We describe an identity based signature scheme that uses biometric information to construct the public key.  Such a scheme would be beneficial in a legal dispute over whether a contract had been signed or not by a user. A biometric reading provided by the alleged  signer would be enough to verify the signature. We make use of Fuzzy extractors to generate a key string from a biometric measurement. We use this biometric based key string and an elliptic curve point embedding technique to create the public key and corresponding private key. We then make use of a pairing based signature scheme to perform signing and verification with these keys. We describe a possible attack on this system and suggest ways to combat it. Finally we describe how such a biometric signature scheme can be developed by reusing existing components in our Java Identity Based Encryption implementation. The design allows traditional as well as biometric identity based signatures

Adam Duffy

Andrew Burnett

Tom Dowling

Cryptology ePrint Archive

A Biometric Identity Based Signature SchemeAndrew Burnett Adam DuffyCrypto GroupComputer Science Dept.NUI MaynoothCo. Kildare, Irelande-mail: cryptogrp@cs.may.ieTom DowlingAbstractWe describe an identity based signature scheme that uses biometric information to construct thepublic key. Such a scheme would be beneficial in a legal dispute over whether a contract had been signedor not by a user. A biometric reading provided by the alleged signer would be enough to verify thesignature. We make use of Fuzzy extractors [7] to generate a key string from a biometric measurement.We use this biometric based key string and an elliptic curve point embedding technique [13] to createthe public key and corresponding private key. We then make use of a pairing based signature scheme [5]to perform signing and verification with these keys. We describe a possible attack on this system andsuggest ways to combat it. Finally we describe how such a biometric signature scheme can be developedby reusing existing components in our Java Identity Based Encryption implementation. The designallows traditional as well as biometric identity based signatures. [8].1 IntroductionIn this paper we present a biometric identity based signature scheme (BIO-IBS). Traditional public keycryptosystems use very long integers, typically 2048 bits, as public keys. These systems rely on digitalcertificates to connect an identity like a person or a machine to a public key. Identity based systems havethe advantage that a public key is the identity, usually an arbitrary string like an email address. In our casewe use a biometric measurement of an individual. Using biometrics does however create a problem withvariation due to biometric identities changing over time. We discuss how to overcome this problem below.One of the key uses of signature schemes is in the area of non-repudiation of documents. Our scheme isparticularly useful in this area as biometric measurements such as fingerprints are long established evidentialtools [14].Consider the following situation: A user signs a contract using BIO-IBS and later a dispute developsabout the signature on the contract. The user only needs to present their biometric measurement to anarbitrator to determine the validity of the signature. As the biometric measurement is used as a public keyhere there is no need to worry about the biometric measurement being compromised [15]. Also a trainedarbitrator can detect attempts to deny signing such as using a film containing another user’s print on averifier’s finger [14]. The paper is organized as follows. In section 2 we briefly outline the basics of ellipticcurves over finite fields. In section 3 we give an overview of the process of turning biometric data into keystrings. Section 4 will discuss how the key string is converted into a key pair for use in the signature scheme.Section 5 will give an overview of the BLS identity based signature scheme using the key pair generatedfrom the biometric data. Section 6 outlines a possible attack on the system and suggests countermeasures.Section 7 will outline design issues involved in incorporating BIO-IBS into our existing Java Identity Basedencryption system. Finally, we will discuss conclusions and future work.2 Elliptic curve backgroundWe use the symbol ⊕ to denote bitwise exclusive or, XOR. We define the finite field Fp = {0, 1, 2, 3, . . . , p−2, p− 1}. We define the finite extension field F2p = {a + ib} where a, b ∈ Fp and i =√−1. The inverse of aninteger, a, in the finite field Fp is denoted by a−1 and defined by a ∗a−1 = 1 mod p. The concept of divisionin finite fields is equivalent to multiplication by an inverse i.e. a÷ b mod p ≡ a ∗ b−1 mod p.The basic units for elliptic curve arithmetic are points (x, y) on an elliptic curve, E, over a finite field,Fp, denoted E(Fp), of the formy2 = x3 + ax + b with x, y, a, b ∈ Fp .We define abstract concepts of addition, P + Q, and scalar multiplication by an integer, sQ, on the pointsof E(Fp). We also define a special point at infinity, ∞. These operations combine to make E(Fp) a finiteAbelian group. Details of how these concepts are implemented appear in [1, 13]. The order of a point P isdefined to be the smallest integer n such that nP = ∞. We let E(Fp)[q] be the subgroup of E(Fp) consistingof points of order q. We let µ(q) = {a ∈ F2p | aq = 1}.Fundamental to identity based systems is the concept of a bilinear mapping. An example of such a mappingis the Tate pairing,τq : E(Fp)[q]× E(F2p)/qE(F2p) → µ(q).A computationally efficient approach to evaluating the Tate pairing appears in [17]. A very useful propertyof the Tate pairing is bilinearity,τq(xP, yQ) = τq(P,Q)xy for any points P,Q and for any integers x, y.Identity Based systems make heavy use of these operations and mappings.3 Generating Key data from BiometricsUsing biometric data as a basis for cryptographic keys is problematic as biometric measurement is notperfectly reproducible. Recent work by Dodis [7] demonstrates how such data can be used to generatestrong keys for any kind of cryptographic application. They use the notion of a fuzzy extractor to describethe process of extracting a random string U from a biometric input b, in such a way that a certain amountof error is allowed for. If the input changes slightly to b′ then the extracted U will be the same. To enablethe recovery of U from b′ the fuzzy extractor also outputs a public string V . The extractor is structuredin such a way that the public value V does not leak any information about U . Dodis [7] describe threemetrics to measure the variation in the biometric reading: Hamming Distance, Set Difference and EditDistance. They then detail the construction of fuzzy extractors using these metrics. Hamming Distanceis defined to be the number of bit positions that differ between b and b′ and is probably the most naturaland straightforward metric to work with, although the other metrics may be more efficient for particularbiometrics and applications.The fuzzy extractor construction using the Hamming Distance metric is based on previous work on afuzzy commitment scheme in [11]. We now give a simplified outline of how such an extractor is constructed.A comprehensive account appears in [7, 11] more on the other metrics can be found in [7, 12, 6].First we give the formal definition of a fuzzy extractor. Let M be a finite dimensional metric spaceconsisting of biometric data points, with a distance function dis: M ×M → Z+, which calculates thedistance between two points based on the metric chosen. Also, let l be the number of bits of the extractedoutput string U and t be the error threshold (i.e. for two points b, b′ ∈ M to be classed as the samedis(b, b′) ≤ t ). An (M, l, t)-fuzzy extractor is constructed using two functions Gen and Rep. Gen is aprobabilistic generation procedure, which on input b ∈ M outputs an “extracted” string U ∈ {0, 1}l andpublic string V . Rep is a deterministic reproduction procedure allowing recovery of U from the correspondingpublic string V and any b′ sufficiently close to b. To clarify∀ b, b′ ∈M with dis(b, b′) ≤ t, if Gen(b) → 〈U, V 〉, then Rep(b′, V ) → U.We now outline the construction of a fuzzy extractor for the space M = {0, 1}n under the HammingDistance metric. We define C to be a binary error-correcting code of k-bit binary string codewords with anencoding function Ce : M → {0, 1}k and a decoding function Cd : {0, 1}k → M. Then Gen(b) produces arandom U ∈ {0, 1}l and V = b ⊕ Ce(U). The equivalent Rep(b′, V ) function returns Cd(V ⊕ b′) which isequal to U if and only if dis(b, b′) ≤ t.Both of the values output from the Gen function U and V are passed to the key generation phase, whichis dealt with in the next section.4 Key Pair GenerationThis section details how the biometric data is used in the generation of a key pair for use in an IBS schemesuch as the BLS Short Signature Scheme [5]. First we show how the biometric is embedded onto a point onthe elliptic curve. Then, we show how that point is used as part of the key pair generation for the signaturescheme.The “extracted” string, U , has to be embedded onto a point P on the elliptic curve E(Fp). This requiresthe use of a hash function H1 : {0, 1}∗ → G∗1 where G1 is a subgroup of the points on an elliptic curve. Ratherthan hash directly onto G∗1 we use a standard hash function, H, i.e. Secure Hash Algorithm 1 (SHA-1), tohash to a set A ⊆ {0, 1}∗ . Then we use a deterministic encoding function, g, to map A onto G∗1 so thatH1(U) = g(H(U)). See [3] for more details.Various algorithms exist to embed onto a point on the curve. We use the algorithm by Koblitz [13, §6.2],as we were using the curve of the form y2 = x3 + x. Boneh and Franklin [3, §4.3] detail a simpler methodfor embedding points on curves of the form y2 = x3 + 1 which is suitable for Weil Pairing.With this, we can generate Pb = g(H(U)) and Ps = xPb where x is a randomly generated secret key inF ∗p . The variable Pb is the point corresponding to the biometric input. The key pair consists of the privatekey x and the public key Ps.The techniques given here can be applied to key pair generation for other IBS schemes including BlindSignature Scheme [2], Multisignature Scheme [2], Aggregate Signature [4], Bilinear Verifiably EncryptedSignature [4], ID-Based Blind Signature Scheme [18] and ID-Based Signature from Pairing [10] among others.A summary of each of these schemes can be found in the survey by Dutta et al [9].5 Incorporating into an Identity Based Signature schemeAn overview of the BLS Short Signature Scheme is given in this section. This scheme was proposed byBoneh, Lynn and Shacham [5] and consists of three stages. The first stage is the Key Generation stage. Thisstage was discussed above and should result in a point Pb and a key pair (Ps, x).The second stage is the Signing stage. Given the secret key x ∈ F ∗p and a message m ∈ {0, 1}∗ thesignature can be computed by σ = xg(H(m)). The security of the scheme depends on keeping x a secret.The third and final stage is the Verification stage. The verifier uses V and biometric input b′ to recalculatePb by reproducing U = Rep(b′, V ) and calculating Pb = g(H(U)). The verifier has the signature σ, themessage m and the public key Ps. Note that the signer’s secret key x is not needed for verification. Thesignature is verified ifτq(Pb, σ) = τq(Ps, g(H(m)))since, using the bilinearity of the Tate pairing,τq(Pb, σ) = τq(Pb, xg(H(m)))= τq(Pb, g(H(m)))x= τq(xPb, g(H(m)))= τq(Ps, g(H(m)))Figure 1: Fuzzy Extractor Class Model6 A Possible AttackHere we describe a possible attack to the scheme and identify ways of preventing it.It is possible for an attacker to imitate a signer by obtaining a copy of their biometric data. For example,see [16] for methods of duplicating fingerprints. After obtaining a copy of the signer’s biometric data, theattacker can sign a forged message that will appear genuine on verification by the signer.To prevent this attack, genuine messages can be signed in the presence of a trusted witness. Alternatively,signers can utilise a digital certificate obtained from a trusted certificate authority. The digital certificatewill contain the public key Ps as well as some information about the signer.The attack described here is possible in traditional IBS schemes and not just the BIO-IBS schemeproposed here. However, the use of biometric data increases the effort required by an attacker than thatrequired for traditional IBS schemes.7 Extension of an existing IBE API to accomodate BiometricSignaturesThe design issues of developing a pairing based biometric signing scheme are discussed in this section. Wefirst introduce the design of the fuzzy extractor classes. Next we present the design of classes for key pairgeneration. Following that, the design for an implementation of the IBS BLS scheme is given.The core technology, an implementation of the Tate pairing, was previously developed for use in anIdentity Based Encryption system [8]. The flexible design accomodates both perfectly and not perfectlyreproducible identities and, where appropriate, adheres to the Java Cryptographic Architecture (JCA). Thedesign follows a pluggable architecture allowing for use of both alternative and enhanced implementations.The fuzzy extractor class (FuzzyExtractor in Figure 1) performs two functions, the generation functionGen and the reproduction function Rep. Since the generation function returns two strings U and V , thosestrings are encapsulated in the Generator class. The reproduction function result is encapsulated in theReproducer class. This allows for alternative representations of the results from the fuzzy extractor.Figure 2: Key Generation Class ModelA binary error correcting code and a metric space make up the attributes of the fuzzy extractor. Theseattributes are represented by the interfaces BinaryErrorCorrectingCode and MetricSpace respectively,allowing for alternative correcting codes and metric spaces to be used. We extend the MetricSpace classwith a HammingDistanceMetricSpace that implements the Hamming Distance metric.The design of the classes needed for the key pair and key pair generation are shown in Figure 2. Theseclasses can also be used in generating key pairs for other IBE based signature schemes such as Blind SignatureScheme, Multisignature Scheme and so on.The key pair generation utilises the mapToPoint functionality of the Tate pairing implementation TatePairing.This is an implementation of the hash function H1 mentioned earlier.The design of the classes for signing and verification are given in Figure 3. The IbeShortSignature classand related classes may be substituted for alternative IBE based signature schemes with minimal impact onthe remaining code.Figure 3: Biometric Identity Based Signature Scheme Class Model8 ConclusionWe have presented a biometric identity based signature scheme. We have reused ideas in the areas ofstring construction from biometric data, key generation, and pairing based signature schemes to form thecomponents of our system. We have discussed the application of such a scheme to non-repudiation ofcontracts or documents. Finally we outlined how such a biometric signature scheme could be incorporatedinto an existing identity based encryption software package. Our pluggable architecture provided for easyincorporation of different implementations of algorithms to perform the various component procedures in thesystem. This will facilitate inclusion of future performance enhancements to existing algorithms or inclusionof new algorithms to the system.References[1] I. Blake, G. Seroussi, and N. Smart. Elliptic Curves in Cryptography. Cambridge University Press, 1stedition, 1999.[2] A. Boldyreva. Efficient Threshold Signature Multisignature and Blind Signature Schemes Based onthe Gap-Diffie-Hellman Group Signature Scheme. Proceedings on the 6th International Workshop onPractice and Theory in Public Key Cryptography, 2003.[3] D. Boneh and M. Franklin. Identity Based Encryption from the Weil Pairing. SIAM Journal of Com-puting, Vol. 32, No. 3, pages 586–615, 2001.[4] D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and Verifiably Encrypted Signature fromBilinear Maps. Proceedings from Advances in Cryptology - EuroCrypt, 2003.[5] D. Boneh, B. Lynn, and H. Shacham. Short Signatures from the Weil Pairing. Proceedings from Advancesin Cryptology - Asiacrypt, 2001.[6] T. Clancy, N. Kiyavash, and D. Lin. Secure Smartcard-Based Fingerprint Authentication. Proceedingsof the 2003 ACM SIGMM workshop on Biometrics methods and applications, 2003.[7] Y. Dodis, L. Reyzin, and A. Smith. Fuzzy Extractors: How to Generate Strong Keys from Biometricsand Other Noisy Data. Proceedings from Advances in Cryptology - EuroCrypt, 2004.[8] T. Dowling, A. Duffy, and L. Owens. An Identity Based Encryption System. Proceedings of the 3rdInternational Conference on Principles and Practice of Programming in Java, 2004.[9] R. Dutta, R. Barua, and P. Sarkar. Pairing-Based Cryptographic Protocols: A Survey. CryptologyePrint Archive, 2004.[10] F. Hess. Efficient Identity Based Signature Schemes Based on Pairings. Proceedings from Symposiumon Applied Computing, 2002.[11] A. Juels and M. Wattenberg. A Fuzzy Commitment Scheme. Proceedings of the 6th ACM conferenceon Computer and Communications Security, pages 28–36, 1999.[12] A. Juels and M. Wattenberg. A Fuzzy Vault Scheme. Proceedings of the IEEE International Symposiumon Information Theory, 2002.[13] N. Koblitz. A Course in Number Theory and Cryptography. Springer, 2nd edition, 1994.[14] D. Maltoni, D. Maio, A. Jain, and S. Prabhakar. Handbook of Fingerprint Recognition. Springer, 2003.[15] B. Schneier. Inside Risks: The Uses and Abuses of Biometrics. Communications of the ACM, Vol. 42,page 136, 1999.[16] T. van der Putte and J. Keuning. Biometrical Fingerprint Recognition: Don’t Get Your Fingers Burned.Proceedings of the Fourth Working Conference on Smart Card Research and Advanced Applications,2000.[17] L. Washington. Elliptic Curves: Number Theory and Cryptography. Chapman and Hall, CRC, 1stedition, 2003.[18] F. Zhang and K. Kim. ID-Based Blind Signature and Ring Signature from Pairings. Proceedings fromAdvances in Cryptology - Asiacrypt, 2002.

A Biometric Identity Based Signature Scheme

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive