EXTENDED PRIVATE INFORMATION RETRIEVAL (EPIR)AND ITS APPLICATIONIN BIOMETRICS AUTHENTICATIONS

AUTHOR: SUMUKHI CHANDRASHEKAR

AGENDA Importance of Privacy

Live examples: Bank, Location retrieval by defense Thus, Private Information Retrieval (PIR)

Formal definitions and PIR Models Privacy Properties of PIR PIR Approaches

An example: Almost optimal PIR An example: Helger Lipmaa’s Protocol

Another Generation of PIR EPIR for Biometrics' Authentication Privacy Properties of EIPR

EPIR Protocols Testing Equality Hamming Distance

Authentication Schemes Using Biometrics The first Scheme: with the use of secure sketches Second Scheme: Iris data Comparison between EPIR Equally and EPIR Hamming

distance Conclusions Future Research Questions

IMPORTANCE OF PRIVACY: BANK

Account Information

Credit Card Information

LOCATION RETRIEVAL FOR DEFENSE

Location1

Location2

PRIVATE INFORMATION RETRIEVAL (PIR)FORMAL DEFINITIONS & A MODEL

Private information retrieval (PIR) is a general problem of privately retrieving the ith record from an N-record array stored on the server.

(Based on: Querying Data Base Privately, Dmitri Asonov,1998)

PRIVACY PROPERTIES OF PIR

User-Privacy

i B

query E(Q(i))

reply E(B(i))

PIR APPROACHES

Theoretical Private Information Retrieval -Trivial solutions

Hardware – Based Private Information Retrieval,

Using a special Hard ware - SC(Secure Co processor)

PIR with Preprocessing and Offline Communication

Number Theory Based(Computational)

PIR APPROACHES - TRIVIAL

HARD WARE BASED PROTOCOL

DATABASE

Reads the entire Data Base, But keeps only R i

Secure Co Processor

SERVER

CLIENTSends e(Query i, Pk) and Retrieves i

EVALUATION SUMMARY FOR HARD WARE BASED & PRE PROCESSOR

Parameter Protocols Ideal Protocol

[SS00 - SS01] (S C based)

[BDF00 - SJ00] (Pre Processing)

Communication(online)

Optimal Optimal Optimal

Response Time O(N) O(1) O(1)

Communication(offline)

NO O(N) NO

Pre Processing NO YES YES

AN EXAMPLE FOR PIR: ALMOST OPTIMAL PIR

Basic Idea of the Protocol Previous approaches that used SC(Secure Co

Processor), O(1) communication complexity but O(N) complexity of Responses

The Pre Processing approaches, O(1) response time but O(N) communication complexity

Combine the 2 above approachesSteps involved in our Protocol

Preprocessing data inside SC Process Query online Protocol for SC and Users

BASIC PROTOCOL MODEL

USER

SERVER

The Model is based on the book: Querying Data Base Privately, Asonov

STEPS INVOLVED: PREPROCESSING DATA INSIDE SC

The Purpose To generate permutation of the data base

records (N) , transforms DB into DB П , Such that

DB [i] = DB П[П[i]] SC keeps the shuffle index as a secrete Server does not know the Index of shuffling

THE PROTOCOL

Protocol between Server and Client to process the query

i

E R(?)

E R(?)

INTER NAL

V1 index

PROCESSES QUERY ONLINE

Required: DB shuffled & V1 , a copy of the shuffled records and the index of DB shuffled

k: The sequence number of the query being processed

i: The number of DB record requested

Ensured: Answer, R I , the record retrieved without server’s knowledge.

3 steps are involved Read the already accessed records, If found,

Return Read all records in the cache of DB shuffled , if

found, Return Randomly select records from DB and put into

cache

AN OBLIVIOUS TRANSFER PROTOCOLAUTHOR: PROF. LIPMAA

CIPR l n Protocol, with log-squared

communication Length flexible additively homomorphic

public key crypto system with additional length parameter involved

LFAH is 3 tuple , [Gen, Encrypt, Decrypt]

Generator Algo

Encrpt(pk,s,m,r) decrpt(sk,s,c)

OVER VIEW

A CPIRnl protocol (Query; Transfer; Recover)

Consider S sized DB as an dimensional database

Index every element of S to S[i] ….. S[] Use homomorphic property to create a new

DB S1

With -1 dimension, such that new S1 = Encrypt(S)

Recursively perform this procedure until we get S that is encryption of S[q]

s >=1: encrypts plaintext of sk bits to a cipher text of (s+1)k bits

E s K(m1) . E s K (m2) = E s K (m1+m2) , Thus also E s+1 K(m1) . E s K (m2) = E s+1K (m1 . E s K

(m2) )

GENERIC IDEA WHEN THE RANGE = 2

11 = 12 = 13 = 14 =

E s K(0) E s K(0) E s K(0) E s K(0)

(1,1)

(2,1)

(3,1)

(4,1)

(1,2)

(2,2)

(3,2)

(4,2)

(1,3)

(2,3)

(3,3)

(4,3)

(1,4)

(2,4)

(3,4)

(4,4)

w11 = i 1i (1,i) E s K ((1,1 ))

w12 = i 1i (1,i) E s K ((2,1 ))

w13 = i 1i (1,i) E s K ((3,1 ))

w14 = i 1i (1,i) E s K ((4,1 ))

ALGORITHM IN DETAIL

Inputs: Alice has query i [n], Bob has D = (D1, .. Dn) where Dj ZN

Alice generates a new public/private key pair (pk, sk) for an additively homomorphic secure public-key cryptosystem E

Alice generates her message a Epk (i ; *) and sends

A(i) (pk, a) to Bob, He stops if Public is not valid Bob does for every j {1, . . . , n}, he

Sets bj (a/Epk (j ; 1))* · Epk (Dj ; *) Bob sends (b1, . . . , bn) to Alice, Alice decrypts bi

and obtains Thus Di = Dsk (bi )

CORRECTNESS AND SECURITY Bob does for every j{1, . . . , n}

Sets bj (a/Epk (j ; 1))* · Epk (Dj ; *) Since a = Epk (i ; * ),

bj = (Epk (i ; * )/Epk (j ; 1)) · Epk (Dj ; *) Because E is additively homomorphic,bj = (Epk (i − j ;* ))* · Epk (Dj;*) = (Epk (*· (i − j );

r )) · Epk (Dj;*)for some rIf i = j thenbj = Epk (0; r ) · Epk (Dj ; *) = Epk (Dj ; * )and thus Dsk (bj ) = Dj Thus Alice obtains Di

COMPLEXITY & PROTOCOL ANALYSIS

Suitable for sending integers from Zd User sends (s+( +1/2)) n1/ k bits Sk = log (d) => ( log(d)+ ( +1/2)k) n1/

bits Optimal if = O(log2n)

GENERALIZATION OF PIR – EPIR FOR BIOMETRIC DATA

Motivation Processing sensitive information such as

biometrics. Biometric data can be represented as

Strings.

FORMAL DEFINITION OF EPIR

Generalized concept of PIR The concept of SC Shuffling of Database

EIPR protocol enables user to retrieve a block data as a function of (Block of Database, Input)

This is an extension to PIR: with f (Ri , x) = Ri

PRIVACY PROPERTIES OF EPIR

User Privacy Database Privacy

USER PRIVACY – ATTACK GAME

Assume , adversary A plays the role of the database, and tries to learn some information from the user. The function f is fixed:

Definition First instance of A, generates the database:

(R1,R2, · · · ,RN) , N records in Database A outputs (i0, i1, x0, x1) : The Part of

database & input String The user randomly chooses b in {0, 1} and

issues a retrieve-query on input (ib, xb) with A

A outputs a guess b1.

DATA BASE PRIVACY – ATTACK GAME

Assume A plays the role of the user, and tries to distinguish between the execution with an actual database, from the execution with a simulator. The function f is fixed:

Definition The challenger, Data Base randomly chooses b

in {0, 1}.If b = 0 then A will interact with an actual database.If b = 1 then A will interact with a simulator S that,

for a retrieve-query on input (i, x), only knows f (Ri , x).

User A generates the database: (R1,R2, · · · ,RN) , N record Data Base

User A issues retrieve-queries , May query the Data base or the Simulators

Then, A outputs a guess b1.

SECURE EPIR

An EPIR protocol must satisfy User-Privacy: The attacker must have

negligible advantages of guessing b1 Database-Privacy: The attacker (User) must

have minimum knowledge while guessing b1.

EPIR PROTOCOLS

Equality : ElGamal Variant Hamming Distance :BGN

EQUALITY EPIR PROTOCOL

I B

Compare information form User U and a Block B from the DB

f(R b , i) == 1 , if they are equal Else 0.

EQUALITY EPIR PROTOCOL

Variant of ElGamal:sk = x pk = y = gx ξ(m) = ξ(m, r ) = (gr , yrgm). User U wants to retrieve the value f (R i ,m) U generates an ElGamal key pair (pk (Public

Key), sk (Private Key)) U first sends pk and c = ξ(i & m) to the DB DB generates a randomized database:Cj = (c/ ξ(j & Rj )) rj = ξ ((i& m − j & Rj ) × rj) U and DB run a PIR protocol to retrieve Ci : U then decrypts Ci . It decrypts to 0 iff m = Ri

.

SECURITY OF EPIR EQUALITY

User-Privacy: PIR user-privacy + DDH , Therefore, EPIR achieves better user-privacy

Database-Privacy: EPIR unconditionally achieves database-privacy.

BIOMETRIC APPLICATION FOR EPIR EQUALITY

User U has to be authenticated by Server S through Client C and DB is the database which stores the relevant information

The two phases in Biometric AuthenticationEnrollment

Registration with DB Enc(ID I, Ri)

Registration, ID i

(m,m1,)

Authentication

Client C will extract the Biometric template of U C sends ID I to server and X to DB (Encg(g ID i/ b I ,

pk) DB generates a Randomized database Server runs PIR to retrieve c I Dec(ci, sk) == 1, then Equal strings and thus

accepts the request

Biometrics adjusted

ID I & (Encg(g ID i/ b I , pk)

TO VERIFY IMPERSONATION

HAMMING DISTANCE PROTOCOL WITH BGN

U wants to compute the Weighted Hamming distance between a string S chosen by itself and a block Ri from DB:

Notation: for an l-bit string S, S(k) is the k-th bit of S.

Weights: the weight vector is (w1,w2, · · · ,w), where wk are integers (1<=k<=l).

Function:f (Ri ,S) =∑k=1

l1 wk × (Rki (+) Sk)

BGN BASED HAMMING DISTANCE PROTOCOL U wants to retrieve f (Ri ,X): U generates a pk(public key) = (n, G, G1,ê ,g,

h) and sk=q1 To retrieve f (Ri ,X), User has to send (c, ck)

to the server where c=gI hr & ck = gX(k)

hsk ,where 1<=k<=l 1 & 1<=i<=n Once the server receives (c, ck), the server

would compute mj,k , where

mj,k = ˆe(g, g)X(k)⊕R(k)j ˆe(h, g)sk (1−2 R(k)j )

Compute Cj, where rj, rj are randomly chosen from Zn (Partion the DB)

And, finally U runs PIR to retrieve Ci

SECURITY OF EPIR HAMMING DISTANCE

User privacy: If the PIR protocol achieves user privacy, the EPIR protocol for computing Hamming distance achieves user privacy based on the subgroup decision assumption.

Database privacy: The EPIR protocol for computing Hamming distance achieves database privacy (unconditionally).

BIOMETRIC APPLICATION FOR EPIR HAMMING DISTANCE PROTOCOL The server S makes the decision based on

the exact matching of the biometric pattern The two phases in Biometric Authentication

Enrollment

Registration, ID i

Registration with DB Enc(ID I, i k)

Authentication Client C extras the biometric pattern ,sends c

and ck to the DB and sends ID I to the server The DB computes the hamming distance

(typically runs EPRI Hamming distance) S runs EPIR protocol to retrieve Ci and

computes d, Such that Cq1i = ˆe(gq1, g)d

If d is less than the threshold value, it accepts

COMPARISON BETWEEN THE 2 ABOVE BIOMETRICS AUTHENTICATION

Hamming distance biometrics is better for the following reasons No need for storing Sketch by Client U (user) need not store any information It works for noisy sketch also

FURTHER RESEARCH AREAS

Further optimize the on-line computation and communication, and gain a full use of such real-world assumptions, as preprocessing and off-line communication.

Similarity Comparison implementation.

CONCLUSIONS

This Presentation has discussed a new Generalization of PRI and two of its Protocol Types

The randomizations of the database are been provided in both protocols in order to achieve Privacy of Information.

We also have seen how to construct strong privacy using these protocols on biometrics data

REFERENCES

6th International Conference, CANS 2007 Singapore, December 8-10, 2007 Proceedings

Dmitri Asonov ,Querying Data Bases Privately Atallah, M.J., Frikken, K.B., Goodrich, M.T.,

Tamassia, R., Secure biometric authentication for weak computational devices. Financial Cryptography, 357–371 (2005)

Ostrovsky, R., Skeith III, W.E.: A survey of single database PIR, Techniques and applications. Cryptology ePrint Archive: Report 2007/059 (2007)

THANK YOU

Questions?