Efficient Privacy-Preserving Biometric Identification

Transcription

1 Efficient Privacy-Preserving Biometric Identification Yan Huang Lior Malka David Evans Jonathan Katz Feb 9, 2011

2 Motivating Scenario: Private No-Fly Checking

3 Threat Models Semi-honest adversary Must follow the protocol correctly Malicious adversary Can deviate arbitrarily from the protocol In both threat models, an adversary attempts to break either the correctness or the privacy property of the protocol.

4 Threat Models Semi-honest adversary Must follow the protocol correctly Malicious adversary Can deviate arbitrarily from the protocol In both threat models, an adversary attempts to break either the correctness or the privacy property of the protocol.

5 Filterbank-based Fingerprint Recognition [Jain et al., 2000] Also used by Barni et al. [2010].

6 Non-private Protocol

7 Privacy-preserving Protocol

8 Privacy-preserving Protocol

9 Euclidean Distance Let d i be the distance between v i = [v i,j ] 1 j N and v = [v j ] 1 j N d i = v i v 2 = = N j=1 v 2 i,j }{{} S i,1 + N j=1 N (v i,j v j )2 j=1 ( 2v i,j v j ) + } {{ } S i,2 N j=1 v j 2 }{{} S 3 For privacy, want to compute d i pk.

10 Additive Homomorphic Encryption a pk b pk = a + b mod p pk = a pk b pk a pk c = c a mod p pk = a c pk We used Paillier cryptosystem [Catalano et al., 2001, Paillier, 1999] in our prototype.

11 Additive Homomorphic Encryption a b = a + b mod p = a b a c = c a mod p = a c We used Paillier cryptosystem [Catalano et al., 2001, Paillier, 1999] in our prototype.

12 Private Euclidean Distance d i = N v 2 i,j + j=1 }{{} S i,1 N j=1 ( 2v i,j v j ) + } {{ } S i,2 = S i,1 S i,2 S 3 N j=1 v j 2 }{{} S 3 S i,2 = N j=1 ( 2v i,j v j ) = N j=1 2vi,j v j

13 Improving the Efficiency Modular exponentiation is slow. For every i, computing S i,2 requires N modular exponentiations. Overall, it involves MN modular exponentiations Encode many messages in one homomorphic encryption Packing was introduced by Sadeghi et al. [2009] to save bandwidth, but is exploited more aggressively here to save computation also.

14 Padding 0 s to Ensure Correctness

15 Vertical Partitioning to Speedup Computing S i,2 S i,2 = N j=1 2vi,j v j 2v 1,1 2v 1,2 2v 1,N 2v 2,1. 2v 2,2. 2v 2,N.... 2v κ,1 2v κ,2 2v κ,n

16 Vertical Partitioning to Speedup Computing S i,2 S 1,2 S 2,2 S κ,2 = S i,2 = 1 j N N j=1 2vi,j v j 2v 1,j v j 2v 2,jv j 2v κ,jv j 2v 1,1 2v 1,2 2v 1,N 2v 2,1. 2v 2,2. 2v 2,N.... 2v κ,1 2v κ,2 2v κ,n

17 Vertical Partitioning to Speedup Computing S i,2 S 1,2 S 2,2 S κ,2 = S i,2 = 1 j N N j=1 2v 1,j v j 2v 2,jv j 2v κ,jv j 2vi,j v j 2v 1,j v j 2v 2,jv j 2v κ,jv j = v 2v 1,j 2v 2,j 2v j κ,j 2v 1,1 2v 1,2 2v 1,N 2v 2,1. 2v 2,2. 2v 2,N.... 2v κ,1 2v κ,2 2v κ,n

18 Vertical Partitioning to Speedup Computing S i,2 S 1,2 S 2,2 S κ,2 = S i,2 = 1 j N N j=1 2v 1,j v j 2v 2,jv j 2v κ,jv j 2vi,j v j 2v 1,j v j 2v 2,jv j 2v κ,jv j = v 2v 1,j 2v 2,j 2v j κ,j 2v 1,1 2v 1,2 2v 1,N 2v 2,1. 2v 2,2. 2v 2,N.... 2v κ,1 2v κ,2 2v κ,n

19 Effects of Packing Time Bandwidth

20 Sharing the Secrets The server generates nonce masks r = [r 1, r 2,, r M ] and sends d 1 d M pk = (d 1 + r 1 ) (d 2 + r 2 ) (d M + r M ) pk where pk is the client s public key. Make the sampling range of r i large enough so that d i and d i is statistically indistinguishable.

21 Privacy-preserving Protocol

22 Garbled Circuits Protocol Efficient oblivious transfer protocol combining schemes from both [Naor and Pinkas, 2001] and [Ishai et al., 2003] Standard garbled circuits [Yao, 1986] combined with free-xor technique [Kolesnikov and Schneider, 2008]

23 Finding the Minimum Differnce Goal Given d = d + r and r, securely compute d = min 1 i M (d i, ε).

24 Reducing the Bit-width Saves 2M(l k) non-free gates in total.

25 Privacy-preserving Protocol

26 Finding the Record Ultimate goal is to retrieve the record associated with d Prior work [Kolesnikov et al., 2009] accomplished this by relaying indices throughout the M-to-1 Min circuit We achieve this with a backtracking protocol 1 No need to propagate ID numbers 2 Obtain record without an extra secure information retrieval by ID 3 Use labels obtained in garbled circuit execution

27 The 2-to-1 Min

28 Mini Example The Server

29 Mini Example The Server

30 Selection Wires in the M-to-1 Min Tree

31 Backtracking The Sender n 1, n 2, n 3 are random nonces known only to the sender.

32 Backtracking The Receiver

33 Backtracking The Receiver Client knows λ 0 ε, λ 0 1, λ1 2, λ0 3 from circuit evaluation,

34 Backtracking The Receiver Client knows λ 0 ε, λ 0 1, λ1 2, λ0 3 from circuit evaluation, so is able to infer n 1

35 Backtracking The Receiver Client knows λ 0 ε, λ 0 1, λ1 2, λ0 3 from circuit evaluation, so is able to infer n 1, n 2

36 Backtracking The Receiver Client knows λ 0 ε, λ 0 1, λ1 2, λ0 3 from circuit evaluation, so is able to infer n 1, n 2, and Radu.

37 System Recap

38 Results Online Performance OT Circuit Distance Backtracking 4.6 faster and uses 58% less bandwidth than Barni et al. [2010], even though we compute the global minimum

39 Thank you! Software available for download at:

40 References I Mauro Barni, Tiziano Bianchi, Dario Catalano, Mario Di Raimondo, Ruggero Donida Labati, Pierluigi Faillia, D. Fiore, R. Lazzeretti, V. Piuri, F. Scotti, and A. Piva. Privacy-Preserving Fingercode Authentication. In ACM Multimedia and Security Workshop, Dario Catalano, Rosario Gennaro, Nick Howgrave-Graham, and Phong Nguyen. Paillier s Cryptosystem Revisited. In ACM Conference on Computer and Communications Security, Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending Oblivious Transfers Efficiently. In CRYPTO, Anil Jain, Salil Prabhakar, Lin Hong, and Sharath Pankanti. Filterbank-based Fingerprint Matching. IEEE Transactions on Image Processing, pages , January Vladimir Kolesnikov and Thomas Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. In International Colloquium on Automata, Languages and Programming, Vladimir Kolesnikov, Ahmad-Reza Sadeghi, and Thomas Schneider. Improved Garbled Circuit Building Blocks and Applications to Auctions and Computing Minima. In International Conference on Cryptology and Network Security, Moni Naor and Benny Pinkas. Efficient Oblivious Transfer Protocols. In ACM-SIAM Symposium on Discrete Algorithms, Pascal Paillier. Public-key Cryptosystems based on Composite Degree Residuosity Classes. EUROCRYPT, Ahmad-Reza Sadeghi, Thomas Schneider, and Immo Wehrenberg. Efficient Privacy-Preserving Face Recognition. In International Conference on Information Security and Cryptology, Andrew Yao. How to Generate and Exchange Secrets. In Symposium on Foundations of Computer Science, 1986.