EXTENDED PRIVATE INFORMATION RETRIEVAL (EPIR) AND ITS APPLICATION IN BIOMETRICS AUTHENTICATIONS
AUTHOR: SUMUKHI CHANDRASHEKAR



AGENDA
Importance of privacy
Live examples: bank, location retrieval by defense
Thus, Private Information Retrieval (PIR)
Formal definitions and PIR models
Privacy properties of PIR
PIR approaches
An example: almost optimal PIR
An example: Helger Lipmaa's protocol
Another generation of PIR: EPIR for biometric authentication
Privacy properties of EPIR
EPIR protocols: testing equality, Hamming distance
Authentication schemes using biometrics
The first scheme: with the use of secure sketches
Second scheme: iris data
Comparison between EPIR equality and EPIR Hamming distance
Conclusions
Future research
Questions

IMPORTANCE OF PRIVACY: BANK
Account information
Credit card information

LOCATION RETRIEVAL FOR DEFENSE
Location 1
Location 2

PRIVATE INFORMATION RETRIEVAL (PIR): FORMAL DEFINITIONS AND A MODEL
Private information retrieval (PIR) is the general problem of privately retrieving the i-th record from an N-record array stored on a server, i.e. without the server learning which record i was requested.
(Based on: Querying Databases Privately, Dmitri Asonov, 1998)

PRIVACY PROPERTIES OF PIR
User-privacy: the user sends the query E(Q(i)) to the database B and receives the reply E(B(i)); the database learns nothing about i.

PIR APPROACHES
Theoretical private information retrieval: trivial solutions
Hardware-based private information retrieval, using special hardware: an SC (secure coprocessor)
PIR with preprocessing and offline communication
Number-theory based (computational) PIR

PIR APPROACHES - TRIVIAL

HARDWARE BASED PROTOCOL
Client: sends e(Query i, Pk) to the server and retrieves record i.
Server: the secure coprocessor reads the entire database but keeps only R_i.

EVALUATION SUMMARY FOR HARDWARE BASED AND PREPROCESSING PROTOCOLS
Parameter               | Ideal protocol | [SS00 - SS01] (SC based) | [BDF00 - SJ00] (preprocessing)
Communication (online)  | Optimal        |                          |
Response time           |                | O(N)                     | O(1)
Communication (offline) | NO             | NO                       | O(N)
Preprocessing           |                | NO                       | YES

AN EXAMPLE FOR PIR: ALMOST OPTIMAL PIR
Basic idea of the protocol:
Previous approaches that used an SC (secure coprocessor) have O(1) communication complexity but O(N) response time.
The preprocessing approaches have O(1) response time but O(N) communication complexity.
Combine the two approaches above.
Steps involved in the protocol:
Preprocess the data inside the SC
Process queries online
Protocol between the SC and the users

BASIC PROTOCOL MODEL
(Figure: USER and SERVER.) The model is based on the book Querying Databases Privately by Asonov.

STEPS INVOLVED: PREPROCESSING DATA INSIDE THE SC
Purpose: generate a permutation of the N database records, transforming DB into DB_П such that DB[i] = DB_П[П[i]].
The SC keeps the shuffle index П secret.
The server does not know the index of the shuffling.

THE PROTOCOL
Protocol between server and client to process the query i. (Figure: the SC holds the internal shuffled copy V1 and its index.)

PROCESSES QUERY ONLINE
Required: the shuffled DB and V1, a copy of the shuffled records together with the index of the shuffled DB; k, the sequence number of the query being processed; i, the number of the DB record requested.
Ensured: the answer R_i, the record retrieved without the server's knowledge of i.
Three steps are involved:
Read the already accessed records; if found, return.
Read all records in the cache of the shuffled DB; if found, return.
Randomly select records from the DB and put them into the cache.
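A simulation of the SC-based flow on the preceding slides, added here as an example; it is not code from the presentation or from Asonov's book. SecureCoprocessor, UntrustedServer, the cache handling and the sample records are my own assumptions, and the SC is ordinary Python standing in for tamper-resistant hardware. The point it makes is the one the slides rely on: the server only ever sees one never-before-read position of the shuffled copy per query, whether the SC answered from its cache or not, so the access pattern carries no information about i.

```python
import random


class UntrustedServer:
    """Holds only the shuffled copy DB_pi and logs every position the SC reads."""

    def __init__(self, shuffled):
        self.shuffled = shuffled
        self.read_log = []

    def read(self, pos):
        self.read_log.append(pos)
        return self.shuffled[pos]


class SecureCoprocessor:
    """Software stand-in for the tamper-resistant SC (a simulation, not real hardware)."""

    def __init__(self, db, seed=1):
        self.rng = random.Random(seed)   # seeded only so the run is reproducible
        n = len(db)
        # Preprocessing: a secret permutation pi with DB[i] = DB_pi[pi[i]].
        self.pi = list(range(n))
        self.rng.shuffle(self.pi)
        self.inv = {self.pi[i]: i for i in range(n)}  # shuffled position -> original index
        shuffled = [None] * n
        for i, rec in enumerate(db):
            shuffled[self.pi[i]] = rec
        self.server = UntrustedServer(shuffled)  # only DB_pi ever leaves the SC
        self.cache = {}                          # original index -> record already fetched
        self.unread = set(range(n))              # shuffled positions never read yet

    def query(self, i):
        """Answer request i while reading exactly one fresh position of DB_pi."""
        if i in self.cache:
            if not self.unread:   # every record read once: the real protocol reshuffles here
                return self.cache[i]
            # Cache hit: the answer is already known, but a fresh random position is
            # read anyway so that a hit is indistinguishable from a miss for the server.
            pos = self.rng.choice(sorted(self.unread))
        else:
            pos = self.pi[i]
        self.unread.discard(pos)
        self.cache[self.inv[pos]] = self.server.read(pos)
        return self.cache[i]

    def pattern_is_oblivious(self):
        """True when every logged read hit a distinct, never-read position: the server
        saw a sequence of fresh positions that does not depend on the queries."""
        log = self.server.read_log
        return len(log) == len(set(log))


def demo(queries=(3, 1, 3, 0)):
    """Run constructed sample records through the protocol; returns the answers,
    the positions the server observed and the obliviousness check."""
    db = [f"record-{k}" for k in range(6)]   # constructed sample database
    sc = SecureCoprocessor(db, seed=1)
    answers = [sc.query(i) for i in queries]
    return answers, list(sc.server.read_log), sc.pattern_is_oblivious()
```

Calling demo() answers the repeated query for record 3 from the cache while still spending one read on an unread position, which is exactly what makes the second and third entries of the read log indistinguishable to the server.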

AN OBLIVIOUS TRANSFER PROTOCOL, AUTHOR: PROF. LIPMAA
A CPIR_n^l protocol with log-squared communication.
Uses a length-flexible additively homomorphic (LFAH) public-key cryptosystem, which takes an additional length parameter s.
LFAH is a 3-tuple [Gen, Encrypt, Decrypt]: the generator algorithm Gen, Encrypt(pk, s, m, r) and Decrypt(sk, s, c).

OVERVIEW
A CPIR_n^l protocol (Query, Transfer, Recover).
Consider the DB S of size n as an α-dimensional database.
Index every element of S as S[1], …, S[n].
Use the homomorphic property to create a new DB S_1 with α−1 dimensions, such that S_1 = Encrypt(S).
Recursively perform this procedure until we get S_α, which is an encryption of S[q].
For every s ≥ 1: E^s_K encrypts a plaintext of sk bits to a ciphertext of (s+1)k bits.
E^s_K(m1) · E^s_K(m2) = E^s_K(m1 + m2); thus also E^{s+1}_K(m1)^{E^s_K(m2)} = E^{s+1}_K(m1 · E^s_K(m2)), i.e. a level-s ciphertext can be used as a scalar on a level-(s+1) ciphertext.

GENERIC IDEA WHEN THE RANGE = 2
(Figure: a 4×4 grid of database cells cell(r, i), r, i = 1..4; the query's first coordinate is q_1.)
The query vector for the first dimension, b_11, b_12, b_13, b_14, encrypts 0 (E^s_K(0)) in every position except position q_1, which encrypts 1.
For each row r the server computes w_1r = ∏_i b_1i^{cell(r, i)} = E^s_K(cell(r, q_1)), so w_11, w_12, w_13, w_14 are encryptions of column q_1.

ALGORITHM IN DETAIL
Inputs: Alice has the query i ∈ [n]; Bob has D = (D_1, …, D_n) where D_j ∈ Z_N.
Alice generates a new public/private key pair (pk, sk) for an additively homomorphic secure public-key cryptosystem E.
Alice generates her message a ← E_pk(i; *) and sends (pk, a) to Bob; Bob stops if pk is not valid. (* denotes fresh randomness.)
For every j ∈ {1, …, n}, Bob sets b_j ← (a / E_pk(j; 1))^* · E_pk(D_j; *).
Bob sends (b_1, …, b_n) to Alice; Alice decrypts b_i and obtains D_i = D_sk(b_i).

CORRECTNESS AND SECURITY
For every j ∈ {1, …, n}, Bob sets b_j ← (a / E_pk(j; 1))^* · E_pk(D_j; *).
Since a = E_pk(i; *), b_j = (E_pk(i; *) / E_pk(j; 1))^* · E_pk(D_j; *).
Because E is additively homomorphic, b_j = E_pk(i − j; *)^* · E_pk(D_j; *) = E_pk(* · (i − j); r) · E_pk(D_j; *) for some r.
If i = j then b_j = E_pk(0; r) · E_pk(D_j; *) = E_pk(D_j; *), and thus D_sk(b_j) = D_j.
Thus Alice obtains D_i. For j ≠ i the plaintext of b_j is D_j masked by a random multiple of (i − j), which hides D_j whenever i − j is invertible modulo the plaintext modulus.
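The single-dimension step from the two slides above, as an added example that is not code from the presentation or from Lipmaa's paper. It instantiates the additively homomorphic cryptosystem E with Paillier (my choice; the slides only require an additively homomorphic E), uses constructed toy primes that are far too small for real use, and the function names are mine. Ciphertext division is multiplication by the modular inverse, and exponentiation by r_j scales the plaintext, which is what turns every b_j with j ≠ i into a masked value.

```python
import math
import random

# Constructed toy primes: far too small for real use, fixed so the run is reproducible.
P = 1000000007
Q = 1000000009


def keygen():
    """Paillier key pair: pk = (n, g), sk = (n, lambda, mu)."""
    n = P * Q
    lam = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
    g = n + 1
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (n, lam, mu)


def encrypt(pk, m, r=None, rng=random):
    """E_pk(m; r) = g^m * r^n mod n^2.  r=None draws fresh randomness ('*' on the
    slide); r=1 gives the fixed-randomness encryption E_pk(j; 1) that Bob uses."""
    n, g = pk
    n2 = n * n
    while r is None or math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def decrypt(sk, c):
    """D_sk(c) = L(c^lambda mod n^2) * mu mod n with L(u) = (u - 1) / n."""
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def alice_query(pk, i, rng):
    """Alice's message a <- E_pk(i; *)."""
    return encrypt(pk, i, rng=rng)


def bob_answer(pk, a, D, rng):
    """For every j: b_j <- (a / E_pk(j; 1))^{r_j} * E_pk(D_j; *)."""
    n, _ = pk
    n2 = n * n
    answer = []
    for j, dj in enumerate(D, start=1):
        # a / E_pk(j; 1): dividing ciphertexts subtracts plaintexts, giving E_pk(i - j; *).
        diff = a * pow(encrypt(pk, j, r=1), -1, n2) % n2
        rj = rng.randrange(1, n)
        # Raising to r_j scales the plaintext: b_j = E_pk(r_j * (i - j) + D_j; *).
        answer.append(pow(diff, rj, n2) * encrypt(pk, dj, rng=rng) % n2)
    return answer


def alice_recover(sk, b, i):
    """D_i = D_sk(b_i)."""
    return decrypt(sk, b[i - 1])


def run_cpir(D, i, seed=7):
    """Full exchange for a constructed database D and index i (1-based). Also
    decrypts every slot so the masking of the other records can be inspected."""
    rng = random.Random(seed)
    pk, sk = keygen()
    a = alice_query(pk, i, rng)
    b = bob_answer(pk, a, D, rng)
    return alice_recover(sk, b, i), [decrypt(sk, bj) for bj in b]
```

run_cpir([42, 17, 99, 5], 3) returns 99 together with the four decrypted slots; only slot 3 equals the stored record, the others decrypt to r_j(i − j) + D_j mod n, which is never D_j here because n's prime factors are far larger than |i − j|.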

COMPLEXITY AND PROTOCOL ANALYSIS
Suitable for sending integers from Z_d.
The user sends α(s + (α+1)/2) · n^{1/α} · k bits.
With sk = log(d) this is (α · log(d) + α(α+1)/2 · k) · n^{1/α} bits.
Optimal if α = O(log_2 n).

GENERALIZATION OF PIR: EPIR FOR BIOMETRIC DATA
Motivation: processing sensitive information such as biometrics.
Biometric data can be represented as strings.

FORMAL DEFINITION OF EPIR
Generalized concept of PIR
The concept of an SC
Shuffling of the database
An EPIR protocol enables the user to retrieve a block of data as a function f(block of database, input).
This is an extension of PIR: PIR is the special case f(R_i, x) = R_i.

PRIVACY PROPERTIES OF EPIR
User privacy
Database privacy

USER PRIVACY: ATTACK GAME
Assume the adversary A plays the role of the database and tries to learn some information from the user. The function f is fixed.
Definition:
In its first instance, A generates the database (R1, R2, …, RN) of N records.
A outputs (i0, i1, x0, x1): two indices into the database and two input strings.
The user randomly chooses b in {0, 1} and issues a retrieve-query on input (ib, xb) with A.
A outputs a guess b'.

DATABASE PRIVACY: ATTACK GAME
Assume A plays the role of the user and tries to distinguish an execution with the actual database from an execution with a simulator. The function f is fixed.
Definition:
The challenger (the database) randomly chooses b in {0, 1}. If b = 0, A interacts with the actual database. If b = 1, A interacts with a simulator S that, for a retrieve-query on input (i, x), knows only f(Ri, x).
The user A generates the database (R1, R2, …, RN) of N records.
The user A issues retrieve-queries; it may query the database or the simulator.
Then A outputs a guess b'.

SECURE EPIR
An EPIR protocol must satisfy:
User-privacy: the attacker (database) must have only a negligible advantage in guessing b.
Database-privacy: the attacker (user) must have minimum knowledge while guessing b, i.e. it learns nothing beyond f(Ri, x).

EPIR PROTOCOLS
Equality: ElGamal variant
Hamming distance: BGN

EQUALITY EPIR PROTOCOL
Compare the information m from user U with a block R_i from the DB: f(R_i, m) = 1 if they are equal, else 0.

EQUALITY EPIR PROTOCOL
Variant of ElGamal: sk = x, pk = y = g^x, ξ(m) = ξ(m, r) = (g^r, y^r g^m).
User U wants to retrieve the value f(R_i, m).
U generates an ElGamal key pair (pk (public key), sk (private key)).
U first sends pk and c = ξ(i & m) to the DB.
The DB generates a randomized database: C_j = (c / ξ(j & R_j))^{r_j} = ξ((i & m − j & R_j) × r_j).
U and the DB run a PIR protocol to retrieve C_i; U then decrypts C_i. It decrypts to 0 iff m = R_i.

SECURITY OF EPIR EQUALITY
User-privacy: follows from the PIR user-privacy plus DDH; therefore EPIR achieves better user-privacy.
Database-privacy: EPIR achieves database-privacy unconditionally.

BIOMETRIC APPLICATION FOR EPIR EQUALITY
User U has to be authenticated by server S through client C; DB is the database which stores the relevant information.
The two phases in biometric authentication:
Enrollment: registration with the DB, Enc(ID_i, R_i); registration with the server, ID_i (m, m_1, …).

Authentication: client C extracts the biometric template of U.
C sends ID_i to the server and X = Enc_g(g^{ID_i / b_i}, pk) to the DB.
The DB generates a randomized database.
The server runs PIR to retrieve c_i.
If Dec(c_i, sk) == 1 the strings are equal, and the server accepts the request.
(Figure: biometrics adjusted; ID_i and Enc_g(g^{ID_i / b_i}, pk).)

TO VERIFY IMPERSONATION

HAMMING DISTANCE PROTOCOL WITH BGN
U wants to compute the weighted Hamming distance between a string S chosen by itself and a block R_i from the DB.
Notation: for an l-bit string S, S(k) is the k-th bit of S.
Weights: the weight vector is (w_1, w_2, …, w_l), where the w_k are integers (1 ≤ k ≤ l).
Function: f(R_i, S) = Σ_{k=1}^{l} w_k × (R_i(k) ⊕ S(k)).

BGN BASED HAMMING DISTANCE PROTOCOL
U wants to retrieve f(R_i, X).
U generates pk (public key) = (n, G, G_1, ê, g, h) and sk = q_1.
To retrieve f(R_i, X), the user sends (c, c_k) to the server, where c = g^i h^r and c_k = g^{X(k)} h^{s_k}, for 1 ≤ k ≤ l and 1 ≤ i ≤ n.
Once the server receives (c, c_k), it computes m_{j,k} = ê(g, g)^{X(k) ⊕ R_j(k)} · ê(h, g)^{s_k (1 − 2 R_j(k))}.
It then computes C_j, where r_j and r'_j are randomly chosen from Z_n (partition of the DB).
Finally, U runs PIR to retrieve C_i.

SECURITY OF EPIR HAMMING DISTANCE
User privacy: if the PIR protocol achieves user privacy, the EPIR protocol for computing the Hamming distance achieves user privacy based on the subgroup decision assumption.
Database privacy: the EPIR protocol for computing the Hamming distance achieves database privacy unconditionally.

BIOMETRIC APPLICATION FOR EPIR HAMMING DISTANCE PROTOCOL
The server S makes the decision based on the exact matching of the biometric pattern.
The two phases in biometric authentication:
Enrollment: registration with the server, ID_i; registration with the DB, Enc(ID_i, R_i(k)).

Authentication: client C extracts the biometric pattern, sends c and c_k to the DB and sends ID_i to the server.
The DB computes the Hamming distance (i.e. runs the EPIR Hamming distance protocol).
S runs the PIR protocol to retrieve C_i and computes d such that C_i^{q_1} = ê(g^{q_1}, g)^d.
If d is less than the threshold value, it accepts.
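Both EPIR protocols, the ElGamal-variant equality test and the weighted Hamming distance with the threshold decision of the slide above, as one added example; this is my code, not the presentation's or the CANS 2007 paper's. The equality part follows the slide's ξ(m, r) = (g^r, y^r g^m) over a prime-order subgroup of a safe-prime group generated at import time (constructed, toy 63-bit size). For the Hamming distance the slide uses BGN; here exponential ElGamal stands in for it, because the database holds its own bits R_j(k) in the clear and so only needs scalar exponentiation, not the pairing ê; the (1 − 2R_j(k)) factor from the slide's m_{j,k} formula is exactly the XOR-as-linear-map trick used below. The packing of "i & m" as i·IDX + m, the function names and the sample templates are my assumptions, and the PIR fetch of C_i is replaced by an index lookup.

```python
import random

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin with the first twelve primes as bases (exact below 3.3e24)."""
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(start):
    """Smallest safe prime p = 2q + 1 with prime q >= start (constructed toy size)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime(1 << 62)   # ~63-bit group: enough for a demo, far too small for real use
G = 4                        # a square mod P, hence a generator of the order-Q subgroup
IDX = 1 << 32                # "i & m" packed as i * IDX + m (assumes m < IDX and i * IDX + m < Q)


def keygen(rng):
    """ElGamal variant from the slides: sk = x, pk = y = g^x."""
    x = rng.randrange(1, Q)
    return pow(G, x, P), x


def enc(y, m, rng):
    """xi(m, r) = (g^r, y^r g^m): the message sits in the exponent."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), pow(y, r, P) * pow(G, m % Q, P) % P


def ct_mul(c1, c2):          # xi(m1) * xi(m2) = xi(m1 + m2)
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P


def ct_pow(c, k):            # xi(m)^k = xi(k * m); k = -1 is the division on the slide
    return pow(c[0], k % Q, P), pow(c[1], k % Q, P)


def dec_exp(x, c):
    """Returns g^m; m itself is only recoverable when its range is small."""
    return c[1] * pow(c[0], -x, P) % P


def equality_epir(db, i, m, rng=None):
    """Equality EPIR: U learns 1 iff m == R_i; every other C_j is a random encryption."""
    rng = rng or random.Random()
    y, x = keygen(rng)
    c = enc(y, i * IDX + m, rng)                        # U sends pk and xi(i & m)
    # DB: C_j = (c / xi(j & R_j))^{r_j} = xi(r_j * ((i & m) - (j & R_j))), zero only if j == i and R_i == m
    cj = [ct_pow(ct_mul(c, ct_pow(enc(y, j * IDX + rj, rng), -1)), rng.randrange(1, Q))
          for j, rj in enumerate(db, start=1)]
    return dec_exp(x, cj[i - 1]) == 1                   # C_i fetched by PIR (omitted); g^0 == 1


def hamming_epir(db_bits, i, s_bits, weights, rng=None):
    """Weighted-Hamming EPIR. Each query bit S(k) travels encrypted as c_k; the DB knows
    R_j(k) in the clear and uses S(k) XOR R(k) = S(k) * (1 - 2R(k)) + R(k), which is
    linear in the encrypted bit, then adds the weighted terms in the exponent."""
    rng = rng or random.Random()
    y, x = keygen(rng)
    cks = [enc(y, bit, rng) for bit in s_bits]          # c_k = xi(S(k)), 1 <= k <= l
    rows = []
    for rec in db_bits:
        acc = enc(y, 0, rng)                             # fresh randomisation of C_j
        for ck, rbit, w in zip(cks, rec, weights):
            m_k = ct_mul(ct_pow(ck, 1 - 2 * rbit), enc(y, rbit, rng))   # xi(S(k) XOR R_j(k))
            acc = ct_mul(acc, ct_pow(m_k, w))            # xi(sum_k w_k * (S(k) XOR R_j(k)))
        rows.append(acc)
    gd = dec_exp(x, rows[i - 1])                         # C_i via PIR (omitted), decrypted to g^d
    # d <= sum(weights), so a brute-force discrete log recovers it; the slide's final
    # step C_i^{q1} = e(g^{q1}, g)^d is the same small-range search in the BGN setting.
    return next(d for d in range(sum(weights) + 1) if pow(G, d, P) == gd)


def demo(threshold=6):
    """Constructed templates and patterns; returns (equality hit, equality miss,
    weighted distance of a noisy reading, server decision d < threshold)."""
    rng = random.Random(2024)
    templates = [1045, 77, 31337, 4242]                  # enrolled R_1..R_4 as integers
    hit = equality_epir(templates, 3, 31337, rng)
    miss = equality_epir(templates, 3, 31338, rng)
    enrolled = [[1, 0, 1, 1, 0, 0, 1, 0], [0, 1, 1, 0, 1, 0, 0, 1], [1, 1, 1, 1, 0, 0, 0, 0]]
    reading = [0, 1, 0, 0, 0, 0, 0, 1]                   # pattern 2 with bits 3 and 5 flipped
    weights = [1, 1, 2, 1, 3, 1, 1, 1]
    d = hamming_epir(enrolled, 2, reading, weights, rng)
    return hit, miss, d, d < threshold
```

demo() returns (True, False, 5, True): the equality query succeeds only for the exact template, the noisy reading is at weighted distance 2 + 3 = 5 from the enrolled pattern, and the server accepts it under the threshold of 6. Note that the user only ever decrypts the one C_i it retrieved, which is where the database-privacy claim of the slides comes from; in this simulation the other C_j are computed but never handed over.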

COMPARISON BETWEEN THE TWO BIOMETRIC AUTHENTICATION SCHEMES ABOVE
Hamming-distance biometrics is better for the following reasons:
No need for the client to store a sketch.
U (the user) need not store any information.
It also works for a noisy sketch.

FURTHER RESEARCH AREAS
Further optimize the online computation and communication, and make full use of real-world assumptions such as preprocessing and offline communication.
Implementation of similarity comparison.

CONCLUSIONS
This presentation has discussed a new generalization of PIR and two of its protocol types.
Randomization of the database is provided in both protocols in order to achieve privacy of information.
We have also seen how to construct strong privacy using these protocols on biometric data.

REFERENCES
Cryptology and Network Security, 6th International Conference, CANS 2007, Singapore, December 8-10, 2007, Proceedings.
Asonov, D.: Querying Databases Privately.
Atallah, M.J., Frikken, K.B., Goodrich, M.T., Tamassia, R.: Secure biometric authentication for weak computational devices. Financial Cryptography, 357–371 (2005).
Ostrovsky, R., Skeith III, W.E.: A survey of single database PIR: techniques and applications. Cryptology ePrint Archive, Report 2007/059 (2007).

THANK YOU Questions?