Multimedia Network Security Laboratory
An Application of the Goldwasser-Micali Cryptosystem to Biometric Authentication
Date: 2011.06.04
Reporter: Chien-Wen Huang
Source: The 12th Australasian Conference on Information Security and Privacy
Outline
1 Introduction
2 A New Security Model
3 A New Biometric-based Authentication Protocol
4 Conclusion
Introduction
In biometric-based cryptosystems, a user identifies or authenticates himself using his biometrics.
The biometric feature captured by a sensor (e.g. a camera for iris biometrics) will rarely be the same twice.
To enforce privacy, we wish biometric data to be hidden after their capture, so that an adversary is unable to find out who the real person is.
Most of these protocols use biometry for Identity-Based Encryption.
They rely on the assumption that biometric features belong to live users.
This assumption is not true in practice, as a user's biometric information, such as a fingerprint, can be easily captured in daily life.
A New Security Model
The system mainly consists of two parts: the client and the server.
registers his reference biometric template $b_i$
capturing the user's biometric and extracting
helps the server to make a decision related to a user's
Requirement 1
The matcher M can faithfully compute the distance $H(b_i, b_i')$.
M can compare the distance to a given threshold value d.
the server AS can make the right decision.
Requirement 2
For any $ID_{i_0}$: $b'_{i_0}$, $b'_{i_1}$
It is infeasible for any of M, DB, and AS to distinguish between $(ID_{i_0}, b'_{i_0})$ and $(ID_{i_0}, b'_{i_1})$.
Requirement 3
If U i , {0,1} makes an authentication attempt.
DB can only guess with a negligible advantage.
Suppose DB makes a guess '
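A New Biometric-based Authentication Protocol
Review of the Goldwasser-Micali Scheme
Let $p$ be an integer greater than 1 and $(a,p)=1$. If $x^2 \equiv a \pmod{p}$ is solvable, then $a$ is called a quadratic residue mod $p$.
For example: 1, 2, 4 are quadratic residues of 7 (i.e. mod 7); 3, 5, 6 are quadratic non-residues.
For $x=1,6$, $x^2 \equiv 1 \pmod{7}$; likewise for $x=3,4$, $x^2 \equiv 2 \pmod{7}$; for $x=2,5$, $x^2 \equiv 4 \pmod{7}$.
•Jacobi symbol:
J(x/p)= 0 if p | x (i.e. p is a factor of x; x is a multiple of p)
= 1 if x is a quadratic residue mod p
= -1 if x is a nonresidue mod p.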
Key generation algorithm
Input:
a security parameter
large prime numbers p and q
n=pq
a non-residue x for which the Jacobi symbol=-1
J(x,p)=J(x,q)= -1
Output:
pk = (x, n), sk = (p, q)
Encryption algorithm
Takes a message $m \in \{0,1\}$
$c = y^2 x^m \pmod{n}$, where $y$ is randomly chosen from $\mathbb{Z}_n^*$
Decryption algorithm
If c is a quadratic residue, m=0.
Otherwise, m=1.
An adversary A has only a negligible advantage
the attacker’s advantage
The encryption protocol possesses a nice homomorphic property
In order to encrypt a binary string we need to encrypt every bit individually
Enrollment Phase
$b_i = (b_{i,1}, b_{i,2}, \ldots, b_{i,M})$
$U_i$ registers $(b_i, i)$ at DB
$(ID_i, i)$ at AS
M possesses a key pair (pk,sk)
Verification Phase
AS retrieves the index i using $ID_i$
If the Hamming weight of the corresponding plaintext vector $\le d$
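The building blocks reviewed above, as an added example (not code from the slides or the paper): a toy Python version of Goldwasser-Micali key generation, bitwise encryption and decryption, the XOR homomorphism on ciphertexts, and the Hamming-weight threshold check done by the key holder. The primes 499 and 547, the 8-bit templates and all function names are constructed for illustration and are far too small for real use; the separate roles of DB and AS are not modelled.

```python
# Toy Goldwasser-Micali demo. All parameters are constructed and insecure.
import secrets
from math import gcd

def is_qr(a, p):
    """Euler's criterion: is a (coprime to p) a quadratic residue mod prime p?"""
    return pow(a, (p - 1) // 2, p) == 1

def keygen(p, q):
    """pk = (x, n), sk = (p, q); x is a non-residue mod both p and q."""
    n = p * q
    while True:
        x = secrets.randbelow(n - 2) + 2
        if gcd(x, n) == 1 and not is_qr(x, p) and not is_qr(x, q):
            return (x, n), (p, q)

def encrypt_bit(pk, m):
    """c = y^2 * x^m mod n with y chosen at random from Z_n^*."""
    x, n = pk
    while True:
        y = secrets.randbelow(n - 1) + 1
        if gcd(y, n) == 1:
            return (y * y * pow(x, m, n)) % n

def decrypt_bit(sk, c):
    """m = 0 if c is a quadratic residue mod n, otherwise m = 1."""
    p, q = sk
    return 0 if is_qr(c % p, p) and is_qr(c % q, q) else 1

def encrypt_bits(pk, bits):
    """A binary string is encrypted one bit at a time."""
    return [encrypt_bit(pk, b) for b in bits]

def xor_ciphertexts(pk, ca, cb):
    """Homomorphic property: E(a) * E(b) mod n decrypts to a XOR b."""
    n = pk[1]
    return [(u * v) % n for u, v in zip(ca, cb)]

def within_threshold(sk, cts, d):
    """Key holder's check: Hamming weight of the plaintext vector <= d."""
    return sum(decrypt_bit(sk, c) for c in cts) <= d

# Constructed sample templates (8 bits each) that differ in 2 positions.
PK, SK = keygen(499, 547)
REFERENCE = [1, 0, 1, 1, 0, 0, 1, 0]
FRESH = [1, 0, 0, 1, 0, 1, 1, 0]
DIFF = xor_ciphertexts(PK, encrypt_bits(PK, REFERENCE), encrypt_bits(PK, FRESH))
```

`DIFF` is computed without the secret key; only the holder of `SK` can learn the Hamming weight and compare it with the threshold d.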
S performs at most 2M modular multiplications
The server performs 2N modular multiplications in step 2 and M modular multiplications in step 4.
The database needs to perform $\frac{MN}{2}$ modular multiplications in step 3
Conclusion
Consider a biometric authentication protocol where confidentiality is required for biometric data solely for privacy reasons.
It remains an interesting issue to improve its performance.