Presentation is loading. Please wait.

Presentation is loading. Please wait.

EXTENDED PRIVATE INFORMATION RETRIEVAL (EPIR) AND ITS APPLICATION IN BIOMETRICS AUTHENTICATIONS AUTHOR: SUMUKHI CHANDRASHEKAR.

Published byMarcus Parrish Modified over 9 years ago

Similar presentations

Presentation on theme: "EXTENDED PRIVATE INFORMATION RETRIEVAL (EPIR) AND ITS APPLICATION IN BIOMETRICS AUTHENTICATIONS AUTHOR: SUMUKHI CHANDRASHEKAR."— Presentation transcript:

1 EXTENDED PRIVATE INFORMATION RETRIEVAL (EPIR) AND ITS APPLICATION IN BIOMETRICS AUTHENTICATIONS AUTHOR: SUMUKHI CHANDRASHEKAR

2 AGENDA Importance of Privacy Live examples: Bank, Location retrieval by defense Thus, Private Information Retrieval (PIR) ‏ Formal definitions and PIR Models Privacy Properties of PIR PIR Approaches An example: Almost optimal PIR An example: Helger Lipmaa’s Protocol Another Generation of PIR EPIR for Biometrics' Authentication Privacy Properties of EIPR EPIR Protocols Testing Equality Hamming Distance Authentication Schemes Using Biometrics The first Scheme: with the use of secure sketches Second Scheme: Iris data Comparison between EPIR Equally and EPIR Hamming distance Conclusions Future Research Questions

3 IMPORTANCE OF PRIVACY: BANK Account Information Credit Card Information

4 LOCATION RETRIEVAL FOR DEFENSE Location1 Location2

5 PRIVATE INFORMATION RETRIEVAL (PIR) FORMAL DEFINITIONS & A MODEL Private information retrieval (PIR) is a general problem of privately retrieving the i th record from an N-record array stored on the server. (Based on: Querying Data Base Privately, Dmitri Asonov,1998) ‏

6 PRIVACY PROPERTIES OF PIR User-Privacy iB query E(Q(i)) ‏ reply E(B(i)) ‏

7 PIR APPROACHES Theoretical Private Information Retrieval - Trivial solutions Hardware – Based Private Information Retrieval, Using a special Hard ware - SC(Secure Co processor) ‏ PIR with Preprocessing and Offline Communication Number Theory Based(Computational) ‏

8 PIR APPROACHES - TRIVIAL

9 HARD WARE BASED PROTOCOL DATABASEDATABASE Reads the entire Data Base, But keeps only R i Secure Co Processor SERVER CLIENT Sends e(Query i, Pk) and Retrieves i

10 EVALUATION SUMMARY FOR HARD WARE BASED & PRE PROCESSOR ParameterProtocolsIdeal Protocol [SS00 - SS01] (S C based) ‏ [BDF00 - SJ00] (Pre Processing) ‏ Communication (online) ‏ Optimal Response TimeO(N) ‏ O(1) ‏ Communication (offline) ‏ NOO(N) ‏ NO Pre ProcessingNOYES

11 AN EXAMPLE FOR PIR: ALMOST OPTIMAL PIR Basic Idea of the Protocol Previous approaches that used SC(Secure Co Processor), O(1) communication complexity but O(N) complexity of Responses The Pre Processing approaches, O(1) response time but O(N) communication complexity Combine the 2 above approaches Steps involved in our Protocol Preprocessing data inside SC Process Query online Protocol for SC and Users

12 BASIC PROTOCOL MODEL USER SERVER The Model is based on the book: Querying Data Base Privately, Asonov

13 STEPS INVOLVED: PREPROCESSING DATA INSIDE SC The Purpose To generate permutation of the data base records (N), transforms DB into DB П, Such that DB [i] = DB П [П[i]] SC keeps the shuffle index as a secrete Server does not know the Index of shuffling

14 THE PROTOCOL Protocol between Server and Client to process the query i E R(?) ‏ INTERNALINTERNAL V1 index

15 PROCESSES QUERY ONLINE Required: DB shuffled & V 1, a copy of the shuffled records and the index of DB shuffled k: The sequence number of the query being processed i: The number of DB record requested Ensured: Answer, R I, the record retrieved without server’s knowledge. 3 steps are involved Read the already accessed records, If found, Return Read all records in the cache of DB shuffled, if found, Return Randomly select records from DB and put into cache

16 AN OBLIVIOUS TRANSFER PROTOCOL AUTHOR: PROF. LIPMAA CIPR l n Protocol, with log-squared communication Length flexible additively homomorphic public key crypto system with additional length parameter involved LFAH is 3 tuple, [Gen, Encrypt, Decrypt] Generator AlgoEncrpt(pk,s,m,r) ‏ decrpt(sk,s,c) ‏

17 OVER VIEW A CPIR n l protocol (Query; Transfer; Recover) ‏ Consider S sized DB as an  dimensional database Index every element of S to S[i] ….. S[  ] Use homomorphic property to create a new DB S 1 With  -1 dimension, such that new S 1 = Encrypt(S) ‏ Recursively perform this procedure until we get S  that is  encryption of S[q]  s >=1: encrypts plaintext of sk bits to a cipher text of (s+1)k bits E s K (m1). E s K (m2) = E s K (m1+m2), Thus also E s+1 K (m1). E s K (m2) = E s +1 K (m1. E s K (m2) )

18 GENERIC IDEA WHEN THE RANGE = 2  11 =  12 =  13 =  14 = E s K (0) E s K (0)  (1,1) ‏  (2,1) ‏  (3,1) ‏  (4,1) ‏  (1,2) ‏  (2,2) ‏  (3,2) ‏  (4,2) ‏  (1,3) ‏  (2,3) ‏  (3,3) ‏  (4,3) ‏  (1,4) ‏  (2,4) ‏  (3,4) ‏  (4,4) ‏ w 11 =  i  1i  (1,i) E s K (  (1,  1 )) ‏ w 12 =  i  1i  (1,i) E s K (  (2,  1 )) w 13 =  i  1i  (1,i) E s K (  (3,  1 )) w 14 =  i  1i  (1,i) E s K (  (4,  1 ))

19 ALGORITHM IN DETAIL Inputs: Alice has query i  [n], Bob has D = (D1,.. Dn) where D j  ZN Alice generates a new public/private key pair (pk, sk) for an additively homomorphic secure public-key cryptosystem E Alice generates her message a Epk (i ; *) and sends A(i) (pk, a) to Bob, He stops if Public is not valid Bob does for every j  {1,..., n}, he Sets bj (a/Epk (j ; 1))* · Epk (Dj ; *) ‏ Bob sends (b1,..., bn) to Alice, Alice decrypts bi and obtains Thus Di = Dsk (bi ) ‏

20 CORRECTNESS AND SECURITY Bob does for every j  {1,..., n} Sets bj (a/Epk (j ; 1))* · Epk (Dj ; *) ‏ Since a = Epk (i ; * ), bj = (Epk (i ; * )/Epk (j ; 1)) · Epk (Dj ; *) ‏ Because E is additively homomorphic, bj = (Epk (i − j ;* ))* · Epk (Dj;*) = (Epk (*· (i − j ); r )) · Epk (Dj;*) ‏ for some r If i = j then bj = Epk (0; r ) · Epk (Dj ; *) = Epk (Dj ; * ) ‏ and thus Dsk (bj ) = Dj Thus Alice obtains Di

21 COMPLEXITY & PROTOCOL ANALYSIS Suitable for sending integers from Zd User sends  (s+(  +1/2)) n 1/  k bits Sk = log (d) => (  log(d)+  (  +1/2)k) n 1/  bits Optimal if  = O(log 2 n)

22 GENERALIZATION OF PIR – EPIR FOR BIOMETRIC DATA Motivation Processing sensitive information such as biometrics. Biometric data can be represented as Strings.

23 FORMAL DEFINITION OF EPIR Generalized concept of PIR The concept of SC Shuffling of Database EIPR protocol enables user to retrieve a block data as a function of (Block of Database, Input) ‏ This is an extension to PIR: with f (Ri, x) = Ri

24 PRIVACY PROPERTIES OF EPIR User Privacy Database Privacy

25 USER PRIVACY – ATTACK GAME Assume, adversary A plays the role of the database, and tries to learn some information from the user. The function f is fixed: Definition First instance of A, generates the database: (R1,R2, · · ·,RN), N records in Database A outputs (i0, i1, x0, x1) : The Part of database & input String The user randomly chooses b in {0, 1} and issues a retrieve-query on input (ib, xb) with A A outputs a guess b1.

26 DATA BASE PRIVACY – ATTACK GAME Assume A plays the role of the user, and tries to distinguish between the execution with an actual database, from the execution with a simulator. The function f is fixed: Definition The challenger, Data Base randomly chooses b in {0, 1}. If b = 0 then A will interact with an actual database. If b = 1 then A will interact with a simulator S that, for a retrieve-query on input (i, x), only knows f (Ri, x). User A generates the database: (R1,R2, · · ·,RN), N record Data Base User A issues retrieve-queries, May query the Data base or the Simulators Then, A outputs a guess b1.

27 SECURE EPIR An EPIR protocol must satisfy User-Privacy: The attacker must have negligible advantages of guessing b1 Database-Privacy: The attacker (User) must have minimum knowledge while guessing b1.

28 EPIR PROTOCOLS Equality : ElGamal Variant Hamming Distance :BGN

29 EQUALITY EPIR PROTOCOL I B Compare information form User U and a Block B from the DB f(R b, i) == 1, if they are equal Else 0.

30 EQUALITY EPIR PROTOCOL Variant of ElGamal: sk = x pk = y = g x ξ (m) = ξ (m, r ) = (g r, y r g m ). User U wants to retrieve the value f (R i,m) ‏ U generates an ElGamal key pair (pk (Public Key), sk (Private Key)) ‏ U first sends pk and c = ξ (i & m) to the DB DB generates a randomized database: Cj = (c/ ξ (j & Rj )) rj = ξ ((i& m − j & Rj ) × rj) ‏ U and DB run a PIR protocol to retrieve Ci : U then decrypts Ci. It decrypts to 0 iff m = Ri.

31 SECURITY OF EPIR EQUALITY User-Privacy: PIR user-privacy + DDH, Therefore, EPIR achieves better user-privacy Database-Privacy: EPIR unconditionally achieves database-privacy.

32 BIOMETRIC APPLICATION FOR EPIR EQUALITY User U has to be authenticated by Server S through Client C and DB is the database which stores the relevant information The two phases in Biometric Authentication Enrollment Registration with DB Enc(ID I, Ri) Registration, ID i (m,m 1, ) ‏

33 Authentication Client C will extract the Biometric template of U C sends ID I to server and X to DB (Encg(g ID i/ b I, pk) ‏ DB generates a Randomized database Server runs PIR to retrieve c I Dec(ci, sk) == 1, then Equal strings and thus accepts the request Biometrics adjusted ID I & (Encg(g ID i/ b I, pk) ‏

34 TO VERIFY IMPERSONATION

35 HAMMING DISTANCE PROTOCOL WITH BGN U wants to compute the Weighted Hamming distance between a string S chosen by itself and a block Ri from DB: Notation: for an l-bit string S, S(k) is the k-th bit of S. Weights: the weight vector is (w1,w2, · · ·,w), where w k are integers (1<=k<=l). Function: f (Ri,S) = ∑ k=1 l1 w k × (R k i (+) S k )

36 BGN BASED HAMMING DISTANCE PROTOCOL U wants to retrieve f (Ri,X): U generates a pk(public key) = (n, G, G1, ê,g, h) and sk=q1 To retrieve f (Ri,X), User has to send (c, ck) to the server where c=g I h r & ck = g X(k) h sk,where 1<=k<=l 1 & 1<=i<=n Once the server receives (c, ck), the server would compute m j,k, where m j,k = ˆ e(g, g) X(k) ⊕ R ( k) j ˆe(h, g) sk (1−2 R ( k)j ) ‏ Compute Cj, where rj, rj are randomly chosen from Zn (Partion the DB) ‏ And, finally U runs PIR to retrieve Ci

37 SECURITY OF EPIR HAMMING DISTANCE User privacy: If the PIR protocol achieves user privacy, the EPIR protocol for computing Hamming distance achieves user privacy based on the subgroup decision assumption. Database privacy: The EPIR protocol for computing Hamming distance achieves database privacy (unconditionally).

38 BIOMETRIC APPLICATION FOR EPIR HAMMING DISTANCE PROTOCOL The server S makes the decision based on the exact matching of the biometric pattern The two phases in Biometric Authentication Enrollment Registration, ID i Registration with DB Enc(ID I,  i k )

39 Authentication Client C extras the biometric pattern,sends c and ck to the DB and sends ID I to the server The DB computes the hamming distance (typically runs EPRI Hamming distance) ‏ S runs EPIR protocol to retrieve Ci and computes d, Such that C q1 i = ˆe(g q1, g) d If d is less than the threshold value, it accepts

40 COMPARISON BETWEEN THE 2 ABOVE BIOMETRICS AUTHENTICATION Hamming distance biometrics is better for the following reasons No need for storing Sketch by Client U (user) need not store any information It works for noisy sketch also

41 FURTHER RESEARCH AREAS Further optimize the on-line computation and communication, and gain a full use of such real- world assumptions, as preprocessing and off-line communication. Similarity Comparison implementation.

42 CONCLUSIONS This Presentation has discussed a new Generalization of PRI and two of its Protocol Types The randomizations of the database are been provided in both protocols in order to achieve Privacy of Information. We also have seen how to construct strong privacy using these protocols on biometrics data

43 REFERENCES 6th International Conference, CANS 2007 Singapore, December 8-10, 2007 Proceedings Dmitri Asonov,Querying Data Bases Privately Atallah, M.J., Frikken, K.B., Goodrich, M.T., Tamassia, R., Secure biometric authentication for weak computational devices. Financial Cryptography, 357–371 (2005) ‏ Ostrovsky, R., Skeith III, W.E.: A survey of single database PIR, Techniques and applications. Cryptology ePrint Archive: Report 2007/059 (2007) ‏

44 THANK YOU Questions?

Download ppt "EXTENDED PRIVATE INFORMATION RETRIEVAL (EPIR) AND ITS APPLICATION IN BIOMETRICS AUTHENTICATIONS AUTHOR: SUMUKHI CHANDRASHEKAR."

Similar presentations

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Private Inference Control

Private Inference Control
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Private Information Retrieval Benny Chor, Oded Goldreich, Eyal Kushilevitz and Madhu Sudan Journal of ACM Vol.45 No6. 1998 Reporter : Chen, Chun-Hua Date.

Private Information Retrieval Benny Chor, Oded Goldreich, Eyal Kushilevitz and Madhu Sudan Journal of ACM Vol.45 No Reporter : Chen, Chun-Hua Date.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’

1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent

Similar presentations

Ads by Google