Security of the Improved Fuzzy Vault Scheme in the Presence of Record Multiplicity (Full Version)

Dodis et al. proposed an improved version of the fuzzy vault scheme, one of the most popular primitives used in biometric cryptosystems, requiring less storage and leaking less information. Recently, Blanton and Aliasgari have shown that the relation of two improved fuzzy vault records of the same individual may be determined by solving a system of non-linear equations. However, they conjectured that this is feasible for small parameters only. In this paper, we present a new attack against the improved fuzzy vault scheme based on the extended Euclidean algorithm that determines if two records are related and recovers the elements by which the protected features, e.g., the biometric templates, differ. Our theoretical and empirical analysis demonstrates that the attack is very effective and efficient for practical parameters. Furthermore, we show how this attack can be extended to fully recover both feature sets from related vault records much more efficiently than possible by attacking each record individually. We complement this work by deriving lower bounds for record multiplicity attacks and use these to show that our attack is asymptotically optimal in an information theoretic sense. Finally, we propose remedies to harden the scheme against record multiplicity attacks.
