A Novel Fuzzy Vault Scheme for Secret Key Exchange
Lin You (1) and Jie Lu (2)
(1) Institute of Cryptography and Information Security, Hangzhou Dianzi University, Hangzhou 310018, China
(2) Zhejiang Wellcom Technology Co., Ltd, Hangzhou 310012, China
Keywords: Fuzzy Vault, Secret Key Exchange, Finite Group, Biometrics, Polynomial Interpolation.
Abstract:
Based on the classical fuzzy vault and the Diffie-Hellman key exchange scheme, a novel fuzzy vault scheme
for the secret key exchange is proposed. In this fuzzy vault scheme, the two users can respectively use their
biometric features to unlock the fuzzy vault to get their shared secret key without running the risk of disclosure
of their biometric features. The security of our scheme is based on the polynomial reconstruction problem and
the discrete logarithm problem in a given finite group.
1 INTRODUCTION
In a cryptosystem, one of the most important procedures is to securely store the secret key. Generally, the secret key is stored in the user's computer, a smart card or other storage media and protected by a password for access, but this runs the risk that the storage media are lost or stolen, or that the password falls to an exhaustive search attack. A better way is to use the user's biometric features as the access control measure, but the user's biometric feature or secret key may also be disclosed if his biometric template and key are stored separately. Therefore, to ensure their safety simultaneously, the user's biometric feature and secret key should be completely blended into one set of data. A classical solution is the fuzzy vault proposed by A. Juels and M. Sudan in 2002 (Juels and Sudan, 2002). In their fuzzy vault scheme, they used the user's unique set to blend his secret into a vault based on Reed-Solomon codes, and the user can recover his secret by providing a set that overlaps largely with the original set. Even if an attacker obtains the vault, he cannot obtain the user's secret or any information about the set.
The secret sharing scheme and the Diffie-Hellman key exchange scheme are key cryptographic protocols, and how to safely store the key shared between the users is also a thorny problem. Based on the idea of A. Juels and M. Sudan's fuzzy vault, a fuzzy vault scheme for the secret key exchange is proposed in this work. The security of this fuzzy vault scheme rests on both the discrete logarithm problem and on the users' biometric features not being illegally exposed.
In Section 2, the classical fuzzy vault scheme is introduced, and our novel fuzzy vault scheme for the secret key exchange is proposed in Section 3. Finally, some conclusions are presented in Section 4.
2 THE CLASSICAL FUZZY VAULT SCHEME
Essentially, the classical fuzzy vault is a scheme for the secure protection of one's secret (value or key) by the use of some private message set, which generally comes from his unique biometrics. A fuzzy vault is composed of two algorithms, one called the 'Locking Algorithm' and the other the 'Unlocking Algorithm'. The security of this scheme is based on the polynomial reconstruction problem.
A fuzzy vault scheme includes two public parameters: one is a finite field F_q with q a power of a prime, and the other is a Reed-Solomon decoding algorithm (denoted RS_DECODE for short). The best practical choice for RS_DECODE is the Reed-Solomon decoding algorithm based on Newton's interpolation (Sorger, 1993). The following two algorithms for the fuzzy vault scheme come originally from the revised work of A. Juels and M. Sudan (Juels and Sudan, 2006), except for some minor changes.
[Published as: You L. and Lu J. A Novel Fuzzy Vault Scheme for Secret Key Exchange. In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 426-429. DOI: 10.5220/0004125404260429. ISBN: 978-989-8565-24-2. Copyright © 2012 SCITEPRESS (Science and Technology Publications, Lda.)]

Locking Algorithm
Input: Parameters n, t, and r such that n ≤ t ≤ r ≤ q, a pre-selected secret key k ∈ F_q^n, and a set A = {a_i}_{i=1}^t with the a_i ∈ F_q being distinct.
Output: A fuzzy vault V = {R, (n, r, q)} with R a set of points {(x_i, y_i)}_{i=1}^r such that x_i, y_i ∈ F_q and all x_i are distinct.
1. X, R, V ← Ø;
2. P ← k, that is, k is block-encoded into the coefficients of a polynomial of degree n in F_q;
3. For i = 1 to t do
     (x_i, y_i) ← (a_i, P(a_i));
     X ← X ∪ {x_i};
     R ← R ∪ {(x_i, y_i)};
   For i = t + 1 to r do
     x_i ←_U F_q \ X (chosen uniformly at random);
     X ← X ∪ {x_i};
     y_i ←_U F_q \ {P(x_i)};
     R ← R ∪ {(x_i, y_i)}.
4. Output R or V = {R, (n, r, q)}.
In order not to leak information about the order in which the x_i are chosen, the set R should be output in a pre-determined order, e.g., the points in R may be arranged in order of ascending x-coordinates, or else in a random order. Note that the chaff points in the locking algorithm should be selected so as to intersect neither the set A nor the polynomial P. This is for technical reasons, namely to simplify our security proofs. Generally, the set R together with the parameter pair (n, q) is called a fuzzy vault.
Unlocking Algorithm
Input: A fuzzy vault V comprising a parameter triple (n, r, q) such that n ≤ r ≤ q and a set R of r points with both coordinates in F_q; a query set B = {b_i}_{i=1}^t with b_i ∈ F_q.
Output: An element k′ ∈ F_q^n ∪ {'null'}.
1. Q ← Ø;
2. For i = 1 to t do
     If there exists some y_i ∈ F_q such that (b_i, y_i) ∈ R, set Q ← Q ∪ {(b_i, y_i)};
   k′ ← 'null' if Q has fewer than n points;
   k′ ← RS_DECODE(n, Q) otherwise;
3. Output k′.
Suppose that V is created by Alice and Bob tries to unlock V to recover the secret key k. Bob has to use his set B to determine the codeword that encodes the secret key k, obtaining a possible secret key k′. The set A specifies the x-coordinates of the "correct" points that lie on the polynomial P. Thus, if B is close to A, then B will identify a large majority of these "correct" points. Any divergence between B and A will introduce a certain amount of error. Provided that there is sufficient overlap, however, this noise may be removed by means of a Reed-Solomon decoding algorithm.
The most convenient and unique features of a user are his biometric features, such as fingerprint features, iris features, retinal features, etc. In 2005, U. Uludag et al. (Uludag et al., 2005) proposed a fingerprint-based fuzzy vault. One can also use other biometric features to construct fuzzy vault schemes.
3 A NOVEL FUZZY VAULT SCHEME FOR A SECRET KEY EXCHANGE
The most popular and classical secret key exchange scheme is the Diffie-Hellman key exchange scheme (Diffie and Hellman, 1976), which is a specific method for exchanging secret keys between two parties, and it is one of the earliest practical examples of a secret key exchange scheme implemented within the field of cryptography. The Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This established shared secret key can then be used in a symmetric key algorithm.
In practical applications, the multiplicative group G is generally chosen to be the multiplicative group F_p^* of the Galois field F_p with p a large prime, and g is selected to be a primitive element of F_p^*. To increase its security strength, we can set up the shared secret key scheme on a (hyper)elliptic curve rational point group, since the discrete logarithm problem there is much harder than the discrete logarithm problem in the multiplicative group of a Galois field.
In this section, we present a novel fuzzy vault scheme for secret key exchange based on the classical fuzzy vault and a multiplicative group; here we denote this scheme as the FV-DH scheme.
We suppose that Alice and Bob want to establish a shared secret key for their future cryptographic uses by using their biometric features (such as fingerprint features, iris features, or features of other parts of their bodies). They agree on a finite multiplicative group G = F_q^* with q a power of a large prime and a cyclic subgroup <g> of G with g an element of some large prime order p. Here, G, q, g and p are assumed to be public parameters.
ANovelFuzzyVaultSchemeforSecretKeyExchange
427
Locking Algorithm
Input: A finite multiplicative group G = F_q^*; positive integers n, s, t, r_A and r_B such that n ≤ min{s, t} ≤ s + t ≤ r_A, r_B ≤ q; a cyclic subgroup <g> of order p. These parameters are made public.
Output: V_A = {R_A, (p, g, n)} and V_B = {R_B, (p, g, n)} for Alice and Bob, respectively, where R_A and R_B are two sets respectively composed of many more than n points with their coordinates in F_p.
1. X, R, R_A, R_B ← Ø;
2. Alice and Bob extract their private biometric features A = {a_i}_{i=1}^s and B = {b_j}_{j=1}^t, respectively;
3. Map all a_i and b_j into numbers in {1, ..., p − 1}. For convenience, they are still respectively represented as a_i and b_j, and they are supposed to be different from each other. The corresponding sets are denoted S_A and S_B, respectively;
4. Alice randomly selects a secret key a with 1 ≤ a ≤ p − 1, computes g^a and sends it to Bob;
5. Bob randomly selects a secret key b with 1 ≤ b ≤ p − 1, computes g^b and sends it to Alice;
6. Alice and Bob compute (g^b)^a and (g^a)^b, respectively;
7. k ← g^{ab} (since (g^b)^a = g^{ba} = g^{ab} = (g^a)^b, k can be regarded as the shared key of Alice and Bob);
8. Alice and Bob, respectively, set P(x) ← k. That is, k is block-encoded into the coefficients of a polynomial of degree n in F_p[x];
9. Alice does the following steps:
   (a) For i = 1, ..., s, compute g^{a_i} and set α_i ← g^{a_i};
   (b) For i = 1 to s do
         (x_i, y_i) ← (α_i, P(α_i));
         X ← X ∪ {x_i};
         R ← R ∪ {(x_i, y_i)};
   (c) For i = s + 1 to r_A do
         x_i ←_U G \ X (chosen uniformly at random);
         X ← X ∪ {x_i};
         y_i ←_U G \ {P(x_i)};
         R_A ← R ∪ {(x_i, y_i)}.
10. Bob does the similar steps to generate R_B with t real points and r_B − t chaff points.
11. Output V_A = {R_A, (p, g, n)} and V_B = {R_B, (p, g, n)} respectively for Alice and Bob.
V_A and V_B are the fuzzy vaults of the shared key k owned by Alice and Bob, respectively. If one of them wants to restore the shared key, he/she can independently use his/her own fuzzy vault to restore the possible shared key k′ by the following "Unlocking Algorithm".
Unlocking Algorithm
Input: A group G = F_q^* and a cyclic subgroup <g> of order p; Alice's and Bob's biometric sets A′ = {a′_i}_{i=1}^{s′} and B′ = {b′_j}_{j=1}^{t′} with a′_i, b′_j ∈ G, respectively; two sets V_A = {R_A, (p, g, n)} and V_B = {R_B, (p, g, n)} satisfying n ≤ s′, t′ < s′ + t′ ≤ q, with all points of the sets R_A and R_B in F_p × F_p.
Output: An element k′ ∈ F_p ∪ {'null'}.
1. Q_A, Q_B ← Ø;
2. If Alice wants to recover the shared key k, she does the following:
   (a) Convert her biometric set A′ into a subset of {1, ..., p − 1}, still denoted A′ for convenience;
   (b) For i = 1 to s′ do
         i. α′_i ← g^{a′_i};
         ii. If there exists some y ∈ F_q such that (α′_i, y) ∈ R_A, do
               (x_i, y_i) ← (α′_i, y);
               Q_A ← Q_A ∪ {(x_i, y_i)}.
   (c) k′ ← 'null' if Q_A has fewer than n points; otherwise k′ ← RS_DECODE(n, Q_A) (that is, apply Newton's interpolation polynomial to get a possible key k′ when Q_A has no fewer than n points).
3. Similarly, Bob can do the same steps as Alice does to recover the possible shared key k′.
4. Output k′.
The locking algorithm and the unlocking algorithm are depicted in Figure 1 and Figure 2, respectively. Here the biometrics used are supposed to be the users' fingerprints.
If Alice and Bob can provide biometric sets A′ and B′ that sufficiently overlap A and B, respectively, that is, if their biometric sets A′ and B′ contain no fewer than n "correct" biometric features, then they will recover their real shared key k successfully; otherwise, they will fail.
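The FV-DH locking and unlocking algorithms above, which reduce to the classical vault of Section 2 when the exponentiation step is dropped, as an added Python example that is not part of the paper: it assumes G = F_p^* with the Mersenne prime p = 2^31 − 1 and primitive root g = 7 (the "practical choice" of the previous section, at toy size), n = 4 coefficients with k block-encoded one byte per coefficient, and a brute-force consistency search standing in for Sorger's RS_DECODE; the biometric feature numbers are constructed integers.

```python
import random
from itertools import combinations

# Constructed toy parameters: G = F_p^* with p = 2^31 - 1 and primitive root g = 7; the paper's n
# is taken as N_COEF coefficients (assumption: the 32-bit k is block-encoded one byte per coefficient).
P_MOD, G_GEN, N_COEF = 2**31 - 1, 7, 4

def eval_poly(coefs, x):            # P(x) = sum(c_i x^i) over F_p by Horner's rule
    acc = 0
    for c in reversed(coefs):
        acc = (acc * x + c) % P_MOD
    return acc

def interpolate(points):            # Lagrange interpolation over F_p: the core of RS_DECODE
    coefs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1       # prod_{j != i} (x - x_j) / (x_i - x_j)
        for j, (xj, _) in enumerate(points):
            if j != i:
                new = [0] * (len(basis) + 1)
                for t, c in enumerate(basis):
                    new[t] = (new[t] - xj * c) % P_MOD
                    new[t + 1] = (new[t + 1] + c) % P_MOD
                basis, denom = new, denom * (xi - xj) % P_MOD
        scale = yi * pow(denom, -1, P_MOD) % P_MOD
        coefs = [(c0 + scale * c) % P_MOD for c0, c in zip(coefs, basis)]
    return coefs

def shared_key(my_secret, their_public):   # steps 4-7: k = (g^b)^a = g^ab on either side
    return pow(their_public, my_secret, P_MOD)

def lock(k, features, chaff):       # steps 8-9: P <- k, real points at x = g^{a_i}, then chaff
    coefs = list(k.to_bytes(N_COEF, "big"))
    table = {x: eval_poly(coefs, x) for x in (pow(G_GEN, a, P_MOD) for a in features)}
    while len(table) < len(features) + chaff:           # the a_i themselves are never stored
        x, y = random.randrange(1, P_MOD), random.randrange(P_MOD)
        if x not in table and y != eval_poly(coefs, x): # chaff meets neither S_A nor P
            table[x] = y
    vault = list(table.items())
    random.shuffle(vault)                               # do not leak the insertion order
    return vault

def unlock(vault, query):           # match g^{a'_i} against R_A, then decode or return 'null'
    table = dict(vault)
    q_pts = [(x, table[x]) for x in {pow(G_GEN, a, P_MOD) for a in query} if x in table]
    for subset in combinations(q_pts, N_COEF):          # empty when fewer than n matches;
        coefs = interpolate(list(subset))               # otherwise brute-force RS decoding:
        if max(coefs) < 256 and all(eval_poly(coefs, x) == y for x, y in q_pts):
            return int.from_bytes(bytes(coefs), "big")  # the polynomial agreeing with all matches
    return None
```

A query that shares at least n feature numbers with the enrolled set recovers k; one with fewer matches yields 'null', and the vault itself holds only group elements g^{a_i}, not the feature numbers.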
Since the two users' biometric features are not directly stored in our novel fuzzy vault, any third party (attacker) who plans to obtain the users' features has to solve discrete logarithm problems in the multiplicative group G. Therefore, if the third party (attacker) cannot solve the discrete logarithm problems, he is unable to get enough biometric numbers to recover a possible real shared key.

Figure 1: FV-DH's locking algorithm. (Boxes in the figure: Alice's biometric number set S_A = {a_i | a_i ∈ {1, ..., p − 1}} and Bob's S_B = {b_j | b_j ∈ {1, ..., p − 1}}; the group element sets {g^{a_i} ∈ G | i = 1, ..., s} and {g^{b_j} ∈ G | j = 1, ..., t}; the exchanged values g^a mod p and g^b mod p, with k = (g^b)^a mod p = (g^a)^b mod p block-encoded into P(x); the real point sets Q_A = {(g^{a_i}, P(g^{a_i}))} and Q_B = {(g^{b_j}, P(g^{b_j}))}; the chaff point sets Q′_A = {(c_{A,i}, d_{A,i}) | c_{A,i}, d_{A,i} ∈ F_q, d_{A,i} ≠ P(c_{A,i})} and Q′_B defined likewise; and the vaults V_A = {R_A, (p, g, n)} with R_A = Q_A ∪ Q′_A and V_B = {R_B, (p, g, n)} with R_B = Q_B ∪ Q′_B.)

Figure 2: FV-DH's unlocking algorithm (for Alice). (Boxes in the figure: the query biometric feature set S′_A = {a′_i | i = 1, ..., s′}, converted into elements of {1, ..., p − 1}; the group elements {α′_i = g^{a′_i} | a′_i ∈ S′_A}; the query point set Q′_A = {(α′_i, c) | c ∈ G, (α′_i, c) ∈ R_A} ⊂ R_A; the test |Q′_A| ≥ n, giving 'null' on "No" and RS_DECODE(n, Q′_A) on "Yes", i.e. a possible shared secret key k′ ∈ G. If S′_A is close to or nearly overlaps S_A, then k′ should be equal to the real shared secret k.)
4 CONCLUSIONS
A novel fuzzy vault scheme for the secret key exchange is proposed in this work. The security of this fuzzy vault scheme is based on both the discrete logarithm problem and the polynomial reconstruction problem. This fuzzy vault scheme is only a detailed model so far, but it will be simulated for fingerprints in our future work. In addition, similar to our method, a fuzzy vault scheme for the multiparty secret key exchange can also be set up.
ACKNOWLEDGEMENTS
This work is partially supported by the Research Projects of Zhejiang Natural Science Foundations (No.R10900138) and The Key Laboratory of Information Assurance Technology (KJ-11-05).
REFERENCES
Diffie, W. and Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654.
Juels, A. and Sudan, M. (2002). A fuzzy vault scheme. In ISIT'02, International Symposium on Information Theory. IEEE Press.
Juels, A. and Sudan, M. (2006). A fuzzy vault scheme. Designs, Codes, and Cryptography, 38:237–257.
Sorger, U. K. (1993). A new Reed-Solomon code decoding algorithm based on Newton's interpolation. IEEE Transactions on Information Theory, 39:358–365.
Uludag, U., Pankanti, S., and Jain, A. K. (2005). Fuzzy vault for fingerprints. Lecture Notes in Computer Science, 3546:310–319.
ANovelFuzzyVaultSchemeforSecretKeyExchange
429