Feb 9, 2011 - NDSS Symposium...Vladimir Kolesnikov and Thomas Schneider. Improved Garbled Circuit:...

Efficient Privacy-Preserving Biometric Identification

Yan Huang Lior Malka David Evans Jonathan Katz

http://www.mightbeevil.org/secure-biometrics/

Feb 9, 2011

Motivating Scenario: Private No-Fly Checking

Threat Models

Semi-honest adversaryMust follow the protocol correctly

Malicious adversaryCan deviate arbitrarily from the protocol

In both threat models, an adversary attempts to break either thecorrectness or the privacy property of the protocol.

Threat Models

Semi-honest adversaryMust follow the protocol correctly

Malicious adversaryCan deviate arbitrarily from the protocol

In both threat models, an adversary attempts to break either thecorrectness or the privacy property of the protocol.

Filterbank-based Fingerprint Recognition [Jain et al., 2000]

Also used by Barni et al. [2010].

Non-private Protocol

Privacy-preserving Protocol

Privacy-preserving Protocol

Euclidean Distance

Let di be the distance between vi = [vi,j]1≤j≤N and v′ = [v′j]1≤j≤N

di = ‖vi − v′‖2 =N

∑j=1

(vi,j − v′j)2

=N

∑j=1

v2i,j︸ ︷︷ ︸

Si,1

+N

∑j=1

(−2vi,j · v′j)︸ ︷︷ ︸Si,2

+N

∑j=1

v′j2

︸ ︷︷ ︸S3

For privacy, want to compute JdiKpk.

Additive Homomorphic Encryption

JaKpk

JbKpk

=⇒ Ja + b mod pKpk = JaKpk · JbKpk

JaKpk

c

=⇒ Jc · a mod pKpk = JaKcpk

We used Paillier cryptosystem [Catalano et al., 2001,Paillier, 1999] in our prototype.

Additive Homomorphic Encryption

JaK

pk

JbK

pk

=⇒ Ja + b mod pK

pk

= JaK

pk

· JbK

pk

JaK

pk

c

=⇒ Jc · a mod pK

pk

= JaKc

pk

We used Paillier cryptosystem [Catalano et al., 2001,Paillier, 1999] in our prototype.

Private Euclidean Distance

JdiK =

tN

∑j=1

v2i,j︸ ︷︷ ︸

Si,1

+N

∑j=1

(−2vi,jv′j)︸ ︷︷ ︸Si,2

+N

∑j=1

v′j2

︸ ︷︷ ︸S3

|

= JSi,1K · JSi,2K · JS3K

JSi,2K =

tN

∑j=1

(−2vi,jv′j)

|

=N

∏j=1

q−2vi,j

yv′j

Improving the Efficiency

Modular exponentiation is slow. For every i, computing JSi,2Krequires N modular exponentiations. Overall, it involves MNmodular exponentiationsEncode many messages in one homomorphic encryption

Packing was introduced by Sadeghi et al. [2009] tosave bandwidth, but is exploited more aggressivelyhere to save computation also.

Padding 0’s to Ensure Correctness

Vertical Partitioning to Speedup Computing JSi,2K

JSi,2K =N

∏j=1

q−2vi,j

yv′j

JS1,2‖S2,2‖ · · · ‖Sκ,2K = ∏1≤j≤N

r−2v1,jv′j‖−2v2,jv′j‖ · · · ‖−2vκ,jv′j

z

r−2v1,jv′j‖−2v2,jv′j‖ · · · ‖−2vκ,jv′j

z=

q−2v1,j‖−2v2,j‖ · · · ‖−2vκ,j

yv′j

−2v1,1 −2v1,2 · · · −2v1,N

−2v2,1 −2v2,2 · · · −2v2,N... ... . . . ...

−2vκ,1 −2vκ,2 · · · −2vκ,N

Vertical Partitioning to Speedup Computing JSi,2K

JSi,2K =N

∏j=1

q−2vi,j

yv′j

JS1,2‖S2,2‖ · · · ‖Sκ,2K = ∏1≤j≤N

r−2v1,jv′j‖−2v2,jv′j‖ · · · ‖−2vκ,jv′j

z

r−2v1,jv′j‖−2v2,jv′j‖ · · · ‖−2vκ,jv′j

z=

q−2v1,j‖−2v2,j‖ · · · ‖−2vκ,j

yv′j

−2v1,1 −2v1,2 · · · −2v1,N

−2v2,1 −2v2,2 · · · −2v2,N... ... . . . ...

−2vκ,1 −2vκ,2 · · · −2vκ,N

Vertical Partitioning to Speedup Computing JSi,2K

JSi,2K =N

∏j=1

q−2vi,j

yv′j

JS1,2‖S2,2‖ · · · ‖Sκ,2K = ∏1≤j≤N

r−2v1,jv′j‖−2v2,jv′j‖ · · · ‖−2vκ,jv′j

z

r−2v1,jv′j‖−2v2,jv′j‖ · · · ‖−2vκ,jv′j

z=

q−2v1,j‖−2v2,j‖ · · · ‖−2vκ,j

yv′j

−2v1,1 −2v1,2 · · · −2v1,N

−2v2,1 −2v2,2 · · · −2v2,N... ... . . . ...

−2vκ,1 −2vκ,2 · · · −2vκ,N

Vertical Partitioning to Speedup Computing JSi,2K

JSi,2K =N

∏j=1

q−2vi,j

yv′j

JS1,2‖S2,2‖ · · · ‖Sκ,2K = ∏1≤j≤N

r−2v1,jv′j‖−2v2,jv′j‖ · · · ‖−2vκ,jv′j

z

r−2v1,jv′j‖−2v2,jv′j‖ · · · ‖−2vκ,jv′j

z=

q−2v1,j‖−2v2,j‖ · · · ‖−2vκ,j

yv′j

−2v1,1 −2v1,2 · · · −2v1,N

−2v2,1 −2v2,2 · · · −2v2,N... ... . . . ...

−2vκ,1 −2vκ,2 · · · −2vκ,N

Effects of Packing

15

20

25

30

35

40

45

50

55

60

65Time

Bandwidth

Sharing the Secrets

The server generates nonce masks r = [r1, r2, · · · , rM] and sendsq

d′1‖ · · · ‖d′My

pk = J(d1 + r1)‖(d2 + r2)‖ · · · ‖(dM + rM)Kpk

where pk is the client’s public key.

Make the sampling range of ri large enough so thatd′i and di is statistically indistinguishable.

Privacy-preserving Protocol

Garbled Circuits Protocol

Efficient oblivious transfer protocol combining schemes from both[Naor and Pinkas, 2001] and [Ishai et al., 2003]Standard garbled circuits [Yao, 1986] combined with free-XORtechnique [Kolesnikov and Schneider, 2008]

Finding the Minimum Differnce

GoalGiven d′ = d + r and r, securely compute d∗ = min

1≤i≤M(di, ε).

Reducing the Bit-width

Saves 2M(`− k) non-free gates in total.

Privacy-preserving Protocol

Finding the Record

Ultimate goal is to retrieve the record associated with d∗

Prior work [Kolesnikov et al., 2009] accomplished this by relayingindices throughout the M-to-1 Min circuitWe achieve this with a backtracking protocol

1 No need to propagate ID numbers2 Obtain record without an extra secure information retrieval by ID3 Use labels obtained in garbled circuit execution

The 2-to-1 Min

Mini Example — The Server

Mini Example — The Server

Selection Wires in the M-to-1 Min Tree

Backtracking — The Sender

n1, n2, n3 are random nonces knownonly to the sender.

Backtracking — The Receiver

Backtracking — The Receiver

Client knows λ0ε , λ0

1, λ12, λ0

3 from circuit evaluation,

sois able to infer n1, n2, and Radu.

Backtracking — The Receiver

Client knows λ0ε , λ0

1, λ12, λ0

3 from circuit evaluation, sois able to infer n1

, n2, and Radu.

Backtracking — The Receiver

Client knows λ0ε , λ0

1, λ12, λ0

3 from circuit evaluation, sois able to infer n1, n2

, and Radu.

Backtracking — The Receiver

Client knows λ0ε , λ0

1, λ12, λ0

3 from circuit evaluation, sois able to infer n1, n2, and Radu.

System Recap

Results — Online Performance

0

2

4

6

8

10

12

14

16

18

0

1000

2000

3000

4000

5000

6000

7000

8000

DistanceOT Circuit Backtracking

4.6× faster and uses 58% less bandwidth than Barni et al.[2010], even though we compute the global minimum

Thank you!

Software available for download at:http://www.mightbeevil.org/secure-biometrics/

References IMauro Barni, Tiziano Bianchi, Dario Catalano, Mario Di Raimondo, Ruggero Donida Labati,

Pierluigi Faillia, D. Fiore, R. Lazzeretti, V. Piuri, F. Scotti, and A. Piva. Privacy-PreservingFingercode Authentication. In ACM Multimedia and Security Workshop, 2010.

Dario Catalano, Rosario Gennaro, Nick Howgrave-Graham, and Phong Nguyen. Paillier’sCryptosystem Revisited. In ACM Conference on Computer and Communications Security, 2001.

Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending Oblivious TransfersEfficiently. In CRYPTO, 2003.

Anil Jain, Salil Prabhakar, Lin Hong, and Sharath Pankanti. Filterbank-based FingerprintMatching. IEEE Transactions on Image Processing, pages 846–859, January 2000.

Vladimir Kolesnikov and Thomas Schneider. Improved Garbled Circuit: Free XOR Gates andApplications. In International Colloquium on Automata, Languages and Programming, 2008.

Vladimir Kolesnikov, Ahmad-Reza Sadeghi, and Thomas Schneider. Improved Garbled CircuitBuilding Blocks and Applications to Auctions and Computing Minima. In InternationalConference on Cryptology and Network Security, 2009.

Moni Naor and Benny Pinkas. Efficient Oblivious Transfer Protocols. In ACM-SIAM Symposiumon Discrete Algorithms, 2001.

Pascal Paillier. Public-key Cryptosystems based on Composite Degree Residuosity Classes.EUROCRYPT, 1999.

Ahmad-Reza Sadeghi, Thomas Schneider, and Immo Wehrenberg. Efficient Privacy-PreservingFace Recognition. In International Conference on Information Security and Cryptology, 2009.

Andrew Yao. How to Generate and Exchange Secrets. In Symposium on Foundations of ComputerScience, 1986.