Slides presented at the NDSS Symposium, Feb 9, 2011.

Page 1

Efficient Privacy-Preserving Biometric Identification

Yan Huang, Lior Malka, David Evans, Jonathan Katz

http://www.mightbeevil.org/secure-biometrics/

Feb 9, 2011

Page 2

Motivating Scenario: Private No-Fly Checking

Page 3

Threat Models

Semi-honest adversary: must follow the protocol correctly

Malicious adversary: can deviate arbitrarily from the protocol

In both threat models, an adversary attempts to break either the correctness or the privacy property of the protocol.


Page 5

Filterbank-based Fingerprint Recognition [Jain et al., 2000]

Also used by Barni et al. [2010].

Page 6

Non-private Protocol

Page 7

Privacy-preserving Protocol


Page 9

Euclidean Distance

Let $d_i$ be the distance between $v_i = [v_{i,j}]_{1 \le j \le N}$ and $v' = [v'_j]_{1 \le j \le N}$:

$$
d_i = \|v_i - v'\|^2 = \sum_{j=1}^{N} (v_{i,j} - v'_j)^2
= \underbrace{\sum_{j=1}^{N} v_{i,j}^2}_{S_{i,1}}
+ \underbrace{\sum_{j=1}^{N} (-2 v_{i,j} \cdot v'_j)}_{S_{i,2}}
+ \underbrace{\sum_{j=1}^{N} v_j'^2}_{S_3}
$$

For privacy, we want to compute $[\![d_i]\!]_{pk}$.

Page 10

Additive Homomorphic Encryption

$$
[\![a]\!]_{pk},\ [\![b]\!]_{pk} \;\Longrightarrow\; [\![a + b \bmod p]\!]_{pk} = [\![a]\!]_{pk} \cdot [\![b]\!]_{pk}
$$

$$
[\![a]\!]_{pk},\ c \;\Longrightarrow\; [\![c \cdot a \bmod p]\!]_{pk} = [\![a]\!]_{pk}^{\,c}
$$

We used the Paillier cryptosystem [Catalano et al., 2001; Paillier, 1999] in our prototype.


Page 12

Private Euclidean Distance

$$
[\![d_i]\!] = \Bigl[\!\Bigl[\, \underbrace{\sum_{j=1}^{N} v_{i,j}^2}_{S_{i,1}}
+ \underbrace{\sum_{j=1}^{N} (-2 v_{i,j} v'_j)}_{S_{i,2}}
+ \underbrace{\sum_{j=1}^{N} v_j'^2}_{S_3} \,\Bigr]\!\Bigr]
= [\![S_{i,1}]\!] \cdot [\![S_{i,2}]\!] \cdot [\![S_3]\!]
$$

$$
[\![S_{i,2}]\!] = \Bigl[\!\Bigl[\, \sum_{j=1}^{N} (-2 v_{i,j} v'_j) \,\Bigr]\!\Bigr]
= \prod_{j=1}^{N} [\![-2 v_{i,j}]\!]^{\,v'_j}
$$

Page 13

Improving the Efficiency

Modular exponentiation is slow. For every $i$, computing $[\![S_{i,2}]\!]$ requires $N$ modular exponentiations; overall, the protocol needs $MN$ modular exponentiations. The remedy is to encode many messages in one homomorphic encryption.

Packing was introduced by Sadeghi et al. [2009] to save bandwidth, but is exploited more aggressively here to save computation as well.

Page 14

Padding 0’s to Ensure Correctness

Page 15

Vertical Partitioning to Speed Up Computing $[\![S_{i,2}]\!]$

$$
[\![S_{i,2}]\!] = \prod_{j=1}^{N} [\![-2 v_{i,j}]\!]^{\,v'_j}
$$

$$
[\![S_{1,2} \,\|\, S_{2,2} \,\|\cdots\|\, S_{\kappa,2}]\!]
= \prod_{1 \le j \le N} [\![-2 v_{1,j} v'_j \,\|\, -2 v_{2,j} v'_j \,\|\cdots\|\, -2 v_{\kappa,j} v'_j]\!]
$$

$$
[\![-2 v_{1,j} v'_j \,\|\, -2 v_{2,j} v'_j \,\|\cdots\|\, -2 v_{\kappa,j} v'_j]\!]
= [\![-2 v_{1,j} \,\|\, -2 v_{2,j} \,\|\cdots\|\, -2 v_{\kappa,j}]\!]^{\,v'_j}
$$

Each packed ciphertext encrypts one column of the matrix

$$
\begin{pmatrix}
-2 v_{1,1} & -2 v_{1,2} & \cdots & -2 v_{1,N} \\
-2 v_{2,1} & -2 v_{2,2} & \cdots & -2 v_{2,N} \\
\vdots & \vdots & \ddots & \vdots \\
-2 v_{\kappa,1} & -2 v_{\kappa,2} & \cdots & -2 v_{\kappa,N}
\end{pmatrix}
$$
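The homomorphic identities of slides 9, 10, 12 and 15, exercised end to end in an added example (written for this page; it is not code from the authors' prototype or from the project site). A toy Paillier instance computes ⟦d_i⟧ = ⟦S_{i,1}⟧·⟦S_{i,2}⟧·⟦S_3⟧ record by record over constructed 8-entry feature vectors, then packs κ records vertically so that one exponentiation per column j serves all κ records at once, and checks that both routes decrypt to the plaintext values. The primes, the slot-width rule, and the two's-complement reading of negative slots are this example's own choices; the slides present packing only at the level of the equations above and the example ignores which party performs which step.

```python
import random
from math import gcd

# Constructed toy key: Mersenne primes 2^61-1 and 2^89-1 (far too small for real use;
# fixed so the script is deterministic and fast).  gcd(lambda, N) == 1 holds for them.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)     # lcm(P-1, Q-1)
MU = pow(LAM, -1, N)
_rng = random.Random(2011)                         # seeded only for reproducibility

def encrypt(m):
    """Paillier with g = N+1: c = (1 + m*N) * r^N mod N^2.  Negative m is taken mod N."""
    r = _rng.randrange(1, N)
    while gcd(r, N) != 1:
        r = _rng.randrange(1, N)
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def decrypt(c, signed=False):
    """m = L(c^lambda mod N^2) * mu mod N with L(u) = (u-1)/N; signed maps (N/2, N) to negatives."""
    m = (pow(c, LAM, N2) - 1) // N * MU % N
    return m - N if signed and m > N // 2 else m

def add(c1, c2):          # slide 10: [[a]] * [[b]] = [[a + b]]
    return c1 * c2 % N2

def scale(c, k):          # slide 10: [[a]]^k = [[k * a]]
    return pow(c, k, N2)

def distance_terms(v_i, v_p):
    """S_{i,1}, S_{i,2}, S_3 of slide 9; their sum is ||v_i - v'||^2."""
    return (sum(x * x for x in v_i),
            sum(-2 * x * y for x, y in zip(v_i, v_p)),
            sum(y * y for y in v_p))

def enc_s2(v_i, v_p):
    """Slide 12: [[S_{i,2}]] = prod_j [[-2 v_{i,j}]]^{v'_j}  (N exponentiations per record)."""
    c = 1                                          # 1 is [[0]] with randomiser 1
    for x, y in zip(v_i, v_p):
        c = add(c, scale(encrypt(-2 * x), y))
    return c

def enc_distance(v_i, v_p):
    """Slide 12: [[d_i]] = [[S_{i,1}]] * [[S_{i,2}]] * [[S_3]]."""
    s1, _, s3 = distance_terms(v_i, v_p)
    return add(add(encrypt(s1), enc_s2(v_i, v_p)), encrypt(s3))

def pack(values, slot_bits):
    """Vertical packing: slot i (width slot_bits) holds values[i]; negatives borrow upward."""
    return sum(val << (slot_bits * i) for i, val in enumerate(values))

def unpack(x, kappa, slot_bits):
    """Inverse of pack on a signed integer: read each slot as two's complement, then strip it."""
    base, out = 1 << slot_bits, []
    for _ in range(kappa):
        slot = x % base
        if slot >= base // 2:
            slot -= base
        out.append(slot)
        x = (x - slot) >> slot_bits
    return out

def slot_width(vec_len, entry_bits):
    """Slot wide enough that |S_{i,2}| <= vec_len * 2 * (2^b - 1)^2 never spills into the
    next slot, plus a sign bit: this example's reading of the zero padding of slide 14."""
    return (vec_len * 2 * ((1 << entry_bits) - 1) ** 2).bit_length() + 1

def enc_packed_s2(records, v_p, slot_bits):
    """Slide 15: [[S_{1,2}||...||S_{k,2}]] = prod_j [[-2v_{1,j}||...||-2v_{k,j}]]^{v'_j}.
    One exponentiation per column j now serves all kappa records."""
    c = 1
    for j, y in enumerate(v_p):
        column = [-2 * rec[j] for rec in records]  # column j of the matrix on slide 15
        c = add(c, scale(encrypt(pack(column, slot_bits)), y))
    return c

# Constructed sample data: four 8-entry, 8-bit feature vectors and one probe (not real FingerCodes).
DB = [[12, 200, 33, 7, 90, 150, 41, 66],
      [13, 198, 30, 9, 88, 149, 45, 60],
      [255, 0, 255, 0, 255, 0, 255, 0],
      [100, 100, 100, 100, 100, 100, 100, 100]]
PROBE = [14, 199, 31, 8, 91, 151, 44, 61]

def demo(records=DB, probe=PROBE, entry_bits=8):
    """Returns (plain d_i, decrypted d_i, unpacked S_{i,2}, plain S_{i,2}); the pairs must agree."""
    plain_d = [sum((x - y) ** 2 for x, y in zip(rec, probe)) for rec in records]
    dec_d = [decrypt(enc_distance(rec, probe)) for rec in records]
    s = slot_width(len(probe), entry_bits)
    assert len(records) * s + 1 < N.bit_length(), "packed value would not fit the plaintext space"
    packed = decrypt(enc_packed_s2(records, probe, s), signed=True)
    return plain_d, dec_d, unpack(packed, len(records), s), [distance_terms(r, probe)[1] for r in records]

if __name__ == "__main__":
    print(demo())
```

With κ = 4 records and 8-entry vectors the packed route performs 8 exponentiations instead of 32, which is the MN → MN/κ saving the slides are after; the slot width (21 bits here) is what keeps a negative S_{i,2} from corrupting its neighbour, and the check in `demo` is what the plaintext space of a real-size key would have to satisfy too.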


Page 19

Effects of Packing

[Chart: Time and Bandwidth as packing is applied; only the axis ticks survived extraction.]

Page 20

Sharing the Secrets

The server generates nonce masks $r = [r_1, r_2, \cdots, r_M]$ and sends

$$
[\![d'_1 \,\|\cdots\|\, d'_M]\!]_{pk} = [\![(d_1 + r_1) \,\|\, (d_2 + r_2) \,\|\cdots\|\, (d_M + r_M)]\!]_{pk}
$$

where $pk$ is the client's public key.

Make the sampling range of $r_i$ large enough that $d'_i$ and $d_i$ are statistically indistinguishable.


Page 22

Garbled Circuits Protocol

Efficient oblivious transfer protocol combining schemes from both [Naor and Pinkas, 2001] and [Ishai et al., 2003].

Standard garbled circuits [Yao, 1986] combined with the free-XOR technique [Kolesnikov and Schneider, 2008].

Page 23

Finding the Minimum Difference

Goal: given $d' = d + r$ and $r$, securely compute $d^* = \min_{1 \le i \le M}(d_i, \varepsilon)$.
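The masking step of slide 20 and the circuit's goal from slide 23, in the clear, as an added example (this page's illustration, not the authors' code). It also quantifies the caveat on slide 20: for two candidate distances $d_a, d_b$ it enumerates the distributions of $d_a + r$ and $d_b + r$ and computes their exact statistical distance, which is what "statistically indistinguishable" has to bound. The slide gives no concrete sampling range; masking an $L$-bit distance with $L + \sigma$ random bits to get distance at most $2^{-\sigma}$ is the usual rule and is this example's assumption.

```python
from fractions import Fraction
import secrets

def mask(d_values, mask_bits):
    """Server side of slide 20: d'_i = d_i + r_i with r_i uniform in [0, 2^mask_bits).
    In the protocol the d'_i travel packed inside [[.]]_pk; here they are plain integers."""
    r = [secrets.randbelow(1 << mask_bits) for _ in d_values]
    return [d + ri for d, ri in zip(d_values, r)], r

def unmask(d_prime, r):
    """The circuit's first step, done in the clear here: d_i = d'_i - r_i."""
    return [dp - ri for dp, ri in zip(d_prime, r)]

def min_with_threshold(d_prime, r, eps):
    """Slide 23 in the clear: d* = min_{1<=i<=M}(d_i, eps) from the inputs d' and r."""
    return min(min(unmask(d_prime, r)), eps)

def statistical_distance(d_a, d_b, mask_bits):
    """Exact total-variation distance between the distributions of d_a + r and d_b + r,
    r uniform in [0, 2^mask_bits), by enumerating r (fine for the small toy parameters)."""
    span = 1 << mask_bits
    diff = {}
    for r in range(span):
        diff[d_a + r] = diff.get(d_a + r, 0) + 1
        diff[d_b + r] = diff.get(d_b + r, 0) - 1
    return Fraction(sum(abs(c) for c in diff.values()), 2 * span)

def worst_case_leakage(dist_bits, sigma):
    """Distances below 2^dist_bits masked with dist_bits + sigma random bits: the worst pair
    (0 and 2^dist_bits - 1) is returned together with the 2^-sigma bound it must stay under.
    Assumption of this example: the 2^(L + sigma) sampling rule (the slide names no range)."""
    return (statistical_distance(0, (1 << dist_bits) - 1, dist_bits + sigma),
            Fraction(1, 1 << sigma))

if __name__ == "__main__":
    d_prime, r = mask([46, 19, 245861], 60)        # constructed distances from three records
    print(min_with_threshold(d_prime, r, 30))       # 19: below the threshold
    print(statistical_distance(0, 255, 8))          # mask as wide as the distance: 255/256, nearly certain leak
    print(worst_case_leakage(8, 10))                # ten extra bits: 255/262144 < 1/1024
```

The two `statistical_distance` calls make the caveat concrete: a mask drawn from the same range as the distance leaves $d'_i$ almost fully revealing, while every extra mask bit halves the distinguishing advantage, so a real deployment would pick $\sigma$ at 40 bits or more rather than the 10 used here for enumerability.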

Page 24

Reducing the Bit-width

Saves $2M(\ell - k)$ non-free gates in total.


Page 26

Finding the Record

Ultimate goal is to retrieve the record associated with $d^*$.

Prior work [Kolesnikov et al., 2009] accomplished this by relaying indices throughout the M-to-1 Min circuit. We achieve this with a backtracking protocol:

1. No need to propagate ID numbers
2. Obtain record without an extra secure information retrieval by ID
3. Use labels obtained in garbled circuit execution

Page 27

The 2-to-1 Min

Page 28

Mini Example — The Server


Page 30

Selection Wires in the M-to-1 Min Tree

Page 31

Backtracking — The Sender

$n_1, n_2, n_3$ are random nonces known only to the sender.

Page 32

Backtracking — The Receiver

Page 33

Backtracking — The Receiver

Client knows $\lambda^0_\varepsilon, \lambda^0_1, \lambda^1_2, \lambda^0_3$ from circuit evaluation, so is able to infer $n_1$, $n_2$, and Radu.


Page 37

System Recap

Page 38

Results — Online Performance

[Chart: online time and bandwidth broken down into the Distance, OT, Circuit and Backtracking phases; only the axis ticks survived extraction.]

4.6× faster and uses 58% less bandwidth than Barni et al. [2010], even though we compute the global minimum.

Page 39

Thank you!

Software available for download at: http://www.mightbeevil.org/secure-biometrics/

Page 40

References

Mauro Barni, Tiziano Bianchi, Dario Catalano, Mario Di Raimondo, Ruggero Donida Labati, Pierluigi Failla, D. Fiore, R. Lazzeretti, V. Piuri, F. Scotti, and A. Piva. Privacy-Preserving Fingercode Authentication. In ACM Multimedia and Security Workshop, 2010.

Dario Catalano, Rosario Gennaro, Nick Howgrave-Graham, and Phong Nguyen. Paillier's Cryptosystem Revisited. In ACM Conference on Computer and Communications Security, 2001.

Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending Oblivious Transfers Efficiently. In CRYPTO, 2003.

Anil Jain, Salil Prabhakar, Lin Hong, and Sharath Pankanti. Filterbank-based Fingerprint Matching. IEEE Transactions on Image Processing, pages 846–859, January 2000.

Vladimir Kolesnikov and Thomas Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. In International Colloquium on Automata, Languages and Programming, 2008.

Vladimir Kolesnikov, Ahmad-Reza Sadeghi, and Thomas Schneider. Improved Garbled Circuit Building Blocks and Applications to Auctions and Computing Minima. In International Conference on Cryptology and Network Security, 2009.

Moni Naor and Benny Pinkas. Efficient Oblivious Transfer Protocols. In ACM-SIAM Symposium on Discrete Algorithms, 2001.

Pascal Paillier. Public-key Cryptosystems based on Composite Degree Residuosity Classes. In EUROCRYPT, 1999.

Ahmad-Reza Sadeghi, Thomas Schneider, and Immo Wehrenberg. Efficient Privacy-Preserving Face Recognition. In International Conference on Information Security and Cryptology, 2009.

Andrew Yao. How to Generate and Exchange Secrets. In Symposium on Foundations of Computer Science, 1986.