Transcript of "FUZZY VAULT FOR MULTIPLE USERS" (aui.ma vault.pdf), posted 06-Mar-2018

FUZZY VAULT FOR MULTIPLE USERS
July 10th 2012, Ifrane, Morocco
Mélanie Favre

Joint work with Julien Bringer and Hervé Chabanne

Sponsored by French ANR project BMOS

1/ Fuzzy Vault for Multiple Users / July 10th 2012

This document and the information therein are the property of Morpho. They must not be copied or communicated to a third party without the prior written authorization of Morpho.

Content

1 Introduction

2 Fuzzy Vault

3 Extended Fuzzy Vault

4 Conclusion


/01/Introduction


Introduction

- Starting point: Juels and Sudan's Fuzzy Vault (2002)
  - Secret sharing scheme
  - Error-tolerant
  - Deals with unordered sets of different cardinalities
  - Relies on the polynomial reconstruction problem
  - Multiple applications
  - Well suited for biometrics
- Our goal: extend the Fuzzy Vault scheme to multiple users
  - One scheme for many users
  - Database
  - Application in biometrics


/02/Fuzzy Vault


Fuzzy Vault

- Starting point
  - A secret κ ∈ F_q^k, encoded as the polynomial p ∈ F_q[X] of degree smaller than k whose coefficients are the k symbols of κ
  - A set A = {a_i ∈ F_q | i = 1..t}
  - A security parameter r ≥ t (total number of vault points, genuine plus chaff)
- LOCK algorithm
  - Evaluate p on each element of A:
      for i = 1 to t do
          x_i = a_i
          y_i = p(x_i)
  - Add chaff points (x's distinct from each other and from A, y's off the polynomial):
      for i = t+1 to r do
          x_i ∈ F_q \ A
          y_i ∈ F_q \ {p(x_i)}
  - Final vault V_A = {(x_i, y_i) | i = 1..r}, output in random order so that chaff points cannot be told apart from genuine ones

Ari Juels, Madhu Sudan, A Fuzzy Vault Scheme, Proceedings of the IEEE International Symposium on Information Theory (ISIT), 2002


Fuzzy Vault

- UNLOCK algorithm
  - Given a set B = {b_i ∈ F_q | i = 1..t}, construct V = {(x_j, y_j) ∈ V_A | x_j ∈ B}
  - Use Reed-Solomon decoding over V: the points of V form a received word in which genuine points are correct symbols and the chaff points hit by B are errors
  - RS codes can be decoded up to (t − k)/2 errors with the Peterson-Berlekamp-Massey algorithm
  - If A and B overlap substantially, the decoder returns p and hence κ


Fuzzy Vault

- Example: the movie lover's problem
  - Alice is a movie lover
  - She shares her phone number only with people who have the same tastes as her
  - Secret κ: her phone number, on k = 14 symbols
  - Set A: her t = 22 favourite movies
  - Bob can get Alice's number only if he likes at least (t + k)/2 = 18 movies in common with Alice: of his t = 22 picks, at most (t − k)/2 = 4 may land on chaff points
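The movie example carried through in code, as an added example that is not the authors' implementation: LOCK and UNLOCK over the prime field F_2053 (the field quoted on the Results slide), with a Berlekamp-Welch decoder standing in for the Peterson-Berlekamp-Massey step (both are unique RS decoders correcting up to (n − k)/2 errors). Assumptions made here and not on the slides: the movie universe is identified with F_q, r = q so every movie is in the vault either as a genuine or a chaff point (an element of B that is absent from the vault would otherwise simply be ignored rather than counted as an error), and the seed, the secret and the sets are constructed at random.

```python
import random

# Prime field F_q with q = 2053, the field of the authors' PARI/GP runs (Results
# slide).  Polynomials are coefficient lists, lowest degree first, as in kappa.
Q = 2053


def poly_eval(coeffs, x):
    """Horner evaluation of p(x) in F_Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def lock(secret, A, rng):
    """LOCK: genuine points (a, p(a)) for a in A, then chaff (x, y) with y != p(x)
    on every other x of F_Q (assumption r = q: the whole universe is covered),
    shuffled so chaff and genuine points are indistinguishable."""
    A = set(A)
    vault = [(a, poly_eval(secret, a)) for a in A]
    for x in range(Q):
        if x in A:
            continue
        y = rng.randrange(Q)
        while y == poly_eval(secret, x):  # chaff must lie off the polynomial
            y = rng.randrange(Q)
        vault.append((x, y))
    rng.shuffle(vault)
    return vault


def _solve_mod_q(rows):
    """Gaussian elimination over F_Q on an augmented matrix; returns one
    solution (free variables set to 0) or None if the system is inconsistent."""
    rows = [r[:] for r in rows]
    ncols = len(rows[0]) - 1
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], Q - 2, Q)
        rows[r] = [(v * inv) % Q for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % Q for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
        if r == len(rows):
            break
    if any(rows[i][ncols] for i in range(r, len(rows))):
        return None  # a row "0 = nonzero" remains: no solution
    sol = [0] * ncols
    for i, c in enumerate(pivots):
        sol[c] = rows[i][ncols]
    return sol


def _poly_divmod(num, den):
    """Long division in F_Q[X]; den must have a non-zero leading coefficient."""
    num, d = num[:], len(den) - 1
    inv_lead = pow(den[-1], Q - 2, Q)
    quot = [0] * (len(num) - d)
    for i in range(len(num) - 1, d - 1, -1):
        c = (num[i] * inv_lead) % Q
        quot[i - d] = c
        for j in range(d + 1):
            num[i - d + j] = (num[i - d + j] - c * den[j]) % Q
    return quot, num[:d]


def rs_decode(points, k):
    """Berlekamp-Welch decoding of the [n, k] RS code: the p of degree < k that
    agrees with all but e = (n - k) // 2 of the (x, y) points.  Unknowns are a
    monic error locator E of degree e and Q = p*E of degree < e + k, linked by
    Q(x_i) = y_i * E(x_i) at every point: one linear system over F_Q."""
    n = len(points)
    if n < k:
        return None
    e = (n - k) // 2
    rows = []
    for x, y in points:  # columns: coefficients of Q, then e_0..e_{e-1}, then rhs
        xp = [pow(x, j, Q) for j in range(e + k)]
        rows.append(xp + [(-y * xp[j]) % Q for j in range(e)] + [(y * xp[e]) % Q])
    sol = _solve_mod_q(rows)
    if sol is None:
        return None
    p, rem = _poly_divmod(sol[:e + k], sol[e + k:] + [1])
    if any(rem) or sum(poly_eval(p, x) == y for x, y in points) < n - e:
        return None  # inexact division or too few points explained: reject
    return p


def unlock(vault, B, k):
    """UNLOCK: keep the vault points whose x lies in B and RS-decode them."""
    B = set(B)
    return rs_decode([(x, y) for x, y in vault if x in B], k)


def movie_demo(seed=1):
    """Slide 8 with k = 14, t = 22: Bob shares 18 of Alice's movies, Carol 17."""
    rng = random.Random(seed)
    k, t = 14, 22
    secret = [rng.randrange(Q) for _ in range(k)]  # Alice's number, 14 symbols
    A = rng.sample(range(Q), t)                     # her 22 favourite movies
    vault = lock(secret, A, rng)
    A_set = set(A)
    others = [x for x in range(Q) if x not in A_set]
    bob = A[:18] + rng.sample(others, 4)    # 4 chaff hits = (t - k)/2: decodable
    carol = A[:17] + rng.sample(others, 5)  # 5 chaff hits: one error too many
    return secret, unlock(vault, bob, k), unlock(vault, carol, k)
```

Bob's 22 picks give a received word of length n = 22 with exactly 4 errors, which the decoder absorbs with e = (22 − 14)/2 = 4; Carol's 17 common movies leave 5 errors, and no monic E of degree 4 can vanish at 5 chaff positions, so she never obtains Alice's polynomial. In a deployment the verifier would additionally store a hash of κ to tell a correct decode from a wrong candidate; the agreement check in rs_decode is the in-band stand-in for that.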


/03/Extended Fuzzy Vault


General idea

- Multiple users but still one vault
  - One polynomial per user
  - One single decoding
  - "Natural" chaff from the other users
  - Ability to recover more than one identity: Bob wants to know all the people sharing his tastes
  - Ability to deal with overlap: several people can like the same movie
- Tools
  - List recovery
  - Folded Reed-Solomon codes

[Figure: three polynomials p1, p2, p3 drawn in the (x, y) plane and their points merged into a single vault]


Folded Reed-Solomon codes

- Definition: Given γ a generator of the multiplicative group F_q^*, the m-folded version of the Reed-Solomon code C[n, k], denoted FRS_{F_q, γ, m, N, k}, is a code of block length N = n/m over F_q^m, where n = q − 1 is divisible by m. The encoding of a message p ∈ F_q[X] of degree at most k − 1 is given by

$$
p(X) \mapsto \left(
\begin{pmatrix} p(1) \\ p(\gamma) \\ \vdots \\ p(\gamma^{m-1}) \end{pmatrix},
\begin{pmatrix} p(\gamma^{m}) \\ p(\gamma^{m+1}) \\ \vdots \\ p(\gamma^{2m-1}) \end{pmatrix},
\ldots,
\begin{pmatrix} p(\gamma^{n-m}) \\ p(\gamma^{n-m+1}) \\ \vdots \\ p(\gamma^{n-1}) \end{pmatrix}
\right)
$$

  - We have N symbols in F_q^m, each one a column of m consecutive evaluations of p
  - m = 1: classical Reed-Solomon code C[n, k]


List recovery

- List decoding
  - Relaxation of unique decoding
  - Given an error bound e, outputs all codewords whose encoding differs from the received word in at most e symbols
  - We use Guruswami's list decoding algorithm for FRS codes (2011)
  - Easy algorithm: two linear systems to solve
  - Parameter s: output list size bounded by q^{s−1}, and s ≤ m
  - Fractional agreement (fraction of positions that must match, R = k/n the rate of the code) is

$$
\tau > \frac{1}{s+1} + \frac{s}{s+1}\cdot\frac{mR}{m-s+1}
$$

- List recovery
  - Extension of list decoding with overlapping: for each position i, the input is a set T_i of possible values
  - Guruswami's list decoding algorithm is still usable
  - With ℓ = max |T_i| and ℓ ≤ s ≤ m, the fractional agreement becomes

$$
\tau > \frac{\ell}{s+1} + \frac{s}{s+1}\cdot\frac{mR}{m-s+1}
$$

Venkatesan Guruswami, Linear-algebraic list decoding of folded Reed-Solomon codes, IEEE Conference on Computational Complexity, 2011


Extended Fuzzy Vault

- Starting point: d users
  - d secrets κ_1, ..., κ_d transformed into d polynomials p_1, ..., p_d
  - d sets A_1, ..., A_d
  - Security parameters ℓ and r < N
- Formalization for FRS codes
  - Let E be an alphabet containing N symbols x_1, ..., x_N
  - Each set A_i consists of t symbols among them
  - Each set A_i is associated with a function F_i such that

$$
F_i(x_j) = \bigl(p_i(\gamma^{(j-1)m}),\, p_i(\gamma^{(j-1)m+1}),\, \ldots,\, p_i(\gamma^{(j-1)m+m-1})\bigr)
$$

    i.e. F_i(x_j) is the j-th symbol of the FRS encoding of p_i:

$$
p_i(X) \mapsto \left(
\begin{pmatrix} p_i(1) \\ p_i(\gamma) \\ \vdots \\ p_i(\gamma^{m-1}) \end{pmatrix},
\ldots,
\begin{pmatrix} p_i(\gamma^{(j-1)m}) \\ p_i(\gamma^{(j-1)m+1}) \\ \vdots \\ p_i(\gamma^{(j-1)m+m-1}) \end{pmatrix},
\ldots,
\begin{pmatrix} p_i(\gamma^{n-m}) \\ p_i(\gamma^{n-m+1}) \\ \vdots \\ p_i(\gamma^{n-1}) \end{pmatrix}
\right)
$$


Extended Fuzzy Vault

- LOCK algorithm: evaluate the elements of each set A_i with F_i and fill with chaff (requires #S_i ≤ ℓ at every position, i.e. no symbol shared by more than ℓ users)

      S_i ← ∅ for i = 1, ..., N
      cpt ← 0
      for i = 1 to N do
          for j = 1 to d do
              if x_i ∈ A_j then
                  S_i ← S_i ∪ {F_j(x_i)}
              end
          end
          if #S_i ≠ 0 then
              cpt ← cpt + 1
              for j = #S_i + 1 to ℓ do
                  y_i^j ∈ F_q^m \ {F_h(x_i)}_{h=1,...,d}
                  S_i ← S_i ∪ {y_i^j}
              end
          end
      end
      Fill randomly r − cpt of the empty sets S_i up to ℓ elements (chaff only)

  - Final vault V = {(x_i, S_i) | i = 1, ..., N}, with N − r empty sets

[Figure: vault points in the (x, y) plane, several users' polynomials sharing the same positions]


Extended Fuzzy Vault

- UNLOCK algorithm
  - Given a set B = {b_i ∈ E | i = 1..t}, take the sets S_{j_1}, ..., S_{j_t}, where j_e is such that x_{j_e} = b_e
  - Use Guruswami's list recovery algorithm with input ((x_{j_1}, S_{j_1}), ..., (x_{j_t}, S_{j_t}))
  - Restriction of the FRS code to FRS_{F_q, γ, m, t, k} of length t, with codewords of the form

$$
\left(
\begin{pmatrix} p(\gamma^{(j_1-1)m}) \\ \vdots \\ p(\gamma^{(j_1-1)m+m-1}) \end{pmatrix},
\ldots,
\begin{pmatrix} p(\gamma^{(j_t-1)m}) \\ \vdots \\ p(\gamma^{(j_t-1)m+m-1}) \end{pmatrix}
\right)
$$

    for any p ∈ F_q[X] of degree at most k − 1
  - The algorithm outputs all codewords c = ⟨c_{j_1}, ..., c_{j_t}⟩ such that c_{j_e} ∈ S_{j_e} for at least (1 − ρ)t positions j_e, with

$$
\rho = 1 - \left(\frac{\ell}{s+1} + \frac{s}{s+1}\cdot\frac{mR}{m-s+1}\right)
$$

  - With the rate R = k/(mt) of this length-t code, it corrects up to

$$
\varepsilon = \frac{1}{s+1}\left((s+1-\ell)\,t - \frac{s\,k}{m-s+1}\right)
$$

    errors (the e column of the Results table)
- Remark
  - The EFV scheme can also be constructed using other codes instead of FRS codes
  - They need to have a list recovery algorithm
  - However, with RS codes list recovery is suboptimal
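The EFV LOCK of the previous slide and the error budget ε of this one, as an added example that is not the authors' PARI/GP code. It builds the folded symbols F_i(x_j), assembles the sets S_j with natural chaff from the other users (rejecting a vault in which more than ℓ users share a symbol, the limitation noted on the Results slide), fills r − cpt empty sets, and implements the acceptance predicate of UNLOCK, agreement ≥ t − ε, which reproduces the e column of the Results table. Guruswami's list-recovery decoder itself is not implemented here; the predicate is what its output list satisfies. Assumptions: q = 2053 as on the Results slide, but m = 6 rather than the table's m = 5 so that n = q − 1 = 2052 is divisible by m as the FRS definition requires (N = 342); r = 200, three users and a fixed seed are chosen for the example.

```python
import math
import random

Q = 2053                  # field from the Results slide
M = 6                     # folding parameter; n = q - 1 = 2052 = M * N (assumption)
N = (Q - 1) // M          # alphabet E = {x_1, ..., x_N}, here N = 342


def _generator():
    """Smallest γ generating F_Q^*: its order is q - 1 = 2^2 * 3^3 * 19."""
    return next(g for g in range(2, Q)
                if all(pow(g, (Q - 1) // r, Q) != 1 for r in (2, 3, 19)))


GAMMA = _generator()


def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def frs_symbol(p, j):
    """F(x_j) = (p(γ^{(j-1)m}), ..., p(γ^{(j-1)m+m-1})): the j-th folded symbol."""
    base = (j - 1) * M
    return tuple(poly_eval(p, pow(GAMMA, base + i, Q)) for i in range(M))


def _chaff_fill(genuine, polys, j, ell, rng):
    """Pad S_j to ell elements with vectors of F_q^m equal to no user's F_h(x_j)."""
    forbidden = {frs_symbol(p, j) for p in polys}
    out = set(genuine)
    while len(out) < ell:
        y = tuple(rng.randrange(Q) for _ in range(M))
        if y not in forbidden:
            out.add(y)
    return out


def efv_lock(polys, sets, ell, r, rng):
    """EFV LOCK (slide 14): polys[i] is user i's polynomial, sets[i] the indices j
    of the symbols x_j in A_i.  Returns {j: S_j} with exactly r non-empty sets."""
    S = {j: set() for j in range(1, N + 1)}
    cpt = 0
    for j in range(1, N + 1):
        genuine = {frs_symbol(p, j) for p, A in zip(polys, sets) if j in A}
        if not genuine:
            continue
        if len(genuine) > ell:   # Results slide: too many users on one symbol
            raise ValueError(f"x_{j} is shared by more than ell={ell} users")
        cpt += 1
        S[j] = _chaff_fill(genuine, polys, j, ell, rng)
    if cpt > r:
        raise ValueError("r must be at least the number of covered symbols")
    for j in rng.sample([j for j in S if not S[j]], r - cpt):
        S[j] = _chaff_fill(set(), polys, j, ell, rng)   # pure-chaff sets
    return S


def error_budget(t, m, s, ell, k):
    """ε = floor(((s+1-ℓ)t - s k/(m-s+1)) / (s+1)): positions the list-recovery
    step may get wrong for the length-t restricted code (slide 15)."""
    assert ell <= s <= m
    return math.floor(((s + 1 - ell) * t - s * k / (m - s + 1)) / (s + 1))


def agreement(p, B, S):
    """Positions j in B whose set S_j contains p's folded symbol."""
    return sum(frs_symbol(p, j) in S[j] for j in B)


def accepted(p, B, S, s, ell, k):
    """UNLOCK acceptance test: list recovery returns exactly the p with
    agreement >= (1 - ρ)t = t - ε (the decoder itself is not implemented)."""
    t = len(B)
    return agreement(p, B, S) >= t - error_budget(t, M, s, ell, k)


def demo(seed=7):
    """Three users with the table's first-row parameters except m (see above)."""
    rng = random.Random(seed)
    k, t, s, ell, r = 14, 22, 4, 3, 200   # r chosen for the example
    polys = [[rng.randrange(Q) for _ in range(k)] for _ in range(3)]
    sets = [set(rng.sample(range(1, N + 1), t)) for _ in range(3)]
    S = efv_lock(polys, sets, ell, r, rng)
    A1 = sorted(sets[0])
    free = [j for j in range(1, N + 1) if not any(j in A for A in sets)]
    eps = error_budget(t, M, s, ell, k)        # 5 for these parameters
    good = A1[:t - eps] + free[:eps]           # t - ε genuine symbols of user 1
    bad = A1[:t - eps - 1] + free[:eps + 1]    # one genuine symbol fewer
    return {"eps": eps,
            "nonempty": sum(1 for j in S if S[j]),
            "sizes_ok": all(len(S[j]) == ell for j in S if S[j]),
            "good": accepted(polys[0], good, S, s, ell, k),
            "bad": accepted(polys[0], bad, S, s, ell, k)}
```

The "misses" in the demo are taken from positions no user covers, whose sets are empty or pure chaff excluding every user's symbol, so the agreement count is exactly the number of genuine symbols presented; with a claimant one symbol short of t − ε the predicate fails even though the vault, unlike a single-user fuzzy vault, also carries the other users' genuine points at the shared positions.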


Security of EFV

- Uniform case
  - Uniform distribution (assumption of the FV scheme)
  - Number of possible polynomials, for each μ > 0, with probability at least 1 − μ:
    - FV with parameter r: $\mu^3\, q^{k-t}\, (r/t)^t$
    - EFV with parameters ℓ, r: $\mu^3\, \ell^{r}\, q^{k-t}\, (r/t)^t$
- General case (FRS codes)
  - Any distribution for the A_j
  - Conditional min-entropy, as defined for secure sketches:

$$
\Bigl(l \log_2 \binom{N}{t} - \log_2 \binom{N}{\lambda}\Bigr) + \log_2 \binom{r}{\lambda} - (mt - k)\, l \, \log_2 q
$$

    where l is the number of users and t ≤ λ ≤ lt is the number of indexing sets covered by genuine points
  - Comparable entropies between EFV with l users and l independent FV schemes
  - r needs to be large to ensure high entropy


Results

- Advantages with respect to the classical Fuzzy Vault
  - One single decoding
  - Smaller vault size for the same entropy
  - Less chaff is needed, due to the multiple sets
- Limitations of the scheme
  - Restrictions on the parameters: ℓ can't be too big
  - The people involved in the scheme can't all love the same movie (no symbol may be shared by more than ℓ users)
  - The output list size can be very big
  - Limitation on the number of sets in the scheme
  - Memory space grows quickly
- Implementation using PARI/GP
  - EFV scheme with 100 users on F_2053
  - On a common desktop computer (Intel Core 2, 2.8 GHz, 3.5 GB RAM)

      t    m    s    ℓ    k    e    System size    Execution time
      22   5    4    3    14   3    132 × 133      125 ms
      50   10   8    6    15   12   900 × 905      14.5 sec
      73   14   11   8    16   20   2336 × 2343    6 min 44 sec

    (e: number of errors corrected; system size: dimensions of the linear system solved during decoding)


/04/Conclusion


Conclusion

- Achievements
  - Functional scheme
  - Less memory space for the same security
- Outlook
  - Find decoding algorithms with smaller output list size, in order to embed more sets in one vault
  - Adapt EFV to the fuzziness of biometric data


Thank you for your attention

Questions?
