Skip to Main Content
Boston University
  • Bostonia
  • BU Today
  • The Brink
  • University Publications

    • Bostonia
    • BU Today
    • The Brink
  • School & College Publications

    • CFA Magazine
    • The Record
    • Arts & Sciences Magazine
    • InsideSargent
    • COM / 365
Other Publications
BU Today
  • Sections
News, Opinion, Community

The safety of fuzzy secrets

NSF awards $400,000 to take cryptography to next level

March 17, 2006
  • Chris Berdik
Twitter Facebook
Leo Reyzin was rewarded for thinking outside of the cryptographic box.

Every day, millions of Americans log into “secure” Web pages and computer databases — from personal e-mail to bank accounts to corporate files — using passwords that are amalgamations of initials, birthdays, and the names of pets or children. If it’s a particularly important or complex password, they may write it down, as 64 percent of respondents in a 2003 survey by SearchSecurity.Com said they did.

All this makes for a very insecure world of computer-stored data, according to Leonid Reyzin, a College of Arts and Sciences assistant professor of computer science and a cryptographer. “The problem with passwords is that there’s an inherent conflict between a secure password and an easy-to-remember password, and you want both,” says Reyzin.

He argues that attaining real computer security requires a new approach to cryptography, and the National Science Foundation (NSF) agrees. It has awarded Reyzin a 2006 CAREER Award, $400,000 over the next five years, to pursue a collection of research initiatives titled Cryptography Outside the Box. Some of Cryptography Outside the Box will attempt to improve “cryptographic models,” the mathematical approximations of real-world computer-user and hacker habits and capabilities, which are used to prove, mathematically, that a particular computer security program works.

Traditionally, says Reyzin, these models make certain assumptions that just don’t hold up to reality. For instance, the models often falsely assume that computers themselves are “black boxes,” where, as Reyzin puts it, “whatever is computed inside doesn’t leak information until it’s sent out somewhere [such as the Internet].”

Unfortunately, research has shown that a hacker can discover secret, multidigit security keys just by measuring the electromagnetic radiation, power usage, and computation time of a computer running an encryption program. Another unrealistic assumption of cryptographic models is that computer users have access to perfectly random security keys that they can carry with them and recall at will and that are never stolen.

“That is, of course, very difficult to implement in real life,” says Reyzin. “We all know that we don’t actually carry around 60-digit secret keys. At best, we carry around some tiny little passwords in our heads that are not much good for security.” “Passwords are so easily guessed because we’re forcing [computer] users to remember them and remember them precisely,” he adds. He thinks a better solution might be so-called “fuzzy secrets,” such as answers to questionnaires, key stroke timing, or mouse-drawn sketches, which are not so easily guessed but allow for a certain degree of inexactness.

Consequently, turning fuzzy secrets into workable cryptographic tools is another focus of Cryptography Outside the Box. “There are many things that we as humans can remember very well, but not precisely,” Reyzin says. Fuzzy secrets can also include biometric measurements such as fingerprints and iris scans, which are very close but never exactly the same from measurement to measurement. While the secrets may be fuzzy, the potential payoff of better computer security is crystal clear.

According to the 2005 Computer Crime and Security Survey, conducted by the FBI and the San Francisco–based Computer Security Institute, 56 percent of surveyed companies, nonprofits, and government offices experienced a computer security breach in the past year, up from 53 percent in 2004, equaling an average loss of $204,000 per respondent. And the need for more security will only increase with the growing number of portable, and networked, computing devices, which are easily lost or stolen.

It was Edgar Allen Poe, with his keen interest in ciphers and enigmas, who predicted that “human ingenuity cannot concoct a cipher which human ingenuity cannot resolve.” Reyzin is optimistic that modern cryptography may eventually break that cycle.

“We’re starting to chip away at that idea that cryptography is sort of a cat-and-mouse game that continues forever,” he says, by proving the mettle of security tools with mathematical precision. Still, he admits, “[While a mathematical] proof is comforting, it’s only as good as how well the real world matches your model.”

 

Explore Related Topics:

  • Computers
  • Global
  • Share this story

Share

The safety of fuzzy secrets

Share

  • Twitter
  • Facebook
  • Reddit
  • LinkedIn
  • Email

Latest from BU Today

  • Accolades

    COM’s Michelle Sullivan Named 2025 Metcalf Award for Excellence in Teaching Winner

  • Student Life

    Conning an Aircraft Carrier. A Storm-Drenched Training Exercise. Graduating ROTC Students Reflect on Last Four Years

  • Commencement 2025

    The Ultimate Senior Bucket List

  • Commencement 2025

    Advice to the Class of 2025: “Make Your Existence Meaningful”

  • BU SPARK!

    Fashion Social Networking App Wins at Spring 2025 Spark! Demo Day

  • Commencement 2025

    Capture the Moment: Use #BU2025 to Shine on the Jumbotron at Commencement

  • Baseball

    Want to Hit a Red Sox Game? Here’s What You Need to Know (Bah! Bah! Bah!)

  • Marketing & Communications

    BU Students Promote New Ben & Jerry’s Treat Supporting Families with Autistic Children

  • University News

    BU Backs Lawsuit to Halt National Science Foundation Funding Cuts

  • Voices & Opinion

    The Catholic Church Elects Its First American Pope: What Should He Do First?

  • Commencement 2025

    BU Commencement 2025: Everything You Need to Know

  • Food & Dining

    Where to Eat in Boston During Commencement Weekend: No Reservation Required

  • Student Life

    BU Class on History of Boston Takes to a Storied Stage: Club Passim

  • Student Life

    From Napkins to Coat Check: Dining Etiquette for First-Gen Students

  • Athletics

    BU Softball Looks to Win Third Straight Patriot League Title

  • Things-to-do

    The Weekender: May 8 to 11

  • Watch Now

    How These Engineering Students Built a Solar-Powered Water Heater

  • Health & Medicine

    THC Content in Cannabis Has Surged: Here’s What You Need to Know

  • Sustainability

    Donate Unwanted Goods During Move-Out and Help Serve Your Community

  • Awards

    For Academic Advisor Award Winners, Students Are at the Heart of It All

Section navigation

  • Sections
  • Must Reads
  • Videos
  • Series
  • Close-ups
  • Archives
  • About + Contact
Get Our Email

Explore Our Publications

Bostonia

Boston University’s Alumni Magazine

BU Today

News, Opinion, Community

The Brink

Pioneering Research from Boston University

  • Twitter
  • Facebook
  • Youtube
  • LinkedIn
  • Instagram
  • Weibo
  • TikTok
© Boston University. All rights reserved. www.bu.edu
© 2026 Trustees of Boston UniversityPrivacy StatementAccessibility
Boston University
Notice of Non-Discrimination: Boston University prohibits discrimination and harassment on the basis of race, color, natural or protective hairstyle, religion, sex or gender, age, national origin, ethnicity, shared ancestry and ethnic characteristics, physical or mental disability, sexual orientation, gender identity and/or expression, genetic information, pregnancy or pregnancy-related condition, military service, marital, parental, veteran status, or any other legally protected status in any and all educational programs or activities operated by Boston University. Retaliation is also prohibited. Please refer questions or concerns about Title IX, discrimination based on any other status protected by law or BU policy, or retaliation to Boston University’s Executive Director of Equal Opportunity/Title IX Coordinator, at titleix@bu.edu or (617) 358-1796. Read Boston University’s full Notice of Nondiscrimination.
Search
Boston University Masterplate
loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.
The safety of fuzzy secrets
0
share this