Helper data schemes for privacy-preserving biometrics Boris kori - - PowerPoint PPT Presentation

Boris Škorić

TU Eindhoven

van der Meulen seminar Leuven, December 2011

Helper data schemes for privacy-preserving biometrics

1

Outline

• “Security with noisy data”
• biometrics & privacy
• Physical Unclonable Functions (PUFs)
• anti-counterfeiting
• Secure Sketches & Fuzzy Extractors
• basics
• Leftover Hash Lemma
• some easy constructions

2

Example A: biometric authentication

• Biometrics are not really secret
• easy to obtain
• don’t entrust important secrets to biometric key
• ... but have to be treated confidentially
• privacy legislation
• large databases, insider attacks

3

Example A: biometric authentication

• Biometrics are not really secret
• easy to obtain
• don’t entrust important secrets to biometric key
• ... but have to be treated confidentially
• privacy legislation
• large databases, insider attacks
• Solution
• treat biom. authentication same as Unix passwords
• store hash of {biometric + salt}
• Problem
• noisy measurements
• hash has no noise tolerance

0010110101 1110111001... 3

PUFs

• Relatively new security primitive (Pappu 2001)
• Physical Unclonable Function
• complex piece of material
• challenge-response pairs (CRPs)
• difficult to characterize (“opaque”)
• difficult to clone physically
• difficult to emulate (“mathematical unclonability”)
• Various applications
• authentication token
• anti-counterfeiting
• secure key storage
• software to hardware binding
• tamper evidence

4

Silicon PUF [Gassend et al. 2002]

TiN TiO2

Coating PUF

Posch 1998; Tuyls et al. 2006

SRAM PUF

Guajardo et al. Su et al. 2007

FPGA ‘butterfly’ PUF

Kumar et al. 2008

Optical PUF

Pappu 2001

5

Anti-counterfeiting

Traditional approach:

• add authenticity mark to product
• hard to forge
• all marks are identical

6

Anti-counterfeiting

Traditional approach:

• add authenticity mark to product
• hard to forge
• all marks are identical } Er, ... WTF?

6

Anti-counterfeiting

Traditional approach:

• add authenticity mark to product
• hard to forge
• all marks are identical } Er, ... WTF?

Imagine your company needs a security label ...

• how do you know what you are buying?
• nobody discloses technology details
• there is no “AES” for anti-counterfeiting
• perfect market for snake oil
• by the way, many of the suppliers are Chinese

6

is a high-tech company which is professional in laser security. (...) We can supply our clients with the comprehensive products in this field, such as: hologram label design, hologram master shooting, related professional equipments and related hologram materials. (...) And our clients are quite satisfied with our products and services. We are sure that we can meet your demands as well. Welcome to visit our company.Any more requirements, please connect us.

From a Chinese company webpage:

7

!"#$%&'()"*+,%" !"-.#*$/"&0)-" !"10$2"&-)0*34" !"#"$%&'("#)%$*+,'

• .'/*$01+"$.'234'
• Unique marks
• uncontrollable process
• even manufacturer cannot clone
• digitally signed by Enrollment Authority.
• Two-step verification
• check signature of Authority
• check the mark.
• Forgery needs either
• physical cloning
• or fake signature.
• Allows open approach
• no longer security-by-obscurity.

Certificate

Example B: anti-counterfeiting with bare PUFs

[Bauder, Simmons < 1991]

8

!"#$%&'()"*+,%" !"-.#*$/"&0)-" !"10$2"&-)0*34" !"#"$%&'("#)%$*+,'

• .'/*$01+"$.'234'
• Unique marks
• uncontrollable process
• even manufacturer cannot clone
• digitally signed by Enrollment Authority.
• Two-step verification
• check signature of Authority
• check the mark.
• Forgery needs either
• physical cloning
• or fake signature.
• Allows open approach
• no longer security-by-obscurity.

Certificate

Example B: anti-counterfeiting with bare PUFs

[Bauder, Simmons < 1991]

Manufacturer afraid to reveal product properties

• just like biometric privacy
• store hash of {mark + salt} → problem with noise

8

Example C: remote authentication with bare PUF

• PUF serves as huge repository of keys
• Problem: noisy measurements !

Alice has {ci, Si} Bob has the PUF

Random i ci

Check if ci is replay Measure PUF response S’ Never use ci again Authenticated channel; MAC key Si

Eve has occasional access to the PUF

9

Example D: Read-proof key storage

Device secrets stored during off state

• attacker has full access
• assumption: digital NV memory is insecure

Derive encryption key from Silicon/Coating PUF

• only when needed
• non-digital, hard to read from outside
• tampering destroys key
• Physically Obfuscated Key (POK)

EK[Device secrets] Insecure NV-mem

crypto processor POK sensor

Integrated components

K

Noise!

10

Secure Sketches & Fuzzy Extractors

11

ˆ X

A special kind of noise correction

Juels, Wattenberg 1999 Dodis, Reyzin, Smith 2003 Linnartz, Tuyls 2003

Redundancy data

• required for error correction
• created at enrollment
• assumed public! (stored e.g. in DB)
• must not leak

Secure Sketch Fuzzy Extractor SS Rec

ˆ X

W (helper data)

X X’ Gen Rep

W

X X’ S’ S

• Prob[ ≠X] is low
• I(W; X) is small
• Prob[S’≠S] is low
• I(W; S) is small
• don’t care about I(W;X)

12

Which technique to use, SS or FE?

Application privacy

• f X ?

uniform secret? Technique

authentication by password

∎

One-Way Function biometric authentication ∎ Secure Sketch + OWF anticounter- feiting PUF

∎

Secure Sketch + OWF anticounter- feiting PUF

• PUF authent.

w/o MACs

• PUF authent.

with MACs

∎

Fuzzy Extractor POK

∎

Fuzzy Extractor

bare PUF

13

Privacy-preserving biometric database

ID helper data salt hash 1 W1 c1 H1=h(c1||X1) ... ... ... ... n Wn cn Hn=h(cn||Xn)

Enrollment: Authentication: SS Xi Wi X'i Rec Wi ̂ Xi h(.||.) ci Compare

Hi

yes/no

14

Helper Data; some intuition

SS

Rec

ˆ X

W

X

X’

Noisy measurement X stable part noisy part

}

W

Gen

Rep

W

X

X’

S’ S

key FE SS

15

Helper Data; some intuition

SS

Rec

ˆ X

W

X

X’

Noisy measurement X stable part noisy part

}

W

Helper Data reveals noisy part of X.

• SS: How much privacy is lost?

Not so bad:

• W is subject to noise anyway
• many people may have same W
• FE: How much of the key is leaked?

Zero if W, S derived from independent parts of X

Gen

Rep

W

X

X’

S’ S

key FE SS

15

Bluff your way in Secure Sketches

Enrollment phase:

w ← SS(x) Discrete non-uniform noisy X.

16

Bluff your way in Secure Sketches

Enrollment phase:

w ← SS(x)

x w

Discrete non-uniform noisy X.

16

Reconstruction phase:

x̂ = Rep(x’,w)

x’

17

Reconstruction phase:

x̂ = Rep(x’,w)

x’ w

17

Reconstruction phase:

x̂ = Rep(x’,w)

x’ w

17

x̂

Secure Sketch: privacy of X

How much does W leak?

• position of X in a tile

w How bad is that?

• generally not so bad
• “least significant bits”
• subject to noise anyway
• attacker must guess which tile

18

Secure Sketch: privacy of X

How much does W leak?

• position of X in a tile

w How bad is that?

• generally not so bad
• “least significant bits”
• subject to noise anyway
• attacker must guess which tile

Can you do without helper data?

• only if all enrollments occur first
• but then the tiling itself leaks

18

Fuzzy Extractor: generic construction from SS

Dodis, Reyzin, Smith 2003

SS Rec

W

X X’ UHF UHF x̂

random r

S S’ UHF = universal hash function Gen Rep

public

19

Almost Universal Hash Functions

Φ:X×R→T is called η-almost universal if, for fixed x, x’

Prob[ΦR(x) = ΦR(x′)] ≤ η

Called Universal for η = 1/ |T |

Distance of F(X,R) from uniformity, given Y and R

Leftover hash lemma

∆(F(X, R)Y R; UℓY R) ≤ 1 2

• δ + 2ℓ−e

H2(X|Y )

If F: X×R→{0,1}ℓ is 2−ℓ(1+δ)-almost universal, then

20

Carter, Wegman 1979

Extractable randomness Invert the leftover hash lemma:

ℓε

ext(X|Y ) ≥

H2(X|Y ) + 2 − 2 log 1 ε

penalty due to uniformity requirement

Rather bad

• H2 ≤ Shannon entropy
• Penalty term depends on target ε,

not on uniformity improvement.

21

Basic examples

• f

Fuzzy Extractors

22

Code offset method

• X = binary string
• Use a linear ECC

Enrollment

• random key s
• encode to cs
• w = cs-x

Reconstruction

• s’ = decode(x’+w)

23

Fuzzy Extractor purely from UHFs

MAC key helper data

BŠ, Tuyls 2008

24

Fuzzy Extractor purely from UHFs

MAC on w

MAC key helper data

BŠ, Tuyls 2008

24

• First partition:

equiprobable keys

• 2nd partition:

helper data,

• equiprob. subpartitions
• S | W=w is uniform

Fuzzy Extractor from partitions

Verbitskiy, Tuyls, Obi, Schoenmakers, BŠ 2008

25

“robustness”

• f helper data

Protecting the helper data (no PKI)

Boyen 2005

Random oracle model

SS Rec

w and h=hash(x, w)

x x’

Check h’==hash(x̂,w’)

x̂

attack

w’, h’

26

“robustness”

• f helper data

Protecting the helper data (no PKI)

Boyen 2005

Random oracle model

SS Rec

w and h=hash(x, w)

x x’

Check h’==hash(x̂,w’)

x̂

attack

w’, h’

Standard model

Gen Rep

w and m=MAC(s1,w)

x x’ s’ = s’1||s’2 s = s1||s2

attack

w’, m’ Check m’==MAC(s’1,w’) Use s2 as secret

“KMS-MAC”

Cramer et al. 2008

26

Topics I did not mention

• noisy identification;

search in fuzzy database

• cross-correlating users in multiple DBs
• privacy vs. key rate tradeoffs
• properties of actual biometric data
• noise patterns
• tricks with error-correcting codes
• ...

27

Summary (sort of)

Main messages

• Error correction inevitable in some security scenarios
• privacy-preserving biometric DB
• anti-counterfeiting with PUFs
• key extraction from physical sources
• Well established primitives
• Secure Sketch
• Fuzzy Extractor
• Universal Hash Functions
• it can be very simple !

28