Secure Smartcard-Based Fingerprint Authentication

Transcription

1 Secue Smatcad-Based Fingepint Authentication [full vesion] T. Chales Clancy Compute Science Univesity of Mayland, College Pak Nega Kiyavash, Dennis J. Lin Electical and Compute Engineeing Univesity of Illinois, Ubana-Champaign {kiyavash, ABSTRACT In this pape, the fundamental insecuities hampeing a scalable, wide-spead deployment of biometic authentication ae examined, and a cyptosystem capable of using fingepint data as its key is pesented. Fo ou application, we focus on situations whee a pivate key stoed on a smatcad is used fo authentication in a netwoked envionment, and we assume an attacke can launch off-line attacks against a stolen cad. Juels and Sudan s fuzzy vault is used as a stating point fo building and analyzing a secue authentication scheme using fingepints and smatcads called a fingepint vault. Fingepint minutiae coodinates m i ae encoded as elements in a finite field F and the secet key is encoded in a polynomial f(x) ove F [x]. The polynomial is evaluated at the minutiae locations, and the pais (m i, f(m i)) ae stoed along with andom (c i, d i) chaff points such that d i f(c i). Given a matching fingepint, a valid use can sepeate out enough tue points fom the chaff points to econstuct f(x), and hence the oiginal secet key. The paametes of the vault ae selected such that the attacke s vault unlocking complexity is maximized, subject to zeo unlocking complexity with a matching fingepint and a easonable amount of eo. Fo a featue location measuement vaiance of 9 pixels, the optimal vault is 69 times moe difficult to unlock fo an attacke compaed to a use posessing a matching fingepint, along with appoximately a 3% chance of unlocking failue. Suppoted by The Boeing Company unde Illinois Technology Challenge Gant Any opinions, findings, conclusions, o ecommendations expessed in this publication ae those of the authos and do not necessaily eflect the views of The Boeing Company o the State of Illinois. This wok was completed while T. Clancy was with the Electical and Compute Engineeing depatment at the Univesity of Illinois, Ubana-Champaign. Pemission to make digital o had copies of all o pat of this wok fo pesonal o classoom use is ganted without fee povided that copies ae not made o distibuted fo pofit o commecial advantage and that copies bea this notice and the full citation on the fist page. To copy othewise, to epublish, to post on seves o to edistibute to lists, equies pio speci c pemission and/o a fee. WBMA 3, Novembe 8, 3, Bekeley, Califonia, USA. Copyight 3 ACM /3/11...$5.. Categoies and Subject Desciptos E.3 [Data]: Data Encyption Keywods biometics, fingepint, smatcad, authentication 1. INTRODUCTION In ou inceasingly electonic envionment, eveything is becoming a netwok, fom the compute teminals we sit at, to the supemaket checkout, and even the locks on ou doos. In these abstact netwoks, all foms of authoization and access contol equie netwoks to have a secue method of authenticating uses. Smatcads offe a new paadigm fo authentication. Now, uses pivate keys ae stoed on smatcads. These uses can pove thei identity by using the cad to povide a coectly signed message to an authentication seve. Relying on the secuity of public-key authentication, the new task is to potect the pivate key on the smatcad itself. We believe that biometic authentication, in paticula fingepints, is a pactical method of poviding this potection. Thee ae two main appoaches fo using biometic infomation. The fist is fingepint matching, whee the smatcad stoes a template of the use s fingepint and equies the use to pesent a matching template befoe it will sign messages on the use s behalf. The second method is fingepint mapping, whee a fingepint is used to obscue the pivate key, without stoing a template. The pivate key can only be ecoveed and consequently used to sign an authentication message if a valid fingepint is povided. Fom a fundamental secuity standpoint, the key distinction between the two techniques is whethe a physical attack on the smatcad could yield any useful infomation. If the pivate key and biometic template ae both stoed unencypted on the smatcad, they would both be susceptible to a physical attack. The goal hee is to povide guaanteed secuity, athe than the illusion of secuity. This pape focuses on using a modified vesion of Juels and Sudan s fuzzy vault [1] temed the fingepint vault to encypt the pivate key on the smatcad using fingepint infomation, and deives theoetic bounds on its secuity. By analyzing the techniques used to pefom the authentication and the entopy of the biometic data used, the complexity of vaious attacks can be quantified. In all cases, thee is a tade-off between epoducibility and secuity. The oveall goals of this wok ae as follows: 1

2 smatcad digest, biodata signatue captue device teminal fingepint image auth equest Figue 1: Authentication Diagam define the fingepint vault scheme and its associated algoithms; pesent pobabilistic and systematic bounds on some of the vault paametes; define a class of unlocking techniques that can be used fo both attacks and by legitimate uses; and find the optimal fuzzy vault paamete choice to maximize attackes complexity and minimize uses complexity, while ensuing easonable epoducibility The emaining sections ae oganized as follows. Section two discusses backgound infomation and motivates the eseach. Section thee outlines pio simila eseach effots. Section fou pesents the fingepint vault and analyzes its applicability fom a pobabilistic sense. Section five analyzes the secuity of the fingepint vault fom a complexitytheoetic sense. Section six descibes empiical esults stemming fom sample fingepint data. Section seven concludes. Poofs ae povided in the appendix of the extended vesion found on the authos website.. BACKGROUND AND MOTIVATION An aipot is a motivating example whee a fingepint and smatcad solution is ideal. Passenges each have smatcads stoing thei pesonal infomation, including a pivate key. In ode to access the infomation on thei smatcad at ailine teminals, they must povide the smatcad with valid fingepint data. Fist, we pesent a simplified, geneic potocol fo use with smatcad-based biometic authentication. It is simila to those found in many popula public-key authentication schemes, such as SESAME [4, 16] and SSH [6]. In geneal, a seve should believe a use is who they say they ae if they can povide a signed message containing thei identity and a nonce o challenge (i.e. andom numbe) selected by the seve. If the public key associated with the specified identity coectly veifies the signatue, only the valid use could have sent it. If a cetificate is not povided by the use, the seve will need a database of public keys. Fom the client standpoint, signing ability is equied to authenticate. Figue 1 demonstates how this can be done with biometic data. Fist, a fingepint image is captued fom a scanne. This data is sent to a teminal which tanslates it into some smalle numeic epesentation, o template. Both the message digest we wish to sign and the biometic template ae sent to the smatcad. Povided the biometic data is valid, the smatcad will use its intenally stoed pivate key to geneate and etun a signatue fo the message digest. Ou analysis shall focus on the methods by which smatcads use biometic data to sign a message. This assumes the wost case scenaio: a smatcad has been stolen, and an attacke with complete physical access is attempting to etieve the pivate key. Given physical access, thee ae two main classes of physical attacks against smatcads: noninvasive o side-channel attacks, and invasive attacks. Thee of the most popula noninvasive attacks ae powe analysis [13], timing analysis [1], and electomagnetic (EM) analysis [1]. All of these attacks can be used to detemine sensitive infomation on a smatcad; howeve, noninvasive attacks can geneally be thwated by cleve algoithms, data obfuscation, and shielding techniques. Invasive attacks [14, 15] geneally involve dissolving the chip packaging and evese engineeing the pocesso itself. Given complete physical access, it is impossible to pevent an attacke fom etieving data stoed in memoy. The only way to potect against such an attack is to encypt the contents of memoy using a key not stoed on the cad itself. Then, an attacke may etieve the data fom the cad, but it will be of no use. Potecting the smatcad now equies effots on two fonts. Fist, the smatcad pocesso itself must be designed such that it is immune to the vaious on-line side-channel attacks. Secondly, without a matching fingepint, an attacke should not be able to obtain any sensitive infomation fom the cad. In paticula, uses pivate keys must be stoed in an encypted fomat. This second font is the focus of the wok pesented hee. 3. PAST WORK In the past few yeas, thee have been seveal eseach effots aimed at addessing the intesections between cyptogaphy and biometics. Hee we addess biometic cyptosystems in geneal, delve moe deeply in to the fuzzy vault, and then biefly examine vaious polynomial econstuction techniques. 3.1 Biometic Cyptosystems In 1998, Davida, et al. [6], wee among the fist to suggest off-line biometic authentication. It moved biometic data fom a cental seve into a signed fom on a potable stoage device, such as a smatcad. Thei system was essentially a PKI-like envionment that did local fingepint matching. Its main flaw is that it equied some local authentication authoity to have a key capable of decypting the template stoed on the stoage device. While they addess the key management issues, the basic pemise is still that of local fingepint matching, and is theefoe inheently insecue. The next yea thee wee thee innovative, yet simila methods that did not pefom biometic matching. The fist is the fuzzy commitment scheme [11]. Hee, a secet (pesumably a pivate key used fo late authentication) is encoded using a standad eo coecting code such as Hamming o Reed-Solomon, and then XOR-ed it with a biometic template. To etieve the secet, a slightly diffeent biometic template can again be XOR-ed, and the esult put though an eo coecting decode. Some small numbe of bit eos intoduced in the key can be coected though the decoding pocess. The majo flaw of this system is that biometic data is often subject to eodeing and easues, which cannot be handled using this simple scheme. In [19], a technique was poposed using the phase infomation of a Fouie tansfom of the fingepint image. The fin-

3 gepint infomation and a andomly chosen key ae mixed togethe to make it impossible to ecove one without the othe. In ode to toleate eos, the system used a filte that minimizes the output vaiance coesponding to the input images. To povide futhe edundancy, an encoding pocess stoes each bit multiple times. The wok does not addess how much these steps educe the entopy of the oiginal image; thus, it is not clea that thee exists a set of paametes which will allow the system to eliably ecognize legitimate uses while poviding a easonable amount of secuity. A thid pape [18] has a simila theoetical foundation to this wok, but aims towad a completely diffeent application. Hee, Monose, et al., attempt to add entopy to uses passwods on a compute system by incopoating data fom the way in which they type thei passwod. Since the biometic being used hee so so adically diffeent fom fingepints, thei esults ae not applicable to this wok. Recently, Juels and Sudan [1] poposed the fuzzy vault, a new achitectue with applications simila to Juels and Wattenbeg s fuzzy commitment scheme, but is moe compatible with patial and eodeed data. The fuzzy vault is used hee as a stating point fo the biometic scheme pesented in this pape. 3. Fuzzy Vault Hee, we descibe the oiginal fuzzy vault, with some slight notational diffeences. As with any cyptosystem, thee is some message m that needs to be encypted, o in this case locked. Some symmetic fuzzy key can be used to accomplish this task, and then used again late to decypt, o unlock the oiginal message. Hee, ou message m is fist encoded as the coefficients of some degee k polynomial in x ove a finite field F q. This polynomial f(x) is now the secet to potect. The locking set L is a set of t values l i F q making up the fuzzy encyption key, whee t > k. The locked vault contains all the pais (l i, f(l i)) and some lage numbe of chaff points (α j, β j), whee f(α j) β j. Afte adding the chaff points, the total numbe of items in the vault is. In ode to cack this system, an attacke must be able to sepaate the chaff points fom the legitimate points in the vault. The difficulty of this opeation is a function of the numbe of chaff points, among othe things. A legitimate use should be able to unlock the vault if they can naow the seach space. In geneal, to successfully intepolate the polynomial they have an unlocking set U of t elements such that L U contains at least k + 1 elements To summaize the vault paametes: f(x) is a degee k polynomial in F q[x] t k points in L intepolate though f(x) t is total numbe of points in the vault This vault shall be efeed to as V(F q,, t, k). Spuious polynomials of degee k intepolated by t points may show up in the andomly selected chaff points. In [1], the authos pesent a lemma descibing the secuity of thei scheme based on the numbe of these polynomials that exist in a vault with geneal paametes. Lemma 1. Fo evey µ >, with pobability 1 µ, a vault of size t contains at least µ 3 qk t (/t) t polynomials f (x) of degee less than k such that the vault contains exactly t points of the fom (x, f (x)). 3.3 Polynomial Intepolation In ode to actually econstuct the secet locked within the fuzzy vault, the points in the unlocking set must be used to intepolate a polynomial. The unlocking set will contain both eal points and chaff points. The simplest mechanism fo ecoveing the polynomial is a bute-foce seach, whee vaious k+1 element subsets of the unlocking set ae used to intepolate a degee k polynomial, using Newtonian Intepolation [8]. A second method is to use a Reed-Solomon decode [3], as suggested by Juels and Sudan. While RS codes ae taditionally used to coect eos in messages tansmitted ove noisy channels, they ae essentially a genealization of the polynomial econstuction poblem. Using a (t, k) code, t points can be fed into the decode, and the degee k polynomial will be etuned. Thee ae two main RS decoding algoithms: the Belekamp- Massey algoithm [17], and the Guuswami-Sudan algoithm [7]. Belekamp-Massey equies k+t eal points in the unlocking set while Guuswami-Sudan only equies kt. Un- fotunately, this exta eo coecting capability equies significantly moe computation. Inteestingly enough, the two algoithms povide nealy identical unlocking complexities fo a wide ange of vault paametes, so we shall focus on the Belekamp-Massey method. Anothe field called noisy polynomial intepolation has had some ecent advances, notably by Aoa and Khot [] and Bleichenbache and Nguyen [5]. Howeve, the esults of this wok ae not applicable to the fuzzy vault. In [], they examine the poblem of finding all polynomials that intepolate though the points (x i, [y i δ, y i + δ]). The noise in ou points has been emoved by the existence of the fuzzy vault, so this is not useful to us. In [5], they look at the poblem of intepolating the points (x i, y i,1), (x i, y i,),..., but since we do not have chaff points ovelapping with eal points, thei new algoithm is also not applicable. 4. FINGERPRINT VAULT In this section, we descibe ou modified fingepint vault, and the algoithms used to lock and unlock data. Additionally, theoetic bounds on ou ability to successfully unlock the vault ae detemined. 4.1 Genealized Fuzzy Vault Fist, the fuzzy vault specifies that the size of the locking set, unlocking set, and RS codewods ae all the same size. Hee, we loosen this estiction. t is the numbe of points in L τ is the numbe of points in U n is the RS codewod size In [1], the authos conside the case whee L and U ae taken fom discete sets, howeve fo biometic puposes these values ae not discete (o ae taken fom a sufficiently high-esolution discete set). Hence, fo all the elements in U, we need to find the closest elements in vault, and then ty unlocking with those values. Consequently, a quantization poblem is intoduced. How closely can we pack chaff points and still maintain a easonable pobability of quantization eo? The key being used to lock ou fuzzy vault is pixel coodinate locations, (x i, y i), of featues on a fingepint image. 3

4 Consequently, and ideal field fo the vault is F p, such that p is pime. Lemma 1 pobabilistically gives us the numbe of spuious polynomials of a paticula degee in ou vault. The pesence of many such polynomials is the key to poof of secuity in [1]. Unfotunately, fo easonable vault paametes (see Section 6), thee exists a δ with k δ t such that the expected numbe of spuious degee k polynomials intepolated by moe than δ points is less than one. The consequence is that the bute-foce seach fo a degee k polynomial intepolating δ points will yield a unique esult, namely, the vault secet. The pecise value of δ such that the esults of an unlocking attempt can be veified will be equied late: Coollay 1. A value of δ satisfying the above equiement is log 1 3 δ pk (1) log kp Howeve, an attacke will still have to seach though the space of possible polynomials. We will show in Section 5 that this complexity can still be fomidable. Fist, howeve, we will define ou algoithms. 4. Featue Extaction Featue extaction has been the focus of much eseach in past yeas, and this pape does not addess it in detail. Fo the tests pefomed in this pape, the VeiFinge toolkit fom Neuotechnologija Ltd. [5] was used to extact fingepint featues. The featue extaction pocess is visually epesented in Figue. In (a), one can see an image scan of a fingepint. This is eceived diectly fom the fingepint captue device. Vaious edge detection algoithms ae then used to convet that infomation into (b). This figue featues a cleaned-up vesion of the oiginal scan. Fom thee, featues can be eadily identified, as in (c). Each identified ae in (c) epesents a fingepint minutiae, which is a location whee a fingepint idge eithe splits o ends. Hee, we shall conside the featue extaction and alignment as a black box, yielding nomalized (x, y) pixel coodinates of fingepint minutiae. The outputs fom the black box fo seveal scans of the same finge ae geneally close to one anothe, unless the fingepint image was seveely clipped. The inta-scan vaiance imposes limitations on ou system. 4.3 Featue Noise Each peson s fingepint consists of a fixed set of minutiae locations m i = (x i, y i) M. Howeve, due to systematic eos in image captue, pocessing, and alignment, noise is added to each point, such that ou final points ae m i = (x i + n xi, y i + n yi) Additionally, the pocessing noise may discad featues o add additional featues that ae not pesent on the actual fingepint. The next step in the analysis is to deive a model fo the noise intoduced by the captue device and extaction algoithms. Fom this infomation, we can deive matching eo pobabilities. To simplify analysis, an additive Gaussian noise model will be assumed Figue 3: Plot of minutiae fom 5 scans of the same peson, with eliable egions maked To estimate the distibution on the minutiae locations, statistical data is needed. To accomplish this, featues wee extacted fom N sample fingepint images of the same peson, and then aligned. The data used hee was associated using the bounded neaest neighbo aveaging technique descibed in the next section. The esult is a set of expected values ( x i, ȳ i) fo each detected minutiae, the numbe n N of samples having a minutiae in that neighbohood, and the vaiance and covaiance of those n minutiae, (σ x,i, σ y,i, ρ i). Figue 3 shows these egions whee featues eliably appea. These values will be used late to compute a bound on the possible density of chaff points fo a given quantization eo pobability. 4.4 Locking Set The locking set L is computed in a method simila to the method fo finding minutiae vaiances. A use s finge is scanned and pocessed N times, esulting in N sets of minutiae, b 1,..., b N. These ae coelated using the following algoithm with distance theshold T and multiplicity theshold S: 1. let A be the set of aveage points with multiplicity. fo each minutiae set b i 3. fo each minutiae m j b i 4. find element in n k A such that n k m j < T 5. select closest n k that has not aleady been used 6. if no matches, add m j to A with multiplicity one 7. else add m j to aveage and incease multiplicity 8. A = {a A : multiplicity(a) > S} Featues appeaing in S o fewe scans ae discaded as noise. These points geneally occu in the edge egions of the image, whee featue extaction is less eliable. This locking set can then be used to ceate the fingepint vault. 4.5 Chaff Points The numbe and location of chaff points is limited by the vaiance in the fingepint captuing and featue extaction algoithm. Chaff points cannot be placed too close to eal points, o they will cause quantization poblems. Given some acceptable distance d is found, chaff points can be 4

5 Figue : Featue Extaction Pocess: (a) oiginal image, (b) afte edge detection, (c) including featue points placed anywhee as long as they ae at least distance d fom any eal points. Additionally, thee is no eason to place chaff points next to each othe at any distance less than d, because an attacke can immediately ignoe them as unlikely candidates, as they ae so close togethe. Lemma. Given elements of F p have paiwise Euclidean distance no less than d, the total numbe of elements with packing density ρ is less than 4ρp d π P_eo.4 Random Packing Sample Data Optimal Packing The optimal packing technique fo cicles is using a hexagonal lattice, and has a packing density of ρ = π.91 3 [3]. Unfotunately, this density could neve be achieved, as we equie the locations of chaff points to look andom. If they all existed on a lattice, any discontinuities in the lattice patten would be the eal points. Points can be andomly packed by epeatedly selecting andom field elements and putting a chaff point thee if it is at least distance d fom all othe points. This yields a packing density of ρ.45, and is guaanteed to be andom. Anothe technique, andom close packing [9], could yield densities close to ρ.75, but these techniques have not been sufficiently studied in the two-dimensional case, and thei andomness has neve been quantified. Fo this esults to be useful, a minimum distance d between points needs to be computed in tems of the vault paametes. Hee, we make a simplifying assumptions which will slightly loosen ou bound, but yield simple esults: the noise distibution is spheically Gaussian, o the two axes ae independent and identically distibuted. Lemma 3. The pobability of successfully decoding a single point at distance at least d fom all othes using the maximum likelihood ule is ( ) d P s 1 exp () 8σ Theoem 1. The pobability of eo fo decoding points at least δ out of t points in the fuzzy vault V(F p,, t, k) is bounded below by P e ( ) t t exp i i=δ fo a given point vaiance σ. ) i ( )) t i ( ρp 1 exp ( ρp πσ πσ (3) vault_size Figue 4: Pobability of eo as a function of, using σ = 9 and p = 51, with vault paametes t = 4 and δ = 1, plotted with eo pobabilities using andom packing in sample data sets. Figue 4 shows the eo pobability as a function of the vault size fo the optimal and andomized packing methods. Also included is eo pobabilities fom actual fingepint data using the andom packing method. Fo each peson, five fingepint scans wee available. The fist fou wee used to ceate a vault, and the fifth was used to ty and unlock it. The plotted pobabilities epesent the faction of data sets that had enough tue points in the unlocking set to successfully unlock the fingepint vault. The expeimental esults ae quite close to the theoetical, which is impessive given ou simplified noise model. Note that this is the pobability of being able to successfully decode, and does not deal with the complexity of actually pefoming that decoding. 4.6 Unlocking Set The unlocking set U stats off initially as some set U of minutiae locations fom a single scan of the use s finge. To select the elements of the unlocking set, fo each point in U the use finds the closest point in the vault. If the fingepint captue pocess did not intoduce noise featues, we should have U L. Howeve, thee is some pobability that a minutiae will by chance be close to a chaff point than a tue point. Also, thee is a chance that U will contain 5

6 spuious minutiae which was not included in L. This is whee Reed-Solomon codes comes into play. Fo any n points, we can detemine the polynomial, o Reed- Solomon codewod in this case, if at least δ+n of those points ae coect. If n is easonably close to, then vey few attempts will be equied to compute the polynomial. 5. UNLOCKING COMPLEXITY Vault unlocking can be viewed in two contexts. The fist is the complexity of a valid use unlocking a vault with a matching fingepint image. One goal is to minimize this complexity. The second context is the complexity of an attacke without fingepint infomation tying to cack the vault. We wish to maximize this complexity while the attacke wishes to minimize it. Thee ae two obvious techniques fo unlocking the vault. The fist is the bute-foce method, o bf(, t, k), whee is the total numbe of points, t is the numbe of eal points, and k is the degee of the polynomial. Fo an attacke, and t ae the same as the ones in the vault paamete, howeve fo a valid use, is the size of thei unlocking set and t is the numbe of non-chaff points in that set. Theoem. The complexity of the bf(, t, k) poblem using a suitable δ to ensue a unique esult is C bf = ( t 1. δ)( δ) Example 1. Conside a vault ove F 51 with = 1 total points and t = 4 eal points ove a degee k = 8 polynomial. Unde Coollay 1, δ = 1. Using Theoem, the complexity of an attacke beaking the vault is appoximately 58 polynomial intepolations. Example. Conside the same vault, only a valid use intesects thei unlocking set with the vault to obtain = 3 points, t = of which ae eal points. With such a small vault, obviously δ = k + 1 = 9. Using Theoem, the complexity of a valid use unlocking the vault is appoximately 7 polynomial intepolations. The second example illustates that a bute-foce decoding algoithm is less than ideal a valid use. Anothe method of unlocking the vault is though the use of a Reed-Solomon decode. In the s(, t, n, δ) poblem,, t, and δ have the same meanings as befoe, and n is the size of the Reed- Solomon codewods involved. Theoem 3. The complexity of the s(, t, n, δ) poblem ove F p is C s = ( n ) min(n,t) i=max( n+δ,n +t) )( ) 1 t t n i i such that n satisfies δ n min(, t δ) and n (p 1). Coollay. The complexity of bf(, t, δ) = s(, t, δ, δ), o taking n = δ educes Reed-Solomon unlocking into a bute-foce unlocking. Coollay 3. Fo >> t, bf(, t, δ) s(, t, n, δ), fo all n δ, o unless an attacke can eliminate a significant numbe of chaff points of a locked vault, he o she can do no bette than a bute-foce attack. ( (4) Let s examine the pevious two examples in the context of Reed-Solomon decoding. Figue 5 illustates the complexity of a full-scale attack, an attack whee patial fingepint infomation is known, and a legitimate unlocking of the vault. We can see that depending on the elationship of and t, the optimal method fo unlocking the vault can change. By using a Reed-Solomon decode, a valid use can now unlock the vault in 1 o ties, while an attacke can still do no bette than a bute-foce attack. If an attacke is able to eliminate many of the chaff points, pesumably though side knowledge of some of the fingepint chaacteistics, finding the optimal attack now becomes moe inteesting. The minimum complexity is no longe one of the bounding cases. In this pape, we assume that we can choose chaff points in such a way as to confuse the attacke and foce him to conside all points. Fo the most pat we can disegad attacks whee an attacke can eliminate cetain chaff points based on the pobable minutiae configuations. Reseach [, 1, ] indicates that the pobability of two people having the same fingepint is appoximately Assuming fingepints ae equipobable, this coesponds to log (1 1 8 ) 65 bits of entopy. Thus, fo a complexity-theoetic attack, the minutiae entopy is sufficiently lage, thus tivializing attacks which take pobable minutiae configuations into account. This also indicates we could neve achieve moe than 65-bit secuity, egadless of vault paametes. 6. EMPIRICAL RESULTS Thoughout the pape, the tem easonable vault paametes has been used epeatedly. Hee, we use actual fingepint data to detemine what easonable is. Each of the vault paametes, p,, t, and k has limitations placed on it by the behavio of actual fingepint data. The locking and unlocking algoithms wee implemented in MATLAB, and sample fingepint data was used to test the eo pobabilities. Fou scans of the same individual wee used to ceate a vault, and a fifth used to ty and unlock it. The numbe of tue points in the unlocking sets fo these eal vaults was used to validate the statistical models. The field, F q, defines the undelying mechanics of ou entie system. Thoughout, we have been using F p, fo pime p. In geneal, we wish to epesent a featue pixel location. Fo the examples pesented so fa, p = 51 was used. This way, minutiae locations can be stoed in 16-bit numbes, and 51 1 = 63 = , a vey smooth numbe, yielding many choices fo the Reed-Solomon codewod size. Inceasing the fingepint image esolution and consequently the field size has little effect on the esulting secuity. As the esolution inceases, so does the minutiae vaiance, σ. These two paametes cancel one anothe out, making the undelying field selection based moe on convenience than secuity. The numbe of eal points, t, is the size of the locking set. The algoithm descibed ealie takes seveal scans of the same peson and locates minutiae that appea in two o moe of the scans. This algoithm was implemented in MATLAB and used to ceate vaious locking sets. Fo 5 scans of each peson and S = 1, we obtain locking sets which anged fom 5 to 6 points, with mean 38 and standad deviation 11. The degee of the polynomial the vault potects is bounded below by the amount of data we wish to encode in it. Each 6

7 bit complexity 7 65 bit complexity bit complexity Reed Solomon codewod size Reed Solomon codewod size Reed Solomon codewod size Figue 5: Log of complexity fo Reed-Solomon decoding as a function of codewod size; (a) complexity of full attack, s(1, 4, n, 1); (b) complexity of patial infomation attack, s(1, 4, n, 1); (c) complexity of legitimate unlocking, s(3,, n, 1). log complexity vault size () attack complexity unlocking complexity complexity gap Figue 6: Vault pefomance as a function of vault size, with k = 14, τ =, and t = 38 ove F 51 coefficient is an element of F 51, and can theefoe hold 15.9 bits of infomation. As a esult, a 18-bit key can be encoded using 9 coefficients, o in a degee 8 polynomial. Consequently, we shall conside k 8. The total numbe of points depends on the numbe of chaff points added to the vault, and is a function of the desied eo pobability. Figue 4 gave the pobabilities fo a paticula set of input values. Hee, we shall examine this tade-off in moe detail. Fist, examine how the vault pefoms as a function of its size. Figue 6 shows both the complexity of a nomal use, and the complexity of an attacke fo a vault with 38 eal points ove a degee 14 polynomial. We can see that as the total numbe of points inceases, so do both complexities. In ode to keep use complexity to a minimum, we shall select the lagest value of such that the use has zeo complexity. The othe key paamete that can be vaied to alte ou vault pefomance is k, the degee of ou polynomial. Figue 7(a) shows the attack complexities as a function of k. This complexity was computed by fist finding the maximum numbe of points such that the use has zeo complexity, and fom thee computing δ, the minimum numbe of points intepolating ou polynomial in ode to guaantee success. Using and δ, the difficulty of a bute-foce attack can be computed. Figue 7(b) is essentially a eality check on ou selection of τ, the size of ou unlocking set. Fo a given τ and k, eal fingepint data was again used to compute the pobability of successfully unlocking the vault. It can be seen that given τ =, appoximately to 3 pecent eo occus. Fom a use s pespective, this means that evey couple times they access thei smatcad, a second fingepint scan will be equied in ode to successfully unlock the vault. This seems easonable given that we expect that the false positive ate to be infinitesimally small. The coesponding cuve in 7(a) indicates that the maximum complexity is 69 fo k = 14. Consequently, ove F 51 we have detemined the optimal vault to be: polynomial: k = 14, δ = 17 chaff points: = 313, d = 1.7 attack complexity: CONCLUSION In this pape, we have consideed the pactical implications of using fingepint infomation to secue a smatcad. Because fingepints ae often inconsistent, we must esot of a fuzzy scheme fo stoing the secet key. We show that with eal-life paametes, it is impossible to ensue the secuity envisioned by Juels and Sudan. Howeve, we define a modified scheme called the fingepint vault, povide associated algoithms and a mechanism fo finding optimal vault paametes. Paametes ae povided which makes etieving the secet 69 times moe difficult fo the attacke than a legitimate use. Thee ae a couple ways by which secuity may be impoved. An obvious way is to use multiple fingepints to stoe a longe pivate key which could be hashed down to the appopiate length. Anothe way is to impove the detection and extaction algoithms so as to lowe σ, allowing us to pack in moe chaff points. 8. REFERENCES [1] Agawal, D., Achambeault, B., Rao, J., and Rohtagi, P. The em-side channel(s). Wokshop on Cyptogaphic Hadwae and Embedded Systems, CHES. 7

8 attack complexity 8 7 eo pobability polynomial degee polynomial degee Figue 7: Vault pefomance as a function of k and τ: (a) attack complexities as a function of k fo vaious τ; (b) decoding failue as a function of k fo vaious τ [] Aoa, S., and Khot, S. Fitting algebaic cuves to noisy data. ACM Symposium on Theoy of Computing, STOC. [3] Blahut, R. Algebaic Codes fo Data Tansmission. Cambidge Univesity Pess, 3. [4] Blahut, R. Modem Theoy: An Intoduction to Telecommunications. Cambidge Univesity Pess, pepint. [5] Bleichenbache, D., and Nguyen, P. Q. Noisy polynomial intepolation and noisy chinese emaindeing. Advances in Cyptology, EUROCRYPT. [6] Davida, G., Fankel, Y., and Matt, B. On enabling secue applications though off-line biometic identification. IEEE Symposium on Pivacy and Secuity, [7] Guuswami, V., and Sudan, M. Impoved decoding of eed-solomon and algebaic-geometic codes. Symposium on Foundations of Compute Science, FOCS [8] Hildeband, F. B. Intoduction to Numeical Analysis. McGaw-Hill, [9] Jaege, H., and Nagel, S. Physics of ganula states. Science 55, 154 (199). [1] Juels, A., and Sudan, M. A fuzzy vault scheme. ACM Confeence on Compute and Communications Secuity, CCS. [11] Juels, A., and Wattenbeg, M. A fuzzy commitment scheme. ACM Confeence on Compute and Communications Secuity, CCS [1] Koche, P. Timing attacks on implementations of diffie-helmman, sa, dss, and othe systems. Advances in Cyptology, CRYPTO [13] Koche, P., Jaffe, J., and Jun, B. Diffeential powe analysis. Advances in Cyptology, CRYPTO [14] Kuhn, M., and Andeson, R. Tampe esistance: A cautionay note. Wokshop on Electonic Commece, USENIX [15] Kummeling, O., and Kuhn, M. Design pinciples fo tampe-esistant smatcad pocessos. Wokshop on Smatcad Technology, USENIX [16] Looi, M., Ashley, P., Seet, L. T., Au, R., and Vandenwauve, M. Enhancing sesamev4 with smat cads. Intenational Confeence on Smatcad Reseach and Applications, CARDIS [17] Massey, J. L. Shift egiste synthesis and bch decoding. IEEE Tansactions on Infomation Theoy 15, 1 (1969), [18] Monose, F., Reite, M., and Wetzel, S. Passwod hadening based on keystoke dynamics. ACM Confeence on Compute and Communications Secuity, CCS [19] Nichols, R. K., Ed. ICSA Guide to Cyptogaphy. McGaw-Hill, 1999, ch. Biometic Encyption. [] Ostebeg, J., Pathasaathy, T., Raghavan, T., and Sclove, S. Development of a mathematical fomula fo the calculation of fingepint pobabilities based on individual chaacteistics. Jounal of the Ameican Statistical Association 7 (1977), [1] Pankanti, S., Pabhaka, S., and Jain, A. On the individuality of fingepints. IEEE Tansactions on PAMI 4 (), [] Sclove, S. The occuance of fingepint chaacteistics as a two-dimensional pocess. Jounal of the Ameican Statistical Association 74 (1979), [3] Steinhaus, H. Mathematical Snapshots, 3 ed. Dove, 199. [4] Vandenwauve, M., Govaets, R., and Vandewalle, J. Oveview of authentication potocols: Kebeos and sesame. IEEE Canahan Confeence on Secuity Technology 1997, pp [5] Veifinge. Neuotechnologija ltd. [6] Ylonen, T. Ssh secue login connections ove the intenet. Secuity Symposium, USENIX 1996, pp

9 A1. PROOFS Poof of Coollay 1: A value of δ satisfying the above equiement is log 1 3 δ pk (A1) log kp The equiement on the numbe of spuious polynomials can be ewitten as ( 1 ( ) ) δ log 3 p(k δ) <. (A) δ Afte expanding and eaanging, we have δ > log 1 3 pk log δp (A3) Unable to isolate the δ, on the ight hand side substitute k fo δ. In geneal, δ is lage than k, and the logaithm of the two is elatively close. Fo easonable vault paametes, this only inceases δ by appoximately.3, and eithe does not affect the esult o adds a small pobabilistic safety net. Poof of Lemma : Given elements of F p have paiwise Euclidean distance no less than d, the total numbe of elements with packing density ρ is less than 4ρp. d π The poblem educes to packing cicles within a ectangle. The squae of possible locations has aea p, and the cicles have aea ( ) d π. As a esult, the numbe of cicles is bounded above by ( ) p ρ = 4ρp (A4) (d/) π πd V(F p,, t, k) is bounded below by ( ) t ) i ( )) t i t P e exp ( ρp 1 exp ( ρp i πσ πσ i=δ fo a given point vaiance σ. (A7) The esult above is essentially a combination of the fist two lemmas. The vault is designed to allow some decoding eos, since thee ae t δ valid points available, any combination of at least δ successful decodings is necessay. Also note that we ae ignoing the pobability of an eo yielding anothe eal point, athe than a chaff points. The eal points used in the vault can be chosen to minimize the pobability of this event. The distance d is defined by the fist lemma as d 4ρp πt. Substituting fo d in the P s, we can compute P e as P e t i=δ which expands to the given expession. (A8) ( t ) i (Ps) i (1 P s) t i (A9) Poof of Theoem : The complexity of the bf(, t, k) poblem using a suitable δ to ensue a unique esult is C bf = ( )( t ) 1. δ δ The poof is a faily staight-fowad combinatoics agument. In the bute-foce method, we must find δ points that intepolate a degee k polynomial. Thee ae ( δ) sets of any δ points. Of those sets, ( t δ) will yield successful esults, as all δ points will exist on the degee k polynomial. The quotient of the two is the expected numbe of tials equied to open the vault. Poof of Lemma 3: The pobability of successfully decoding a single point at distance at least d fom all othes using the maximum likelihood ule is ( ) d P s 1 exp (A5) 8σ The success pobability is bounded below by integating the Gaussian of distance d/ fom its mean, a fequently made simplification in communication theoy [4]. Hee, we use pola integation on the multivaiate Gaussian distibution to compute the pobability. Consequently, the computation is P s π d/ which simplifies to the above expession. 1 /σ πσ e d dθ (A6) Poof of Theoem 1: The pobability of eo fo decoding points at least δ out of t points in the fuzzy vault Poof of Theoem 3: The complexity of the s(, t, n, δ) poblem ove F p is C s = ( n ) min(n,t) i=max( n+δ,n +t) ( )( ) 1 t t n i i (A1) such that n satisfies δ n min(, t δ) and n (p 1). The agument hee is simila to the poof fo bute-foce. We select and ty codewods of size n. Thee ae ( n) such codewod selections. The numbe of such codewods that succeed is a moe difficult question to answe. In geneal, ou Reed-Solomon code equies n+δ elements to successfully poduce the degee k polynomial intepolated n+δ by at least δ points. As a esult, t (o if is elatively small). Since n δ, the oveall condition on n is deived: δ n min(, t δ). How many sets of n points will succeed? Well, thee must be at least ν = n+δ eal points and no moe than n ν chaff points. Given we have i eal points whee ν i n, thee ae ( ( t n i) ways to choose the chaff points and t i) ways to 9

10 select the eal points. This esults in the summation ( )( ) min(n,t) t t. (A11) n i i i=max(ν,n +t) The additional constaints on i guaantee that we neve select moe chaff points o eal points than we actually have. Poof of Coollay : The complexity of bf(, t, δ) = s(, t, δ, δ), o taking n = δ educes Reed-Solomon unlocking into a bute-foce unlocking. Since δ t, the summation anges can be detemined: min(δ, ) = δ, max(δ, δ + t) = δ. Since the summation only opeates with i = δ, the combinations become ( t )( t δ to ( δ)( t δ) 1. ) ( = t ) δ. Thus, the oveall expession simplifies Poof of Coollay 3: Fo >> t, bf(, t, δ) s(, t, n, δ), fo all n δ, o unless an attacke can eliminate a significant numbe of chaff points of a locked vault, he o she can do no bette than a bute-foce attack. We wish to select an n, such that k n t k that minimizes C s. To do this, well shall expand the equation fo C, and examine the tems that most significantly contibute to the oveall complexity. Fist, fo >> t, the tems can be slightly simplified. ( ) C s = n min(n,t) i=(n+δ)/ ( )( ) t t 1 n i i Now, expanding the summation: ( ) (( )( ) n t (n δ)/ t (n + δ)/ (A1) + ) 1 (A13) Howeve, notice that we eally ae only inteested in the fist tem of the summation. Fo >> t, the fist combination is significantly lage than the second. Additionally, the second tem in the summation will be appoximately times smalle. As a esult, if we wite out the dominant tems: ( )( ) 1 t (A14) n (n δ)/ To minimize ou complexity, we wish to minimize the numeato and maximize the denominato. Howeve, these ae conflicting goals. Fotunately, the fist tem contibutes appoximately t times moe to the esult than the second tem. Consequently, to minimize ( n), select the smallest n possible. 1