A Fuzzy Commitment

Ari Juels

RSA Laboratories


Marty Wattenberg

328 W. 19th Street,
NYC


A Fuzzy Commitment
Scheme

Biometrics



Biometric authentication
:

Computer Authentication through
Measurement of Biological Characteristics

u
Fingerprint scanning

u
Iris scanning

u
Voice recognition

Types of biometric authentication

u
Many others...

u
Face recognition

u
Body odor


Authenticating...

Enrollment / Registration

Template
t


Alice

Enrollment / Registration


Alice

Server

Authentication

Server

Authentication


Alice

Server

Server verifies against template



?

The Problem...

Template theft

Limited password changes

First password

Second password

Templates represent
intrinsic

information about
you


Alice

Theft of template is theft of identity

Towards a solution

“
password
”

UNIX protection of passwords

“
password
”

h(
“
password
”
)

“
Password
”

Template protection?

h( )

Fingerprint is variable

u
Differing angles of presentation

u
Differing amounts of pressure

u
Chapped skin



Don
’
t have exact key!

We need
“
fuzzy
”

commitment


( )

Seems counterintuitive

Cryptographic (hash) function
scrambles bits to produce

random
-
looking structure,
but

“
Fuzziness
”

or error resistance means
high degree of local structure

Error Correcting Codes



Noisy channel


Alice

Bob

“

Alice, I love… crypto
”

s

Error correcting codes


Alice

Bob

“

110
”

g

110

111 111 000

Function
g

adds redundancy

Bob



M

3 bits

C

9 bits

c

Message space

Codeword space

g

Error correcting codes


Alice

Bob

“

111 111 000
”

0

1

1
0
1 111
1
00

111 111 000

f

c

C

Function
f

corrects errors


Alice

f

Alice uses
g
-
1

to retrieve message

9 bits

C

M

3 bits


Alice

g
-
1

c

Alice gets original, uncorrupted message

110

Constructing C

Idea:

Treat template like message

W

g

C(t) = h(g(t))

What do we get?



“
Fuzziness
”

of error
-
correcting code

Security of hash function
-
based
commitment

Problems

Davida, Frankel, and Matt (
‘
㤷9

Results in very large error
-
correcting
code

Do not get good fuzziness

Cannot prove security easily

Don
’
t really have access to
“
message
”
!

Our (counterintuitive) idea:



Express template as
“
corrupted
”

codeword

Never use message space!

Express template as
“
corrupted
”

codeword

W

t

w

t = w +




t = w +


h(w)

Idea: hash most significant part

for security



Idea: leave some local information in clear

for
“
fuzziness
”

How we use fuzzy
commitment...

Computing fuzzy hash of

template
t

Choose w at random

Compute


= t
-

w

Store (h(w),

) as commitment

(h(w),

)


Verification of fingerprint
t
’

Retrieve C(t) =
(h(w),

)


Try to decommit using t
’
:

–
Compute
w
’

= f(t
’

-


)

–
Is h(w
’
) = h(w)?



?

Characteristics of

Good fuzziness (say, 17%)

Simplicity

Provably strong security

–
I.e., nothing to steal


Open problems

What do template and error distributions
really look like?

What other uses are there for fuzzy
commitment?

–
Graphical passwords

Questions?