390 likes | 519 Views
C. A Fuzzy Commitment Scheme. Ari Juels RSA Laboratories. Marty Wattenberg 328 W. 19th Street, NYC. Biometrics. Biometric authentication : Computer Authentication through Measurement of Biological Characteristics. Fingerprint scanning. Iris scanning. Voice recognition.
E N D
C A Fuzzy Commitment Scheme Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC
Biometric authentication:Computer Authentication through Measurement of Biological Characteristics
Fingerprint scanning • Iris scanning • Voice recognition • Face recognition • Body odor Types of biometric authentication • Many others... Authenticating...
Alice Alice Enrollment / Registration Template t
Alice Alice Enrollment / Registration Server
Alice Authentication Server
Alice Alice Authentication Server
Alice Server verifies against template ?
Alice Template theft
First password Second password Limited password changes
Alice Alice Templates represent intrinsic information about you Theft of template is theft of identity
h h(“password”) “Password” UNIX protection of passwords “password” “password”
Alice Alice Alice Template protection? h h( )
Alice Fingerprint is variable • Differing angles of presentation • Differing amounts of pressure • Chapped skin Don’t have exact key!
( ) C C Alice Alice We need “fuzzy” commitment
Seems counterintuitive • Cryptographic (hash) function scrambles bits to producerandom-looking structure, but • “Fuzziness” or error resistance means high degree of local structure
“ Alice, I love… crypto ” s Alice Noisy channel Bob
“ 110 ” Alice Error correcting codes Bob
C M g 111 111 000 110 c 3 bits 9 bits g Message space Codeword space Function g adds redundancy Bob
“ 111 111 000 ” 1 Alice 0 Error correcting codes Bob
C f 111 111 000 f c Alice Function f corrects errors 101 111 100
M C g-1 Alice gets original, uncorrupted message 110 Alice Alice uses g-1to retrieve message c 9 bits 3 bits
g Alice Idea: Treat template like message W C(t) = h(g(t))
What do we get? • “Fuzziness” of error-correcting code • Security of hash function-based commitment
Problems Davida, Frankel, and Matt (‘97) • Results in very large error-correcting code • Do not get good fuzziness • Cannot prove security easily • Don’t really have access to “message”!
Our (counterintuitive) idea: • Express template as “corrupted” codeword • Never use message space!
Express template as “corrupted” codeword W t = w + w t
h(w) Idea: hash most significant part for security t = w + Idea: leave some local information in clear for “fuzziness”
C Alice (h(w),) Computing fuzzy hash oftemplate t • Choose w at random • Compute = t - w • Store (h(w), ) as commitment
Alice ? Verification of fingerprint t’ • Retrieve C(t) = (h(w), ) • Try to decommit using t’: • Compute w’ = f(t’ - ) • Is h(w’) = h(w)?
Alice • Provably strong security • I.e., nothing to steal C C Characteristics of • Good fuzziness (say, 17%) • Simplicity
Open problems • What do template and error distributions really look like? • What other uses are there for fuzzy commitment? • Graphical passwords