SECURE RE-ENROLLMENT OF BIOMETRIC TEMPLATES USING DISTRIBUTED SECURE COMPUTATION & SECRET SHARING

US 20190311096A1
Filed: 04/04/2018
Published: 10/10/2019
Est. Priority Date: 04/04/2018
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, by a computation engine of a biometric authentication system and according to biometric information of a user, helper data for authenticating the user;

generating, by the computation engine, a plurality of secret shares of the biometric information;

storing, by the computation engine, each of the plurality of secret shares of the biometric information to a corresponding one of a plurality of storage nodes; and

performing, by the computation engine, re-enrollment of the biometric information by;

outputting a plurality of messages to instruct each of the plurality of storage nodes to generate a respective share of a new helper data in accordance with the plurality of secret shares of the biometric information and a secure computation protocol,receiving the respective share of the new helper data from two or more storage nodes of the plurality of storage nodes, anddetermining the new helper data based on the respective share of the new helper data from each of the two or more storage nodes for subsequent authentication of the user,wherein the re-enrollment occurs without receiving additional or repeat biometric information of the user and thereby results in faster re-enrollment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example computing device includes a shares generation unit configured to generate secret shares of biometric information of a user; a storage interface configured to interface with storage nodes for storing each of the secret shares to a corresponding one of the storage nodes; and a computation engine configured to perform re-enrollment by outputting a plurality of messages to instruct each of the storage nodes to generate a respective share of a new helper data in accordance with the secret shares of the biometric information and a secure computation protocol, receive the respective share of the new helper data from two or more storage nodes, and determine the new helper data based on the respective share of the new helper data from each of the two or more storage nodes for subsequent authentication of the user, wherein the re-enrollment occurs without receiving additional/repeat biometric information, thereby resulting in faster re-enrollment.

6 Citations

20 Claims

1. A method comprising:
- generating, by a computation engine of a biometric authentication system and according to biometric information of a user, helper data for authenticating the user;
  
  generating, by the computation engine, a plurality of secret shares of the biometric information;
  
  storing, by the computation engine, each of the plurality of secret shares of the biometric information to a corresponding one of a plurality of storage nodes; and
  
  performing, by the computation engine, re-enrollment of the biometric information by;
  
  outputting a plurality of messages to instruct each of the plurality of storage nodes to generate a respective share of a new helper data in accordance with the plurality of secret shares of the biometric information and a secure computation protocol,receiving the respective share of the new helper data from two or more storage nodes of the plurality of storage nodes, anddetermining the new helper data based on the respective share of the new helper data from each of the two or more storage nodes for subsequent authentication of the user,wherein the re-enrollment occurs without receiving additional or repeat biometric information of the user and thereby results in faster re-enrollment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein generating the plurality of secret shares of the biometric information of the user comprises:
    - configuring a plurality of polynomials, wherein each polynomial of the plurality of polynomials is used to encode a portion of the biometric information; and
      
      generating a plurality of secret shares of each polynomial of the plurality of polynomials, wherein the plurality of secret shares are used to generate the respective share of the new helper data.
  - 3. The method of claim 2, wherein storing each of the plurality of secret shares of the biometric information to the corresponding one of the plurality of storage nodes comprises:
    - storing each of the plurality of secret shares of each polynomial of the plurality of polynomials to the corresponding one of the plurality of storage nodes.
  - 4. The method of claim 1, wherein determining the new helper data based on the respective share of the new helper data from each of the two or more storage nodes for subsequent authentication of the user comprises:
    - combining the respective share of the new helper data from each of the two or more storage nodes to recover a polynomial that encodes the new helper data.
  - 5. The method of claim 4, further comprises applying interpolation to the recovered polynomial to generate a constant for the polynomial for use as the new helper data.
  - 6. The method of claim 1, wherein performing the re-enrollment comprises performing a bulk re-enrollment of the biometric information for a plurality of users.
  - 7. The method of claim 1, further comprising:
    - configuring, by the computation engine, connectivity for the plurality of storage nodes as offline upon storing each of the plurality of secret shares of the biometric information to the corresponding one of the plurality of storage nodes;
      
      automatically reconfiguring, by the computation engine, connectivity for two or more storage nodes of the plurality of storage nodes as online when performing re-enrollment;
      
      in response to the two or more storage nodes becoming online, receiving, by the computation engine, the respective share of the new helper data from the two or more storage nodes of the plurality of storage nodes; and
      
      in response to receiving the respective share of the new helper data from each of the two or more storage nodes of the plurality of storage nodes, configuring, by the computation engine, the two or more storage nodes of the plurality of storage nodes as offline.
  - 8. The method of claim 1, wherein generating the plurality of secret shares of the biometric information comprises generating the plurality of secret shares of the biometric information according to indicia of the biometric information.

9. A computing device of a biometric authentication system comprising:
- a shares generation unit implemented in circuitry and configured to generate a plurality of secret shares of biometric information of a user;
  
  a storage interface implemented in circuitry and configured to;
  
  interface with a plurality of storage nodes for storing each of the plurality of secret shares to a corresponding one of the plurality of storage nodes; and
  
  a computation engine implemented in circuitry and configured to;
  
  generate helper data according to biometric information of the user for authenticating a user, andperform a re-enrollment of the biometric information, wherein to perform the re-enrollment of the biometric information, the computation engine is configured to;
  
  output a plurality of messages to instruct each of the plurality of storage nodes to generate a respective share of a new helper data in accordance with the plurality of secret shares of the biometric information and a secure computation protocol,receive the respective share of a new helper data from two or more storage nodes of the plurality of storage nodes, anddetermine the new helper data based on the respective share of the new helper data from each of the two or more storage nodes for subsequent authentication of the user,wherein the re-enrollment occurs without receiving additional or repeat biometric information of a user and thereby results in faster re-enrollment.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computing device of claim 9, wherein, to generate the plurality of secret shares of the biometric information of the user, the shares generation unit is further configured to:
    - configure a plurality of polynomials, wherein each polynomial of the plurality of polynomials is used to encode a portion of the biometric information; and
      
      generate a plurality of secret shares of each polynomial of the plurality of polynomials, wherein the plurality of secret shares are used to generate the respective share of the new helper data.
  - 11. The computing device of claim 9, wherein, to interface with a plurality of storage nodes for storing each of the plurality of secret shares of the biometric information to the corresponding one of the plurality of storage nodes, the storage interface is further configured to:
    - interface with the plurality of storage nodes to store each of the plurality of secret shares of each polynomial of the plurality of polynomials to the corresponding one of the plurality of storage nodes.
  - 12. The computing device of claim 9, wherein, to determine the new helper data based on the respective share of the new helper data from each of the two or more storage nodes for subsequent authentication of the user, the computation engine is further configured to:
    - combine the respective share of the new helper data from each of the two or more storage nodes to recover a polynomial that encodes the new helper data.
  - 13. The computing device of claim 12, wherein the computation engine is further configured to apply interpolation to the recovered polynomial to generate a constant for the polynomial for use as the new helper data.
  - 14. The computing device of claim 9, wherein the re-enrollment is a bulk re-enrollment of the biometric information for a plurality of users.
  - 15. The computing device of claim 9, the storage interface is further configured to:
    - configure connectivity for the plurality of storage nodes as offline upon storing each of the plurality of secret shares of the biometric information to the corresponding one of the plurality of storage nodes;
      
      automatically reconfigure connectivity for two or more storage nodes of the plurality of storage nodes as online when performing re-enrollment;
      
      in response to two or more storage nodes becoming online, receive the respective share of the new helper data from the two or more storage nodes of the plurality of storage nodes; and
      
      in response to receiving the respective share of the new helper data from each of the two or more storage nodes of the plurality of storage nodes, configure the two or more storage nodes of the plurality of storage nodes as offline.
  - 16. The computing device of claim 9, wherein, to generate the plurality of secret shares of the biometric information, the shares generation unit is further configured to generate the plurality of shares of the biometric information according to indicia of the biometric information.

17. A computer-readable storage medium of a biometric authentication system having stored thereon instructions that, when executed, cause a processor to:
- generate, according to biometric information of a user, helper data for authenticating the user;
  
  generate, according to the biometric information of the user, a plurality of secret shares of the biometric information;
  
  store each of the plurality of secret shares of the biometric information to a corresponding one of a plurality of storage nodes; and
  
  perform re-enrollment of the biometric information, wherein the instructions to perform re-enrollment of the biometric information comprise instructions that, when executed, cause the processor to;
  
  output a plurality of messages to instruct each of the plurality of storage nodes to generate a respective share of a new helper data in accordance with the plurality of secret shares of the biometric information and a secure computation protocol,receive a respective share of the new helper data from two or more storage nodes of the plurality of storage nodes, anddetermine the new helper data based on the respective share of the new helper data from each of the two or more storage nodes for subsequent authentication of the user,wherein the re-enrollment occurs without receiving additional or repeat biometric information of a user and thereby results in faster re-enrollment.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable storage medium of claim 17, wherein the instructions to generate the plurality of secret shares of the biometric information of the user comprise instructions that, when executed, cause the processor to:
    - configure a plurality of polynomials, wherein each polynomial of the plurality of polynomials is used to encode a portion of the biometric information; and
      
      generate a plurality of secret shares of each polynomial of the plurality of polynomials, wherein the plurality of secret shares are used to generate the respective share of the new helper data.
  - 19. The computer-readable storage medium of claim 17, wherein the instructions to determine the new helper data based on the respective share of the new helper data from each of the two or more storage nodes for subsequent authentication of the user comprise instructions that, when executed, cause a processor to:
    - combine the respective share of the new helper data from each of the two or more storage nodes to recover a polynomial that encodes the new helper data; and
      
      apply interpolation to the recovered polynomial to generate a constant for the polynomial for use as the new helper data.
  - 20. The computer-readable storage medium of claim 17, wherein the instructions further comprise instructions that, when executed, cause a processor to:
    - configure connectivity for the plurality of storage nodes as offline upon storing each of the plurality of secret shares of the biometric information to the corresponding one of the plurality of storage nodes;
      
      automatically reconfigure connectivity for two or more storage nodes of the plurality of storage nodes as online when performing re-enrollment;
      
      in response to the two or more storage nodes becoming online, receive the respective share of the new helper data from the two or more storage nodes of the plurality of storage nodes; and
      
      in response to receiving the respective share of the new helper data from each of the two or more storage nodes of the plurality of nodes devices, configure the two or more storage nodes of the plurality of storage nodes as offline.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Eldefrawy, Karim

Granted Patent

US 10,719,594 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 2221/2117   User registration

H04L 9/008   involving homomorphic encry...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3231   Biological data, e.g. finge...

SECURE RE-ENROLLMENT OF BIOMETRIC TEMPLATES USING DISTRIBUTED SECURE COMPUTATION & SECRET SHARING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE RE-ENROLLMENT OF BIOMETRIC TEMPLATES USING DISTRIBUTED SECURE COMPUTATION & SECRET SHARING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links