fuzzy commitment ari juels rsa laboratories ajuels@rsasecurity.com dimacs workshop on cryptography:...

Fuzzy Commitment

Ari JuelsRSA Laboratories

ajuels@rsasecurity.com

DIMACS Workshop on Cryptography: Theory Meets Practice15 October 2004

Part I:Data secrecy in biometric authentication systems

The Classical View of Biometric Authentication

Is it Woody? Yes, it’s Woody!

The Classical View of Biometric Authentication

Is it Woody? Yes, it’s Woody!

WoodyAllen

=?

The Classical View of Biometric Authentication

WoodyAllen

=?

Hello,Mr. Woody Allen

In these scenarios, biometric data need not be kept secret

• Spoofing is difficult with human oversight

• Indeed, your face is public anyway • (Assuming, of course, that passport

is not a forgery)

But what happens when…

A human-guided process

WoodyAllen

=?

Becomes automated?

WoodyAllen

=?

Secrecy of biometric data is now more important to

security• Reason 1:

Automation will mean relaxation of human oversight– More opportunity for

spoofing– Spoofing iris / face

readers with printed images, “gummy” fingers, etc.

Schiphol airport: Iris scanning

Secrecy of biometric data is now more important to

security• Reason 2: Spillover

into remote / home authentication!

WoodyAllen

Woody’s PC

Server

And revocation is hard!

First password

Second password

Yet passports will transmit biometrics via RFID to any

standard reader…

WoodyAllen

Clandestine scanning

10cm range under legal conditions

How much with a rogue reader? One meter?

How much from eavesdropping on legitimate reader?

Optical keys / Faraday cages?

ICAO (International CivilAviation Organization) standard –imminent adoption through DHS effort

But isn’t my face public anyway?

Copying a biometric is somewhat like copying a painting…

•Facial images require special conditions for matching to work. In U.K., you’re not allowed to smile in passport photos any longer!•Best for forger to have target image, i.e., one in passport serving as basis for authentication•Iris and fingerprint are harder to capture than face

Suppose you want to copy a painting…

snapshot professional photo

Part II:Towards secrecy in biometric

authentication systems

password

Cryptographic tools for password secrecy

password

Cryptographic tools for password secrecy

h (password, salt)

Epassword[key]

Password-based key agreement

Cryptographic tools for biometric secrecy

h ( , salt)

E [key]

Finger-based key agreement?

?

Problem: Biometrics are variable,

i.e., error-prone…

• Differing angles of presentation• Differing amounts of pressure• Chapped skin

and standard crypto does not tolerate errors!

WoodyAllen

!

We want “fuzzy” cryptography

• Error-tolerant crypto primitives– E.g., Ek[m]Dk’ [ ]= m if k ≈ k’

• Body of “fuzzy” crypto literature:– Davida, Frankel, & Matt ’98– “Biometric encryption” (breakable)– Juels & Wattenberg ’99 (“fuzzy commitment”)

Application of FJ ‘01 to “life questions” now in RSA product…

– Monrose, Reiter, & Wetzel ’99 + follow-on– Juels & Sudan ’01– Dodis, Rezyin, & Smith ’04– Boyen in ten minutes…

But no rigorous application to real biometrics yet!

Why everybody has nice eyes

• An iriscode has an estimated 250 bits of entropy! – Contrast 1/10,000 false

acceptance for fingerprints…

– Most people have two eyes!

• Hamming distance is the metric for iriscode similarity– E. g. , fuzzy commitment

applies directly…

iris

iriscode

Why it’s not so easy…

• An iriscode can be as long as 4096 bits– Where are those 250 bits of entropy hidden?– Bits are not independent…

• Signal processing data folded into iriscode• Eyelids, eyelashes, and reflections can

occlude much of iris• We could get only 37 pairs of eyes for

experiments…

A first attempt

Tricks:1. Use staggered samples: yields up to 75 independent bits2. Use multiple scans to reduce error rate3. Play some ad-hoc tricks with signal-processing data

Result: Able to extract a 60-bit or so key from a pair of irises, but how much were methods fitted to data?

Conclusion

• Ongoing work (joint with Mike Szydlo & Brent Waters)– Trying to understand iriscode distribution– Need programming help!

• Other groups trying to apply fuzzy crypto to fingerprints

• Natural place where theory (crypto) meets practice (the human being)– … and error-prone devices too, e.g., POWFs,

PUFs…• With biometrics on the march, imminent

surge of interest in these techniques?