Robust Fuzzy Extractors and Authenticated Key Agreement From Close Secrets

Yevgeniy Dodis, Bhavana Kanukurthi, Jonathan Katz, Leonid Reyzin, Adam Smith
2012 IEEE Transactions on Information Theory  
Consider two parties holding samples from correlated distributions W and W′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK_Ext that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W′_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects:

• The best prior solution for the keyless case with no errors (i.e., t = 0) requires the min-entropy of W to exceed 2n/3, where n is the bit-length of W. Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key.
• Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model.
• Previous solutions for the keyed case were stateful. We give the first stateless solution.

* This is an expanded and corrected version of [15, 23].

W = W′ and the goal is to transform a nonuniform shared secret to a uniform one), or "fuzzy extraction." Early work [43, 5, 26, 3] assumed the parties could communicate over a public but authenticated channel or, equivalently, assumed a passive adversary. This assumption was relaxed in later work [29, 30, 42, 27, 33], which considered an active adversary who could modify all messages sent between the two parties. The goal of the above works was primarily to explore the possibility of information-theoretic security, especially in the context of quantum cryptography; however, this is not the only motivation. The problem also arises in the context of using noisy data (such as biometric information, or observations of some physical phenomenon) for cryptographic purposes, even if computational security suffices. The same problem also arises in the context of the bounded-storage model (BSM) [28] in the presence of errors [14, 17]. We discuss each of these in turn.
Authentication Using Noisy Data

In the case of authentication/key agreement using noisy data, the random variables W, W′ are close (with respect to some metric) but not identical. For simplicity, we assume the noisy data represents biometric information, though the same techniques apply to more general settings. In this context, two different scenarios have been considered:

"Secure authentication": Here, a trusted server stores some biometric data w of a user, obtained during an initial enrollment. Later, when the user and the server want to establish a secure communication session over an insecure channel, the user locally obtains a fresh biometric scan w′ which is close, but not identical, to w. The user and the server then use w and w′ to authenticate each other and agree on a key R.

"Key recovery": In this scenario, a user utilizes his biometric data w to generate a random key R along with some public information P, and then stores P on a (possibly untrusted) server. The key R is then used, for example, to encrypt some data for long-term storage. At a later point in time, the user obtains a fresh biometric scan w′ along with the value P from the server; together, these values enable the user to recover R (and hence decrypt the encrypted data).
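The key-recovery flow just described (Gen at enrollment, Rep on a fresh scan) in the standard code-offset construction for the Hamming metric, as an added Python example that is not code from the paper: the bit-vector reading w, the repetition code with parameters K and REP, the names gen/rep/extract and the use of SHA-256 over a public seed in place of a strong randomness extractor are all assumptions of this toy. The last check in demo() shows the property this paper is about: a plain fuzzy extractor gives no error when the stored P has been modified, it simply derives a different key, which is exactly what a robust fuzzy extractor is meant to detect.

```python
import hashlib
import random

# Constructed toy parameters (not from the paper): the reading w is a bit
# vector of length N = K * REP; a length-REP repetition code corrects up to
# (REP - 1) // 2 flipped bits inside each block of REP positions.
K = 16          # message bits of the code
REP = 3
N = K * REP     # length of w in bits


def rep_encode(msg):
    """Repetition-code encoder: each message bit is repeated REP times."""
    return [b for b in msg for _ in range(REP)]


def rep_decode(word):
    """Majority-vote decoder for the repetition code."""
    return [1 if sum(word[i:i + REP]) * 2 > REP else 0
            for i in range(0, len(word), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def extract(w, seed):
    """Key-derivation stand-in: SHA-256 over (seed, w). A real fuzzy extractor
    uses a strong randomness extractor here; the hash is an assumption of this
    toy, not the paper's construction."""
    return hashlib.sha256(seed + bits_to_bytes(w)).digest()


def gen(w, rng):
    """Gen(w) -> (R, P): code-offset sketch P = w XOR c for a random codeword c,
    bundled with a public extractor seed; R is derived from w itself."""
    c = rep_encode([rng.randrange(2) for _ in range(K)])
    seed = bytes(rng.randrange(256) for _ in range(16))
    p = (xor(w, c), seed)
    return extract(w, seed), p


def rep(w_prime, p):
    """Rep(w', P) -> R': shift w' back by the sketch, decode to the nearest
    codeword, recover w, and re-derive the key. No tamper check on P here."""
    sketch, seed = p
    c = rep_encode(rep_decode(xor(w_prime, sketch)))
    w = xor(sketch, c)
    return extract(w, seed)


def flip(bits, positions):
    """Constructed noise model: flip the given bit positions."""
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


def demo():
    rng = random.Random(2012)
    w = [rng.randrange(2) for _ in range(N)]   # enrollment reading (constructed)
    r, p = gen(w, rng)
    # Fresh scan with one flipped bit in each of three different blocks: within t.
    w_ok = flip(w, [0, 4, 8])
    # Fresh scan with two flips inside the same block: beyond what the code corrects.
    w_bad = flip(w, [0, 1])
    # The untrusted server returns a modified sketch; Rep has no way to notice.
    p_tampered = (flip(p[0], [3]), p[1])
    return {
        "within_t_recovers_key": rep(w_ok, p) == r,
        "beyond_t_recovers_key": rep(w_bad, p) == r,
        "tampered_p_gives_same_key": rep(w_ok, p_tampered) == r,
    }


if __name__ == "__main__":
    print(demo())
```

The tolerance t of this toy is one flip per block rather than a global Hamming bound, which is why the second scan fails although it has fewer flipped bits in total than the first. The tampering case returns a wrong key silently: nothing in Rep binds P to w, so an adversary who controls the channel or the server can steer the user onto a key of their choosing without any error being raised, the attack model the keyless robust constructions in the abstract address.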
doi:10.1109/tit.2012.2200290 fatcat:c7ayvs2h5fbmbmd2h6ag2arhbe