2016 12th International Conference on Signal-Image Technology & Internet-Based Systems
978-1-5090-5698-9/16 $31.00 © 2016 IEEE, DOI 10.1109/SITIS.2016.31

Biometric/Cryptographic Keys Binding Based on Function Minimization

Daniel Riccio
University of Naples Federico II, Napoli, Italy
[email protected]

Clemente Galdi
University of Naples Federico II, Napoli, Italy
[email protected]

Rita Manzo
Accenture Security, Rome, Italy
[email protected]

Abstract — Traditional cryptosystems are based on the possession of secret keys, which can be stolen or shared with non-legitimate users. Binding the real identity of a system user to what he is, rather than to something he knows or possesses, is instead the main desirable property of biometric systems. Biometric Crypto-Systems (or BCSs) are designed to bind a cryptographic key to a biometric template, to ensure that only a legitimate user can access encrypted data. In this paper, we propose a new biometric cryptosystem that reformulates the binding process as a minimization problem, in such a way that the cryptographic key cannot be derived from the parameters of the objective functions unless the system is provided with a valid biometric template. The idea this method is based on is quite novel and unexplored, and has the advantage of being robust to attacks that commonly break some of the existing approaches. Moreover, unlike most biometric cryptosystems, it does not need any error correction code technique. The paper formally discusses the security of the system by evaluating the probability that an attacker retrieves the correct cryptographic key, while experimental results show the efficiency and effectiveness of the binding process by measuring the system performance in terms of accuracy, computational time and storage requirements.

Keywords - biometric crypto-system, key binding, nonlinear minimization.

I. INTRODUCTION

Trustworthy authentication is a key point in secure applications, which commonly address this issue by implementing password-based protocols for identity proving. Widespread cryptosystems (CSs) are possession-based and exploit secret keys that are long and random. Since keys produced by CSs are difficult to memorize, users generally store them in a password/PIN-protected file or device, thereby increasing the probability that a secret key is stolen by an illegitimate attacker and, in any case, reducing the overall security of the system. Biometric Crypto-Systems (BCSs) directly bind cryptographic keys to biometric templates, which brings substantial benefits in terms of security, as it is objectively more difficult to forge, copy, share or distribute biometric data than a password or key. However, the inherent nature of biometrics makes it impossible to always capture the same digital data. In other words, multiple acquisitions of the same biometric trait from the same subject produce template bitstreams that are close in terms of bit distance, but not identical, thus making it impossible to exploit a biometric bitstream directly as a cryptographic key. Moreover, biometric data do not show a uniform distribution, since biometric templates tend to cluster in specific regions instead of spanning the whole search space randomly. This bias may seriously jeopardize the security of a biometric-based cryptographic key, as a uniform distribution is fundamental against attacks. This topic is quite new in the research community, but it takes on great importance in industry, to ensure that research projects translate into realistic implementations and use cases. The debate between biometricians and cryptographers has led to some interesting bio-crypto primitives: biometric hashing, cancelable biometrics, homomorphic encryption schemes, fuzzy extractors, etc. In most of these applications, the main challenge for a BCS is to implement a binding process between a biometric template bitstream and a cryptographic key that is stable notwithstanding the intrinsic intra-class variability of the biometric templates belonging to the same user. For this purpose, BCSs need to store side information that depends on the specific biometric trait, referred to as helper data; for this reason, BCSs are often called helper-data-based methods. According to how they derive helper data from biometric templates, BCSs can be classified as: i) key-binding systems or ii) key-generation systems. Key-binding systems compute helper data as a combination of the biometric template and the cryptographic key. Furthermore, a retrieval algorithm that exploits the helper data to derive the cryptographic key from different templates of the same user is provided. Key-binding BCSs show the desirable property of generating revocable helper data, as these depend on the cryptographic key and change whenever a new key is generated by the system for the same user. In key-generation systems, the helper data only depend on the biometric templates. Though it may not be mandatory to save helper data, most algorithms store them because they can assist in the reconstruction of the cryptographic key.

One of the first BCSs implementing key-binding, namely Mytec2, was proposed by Soutar et al. [1]. Mytec2 was based on biometric fingerprint templates and exploited correlation algorithms for the binding process; however, it revealed some security breaches. In 1999, Juels and Wattenberg [2] proposed a cryptographic primitive combining encryption techniques and error-correcting codes, which they called the fuzzy commitment scheme (FCS). In [3], Hao et al. applied the FCS to a 2048-bit iris code by adopting Hadamard and Reed-Solomon codes to deal with the intrinsic variation of biometric templates. Bringer et al. [4][5] tried to improve the error correction procedure by introducing Reed-Muller binary codes.
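The intra-class variability discussed above can be made concrete with a toy sketch (the bitstreams below are hypothetical, not taken from the paper): two acquisitions of the same trait yield bitstreams that are close in bit distance yet not identical, which is exactly why a raw biometric bitstream cannot serve as a cryptographic key.

```python
def hamming(b1: str, b2: str) -> int:
    """Bit distance between two equal-length bitstreams."""
    return sum(x != y for x, y in zip(b1, b2))

# Two toy "acquisitions" of the same trait: close, but not identical.
t1 = "1011001110001011"
t2 = "1011001010001111"
assert hamming(t1, t2) == 2        # small intra-class distance, yet t1 != t2
```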

The fuzzy vault became one of the most popular BCSs after it was introduced by Juels and Sudan [6] in 2002. In such a scheme, features extracted from the biometric template are used to lock a cryptographic key by means of a vault V built from fingerprint minutiae points. A very important aspect in fingerprint recognition systems, as well as in fingerprint-based fuzzy vaults, is the pre-alignment of the minutiae points, as demonstrated by the number of works in the literature addressing this problem [7][8]. On the other hand, some applications of the fuzzy vault to biometric data that do not suffer from this problem have been presented, in particular for the iris, as the corresponding bitstreams consist of aligned one-dimensional data. In their method [9], Wu et al. extract a 256-element iris vector that is combined with a Reed-Solomon code. The resulting feature vector is then input to a hashing function that translates it into a cipher key. Even if the fuzzy vault approach is one of the well-accepted techniques for binding biometric and cryptographic keys, Mihailescu et al. presented in [10] an improved version of the brute force attack proposed by Clancy et al. in 2003 [11] for fingerprint fuzzy vaults. This new kind of attack shows that three implementations of the fingerprint vault are susceptible in such a way that mere parameter tuning is not enough to deal with the vulnerability. They also presented an improved fingerprint-based fuzzy vault scheme that is robust to such attacks [12]. Scheirer and Boult in [13] argued that some technologies are considered ready for deployment only because of a lack of published attacks, so they introduced three new classes of attacks against the biometric fuzzy vault and biometric encryption.

The rest of the paper is organized as follows. Section 1 presents an overview of the iris biometric. Iris bitstreams represent the input data to the proposed approach, which is formally described in Section II. The experiments and the obtained results are discussed in Section III, while Section IV draws conclusions and outlines some future work.

I. IRIS BIOMETRIC

The high-level architecture of a biometric system consists of four components: a capture sensor, a feature extractor, a template matcher, and a policy maker. In BCSs, the feature extractor has a key role, since it processes biometric data to build a strong, repeatable bitstream. In order to ensure the success of the key binding process, biometric bitstreams must show two basic properties: high stability (low intra-class variability) and uniform distribution over the feature space. Among the existing biometric traits, the iris represents a good candidate according to studies conducted by John Daugman in [14]. The analysis of iris bitstreams from a representative set of individuals showed that the phase structure of iris patterns is epigenetic; indeed, it arises from random events in the morphogenesis of this tissue. This bestows on the iris both a high discriminant power (even between identical twins) and a uniform distribution of biometric bitstreams over the feature space.

Most commercial iris recognition systems work on images acquired in the near-infrared light spectrum. After having been acquired, the captured image is segmented to locate the iris region, which is limited by two concentric circles, the outer corresponding to the iris/sclera border and the inner to the iris/pupil boundary. Two of the best known systems, by Wildes [15] and by Daugman [14], model iris contours through simple geometric shapes, such as circles or ellipses, but differ in the way they search for such structures within the image, using suitable filters and local operators. The segmented iris region undergoes a normalization process, which aims at transforming it so as to have constant dimensions allowing feature extraction. One of the most used methods for normalization is the Rubber Sheet Model proposed by Daugman [14]. As for feature extraction, wavelet transforms, such as Gabor or Log-Gabor, are widely used in the literature to decompose iris data into components appearing at different resolutions. In his study, Daugman investigated the phase of complex-valued 2D Gabor wavelet coefficients. Two bits of information are derived by quantizing the angle of a phasor to one of the four quadrants; by repeating the process for all wavelet sizes, frequencies, and orientations, a 2,048-bit biometric key is extracted from the iris.

II. THE PROPOSED APPROACH

Biometric bitstreams can be thought of as noisy bit sequences with low intra-class variability (templates extracted from the same subject) and high inter-class variability (templates belonging to different subjects). Small changes in the bit sequences of multiple acquisitions from the same subject prevent biometric bitstreams from being used as cryptographic keys sic et simpliciter. According to where this problem is addressed in the biometric/cryptographic key translation pipeline, two main strategies can be considered:

i) to define a mapping function for biometric key stabilization;
ii) to implement a cryptographic algorithm that is tolerant to small changes of the key.

The first approach is more convenient, as it operates on the biometric key directly, which can then be used as a cryptographic key regardless of the encryption/decryption algorithm. Designing such a binding strategy entails the requirement that the cryptographic key must be hidden from everyone but its real owner. Indeed, in symmetric schemes the cryptographic key represents a quite sensitive datum in itself.

A. Binding Biometric/Cryptographic Keys based on a Nonlinear Minimization Problem

In this paper, we reformulate the binding process as an unconstrained nonlinear minimization problem, where the cryptographic key is split into several components, each of them related to one of the local minima of an objective function. The minimization procedure takes two input parameters: the objective function to be minimized and the point in the search space from which the optimization has to start. Starting from a given point, the minimization procedure iteratively converges to the closest

local minimum. Our goal is to identify a family of objective functions having an infinite number of local minima, so that the minimization procedure converges to a specific local minimum only if its distance from the starting point is lower than a fixed threshold. It is clearly apparent that properly designing the objective function is the key point of the proposed approach. In particular, we identified three essential requirements an objective function must satisfy to fit our purpose:

1. high regularity – the local minimum related to a cryptographic key component is not discernible from all the other minima;
2. low complexity – a small number of parameters is needed to control the shape of the objective function;
3. numerical stability – small fluctuations in the initial data do not cause a large deviation of the final answer from the desired local minimum.

Multiple biometric bitstreams captured from the same subject concentrate in a cloud of points in the search space (low intra-class variability), while clouds of points corresponding to different subjects present a small (or often null) intersection (high inter-class variability). Thus, the idea underlying the proposed approach consists in linking a biometric bitstream, or part of it, to one of the local minima of the objective function. The original biometric bitstream is split into several parts and an equal number of objective functions is defined, each of them having one of its local minima in correspondence with the related part of the bitstream. In this way, the minimization procedure converges to this local minimum only if the starting point is sufficiently close to the original biometric data. In other words, the desired local minimum can be found only if the biometric data of a genuine user is input as the starting point to the minimization procedure; otherwise, the minimization process converges to a different local minimum. Because of the high regularity property, an attacker is not able to find the specific local minimum, as it is not discernible from all the remaining local minima of the objective function.

B. The Binding Process

A biometric bitstream B consists of a finite sequence of m bits B = b(m-1)b(m-2)…b0, where m = |B| represents the length of the bitstream. Let p be an integer number. For ease of presentation, let us assume that m is a multiple of p. We can partition the overall bitstream B into q subsequences Bi, where q = ⌊m/p⌋ and q ∈ ℕ, so that B = B(q-1)B(q-2)…B0. Each subsequence Bi can be interpreted as an integer value ai ∈ ℕ indicated as a biometric item (or bio-item, for short), while the set of bio-items {a1, a2, …, aq} is referred to as the biometric key. If m is not a multiple of p, the last m − p·q bits of the bitstream are just discarded. The subsequence partitioning scheme can be applied to cryptographic keys in a similar way. In other words, a cryptographic key K consists of a finite sequence of l bits K = c(l-1)c(l-2)…c0, where l = |K| represents the length of the key. Let s be an integer number; we can partition the key K into t subsequences Kj, where t = ⌈l/s⌉ and t ∈ ℕ, so that K = K(t-1)K(t-2)…K0. Each subsequence Kj can be interpreted as an integer value kj ∈ [0, 2^s − 1] referred to as a cryptographic item (or crypto-item, for short). In this case, if l is not a multiple of s, the last crypto-item is padded with s·t − l random bits. Our goal is to define a set of q objective functions f(x), so that for each of them the following properties hold:

1. at least one local minimum x_min exists, for which the objective function assumes a finite value, that is f(x_min) = y_min, with y_min ∈ ℝ;
2. the neighborhood U of the local minimum x_min, inside which the function converges to x_min, must be easy to control.

It is clear that q ≥ t is a strict requirement. Indeed, our goal consists in binding each crypto-item to at least one bio-item. In the case that the number of bio-items is strictly greater than that of cryptographic ones (q > t), a selection criterion is needed to extract a subset of t bio-items to be related to the crypto-items. Since the bio-items ai are affected by some variability, it is not wise to implement selection criteria on them directly. Thus, it is expedient to rely on the corresponding local minima yi calculated by the corresponding objective functions f(x), as they are more stable. In particular, the median value m_y among the q local minima yi is calculated. The bio-items are then sorted according to their distance from the median, calculated as |yi − m_y|, and the first t bio-items are extracted from the resulting sorted list. These bio-items are referred to as anchors. On the other hand, if only a small subset of bio-items partakes in representing the crypto-items, the robustness of the binding may decrease, as only a limited part of the biometric key is considered. To cope with this problem, the average value M_y of the q local minima is computed, and the anchors Yi are assigned the value yi·M_y. Each crypto-item is then represented as ki = wi·Yi, where wi ∈ ℝ is a multiplicative coefficient.

C. The Objective Function

The objective function plays a key role in the binding process and selecting the right one is a non-trivial task, as it must meet all the requirements defined in Sections A and B. In this paper, we considered fluctuating exponential functions, defined as:

g(x) = (−c)^x,    (1)

where c > 0. It is worth noting that this function is defined in ℂ and is multivalued, so it is not a continuous real-valued function of a real variable. Indeed, it consists of a pair of curves, the real and the imaginary one. Thus, we limit the target set of the objective function to ℝ by only considering the real part. This provides us with a continuous and differentiable real function. The objective function is defined as:

f(x) = −Re[(−c)^((x−h)/δ)],  with h = a + 2δε,    (2)

where c is a constant, a represents a bio-item, δ is the parameter controlling the neighborhood in which f converges to the given local minimum, and ε is a random value in ℕ.
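As a numerical illustration of Eq. (2), the sketch below evaluates the principal branch of the complex power and runs a naive downhill walk in place of a real nonlinear minimizer. The constant c = 1.1 matches the pseudo-code given later; the values of a, δ and the step size are arbitrary choices for illustration, and ε is omitted here since adding 2δε only shifts the start by whole periods and leaves the set of minima unchanged.

```python
import cmath

def f(x: float, a: float, delta: float, c: float = 1.1) -> float:
    """Objective of Eq. (2) with epsilon = 0: f(x) = -Re[(-c)**((x - a)/delta)].
    On the principal branch (-c)**t = c**t * (cos(pi*t) + i*sin(pi*t)), so f
    has local minima near even integer values of t = (x - a)/delta."""
    t = (x - a) / delta
    return -(cmath.exp(t * cmath.log(complex(-c)))).real

def local_descent(x0: float, a: float, delta: float, step: float = 0.01) -> float:
    """Naive stand-in for a minimizer: walk downhill on a grid until the
    current point beats both neighbours."""
    x = x0
    while True:
        fl, fc, fr = f(x - step, a, delta), f(x, a, delta), f(x + step, a, delta)
        if fc <= fl and fc <= fr:
            return x
        x = x - step if fl < fr else x + step

a, delta = 120.0, 5.0
assert abs(f(a, a, delta) + 1.0) < 1e-12   # f(a) = -1: a minimum sits at the bio-item
near = local_descent(a + 2.0, a, delta)    # start within delta of a ...
assert abs(near - a) < 0.1                 # ... descent lands at the right minimum
far = local_descent(a + 7.0, a, delta)     # start farther than delta away ...
assert far > a + 5                         # ... descent lands in a different minimum
```

This mirrors the convergence behaviour described above: starting points closer than δ to the bio-item reach its minimum, farther ones are captured by a neighbouring minimum.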

The helper data produced by the binding algorithm consist of a sequence of couples HD = {hi = (ai + 2δεi), wj}, with i = 1, 2, …, q and j = 1, 2, …, t. An example of three different objective functions is provided in Fig. 1.

Figure 1. Three examples of fluctuating exponential objective functions.

All the functions shown in Fig. 1 present the same local minima, even though they are characterized by different values of hi. In particular, assuming that the range of the bio-items ai is limited to [0, A] ⊂ ℕ, the objective function shows at least n_min = ⌊A/(4δ)⌋ local minima in that range. It is worth noting that the magnitude of the local minima of f(x) increases proportionally to the value of x, which could make some of them dominant w.r.t. the others. Since the binding process strongly relies on the values of the local minima, we must prevent this case. Thus, the value of each local minimum is normalized to yi = |yi|·10^(−⌊log10(|yi|)⌋). According to its definition, the function f converges to the local minimum ai with value yi for starting values x such that |x − ai| < δ. Thus, the whole binding process succeeds only if all the objective functions converge to the correct local minimum. This is a strong requirement, since it means that the Chebyshev distance between pairs of biometric keys captured from the same subject must be lower than δ. On the other hand, for two biometric keys captured from different subjects, there must exist at least one pair of homologous bio-items with distance larger than δ.

D. Robustness to the Brute Force Attack and the Correlation Attack

The parameter εi plays an important role. Indeed, just considering (ai + 2δ) as helper data would allow a potential attacker to derive the bio-item ai knowing the value of δ. Summing ai with a random value 2δεi (with εi > 1) prevents this possibility; we excluded the case εi = 1, as it is equivalent to (ai + 2δ). In this way, the property of f to converge to the same local minimum for multiple instances of the i-th bio-item (acquired from the same subject) is preserved, but a potential attacker is not able to derive the real value of ai from the information provided by hi alone.

As previously explained, assuming that the range of the bio-items ai is limited to [0, A] ⊂ ℕ, the objective function shows at least n_min = ⌊A/(4δ)⌋ local minima in that range, but only one of them is the one adopted to generate the corresponding hi. It follows that, given a biometric key that has been split into q bio-items, there are exactly q objective functions, each of them having at least n_min local minima in the range [0, A]. A potential attacker must derive all the bio-items ai to compute the corresponding yi, which are required to select the subset of t bio-items that have been really bound to the corresponding crypto-items. This means that the attacker must guess the correct local minimum for all q objective functions by checking all possible combinations, which leads to (n_min)^q trials. Since n_min depends on δ, which in turn depends on the intrinsic noise of the biometric data, we can consider this parameter fixed once and for all. Thus, it becomes clear that the complexity of the problem is strictly related to the length of the biometric key, which determines the value of q.

A different way of exploiting helper data to derive the cryptographic key is represented by the correlation attack [10]. In this case, the attacker tries to compute either genuine bio-items or crypto-items by investigating the correlation among helper data generated by the binding process when applied to multiple instances of the same biometric key. Thus, let us suppose the attacker accesses at least two genuine instances of the helper data HD1 = {[h11,…,h1q], [w11,…,w1t]} and HD2 = {[h21,…,h2q], [w21,…,w2t]}. Since the same crypto-item is hidden in two different couples (w1i·y1i) and (w2j·y2j), the attacker would just have to search for those pairs verifying the test (w1i·y1i) = (w2j·y2j) to argue which are the real local minima of interest and derive the corresponding bio-items. However, this is not feasible for two reasons:

a) in both HD1 and HD2, the attacker is not aware of which are the t out of q local minima that are related to the w coefficients (checking all combinations would be prohibitive even for reasonable values of t and q);
b) even if the attacker checked a correct pair {(w1i·y1i), (w2j·y2j)}, the test (w1i·y1i) = (w2j·y2j) would not be verified, as the t anchors in HD1 and HD2 have been made dependent on the values of all local minima.

III. THE EXPERIMENTAL SETUP

The proposed approach has been tested on iris bitstreams extracted from eye images acquired in the near-infrared light spectrum. The techniques adopted for iris detection and feature extraction come from the literature and are shortly summarized in the following sections, while a little more attention is paid to the mapping function we designed to generate integer bio-items from bitstream subsequences. Moreover, in all the experiments, cryptographic keys have been simulated by generating random bit sequences of different lengths.

The eye images come from the CASIA Iris Image Database Version 2.0 (CASIA-IrisV2) [16] (portions of the research in this paper use the CASIA-IrisV2 collected by the Chinese Academy of Sciences' Institute of Automation, CASIA). This dataset is composed of two subsets, captured with two different devices, the Irispass-h and the CASIA-IrisCamV2. The near-infrared eye images have a resolution of 640×480 pixels and were acquired indoors from 60 subjects (20 pictures for each subject) during a single session. We selected a subset of 120 eye images consisting of the first two images of each subject. Thus, in the experiments, the former is considered as the gallery sample, that is, the one used to bind the cryptographic key, while the latter is used as the probe sample, in order to reconstruct the cryptographic key.
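Looping back to the helper-data construction of Section II.D, a small sketch shows why hi alone does not reveal the bio-item: every candidate of the form h − 2δε' inside the bio-item range is equally plausible to an attacker. The concrete values of a, δ and the ε range below are illustrative only; the paper does not fix them.

```python
import random

def make_helper(a: int, delta: int, eps_max: int = 50) -> int:
    """h_i = a_i + 2*delta*eps_i with a random eps_i > 1 (Section II.D)."""
    return a + 2 * delta * random.randint(2, eps_max)

random.seed(7)                      # illustrative values only
delta, a = 5, 117
h = make_helper(a, delta)
# An attacker knowing h and delta sees every a' = h - 2*delta*eps'
# (eps' = 2, 3, ...) inside the bio-item range [0, 240] as a candidate:
candidates = [h - 2 * delta * e for e in range(2, 70)
              if 0 <= h - 2 * delta * e <= 240]
assert a in candidates              # the genuine bio-item hides among them
assert len(candidates) > 10         # many indistinguishable alternatives
```

Note that since h ≡ a (mod 2δ), the objective function built from h still has a local minimum exactly at a, so a genuine (close) starting point recovers the right minimum even though h itself hides a.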

The iris region is detected by means of the ISIS algorithm [17], and is normalized to a standard resolution of 64×240 by applying the rubber sheet model proposed by Daugman in [14] and implemented in [18]. The resulting rectangular image undergoes a grey-level normalization process consisting of Gaussian filtering with a kernel size of 7×7 before being input to a 1D Log-Gabor filter. The output of this filter is then encoded by quantizing the phase information to four levels, so obtaining an iris bitstream of 30720 bits. According to the partitioning scheme reported in Section II.B, a mapping function is defined to transform the iris bitstream into a set of bio-items. We fix the length of the bio-key to 128 bio-items, to be able to experiment with cryptographic keys of different lengths while still guaranteeing a high robustness of the binding process. This induces a partitioning of the bitstream into 128 subsequences of 240 bits, which cannot be transformed into integer values by a mere binary-to-decimal conversion, because the value of the bio-items would be heavily affected by noise. Thus, we argued that a preferable way to convert a bit subsequence into a bio-item is to count the number of 1s it contains, which provides values in the range [0, 240]. Finally, the minimum (min_a), maximum (max_a) and average (μ_a) over all bio-items are computed, and their values are normalized as ai = μ_a·(ai − min_a)/(max_a − min_a).

In our experiments, we tested several aspects of the proposed approach, so we present here the measures adopted to quantitatively assess its performance. The accuracy of the binding process in separating genuine and impostor requests is measured in terms of standard indices, such as the Genuine Acceptance Rate (GAR), False Acceptance Rate (FAR), Genuine Rejection Rate (GRR) and False Rejection Rate (FRR). In our tests, GAR represents the percentage of cases where the cryptographic key K is correctly reconstructed by submitting the biometric key of a genuine user, while FAR measures the probability that the biometric key of an impostor allows reconstructing K. Moreover, in all the reconstruction attempts from the biometric data of an impostor, we also measure the Wrongly Decoded bit Rate (WDR) between the original cryptographic key K and the reconstructed one K'. The WDR index is calculated as HD(K, K')/|K|, where HD here stands for the Hamming distance. We also take into account secondary aspects, like the computational cost and the size of the helper data, which are measured in seconds and bytes, respectively. For ease of reading, we also report the pseudo-code of the binding algorithm and of the cryptographic key reconstruction given a biometric key and the helper data.

[HD] = BindBioCryptoKeys(B, K, δ)
1  [a1,…,aq] ← GetBioItems(B)
2  [k1,…,kt] ← GetCryptoItems(K)
3  For i = 1 to q
4    εi ← random number in ℕ
5    hi ← ai + 2δεi
6    yi ← −real[(−1.1)^((ai−hi)/δ)]
7    yi ← |yi|·10^(−⌊log10(|yi|)⌋)
8  End
9  My ← avg(yi)
10 my ← median([y1,…,yq])
11 L ← sort([y1,…,yq] w.r.t. |yi−my|)
12 Lt ← truncate(L, q−t)
13 Yi ← yi·My, for each yi in Lt
14 wi ← ki/Yi
15 HD ← {[h1,…,hq],[w1,…,wt]}

[K] = ReconstructCryptoKeys(B, HD, δ)
1  [a1,…,aq] ← GetBioItems(B)
2  [h1,…,hq, w1,…,wt] ← ParseHelperData(HD)
3  For i = 1 to q
4    f(x) ← −real[(−1.1)^((x−hi)/δ)]
5    yi ← NonLinearMinimization(f(x), ai)
6    yi ← |yi|·10^(−⌊log10(|yi|)⌋)
7  End
8  My ← avg(yi)
9  my ← median([y1,…,yq])
10 L ← sort([y1,…,yq] w.r.t. |yi−my|)
11 Lt ← truncate(L, q−t)
12 For i = 1 to t
13   If yi in Lt
14     Yi ← yi·My
15     ki ← wi·Yi
16   End
17 End

A. The Experiments

Tests have been conducted on an Intel Core i5 2.80 GHz with 8 GB RAM, running a Windows 7 64-bit operating system. In the first experiment, we assessed the performance of the objective function defined in Equation (2) with respect to its convergence stability when the bio-items are affected by a certain amount of random noise ηi ∈ [1,50] ⊂ ℕ and the parameter δ ranges in the interval [1,50] ⊂ ℕ.
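The bitstream-to-bio-item mapping described above can be sketched as follows. The 30720-bit input here is random, standing in for a real iris code, and the degenerate case where all subsequences contain the same number of 1s is assumed not to occur.

```python
import random

def bio_items(bitstream: str, q: int = 128) -> list[float]:
    """Split the bitstream into q equal subsequences, map each to a bio-item
    by counting its 1s (more noise-tolerant than binary-to-decimal
    conversion), then normalize: a_i = mu_a*(a_i - min_a)/(max_a - min_a).
    Assumes the 1-counts are not all identical (max_a > min_a)."""
    p = len(bitstream) // q
    counts = [bitstream[i * p:(i + 1) * p].count("1") for i in range(q)]
    lo, hi = min(counts), max(counts)
    mu = sum(counts) / len(counts)
    return [mu * (c - lo) / (hi - lo) for c in counts]

random.seed(0)
iris_code = "".join(random.choice("01") for _ in range(30720))
items = bio_items(iris_code)
assert len(items) == 128               # 128 bio-items of 240 bits each
assert min(items) == 0.0               # normalization pins the smallest to 0
```

Counting 1s makes each bio-item change by at most one unit per flipped bit, which is what makes this mapping tolerant to the bit-level noise discussed in Section II.B.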

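The two pseudo-code routines above can be sketched end to end in Python. This is a behavioural illustration, not the paper's implementation: NonLinearMinimization is replaced by a shortcut that snaps the start point to the nearest minimum of Eq. (2) (which lie one period 2δ apart), and the toy sizes q = 16, t = 4, s = 8 are chosen for readability.

```python
import cmath
import math
import random

def f_obj(x: float, h: float, delta: float, c: float = 1.1) -> float:
    """Eq. (2) with the bio-item already hidden inside the helper value h."""
    t = (x - h) / delta
    return -(cmath.exp(t * cmath.log(complex(-c)))).real

def normalize(y: float) -> float:
    """Magnitude normalization of a local minimum (Section II.C)."""
    return abs(y) * 10 ** (-math.floor(math.log10(abs(y))))

def snap_to_minimum(x0: float, h: float, delta: float) -> float:
    # Shortcut for NonLinearMinimization: minima of f_obj sit (to first
    # order) at x = h + 2*delta*k, so snap x0 to the nearest one.  The
    # correct minimum is reached only if |x0 - a| < delta.
    return h + 2 * delta * round((x0 - h) / (2 * delta))

def select_anchors(ys, t):
    my = sorted(ys)[len(ys) // 2]                   # median of the minima
    return sorted(range(len(ys)), key=lambda i: abs(ys[i] - my))[:t]

def bind(bio, key_items, delta):
    hs = [a + 2 * delta * random.randint(2, 50) for a in bio]   # eps > 1
    ys = [normalize(f_obj(a, h, delta)) for a, h in zip(bio, hs)]
    My = sum(ys) / len(ys)
    anchors = select_anchors(ys, len(key_items))
    ws = [k / (ys[i] * My) for k, i in zip(key_items, anchors)]
    return hs, ws

def reconstruct(bio, hs, ws, delta):
    ys = [normalize(f_obj(snap_to_minimum(a, h, delta), h, delta))
          for a, h in zip(bio, hs)]
    My = sum(ys) / len(ys)
    anchors = select_anchors(ys, len(ws))
    return [round(w * ys[i] * My) for w, i in zip(ws, anchors)]

random.seed(42)
delta = 5
bio = [random.randint(0, 240) for _ in range(16)]   # q = 16 bio-items
key = [random.randint(0, 255) for _ in range(4)]    # t = 4 crypto-items
hs, ws = bind(bio, key, delta)
noisy = [a + random.randint(-4, 4) for a in bio]    # noise below delta
assert reconstruct(noisy, hs, ws, delta) == key     # genuine user succeeds
assert reconstruct([a + 7 for a in bio], hs, ws, delta) != key  # noise > delta fails
```

The sketch reproduces the qualitative behaviour of the first experiment: as long as every bio-item deviates by less than δ, the snapped minima, and hence the anchors and the recovered crypto-items, match the ones used at binding time.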
In particular, we randomly generated a cryptographic key K and a biometric key B. The biometric key B has a fixed length and is composed of 128 bio-items a1,…,a128 ∈ [0,240], while four different lengths have been considered for the cryptographic key: 256, 512, 1024 and 2048 bits. The helper data are generated by binding the crypto-items of K with the bio-items extracted from B; then a reconstruction of K is attempted from the noisy bio-items (ai + ηi). The binding/reconstruction test is repeated 100 times for each parameter configuration and the success rate is evaluated. Results are shown as a surface relating the amount of noise, the value of δ and the rate of success. Fig. 2 shows four surfaces that correspond to the different lengths of the cryptographic keys we considered.

Figure 2. Rate of success of the key binding/reconstruction process for different lengths of the cryptographic keys. From left to right and top to bottom: |K|=256, |K|=512, |K|=1024 and |K|=2048.

The second experiment is devoted to estimating a proper value for the parameter δ with real biometric keys, since its value affects the accuracy of the binding process and strongly depends on the distribution of the biometric data (as discussed in Section II.D). In this test, we performed an all-vs-all comparison on the whole dataset according to the Chebyshev distance, with the aim of deriving the value of δ that best separates the genuine and impostor distributions. The sample distributions are shown in Fig. 3, where genuines are represented with a solid line and impostors with a dotted one.

Figure 3. The two sample distributions: i) genuine (solid line) and ii) impostors (dotted line).

The parameter δ must be set to the highest distance value for which none of the impostors would be accepted; in this case we set δ = 46. In the third experiment, we investigated the performance obtained by the proposed approach for different lengths of the cryptographic key K (256, 512, 1024, 2048 bits), when the value of δ ranges between 35 and 55. The GAR, FAR and WDR curves for the case |K| = 256 bits are shown in Fig. 4.

Figure 4. Performance of the proposed approach in terms of GAR, FAR, GRR and FRR for δ ∈ [35, 55] when |K|=256 bits.

The quantitative evaluation of the different tests is summarized in Table 1. It comes out from the results that the length of the cryptographic key does not affect the accuracy, since there are no variations in GAR and FAR. Similarly, no appreciable changes have been observed in terms of WDR and computational time when the length of K increases from 256 to 2048 bits. The only measure influenced by |K| is the size of the helper data. Indeed, the latter is proportional to |K| according to the relation |HD| = (q+t)·P/8 bytes, where P is the number of bits used to represent the coefficients. In our case, we considered a precision of 32 bits for both the hi and wi coefficients.

Table 1. Performance of the binding algorithm with δ fixed to 46.

Length of K   GAR     FAR     Time (sec)   Size (byte)   WDR
256 bits      0.857   0.000   0.487        576           0.438
512 bits      0.857   0.000   0.489        640           0.431
1024 bits     0.857   0.000   0.491        768           0.430
2048 bits     0.857   0.000   0.492        1024          0.418

B. Discussion

The main purpose of our experiments was to assess the performance of the proposed key binding technique with respect to different parameter configurations. The first experiment was aimed at heavily stressing the method by performing about 50,000 key binding/reconstruction operations while varying the parameter configuration, the length of the cryptographic key and the amount of noise in the biometric data. The results show that the proposed approach is quite robust and stable, as its behavior is not significantly affected by these changes. The results are also confirmed by the tests we conducted on real data. We carried out a second experiment with the aim of estimating the matching accuracy provided by the biometric data, to be considered as a baseline.

biometric data to be considered as a baseline. Indeed, score distributions in Fig. 3 suggest that the best recognition accuracy the system can reach while guaranteeing a zero FAR is about 84% when biometric keys are matched according to the Chebyshev distance and this value is obtained by setting the distance threshold to 46. Actually, a narrow observation of curves shown in Fig. 4 points out that the best GAR (with FAR=0) of the key binding/reconstruction algorithm is obtained right for G=46 and it is about 85%. This underlines that the proposed binding process does not bias the discriminating power of the original biometric data. IV.

IV. CONCLUSIONS
In this paper, we presented a novel biometric cryptosystem that implements the key binding process as a minimization problem. The biometric key is split into a set of bio-items, and a set of objective functions is derived from them. The helper data produced by the algorithm includes the parameters governing the objective functions and the coefficients relating the cryptographic key to the bio-items. The paper formally discusses the security of the system to demonstrate that the cryptographic key cannot be derived from the helper data unless the system is provided with a valid biometric template. The proposed scheme is quite novel and largely unexplored, and shows the great advantage of not requiring any error correction code technique. Moreover, we demonstrated that it is robust to attacks that commonly break some of the existing approaches. From a quantitative point of view, several experiments have been conducted to assess its performance in terms of accuracy, computational time and storage requirements.

In future work we will compare its performance to that of other existing techniques, such as the fuzzy commitment scheme and the fuzzy vault. Furthermore, we have started to extend this approach to other biometric traits, like fingerprints and finger/hand veins. A possible extension of the correlation attack presented in Section II.D might be the application of the techniques described in [19][20][21]. The idea is to encode the correlation among multiple genuine instances of the helper data in a SAT formula, whose satisfying assignments correspond to the t out of q local minima needed to extract the w coefficients. In this case, as done in [22], evaluating the relation between the number of genuine helper data needed to execute the attack and the size of the associated Boolean formula is a crucial aspect of the real applicability of the attack.


REFERENCES

[1] C. Soutar, D. Roberge, A. Stoianov, R. Gilroy, B. V. Kumar, Biometric encryption: enrollment and verification procedures, in Proceedings of SPIE, Optical Pattern Recognition IX, vol. 3386, pp. 24-35, 1998.
[2] A. Juels, M. Wattenberg, A fuzzy commitment scheme, in Proceedings of the 6th ACM Conference on Computer and Communications Security, pp. 28-36, 1999.
[3] F. Hao, R. Anderson, J. Daugman, Combining cryptography with biometrics effectively, in IEEE Transactions on Computers, vol. 55, no. 9, pp. 1081-1088, 2006.
[4] J. Bringer, H. Chabanne, G. Cohen, B. Kindarji, G. Zemor, Optimal iris fuzzy sketches, in Proceedings of the 1st IEEE Int. Conf. on Biometrics: Theory, Applications, and Systems (BTAS'07), pp. 1-6, 2007.
[5] J. Bringer, H. Chabanne, G. Cohen, B. Kindarji, G. Zemor, Theoretical and practical boundaries of binary secure sketches, in IEEE Transactions on Information Forensics and Security, vol. 3, no. 4, pp. 673-683, 2008.
[6] A. Juels, M. Sudan, A fuzzy vault scheme, in International Symposium on Information Theory (ISIT), p. 408, 2002.
[7] S. Yang, I. Verbauwhede, Automatic secure fingerprint verification system based on fuzzy vault scheme, in Proceedings of the IEEE Int. Conf. on Acoustics, Speech and Signal Processing (ICASSP'05), pp. 609-612, 2005.
[8] P. Li, X. Yang, K. Cao, X. Tao, R. Wang, J. Tian, An alignment-free fingerprint cryptosystem based on fuzzy vault scheme, in Journal of Network and Computer Applications, vol. 33, no. 3, pp. 207-220, 2010.
[9] X. Wu, N. Qi, K. Wang, D. Zhang, A novel cryptosystem based on iris key generation, in Proceedings of the Fourth Int. Conf. on Natural Computation, pp. 53-56, 2008.
[10] P. Mihailescu, A. Munk, B. Tams, The fuzzy vault for fingerprints is vulnerable to brute force attack, in Proceedings of the CAST Workshop BIOSIG, pp. 43-54, 2009.
[11] T. C. Clancy, N. Kiyavash, D. J. Lin, Secure smartcard-based fingerprint authentication, in Proceedings of the ACM SIGMM Workshop on Biometrics Methods and Applications, pp. 45-52, 2003.
[12] B. Tams, P. Mihailescu, A. Munk, Security considerations in minutiae-based fuzzy vaults, in IEEE Transactions on Information Forensics and Security, vol. 10, no. 5, pp. 985-998, 2015.
[13] W. J. Scheirer, T. E. Boult, Cracking fuzzy vaults and biometric encryption, in Biometrics Symposium, pp. 1-6, 2007.
[14] J. Daugman, How iris recognition works, in IEEE Transactions on Circuits and Systems for Video Technology, vol. 14, no. 1, pp. 21-30, 2004.
[15] R. P. Wildes, Iris recognition: an emerging biometric technology, in Proceedings of the IEEE, vol. 85, no. 9, pp. 1348-1364, 1997.
[16] CASIA-IrisV2, http://biometrics.idealtest.org/
[17] M. De Marsico, M. Nappi, D. Riccio, IS_IS: Iris Segmentation for Identification Systems, in Proceedings of the International Conference on Pattern Recognition (ICPR), pp. 2857-2860, 2010.
[18] http://www.peterkovesi.com/studentprojects/libor/
[19] P. Golle, D. Wagner, Cryptanalysis of a cognitive authentication scheme (extended abstract), in Proceedings of the IEEE Symposium on Security and Privacy, pp. 66-70, 2007.
[20] H. J. Asghar et al., On the linearization of human identification protocols: attacks based on linear algebra, coding theory, and lattices, in IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1643-1655, 2015.
[21] L. Catuogno, C. Galdi, On the security of a two-factor authentication scheme, in Proceedings of the 4th Workshop on Information Security Theory and Practices (WISTP 2010), Passau, Germany, Lecture Notes in Computer Science, Springer, 2010.
[22] L. Catuogno, C. Galdi, Analysis of a two-factor graphical password scheme, in International Journal of Information Security, vol. 13, no. 5, pp. 421-437, 2014.