Transcript Slides - Ari Juels

A Fuzzy Commitment
Scheme
Ari Juels
RSA Laboratories
Marty Wattenberg
328 W. 19th Street,
NYC
Biometrics
Biometric authentication:
Computer Authentication through
Measurement of Biological Characteristics
Types of biometric authentication
u
Fingerprint scanning
Iris scanning
u
Voice recognition
u
Face recognition
Body odor
Many others...
u
u
u
Authenticating...
Enrollment / Registration
Alice
Template t
Enrollment / Registration
Alice
Server
Authentication
Server
Authentication
Alice
Server
Server verifies against template
?

The Problem...
Template theft
Limited password changes
First password
Second password
Templates represent intrinsic
information about you
Alice
Theft of template is theft of identity
Towards a solution
UNIX protection of passwords
“password” “password”h(“password”)
“Password”
Template protection?
h(
)
Fingerprint is variable
u
u
u
Differing angles of presentation
Differing amounts of pressure
Chapped skin

Don’t have exact key!
We need “fuzzy” commitment
(
)
Seems counterintuitive
Cryptographic (hash) function
scrambles bits to produce randomlooking structure, but
“Fuzziness” or error resistance means
high degree of local structure
Error Correcting Codes
Noisy channel
s”
“ Alice, I love… crypto
Bob
Alice
Error correcting codes
“ 110 ”
Bob
Alice
Function g adds redundancy
C
M
g
110
g
111 111c 000
Bob
3 bits
Message space
9 bits
Codeword space
Error correcting codes
1 ”
0 111 000
“ 111
Bob
Alice
Function f corrects errors
C
101 111 100
Alice
f
111 111 000
f
c
Alice uses
-1
g to
retrieve message
C
g-1
Alice
M
Alice cgets original, uncorrupted message
110
9 bits
3 bits
Constructing C
Idea:
Treat template like message
W
g
C(t) = h(g(t))
What do we get?
“Fuzziness” of error-correcting code
Security of hash function-based
commitment
Problems
Davida, Frankel, and Matt (‘97)
Results in very large error-correcting
code
Do not get good fuzziness
Cannot prove security easily
Don’t really have access to “message”!
Our (counterintuitive) idea:
Express template as “corrupted” codeword
Never use message space!
Express template as “corrupted”
codeword
W
t=w+
w

t
h(w)
Idea: hash most significant part
for security
t=w+

Idea: leave some local information in clear
for “fuzziness”
How we use fuzzy
commitment...
Computing fuzzy hash of
template t
Choose w at random
Compute  = t - w
Store (h(w), ) as commitment
(h(w),)
Verification of fingerprint t’
Retrieve C(t) = (h(w), )
Try to decommit using t’:
– Compute w’ = f(t’ - )
– Is h(w’) = h(w)?

?
Characteristics of
Provably strong security
– I.e., nothing to steal
Good fuzziness (say, 17%)
Simplicity
Open problems
What do template and error distributions
really look like?
What other uses are there for fuzzy
commitment?
– Graphical passwords
Questions?