DE102017109260A1 - Method for generating a key with perfect security - Google Patents

Abstract

A method for generating a key with perfect certainty, the method comprising: preprocessing a first source information with a preprocessing channel corresponding to a marginal distribution estimated based on the first source information, providing a partition of a set of possible preprocessed first source information into a set of subsets, wherein the elements of the subsets are codewords of (n, ε) codes of a composite channel based on statistics of the source and preprocessing channel, and the elements of each subset have a constant composition, determining helper data as an index of the subset comprising the preprocessed first source information, and determining the key as an index of the preprocessed first source information within the subset comprising the preprocessed first source information.

Description

FIELD OF THE INVENTION

The present invention is in the field of encryption methods. In particular, it relates to a method for generating a key based on a first source information and a method for estimating a key based on a second source information. The invention also relates to associated devices and a computer program product.

BACKGROUND AND RELATED ART

In communication systems, among other things, the security-relevant tasks to authenticate users based on authentication information and encrypted data in a public database.

In an authentication method, e.g. biometric data or the output of a physically non-clonable function used for authentication. The source of this data (e.g., the user's fingerprint) is not fully known. It should also be remembered that an attacker could potentially influence the source.

One known authentication method involves two phases. First, the user is registered in a registration phase. In this phase, the authentication system receives the data X ⁿ and the ID of the user. It then generates helper data M and a secret key K. Then it uses a one-way function f on K and stores the result and the helper data M under the user ID in a public database.

The second phase is an authentication phase. In this phase, the system receives the data Y ⁿ (eg from a measured fingerprint of a user to be authenticated) and the ID of the user. The system then reads the associated helper data M and f (K) from the database. It uses M and Y ⁿ to generate a secret key K. The system can then compare f (K) and f (K). If the functions are the same, the user is accepted, otherwise the user is rejected.

Another common security-related task concerns the storage of data in a public database where the data is to be kept secret using encryption with biometric data or the output of a physical-unclonable function (PUF). Again, the problem arises that the source of the biometric or PUF data is not perfectly known and an attacker may possibly influence the particular source.

A well-known encryption method involves two phases:

In a first phase, the system receives the encryption data X ⁿ and the data D to be stored. D becomes the encrypted data D generated and stored in the database.

In a second phase, the system receives the decryption data Y ⁿ and, from the database, the encrypted data D , From this, the system D can calculate what to match the original data D.

In the prior art, the problem arises that no perfect security is achieved. For example, the helper data M reveals information about the secret key K, so that an attacker with knowledge of M can construct an attack.

SUMMARY OF THE INVENTION

The present invention has for its object to provide a method for generating a key, wherein perfect security is achieved or at least a safety aspect is improved over known methods. This object is solved by the independent claims. Advantageous developments are specified in the dependent claims.

• - Vorverarbeiten einer ersten Quellinformation mit einem Vorverarbeitungskanal, der zu einer basierend auf der ersten Quellinformation geschätzten Marginalverteilung korrespondiert,
• - Bereitstellen einer Partitionierung einer Menge von möglichen vorverarbeiteten ersten Quellinformationen in eine Menge von Teilmengen, wobei die Elemente der Teilmengen Codewörter von (n, ε)-Codes eines zusammengesetzten Kanals sind, der auf einer Statistik der Quelle und dem Vorverarbeitungskanal basiert, und die Elemente jeder Teilmenge eine konstante Zusammensetzung aufweisen,
• - Bestimmen von Helferdaten als einen Index der Teilmenge, die die vorverarbeitete erste Quellinformation umfasst, und
• - Bestimmen des Schlüssels als einen Index der vorverarbeiteten ersten Quellinformation innerhalb der Teilmenge, die die vorverarbeitete erste Quellinformation umfasst.

A method according to the invention comprises the following steps:

• Preprocessing a first source information with a preprocessing channel corresponding to a marginal distribution estimated based on the first source information,
• - Providing a partitioning of a set of possible preprocessed first source information into a set of subsets, wherein the elements of the subsets are codewords of (n, ε) codes of a composite channel based on statistics of the source and the preprocessing channel, and the elements each subset have a constant composition,
• Determining helper data as an index of the subset comprising the pre-processed first source information, and
• - Determining the key as an index of the preprocessed first source information within the subset comprising the preprocessed first source information.

The method of the invention may e.g. be performed to register a user in a user database. For example, the first source information may be read information from a scan of the user's fingerprint.

The method is based on the assumption that the source of the first source information (and other source information) is modelable as a discrete memoryless multiple source (DMMS). Experiments have shown that this assumption is valid for many relevant sources in practice.

The inventive method has the advantage that "perfect security" can be achieved, in the sense that the helper data reveal no information about the key.

In an advantageous embodiment it is provided that the composite channel results from a series connection of the statistics of the first source information and the preprocessing channel.

In an advantageous embodiment it is provided that the estimation of the marginal distribution comprises selecting a probability distribution from a set of predefined probability distributions. For example, the predefined probability distributions may be stored in a database, so that when performing the method only a suitable probability distribution needs to be selected from the database.

In an advantageous embodiment, it is provided that if none of the subsets comprises the preprocessed first source information, the helper data and / or the key are generated at random.

The method should be designed such that it is as rare as possible that none of the subsets comprises the preprocessed first source information. Nevertheless, this case can not always be completely ruled out. The accidental generation of the helper data and / or the key ensures that even in this case no unnecessary information is disclosed.

In an advantageous embodiment it is provided that if the size of the subset comprising the preprocessed first source information does not correspond to a smallest size of all subsets, a deterministic mapping is used to map the index of the preprocessed first source information within the subset onto the key , This ensures that keys of the same size can always be output.

In an advantageous embodiment it is provided that the method is a method for storing data and comprises the method of combining the data and the key with a modulo addition.

Experiments have shown that the method according to the invention can be used particularly advantageously for the encrypted storage of data in databases.

In a further advantageous embodiment, it is provided that the first source information is user identification information and includes the method of storing the key in a public user database. The key is preferably encrypted with a one-way function before it is stored in the public database.

In an advantageous embodiment, it is provided that the first source information is biometric information about a user, in particular information about a fingerprint. Thus, a user may e.g. register with his fingerprint in a database.

• - Bereitstellen der von dem Schlüsselgenerierungsverfahren verwendeten Partitionierung,
• - Identifizieren einer ausgewählten Teilmenge basierend auf den Helferdaten als Index, und
• - Verwenden des zusammengesetzten Kanalcodes, der zu der ausgewählten Teilmenge korrespondiert, um die zweite Quellinformation zu decodieren und den geschätzten Schlüssel zu erhalten.

A further embodiment of the invention relates to a method for estimating a key based on a second source information and helper data generated using one of the above-mentioned key generation methods, the method comprising:

• Providing the partitioning used by the key generation method,
• Identifying a selected subset based on the helper data as an index, and
• Using the composite channel code corresponding to the selected subset to decode the second source information and obtain the estimated key.

Thus, this method of estimating a key can be combined with the above-mentioned key generation method for generating a key with perfect security. In the process of estimating the key, the same partitioning that was used when the key was generated must be used. This can be done, for example ensure that the partitioning is once created and then provided to the key generation method and method for estimating the key. The provision of the partitioning can thus take place, for example, by reading the partitioning from a data carrier.

This method can e.g. are used to authenticate a user who has previously registered with the above method for generating a key with perfect security in a database. The second source information could be read-out information from its fingerprint during the authentication.

In an advantageous embodiment it is provided that the composite channel results from a series connection of the statistics of the source and the preprocessing channel.

In an advantageous embodiment it is provided that if the size of the subset corresponding to the helper data as an index does not correspond to a smallest size of all subsets, a deterministic mapping is used to map the decoded second source information to the estimated key.

A further embodiment of the invention relates to a computer program product for calculating a key, in the execution of which one of the above-mentioned methods is executed.

• - eine Vorverarbeitungseinheit zum Vorverarbeiten einer ersten Quellinformation mit einem Vorverarbeitungskanal, der zu einer basierend auf der ersten Quellinformation geschätzten Marginalverteilung korrespondiert,
• - eine Partitionierungseinheit zum Bereitstellen einer Partitionierung einer Menge von möglichen vorverarbeiteten ersten Quellinformationen in eine Menge von Teilmengen, wobei die Elemente der Teilmengen Codewörter von (n, ε)-Codes eines zusammengesetzten Kanals sind, der auf einer Statistik der Quelle und dem Vorverarbeitungskanal basiert, und die Elemente jeder Teilmenge eine konstante Zusammensetzung aufweisen,
• - eine Helferdateneinheit zum Bestimmen von Helferdaten als einen Index der Teilmenge, die die vorverarbeitete erste Quellinformation umfasst, und
• - eine Schlüsseleinheit zum Bestimmen des Schlüssels als einen Index der vorverarbeiteten ersten Quellinformation innerhalb der Teilmenge, die die vorverarbeitete erste Quellinformation umfasst.

A further embodiment of the invention relates to a device for generating a key with perfect security, the device comprising:

• a preprocessing unit for preprocessing a first source information with a preprocessing channel which corresponds to a marginal distribution estimated based on the first source information,
• a partitioning unit for partitioning a set of possible preprocessed first source information into a set of subsets, the elements of the subsets being codewords of (n, ε) codes of a composite channel based on statistics of the source and preprocessing channel, and the elements of each subset have a constant composition,
• a helper data unit for determining helper data as an index of the subset comprising the pre-processed first source information, and
• a key unit for determining the key as an index of the preprocessed first source information within the subset comprising the preprocessed first source information.

This device is also referred to below as a key generation device.

• - eine Partitionierungseinheit zum Bereitstellen der Partitionierung der Schlüsselgenerierungsvorrichtung,
• - eine Identifikationseinheit zum Identifizieren einer ausgewählten Teilmenge basierend auf den Helferdaten als Index, und
• - eine Schlüsseleinheit zum Verwenden des zusammengesetzten Kanalcodes, der zu der ausgewählten Teilmenge korrespondiert, um die zweite Quellinformation zu decodieren und den geschätzten Schlüssel zu erhalten.

A further embodiment of the invention relates to a device for estimating a key based on a second source information and helper data generated with a key generation device, the device comprising:

• a partitioning unit for providing the partitioning of the key generation device,
• an identification unit for identifying a selected subset based on the helper data as an index, and
• a key unit for using the composite channel code corresponding to the selected subset to decode the second source information and obtain the estimated key.

A further embodiment of the invention relates to a system of the above-mentioned device for generating a key with perfect security and the device for estimating a key, wherein both devices use the same partitioning of the set of possible source information.

list of figures

• 1 eine schematische Darstellung eines Systems zur Registrierung und Authentifizierung eines Benutzers,
• 2 eine schematische Darstellung eines Systems zum verschlüsselten Speichern von Daten,
• 3 ein Blockdiagramm einer Vorrichtung zum Generieren eines Schlüssels,
• 4 ein Blockdiagramm einer Vorverarbeitungseinheit der Vorrichtung aus 3
• 5 eine schematische Darstellung einer Partitionierung einer Menge von möglichen vorverarbeiteten Quellinformationen,
• 6 ein Flussdiagramm eines Verfahrens zur Generierung eines Schlüssels, und
• 7 ein Flussdiagramm eines Verfahrens zum Schätzen eines Schlüssels.

Further advantages and features of the present invention will become apparent from the following description, in which embodiments of the invention will be explained with reference to the accompanying figures. Show:

• 1 a schematic representation of a system for registration and authentication of a user,
• 2 a schematic representation of a system for encrypted storage of data,
• 3 a block diagram of a device for generating a key,
• 4 a block diagram of a pre-processing unit of the device 3
• 5 a schematic representation of a partitioning of a set of possible preprocessed source information,
• 6 a flowchart of a method for generating a key, and
• 7 a flowchart of a method for estimating a key.

1 shows a system 100 to register and authenticate a user. The system includes a discrete multi-source memoryless source 110 (discrete memoryless multiple source, DMMS), a first system 102 to register the user, a second system 104 for authentication of the user as well as a public database 140 , The DMMS 110 generates a random variable X ⁿ during the registration phase and a random variable Y ⁿ during the authentication. The first random variable X ⁿ represents a first source information.

The first system 102 receives the random variable X ⁿ and an ID of the user in an encoder 110 , The encoder generates an ID a key Kund a helper information M. The key K is provided by a first one-way function 130 and the processed key f (K) together with the ID and helper information M in a public database 140 stored.

During the authentication phase it receives a decoder 150 of the second system 104 a random variable Y ⁿ representing second source information. The encoder also receives the ID of the user from the outside and uses this ID from the public database to retrieve the helper information M and the processed key f (K). The decoder generates an estimated key K from M and Y ⁿ . This is powered by a second one-way function 160 that the first one-way function 130 corresponds, processes and in a comparison unit 170 compared with the processed key f (K). The result of the comparison is output and signals whether the authentication was successful.

2 shows a system 200 for encrypted storage of data. The system includes a compound DMMS 210 , an encoder 220 , a public database 230 and a decoder 240 , The encoder 220 is configured to store data based on first source information X ⁿ from the compound DMMS 210 to encrypt and the encrypted data D in the public database 230 store. The encrypted data D can then be from a decoder 240 decrypt based on a (eg later obtained) second source information Y ⁿ to obtain the decrypted data D. The decrypted data D should match the original data D.

The following is an illustration of the authentication process.

3 shows a block diagram of a device 300 to generate a key. The device 300 includes a preprocessing unit 310 , an encoder 320 , a one-way function 322 , a database 330 and a decoder 340 , The preprocessing unit 310 is configured to pre-process a first information source X ^n, and ⁿ to obtain the pre-processed source information U. This is used by the encoder to obtain the key K and helper information M. The key K is processed by the one-way function f and together with the helper information M in the database 330 stored. There she can from the decoder 340 be retrieved. The decoder 340 also obtains a second source information Y ⁿ and thus can estimate a key K.

4 Figure 12 is a block diagram of the preprocessing unit of the apparatus 3 , The preprocessing unit 410 includes a unit 410 for estimating a marginal distribution ŝ. This becomes the channel preprocessing unit 420 made available. This also receives the second source information X ⁿ and thus can calculate the output data U ⁿ resulting from the use of the preprocessing channel V _ŝ .

und den deterministischen Decoder

Gegeben ein s ∈ S, das für legitime Benutzer nicht bekannt ist, werden für eine Zeitdauer n ∈ ℕ die Zufallsvariablen M und K generiert aus $Y_s^n$

unter Verwendung von ψ. Das Tripel (Φ, Θ, ψ) bezeichnen wir im Folgenden als zusammengesetztes Authentifizierungsprotokoll.A composite authentication model includes a set G of discrete memoryless multiple source (DMMS) with generic variables (X, Y) _s (all on the same alphabets X and Y), s ∈ S, and the (possibly randomized) encoders

and the deterministic decoder

Given s ∈ S, which is not known to legitimate users, the random variables M and K are generated for a period of time n ∈ ℕ $Y_s^n$

using ψ. The triple (Φ, Θ, ψ) is referred to below as a composite authentication protocol.

The distribution (X, Y) _s , s ∈ S is assumed to be known and can be used for the definition of the encoders and decoders.

$$I\left(M;K\right)\le \mathrm{\delta }$$

$$\frac{1}{n}I\left(M;X^n\right)\le L+\mathrm{\delta }\mathrm{.}$$

A tuple (R, L), R, L ≥ 0 is a few of an achievable secret key rate. Loss of privacy rate for the composite authentication model, if for each δ> 0 and all n ∈ N that are large enough, a composite Authentication protocol exists, so that for all s ∈ S: $$\text{pr}\left(K=\widehat{K}\right)\ge 1-\mathrm{\delta }$$

$$I\left(M;K\right)\le \mathrm{\delta }$$

$$\frac{1}{n}I\left(M;X^n\right)\le L+\mathrm{\delta }\mathrm{,}$$

This corresponds to the assumption in a known algorithm in which perfect security can not be achieved (the mutual information between M and K can be greater than zero). In the following, we call the associated authentication protocol Strong-Secrecy-Authentication-Protocol (SSA-Protocol). The set of all achievable rate pairs is the capacity region

für ŝ ∈ S. Die Mengen

bilden eine Partitionierung von S, da sie die Äquivalenzklassen für die zugehörige Äquivalenzrelation darstellen. Die Menge der Repräsentanten bezeichnen wir als Ŝ.For a given set G of DMMS we define the set

for ŝ ∈ S. The sets

form a partitioning of S, since they represent the equivalence classes for the associated equivalence relation. We call the set of representatives Ŝ.

The following applies:

gilt, dass U_ŝ - X_s - Y_s und

For all ŝ ∈ Ŝ the union is over all random variables U _ŝ , so for all

holds that U _ŝ - X _s - Y _s and

For perfect security and an even distribution of the key:

$$\text{log}\left|K\right|=H\left(K\right)$$

$$I\left(M;K\right)=0$$

$$\frac{1}{n}\text{log}\left|K\right|\ge R-\mathrm{\delta }$$

$$\frac{1}{n}I\left(M;X^n\right)\le L+\mathrm{\delta }\mathrm{.}$$

A tuple (R, L), R, L ≥ 0 is a few of an achievable secret key rate. Loss of privacy rate for the composite authentication model, if for each δ> 0 and all n ∈ N that are large enough, a composite authentication protocol exists, such that for all s ∈ S: $$\text{pr}\left(K=\widehat{K}\right)\ge 1-\mathrm{\delta }$$

$$\text{log}\left|K\right|=H\left(K\right)$$

$$I\left(M;K\right)=0$$

$$\frac{1}{n}\text{log}\left|K\right|\ge R-\mathrm{\delta }$$

$$\frac{1}{n}I\left(M;X^n\right)\le L+\mathrm{\delta }\mathrm{,}$$

genannt. Es kann gezeigt werden, dass

We call the associated authentication protocol Perfect Secrecy Authentication Protocol (PSA protocol). The set of all achievable rate pairs becomes the capacity region

called. It can be shown that

5 shows a schematic representation of a partitioning of a set U ⁿ of possible preprocessed source information. The set comprises seven subsets C _{m, ŝ} . The three subsets with the same index ŝ _{1 have the} same size and the four subsets with the same index ŝ ₂ have the same size. Overall, the subsets C _{m, ŝ} do not necessarily completely cover the entire set U ⁿ , ie there may be u ⁿ that can not be assigned to a subset C _{m, ŝ} .

6 is a detailed flowchart of a method 600 for generating a Key with perfect security. This method can be performed using a previously provided partitioning of the possible preprocessed source information, eg, partitioning as in FIG 5 shown.

After the start 602 In a first step, data is measured and read in as vector x ⁿ 604. This may, for example, be a fingerprint of a finger of a human hand, or it may be the output of a physically nonclonable function (physical-unclonable function, PUF), as can be realized in a chip, for example.

This is followed by preprocessing of the measured data x ⁿ .

To become here in one step 606 in preprocessing, the data is used to estimate the measured data x ⁿ , to estimate the marginal distribution P _{X of} the underlying compound DMMS. Thus, uncertainty about the source and an influence of an attacker on the source can be taken into account. The estimate is referred to below as ŝ.

This will be done in a next step 608 a Kanal associated channel V _ŝ determined. For example, this can be selected from a database of possible channels V based on ŝ a suitable channel V _ŝ . For example, suitable channels V _{ŝ may be} determined by a brute force method, ie by testing all possible channels and optimizing a target function. The optimization of the objective function can take place for example as follows: An (achievable) rate is defined. The optimization problem now is to find the amount of V _ŝ that minimizes the privacy leakage while satisfying the constraint that the rate is as high as set at the beginning.

Given ŝ, the system uses x ⁿ as input to the preprocessing channel V _ŝ . The associated output of the channel is hereafter referred to as u ⁿ . In a further step 610 the output u _{n is} generated, eg by applying the channel V _ŝ n times to each element of the vector x _n .

To define the encoder, the set of all possible preprocessed data U ^{n is} partitioned. Each of the subsets corresponds to a ŝ. All subsets that correspond to the same ŝ are the same size. They include codewords corresponding to a constant composition code for the composite channel, all of which W _s = P _{Y s | U ŝ} , s ∈ | (ŝ). This partitioning of the possible preprocessed data is preferably carried out "offline", ie before the partitioning is preferably calculated only once and then stored in a memory.

In a further step 612 the pre-processed data u _n be sought in the subsets.

It is in a decision step 614 determines whether the preprocessed data u _{n is contained} in the union of the subsets.

If the preprocessed data u _{n are} not contained in the union of the subsets, the secret key k is randomly chosen 616 according to a uniform distribution and the helper data m arbitrarily determined. Further, k and m are output 618 and the method ends in an end step 620 ,

If the preprocessed data u _{n is contained} in the union of the subsets, then for the helper data m the index of the subset C _{m is} selected 622 containing u _n .

In a further step 624 the helper data m is output.

In another decision step 626 it is determined whether the size of the subset containing u _m corresponds to a smallest size of all subsets. If no, a deterministic mapping is used 628 to the message set of the composite channel codes, corresponding to C _m, on K (which is the message set of the composite channel code which corresponds to the smallest C _m corresponds to) the message to u ⁿ corresponds to mapping to the key k. In this case, the prototype has the same size for each k ∈ K of this mapping and is as large as possible. Subsequently, k is output 630.

If the size of the subset containing u _m corresponds to a smallest size of all subsets, the method continues with one step 632 in which the message belonging to u ^{n of} the corresponding channel code is selected for k.

Subsequently, in an output step 634 k and the process ends in step 636 ,

7 shows a flowchart of a method 700 to estimate a key based on second source information and an auxiliary message.

After the start 702 be in a first step 704 y ⁿ and m are read. For example, it may be at y ⁿ to read data from a fingerprint act of a person who previously with the in 6 has registered procedures. The helper data m may have been retrieved from a database, eg in a database which has stored the helper data m as belonging to the ID of said person.

In a further step 706 For example, the composite channel code corresponding to C _{m is} used to decode y _n . The subsets C _m correspond to the subsets C _m , the process 600 out 6 used to generate the local key k and helper data m.

If the size of the subset C _m that corresponds to the helper data m does not correspond to a smallest size of all subsets 708, the method continues with a further step 710 in which the deterministic mapping is applied to the decoded message. Then, as the estimated secret key k, this result is selected. Subsequently, in an output step 712 k spent.

If the size of the subset C _m that corresponds to the helper data m corresponds to a smallest size of all subsets, the decoded message k is selected as the estimated secret key k 714. Subsequently, in an output step 716 k spent.

The procedure ends in step 718 ,

In the following, it will be explained in detail in an example how an above-mentioned partitioning of the possible preprocessed source information is determined and the preprocessing can be carried out.

lass U_ŝ, X_s und Y_s Zufallsvariablen sein, wobei (X, Y)_s der Ausgang des DMSS in G sind mit dem Index s. Weiterhin sind X_S und U_ŝ verbunden durch den Kanal

und es sei

Für ein δ > 0, für ein n groß genug und

die Indexmenge der Teilmengen C_m kann dann eine Menge

gewählt werden, die

nicht-überlappende Teilmengen C_m mit den folgenden Eigenschaften hat:

• - Wir betrachten eine Partition der Menge von allen Mengen C_m in |Ŝ| Teilmengen. Wir bezeichnen die Mengen C_m als C_m,ŝ, wobei ŝ ∈ Ŝ angibt, zu welcher Teilmenge sie gehören. Wir bezeichnen die Menge von Indizes m, die zu ŝ korrespondieren, als
  
• - Für jedes C_m,ŝ haben wir
  
• - Jedes C_m,ŝ besteht aus Sequenzen vom selben Typ.
• - Es gilt, dass
  
  und alle ŝ ∈ Ŝ.
• - Es können Paare von Abbildungen, die zusammengesetzt (n, ε)-Codes sind, definiert werden für alle Kanäle
  
  auf die folgende Weise definiert werden: Definieren eine (beliebige) bijektive Abbildung f_m: {1··· |C_m,ŝ|} → C_m,ŝ und eine zugehörige Abbildung ϕ_m: yⁿ → {1··· |C_m,ŝ|}. Dann ist (f_m,ϕ_m) so ein Code. Das bedeutet, dass $W_s^n\left({\varphi }_m^{-1}\left(f_m^{-1}\left(u^n\right)\right)|u^n\right)\ge 1-\in$
  
  für alle Codewörter uⁿ in C_m,ŝ.

For ŝ ∈ Ŝ and all

Let U _ŝ , X _s and Y _{s be} random variables, where (X, Y) _{s are} the output of the DMSS in G with the index s. Furthermore, X _S and U _{ŝ are} connected by the channel

and it is

For a δ> 0, for a n big enough and

the index set of subsets C _m can then be an amount

be chosen, the

non-overlapping subsets C _m with the following properties:

• - Consider a partition of the set of all sets C _m in | Ŝ | Subsets. We denote the sets C _m as C _{m, ŝ} , where ŝ ∈ Ŝ indicates to which subset they belong. We denote the set of indices m that correspond to ŝ as
  
• - For every C _{m, ŝ} we have
  
• - Each C _{m, ŝ} consists of sequences of the same type.
• - It is true that
  
  and all ŝ ∈ Ŝ.
• - Pairs of mappings that are composed (n, ε) codes can be defined for all channels
  
  Define an (arbitrary) bijective map f _m : {1 ··· | C _{m, ŝ} |} → C _{m, ŝ} and an associated map φ _m : y ⁿ → {1 ··· | C _{m, ŝ} |}. Then (f _m , φ _m ) is such a code. It means that $W_s^n\left({\phi }_m^{-1}\left(f_m^{-1}\left(u^n\right)\right)|u^n\right)\ge 1-\in$
  
  for all codewords u ⁿ in C _{m, ŝ} .

Thus, encoders and decoders Φ, Θ and ψ can be defined.

für ein ŝ∈Ŝ, wobei ξ' klein genug und n groß genug gewählt werden können, so dass

nicht-überlappend sind. Wenn dies für ŝ wahr ist, wird der Kanal V_ŝ verwendet, um uⁿ aus xⁿ zu generieren. Für Φ sucht das System in C nach uⁿ. Fall uⁿ ∉ C setzt es m = 0. Ebenso wird m = 0 gesetzt, wenn

We define Φ and Θ as follows. The system receives a sequence x _n . It checks if

for a ŝ∈Ŝ, where ξ 'can be chosen small enough and n big enough, so that

are non-overlapping. If true for ŝ, the channel V _{ŝ is} used to generate u ⁿ from x ⁿ . For Φ, the system looks for C u ^n. Case u ⁿ ∉ C it sets m = 0. Similarly, m = 0 is set if

wählt das System für k die Nachricht, die zu dem Codewort in diesem Code korrespondiert. Falls

wird eine deterministische Abbildung

angewendet. Diese Abbildung ist so definiert, dass für jedes

das Urbild von h_m eine Teilmenge von C_m,ŝ ist mit der Größe

For Θ, the system looks for C u _n. If u _n ∈ C, it considers the (n, ε) code that corresponds to the subset C _{m, ŝ} that contains u ⁿ . If

For k, the system selects the message corresponding to the codeword in that code. If

becomes a deterministic image

applied. This illustration is defined for each

the prototype of h _{m is} a subset of C _{m, ŝ} is the size

Falls uⁿ ∉ C, dann wird k zufällig gewählt gemäß einer gleichförmigen Verteilung auf dem Alphabet. Das Gleiche gilt, wenn uⁿ auf k̃ abgebildet wird oder wenn

The remainder of u ⁿ ∈ C _{m, ŝ} is mapped to a

If u ⁿ ∉ C, then k is chosen randomly according to a uniform distribution on the alphabet. The same applies if u ^{n is} mapped to k or if

We define ψ as follows: The system receives a sequence y ⁿ and the helper data m. When m ≠ 0, it decodes y ⁿ using the code corresponding to C _{m, ŝ} . The same mapping h _m is used as in the definition of Θ, if necessary. The result is k if it is different from k. If the result is k or if m = 0 then k is chosen randomly according to a uniform distribution on the alphabet.

Compound memory model

$$I\left(D;\overline{D}\right)=\mathrm{0}$$

$$\frac{1}{n}I\left(\overline{D};X^n\right)\le L+\mathrm{\delta }\mathrm{.}$$

A tuple (R, L), R, L ≥ 0 is a pair of achievable secret key rate. Loss of privacy rate for the compound memory model, if for each δ> 0 and all n ∈ N that are large enough, a composite authentication protocol exists, such that for all s ∈ S: $$\text{pr}\left(D=\widehat{D}\right)\ge 1-\mathrm{\delta }$$

$$I\left(D;\overline{D}\right)=\mathrm{0}$$

$$\frac{1}{n}I\left(\overline{D};X^n\right)\le L+\mathrm{\delta }\mathrm{,}$$

genannt. Es kann gezeigt werden, dass

The corresponding memory protocol is called Perfect-Secrecy-Storage-Protocol (PSS-protocol). The set of all achievable rate pairs becomes the capacity region

called. It can be shown that

• - K und M werden generiert wie für PSA-Protokolle,
• - D wird aus K, M und D generiert, indem zuerst K und D mit einer Modulo-Addition kombiniert werden. D ist dann das Tupel aus M und dem Ergebnis der Kombination.
• - Der Decoder verwendet M um Yⁿ zu decodieren und verwendet das Ergebnis um die Kombination des vorherigen Schritts zu invertieren.

For PSS protocols, the following design scheme can be used:

• - K and M are generated as for PSA protocols,
• - D is generated from K, M and D by first combining K and D with a modulo addition. D is then the tuple of M and the result of the combination.
• The decoder uses M to decode Y ⁿ and uses the result to invert the combination of the previous step.

Capacity-reaching PSS protocols can be constructed as described above for capacity-achieving PSA protocols.

Claims (14)

A method for generating a key with perfect security, the method comprising: preprocessing (610) a first source information with a preprocessing channel that belongs to a corresponding to a marginal distribution estimated based on the first source information; providing a partition of a set of possible preprocessed first source information into a set of subsets, the elements of the subsets being codewords of (n, ε) codes of a composite channel based on statistics of the Source (110, 210) and preprocessing channel, and the elements of each subset have a constant composition, determining (622) helper data as an index of the subset comprising the preprocessed first source information, and determining (632) the key as an index of the pre-processed first source information within the subset comprising the pre-processed first source information. Method according to Claim 1 , where the composite channel results from a series connection of the statistics of the source (110, 210) and the preprocessing channel. Method according to Claim 1 or 2 wherein estimating the marginal distribution comprises selecting a probability distribution from a set of predefined probability distributions (608). The method of any one of the preceding claims, wherein if none of the subsets comprises the preprocessed first source information, the helper data and / or the key are generated at random (616). Method according to one of the preceding claims, wherein if the size of the subset comprising the preprocessed first source information does not correspond to a smallest size of all subsets, a deterministic mapping is used to map the index of the preprocessed first source information within the subset to the key (628). The method of any one of the preceding claims, wherein the method is a method of storing data and comprises combining the data and the key with a modulo addition. Method according to one of the preceding claims, wherein the first source information is a user identification information and includes the method to store the key in a public user database (140, 230, 330). Method according to one of the preceding claims, wherein the first source information is a biometric information about a user, in particular information about a fingerprint. A method of estimating a key based on second source information and helper data generated by a key generation method of any one of the preceding claims, the method comprising: Providing the partitioning used by the key generation method, Identifying a selected subset of the partitioning based on the helper data as an index, and - using (706) the composite channel code corresponding to the selected subset to decode the second source information and obtain the estimated key. Method according to Claim 9 , where the composite channel results from a series connection of the statistics of the source and the preprocessing channel. Method according to Claim 9 or 10 wherein when the size of the subset corresponding to the helper data as an index does not correspond to a smallest size of all subsets, a deterministic map is used to map the decoded second source information to the estimated key (710). A device for generating a key with perfect security, the device comprising: a preprocessing unit (310, 400) for preprocessing (610) a first source information with a preprocessing channel that corresponds to a marginal distribution estimated based on the first source information, a partitioning unit for providing partitioning of a set of possible preprocessed first source information into a set of subsets, the elements of the subsets being codewords of (n, ε) codes of a composite channel based on statistics of the source (110, 210) and the preprocessing channel, and the elements of each subset have a constant composition, a helper data unit for determining helper data as an index of the subset comprising the pre-processed first source information, and a key unit for determining the key as an index of the preprocessed first source information within the subset comprising the preprocessed first source information. Apparatus for estimating a key based on second source information and helper data provided with a key generation apparatus Claim 12 generated, the device comprising: a partitioning unit for providing the partitioning of the key generation device, an identification unit for identifying a selected subset based on the helper data as an index, and a key unit for using the composite channel code corresponding to the selected subset to decode the second source information and the estimated one To get keys. Computer program product for calculating a key, in the execution of which a method according to one of Claims 1 to 11 is performed.

Images