A Fuzzy Commitment Scheme

C A Fuzzy Commitment Scheme Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC

Biometrics

Biometric authentication:Computer Authentication through Measurement of Biological Characteristics

Fingerprint scanning • Iris scanning • Voice recognition • Face recognition • Body odor Types of biometric authentication • Many others... Authenticating...

Alice Alice Enrollment / Registration Template t

Alice Alice Enrollment / Registration Server

Alice Authentication Server

Alice Alice Authentication Server

Alice Server verifies against template ? 

The Problem...

Alice Template theft

First password Second password Limited password changes

Alice Alice Templates represent intrinsic information about you Theft of template is theft of identity

Towards a solution

h h(“password”) “Password” UNIX protection of passwords “password” “password”

Alice Alice Alice Template protection? h h( )

 Alice Fingerprint is variable • Differing angles of presentation • Differing amounts of pressure • Chapped skin Don’t have exact key!

( ) C C Alice Alice We need “fuzzy” commitment

Seems counterintuitive • Cryptographic (hash) function scrambles bits to producerandom-looking structure, but • “Fuzziness” or error resistance means high degree of local structure

Error Correcting Codes

“ Alice, I love… crypto ” s Alice Noisy channel Bob

“ 110 ” Alice Error correcting codes Bob

C M g 111 111 000 110 c 3 bits 9 bits g Message space Codeword space Function g adds redundancy Bob

“ 111 111 000 ” 1 Alice 0 Error correcting codes Bob

C f 111 111 000 f c Alice Function f corrects errors 101 111 100

M C g-1 Alice gets original, uncorrupted message 110 Alice Alice uses g-1to retrieve message c 9 bits 3 bits

Constructing C

g Alice Idea: Treat template like message W C(t) = h(g(t))

What do we get? • “Fuzziness” of error-correcting code • Security of hash function-based commitment

Problems Davida, Frankel, and Matt (‘97) • Results in very large error-correcting code • Do not get good fuzziness • Cannot prove security easily • Don’t really have access to “message”!

Our (counterintuitive) idea: • Express template as “corrupted” codeword • Never use message space!

 Express template as “corrupted” codeword W t = w +  w t

h(w)  Idea: hash most significant part for security t = w +  Idea: leave some local information in clear for “fuzziness”

How we use fuzzy commitment...

C Alice (h(w),) Computing fuzzy hash oftemplate t • Choose w at random • Compute  = t - w • Store (h(w), ) as commitment

Alice ?  Verification of fingerprint t’ • Retrieve C(t) = (h(w), ) • Try to decommit using t’: • Compute w’ = f(t’ - ) • Is h(w’) = h(w)?

Alice • Provably strong security • I.e., nothing to steal C C Characteristics of • Good fuzziness (say, 17%) • Simplicity

Open problems • What do template and error distributions really look like? • What other uses are there for fuzzy commitment? • Graphical passwords

Questions?

A Fuzzy Commitment Scheme

A Fuzzy Commitment Scheme

Presentation Transcript

A Fuzzy Adventure

emergency commitment involuntary commitment

Carbon Reduction Commitment Energy Efficiency Scheme Overview

Schools and the Carbon Reduction Commitment Energy Efficiency Scheme (CRC)

Unconditionally S ecure First-Price Auction Protocols Using a Multicomponent Commitment Scheme

A Scheme Refresher

A Ten Year Commitment

Fuzzy Little Caterpillar Fuzzy Wuzzy ! Fuzzy Wuzzy ! Fuzzy little caterpillar,

Fuzzy Commitment

Commitment

NCI: A Growing Commitment

Professionalism: A Lifelong Commitment

Schools and the Carbon Reduction Commitment Energy Efficiency Scheme

A Pyramid Scheme?

GROWTH A STRONG COMMITMENT

A Single Commitment

FUZZY RELATIONS, FUZZY GRAPHS, AND FUZZY ARITHMETIC

A Commitment to Tourism

A Commitment to ATN

Commitment is a

A Commitment to Excellence