Robust Fuzzy Extractors and Authenticated Key Agreement From Close Secrets

Consider two parties holding samples from correlated distributions $W$ and $W^{\prime }$ , respectively, where these samples are within distance $t$ of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key $R$ by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret ${ssr SK}_{ssr Ext}$ that they can use to generate a sequence of session keys ${R_{j}}$ using multiple pairs ${(W_{j}, W^{\prime }_{j})}$ . The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects. The best prior solution for the keyless case with no errors (i.e., $t=0$ ) requires the min-entropy of $W$ to exceed $2n/3$ , where $n$ is the bit length of $W$ . Our solution applies whenever the mi- -entropy of $W$ exceeds the minimal threshold $n/2$ , and yields a longer key.