NSF Workshop on Fundamental Research Challenges for Trustworthy Biometrics 2010
Cryptographic Tools for Noisy Data
Adam Smith
Pennsylvania State University
What are “cryptographic tools”?
• Cryptography remarkably successful at securing communication channels (e.g. SSL)
• More generally: securing computation
  - Encryption usually protects data but makes it “inert”
  - Since early 1980’s: secrecy and utility (trade-off?)
• What is crypto’s role in (research on) biometric systems?
  - Change the design space, e.g.
    • “Fuzzy” cryptography
    • Secure function evaluation
    • Noise-tolerant searchable encryption
    • Anonymization for statistical databases
  - Help make a “science” of biometrics: abstraction, models
“Fuzzy” cryptography
• Tools for dealing with biometrics as secrets or keys
  - Noisy!
  - Not uniformly random
  - Not easily revocable
    • 10 fingers, 2 eyes, 1 mother’s maiden name
  - Not exactly secret
• Example: fuzzy extractors
  - Dodis et al., 2004
  - Building on work by Juels and many others
[Figure: two readings of the same biometric, labelled “? =”]
Authentication
[Figure: Alice and Server; Server asks “How do I know you’re Alice?”; “?”]
Solution #1: Store a copy on server
Problem: Password in the Clear
Authentication
[Figure: Alice and Server; Server asks “How do I know you’re Alice?”; Server stores H( ) and checks H( ) ? = H( )]
Solution #2: Store a hash of password
Problem: No Error Tolerance
General Tool: Fuzzy Extractor
1. Error-correction: If x’ is “close” to x, then recover R
2. Secrecy: Given only P(x), the key R(x) looks random
Goals: - Maximize tolerance: how “far” x’ can be from x
       - Maximize length of key R(x)
       … given assumptions about x
[Figure: FE takes x and outputs P(x) (safe to release) and R(x) (key); Recover takes x’ and P(x) and outputs R(x)]
• What does “far” mean?
• What does attacker know about x?
Fuzzy Extractors and Authentication
[Figure: Alice presents a reading x’; Server (“How do I know you’re Alice?”) holds P(x), Hash(x) from the enrollment reading x; Recover → R(x) → Hash → ? = against the stored value]
• Analysis: Given assumptions about x, system is as secure as with regular passwords
What kinds of assumptions?
• X a random variable on $\{0,1\}^n$
• Probability of predicting X = $\max_x \Pr[X = x]$
• There are various ways to measure entropy
  - Min-entropy: $H_\infty(X) = -\log_2 \left(\max_x \Pr[X = x]\right)$
  - Uniform on $\{0,1\}^n$: $H_\infty(U_n) = n$
• “Password has min-entropy t” means that adversary’s probability of guessing the password is $2^{-t}$
• Passwords had better have high entropy!
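As an added worked example for this slide (written for this page, not code from the talk), the block below computes the guessing probability, the min-entropy $H_\infty$ and, for comparison, the Shannon entropy of a few constructed distributions: the uniform distribution $U_n$, a model of n independent but biased bits, and a made-up password-frequency table (`PASSWORDS`, constructed data). It shows why $2^{-H_\infty}$, not $2^{-H}$, is the adversary's best guessing probability.

```python
import math
from itertools import product


def guessing_probability(dist):
    """Best single guess: max_x Pr[X = x]."""
    return max(dist.values())


def min_entropy(dist):
    """H_inf(X) = -log2(max_x Pr[X = x]), in bits."""
    return -math.log2(guessing_probability(dist))


def shannon_entropy(dist):
    """H(X) = -sum_x Pr[X = x] log2 Pr[X = x]; never below H_inf(X)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def uniform_distribution(n):
    """U_n: every n-bit string with probability 2^-n (n kept small so the
    table fits in memory)."""
    return {bits: 2.0 ** -n for bits in product((0, 1), repeat=n)}


def biased_bits(n, p_one):
    """n independent bits, each equal to 1 with probability p_one: a
    constructed model of a sensor whose features are individually predictable."""
    dist = {}
    for bits in product((0, 1), repeat=n):
        ones = sum(bits)
        dist[bits] = p_one ** ones * (1 - p_one) ** (n - ones)
    return dist


# Constructed password table (not real data): one password is used by 5% of
# users, the remaining 95% are spread evenly over 10,000 distinct strings.
PASSWORDS = {"password": 0.05}
PASSWORDS.update({f"other{i}": 0.95 / 10_000 for i in range(10_000)})


if __name__ == "__main__":
    cases = [("U_8", uniform_distribution(8)),
             ("8 bits, Pr[1]=0.9", biased_bits(8, 0.9)),
             ("password table", PASSWORDS)]
    for name, d in cases:
        # For U_8 both entropies are 8; for the biased bits H_inf is about
        # 1.2 bits although Shannon entropy is about 3.75; for the password
        # table H_inf is -log2(0.05), about 4.3 bits, while Shannon entropy
        # is over 12 bits. Only H_inf bounds the guessing probability.
        print(f"{name:20s} H_inf = {min_entropy(d):5.2f}  "
              f"H = {shannon_entropy(d):5.2f}  "
              f"guess prob = {guessing_probability(d):.3g}")
```

The password table is the case the slide warns about: a distribution can have a large Shannon entropy and still be guessed on the first try with probability 0.05, which is exactly $2^{-H_\infty}$.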
Designing “fuzzy extractors”
• Building block: “secure sketch”
  - Short string S(x) (much shorter than x) that allows recovery for x’ “close to” x
• Need to specify what we mean by “close”
  - Current tools work for mathematically clean distance functions
• Research: using clean functions or finding new sketches
  - Only partly answered in literature
[Figure: x → S(x); x’ together with S(x) recovers x]
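The following added example (written for this page; it is not the talk's code and not the Dodis et al. implementation) ties together the secure sketch above, the fuzzy extractor of the earlier slide, and the authentication slide: a code-offset secure sketch built on a 3-fold repetition code under Hamming distance, a seeded hash standing in for the strong extractor (assumption: SHA-256 treated as a random function), and an enrollment/verification pair that stores only P(x) and Hash(R(x)). The 24-bit reading X, the code parameters and the names `fe_gen`, `fe_rep`, `enroll` and `verify` are all constructed for the example. It also shows why "close" must be pinned down: eight flips spread over all blocks are corrected, while two flips in one block are not.

```python
import hashlib
import hmac
import secrets

# Toy parameters (constructed for this example): K message bits, each repeated
# BLOCK times, giving N-bit codewords.  A real system would use a stronger
# code matched to the measured error rate of the sensor.
BLOCK = 3
K = 8
N = K * BLOCK


def encode(msg_bits):
    """Repetition code: write each of the K message bits BLOCK times."""
    return [b for b in msg_bits for _ in range(BLOCK)]


def decode(word_bits):
    """Majority vote: corrects up to (BLOCK-1)//2 flipped bits in each
    BLOCK-bit group, and silently miscorrects a group with more flips."""
    return [int(2 * sum(word_bits[i:i + BLOCK]) > BLOCK)
            for i in range(0, N, BLOCK)]


def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]


def hamming(a, b):
    return sum(u != v for u, v in zip(a, b))


def sketch(x):
    """Code-offset secure sketch: S(x) = x XOR c for a random codeword c.
    S(x) reveals at most N - K bits about x (the sketch's entropy loss), so
    x must have min-entropy comfortably above N - K for R to stay secret."""
    c = encode([secrets.randbelow(2) for _ in range(K)])
    return xor(x, c)


def recover(x_prime, s):
    """Rec(x', S): x' XOR S is a noisy codeword; decode, then undo the offset."""
    c = encode(decode(xor(x_prime, s)))
    return xor(s, c)


def extract(x, seed):
    """Stand-in for the strong extractor: a seeded hash of the recovered x."""
    return hashlib.sha256(seed + bytes(x)).digest()


def fe_gen(x):
    """Gen(x) -> (R, P): key R(x) and public helper P(x) = (S(x), seed)."""
    seed = secrets.token_bytes(16)
    return extract(x, seed), (sketch(x), seed)


def fe_rep(x_prime, p):
    """Rep(x', P) -> R, provided x' is within the code's correction radius."""
    s, seed = p
    return extract(recover(x_prime, s), seed)


# Solution #2 from the authentication slides: hash the reading, no tolerance.
def plain_hash_matches(x, x_prime):
    return hashlib.sha256(bytes(x)).digest() == hashlib.sha256(bytes(x_prime)).digest()


# Fuzzy-extractor authentication: the server stores P(x) and Hash(R(x)) only.
def enroll(x):
    r, p = fe_gen(x)
    return {"P": p, "hash_R": hashlib.sha256(r).digest()}


def verify(record, x_prime):
    r_prime = fe_rep(x_prime, record["P"])
    return hmac.compare_digest(hashlib.sha256(r_prime).digest(), record["hash_R"])


def flip(x, positions):
    y = list(x)
    for i in positions:
        y[i] ^= 1
    return y


# Constructed 24-bit enrollment reading; not real biometric data.
X = [int(ch) for ch in "110010100111010011001011"]

if __name__ == "__main__":
    rec = enroll(X)
    print("exact reading, plain hash:", plain_hash_matches(X, X))
    print("1 flipped bit, plain hash:", plain_hash_matches(X, flip(X, [5])))
    print("3 flips in 3 blocks, fuzzy:", verify(rec, flip(X, [0, 5, 22])))
    print("8 flips, one per block:   ", verify(rec, flip(X, range(0, N, BLOCK))))
    print("2 flips in one block:     ", verify(rec, flip(X, [0, 1])))
    print("sketch leaks at most", N - K, "bits of x")
```

The server-side record contains nothing that lets an attacker recover x directly, but S(x) does cost 16 of the reading's 24 bits of entropy, which is the point of the min-entropy slide: the key is only as long as what the sketch leaves over.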
“Fuzzy” cryptography
• Other tools: noise-tolerance integrated into
  - Encryption using biometrics as “keys”
  - Remote authentication
  - [lots of literature…]
• Features
  - clean abstraction
  - rigorous analysis of security leads to clear formulation of assumptions about attack model
• Of course, you may realize that assumptions are false!
Secure Function Evaluation
• Alice and Bob want to jointly compute some function f without leaking anything to each other about x or y, e.g.
  - y is a database of biometric templates
  - x is a measurement
  - f(x,y) = does there exist a matching template in the database?
• Started out inefficient (1980’s), now better [e.g., “Fairplay”]
  - Efficient implementations require tailored protocols
[Figure: Alice holds x, Bob holds y; both obtain f(x,y)]
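As an added example of a tailored protocol for exactly the f(x,y) on this slide (constructed for this page; it is not the talk's code and not Fairplay): a Diffie-Hellman-style private set membership test. Alice learns only whether her measurement x equals one of Bob's templates (and how many templates there are); Bob learns nothing about x under the decisional Diffie-Hellman assumption in the group used. Assumptions: templates match exactly (no noise tolerance; a fuzzy match would need a different protocol), both parties follow the protocol (semi-honest), and the prime `P = 2**255 - 19` with a plain hash-to-integer is a toy group choice for the demonstration, not a deployment parameter. `Alice`, `Bob`, `DATABASE` and the round names are all invented here.

```python
import hashlib
import secrets

# Toy group parameter (constructed): the multiplicative group modulo the
# prime 2^255 - 19.  A deployed protocol would use a prime-order elliptic
# curve group with a proper hash-to-curve.
P = 2 ** 255 - 19


def hash_to_group(template: bytes) -> int:
    """Map a template to an element in [2, P-2] (never 0 or 1)."""
    h = int.from_bytes(hashlib.sha256(template).digest(), "big")
    return 2 + h % (P - 3)


def random_exponent() -> int:
    """Secret scalar in [2, P-2]."""
    return 2 + secrets.randbelow(P - 3)


class Alice:
    """Holds a single measurement x."""

    def __init__(self, x: bytes):
        self.a = random_exponent()
        self.x = x

    def round1(self) -> int:
        # Send H(x)^a: a random-looking element that hides x from Bob.
        return pow(hash_to_group(self.x), self.a, P)

    def round3(self, x_ab: int, db_b: list) -> bool:
        # Raise each H(y_i)^b to a; a match is equality with H(x)^{ab}.
        return any(pow(v, self.a, P) == x_ab for v in db_b)


class Bob:
    """Holds the template database y."""

    def __init__(self, templates):
        self.b = random_exponent()
        self.templates = list(templates)

    def round2(self, x_a: int):
        # Return (H(x)^a)^b plus the masked database {H(y_i)^b}, shuffled so
        # Alice cannot learn which row matched (she still learns the size).
        masked = [pow(hash_to_group(y), self.b, P) for y in self.templates]
        secrets.SystemRandom().shuffle(masked)
        return pow(x_a, self.b, P), masked


def exists_matching_template(x: bytes, templates) -> bool:
    """Run the two-party exchange; Alice obtains f(x, y) = 'x is in y'."""
    alice, bob = Alice(x), Bob(templates)
    x_a = alice.round1()
    x_ab, db_b = bob.round2(x_a)
    return alice.round3(x_ab, db_b)


# Constructed templates, stand-ins for exact-match biometric templates.
DATABASE = [b"template-0041", b"template-0077", b"template-1234"]

if __name__ == "__main__":
    print("known template: ", exists_matching_template(b"template-0077", DATABASE))
    print("unknown reading:", exists_matching_template(b"template-9999", DATABASE))
```

Correctness rests on (H(x)^a)^b = (H(x)^b)^a mod P; the secrecy argument is the slide's point about assumptions made explicit: it holds only for passive parties and only in a group where DDH is believed hard, neither of which is given for free by a "secure" label.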
Noise-tolerant searchable encryption
• Functional encryption: Alice can delegate partial decryption abilities to Bob
  - e.g. delegate ability to check proximity according to a well-defined metric
• Powerful tool!
  - Devil is in the details: what functionality should we delegate? how do we measure proximity? who keeps the master key?
[Figure: Alice holds the master key sk and public key pk; Bob holds a delegated key sk_a; given Encryption_pk(b), Bob can answer “Is a close to b?”]
Crypto’s role in (research on) biometrics
• Change the design space
  - Very powerful, general tools
  - “Anything that doesn’t have inherent contradictions, you can do” (G. Itkis)
• Abstraction, modeling
  - What are the (implicit) assumptions?
• One issue:
[Figure: “People who understand biometrics” and “People who understand crypto”, joined by a “?”]
Questions for you?
Questions for you
• Are the assumptions that cryptographers make reasonable?
  - Clearly, not always. But identifying flawed assumptions is progress.
• How should crypto influence design space?
• How can we get different scientific communities to interact?
  - Well-defined challenges?
  - Common data sets?
• Ethical considerations?
  - Scalability of these tools raises new concerns
  - Should we think before we build? [rhetorical question.]