Ari Juels, RSA Laboratories
Marty Wattenberg, 328 W. 19th Street, NYC
A Fuzzy Commitment Scheme
Biometrics
Biometric authentication: Computer Authentication through Measurement of Biological Characteristics
Types of biometric authentication
Fingerprint scanning
Iris scanning
Voice recognition
Face recognition
Body odor
Many others...
Authenticating...
Enrollment / Registration
Alice, Server
Template t
Authentication
Alice, Server
Server verifies against template
?
The Problem...
Template theft
Limited password changes
First password
Second password
Templates represent intrinsic information about you
Alice
Theft of template is theft of identity
Towards a solution
“password”
UNIX protection of passwords
“password” h(“password”)
“Password”
Template protection?
h( )
Fingerprint is variable
Differing angles of presentation
Differing amounts of pressure
Chapped skin
Don’t have exact key!
We need “fuzzy” commitment
( )
Seems counterintuitive
Cryptographic (hash) function scrambles bits to produce random-looking structure, but
“Fuzziness” or error resistance means high degree of local structure
Error Correcting Codes
Noisy channel
Alice, Bob
“Alice, I love… crypto”
Error correcting codes
Alice, Bob
“110”
g: 110 → 111 111 000
Function g adds redundancy
Bob
g: message space M (3 bits) → codeword space C (9 bits), codeword c
Error correcting codes
Alice, Bob
“111 111 000”
f: 101 111 100 → 111 111 000
Function f corrects errors
Alice
f: word in C (9 bits) → codeword c
Alice uses g⁻¹ to retrieve message
g⁻¹: C (9 bits) → M (3 bits)
Alice gets original, uncorrupted message
110
Constructing C
Idea: Treat template like message
W
g
C(t) = h(g(t))
What do we get?
“Fuzziness” of error-correcting code
Security of hash function-based commitment
Problems
Davida, Frankel, and Matt (‘97)
Results in very large error-correcting code
Do not get good fuzziness
Cannot prove security easily
Don’t really have access to “message”!
Our (counterintuitive) idea:
Express template as “corrupted” codeword
Never use message space!
W
t
w
t = w +
h(w)
Idea: hash most significant part for security
Idea: leave some local information in clear for “fuzziness”
How we use fuzzy commitment...
Computing fuzzy hash of template t
Choose w at random
Compute = t - w
Store (h(w), ) as commitment
(h(w),)
Verification of fingerprint t’
Retrieve C(t) = (h(w), )
Try to decommit using t’:
– Compute w’ = f(t’ - )
– Is h(w’) = h(w)?
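Added example, not from the original slides: the commit and verify steps above over bit strings, where t - w becomes XOR and the code is the slides' 3-fold repetition code g/f, extended here to templates longer than 9 bits. SHA-256 as h, the name `offset` for the stored difference, and the helper names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

REP = 3  # each message bit is repeated 3 times, as in the slides' g

def g(msg_bits):
    """Add redundancy: 110 -> 111 111 000."""
    return [b for b in msg_bits for _ in range(REP)]

def f(word):
    """Correct errors: majority vote per group gives the nearest codeword."""
    out = []
    for i in range(0, len(word), REP):
        bit = 1 if 2 * sum(word[i:i + REP]) > REP else 0
        out.extend([bit] * REP)
    return out

def h(codeword):
    # Assumption: SHA-256 stands in for the hash function h.
    return hashlib.sha256(bytes(codeword)).digest()

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def commit(t):
    """Pick a random codeword w; store only h(w) and the offset t - w."""
    if len(t) % REP:
        raise ValueError("template length must be a multiple of REP")
    w = g([secrets.randbits(1) for _ in range(len(t) // REP)])
    return h(w), xor(t, w)  # over bits, subtraction is XOR

def verify(commitment, t_prime):
    """Decommit with a fresh reading t': is h(f(t' - offset)) == h(w)?"""
    hw, offset = commitment
    if len(t_prime) != len(offset):
        return False
    w_prime = f(xor(t_prime, offset))
    return hmac.compare_digest(h(w_prime), hw)

if __name__ == "__main__":
    t = [1, 0, 1, 1, 0, 0] * 16            # constructed 96-bit "template"
    c = commit(t)
    noisy = t[:]
    noisy[4] ^= 1                          # one flipped bit in a group
    print(verify(c, t), verify(c, noisy))  # True True
    noisy[5] ^= 1                          # two flips in the same group
    print(verify(c, noisy))                # False
```

With this code only 32 random bits sit behind h(w) for a 96-bit template, so it shows the mechanics rather than a deployable parameter choice.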
Characteristics of
Good fuzziness (say, 17%)
Simplicity
Provably strong security – i.e., nothing to steal
Open problems
What do template and error distributions really look like?
What other uses are there for fuzzy commitment?
– Graphical passwords
Questions?