T Tanya Ignatenko

Biometric Systems: Privacy and Secrecy Aspects

This paper addresses privacy leakage in biometric secrecy systems. Four settings are investigated. The first one is the standard Ahlswede-Csiszar secret-generation setting in which two terminals observe two correlated sequences. They form a common secret by interchanging a public message. This message should only contain a negligible amount of information about the secret, but here, in addition, we require it to leak as little information as possible about the biometric data. For this first case, the fundamental tradeoff between secret-key and privacy-leakage rates is determined. Also for the second setting, in which the secret is not generated but independently chosen, the fundamental secret-key versus privacy-leakage rate balance is found. Settings three and four focus on zero-leakage systems. Here the public message should only contain a negligible amount of information on both the secret and the biometric sequence. To achieve this, a private key is needed, which can only be observed by the terminals. For both the generated-secret and the chosen-secret model, the regions of achievable secret-key versus private-key rate pairs are determined. For all four settings, the fundamental balance is determined for both unconditional and conditional privacy leakage.

Information Leakage in Fuzzy Commitment Schemes

In 1999, Juels and Wattenberg introduced the fuzzy commitment scheme. This scheme is a particular realization of a binary biometric secrecy system with chosen secret keys. It became a popular technique for designing biometric secrecy systems, since it is convenient and easy to implement using standard error-correcting codes. This paper investigates privacy- and secrecy-leakage in fuzzy commitment schemes. The analysis is carried out for four cases of biometric data statistics, i.e., memoryless totally symmetric, memoryless input-symmetric, memoryless, and stationary ergodic. First, the achievable regions are determined for the cases when data statistics are memoryless totally symmetric and memoryless input-symmetric. For the general memoryless and stationary ergodic cases, only outer bounds for the achievable rate-leakage regions are provided. These bounds, however, are sharpened for systematic parity-check codes. Given the achievable regions (bounds), the optimality of fuzzy commitment is assessed. The analysis shows that fuzzy commitment is only optimal for the memoryless totally symmetric case if the scheme operates at the maximum secret-key rate. Moreover, it is demonstrated that for the general memoryless and stationary ergodic cases, the scheme leaks information on both the secret and biometric data.

Estimating the Secrecy-Rate of Physical Unclonable Functions with the Context-Tree Weighting Method

We propose methods to estimate the secrecy-rate of fuzzy sources (e.g. biometrics and physical unclonable functions (PUFs)) using context-tree weighting. In this paper we focus on PUFs. In order to show that our estimates are realistic we first generalize Maurers (1993) result to the ergodic case. Then we focus on the fact that the entropy of a stationary two-dimensional structure is a limit of a series of conditional entropies, a result by Anastassiou and Sakrison (1982). We extend this result to the conditional entropy of one two-dimensional structure given another one. Finally we show that the general CTW-method approaches the source entropy also in the two-dimensional stationary case. We further extend this result to the two-dimensional conditional entropy. Based on the obtained results we do several measurements on (our) optical PUFs. These measurements allow us to conclude that a secrecy-rate of 0.3 bit/location is possible

Privacy protected biometric templates: acoustic ear identification

Unique Biometric Identifiers offer a very convenient way for human identification and authentication. In contrast to passwords they have hence the advantage that they can not be forgotten or lost. In order to set-up a biometric identification/authentication system, reference data have to be stored in a central database. As biometric identifiers are unique for a human being, the derived templates comprise unique, sensitive and therefore private information about a person. This is why many people are reluctant to accept a system based on biometric identification. Consequently, the stored templates have to be handled with care and protected against misuse [1, 2, 3, 4, 5, 6]. It is clear that techniques from cryptography can be used to achieve privacy. However, as biometric data are noisy, and cryptographic functions are by construction very sensitive to small changes in their input, and hence one can not apply those crypto techniques straightforwardly. In this paper we show the feasibility of the techniques developed in [5], [6] by applying them to experimental biometric data. As biometric identifier we have choosen the shape of the inner ear-canal, which is obtained by measuring the headphone-to-ear-canal Transfer Functions (HpTFs) which are known to be person dependent [7].

Privacy leakage in biometric secrecy systems

Motivated by Maurer [1993], Ahlswede and Csiszar [1993] introduced the concept of secret sharing. In their source model two terminals observe two correlated sequences. It is the objective of both terminals to form a common secret by interchanging a public message (helper data), that should contain only a negligible amount of information about the secret. Ahlswede and Csiszar showed that the maximum secret key rate that can be achieved in this way is equal to the mutual information between the two source outputs. In a biometric setting, where the sequences correspond to the enrollment and authentication data, it is crucial that the public message leaks as little information as possible about the biometric data, since compromised biometric data cannot be replaced. We investigate the fundamental trade-offs for four biometric settings. The first one is the standard (Ahlswede-Csiszar) secret generation setting, for which we determine the secret key rate - privacy leakage region. Here leakage corresponds to the mutual information between helper data and biometric enrollment sequence conditional on the secret. In the second setting the secret is not generated by the terminals but independently chosen, and transmitted using a public message. Again we determine the region of achievable rate - leakage pairs. In setting three and four we consider zero-leakage, i.e. the public message contains only a negligible amount of information about the secret and the biometric enrollment sequence. To achieve this a private key is needed which can be observed only by the terminals. We consider again both secret generation and secret transmission and determine for both cases the region of achievable secret key rate - private key rate pairs.

Biometric Security from an Information-Theoretical Perspective

The issue of biometric security has become a major research area recently. While systems based on iris-recognition, DNA analysis and fingerprinting are being deployed, there are instances where these alone cannot provide fool-proof security. Biometric Security from an Information-Theoretical Perspective provides an overview of the state-of-the-art of biometric security systems. Using information theoretic techniques it discusses some of the most promising methods to provide practical, but safe, systems. Biometric Security from an Information-Theoretical Perspective studies a number of problems related to the design of biometric secrecy systems for both authentication and identification. First, it reviews the problem of secret sharing in order to set theoretical grounds for the subsequent discussion of secret-key rates and privacy leakage in biometric secrecy systems. Biometric authentication systems are discussed in depth using discrete and Gaussian biometric sources, before describing biometric identification techniques in detail. Since biometric data are typically used for both identification and authentication purposes, the trade-off between identification, secret-key and privacy-leakage rates are determined. Finally, practical considerations are treated. The realization of binary biometric authentication systems with chosen secret keys, called fuzzy commitment, is analyzed. The monograph concludes by investigating how binary quantization of biometric sequences influences the performance of biometric secrecy systems with respect to secret-key rates and privacy leakage. Biometric Security from an Information-Theoretical Perspective is an in-depth review of the topic, which gives the reader an excellent starting point for further research.

Achieving Secure Fuzzy Commitment Scheme for Optical PUFs

Home security surveillance systems, using stable and fully equipped monitors, may reduce losses caused by burglary and increase home safety. In this paper, we present the implementation of a quick and cost-effective wireless connected home security surveillance system using Lego Mindstorms NXT robot tool kit and JAVA language. The system implemented uses Bluetooth protocol to record data monitored.

Secure Key Storage with PUFs

Nowadays, people carry around devices (cell phones, PDAs, bank passes, etc.) that have a high value. That value is often contained in the data stored in it or lies in the services the device can grant access to (by using secret identification information stored in it). These devices often operate in hostile environments and their protection level is not adequate to deal with that situation. Bank passes and credit cards contain a magnetic stripe where identification information is stored. In the case of bank passes, a PIN is additionally required to withdraw money from an ATM (Automated Teller Machine). At various occasions, it has been shown that by placing a small coil in the reader, the magnetic information stored in the stripe can easily be copied and used to produce a cloned card. Together with eavesdropping the PIN (by listening to the keypad or recording it with a camera), an attacker can easily impersonate the legitimate owner of the bank pass by using the cloned card in combination with the eavesdropped PIN.

On Privacy in Secure Biometric Authentication Systems

We focus here on two secure biometric systems (a common randomness based scheme and a fuzzy commitment scheme) and discuss their privacy preserving properties. We derive bounds on the privacy leakage in these schemes. We also show the relation between employed error-correction and leakage on biometric information, and between privacy and security for the fuzzy commitment scheme.

Quantization effects in biometric systems

The fundamental secret-key rate vs. privacy-leakage rate trade-offs for secret-key generation and transmission for i.i.d. Gaussian biometric sources are determined. These results are the Gaussian equivalents of the results that were obtained for the discrete case by the authors and independently by Lai et al. in 2008. Also the effect that binary quantization of the biometric sequences has on the ratio of the secret-key rate and privacy-leakage rate is considered. It is shown that the squared correlation coefficient must be increased by a factor of π2/4 to compensate for such a quantization action, for values of the privacy-leakage rate that approach zero, when the correlation coefficient is close to zero.