Ari Juels RSA Laboratories

Marty Wattenberg 328 W. 19th Street,

NYC

A Fuzzy Commitment Scheme

Biometrics

Biometric authentication:Computer Authentication through

Measurement of Biological Characteristics

Fingerprint scanning Iris scanning Voice recognition

Types of biometric authentication

Many others...

Face recognition Body odor

Authenticating...

Enrollment / Registration

Template t

Alice

Enrollment / Registration

AliceServer

Authentication

Server

Authentication

AliceServer

Server verifies against template

?

The Problem...

Template theft

Limited password changes

First password

Second password

Templates represent intrinsic information about you

Alice

Theft of template is theft of identity

Towards a solution

“password”

UNIX protection of passwords

“password” h(“password”)

“Password”

Template protection?

h( )

Fingerprint is variable

Differing angles of presentation Differing amounts of pressure Chapped skin

Don’t have exact key!

We need “fuzzy” commitment

( )

Seems counterintuitive

Cryptographic (hash) function scrambles bits to produce random-looking structure, but

“Fuzziness” or error resistance means high degree of local structure

Error Correcting Codes

Noisy channel

AliceBob

“ Alice, I love… crypto ”s

Error correcting codes

AliceBob

“ 110 ”

g110 111 111 000

Function g adds redundancy

Bob

M

3 bits

C

9 bits

c

Message spaceCodeword space

g

Error correcting codes

AliceBob

“ 111 111 000 ”0 1

101 111 100 111 111 000 f

c

C

Function f corrects errors

Alice f

Alice uses g-1 to retrieve message

9 bits

CM

3 bits

Alice

g-1

cAlice gets original, uncorrupted message

110

Constructing C

Idea: Treat template like message

W

g

C(t) = h(g(t))

What do we get?

“Fuzziness” of error-correcting code Security of hash function-based

commitment

Problems

Davida, Frankel, and Matt (‘97) Results in very large error-correcting

code Do not get good fuzziness Cannot prove security easily Don’t really have access to “message”!

Our (counterintuitive) idea:

Express template as “corrupted” codewordNever use message space!

Express template as “corrupted” codeword

W

t

w

t = w +

t = w +

h(w) Idea: hash most significant part for security

Idea: leave some local information in clearfor “fuzziness”

How we use fuzzy commitment...

Computing fuzzy hash of template t

Choose w at random Compute = t - w Store (h(w), ) as commitment

(h(w),)

Verification of fingerprint t’

Retrieve C(t) = (h(w), ) Try to decommit using t’:

– Compute w’ = f(t’ - )– Is h(w’) = h(w)?

?

Characteristics of

Good fuzziness (say, 17%) Simplicity

Provably strong security – I.e., nothing to steal

Open problems

What do template and error distributions really look like?

What other uses are there for fuzzy commitment?– Graphical passwords

Questions?