notion for the case in which several pairs of extracted strings and related helper data issued from correlated biometric data are revealed to an adversary, which is clearly a much stronger security guarantee. More formally, it is the security of a reissued pair

Challenger samples

When

Robustness is a security notion that applies when an adversary modifies the helper data

Challenger samples

3.

The experiment outputs 1 if

The main idea of our scheme is that the biometric data

We present a computational reusable fuzzy extractor based on the NLWE problem in this paper as shown in

Sample

Sample

Compute

Set

Output

Compute

Compute

In this paper, we assume that the admissible error distribution

If

Boyen et al. [

We present a computational reusable fuzzy extractor with robustness based on the construction of computational fuzzy extractor with reusability presented in Chapter 4. The details of our construction are as follows. We assume that

Sample

Sample

Compute

Compute

Compute

Set

Output

Compute

Compute

Compute

Compute

Check if

The correctness of the robust and reusable fuzzy extractor scheme in construction 5.1 follows from the correctness of the underlying reusable fuzzy extractor scheme in construction 4.1.

If

The reusability of the fuzzy extractor scheme presented in construction 5.1 is guaranteed in the same way that Theorem 4.1 is guaranteed. We sketch a proof of reusability here. To achieve robustness, our scheme has some changes compared to the scheme in Chapter 4.1. First,

In this game, the helper data

Decode is a deterministic function determined by the inputs. Therefore, when

Assume for a moment that there are no collisions in the outputs of any of the adversary’s random oracle queries. The probability that the forgery is “successful” is at most the probability that

In the first case, the probability that the adversary

Let

As previously stated, we use

We use the method presented by [

The most important building block in most efficient NLWE attacks is the blockwise Korkine-Zolotarev (BKZ) lattice reduction algorithm [

The helper data are made of

| Parameter | Set 1 | Set 2 | Set 3 |
|---|---|---|---|
| | 80 | 128 | 256 |
| | 160 | 256 | 512 |
| | 255 | 511 | 1023 |
| | 108 | 84 | 60 |
| | 87 | 130 | 258 |
| Biodata (Bytes) | 160 | 256 | 512 |
| | 30% | 20% | 11% |
| | 12% | 8% | 5% |
| Standard deviation | 0.5 | 0.35 | 0.25 |
| Bit hardness | 81 | 129 | 261 |

In this section, we describe the performance of our fuzzy extractor scheme. We evaluate the performance of our implementation on a 3.7 GHz Intel Core i7-8700K running Ubuntu 20.04 LTS. Our implementation code is available at https://github.com/KU-Cryptographic-Protocol-Lab/Fuzzy_Extractor.

Huth et al. [

Canetti et al. [

| Schemes | Secure | Security | Reusability | Robustness | Decoding time when error rate increases |
|---|---|---|---|---|---|
| [ | O | LWE | O | X | – |
| [ | O | DDH/DLIN | O | O | – |
| [ | O | DDH/LWE | O | O | – |
| [ | X | LWE | X | X | |
| [ | X | LWE | O | X | |
| [ | X | X | O | X | |
| [ | X | X | O | X | |
| Ours | X | NLWE | O | O | – |

Conversely, our scheme does not increase the decoding time or storage space for helper data with an increasing error

| Parameter | Set 1 | Set 2 | Set 3 |
|---|---|---|---|
| | 80 | 128 | 256 |
| Biodata (Bytes) | 160 | 256 | 512 |
| | 30% | 20% | 11% |
| Reusable fuzzy extractor (Construction 4.1) | | | |
| Helper data (Bytes) | 287 | 543 | 1055 |
| Gen (K cycle) | 1455 | 3862 | 14135 |
| Rep (K cycle) | 1015 | 3106 | 12410 |
| Robust and reusable fuzzy extractor (Construction 5.1) | | | |
| Helper data (Bytes) | 298 | 560 | 1088 |
| Gen (K cycle) | 1471 | 3963 | 14323 |
| Rep (K cycle) | 1017 | 3242 | 12882 |

In this paper, we propose a new computational fuzzy extractor that is more efficient and has small helper data. As a result, our scheme is reusable and robust, and it can tolerate linear errors thanks to a new decoding algorithm that employs ECC and the EMBLEM encoding method. These points contribute to increasing the efficiency of the reproduction algorithm and supporting the linear fraction of errors for biometric data. Furthermore, as the error increases, our scheme does not increase the decoding time or storage space for helper data. We present the formal security proof for the proposed fuzzy extractor using the non-uniform LWE problem, as well as the concrete bit hardness for our scheme using the LWE-estimator. To ensure the security of our fuzzy extractor, we must assume that the biometric data are drawn from a uniform distribution, i.e.,