A Fuzzy Commitment

Ari Juels

RSA Laboratories


Marty Wattenberg

328 W. 19th Street, NYC


A Fuzzy Commitment Scheme

Biometrics

Biometric authentication: Computer Authentication through Measurement of Biological Characteristics

Types of biometric authentication

- Fingerprint scanning
- Iris scanning
- Voice recognition
- Face recognition
- Body odor
- Many others...


Authenticating...

Enrollment / Registration (diagram: Alice, Server, template t)

Authentication (diagram: Alice, Server)

Server verifies against template

The Problem...

Template theft

Limited password changes

First password

Second password

Templates represent intrinsic information about you

Theft of template is theft of identity

Towards a solution

UNIX protection of passwords

password

h(password)

Template protection?

h( )

Fingerprint is variable

- Differing angles of presentation
- Differing amounts of pressure
- Chapped skin

Don't have exact key!

We need fuzzy commitment ( )

Seems counterintuitive

Cryptographic (hash) function scrambles bits to produce random-looking structure, but

Fuzziness or error resistance means high degree of local structure

Error Correcting Codes

Noisy channel (diagram: Alice, Bob)

Alice, I love… crypto

Error correcting codes

Function g adds redundancy: 110 -> 111 111 000

g: message space M (3 bits) -> codeword space C (9 bits)

Error correcting codes

Function f corrects errors: corrupted 9-bit word -> codeword c in C

111 111 000 (sent) -> corrupted in the channel -> f -> 111 111 000


Alice uses g^-1 to retrieve message

g^-1: codeword space C (9 bits) -> message space M (3 bits)

Alice gets original, uncorrupted message 110

Constructing C

Idea: Treat template like message

C(t) = h(g(t))

What do we get?

Fuzziness of error-correcting code

Security of hash function-based commitment

Problems

Davida, Frankel, and Matt (

㤷9

Results in very large error-correcting code

Do not get good fuzziness

Cannot prove security easily

Don't really have access to message!

Our (counterintuitive) idea:

Express template as corrupted codeword

Never use message space!

Express template as corrupted codeword

t = w +

h(w)

Idea: hash most significant part for security

Idea: leave some local information in clear for fuzziness


How we use fuzzy commitment...

Computing fuzzy hash of template t

Choose w at random

Compute  = t - w

Store (h(w), ) as commitment


Verification of fingerprint t

Retrieve C(t) = (h(w), )

Try to decommit using t :

Compute w  = f(t  -  )

Is h(w ) = h(w)?
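The commit and verify steps above, as an added Python example that is not code from the slides or their authors. It assumes the 3-bit to 9-bit repetition code from the error-correcting-code slides, XOR as the bitwise "+" and "-", and SHA-256 as h; `delta` (the stored offset) and `t_new` (the fresh reading) are names chosen here.

```python
import hashlib
import hmac
import secrets

K, R = 3, 3  # toy code from the slides: 3 message bits -> 9-bit codewords


def g(msg):
    """Add redundancy: repeat each bit R times (110 -> 111 111 000)."""
    return [b for b in msg for _ in range(R)]


def f(word):
    """Correct errors: majority vote per block gives the nearest codeword."""
    out = []
    for i in range(0, len(word), R):
        bit = 1 if 2 * sum(word[i:i + R]) > R else 0
        out.extend([bit] * R)
    return out


def h(word):
    """Hash a bit list (SHA-256 is an assumption; the slides only say h)."""
    return hashlib.sha256(bytes(word)).digest()


def xor(a, b):
    """Over bit strings, both t - w and w + offset are a bitwise XOR."""
    return [x ^ y for x, y in zip(a, b)]


def commit(t):
    """Choose a random codeword w, store (h(w), delta) with delta = t - w."""
    w = g([secrets.randbelow(2) for _ in range(K)])
    return h(w), xor(t, w)


def verify(commitment, t_new):
    """Decode f(t_new - delta) and compare its hash with the stored h(w)."""
    hw, delta = commitment
    return hmac.compare_digest(h(f(xor(t_new, delta))), hw)


# Constructed 9-bit sample readings (not real biometric data)
T_ENROLL = [1, 0, 1, 1, 0, 0, 0, 1, 1]
T_NOISY = [1, 0, 0, 1, 0, 0, 1, 1, 1]  # one flipped bit in blocks 1 and 3
T_OTHER = [1, 1, 0, 1, 0, 0, 0, 1, 1]  # two flipped bits in block 1
```

With only 8 codewords, h(w) in this toy can be found by exhaustive search, so the parameters show the mechanics and not a secure instantiation.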

Characteristics of

Good fuzziness (say, 17%)

Simplicity

Provably strong security


I.e., nothing to steal


Open problems

What do template and error distributions really look like?

What other uses are there for fuzzy commitment?


Graphical passwords

Questions?