Today
large amount of biometric data is being collected by all the countries like
USA, UAE, UK, India, etc for the authentication process of their citizens and
foreigners entering their country. Though these data are extremely
efficient in authentication, but it has some problems. The data must be
securely stored without any leakage as this biometric data of a person can be
easily used to replicate him for authentication and thus imposter that person
to perform malicious deeds. So the computation, for authentication, on the
biometric data requires the data to remain private and reveal only the outcome
of the computation.
Feature
Vector:
The
biometric data we are going to work on is collected in the form of a feature
vector X from the iris of a person. Iris code, X is an m-bit string, where each
Xi gives
information about some particular feature.
X = X1 X2 X3 X4 …. Xm
But not
all Xi have correct
data as there is always some amount of noise which gets captured during the
feature extraction from the iris. So we have another vector M(X) of m bits
which says
M(X) =
M(X1)M(X2) M( X3) M( X4) ….M(Xm )
M(Xi)
= 0, Xi is noise and
should not be considered for computation
M(Xi)
= 1, Xi is correctly
captured and should be considered for computation
So we use
only those Xi for
which M(Xi) is 1. Now for authentication we need to match two
biometric data X and Y and check whether they have a threshold amount of
matching or not.
Hamming
Distance:
Definition:
The
hamming distance of two vectors X and Y can be computed as follows:
HD(X, Y)
= (∑mi=1 (Xi ⊕ Yi ))/m
Modification:
But here
since the X and Y vectors have some unreliable bits we skip them by multiplying
the term by both M(Xi) and M(Yi). D(X, Y) is the
distance between the two vectors and M(X, Y) is the number of bits on which the
computation is done. So our HD(X, Y) becomes:
HD(X, Y)
= (∑mi=1 (Xi ⊕ Yi )M(Xi)M(Yi))/(
∑mi=1(M(Xi)M(Yi))
= D(X, Y)/ M(X ,Y)
HD(X, Y) = D(X, Y)/ M(X ,Y) ≤ T
Additive
Homomorphic Encryption:
We need
additive homomorphic encryption for this scheme. In additive homomorphic
scheme, if a1 = Enc(m1)
and a2 = Enc(m2)
then a1.a2 =
Enc(m1+ m2).
Main Protocol:
Y is the feature vector that has been captured previously and stored in the database and X is the feature vector that has been captured to authenticate the person later. When the person comes for authentication, X is presented to the authenticator and he tries to find an Y from his database which has HD(X, Y) ≤ T. If he finds such a Y then the person is authenticated else the authentication fails. Here the authenticator is the server and the person who wants to be authenticated is the client. Client C does not share its Xi value and server S does not share its Yi. Using the protocol, C and S securely compute whether the feature vector X has a threshold matching with any of the Y’s or not. The vector X and Y may be misaligned. So the Y vector is shifted 2c+1 times, for j= -c to c. This can be seen in the protocol. We use
the following computations in our protocol.
Xi ⊕ Yi = (1- Xi)Yi ⊕ (1-Yi)Xi
D(X, Y) =
∑mi=1 ((1-
Xi)Yi ⊕ (1-Yi)Xi )M(Xi)M(Yi)
M(X, Y) = ∑mi=1(M(Xi)M(Yi)
The main
protocol is as follows:
Input: C has biometric X, M(X) and key pair (pk,
sk); S has a database D composed of Y, M(Y ) biometrics.
Output: C learns what records in D resulted in match
with X if any, i.e., it learns a bit as a result of comparison of X with each Y ∈ D.
Protocol:
- For each i = 1, . . ., m, C computes encryptions <ai1, ai2> = <Enc(XiM(Xi)), Enc((1− Xi)M(Xi))> and sends them to S.
- For each i = 1, . . ., m, S computes encryption of M(Xi) by setting ai3 = ai1 · ai2 = Enc(XiM(Xi)) · Enc((1 − Xi)M(Xi)) = Enc(M(Xi)).
- For each record Y in the database, S and C perform the following steps in parallel:
a. For each amount of shift j = −c, . .
., 0, . . ., c, S rotates the bits of Y by the appropriate number of positions
to obtain Yj and
proceeds with all Yj ’s
in parallel.
i. To compute (Xi ⊕ Yji )M(Xi)M(Yji)
= (Xi(1 − Yji ) + (1 − Xi) Yji )M(Xi)M(Yji)
in encrypted form, S computes
bji = a(1− Yji )M(Yji ) i1 · aYji M(Yji)i2
= Enc(XiM(Xi)(1 − Yji )M(Yji) + (1 − Xi)M(Xi) Yji M(Yji)).
bji = a(1− Yji )M(Yji ) i1 · aYji M(Yji)i2
= Enc(XiM(Xi)(1 − Yji )M(Yji) + (1 − Xi)M(Xi) Yji M(Yji)).
ii. S adds the values contained in bji’s
to obtain bj = πm i=1 bji = Enc( ∑m i=1(Xi ⊕ Yji )M(Xi)M(Yji )) = Enc(||(X ⊕ Yj ) ∩ M(X) ∩ M(Y j)||). S then
“lifts up” the result, blinds, and randomizes it as cj = (bj ) 2^ℓ · Enc(r jS ), where r jS
iii. To obtain T(||M(X) ∩ M(Y j)||), S
computes dj i = a M(Yji
) i3 = Enc(M(Xi) · M(Y j i )) and dj = ( πm i=1 dji)T = Enc(T(∑m i=1 M(Xi)M(Y j i ))). S blinds and randomizes the
result as ej = dj · Enc(t j S ), where tj S
iv. C decrypts the received values and
sets r j C = Dec(c j ) and t jC = Dec(e j ).
b. C and S perform 2c + 1 comparisons and
OR of the results of the comparisons using garbled circuit. C enters rjC’s
and tjC’s, S enters − rjS ’s and −tjS ’s, and C learns bit b computed as Vcj=−c ((r j C − rj S ) ?< (t j C − t j S )). To achieve this, S creates the
garbled circuit and sends it to C. C obtains keys corresponding to its inputs
using OT, evaluates the circuit, and S sends to C the key-value mapping for the
output gate.
After the
protocol C learns a bit whether Y was a matching of X or not and then he
conveys the message to S. Since this is a semi honest protocol, C will not
manipulate the output bit to get himself authenticated. So both S and C will
know whether C was authenticated successfully or not. The
Client needs to compute 2m bit encryptions for step 1 in the protocol. These
encryptions are expensive, so they can be done offline. Client only needs to
know the number of 0s and 1s it needed to encrypt.
Optimizations:
1. Let p0 and p1 (q0 and q1) denote the fraction
of 0’s and 1’s in an iris code (resp., its mask), where p0 + p1 = q0 + q1 = 1. Therefore, to have a sufficient
supply of ciphertexts to form tuples <ai1, ai2>, the client
needs to precompute (2q0 +
q1(p1 + ε)
+ q1(p0 +
ε))m = (1 + q0 + 2q1ε)m
encryptions of 0 and (q1(p1 + ε) + q1(p0 + ε))m = q1(1 + 2ε)m
encryptions of 1, where ε is used as a cushion since the number of 0’s and 1’s
in X might not be exactly p0 and
p1, respectively. Then at the time of the protocol the client simply
uses the appropriate ciphertexts to form its transmission. Similarly, the
server can precomputes r jS ’s and tjS ’s for all records. He produce 2(2c +
1)|D| encryptions of different random values of length ⌈log m⌉ + ℓ + κ, where |D| denotes the size of the
database D. The server generates one garbled circuit for each record Y in its
database (for step 3(b) of the protocol) and communicates the circuits to the
client.
2. S computes bji = a(1− Yji )M(Yji ) i1 · aYji M(Yji)i2 during the protocol but the number of modular
multiplications in calculation of bji can be significantly reduced as
follows:
a. Yji = (0 or 1)and M(Yji ) = 0: both M(Yji )(Yji ) and M(Yji ) (1-Yji ) are 0 so bji = Enc(0)
b. Yji = 0 and M(Yji ) = 1: M(Yji )(Yji ) = 0 and M(Yji ) (1-Yji ) =1, and so bji = ai1
c. Yji = 1 and M(Yji ) = 1: M(Yji )(Yji ) = 1 and M(Yji ) (1-Yji ) =0, and so bji = ai2
3. To reduce online communication client
randomly choose 2m bits - u1 u2.. u2m, encrypt it and send it
to the server during the offline phase. So that in the online phase, client
just need to send vi=xi⊕ui = (xi)(1- ui) ⊕ (1-xi)( ui). Then when the protocol
begins, the server sets either Enc(xi) = Enc(ui), if vi =0 or Enc(xi) =
Enc(1 − ui) , if vi =0.
