helper data schemes for privacy preserving biometrics

Helper data schemes for privacy-preserving biometrics, Boris Škorić

Helper data schemes for privacy-preserving biometrics. Boris Škorić, TU Eindhoven. van der Meulen seminar, Leuven, December 2011. Outline: Security with noisy data - biometrics & privacy - Physical Unclonable Functions (PUFs)


  1. Helper data schemes for privacy-preserving biometrics. Boris Škorić, TU Eindhoven. van der Meulen seminar, Leuven, December 2011

  2. Outline • “Security with noisy data” - biometrics & privacy - Physical Unclonable Functions (PUFs) - anti-counterfeiting • Secure Sketches & Fuzzy Extractors - basics - Leftover Hash Lemma - some easy constructions

  4. Example A: biometric authentication • Biometrics are not really secret - easy to obtain - don’t entrust important secrets to biometric key • ... but have to be treated confidentially - privacy legislation - large databases, insider attacks • Solution - treat biometric authentication same as Unix passwords - store hash of {biometric + salt} • Problem - noisy measurements - hash has no noise tolerance

  5. PUFs • Relatively new security primitive (Pappu 2001) • Physical Unclonable Function - complex piece of material - challenge-response pairs (CRPs) - difficult to characterize (“opaque”) - difficult to clone physically - difficult to emulate (“mathematical unclonability”) • Various applications - authentication token - anti-counterfeiting - secure key storage - software to hardware binding - tamper evidence

  6. (figure panels) • Optical PUF: Pappu 2001 • Silicon PUF: [Gassend et al. 2002] • Coating PUF (TiO2, TiN): Posch 1998; Tuyls et al. 2006 • SRAM PUF: Guajardo et al.; Su et al. 2007 • FPGA ‘butterfly’ PUF: Kumar et al. 2008

  9. Anti-counterfeiting Traditional approach: • add authenticity mark to product • all marks are identical • hard to forge } Er, ... WTF? Imagine your company needs a security label ... • how do you know what you are buying? - nobody discloses technology details - there is no “AES” for anti-counterfeiting - perfect market for snake oil • by the way, many of the suppliers are Chinese

  10. From a Chinese company webpage: is a high-tech company which is professional in laser security. (...) We can supply our clients with the comprehensive products in this field, such as: hologram label design, hologram master shooting, related professional equipments and related hologram materials. (...) And our clients are quite satisfied with our products and services. We are sure that we can meet your demands as well. Welcome to visit our company.Any more requirements, please connect us.

  12. Example B: anti-counterfeiting with bare PUFs • Unique marks [Bauder, Simmons < 1991] - uncontrollable process - even manufacturer cannot clone Certificate • digitally signed by Enrollment Authority. • Two-step verification - check signature of Authority - check the mark. • Forgery needs either - physical cloning - or fake signature. • Allows open approach - no longer security-by-obscurity. Manufacturer afraid to reveal product properties • just like biometric privacy • store hash of {mark + salt} → problem with noise

  13. Example C: remote authentication with bare PUF • Eve has occasional access to the PUF • Alice has {c_i, S_i}; Bob has the PUF • Alice: random i; sends c_i • Bob: check if c_i is replay; measure PUF response S’ • Authenticated channel; MAC key S_i • Never use c_i again • PUF serves as huge repository of keys • Problem: noisy measurements!

  14. Example D: Read-proof key storage Device secrets stored during off state • attacker has full access • assumption: digital NV memory is insecure Derive encryption key from Silicon/Coating PUF • only when needed • non-digital, hard to read from outside • tampering destroys key • Physically Obfuscated Key (POK) (figure: insecure NV-mem holding E_K[Device secrets]; integrated components: POK, sensor, crypto processor; key K; Noise!)

  15. Secure Sketches & Fuzzy Extractors

  16. A special kind of noise correction (Juels, Wattenberg 1999; Dodis, Reyzin, Smith 2003; Linnartz, Tuyls 2003) Redundancy data • required for error correction • created at enrollment • assumed public! (stored e.g. in DB) • must not leak Secure Sketch: X → SS → W (helper data); X’, W → Rec → X̂ • Prob[X̂ ≠ X] is low • I(W; X) is small Fuzzy Extractor: X → Gen → S, W (helper data); X’, W → Rep → S’ • Prob[S’ ≠ S] is low • I(W; S) is small • don’t care about I(W; X)

  17. Which technique to use, SS or FE? (table columns: Application; privacy of X?; uniform secret?; Technique) • authentication by password: ∎; One-Way Function • biometric authentication: ∎; Secure Sketch + OWF • anticounterfeiting PUF: ∎; Secure Sketch + OWF • anticounterfeiting PUF: ---; bare PUF • PUF authent. w/o MACs: ---; bare PUF • PUF authent. with MACs: ∎; Fuzzy Extractor • POK: ∎; Fuzzy Extractor

  18. Privacy-preserving biometric database • Enrollment: W_i = SS(X_i); database columns: ID | helper data | salt | hash; rows: 1 | W_1 | c_1 | H_1 = h(c_1||X_1) ... n | W_n | c_n | H_n = h(c_n||X_n) • Authentication: X̂_i = Rec(X’_i, W_i); compute h(c_i||X̂_i); compare with H_i → yes/no

  20. Helper Data; some intuition SS: X → SS → W; X’, W → Rec → X̂. FE: X → Gen → S, W; X’, W → Rep → S’. (figure: noisy measurement X split into a stable part and a noisy part; labels W and key) Helper Data reveals noisy part of X. • SS: How much privacy is lost? Not so bad: - W is subject to noise anyway - many people may have same W • FE: How much of the key is leaked? Zero if W, S derived from independent parts of X

  22. Bluff your way in Secure Sketches Discrete non-uniform noisy X. Enrollment phase: w ← SS(x) (figure labels: x, w)

  25. Reconstruction phase: x̂ = Rep(x’, w) (figure labels: x̂, x’, w)

  27. Secure Sketch: privacy of X How much does W leak? • position of X in a tile (figure label: w) How bad is that? • generally not so bad • “least significant bits” • subject to noise anyway • attacker must guess which tile Can you do without helper data? • only if all enrollments occur first • but then the tiling itself leaks

  28. Fuzzy Extractor: generic construction from SS (Dodis, Reyzin, Smith 2003) • Gen: W = SS(X); random r; S = UHF(X, r) • public: W, r • Rep: x̂ = Rec(X’, W); S’ = UHF(x̂, r) • UHF = universal hash function

  29. Almost Universal Hash Functions • $\Phi : \mathcal{X} \times \mathcal{R} \to \mathcal{T}$ is called $\eta$-almost universal if, for fixed $x, x'$: $\mathrm{Prob}[\Phi_R(x) = \Phi_R(x')] \le \eta$ • Called Universal for $\eta = 1/|\mathcal{T}|$ (Carter, Wegman 1979) • Leftover hash lemma: if $F : \mathcal{X} \times \mathcal{R} \to \{0,1\}^{\ell}$ is $2^{-\ell}(1+\delta)$-almost universal, then $\Delta\big(F(X,R)\,Y R;\; U_{\ell}\,Y R\big) \le \tfrac{1}{2}\sqrt{\delta + 2^{\ell - \tilde{H}_2(X|Y)}}$ • Distance of F(X,R) from uniformity, given Y and R

  30. Extractable randomness Invert the leftover hash lemma: $\ell^{\varepsilon}_{\mathrm{ext}}(X|Y) \ge \tilde{H}_2(X|Y) + 2 - 2\log\frac{1}{\varepsilon}$, where $2 - 2\log\frac{1}{\varepsilon}$ is the penalty due to uniformity requirement. Rather bad • $H_2$ ≤ Shannon entropy • Penalty term depends on target ε, not on uniformity improvement.
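The leftover hash lemma and its inversion can be checked numerically on a small case. The following is an added example, not part of the original slides: it assumes δ = 0, no side information Y, the family of all ℓ×n binary matrices over GF(2) as the universal hash, and a constructed 6-bit source `P`; all function names are hypothetical.

```python
import itertools
import math

def collision_entropy(p):
    """H_2(X) = -log2 sum_x p(x)^2."""
    return -math.log2(sum(q * q for q in p.values()))

def hash_gf2(rows, x):
    """F(x, r): matrix-vector product over GF(2); each row of r and x are bit masks."""
    return tuple(bin(row & x).count("1") & 1 for row in rows)

def distance_from_uniform(p, n, ell):
    """Exact Delta(F(X,R) R ; U_ell R): average over every ell-by-n binary matrix r."""
    total, count = 0.0, 0
    for rows in itertools.product(range(2 ** n), repeat=ell):
        out = {}
        for x, q in p.items():
            t = hash_gf2(rows, x)
            out[t] = out.get(t, 0.0) + q
        unseen = 2 ** ell - len(out)          # outputs that never occur for this r
        total += 0.5 * (sum(abs(v - 2 ** -ell) for v in out.values())
                        + unseen * 2 ** -ell)
        count += 1
    return total / count

def lhl_bound(p, ell, delta=0.0):
    """Right-hand side of the lemma: 1/2 * sqrt(delta + 2^(ell - H_2))."""
    return 0.5 * math.sqrt(delta + 2 ** (ell - collision_entropy(p)))

def extractable_bits(p, eps):
    """Inverted lemma: H_2 + 2 - 2 log2(1/eps)."""
    return collision_entropy(p) + 2 - 2 * math.log2(1 / eps)

# Constructed non-uniform source on 6-bit values: 16 likely and 32 less likely points.
N, ELL = 6, 2
P = {x: 1 / 32 for x in range(16)}
P.update({x: 1 / 64 for x in range(16, 48)})

if __name__ == "__main__":
    print("H_2 =", collision_entropy(P))
    print("distance =", distance_from_uniform(P, N, ELL), "bound =", lhl_bound(P, ELL))
    print("extractable bits at eps=0.1:", extractable_bits(P, 0.1))
```

For a target ε = 0.1 the penalty term alone costs about 4.6 bits, regardless of how close to uniform the source already is.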

  31. Basic examples of Fuzzy Extractors

  32. Code offset method • X = binary string • Use a linear ECC Enrollment • random key s • encode to c_s • w = c_s - x Reconstruction • s’ = decode(x’ + w)
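The code offset method, used as the secure sketch inside the privacy-preserving biometric database of slide 18, can be sketched as follows. This is an added example, not code from the original slides: the 5-fold repetition code, SHA-256 as h, the 20-bit sample vectors and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

REP = 5  # toy linear ECC (assumed): repetition code, corrects 2 flips per 5-bit block

def encode(s):
    return [b for b in s for _ in range(REP)]

def decode(c):  # majority vote per block
    return [int(sum(c[i:i + REP]) > REP // 2) for i in range(0, len(c), REP)]

def xor(a, b):  # for binary strings, both "+" and "-" on the slide are XOR
    return [p ^ q for p, q in zip(a, b)]

def sketch(x):
    """Enrollment: random key s, encode to c_s, helper data w = c_s - x."""
    s = [secrets.randbits(1) for _ in range(len(x) // REP)]
    return s, xor(encode(s), x)

def recover(x_noisy, w):
    """Reconstruction: s' = decode(x' + w), then x_hat = c_{s'} - w."""
    s2 = decode(xor(x_noisy, w))
    return s2, xor(encode(s2), w)

def h(salt, x):
    return hashlib.sha256(salt + bytes(x)).digest()

def enroll(db, user_id, x):
    _, w = sketch(x)                      # key s is discarded: used as a sketch only
    salt = secrets.token_bytes(16)
    db[user_id] = (w, salt, h(salt, x))   # row: W_i, c_i, H_i = h(c_i || X_i)

def authenticate(db, user_id, x_noisy):
    w, salt, stored = db[user_id]
    _, x_hat = recover(x_noisy, w)
    return hmac.compare_digest(h(salt, x_hat), stored)

# Constructed sample data: a 20-bit "biometric" and two noisy re-measurements.
X = [1, 0, 1, 1, 0,  0, 0, 1, 0, 1,  1, 1, 1, 0, 0,  0, 1, 0, 0, 1]
X_CLOSE = [b ^ (i in (2, 13)) for i, b in enumerate(X)]   # one flip in two blocks
X_FAR = [b ^ (i in (5, 6, 7)) for i, b in enumerate(X)]   # three flips in one block

if __name__ == "__main__":
    db = {}
    enroll(db, 1, X)
    print(authenticate(db, 1, X_CLOSE), authenticate(db, 1, X_FAR))
```

With this toy code each 5-bit block of w determines the matching block of x up to one unknown bit, which makes the helper data leakage discussed on the privacy slides concrete; a real deployment would use a higher-rate code.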

  34. Fuzzy Extractor purely from UHFs (BŠ, Tuyls 2008) (figure labels: helper data; MAC key; MAC on w)

  35. Fuzzy Extractor from partitions (Verbitskiy, Tuyls, Obi, Schoenmakers, BŠ 2008) • First partition: equiprobable keys • 2nd partition: helper data, equiprob. subpartitions • S | W=w is uniform

  36. Protecting the helper data (no PKI): “robustness” of helper data (Boyen 2005) • Enrollment: w = SS(x); store w and h = hash(x, w) • attack: w, h → w’, h’ • Reconstruction: x̂ = Rec(x’, w’); check h’ == hash(x̂, w’) • Random oracle model
