This document and the information therein are the property of Morpho. They must not be copied or communicated to a third party without the prior written authorization of Morpho.
SHADE: Secure HAmming DistancE computation from oblivious transfer
Julien Bringer, Hervé Chabanne, Alain Patey
Workshop on Applied Homomorphic Cryptography (WAHC'13), Apr. 1st, 2013
Work partially funded by the ANR SecuLar project and by the European FP7 FIDELITY project
OUTLINE
• Motivations
  • Secure Biometric Recognition
• Secure Computation of Hamming distances: previous proposals
  • Homomorphic Encryption
  • Garbled Circuits
• SHADE
  • The basic scheme
  • The fully-secure scheme
Alain Patey / 01/04/2013 / WAHC'13
Motivations
BIOMETRIC MATCHING
• Biometrics: images are encoded into feature vectors
• Biometric matching: computation of a similarity measure between two vectors
  • Hamming distance
  • Euclidean distance
  • Scalar product
  • …
EXAMPLE: IRIS
• Iriscodes: 256-byte code + 256-byte mask
• Mask indicates (in)exploitable data: eyelids, eyelashes, blurred pixels…
• Similarity measure between (X1, M1) and (X2, M2): normalized Hamming distance
  HD(X1, X2) = |(X1 ⨁ X2) ∩ M1 ∩ M2| / |M1 ∩ M2|
John Daugman: How iris recognition works. IEEE Trans. Circuits Syst. Video Techn. (TCSV) 14(1):21-30 (2004)
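The masked, normalized Hamming distance of this slide, as an added example that is not code from the deck. The iriscodes and masks are constructed 256-byte test vectors, the re-capture noise model and the occluded mask are made up for the demonstration, and the 0.32 decision threshold is an illustrative value rather than a figure from the slides:

```python
# Added example, not code from the slides: the masked, normalized Hamming
# distance used for iris matching. Iriscodes are 256-byte codes plus 256-byte
# masks; every input below is a constructed test vector, not real iris data.
import random

CODE_BYTES = 256


def _bits(b: bytes) -> int:
    return int.from_bytes(b, "big")


def _popcount(v: int) -> int:
    return bin(v).count("1")


def masked_hamming_distance(x1: bytes, m1: bytes, x2: bytes, m2: bytes) -> float:
    """HD(X1, X2) = |(X1 xor X2) and M1 and M2| / |M1 and M2|.

    A mask bit set to 1 marks an exploitable code bit. A position masked out
    in either sample is dropped from numerator and denominator alike, so the
    result stays a ratio in [0, 1] whatever the occlusion (eyelids, lashes...).
    """
    if not (len(x1) == len(m1) == len(x2) == len(m2) == CODE_BYTES):
        raise ValueError("iriscodes and masks must be %d bytes each" % CODE_BYTES)
    common = _bits(m1) & _bits(m2)
    usable = _popcount(common)
    if usable == 0:
        # Edge case: no bit is exploitable in both samples. There is nothing to
        # compare, so refuse instead of turning 0/0 into a "perfect match".
        raise ValueError("masks have no exploitable bit in common")
    disagreements = _popcount((_bits(x1) ^ _bits(x2)) & common)
    return disagreements / usable


def is_match(hd: float, threshold: float = 0.32) -> bool:
    """Accept when the normalized distance is below the decision threshold.

    The 0.32 default is an illustrative value chosen for this example, not a
    figure from the slides; a deployment derives it from its own error rates.
    """
    return hd < threshold


def constructed_samples(seed: int = 7):
    """Build a genuine pair (the same code re-captured with ~8% bit noise and a
    partially occluded mask) and an unrelated impostor code. Constructed data."""
    rng = random.Random(seed)
    code = bytes(rng.getrandbits(8) for _ in range(CODE_BYTES))
    full_mask = b"\xff" * CODE_BYTES
    # Re-capture: each bit flips independently with probability 0.08.
    noise = bytes(sum((rng.random() < 0.08) << k for k in range(8)) for _ in range(CODE_BYTES))
    recapture = bytes(c ^ n for c, n in zip(code, noise))
    # First quarter of the template hidden by the eyelid in the re-capture.
    occluded_mask = b"\x00" * (CODE_BYTES // 4) + b"\xff" * (CODE_BYTES - CODE_BYTES // 4)
    impostor = bytes(rng.getrandbits(8) for _ in range(CODE_BYTES))
    return code, full_mask, recapture, occluded_mask, impostor


if __name__ == "__main__":
    code, m_full, recap, m_occ, impostor = constructed_samples()
    genuine = masked_hamming_distance(code, m_full, recap, m_occ)
    impostor_hd = masked_hamming_distance(code, m_full, impostor, m_full)
    print("genuine HD = %.3f -> match=%s" % (genuine, is_match(genuine)))
    print("impostor HD = %.3f -> match=%s" % (impostor_hd, is_match(impostor_hd)))
```

Two things the formula alone does not make obvious: the denominator shrinks with the occlusion, so a heavily masked pair is compared on fewer bits and the score becomes noisier, and a pair with no common exploitable bits must be rejected outright rather than scored.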
EXAMPLE: FINGERPRINT
• Binary feature vector fingerprint representation: ~50,000-bit vectors
• Bits indicate presence/absence of given patterns
• Similarity measure: usual Hamming distance
Bringer, J. and Despiegel, V., Binary feature vector Fingerprint representation from minutiae vicinities, BTAS'10 (2010).
EXAMPLE: FACE
• Face: SCiFI project
• Approach similar to the approach of the previous slide
• 900-bit vectors (constant 180-bit weight)
• Similarity measure = usual Hamming distance
Margarita Osadchy, Benny Pinkas, Ayman Jarrous, Boaz Moskovich: SCiFI - A System for Secure Face Identification. IEEE Symposium on Security and Privacy 2010: 239-254
MOTIVATIONS FOR SECURE BIOMETRIC MATCHING
• Biometric data are extremely sensitive and hard to revoke
• But very useful for personal recognition
• Need for protection and usability at the same time ⇒ secure computation
• Applications
  • 1 vs N identification
  • Intersection of biometric databases
  • Deduplication
  • Anonymous access control
  • …
Secure Hamming Distance Computation: Previous proposals
SETTING
Server: binary string X = (x1, …, xn), e.g. 100110011101
Client: binary string Y = (y1, …, yn), e.g. 110010010101
Secure computation. Output: dH(X,Y) = Σ (xi ⨁ yi)
• Output learned either by C, S or both
• Privacy: one party does not learn information about the other party's input (except the result)
Homomorphic Encryption
XOR-LY / ADDITIVELY HOMOMORPHIC ENCRYPTION
• E = homomorphic cryptosystem
• Goal: compute E(X ⨁ Y) (or E(dH(X,Y))) from E(X) and Y (or from E(X) and E(Y)), where X and Y are bit strings
• No efficient homomorphic cryptosystem does this straightforwardly:
  • Goldwasser-Micali: XOR over bits
  • Paillier: addition over integers
• Use of additively homomorphic encryption (Paillier and extensions):
  • E(X).E(Y) = E(X+Y)
  • E(X)^Y = E(X.Y)
SECURE HAMMING DISTANCE USING HOMOMORPHIC ENCRYPTION
Client input: X = (x1, …, xn), sk, pk
Server input: Y = (y1, …, yn), pk
1. Data encryption (client): sends E(x1), …, E(xn) to the server
2. Computation over encrypted data (server): for i = 1..n, E(xi ⨁ yi) = E(xi)^(1-2yi) . E(yi)
   E(dH(X,Y)) = E(Σ (xi ⨁ yi)) = Π E(xi ⨁ yi); sends E(dH(X,Y)) to the client
3. Result decryption (client): decryption using sk. Output: dH(X,Y)
Recall: for x, y ∈ {0,1}, x ⊕ y = x + y - 2x.y
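The three phases of this slide run end to end, as an added example that is not code from the deck. It uses a from-scratch Paillier cryptosystem with g = n + 1; the two primes (the Mersenne primes 2^89-1 and 2^107-1) are fixed toy parameters chosen here so the script is deterministic and fast, not a key size the slides recommend (the summary slide puts real ciphertexts at 2048 bits or more):

```python
# Added example, not code from the slides: the three phases of the slide on a
# from-scratch Paillier cryptosystem with g = n + 1. The primes are the
# Mersenne primes 2^89-1 and 2^107-1, fixed toy parameters (assumption); a
# deployment generates fresh random primes giving n of at least 2048 bits.
import math
import secrets

P = (1 << 89) - 1
Q = (1 << 107) - 1


def keygen(p=P, q=Q):
    """Public key (n, n^2); secret key (lambda, mu) with lambda = lcm(p-1, q-1)."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    # With g = n + 1, L(g^lambda mod n^2) = lambda mod n, so mu = lambda^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n2), (lam, mu)


def encrypt(pk, m):
    """E(m) = (1+n)^m * r^n mod n^2 for a fresh random r coprime to n."""
    n, n2 = pk
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2  # (1+n)^m = 1 + m*n mod n^2


def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, n2 = pk
    lam, mu = sk
    return (pow(c, lam, n2) - 1) // n * mu % n


def client_encrypt_bits(pk, X):
    """Phase 1 (client): one ciphertext per bit, E(x1), ..., E(xn)."""
    return [encrypt(pk, x) for x in X]


def server_hamming_over_ciphertexts(pk, enc_X, Y):
    """Phase 2 (server): E(dH(X,Y)) = prod_i E(xi xor yi), where
    E(xi xor yi) = E(xi)^(1 - 2 yi) . E(yi) comes from xi xor yi = xi + yi - 2 xi yi."""
    n, n2 = pk
    acc = encrypt(pk, 0)  # fresh E(0): re-randomizes the final product
    for c_x, y in zip(enc_X, Y):
        # The exponent 1 - 2y is +1 (y = 0) or -1 (y = 1); a negative exponent
        # is the modular inverse of the ciphertext, i.e. E(-xi) = E(n - xi).
        c_x_pow = c_x if y == 0 else pow(c_x, -1, n2)
        c_xor = c_x_pow * encrypt(pk, y) % n2
        acc = acc * c_xor % n2
    return acc


def secure_hamming_distance(X, Y):
    """Run the protocol: the client keeps sk, the server only ever sees ciphertexts."""
    if len(X) != len(Y):
        raise ValueError("strings must have the same length")
    pk, sk = keygen()
    enc_X = client_encrypt_bits(pk, X)                     # client -> server
    enc_d = server_hamming_over_ciphertexts(pk, enc_X, Y)  # server -> client
    return decrypt(pk, sk, enc_d)                           # phase 3 (client)


def hamming(X, Y):
    """Plain reference, used only to check the result."""
    return sum(a ^ b for a, b in zip(X, Y))


if __name__ == "__main__":
    X = [1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1]  # the strings drawn on the setting slide
    Y = [1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1]
    print("secure:", secure_hamming_distance(X, Y), "plain:", hamming(X, Y))
```

The server never decrypts anything: the y = 1 branch is a modular inversion of a ciphertext, which the additive homomorphism turns into a negation of the plaintext, and the running product sums the n XOR bits inside the encryption. Note that the server learns nothing about the result either, which is why the deck lists "output learned by C, S or both" as a design choice rather than a given.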
Yao's Protocol
1-OUT-OF-2 OBLIVIOUS TRANSFER
Sender inputs: strings X0 and X1. Sender output: ∅
Receiver input: bit b. Receiver output: Xb
• Sender does not learn b
• Receiver learns nothing about X(1-b)
GARBLED CIRCUITS
• Garbled circuits: "encrypted" binary circuits
  • Random keys are associated with wires (one pair per wire)
  • Gates are encrypted using these keys
• S creates the garbled circuit: picks random keys and encrypts tables
• C evaluates the garbled circuit: decrypts the garbled tables using one key per input wire
  • Keys corresponding to S's inputs are directly sent to C
  • Keys corresponding to C's inputs are sent using 1-out-of-2 OT's
YAO'S PROTOCOL
Party 1: creates the garbled circuit; sends the garbled circuit and the labels of P1's inputs to Party 2
Party 2: obtains the labels of P2's inputs using 1-out-of-2 OT's; evaluates the garbled circuit; obtains f(X,Y)
(Optional) Party 2 sends f(X,Y) to Party 1
IMPLEMENTATION OF YAO'S PROTOCOL
• Garbling can be implemented using symmetric cryptography
• Optimizations: free XOR gates, 25% gate reduction
• 1-out-of-2 OT's can also be implemented using symmetric cryptography, after some preprocessing involving public-key cryptography
• Implementations are available: Fairplay, TASTY, Secure Computation Framework…
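A minimal garbling scheme of the kind the last three slides describe (one random label pair per wire, gate tables encrypted under the input labels, free XOR gates), applied to the Hamming distance of two 2-bit strings, as an added example that is not code from the deck or from any of the listed frameworks. SHA-256 stands in for the symmetric cipher, and the delivery of the evaluator's input labels is modelled by a plain function call; in Yao's protocol that step is the 1-out-of-2 OT, which is what keeps the garbler from learning the evaluator's bits:

```python
# Added example, not code from the slides: a toy garbling scheme with 128-bit
# wire labels, encrypted gate tables and free XOR gates, applied to the 2-bit
# Hamming distance circuit d1 = x1^y1, d2 = x2^y2, HD = 2*(d1 AND d2) + (d1 XOR d2).
# SHA-256 is the stand-in cipher. The evaluator's labels are handed over by a
# function that is given the bit (assumption); Yao's protocol uses 1-out-of-2
# OT there so the garbler never sees which label was requested.
import hashlib
import secrets
from typing import Dict, List, Tuple

LABEL = 16  # bytes per wire label


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Garbler:
    """Holds the global free-XOR offset delta; wire w carries w0 for 0 and w0 ^ delta for 1."""

    def __init__(self) -> None:
        self.delta = secrets.token_bytes(LABEL)
        self.w0: Dict[str, bytes] = {}  # wire name -> label encoding 0

    def new_wire(self, name: str) -> None:
        self.w0[name] = secrets.token_bytes(LABEL)

    def label(self, name: str, bit: int) -> bytes:
        return self.w0[name] if bit == 0 else xor(self.w0[name], self.delta)

    def xor_gate(self, a: str, b: str, out: str) -> None:
        # Free XOR: out0 = a0 ^ b0, hence a_va ^ b_vb = out0 ^ ((va ^ vb) * delta).
        self.w0[out] = xor(self.w0[a], self.w0[b])

    def and_gate(self, a: str, b: str, out: str, gate_id: bytes) -> List[bytes]:
        """Garbled table: row (va, vb) = H(id, a_va, b_vb) ^ (out_(va AND vb) || 0^16)."""
        self.new_wire(out)
        rows = []
        for va in (0, 1):
            for vb in (0, 1):
                pad = H(gate_id, self.label(a, va), self.label(b, vb))
                rows.append(xor(pad, self.label(out, va & vb) + bytes(LABEL)))
        secrets.SystemRandom().shuffle(rows)  # row order must not leak the inputs
        return rows

    def decoding(self, name: str) -> Dict[bytes, int]:
        """Output decoding table: hash of each output label -> plaintext bit."""
        return {H(b"out", self.label(name, v)): v for v in (0, 1)}


def eval_and(rows: List[bytes], gate_id: bytes, la: bytes, lb: bytes) -> bytes:
    """Evaluator: one label per input wire opens exactly one row (zero tag check)."""
    pad = H(gate_id, la, lb)
    for row in rows:
        pt = xor(pad, row)
        if pt[LABEL:] == bytes(LABEL):
            return pt[:LABEL]
    raise ValueError("no row decrypted: labels do not belong to this gate")


def garble_hd2(g: Garbler) -> dict:
    for w in ("x1", "x2", "y1", "y2"):
        g.new_wire(w)
    g.xor_gate("x1", "y1", "d1")
    g.xor_gate("x2", "y2", "d2")
    g.xor_gate("d1", "d2", "sum")                          # low bit, free
    table = g.and_gate("d1", "d2", "carry", b"gate:carry")  # high bit, one table
    return {"carry": table, "dec_sum": g.decoding("sum"), "dec_carry": g.decoding("carry")}


def evaluate_hd2(gc: dict, lx1: bytes, lx2: bytes, ly1: bytes, ly2: bytes) -> int:
    d1, d2 = xor(lx1, ly1), xor(lx2, ly2)
    s = xor(d1, d2)
    c = eval_and(gc["carry"], b"gate:carry", d1, d2)
    return 2 * gc["dec_carry"][H(b"out", c)] + gc["dec_sum"][H(b"out", s)]


def yao_hd2(x: Tuple[int, int], y: Tuple[int, int]) -> int:
    """Party 1 (garbler) holds x, party 2 (evaluator) holds y and learns HD(x, y)."""
    g = Garbler()
    gc = garble_hd2(g)
    lx1, lx2 = g.label("x1", x[0]), g.label("x2", x[1])  # sent directly
    ly1, ly2 = g.label("y1", y[0]), g.label("y2", y[1])  # modelled OT, see lead-in
    return evaluate_hd2(gc, lx1, lx2, ly1, ly2)
```

Only the AND gate costs a garbled table (four 32-byte rows here); the three XOR gates are evaluated by XOR-ing labels, which is the "free XOR" optimization, and the evaluator, holding a single label per wire, can decrypt exactly one row and learns nothing about the other input values. Scaling this to the deck's 900- or 2048-bit Hamming distances means an adder tree of garbled tables, which is where the >120 KB quoted later comes from.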
SUMMARY
• Additively homomorphic encryption
  • Bits are encrypted separately (ciphertexts are at least 2048-bit long)
  • Homomorphic operations are costly
  • Ciphertexts can be re-used (for another instance of the protocol or another functionality)
• Yao's protocol
  • Mostly symmetric cryptography
  • Garbled circuits not reusable
• Use of Yao's protocol for secure Hamming distance computation gives better performance than homomorphic encryption
Yan Huang, David Evans, Jonathan Katz, Lior Malka: Faster Secure Two-Party Computation Using Garbled Circuits. USENIX Security Symposium 2011
SHADE
TOWARDS SHADE
• Garbled circuits are big, even for the simple Hamming distance circuit
  • e.g. >120 KB bandwidth required for a 2048-bit Hamming distance
• When using Yao's protocol, the sender's inputs to the OT's are independent of the actual inputs X and Y
• Ideas:
  • Get rid of garbled circuits
  • Adapt the inputs of the OT's such that
    1. they are linked to the sender's bit-string
    2. the output of the i-th OT is linked to xi ⨁ yi
• Input of the server: (ri + xi, ri + (1 - xi))
• Input of the client: yi
• Output of the client: ri + (xi ⨁ yi)
PROTOCOL
Server: X = (x1, …, xn). Client: Y = (y1, …, yn)
Server selects random r1, …, rn
For i = 1, …, n: 1-out-of-2 oblivious transfer
  Server input: (ri + xi, ri + (xi ⨁ 1)). Server output: ∅
  Client input: yi. Client output: ti = ri + (xi ⨁ yi)
Server computes R = Σ ri. Client computes T = Σ ti (= R + HD(X,Y))
1st option: server sends R; client outputs T - R = HD(X,Y)
2nd option: client sends T; server outputs T - R = HD(X,Y)
REMARKS
• Overall cost: n OT's
• Privacy ensured in the semi-honest model
• Extension to several dH(X, Yj) at the same time: biometric 1 vs N identification
• Applicable to any function of the form:
  F(X,Y) = Σ λi fi(xi, yi)
  F(X,Y) = Π f(xi, yi)
COMPARISON TO PREVIOUS SOLUTIONS
After preprocessing, including optimizations
[Comparison chart of HE, Yao and SHADE: only the series labels survive extraction; the measured times are on the next slide]
COMPUTATION TIME
Comparison to Yao's protocol, for 900 bits:
• HE: ~310 ms
• Yao: ~20 ms
• SHADE: ~8 ms
SHADE: The fully-secure scheme (security against malicious adversaries)
COMMITTED OBLIVIOUS TRANSFER
Sender inputs: strings X0 and X1; random values r0, r1. Sender output: ∅
Receiver inputs: bit b; random value r. Receiver output: Xb; random value u
Common inputs: Com(X0, r0); Com(X1, r1); Com(b, r)
Common output: Com(Xb, u)
Kiraz, M.S., Schoenmakers, B., Villegas, J.: Efficient committed oblivious transfer of bit strings. In: ISC (2007)
HOMOMORPHIC COMMITMENT
• Additively homomorphic commitment: Com(x1, r1) . Com(x2, r2) = Com(x1 + x2, r1 + r2)
• Zero-knowledge proofs:
  • Proof that a commitment c commits to either x1 or x2. Here: proof that the committed value is a bit (0 or 1)
  • Proof that two committed values differ by 1
• Instantiation using the Paillier or ElGamal cryptosystem
FULLY SECURE SCHEME - 1ST STEP: COMMITMENT AND PROOFS OF CONSISTENCY
Server: X = (x1, …, xn). Client: Y = (y1, …, yn)
Client:
• Pick random values χ1, …, χn
• Compute and publish Com(yi, χi), i = 1…n
• Prove that the committed values are bits
Server:
• Pick random values α1, …, αn, β1, …, βn, r1, …, rn
• Compute and publish, for i = 1…n:
  • Ai = Com(ri + xi, αi)
  • Bi = Com(ri + (1 - xi), βi)
• Prove that the committed values differ by 1
State after this step:
• Common: Ai = Com(ai, αi); Bi = Com(bi, βi); Com(yi, χi)
• Server: xi; ri; ai = ri + xi; bi = ri + (1 - xi); αi; βi
• Client: yi; χi
FULLY SECURE SCHEME - 2ND STEP: COMMITTED OBLIVIOUS TRANSFERS
Common: Ai = Com(ai, αi); Bi = Com(bi, βi); Com(yi, χi)
Server: xi; ri; ai = ri + xi; bi = ri + (1 - xi); αi; βi
Client: yi; χi
n committed oblivious transfers, with common inputs Ai, Bi and Com(yi, χi)
Client output: ti = ri + (xi ⨁ yi); random values τi
Common output: Ci = Com(ti, τi)
FULLY SECURE SCHEME - 3RD STEP: HAMMING DISTANCE COMPUTATION (1ST OPTION)
Common: Ai = Com(ai, αi); Bi = Com(bi, βi); Ci = Com(ti, τi)
Server: ri; ai = ri + xi; bi = ri + (1 - xi); αi; βi
Client: ti = ri + (xi ⨁ yi); τi
Server:
• Compute R = r1 + … + rn
• Compute K = Com(2R + n, Σ(αi + βi))
• Send R and a proof that K commits to 2R + n
Client:
• Compute T = t1 + … + tn
• Compute K = A1…An B1…Bn
• Check the proof
• Output T - R = dH(X,Y)
Same mechanisms for the 2nd option
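The commitments of the 1st step and the consistency check of the 3rd step (1st option), as an added example that is not code from the deck. It uses an additively homomorphic Pedersen commitment Com(x, r) = g^x h^r in a prime-order subgroup, so values live in Z_q and T - R is computed mod q. Assumptions of this example: the group (p = 2039 = 2q + 1, q = 1019, g = 4, h = 9) is a toy parameter with no security, kept tiny for readability; a deployment uses a 256-bit prime-order group and derives h so that nobody knows log_g(h). The zero-knowledge proofs of the slides ("committed values are bits", "committed values differ by 1") are not implemented, the proof that K commits to 2R + n is replaced by the server simply opening K (a valid check, but not zero-knowledge), and the ti that the committed OTs of the 2nd step would deliver are computed directly from both parties' secrets since no COT is implemented:

```python
# Added example, not code from the slides: step 1 commitments and the step 3
# consistency check with a Pedersen commitment. Toy group parameters
# (assumption, no security); ZK proofs omitted, K is opened instead of proven;
# the t_i of step 2 are computed directly in place of committed OTs.
import secrets
from typing import List, Tuple

P, Q = 2039, 1019   # toy safe prime p = 2q + 1 (assumption)
G, Hg = 4, 9        # generators of the order-q subgroup (both quadratic residues)


def com(x: int, r: int) -> int:
    """Pedersen commitment; com(x1, r1) * com(x2, r2) == com(x1 + x2, r1 + r2) mod p."""
    return pow(G, x % Q, P) * pow(Hg, r % Q, P) % P


def rnd() -> int:
    return secrets.randbelow(Q)


class Server:
    def __init__(self, X: List[int]) -> None:
        self.X = X
        self.r = [rnd() for _ in X]       # r_i, the SHADE masks (in Z_q here)
        self.alpha = [rnd() for _ in X]   # randomness of A_i
        self.beta = [rnd() for _ in X]    # randomness of B_i

    def step1(self) -> Tuple[List[int], List[int]]:
        """A_i = Com(r_i + x_i, alpha_i), B_i = Com(r_i + (1 - x_i), beta_i)."""
        A = [com(r + x, a) for r, x, a in zip(self.r, self.X, self.alpha)]
        B = [com(r + 1 - x, b) for r, x, b in zip(self.r, self.X, self.beta)]
        return A, B

    def step3(self, cheat: int = 0) -> Tuple[int, int]:
        """Send R and the opening of K = Com(2R + n, sum(alpha_i + beta_i)).
        `cheat` shifts the announced R, to show what the client's check catches."""
        R = (sum(self.r) + cheat) % Q
        rho = sum(a + b for a, b in zip(self.alpha, self.beta)) % Q
        return R, rho


class Client:
    def __init__(self, Y: List[int]) -> None:
        self.Y = Y
        self.chi = [rnd() for _ in Y]
        self.t: List[int] = []

    def step1(self) -> List[int]:
        """Com(y_i, chi_i), i = 1..n (the bit proofs are omitted, see lead-in)."""
        return [com(y, c) for y, c in zip(self.Y, self.chi)]

    def step3(self, A: List[int], B: List[int], R: int, rho: int) -> int:
        """Recompute K = A_1...A_n B_1...B_n, check it opens to 2R + n, output T - R."""
        n = len(A)
        K = 1
        for v in A + B:
            K = K * v % P
        # A_i B_i = Com(2 r_i + 1, alpha_i + beta_i), so the product commits to
        # 2R + n: a server cannot announce an R other than the one it masked with.
        if K != com(2 * R + n, rho):
            raise ValueError("R is inconsistent with the step-1 commitments")
        T = sum(self.t) % Q
        return (T - R) % Q


def run(X: List[int], Y: List[int], cheat: int = 0) -> int:
    """Steps 1 and 3 of the 1st option; returns the client's output dH(X, Y)."""
    server, client = Server(X), Client(Y)
    A, B = server.step1()
    client.step1()
    # Step 2 stand-in: what the n committed OTs would deliver to the client.
    client.t = [(r + (x ^ y)) % Q for r, x, y in zip(server.r, X, Y)]
    R, rho = server.step3(cheat)
    return client.step3(A, B, R, rho)
```

The point of the check is that R is fixed, up to the binding of the commitment, by the Ai and Bi published before any OT ran: a server that later announces a different R to bias the client's output fails the comparison, which is what `run(X, Y, cheat=1)` exercises.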
CONCLUSION
• Most efficient secure Hamming distance computation in the semi-honest model
• Applicable to any linear combination of bit-wise independent functions
• Non-reusable, like garbled circuits, unlike homomorphic encryption
• Adaptation to the malicious model using additive homomorphic encryption and zero-knowledge
• Applications to secure image/signal processing, in particular biometric identification
THANK YOU FOR YOUR ATTENTION
Questions?