Saikrishna Badrinarayanan Visa Research Joint work with Shashank Agrawal Payman Mohassel Pratyay Mukherjee Sikhar Patranabis Western Digital Facebook Visa Research ID: 933337
Slide1
BETA: Biometric Enabled Threshold Authentication
Saikrishna Badrinarayanan (Visa Research)
Joint work with Shashank Agrawal (Western Digital), Payman Mohassel (Facebook), Pratyay Mukherjee (Visa Research), Sikhar Patranabis (Visa Research)
Slide2
Password-based Authentication
Enrollment phase: Enroll password on the server, store salted hash.
Online phase: [Diagram: User, Phone, Server; Password; Match / No Match]
Issues:
Offline dictionary attacks - Large scale real world breaches
Usability concerns: High entropy requirement
Slide3
Biometric Authentication
Enrollment phase: store biometric template on a server.
Online phase: [Diagram: User, Phone, Server; Enter biometric; Measurement; Match / No Match]
Better usability than passwords.
Server side breaches are more damaging.
Slide4
FIDO Alliance and how it works
Enrollment phase: [Diagram: User, Phone, Server; Enter biometric; the Phone stores template and sk; the Server stores pk]
Online phase: [Diagram: User, Phone, Server; Challenge; Enter biometric; measurement; Match / No Match to unlock sk; Signature; Verify signature to authenticate]
Single point of failure.
Need the same device each time.
Slide5
How to store biometric data on the phone?
Secure Hardware: Costly, not easily available, hard to program.
Salted Hash: Biometric matching is "fuzzy". Offline attacks.
Fuzzy Extractors: Requires high-entropy biometric data. Loss in accuracy. Offline dictionary attacks.
Slide6
Our Solution: "Distributed" FIDO
Slide7
Fuzzy Threshold Tokenizer (FTT)
Enrollment phase: [Diagram: User, Phone, Server; Enter biometric; Template w; the Server holds pk]
Secret share template and signing key: (w1, sk1), (w2, sk2), (w3, sk3), ..., (wn, skn)
Can also replace with multiple servers.
Slide8
Fuzzy Threshold Tokenizer (FTT)
Online phase: [Diagram: User, Phone, Server; Enter biometric; Measurement u; devices holding (w2, sk2), (w3, sk3), ..., (wn, skn); Match / No Match; Challenge; Signature; Verify signature to authenticate]
Slide9
Threshold Structure and Communication Pattern
Need to involve only a threshold T number of devices.
The devices don't interact amongst themselves: all communication is via the "initiator".
Initiator need not be the phone or the same device each time.
[Diagram: devices holding (w2, sk2), (w3, sk3), (wT, skT)]
Slide10
Security Goals
Biometric template privacy
Biometric measurement privacy
Unforgeability: Adversary should not be able to generate a valid signature without running the protocol on a valid measurement. At most one signature from each session.
Malicious adversary. Corrupts a set of less than T devices.
Formalized using a simulation-based definition in the UC framework.
Slide11
Biometric Matching
How to compare two biometric measurements?
Match if Dist(X, Y) < t
[Diagram: measurements X and Y; Match / No Match]
Slide12
Our Results
New Primitive for threshold biometric authentication and formal security model with UC security.
Three protocols secure against malicious adversaries with various tradeoffs.
Protocol | Distance Metric | Parties: T | Parties: Corrupt | Based on | Concrete Efficiency
Protocol 1 | Any | Any | Any | 2 Round MPC | Feasibility
Protocol 2 | Any | Any | Any | Threshold FHE | Feasibility
Protocol 3 | Cosine Similarity, Euclidean Distance | 3 | 1 | Paillier encryption | Efficient
Parties N: no bound
Fingerprint, Face recognition
Slide13
Techniques
2 round MPC based protocol
Slide14
If no constraint on communication pattern
Run MPC for the following function:
Reconstruct w from (w1, …, wT) and sk from (sk1, …, skT).
If (u, w) are "close", generate threshold signature on Chall.
[Diagram: initiator holding (w1, sk1, u, Chall); devices holding (w2, sk2), (w3, sk3), (wT, skT)]
Slide15
Emulating 2 round MPC
Let N = T = 3
[Diagram: initiator holding (w1, sk1, u, Chall); devices holding (w2, sk2), (w3, sk3); message labels: "Begin", Forward, Signature, Check signature, Learn Output]
What if
Slide16
Conditional Disclosure
[Diagram: initiator holding (w1, sk1, u, Chall); devices holding (w2, sk2), (w3, sk3), each with PRF keys K2, K3; labels: Encrypt and send; PRF(K2, msg3) and PRF(K3, msg2); Decrypt to learn]
Can be generalized for arbitrary N, T
Slide17
Techniques
3 party 1 corruption protocol
Slide18
Biometric Matching: Cosine Similarity
Match if
[Diagram: Match / No Match]
Typically, n is 256 or 512.
Slide19
Enrollment
[Diagram: devices holding (w1, sk1), (w2, sk2), (w2, sk2); Randomness R (shown twice)]
Slide20
Online phase
[Diagram: initiator holding (w1, sk1, u, Chall); devices holding (w2, sk2, R), (w3, sk3, R)]
Initiator to devices: OT1(w1, u), Chall and OT1(w1, u)
Devices: Garble the following circuit using R:
Reconstruct w from w1, w2
Check if <u, w> > t
If so, output ek
Devices to initiator: GC, OT2(.) and Hash(GC, OT2(.), )
Initiator: Check hash. Recover labels from OT. Evaluate GC.
GC computation expensive
Input consistency for w1?
Slide21
Paillier encryption
[Diagram: initiator holding (w1, sk1, u, Chall); devices holding (w2, sk2, R), (w3, sk3, R)]
Message labels: u, pk; <u, w2>; Hash(.); OT1(ip), Chall; OT1(ip); GC, OT2(.); Hash(GC, OT2(.), )
Initiator: Check hash. Decrypt and add local term <u, w1> to get ip = <u, w>.
Devices: Garble the following circuit:
Reconstruct w from w1, w2
Check if ip > t
If so, output ek
Much more efficient
Slide22
Solving input consistency
[Diagram: initiator holding (w1, sk1, u, Chall); devices holding (w2, sk2, R), (w3, sk3, R)]
Message labels: u, pk; <u, w2>; Hash(.); <u, w1> + NIZK; <u, w>
Initiator: Check hash. Decrypt to get ip = <u, w>.
Slide23
[Diagram: initiator holding (w1, sk1, u, Chall); devices holding (w2, sk2, R), (w3, sk3, R)]
Message labels: OT1(ip), Chall; OT1(ip)
Compute ip = <u, w>: Leakage
Devices return <u, w> + r, so the initiator gets: Compute ip = <u, w> + r
Garble the following circuit:
<u, w> = ip - r
Check if <u, w> > t
If so, output ek
Other issues:
How to ensure that the decrypted value is used in the OT? Additional one-time MACs.
Handle modulus with more checks.
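The Paillier step from the slides above (helper computes on the encrypted measurement and adds the mask r, initiator decrypts and adds its local term <u, w1>, circuit removes r and compares with t), as an added example that is not code from the presentation or its authors. It assumes additive shares w = w1 + w2 mod N, a single helper device, toy primes, and a plain function standing in for the garbled circuit and OT; the hash check, NIZK and one-time MACs are left out, so it models honest parties only.

```python
import secrets

# Toy Mersenne primes so the example runs instantly; real Paillier keys use >= 1024-bit primes.
P, Q = 2**31 - 1, 2**61 - 1
N, N2, PHI = P * Q, (P * Q) ** 2, (P - 1) * (Q - 1)

def enc(m):
    """Paillier encryption under the initiator's pk (generator g = N + 1)."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    """Paillier decryption; only the initiator knows PHI."""
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def share(w):
    """Assumed enrollment: additive shares with w = w1 + w2 (mod N)."""
    w1 = [secrets.randbelow(N) for _ in w]
    return w1, [(x - a) % N for x, a in zip(w, w1)]

def helper_reply(enc_u, w2, r):
    """Helper device: build Enc(<u, w2> + r) from Enc(u) without seeing u."""
    c = enc(r)
    for cj, wj in zip(enc_u, w2):
        c = c * pow(cj, wj, N2) % N2      # Enc(a)^k = Enc(k*a); product adds plaintexts
    return c

def initiator_ip(u, w1, reply):
    """Initiator: decrypt, add local term <u, w1>; result is <u, w> + r (mod N)."""
    return (dec(reply) + sum(a * b for a, b in zip(u, w1))) % N

def circuit(ip, r, t):
    """Stand-in for the garbled circuit: remove r, read as signed, test <u, w> > t."""
    v = (ip - r) % N
    return (v - N if v > N // 2 else v) > t

def authenticate(u, w1, w2, t):
    """One online run; True means the circuit would release ek."""
    enc_u = [enc(x) for x in u]           # initiator -> helper: Enc(u)
    r = secrets.randbelow(N)              # helper's one-time mask
    return circuit(initiator_ip(u, w1, helper_reply(enc_u, w2, r)), r, t)

# Constructed integer feature vectors (real templates have n = 256 or 512 entries).
W = [12, -7, 3, 9]
W1, W2 = share(W)
```

The value the initiator decrypts is uniformly masked by r, which is the point of the "Leakage" fix: the unmasked inner product exists only inside the circuit.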
Slide24
Conclusion and Open Problems
New formal model with UC-secure definition for threshold biometric authentication.
Two feasibility results and one efficient protocol for Cosine Similarity.
Weaker game-based definition and more efficient protocols?
Other distance functions like Hamming distance?
Dynamic system?
Adaptive corruption?
Slide25
Thank you!