FUZZY VAULT FOR MULTIPLE USERS
July 10th 2012, Ifrane, Morocco
Mélanie Favre

Joint work with Julien Bringer and Hervé Chabanne

Sponsored by French ANR project BMOS

1/ Fuzzy Vault for Multiple Users / July 10th 2012

This document and the information therein are the property of Morpho. They must not be copied or communicated to a third party without the prior written authorization of Morpho.

Content

1 Introduction

2 Fuzzy Vault

3 Extended Fuzzy Vault

4 Conclusion


/01/Introduction


Introduction

- Starting point: Juels and Sudan's Fuzzy Vault (2002)
  - Secret sharing scheme
  - Error-tolerant
  - Deals with unordered sets of different cardinalities
  - Relies on the polynomial reconstruction problem
  - Multiple applications
  - Well suited for biometrics
- Our goal: extend the Fuzzy Vault scheme to multiple users
  - One scheme for many users
  - Database
  - Application in biometrics


/02/Fuzzy Vault


Fuzzy Vault

- Starting point
  - A secret κ ∈ F_q^k transformed into a polynomial p ∈ F_q[X] of degree smaller than k
  - A set A = {a_i ∈ F_q | i = 1..t}
  - A security parameter r ≥ t
- LOCK algorithm
  - Evaluate each element of A by p:

        for i = 1 to t do
            x_i = a_i
            y_i = p(x_i)

  - Add chaff points:

        for i = t + 1 to r do
            x_i ∈ F_q \ A
            y_i ∈ F_q \ {p(x_i)}

  - Final vault V_A = {(x_i, y_i) | i = 1..r}

Ari Juels, Madhu Sudan, A Fuzzy Vault Scheme, Proceedings of IEEE International Symposium on Information Theory, ISIT, 2002


Fuzzy Vault

- UNLOCK algorithm
  - Given a set B = {b_i ∈ F_q | i = 1..t}, construct V = {(x_j, y_j) ∈ V_A | x_j ∈ B}
  - Use Reed-Solomon decoding over V
  - RS codes can be decoded up to (t − k)/2 errors by the Peterson-Berlekamp-Massey algorithm
  - If A and B overlap substantially, recover κ


Fuzzy Vault

- Example: movie lover's problem
  - Alice is a movie lover
  - She shares her phone number only with people having the same tastes as her
  - Secret κ: her phone number on k = 14 symbols
  - Set A: her t = 22 favorite movies
  - Bob can get Alice's number only if he likes at least (t + k)/2 = 18 movies in common with Alice
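The LOCK and UNLOCK algorithms of the preceding slides, run on this movie example (k = 14, t = 22, threshold (t + k)/2 = 18), as an added Python example that is not part of the original slides. Berlekamp-Welch decoding, solved by Gaussian elimination over F_2053, stands in for the Peterson-Berlekamp-Massey decoder the slide names; Alice's phone number, the movie ids 1..1000 and the vault size r = 1000 (every movie id is in the vault, which is what the threshold assumes) are constructed values.

```python
import random
Q = 2053  # prime field, as in the slides' PARI/GP implementation

def poly_eval(p, x):  # Horner evaluation in F_Q; p lists coefficients, lowest degree first
    r = 0
    for c in reversed(p):
        r = (r * x + c) % Q
    return r

def lock(secret, A, universe, seed=0):
    """LOCK: secret = coefficients of p (degree < k); (a, p(a)) for a in A, plus one chaff (x, y != p(x)) per other x."""
    rng = random.Random(seed)
    vault = [(a, poly_eval(secret, a)) for a in A]
    for x in (x for x in universe if x not in A):
        y = rng.randrange(Q)
        while y == poly_eval(secret, x):  # chaff must lie off the polynomial
            y = rng.randrange(Q)
        vault.append((x, y))
    rng.shuffle(vault)  # genuine and chaff points must not be distinguishable by position
    return vault  # V_A = {(x_i, y_i) | i = 1..r}
def solve_mod(rows, rhs, n):
    """Gauss-Jordan elimination over F_Q; free unknowns are set to 0; None if inconsistent."""
    M, pivots = [row + [b] for row, b in zip(rows, rhs)], []
    for c in range(n):
        r = len(pivots)
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], Q - 2, Q)
        M[r] = [v * inv % Q for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [(a - M[i][c] * b) % Q for a, b in zip(M[i], M[r])]
        pivots.append(c)
    if any(not any(row[:-1]) and row[-1] for row in M[len(pivots):]):
        return None
    sol = dict(zip(pivots, (row[-1] for row in M)))
    return [sol.get(c, 0) for c in range(n)]

def rs_decode(points, k):
    """Berlekamp-Welch: Q(X) of degree < k+e and monic E(X) of degree e with Q(x_i) = y_i E(x_i); p = Q / E."""
    e = (len(points) - k) // 2  # number of wrong y values tolerated
    rows = [[pow(x, j, Q) for j in range(k + e)] + [-y * pow(x, j, Q) % Q for j in range(e)]
            for x, y in points]
    sol = solve_mod(rows, [y * pow(x, e, Q) % Q for x, y in points], k + 2 * e)
    if sol is None:
        return None
    num, E, quot = sol[:k + e], sol[k + e:] + [1], [0] * k
    for d in range(k + e - 1, e - 1, -1):  # polynomial long division num / E
        quot[d - e] = coef = num[d]
        for j in range(e + 1):
            num[d - e + j] = (num[d - e + j] - coef * E[j]) % Q
    return quot if not any(num[:e]) else None  # non-zero remainder: too many errors
def unlock(vault, B, k):  # UNLOCK: keep the points whose x lies in B, then RS-decode them
    return rs_decode([(x, y) for x, y in vault if x in B], k)

def movie_example(shared):
    """Constructed: Alice's 14-symbol secret, her 22 favourite movies (ids 1..1000), Bob sharing `shared` of them."""
    rng = random.Random(42)
    secret, movies = [rng.randrange(Q) for _ in range(14)], list(range(1, 1001))
    alice = rng.sample(movies, 22)
    vault = lock(secret, set(alice), movies, seed=1)  # r = 1000: every movie id is in the vault
    bob = set(alice[:shared] + rng.sample([x for x in movies if x not in alice], 22 - shared))
    return unlock(vault, bob, 14), secret  # (what Bob recovers, Alice's secret)
```

With 18 movies in common Bob recovers Alice's number; with 17 the four-error budget of Berlekamp-Welch is exceeded and the decoder returns either nothing or a wrong polynomial.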


/03/Extended Fuzzy Vault


General idea

- Multiple users but still one vault
  - One polynomial per user
  - One single decoding
  - "Natural" chaff from the other users
  - Ability to recover more than one identity: Bob wants to know all the people sharing his tastes
  - Ability to deal with overlap: several people can like the same movie
- Tools
  - List recovery
  - Folded Reed-Solomon codes

[Figure: one vault in the (x, y) plane containing the polynomials p1, p2 and p3 of three users]


Folded Reed-Solomon codes

- Definition: Given γ a generator of F_q, the m-folded version of the Reed-Solomon code C[n, k], denoted FRS_{F_q, γ, m, N, k}, is a code of block length N = n/m over F_q^m, where n = q − 1 is divisible by m. The encoding of a message p ∈ F_q[X] of degree at most k − 1 is given by

$$p(X) \mapsto \Big( \big(p(1), p(\gamma), \dots, p(\gamma^{m-1})\big),\ \big(p(\gamma^{m}), p(\gamma^{m+1}), \dots, p(\gamma^{2m-1})\big),\ \dots,\ \big(p(\gamma^{n-m}), p(\gamma^{n-m+1}), \dots, p(\gamma^{n-1})\big) \Big)$$

  - We have N symbols in F_q^m
  - m = 1: classical Reed-Solomon code C[n, k]


List recovery

- List decoding
  - Relaxation of unique decoding
  - Given an error bound e, outputs all codewords whose encoding differs from the received word in at most e symbols
  - We use Guruswami's list decoding algorithm for FRS codes (2011)
  - Easy algorithm: two linear systems to solve
  - Parameter s: output list size bounded by q^{s−1}, and s ≤ m
  - Fractional agreement is

$$\tau > \frac{1}{s+1} + \frac{s}{s+1} \cdot \frac{mR}{m-s+1}$$

- List recovery
  - Extension of list decoding with overlapping: for each position i, the input is a set T_i of possible values
  - Guruswami's list decoding algorithm is still usable
  - Given ℓ = max |T_i| and ℓ ≤ s ≤ m, the fractional agreement becomes

$$\tau > \frac{\ell}{s+1} + \frac{s}{s+1} \cdot \frac{mR}{m-s+1}$$

Venkatesan Guruswami, Linear-algebraic list decoding of folded Reed-Solomon codes, IEEE Conference on Computational Complexity, 2011


Extended Fuzzy Vault

- Starting point: d users
  - d secrets κ_1, ..., κ_d transformed into d polynomials p_1, ..., p_d
  - d sets A_1, ..., A_d
  - Security parameters ℓ and r < N
- Formalization for FRS codes
  - Let E be an alphabet containing N symbols x_1, ..., x_N
  - Each set A_i possesses t symbols among them
  - Each set A_i is associated with a function F_i such that

$$F_i(x_j) = \big(p_i(\gamma^{(j-1)m}),\ p_i(\gamma^{(j-1)m+1}),\ \dots,\ p_i(\gamma^{(j-1)m+m-1})\big)$$

    It is the j-th symbol of the FRS encoding of p_i:

$$p_i(X) \mapsto \Big( \big(p_i(1), p_i(\gamma), \dots, p_i(\gamma^{m-1})\big),\ \dots,\ \big(p_i(\gamma^{(j-1)m}), p_i(\gamma^{(j-1)m+1}), \dots, p_i(\gamma^{(j-1)m+m-1})\big),\ \dots,\ \big(p_i(\gamma^{n-m}), p_i(\gamma^{n-m+1}), \dots, p_i(\gamma^{n-1})\big) \Big)$$


Extended Fuzzy Vault

- LOCK algorithm
  - Evaluate the elements of the sets A_i with F_i and fill with chaff:

        S_i ← ∅, i = 1, ..., N
        cpt ← 0
        for i = 1 to N do
            for j = 1 to d do
                if x_i ∈ A_j then
                    S_i ← S_i ∪ {F_j(x_i)}
                end
            end
            if #S_i ≠ 0 then
                cpt ← cpt + 1
                for j = #S_i + 1 to ℓ do
                    y_i^j ∈ F_q^m \ {F_h(x_i)}_{h=1,...,d}
                    S_i ← S_i ∪ {y_i^j}
                end
            end
        end
        Fill randomly r − cpt empty sets S_i up to ℓ

  - Final vault V = {(x_i, S_i) | i = 1, ..., N}
  - N − r empty sets


Extended Fuzzy Vault

- UNLOCK algorithm
  - Given a set B = {b_i ∈ E | i = 1..t}, take the sets S_{j_1}, ..., S_{j_t} where j_e is such that x_{j_e} = b_e
  - Use Guruswami's list recovery algorithm with input ((x_{j_1}, S_{j_1}), ..., (x_{j_t}, S_{j_t}))
  - Restriction of the FRS code to FRS_{F_q, γ, m, t, k} of length t, with codewords of the form

$$\Big( \big(p(\gamma^{(j_1-1)m}), \dots, p(\gamma^{(j_1-1)m+m-1})\big),\ \dots,\ \big(p(\gamma^{(j_t-1)m}), \dots, p(\gamma^{(j_t-1)m+m-1})\big) \Big)$$

    for any p ∈ F_q[X] of degree at most k − 1
  - The algorithm outputs all codewords c = ⟨c_{j_1}, ..., c_{j_t}⟩ such that c_{j_e} ∈ S_{j_e} for at least (1 − ρ)t positions j_e, with

$$\rho = 1 - \Big(\frac{\ell}{s+1} + \frac{s}{s+1} \cdot \frac{mR}{m-s+1}\Big)$$

  - Corrects up to

$$\varepsilon = \frac{1}{s+1}\Big((s+1-\ell)\,t - \frac{s\,k}{m-s+1}\Big)$$

    errors
- Remark
  - The EFV scheme can also be constructed using other codes instead of FRS codes
  - They need to have a list recovery algorithm
  - However, with RS codes list recovery is suboptimal
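The FRS encoding, the EFV LOCK algorithm and the error bound ε of this UNLOCK slide, as an added Python example that is not part of the original slides. It builds the vault V = {(x_j, S_j)} over F_2053 with m = 4 (chosen because 4 divides q − 1 = 2052) and, in place of Guruswami's list recovery algorithm, which is not implemented here, counts for each user's polynomial how many query positions agree with the retrieved sets S_j; the three users, their sets, ℓ = 3 and r = 100 are constructed values, and max_errors is the slide's formula for ε.

```python
import random

Q = 2053          # prime field from the slides' PARI/GP implementation
M = 4             # folding parameter m; n = Q - 1 = 2052 must be divisible by m
N = (Q - 1) // M  # block length N = n/m = 513 positions x_1..x_N

def find_generator():  # smallest generator of F_Q^*, whose order is 2052 = 2^2 * 3^3 * 19
    for g in range(2, Q):
        if all(pow(g, (Q - 1) // f, Q) != 1 for f in (2, 3, 19)):
            return g

GAMMA = find_generator()

def poly_eval(p, x):  # Horner evaluation in F_Q; p lists coefficients, lowest degree first
    r = 0
    for c in reversed(p):
        r = (r * x + c) % Q
    return r

def frs_symbol(p, j):  # j-th symbol (1-based) of the m-folded RS encoding of p
    return tuple(poly_eval(p, pow(GAMMA, (j - 1) * M + u, Q)) for u in range(M))

def efv_lock(secrets, sets, ell, r, seed=0):
    """EFV LOCK. secrets[i] = coefficients of p_i; sets[i] = positions j in 1..N of user i.
    Genuine symbols F_i(x_j) fill S_j, every non-empty S_j is padded with chaff up to ell
    tuples, then r - cpt empty positions get ell chaff tuples; chaff never equals an F_h(x_j)."""
    rng = random.Random(seed)
    S = {j: set() for j in range(1, N + 1)}
    for i, A in enumerate(sets):
        for j in A:
            S[j].add(frs_symbol(secrets[i], j))
    if any(len(s) > ell for s in S.values()):
        raise ValueError("more than ell users share one position: EFV cannot encode it")
    def chaff(j):
        genuine = {frs_symbol(p, j) for p in secrets}
        while True:
            y = tuple(rng.randrange(Q) for _ in range(M))
            if y not in genuine:
                return y
    cpt = sum(1 for s in S.values() if s)
    fill = [j for j in S if S[j]] + rng.sample([j for j in S if not S[j]], r - cpt)
    for j in fill:
        while len(S[j]) < ell:
            S[j].add(chaff(j))
    return {j: frozenset(s) for j, s in S.items()}  # V = {(x_j, S_j) | j = 1..N}, N - r empty

def agreement(vault, B, p):  # query positions whose S_j holds p's symbol; must reach (1 - rho) t
    return sum(frs_symbol(p, j) in vault[j] for j in B)

def max_errors(t, m, s, ell, k):  # epsilon of the UNLOCK slide, rounded down
    return int(((s + 1 - ell) * t - s * k / (m - s + 1)) / (s + 1))

def demo():
    """Constructed: 3 users, t = 22, k = 14, ell = 3, r = 100; users 1 and 2 share 5
    positions; the query B has 20 of user 1's positions plus 2 that nobody marked."""
    rng = random.Random(7)
    secrets = [[rng.randrange(Q) for _ in range(14)] for _ in range(3)]
    pos = rng.sample(range(1, N + 1), 63)
    common, rest = pos[:5], pos[5:]
    sets = [common + rest[:17], common + rest[17:34], rest[34:56]]
    vault = efv_lock(secrets, sets, ell=3, r=100, seed=1)
    B = sets[0][:20] + rest[56:58]
    return [agreement(vault, B, p) for p in secrets], sum(1 for s in vault.values() if s)
```

demo() returns agreements [20, 5, 0] for the three users and 100 non-empty sets; max_errors(22, 5, 4, 3, 14) gives 3, the value in the e column of the PARI/GP results table.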


Security of EFV

- Uniform case
  - Uniform distribution (the assumption of the FV scheme)
  - Number of possible polynomials, for each μ > 0, with probability at least 1 − μ:
    - FV with parameter r: $\mu^3 q^{k-t} (r/t)^t$
    - EFV with parameters ℓ, r: $\mu^3 \ell r\, q^{k-t} (r/t)^t$
- General case (FRS codes)
  - Any distribution for the A_j
  - Conditional min-entropy, as defined for secure sketches:

$$\Big(l \log_2 \binom{N}{t} - \log_2 \binom{N}{\lambda}\Big) + \log_2 \binom{r}{\lambda} - (mt - k)\, l \log_2 q$$

    where t ≤ λ ≤ lt is the number of indexing sets covered by genuine points
  - Comparable entropies between EFV with l users and l independent FV schemes
  - r needs to be large to ensure high entropy


Results

- Advantages with respect to the classical Fuzzy Vault
  - One single decoding
  - Smaller vault size for the same entropy
  - Less chaff is needed, due to the multiple sets
- Limitations of the scheme
  - Restrictions on the parameters: ℓ can't be too big
  - People involved in the scheme can't all love the same movie
  - Output list size can be very big
  - Limitation on the number of sets in the scheme
  - Memory space grows quickly
- Implementation using PARI/GP
  - EFV scheme with 100 users on F_2053
  - On a common desktop computer (Intel Core 2, 2.8 GHz, 3.5 GB RAM)

        t    m    s    ℓ    k    e    System size    Execution time
        22   5    4    3    14   3    132*133        125 ms
        50   10   8    6    15   12   900*905        14.5 sec
        73   14   11   8    16   20   2336*2343      6 min 44 sec


/04/Conclusion


Conclusion

- Achievements
  - Functional scheme
  - Less memory space for the same security
- Outlook
  - Find decoding algorithms with smaller output list size in order to embed more sets in one vault
  - Adapt EFV to the fuzziness of biometric data


Thank you for your attention

Questions?
