Identification and Key Distribution Based on Biometric Information

Prof. Dr. Valery KorzhikUniversity of Telecommunications

St. Petersburg (Russia)-2007-

2

1. Identification of users

Alice y(password)

?

f(.) – one way function

Important remark:With the use of one-way function it is assumed that “y” is distributed trullyrandomly. Otherwise – nothing is taken for granted.

Defects of this approach:• Good password can be forgotten by Alice,• Storing of password in memory increases the risk of its theft,• Short password can be easy memorized but it can be easy found by

adversary

Access controlx=f(y)

x

3

Conventional key applicationAlice

К(secret key)

Shortcoming of this approach:The key that is storing in some memory can be stolen or erased

How can we remove this defect?Use Alice’s biometric or her psychology.

«My body is my password»[1]+

Psychology: say Alice’s preferences are: young, rich and healthy men.

КEncryption/decryption,

Digital signature

4

Biometrics as a source of passwords and keys

The main types of biometrics:• Palmprint verification,• Iris biometric,• Face recognition,• Fingerprint system,• Speaker recognition,• Signature system,• Keystroke biometrics,• Using a small subset of values from a large universe (e.g. favorite movies),• A combining of methods.

Remark:Both hardware and software to transform human biometrics into digital form were designed by many companies [1].

Defects of biometrical approach:Digital data producing by biometrics are not truly random and it is very difficult to reproduce them repeatedly.

• Vein pattern• Ear• Facial thermogram• Gait

5

Configuration of pattern recognition system [1]

The main methods using in recognition:• Image segmentation• Pattern classification• Discriminant functions• Bayes and non-Bayes classification• Neural networks• Support vector machine

Model of recognition:-set of features

-the feature of i-th userThen it is possible to store data as ,where h – OWF (one way function)However, if the recognition follows to the rule , then - cannot be used.

Dataacquisition

Datapreprocessing

Featureextraction

Decisionclassification

preprocessing

Physicalvariables

∑ =−′=

L

j ijiji

xxArgi1

2 )(min ρ)( ijxh

)( ijxh

1X

1ix

2X

2ix

LX

iLx

Class

6

Methods to remove defects:1. Recognition on biometrics. (Then the parameters have to store in secret)2. The use of secure sketch [2] – SS3. The use of fuzzy extractors [2] – FE

Definition and properties of SS and FE.Non-formal definition:

SS:(for identification on BI)

FE:(for key generation on BI)

ω s = f(ω)

ω’ω’ ω’is “close” to ω

ω

ω’

R = R(ω)

P = P(ω)

ω’ ω’ is “close” toω

R – is truly random even if it is known Pthat is stored publicly

7

1. Hamming metrics)',( ωωρH = is the number of position in which binary vectors ω and 'ω are

differentExample. 10011=ω 3)',( =ωωρH

01010'=ω(This metrics is very natural for BI)2. Set difference

where “ ” is symmetric difference of the sets A and 'A .|B| is a cardinality of B.Example. },6,5,4,3,2,1{=U 4,3,2,1, =⊆ AUA

6,5,2,1,6,5,4,3, =Δ=⊆ BABUB

2),( =BASρ

Psychometry: A selection of small subset from a large universe (e.g. favorite movies)

,'21)',()',( AAAASS Δ== ρωωρ

Specification of the notion “ is close to “:'ω ω

Δ

Δ

8

3. Edit distance

21)',( =ωωρe (is the minimum number of omissions and insertions that

are needed in order to transform ω into 'ω ) Example. 1̂10101 /=ω 110111'=ω 1)',( =ωωρe (This distance is very natural in recognition of handwritten text.)

9

3. Exact definition SS and FE: Let us Μ be metrix space,

- is given metrix

),',,( tmmΜ - SS is randomized mapping

*

)(}0,1{→Μ

ω with a following properties:

(i) (...)Rec∃ such that ))(,'(Rec ωωω SS= for all t≤Μ∈ )',(,', ωωρωω .

(ii) '))(|(~

mWSSWH ≥∞ for any random variable W on Μ , having mWH =∞ )( , where ))Pr(maxlog()( WWH

W−=∞

})2{log())(|( ))(|( sWSSWHsEWSSWH =−

∞∞−=

Remark: The condition (ii) makes impossible to recover W given )(WSSs = unconditionally (that means that it cannot be recovered

independently on computing power of opponent!)

)(,, ρN=Μ

10

),,,,( εtlmΜ - FE is determined by two procedures: (Gen, Rep): (i) Gen – is randomized mapping

lRW }1,0{∈⇒Μ∈ P ,

for which ε≤),,,( PUPRSD l , if mWH ≥∞ )( . (ii) Rep – is deterministic procedure P),'Rep(ω=R , if t≤)',( ωωρ , where ),( YXSD - is statistical distance between two probability distributions on X and Y , e.g.:

∑ =−==v

rr vYPvXPYXSD )()(21),( .

Remark: The small value (...)SD means that the probability distribution on lR }1,0{∈ is close to uniform distribution )( lU even known P , (e.g. it is

close to truly random variable).

11

Identification based on BI using SS

Remarks:1. Storing s in memory does not require a protection2. One way functions are not needed3. Good statistical properties (close to truly randomness) for

s=SS(ω) are not provided (but they are not required)4. It is necessary to provide a condition mH ≥∞

Server for access control

Identification

Alice (BI)Initialization ω

ω′

Calculation ( ) sSS =ωMemory (s)

Calculation ( ) s~~SS =ω

Calculation( ) ωω ~s,cRe =′

Comparison s with .Taking a decision.

s~

12

Key generation based on BI using FE

Remarks:1. Key R is close to truly random value.2. Storing Р, Е in memory does not require protection.3. Calculation and storing P can be performed in a reader of BI.4. It is necessary to protect P against a forgery by adversary (the use

of digital signature or “robust fuzzy extractors” – see further)

Alice (BI) ω

ω′Alice (BI)

Calculation the key RCalculation PMemory (P, E)Encryption

( )R,MfE =Calculation the key

( )ω′,PRDecryption

( )R,EM ϕ=

13

4. Design of FE given SS and SE (strong extractors)

Definition SE.

SE – is randomized mapping: { } { } { }ldn 1,01,0,1,0 → such that for input strings { }n1,0∈ω with arbitrary probability distribution but with min entropy at least m′ ;

( )( ) ,X,U,X,WSESD l ε≤

if { }d,X 10∈ , ( ) lUXPr = . Clear demonstration of SE. This is a generator of “good” output randomness (close touniform distribution) presented as binary string of shorter lengthl than it’s input binary string of the length n that has “bad” randomness given short (length d) truly random seed, whereasthe knowledge of this seed does not affect on good outputrandomness.

14

How to design FE given SE and SS?Let us assume that there is SS(M, m, m′, t) and SE(n, m′, l, ε) with

( )ε/1log2−′= ml . Then the following construction (Gen, Rep) gives FE(M, m, l, t, ε):

– Gen(X

X,X;W 21 ): ( )( )21 ,; XXWSSP = , ( )2X,WSER = .

– ( )P,WRep ′ : ( )P,WcReW SS ′= , ( )2X,WSER = .

2x

2x( )2X,WSS

ωSSREC

Ω

X 1X2X

ω

ω′1

X2

X2

15

Conclusion: In order to design FE we have to design both SS and SE.

Construction SS for Hamming distance.Let C is (n,k,2t+1) error correcting code (not necessary linear).Then:SS(ω,x)= ω⊕C(x), where x is chosen randomly and С(x) is a code word,

Rec(ω',SS(ω): ω' ⊕ SS(ω,x)= ω' ⊕ω⊕C(x)=e⊕C(x), te ≤// ,where /e/ is Hamming weight of e.D(ω' ⊕ SS(ω,x))=D(e⊕C(x))=x, where D is a decoding procedure under the condition that C corrects at least t errors. Thenω= SS(ω,x) ⊕C(x).It can be proved [2] that: m'≥m-r, ∀ m,r.

SS(ω,x)

ω

x Encoder

Practical implementation of SS:If C is linear code then (syndrom to w on the code C),e.g. , where H is check matrix of the code C.In this case a randomness X is not required at all!In fact, let us take s=SS(ω)= ωH and ω’= ω e, where e is error pattern over the weight at most t. Then we have ω’H=(ω e)H== ωH eH that gives relation eH= ω’H s. Since C is capable to correct all errors of the weight at most t, we can recover e on givensyndrom eH. After that we can recover ω as follows: ω = ω’ e.If , e.g. , then we getFE: R=X,

This construction does not work in general case, because if , then P gives a leakage of information about X=R.

)()( ωω csynSS =

HSS ωω =)(

nU∉ω

nmWH ==∞ )(

),(XCP ⊕=ω

nUW ∈

)(),( ωω ′⊕=′ PDPREP

16

⊕⊕

⊕ ⊕

⊕

In order to design FE it is necessary to design SE.Trevisan’s extractor:

Parameters of Trevisan’s extractor:

vnnvcc

ncWHl 2~;logO ,log;

log1logOd ;)(

222

22 =⎟

⎠⎞

⎜⎝⎛==⎟⎟

⎠

⎞⎜⎜⎝

⎛⎟⎠⎞

⎜⎝⎛== ∞

ελ

ε

Error correcting code

…1 2 l

w),~( nn

…

Block schemes

…

S1 :

0 11

2

d

1

1

0

0

1

... …

…

…

…

00 … 0 … 00

00 … 0 … 01

00 … 1 … 11

11 … 1 … 11

a1, a2, … , av

u

1

0

0

1

Random binarysequence(seed)

s11,s12,…,s1v

s21,s22,…,s2vS2 :

sl1,sl2,…,slv

si1,si2,…,sivSi :

Sl :

0

0

1

Boolean functionγ

)(af

i0...

17

Almost universal class of hash functions[6]

.

Definition. A family of mapping }{ ihH = ln }1,0{}1,0{ → is called δ -almost universal )( AU−δ , if for any

:xx ≠′ δ≤′= ))()(Pr( xhxh ii under uniformly selected ih from the set H. In a particular case when l−= 2δ we get a conventional family of universal hash functions. Asymptotic behavior of parameters for some classes of AU hash functions has been considered in [6]. However constructive methods todesign such hash functions are not sufficiently advanced. In application to authentication problem AU functions were used in [7].

18

Reducing AU to SE

Statement [8].Let us consider any m, and . Then if

is AU for , it results in the fact that H is SE.Thus, if it is known how to design AU then it is known also how to design SE with some given parameters. But constructive methods to design AU are known not so much

0>ε lml 2−≤{ } { }{ }ln

ihH 1,01,0: →= )1(2 2εδ += −l

Reducing of linear q-ary codes to SE If qTqkT ])/11(,,[ δ−− is some q-ary linear code with given parameters, then the exists )2/,/1( δδ q - extractor that can be presented as ixCxExtr == )]([),( ωω , where )(ωC - code words corresponding to ω and ix=[.] - is a random choice of i-th symbol. 19

20

How to use SE in a solution of key distribution problem [3, 4]

Two main techniques to solve key distribution problem:1. Privacy amplification (РА)2. The use of SE

Model of key distribution:

s

A B

E

Channel of publicdiscussion

а) Е - is passive eavesdropper

Y ( )BεX ( )Aε б) Е - is active eavesdropper but

EB ,, εεεΑ are any but :( )02

1 >≠ ΕΑ εεε ,, B

( ),, B ΕΕΑ << εεεε

Z ( )Eε

21

1. Privacy amplification (РА)

X, Y – the strings received by A and B, C – the string of check symbols to X (on the code V), h – hash function

( ) ( ) 1~Pr1~Pr ≈=⇒≈= KKYX

A B

X

Ch

K

Y

C

hY~

K~Noiseless channelof public discussion

22

Privacy amplification (continuation)

( ) ( ) 2ln2;;/ lttn chCZKI −−−−≤ , if AEAB εε < . where: n – the length of the strings X,Y,Z;

Z – the string received by E; t – the number of bits in С; l – the length of the key К; ct – Renyi information about the string X given Z.

For BSC ZX → with error probability AEε ,

( )( )( )22 1 AEAEc logNt εε −+−= , where EAEAAEBABAAB εε εεεεεεεε 2 ,2 −+=−+= If AEAB εε > , then it is necessary to perform some information exchange protocol over public discussion channel before hashing.

23

Hashing with class of universal hash functions

[ ]lhxK ×= , where «×» is multiplication over the field ( )nGF 2 , [ ]l – a choice of l bits from the string of the length ln ≥ . The strings h should be taken uniformly distributed.

Defects of this technique:

1. If X(Y) are not truly random, then truly randomness of K is not taken for granted.

2. The strings h of the length n should be generated as truly randomand transmitted over the channel.

3. Security of key distribution system is determined by Shannon’s information leaking to eavesdropper. This criterion is not alwaysconvenient in order to estimate an efficiency of brute force attackagainst the key.

24

2. The use of SE in a key distribution

Y~

K~

mP

( )mP

ωP

Г– is the string (seed) of the length d ( ) ( ) 1~Pr1~Pr ≈=⇒≈= KKYX

Г),,( XSEK = Г),,~(~ YSEK =

Channel of public discussion

S

25

The use of SE in a key distribution (continuation)

( ) εlK/Z;C;ΓI 2≤ [4], where ( )( )dl UUГXSESD ,,,=ε

( ) ( )( ) sAE stnCZXentropy −

∞ −≥−−−≥= 21)1(;HminPr ε ε – is a function of ( )∞H , d and l and depends on a construction of SE (see below). Asymptotic [5]:

( ) SEmHn ∃→≥∀ ∞ 0,, ε with the parameters: ( ) ( ) ( )11log2log Omnd ++−= ε

( ) ( )11log2 Odml −−+= ε

26

The use of FE in a broadcast key distribution [9]

K′=?

noiseless channel

PZK

K K K

ωmω3ω2ω1

PP

Center of broadcasting

E

noisy channels (Pm,Pw)

kH ≥∞

. . .

X2 X2 SE(X2,w)SS(w) w

K

RECSS(X2,w1)

SE(w,X2)

… …

U1 U2 U3 Um

…

27

Broadcast key distribution(continuation)

tiH ≤),( ωωρ , ⇒≥∞ kzH )/(ω ε≤),/,( ZPUKSD

It is obviously that this approach fails if wiretap channel is better than main (legal) channel. However it is still unclearly if it is better or not than the methods considered above as Pm<Pw .

28

Selection of SS parameters),',( tmm :

mWH =∞ )( , '))(|(~

mWSSWH ≥∞ , t≤)',( ωωρ

HsynWSS c ωω == )()( ,where H is check matrix of some (n,n-r) linear code .n is the length of the string ω, r is the number of check symbols .

Interconnect ion of the parameters n, r and t is due to Varshamov -Gilbert bound: r=nH(2t/n); H(x)= − xlogx + (1-x)log(1-x).How to determine the requirement to m′?If the best method of statistical finding ω on SS(ω) is used, then the probability of success after sL 2= trails of ω is

msP ′−= 2 .How to find m for BI ?This is open problem . (Experimental testing with an estimation Н(ω) and then

an estimation of )(ω∞H ).

29

Robust fuzzy extractors (RFE)Definition

This is ordinary FE with the parameters (m, l, t, ε), that in addition provides the probability of undetected substitution P to any PP ≠′ at most δ for any strings ( ',ωω ).

Parameters of RFE: (m, l, t, ε, δ). Interconnection between parameters is determined by the followingassertion[9]: Let n=ω and (m, m-k, t) is SS for Hamming metrix. Then there exists construction [9] of (m, l, t, ε, δ) robust extractor for appropriated choice of v and any m, l, t, ε, δ, if

( ) ( ) ( )1222 2 Of/nlogt/enlogtknml −−−−−≤ ε . However construction of RFE is complex enough and it isquestionably the need in protection against active attack when the keyis generated from BI.

30

Open problems

1. Which of BI is preferentially?2. How can we estimate H∝(ω), where ω is BI?3. How can be established a secure level of H∝(ω/SS (ω)) for SS and ε for FE. 4. Constructive design of SE given its complexity.5. Parameter optimization for SS and FE. 6. Parameter optimization for broadcast key distribution system based on FE technique. 7. Practical implementation of identification systems based on particular types of BI.8. Design of SS and FE for Euclidian metrics on the plane.

31

References1. Zhang D.D. Automated Biometrics. Technologies and Systems. Wiley and

Sons,2002. 2. Dodis Y., Reyzin L., Smith A. Fuzzy Extractors: How to Generate Strong Keys from

Biometrics and Other Noisy Data. Lecture Notes in Computer Science 3027, p. 523-540, Springer-Verlag, 2004.

3. Maurer U., Wolf S. Secret-key agreement over unauthenticated public channels - part III: Privacy amplification. IEEE Transactions on Information Theory, 2003, April, Vol. 49, No. 4, pp. 839 – 851.

4. V. Yakovlev, V. Korzhik, M. Bakaev, “Key Distribution protocols with the use of extractors based on noisy channels under the condition of active eavesdropper” Problems of Information Security (in Russian), N2, 2006, pg. 63-84.

5. Trevisan L. Construction of extractors using pseudo-random generator. Proceedings of the 31 annual ACM symposium on theory of computing, Atlanta, 1999, pp. 141 – 148.

6. Stinson D.R. Universal hashing and authentication codes. LNCS, v. 576. 7. Korjik V., Morales-Luna G. Hybrid authentication based on noisy channels .

International Journal of information security, 2003, vol. 1, No. 4, pp.203 – 210. 8. Hasted J. et. al, Construction of pseudorandom generator from any one-way

function. SIAM J. of Computing, 28(4), 1999, p. 1369 –1396. 9. Dodis Y. et. al, Robust Fuzzy Extractors and Authenticated Key Agreement from Close Secrets. Proc. of EUROCRYPT 2004. 10. Maurer U. Information-theoretically secure secret-key agreement by NOT

authenticated public discussion . Advances in Cryptology – EUROCRYPT 97. Berlin, Germany: Springer-Verlag, 1997, vol. 1233, pp. 209 – 225.

11. V. Yakovlev, V. Korzhik, G. Morales-Luna, “Key Distribution Protocols Based on Noisy Channels in Presence of Active Adversary: Conventional and New Versions with Parameter Optimization”, IEEE Trans. on IT, Special Issue on Information Security. (submitted, 2007)

12. Bernadette Dorizzi and Carmen Garcia-Mateo, “Multimedia Biometrics”, Annals of telecommunications, vol.62,No.1,2, 2007.