A Novel Fuzzy Vault Scheme for Secret Key Exchange

Lin You1 and Jie Lu2 1Institute of Cryptography and Information Security, Hangzhou Dianzi University, Hangzhou 310018, China 2Zhejiang Wellcom Technology Co., Ltd, Hangzhou 310012, China

Keywords: Fuzzy Vault, Secret Key Exchange, Finite Group, Biometrics, Polynomial Interpolation.

Abstract: Based on the classical fuzzy vault and the Diffie-Hellman key exchange scheme, a novel fuzzy vault scheme for the secret key exchange is proposed. In this fuzzy vault scheme, the two users can respectively use their biometric features to unlock the fuzzy vault to get their shared secret key without running the risk of disclosure of their biometric features. The security of our scheme is based on the polynomial reconstruction problem and the discrete logarithm problem in a given finite group.

1 INTRODUCTION In Section 2, the classical fuzzy vault scheme is in- troduced, and our novel fuzzy vault scheme for the In a cryptosystem, one of the most important proce- secret key exchange is proposed in Section 3. Finally, dure is to securely store the secret key. Generally, the some conclusions are presented in Section 4. secret key is stored in the user’s computer, a smart card or other storage medias by using a password for accessing, but it will run the risks that the storage 2 THE CLASSICAL FUZZY medias be lost or stolen, or the password will suffer from the exhaustive search attack. A better way is to VAULT SCHEME use the user’s biometric features as the access control measure, while the user’s biometric feature or secret Essentially, the classical fuzzy vault is a scheme for key may also be disclosed if his biometric template the secure protection of one’s secret (value or key) by and key are separately stored. Therefore, to ensure the use of his some private message set which gener- their safety simultaneously, the user’s biometric fea- ally comes from his unique biometrics. A fuzzy vault ture and secret key should be completely blended into is composed of two algorithms, one is called ’Locking one set or a data. A classical solution is the fuzzy Algorithm’, and the other is called ’Unlocking Algo- vault proposed by A. Juels and M. Sudan in 2002 rithm’. The security of this scheme is based on the (Juels and Sudan, 2002). In their fuzzy vault scheme, polynomial reconstruction problem. they used the user’s unique set to blend his secret into A fuzzy vault scheme includes two public pa- F a vault based on Reed-Solomon codes, and the user rameters, one is a finite field q with q a power of can recover his secret by providing a set that overlaps a prime, and the other is a Reed-Solomon decoding largely with the original set. Even if an attacker can algorithm (denoted as RSDECODE for short). The best get the vault he cannot obtain the the user’s secret or practical choice for RSDECODE is the Reed-Solomon the information about the set. decoding algorithm based on Newton’s interpolation The secret sharing scheme or Diffie-Hellman key (Sorger, 1993). The following two algorithms for the exchange scheme is a key cryptographic protocol, fuzzy vault scheme comes originally from the revised and how to safely store the shared key between the work of A. Juels and M. Sudan (Juels and Sudan, users is also a thorny problem. Based on the ideal 2006) except for some minor changes. of A. Juels and M. Sudan’s fuzzy vault, a fuzzy vault scheme for the secret key exchangeis proposed in this Locking Algorithm work. The security of this fuzzy vault scheme is based Input: Parameters n, t, and r such that n ≤ t ≤ r ≤ q, Fn t on both the discrete logarithm problem and that the a pre-selected secret key k ∈ q, a set A = {ai}i=1 users’biometric features are not illegally exposed. with ai ∈ Fq being distinct.

426 You L. and Lu J.. A Novel Fuzzy Vault Scheme for Secret Key Exchange. DOI: 10.5220/0004125404260429 In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 426-429 ISBN: 978-989-8565-24-2 Copyright c 2012 SCITEPRESS (Science and Technology Publications, Lda.) ANovelFuzzyVaultSchemeforSecretKeyExchange

Output: A fuzzy vault V = {R,(n,r,q)} with R being points. Any divergence between B and A will intro- r F a set of points {(xi,yi)}i=1 such that xi,yi ∈ q and duce a certain amount of error. Provided that there all xi being distinct. is a sufficient overlap, however, this noise may be re- moved by means of a Reed-Solomon decoding algo- 1. X, R, V ← Ø; rithm. 2. P ← k, that is, k is block-encoded into the coeffi- The most convenient and unique features to the cients of a polynomials of degree n in Fq; user is his biometric feature set, such as the finger- 3. For i = 1 to t do print features, iris features, retinal features and etc. In 2005, U. Uludag and et al.(Uludag et al., 2005) pro- • (xi,yi) ← (ai,P(ai)); posed a fingerprint-based fuzzy vault. One can also • X ← X S {xi}; use our other biometric features to construct fuzzy • R ← R S {(xi,yi)}; vault schemes. for i = t + 1 to r do • x ∈ F \X; i U q 3 A NOVEL FUZZY VAULT • X ← X S{xi}; • yi ∈U Fq\{P(xi)}; SCHEME FOR A SECRET KEY • R ← R S {(xi,yi)}. EXCHANGE 4. Output R or V = {R,(n,r,q)}. The most popular and classical secret key exchange In order not to leak information about the order in scheme is the Diffie-Hellman key exchange scheme which the xi are chosen, the set R should be output (Diffie and Hellman, 1976)which is a specific method in a pre-determined order, e.g., the points in R may for the exchanging secret keys between two parties, be arranged in order of ascending x-coordinates, or and it is one of the earliest practical examplesof secret else in a random order. Note that the chaff points key exchange scheme implemented within the field in the locking algorithm should be selected so as of cryptography. The Diffie-Hellman key exchange to intersect neither the set A nor the polynomial P. method allows two parties that have no prior knowl- This is for technical reasons, namely to simplify our edge of each other to jointly establish a shared secret security proofs. Generally, the set R together with the key over an insecure communications channel. This parameter pair (n,q) is called a fuzzy vault. established shared secret key can then be used in a symmetric key algorithm. Unlocking Algorithm In practical applications, the multiplicative group F∗ Input : A fuzzy vault V comprising a parameter pair G is generally chosen to be multiplicative group p of (n,r,q) such that n ≤ r ≪ q and a set R of r points the Galois field Fp with p a large prime, and g is se- F∗ with their two coordinations in Fq. A query set lected to be a primitive element of p. To increase its t F security strength, we can set up the shared secret key B = {bi}i=1 with bi ∈ q. scheme on a (hyper)elliptic curve rational point group Output : An element k′ Fn S ‘null’ . ∈ q { } since the discrete logarithm problem is much harder 1. Q ← Ø; than the discrete logarithm problem in the multiplica- tive group of a Galois field. 2. For i = 1 to t do In this section, we will put out a novel fuzzy vault F • If there exists some yi ∈ q such that (bi,yi) ∈ scheme for secret key exchange based on the classical R, set Q ← QS{(bi,yi)}; fuzzy vault and a multiplicative group, here we denote • k′ ← ‘null’ if Q has less than n points; this scheme as FV-DH scheme. ′ • k ← RSDECODE(n,Q); We suppose that Alice and Bob want to establish a shared secret key for their future cryptographic uses 3. Output k′. by using their biometric features (such as fingerprint Suppose that V is created by Alice and Bob tries features, iris features, or other part features of their to unlock V to recover the secret key k, Bobhastouse bodies), then they agree on a finite multiplicative F∗ his set B to determine the codeword that encodes the group G = q with q a power of a large prime and secret key k to get a possible secret key k′. Since the a cyclic subgroup < g > of G with g an element of set A specifies the x-coordinates of “correct” points some large prime p order. Here, G, q, g and p are that lie on the polynomial P. Thus, if B is close to A, assumed to be public parameters. then B will identify a large majority of these “correct”

427 SECRYPT2012-InternationalConferenceonSecurityandCryptography

Locking Algorithm one of them wants to restore the shared key, he/she Input: A finite multiplicative group G = F∗ ; pos- can independently use his/her own fuzzy vault to q restore the possible shared sky k′ by the following itive integers n, s, t, rA and rB such that n ≤ “Unlocking Algorithm”. min{s,t}≤ s +t ≤ rA,rB ≪ q ; a cyclic subgroup < g > of order p. These parameters are made pub- lic. Unlocking Algorithm Input: A group G F∗ and a cyclic subgroup < Output: V = {R ,(p,g,n)} and V = = q A A B g > of order p; Alice and Bob’s biometric sets {RB,(p,g,n)} for Alice and Bob, respec- ′ ′ A′ = {a′}s and B′ = {b′ }t with a′, b′ ∈ G, re- tively. Where RA and RB are two sets that are i i=1 j j=1 i j respectively composed of much more than n spectively; Two sets VA = {RA,(p,g,n)} and VB = F∗ {R ,(p,g,n)} satisfying that n ≤ s′,t′ < s′ +t′ ≪ points with their coordinations in p. B q, and the all points of the sets RA and RB are in 1. X, R, RA, RB ← Ø; F∗ F∗ p × p. 2. Alice and Bob extract their private biometric fea- ′ F s t Output: An element k ∈ p S{‘null’}. tures A = {ai}i=1 and B = {b j} j=1, respectively; 1. QA, QB ← Ø; 3. Mapping all ai and b j into the numbers in {1,..., p − 1}. For convenience, they are still re- 2. If Alice wants to recover the shared key k, she does the following: spectively represented as ai and b j, and they are supposed to be different from each others. The (a) For i = 1 to s′ do corresponding sets are denoted as SA and SB, re- i. Convert her biometric set A′ into a subset of spectively; {1,..., p − 1} which is still denoted as A′ for 4. Alice randomly selects a select key a: 1 ≤ a ≤ convenience; ′ a α′ ai p − 1, computes g and sends it to Bob; ii. i ← g ; F α′ 5. Bob randomly selects a select key b:1 ≤ b ≤ p − iii. If there exists some y ∈ q such that ( i,y) ∈ 1, computes gb and sends it to Alice; RA, do ′ • (xi,yi) ← (α ,y); 6. Alice and Bob compute (gb)a and (ga)b, respec- i • QA ← QA S{(xi,yi)}. tively; ′ ′ iv. k ← ‘null if QA has less than n points; ab b a ba ab a b ′ 7. k ← g (Since (g ) = g = g = (g ) , k can v. k ← RSDECODE(n,QA) (that is, apply New- be regarded as the shared key of Alice and Bob); ton’s interpolation polynomial to get a possi- ′ 8. Alice and Bob, respectively, set P(x) ← k. That is, ble key k if QA has no less than n points. ); ′ k is block-encoded into the coefficients of a poly- vi. k ← null if QA has less than n points. F ′ nomial of degree n in p[x]; (b) k ← RSDECODE(n,QA) or ‘null’. 9. Alice does the following steps: 3. Similarly, Bob candothe same stepsas Alice does a to recover the possible shared key k′. (a) For i = 1,...,s, computes g i and set it to αi; ′ (b) For i = 1 to s do 4. Output k . • (xi,yi) ← (αi,P(αi)); The locking algorithm and unlocking algorithm • X ← X S {xi}; can be described as the following Figure 1 and Figure • R ← R S {(xi,yi)}; 2, respectively. Here the used biometrics are supposed to be the users’ fingerprints. (c) For i = s + 1 to rA do If Alice and Bob can provide their biometric sets x G X; • i ∈U \ A′ and B′ that sufficiently overlap A and B, respec- • X ← X S{xi}; tively. That is, if their biometric sets A′ and B′ con- • yi ∈U G\{P(xi)}; tain no less than n “correct” biometric features, then • RA ← R S {(xi,yi)}. they will recover their real shared key k successfully, 10. Bob does the similar steps to generate RB with t otherwise, they will fail. real points and rB −t chaff pints. Since the two users’ biometric features are not di- rectly stored in our novel fuzzy vault, any third party 11. Output V R , p,g,n and V A = { A ( )} B = (attacker) who plan to get the users’s features has to R , p,g,n respectively for Alice and Bob. { B ( )} solve the discrete logarithm problems on the multi- The VA and VB are the fuzzy vaults of the shared plicative group G. Therefore, if any third party (at- key k owned by Alice and Bob, respectively. If tacker) cannot solve the discrete logarithm problems,

428 ANovelFuzzyVaultSchemeforSecretKeyExchange

Alice Bob Compute a Compute b ga mod p gbmod p ’s Compute Compute Bob’s lc-encoded Block- Alice encoded Block- b a gb ga a b biometrics biometrics (g ) mod p (= k) (g ) mod p (= k) into Biometric Feature Set into Biometric Feature Set

A ={ai | i=1,...,s} B ={bi | i=1,...,t} P(x) P(x) Biometric Number Set Biometric Feature Set SA ={ai | ai+{1,..., p-1} SB={bj |bj+{1,...,p-1}

a a g i bj i b g Real Point Set Real Point Set j SA Q={(a , P ( a )) | a + g } SB Group Element Set A i i i Q={(b , P ( b ))| b + g } B j j j Biometric Feature Set gSA = {a + Gi | = 1,..., s } i gSB ={b + Gj | = 1,...,} t Chaff Point Set Chaff Point Set j Q'{(,= cdcd )| , + , d  Pc ()}( QA'{(,= cdcd Ai,,,, Ai )|Ai , Ai + qqAi , d ,  Pc ()} Ai , B BjBj,,,,Bj BjBj Bj qqBj Bj , Bj ,

Alice’s Fuzzy Vault for Secret Key Exchange Bob’s Fuzzy Vault for Secret Key Exchange

VAA={ Rpgn ,( , , )} with RQQ AAA = ' VBB={ Rpgn ,( , , )} with RQQ BBB = '

FigureFigure 1: FV-DH’s 1: FV-DH’s Locking locking Algorithm algorithm.

Alice

Alice’s Fuzzy Vault Query for Secret Key Exchange Biometrics VA= { R A ,( pgn , , )} þnullÿ Query Biometric Features Set (suppose that they are converted into the elements in {1,...,p-1}) ' ' No SA = { ai i | = 1,..., s '}

IfS ' is close toS orS ' nearly Query Point Set A A A ? overlapsS , then k¢ should be S ' ''a' '' ' A A i ' |Q |  n g ={|aii a = gaS , iA + } '' ' SA A equal to the real shared secret k QA ={(,)|aiii c a + g , $+) cG i } R A

Yes Using Reed-Solomon Decoding ' Algorithm to Convert (,n Q A ) ' Possible Shared Secret Key RSDECOD E (n , Q A ) into a possible secret k¢ k'+ G

Figure 2: FV-DH’sFigure 2: FV-DH unlocking’s Unlocking algorithm Algorithm (for (for Alice) Alice). he is unable to get enough biometric numbers to re- ects of Zhejiang Natural Science Foundations cover a possible real shared key. (No.R10900138) and The Key Laboratory of Infor- mation Assurance Technology (KJ-11-05).

4 CONCLUSIONS REFERENCES A novel fuzzy vault secret key exchange scheme based on fuzzy vault scheme for the secret key ex- Diffie, W. and Hellman, M. (1976). New directions in cryp- change is proposed in this work. The security of tography. IEEE Transactions on Information Theory, this fuzzy vault scheme is based on both the discrete 22:644–654. logarithm problem and the polynomial reconstruction Juels, A. and Sudan, M. (2002). A fuzzy vault scheme. In ISIT'02, International Symposium on Information problem. This fuzzy vault scheme is just a detailed Theory. IEEE Press. model but it will be simulated for fingerprints in our Juels, A. and Sudan, M. (2006). A fuzzy vault scheme. future work. In addition, similar to our method, a Designs, Codes, and Cryptography, 38:237–257. fuzzy vault scheme for the multiparty secret key ex- Sorger, U. K. (1993). A new reed-solomon code decod- change can also be set up. ing algorithm based on newton’s interpolation. IEEE Transactions on Information Theory, 39:358–365. Uludag, U., Pankanti, S., and Jain, A. K. (2005). Fuzzy vault for fingerprints. Lecture Notes in Computer Sci- ACKNOWLEDGEMENTS ence, 3546:310–319.

This work is partially supported by the Research Proj-

429