extended private information retrieval (epir) and its application in biometrics authentications...
TRANSCRIPT
EXTENDED PRIVATE INFORMATION RETRIEVAL (EPIR)AND ITS APPLICATIONIN BIOMETRICS AUTHENTICATIONS
AUTHOR: SUMUKHI CHANDRASHEKAR
AGENDA Importance of Privacy
Live examples: Bank, Location retrieval by defense Thus, Private Information Retrieval (PIR)
Formal definitions and PIR Models Privacy Properties of PIR PIR Approaches
An example: Almost optimal PIR An example: Helger Lipmaa’s Protocol
Another Generation of PIR EPIR for Biometrics' Authentication Privacy Properties of EIPR
EPIR Protocols Testing Equality Hamming Distance
Authentication Schemes Using Biometrics The first Scheme: with the use of secure sketches Second Scheme: Iris data Comparison between EPIR Equally and EPIR Hamming
distance Conclusions Future Research Questions
IMPORTANCE OF PRIVACY: BANK
Account Information
Credit Card Information
LOCATION RETRIEVAL FOR DEFENSE
Location1
Location2
PRIVATE INFORMATION RETRIEVAL (PIR)FORMAL DEFINITIONS & A MODEL
Private information retrieval (PIR) is a general problem of privately retrieving the ith record from an N-record array stored on the server.
(Based on: Querying Data Base Privately, Dmitri Asonov,1998)
PRIVACY PROPERTIES OF PIR
User-Privacy
i B
query E(Q(i))
reply E(B(i))
PIR APPROACHES
Theoretical Private Information Retrieval -Trivial solutions
Hardware – Based Private Information Retrieval,
Using a special Hard ware - SC(Secure Co processor)
PIR with Preprocessing and Offline Communication
Number Theory Based(Computational)
PIR APPROACHES - TRIVIAL
HARD WARE BASED PROTOCOL
DATABASE
Reads the entire Data Base, But keeps only R i
Secure Co Processor
SERVER
CLIENTSends e(Query i, Pk) and Retrieves i
EVALUATION SUMMARY FOR HARD WARE BASED & PRE PROCESSOR
Parameter Protocols Ideal Protocol
[SS00 - SS01] (S C based)
[BDF00 - SJ00] (Pre Processing)
Communication(online)
Optimal Optimal Optimal
Response Time O(N) O(1) O(1)
Communication(offline)
NO O(N) NO
Pre Processing NO YES YES
AN EXAMPLE FOR PIR: ALMOST OPTIMAL PIR
Basic Idea of the Protocol Previous approaches that used SC(Secure Co
Processor), O(1) communication complexity but O(N) complexity of Responses
The Pre Processing approaches, O(1) response time but O(N) communication complexity
Combine the 2 above approachesSteps involved in our Protocol
Preprocessing data inside SC Process Query online Protocol for SC and Users
BASIC PROTOCOL MODEL
USER
SERVER
The Model is based on the book: Querying Data Base Privately, Asonov
STEPS INVOLVED: PREPROCESSING DATA INSIDE SC
The Purpose To generate permutation of the data base
records (N) , transforms DB into DB П , Such that
DB [i] = DB П[П[i]] SC keeps the shuffle index as a secrete Server does not know the Index of shuffling
THE PROTOCOL
Protocol between Server and Client to process the query
i
E R(?)
E R(?)
INTER NAL
V1 index
PROCESSES QUERY ONLINE
Required: DB shuffled & V1 , a copy of the shuffled records and the index of DB shuffled
k: The sequence number of the query being processed
i: The number of DB record requested
Ensured: Answer, R I , the record retrieved without server’s knowledge.
3 steps are involved Read the already accessed records, If found,
Return Read all records in the cache of DB shuffled , if
found, Return Randomly select records from DB and put into
cache
AN OBLIVIOUS TRANSFER PROTOCOLAUTHOR: PROF. LIPMAA
CIPR l n Protocol, with log-squared
communication Length flexible additively homomorphic
public key crypto system with additional length parameter involved
LFAH is 3 tuple , [Gen, Encrypt, Decrypt]
Generator Algo
Encrpt(pk,s,m,r) decrpt(sk,s,c)
OVER VIEW
A CPIRnl protocol (Query; Transfer; Recover)
Consider S sized DB as an dimensional database
Index every element of S to S[i] ….. S[] Use homomorphic property to create a new
DB S1
With -1 dimension, such that new S1 = Encrypt(S)
Recursively perform this procedure until we get S that is encryption of S[q]
s >=1: encrypts plaintext of sk bits to a cipher text of (s+1)k bits
E s K(m1) . E s K (m2) = E s K (m1+m2) , Thus also E s+1 K(m1) . E s K (m2) = E s+1K (m1 . E s K
(m2) )
GENERIC IDEA WHEN THE RANGE = 2
11 = 12 = 13 = 14 =
E s K(0) E s K(0) E s K(0) E s K(0)
(1,1)
(2,1)
(3,1)
(4,1)
(1,2)
(2,2)
(3,2)
(4,2)
(1,3)
(2,3)
(3,3)
(4,3)
(1,4)
(2,4)
(3,4)
(4,4)
w11 = i 1i (1,i) E s K ((1,1 ))
w12 = i 1i (1,i) E s K ((2,1 ))
w13 = i 1i (1,i) E s K ((3,1 ))
w14 = i 1i (1,i) E s K ((4,1 ))
ALGORITHM IN DETAIL
Inputs: Alice has query i [n], Bob has D = (D1, .. Dn) where Dj ZN
Alice generates a new public/private key pair (pk, sk) for an additively homomorphic secure public-key cryptosystem E
Alice generates her message a Epk (i ; *) and sends
A(i) (pk, a) to Bob, He stops if Public is not valid Bob does for every j {1, . . . , n}, he
Sets bj (a/Epk (j ; 1))* · Epk (Dj ; *) Bob sends (b1, . . . , bn) to Alice, Alice decrypts bi
and obtains Thus Di = Dsk (bi )
CORRECTNESS AND SECURITY Bob does for every j{1, . . . , n}
Sets bj (a/Epk (j ; 1))* · Epk (Dj ; *) Since a = Epk (i ; * ),
bj = (Epk (i ; * )/Epk (j ; 1)) · Epk (Dj ; *) Because E is additively homomorphic,bj = (Epk (i − j ;* ))* · Epk (Dj;*) = (Epk (*· (i − j );
r )) · Epk (Dj;*)for some rIf i = j thenbj = Epk (0; r ) · Epk (Dj ; *) = Epk (Dj ; * )and thus Dsk (bj ) = Dj Thus Alice obtains Di
COMPLEXITY & PROTOCOL ANALYSIS
Suitable for sending integers from Zd User sends (s+( +1/2)) n1/ k bits Sk = log (d) => ( log(d)+ ( +1/2)k) n1/
bits Optimal if = O(log2n)
GENERALIZATION OF PIR – EPIR FOR BIOMETRIC DATA
Motivation Processing sensitive information such as
biometrics. Biometric data can be represented as
Strings.
FORMAL DEFINITION OF EPIR
Generalized concept of PIR The concept of SC Shuffling of Database
EIPR protocol enables user to retrieve a block data as a function of (Block of Database, Input)
This is an extension to PIR: with f (Ri , x) = Ri
PRIVACY PROPERTIES OF EPIR
User Privacy Database Privacy
USER PRIVACY – ATTACK GAME
Assume , adversary A plays the role of the database, and tries to learn some information from the user. The function f is fixed:
Definition First instance of A, generates the database:
(R1,R2, · · · ,RN) , N records in Database A outputs (i0, i1, x0, x1) : The Part of
database & input String The user randomly chooses b in {0, 1} and
issues a retrieve-query on input (ib, xb) with A
A outputs a guess b1.
DATA BASE PRIVACY – ATTACK GAME
Assume A plays the role of the user, and tries to distinguish between the execution with an actual database, from the execution with a simulator. The function f is fixed:
Definition The challenger, Data Base randomly chooses b
in {0, 1}.If b = 0 then A will interact with an actual database.If b = 1 then A will interact with a simulator S that,
for a retrieve-query on input (i, x), only knows f (Ri , x).
User A generates the database: (R1,R2, · · · ,RN) , N record Data Base
User A issues retrieve-queries , May query the Data base or the Simulators
Then, A outputs a guess b1.
SECURE EPIR
An EPIR protocol must satisfy User-Privacy: The attacker must have
negligible advantages of guessing b1 Database-Privacy: The attacker (User) must
have minimum knowledge while guessing b1.
EPIR PROTOCOLS
Equality : ElGamal Variant Hamming Distance :BGN
EQUALITY EPIR PROTOCOL
I B
Compare information form User U and a Block B from the DB
f(R b , i) == 1 , if they are equal Else 0.
EQUALITY EPIR PROTOCOL
Variant of ElGamal:sk = x pk = y = gx ξ(m) = ξ(m, r ) = (gr , yrgm). User U wants to retrieve the value f (R i ,m) U generates an ElGamal key pair (pk (Public
Key), sk (Private Key)) U first sends pk and c = ξ(i & m) to the DB DB generates a randomized database:Cj = (c/ ξ(j & Rj )) rj = ξ ((i& m − j & Rj ) × rj) U and DB run a PIR protocol to retrieve Ci : U then decrypts Ci . It decrypts to 0 iff m = Ri
.
SECURITY OF EPIR EQUALITY
User-Privacy: PIR user-privacy + DDH , Therefore, EPIR achieves better user-privacy
Database-Privacy: EPIR unconditionally achieves database-privacy.
BIOMETRIC APPLICATION FOR EPIR EQUALITY
User U has to be authenticated by Server S through Client C and DB is the database which stores the relevant information
The two phases in Biometric AuthenticationEnrollment
Registration with DB Enc(ID I, Ri)
Registration, ID i
(m,m1,)
Authentication
Client C will extract the Biometric template of U C sends ID I to server and X to DB (Encg(g ID i/ b I ,
pk) DB generates a Randomized database Server runs PIR to retrieve c I Dec(ci, sk) == 1, then Equal strings and thus
accepts the request
Biometrics adjusted
ID I & (Encg(g ID i/ b I , pk)
TO VERIFY IMPERSONATION
HAMMING DISTANCE PROTOCOL WITH BGN
U wants to compute the Weighted Hamming distance between a string S chosen by itself and a block Ri from DB:
Notation: for an l-bit string S, S(k) is the k-th bit of S.
Weights: the weight vector is (w1,w2, · · · ,w), where wk are integers (1<=k<=l).
Function:f (Ri ,S) =∑k=1
l1 wk × (Rki (+) Sk)
BGN BASED HAMMING DISTANCE PROTOCOL U wants to retrieve f (Ri ,X): U generates a pk(public key) = (n, G, G1,ê ,g,
h) and sk=q1 To retrieve f (Ri ,X), User has to send (c, ck)
to the server where c=gI hr & ck = gX(k)
hsk ,where 1<=k<=l 1 & 1<=i<=n Once the server receives (c, ck), the server
would compute mj,k , where
mj,k = ˆe(g, g)X(k)⊕R(k)j ˆe(h, g)sk (1−2 R(k)j )
Compute Cj, where rj, rj are randomly chosen from Zn (Partion the DB)
And, finally U runs PIR to retrieve Ci
SECURITY OF EPIR HAMMING DISTANCE
User privacy: If the PIR protocol achieves user privacy, the EPIR protocol for computing Hamming distance achieves user privacy based on the subgroup decision assumption.
Database privacy: The EPIR protocol for computing Hamming distance achieves database privacy (unconditionally).
BIOMETRIC APPLICATION FOR EPIR HAMMING DISTANCE PROTOCOL The server S makes the decision based on
the exact matching of the biometric pattern The two phases in Biometric Authentication
Enrollment
Registration, ID i
Registration with DB Enc(ID I, i k)
Authentication Client C extras the biometric pattern ,sends c
and ck to the DB and sends ID I to the server The DB computes the hamming distance
(typically runs EPRI Hamming distance) S runs EPIR protocol to retrieve Ci and
computes d, Such that Cq1i = ˆe(gq1, g)d
If d is less than the threshold value, it accepts
COMPARISON BETWEEN THE 2 ABOVE BIOMETRICS AUTHENTICATION
Hamming distance biometrics is better for the following reasons No need for storing Sketch by Client U (user) need not store any information It works for noisy sketch also
FURTHER RESEARCH AREAS
Further optimize the on-line computation and communication, and gain a full use of such real-world assumptions, as preprocessing and off-line communication.
Similarity Comparison implementation.
CONCLUSIONS
This Presentation has discussed a new Generalization of PRI and two of its Protocol Types
The randomizations of the database are been provided in both protocols in order to achieve Privacy of Information.
We also have seen how to construct strong privacy using these protocols on biometrics data
REFERENCES
6th International Conference, CANS 2007 Singapore, December 8-10, 2007 Proceedings
Dmitri Asonov ,Querying Data Bases Privately Atallah, M.J., Frikken, K.B., Goodrich, M.T.,
Tamassia, R., Secure biometric authentication for weak computational devices. Financial Cryptography, 357–371 (2005)
Ostrovsky, R., Skeith III, W.E.: A survey of single database PIR, Techniques and applications. Cryptology ePrint Archive: Report 2007/059 (2007)
THANK YOU
Questions?