Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data
We provide formal definitions and efficient secure techniques for
- turning noisy information into keys usable for any cryptographic
application, and, in particular,
- reliably and securely authenticating biometric data.
Our techniques apply not just to biometric information, but to any keying
material that, unlike traditional cryptographic keys, is (1) not reproducible
precisely and (2) not distributed uniformly. We propose two primitives: a
"fuzzy extractor" reliably extracts nearly uniform randomness R from its input;
the extraction is error-tolerant in the sense that R will be the same even if
the input changes, as long as it remains reasonably close to the original.
Thus, R can be used as a key in a cryptographic application. A "secure sketch"
produces public information about its input w that does not reveal w, and yet
allows exact recovery of w given another value that is close to w. Thus, it can
be used to reliably reproduce error-prone biometric inputs without incurring
the security risk inherent in storing them.
We define the primitives to be both formally secure and versatile,
generalizing much prior work. In addition, we provide nearly optimal
constructions of both primitives for various measures of "closeness" of input
data, such as Hamming distance, edit distance, and set difference.
Comment: 47 pp., 3 figures. Prelim. version in Eurocrypt 2004, Springer LNCS
3027, pp. 523-540. Differences from version 3: minor edits for grammar,
clarity, and typo
Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer
A digital computer is generally believed to be an efficient universal
computing device; that is, it is believed able to simulate any physical
computing device with an increase in computation time of at most a polynomial
factor. This may not be true when quantum mechanics is taken into
consideration. This paper considers factoring integers and finding discrete
logarithms, two problems which are generally thought to be hard on a classical
computer and have been used as the basis of several proposed cryptosystems.
Efficient randomized algorithms are given for these two problems on a
hypothetical quantum computer. These algorithms take a number of steps
polynomial in the input size, e.g., the number of digits of the integer to be
factored.
Comment: 28 pages, LaTeX. This is an expanded version of a paper that appeared
in the Proceedings of the 35th Annual Symposium on Foundations of Computer
Science, Santa Fe, NM, Nov. 20-22, 1994. Minor revisions made January, 199
On Karatsuba's Problem Concerning the Divisor Function
We study the asymptotic behavior of the sum $\sum_{n\le x}\frac{\tau(n)}{\tau(n+a)}$. Here $\tau(n)$ denotes the number of divisors of $n$ and $a$ is a fixed integer.
Comment: 32 page
An efficient algorithm for accelerating the convergence of oscillatory series, useful for computing the polylogarithm and Hurwitz zeta functions
This paper sketches a technique for improving the rate of convergence of a
general oscillatory sequence, and then applies this series acceleration
algorithm to the polylogarithm and the Hurwitz zeta function. As such, it may
be taken as an extension of the techniques given by Borwein's "An efficient
algorithm for computing the Riemann zeta function", to more general series. The
algorithm provides a rapid means of evaluating Li_s(z) for general values of
complex s and the region of complex z values given by |z^2/(z-1)|<4.
Alternatively, the Hurwitz zeta can be very rapidly evaluated by means of an
Euler-Maclaurin series. The polylogarithm and the Hurwitz zeta are related, in
that two evaluations of the one can be used to obtain a value of the other;
thus, either algorithm can be used to evaluate either function. The
Euler-Maclaurin series is a clear performance winner for the Hurwitz zeta,
while the Borwein algorithm is superior for evaluating the polylogarithm in the
kidney-shaped region. Both algorithms are superior to the simple Taylor's
series or direct summation.
The primary, concrete result of this paper is an algorithm that allows the
exploration of the Hurwitz zeta in the critical strip, where fast algorithms
are otherwise unavailable. A discussion of the monodromy group of the
polylogarithm is included.
Comment: 37 pages, 6 graphs, 14 full-color phase plots. v3: Added discussion
of a fast Hurwitz algorithm; expanded development of the monodromy.
v4: Correction and clarification of monodrom
How Fast Can We Multiply Large Integers on an Actual Computer?
We provide two complexity measures that can be used to measure the running
time of algorithms to compute multiplications of long integers. The random
access machine with unit or logarithmic cost is not adequate for measuring the
complexity of a task like multiplication of long integers. The Turing machine
is more useful here, but fails to take into account the multiplication
instruction for short integers, which is available on physical computing
devices. An interesting outcome is that the proposed refined complexity
measures do not rank the well known multiplication algorithms the same way as
the Turing machine model.
Comment: To appear in the proceedings of Latin 2014. Springer LNCS 839
Primeless Factoring-Based Cryptography
Factoring-based public-key cryptosystems have an overall complexity that is dominated by the key-generation algorithm, which requires the generation of prime numbers. This is most inconvenient in settings where key generation is not a one-off process, e.g., secure delegation of computation or EKE password-based key exchange protocols. To this end, we extend the Goldwasser-Micali (GM) cryptosystem to a provably secure system, denoted SIS, in which the generation of primes is bypassed. By elaborating on the correct choice of the parameters of SIS, we align SIS's security guarantees (i.e., resistance to factoring of moduli, etc.) with those of other well-known factoring-based cryptosystems. Taking into consideration different possibilities to implement the fundamental operations, we explicitly compare and contrast the asymptotic complexity of well-known public-key cryptosystems (e.g., GM and/or RSA) with that of SIS. The comparison shows that once we are ready to accept an increase in the size of the moduli, SIS offers a generally lower asymptotic complexity than, e.g., GM or even RSA (when the number of encrypted bits is scaled correctly). This would yield most significant speed-ups for applications like the aforementioned secure delegation of computation or protocols where a fresh key needs to be generated with every new session, e.g., EKE password-based key exchange protocols.
ON THE CONFERENCE IN MEMORY OF ANATOLY ALEKSEEVICH KARATSUBA ON NUMBER THEORY AND APPLICATIONS
In January 2014, the 1st one-day international "Conference in Memory of A. A. Karatsuba on Number Theory and Applications" took place at the Steklov Mathematical Institute of the Russian Academy of Sciences. The aims of this conference were the presentation of new and important results in different branches of number theory (especially in branches connected with the works of A. A. Karatsuba), the exchange of new number-theoretical ideas, and acquaintance with new methods and tendencies in number theory. The 2nd Conference was organized by the Steklov Mathematical Institute of the Russian Academy of Sciences together with Moscow State University in January 2015. The present paper contains extended annotations of the reports of the 2nd Conference.

In January 2014, the first one-day international "Conference in Memory of Anatoly Alekseevich Karatsuba on Number Theory and Applications" was held at the V. A. Steklov Mathematical Institute of the Russian Academy of Sciences. The aims of this conference were the presentation of new and significant results in various areas of number theory (especially those connected with the work of A. A. Karatsuba), the exchange of new number-theoretic ideas, and acquaintance with new methods and trends in number theory. The second international Conference was held by the V. A. Steklov Mathematical Institute of the Russian Academy of Sciences together with Lomonosov Moscow State University on January 30-31, 2015. The present paper contains extended annotations of the reports given at the second Conference.