A secret (e.g., a password such as an alphanumeric string, a cryptographic key, etc.) is commonly used by a user operating a user device to securely access a resource, such as an account, or a location. For example, the user may use the user device to encrypt data with a cryptographic key and transmit the encrypted data to an external device. The user device may then store the secret, so that it may be used to later access the encrypted data from the external device. In some cases, the secret may only be stored on the user device. Therefore, if the user loses access to the user device, the cryptographic key may also be lost.
Some existing methods to recover secrets use multiple user devices in order to recover the secret. This requires the user to have a backup user device, resulting in a higher cost to the user, and the risk of loss exists for the backup user device. The backup device may then be used to access the resource, but some methods do not recover the secret.
Other existing methods allow the external device to store the secret. These methods place a burden on the external device, requiring the external device to have the ability to securely store the secret. Additionally, these methods place complete trust in the external device. If the external device is misused, the user's secret may be compromised, or if the external device malfunctions, the user may not be able to recover the secret.
Embodiments of the disclosure address these problems and other problems individually and collectively.
One embodiment of the invention includes a method. The method comprising: receiving, in a user device, a user identifier unique to a user; obscuring, by the user device, the user identifier, with a function to form an obscured user identifier; transmitting, by the user device, the obscured user identifier to a first entity computer; transmitting, by the user device, the obscured user identifier to a second entity computer; wherein the first entity computer and the second entity computer do not communicate with each other in the method, and wherein the first entity computer generates a first output after receiving the obscured user identifier, and the second entity computer generates a second output after receiving the obscured user identifier; receiving, by the user device, the first output from the first entity computer; receiving, by the user device, the second output from the second entity computer; and generating a secret key after processing the first output and the second output.
Another embodiment is related to a user device comprising: a processor; and a non-transitory computer readable medium, the computer readable medium comprising code, executable by the processor, to perform a method including receiving a user identifier unique to a user; obscuring the user identifier, with a function to form an obscured user identifier; transmitting the obscured user identifier to a first entity computer; transmitting the obscured user identifier to a second entity computer; wherein the first entity computer and the second entity computer do not communicate with each other in the method, and wherein the first entity computer generates a first output after receiving the obscured user identifier, and the second entity computer generates a second output after receiving the obscured user identifier; receiving the first output from the first entity computer; receiving the second output from the second entity computer; and generating a secret key after processing the first output and the second output.
Yet another embodiment is related to a method comprising: receiving, by a first entity computer, an obscured user identifier from a user device, the obscured user identifier formed using a function and a user identifier unique to the user, and wherein the user device also transmits the obscured user identifier to a second entity computer, and wherein the first entity computer and the second entity computer do not communicate with each other in the method; generating, by the first entity computer, a first output after receiving the obscured user identifier, and wherein the second entity computer generates a second output after receiving the obscured user identifier; and transmitting, by the first entity computer, the first output to the user device, wherein the user device generates a secret key after processing the first output and the second output received from the second entity computer.
Further details regarding embodiments of the invention, and a better understanding of the nature and advantages of embodiments of the invention, may be gained with reference to the following detailed description and accompanying drawings.
Prior to discussing embodiments of the disclosure, some terms can be described in further detail.
A “user” may include an individual or a machine. In some embodiments, a user may be associated with one or more user devices.
A “user device” may be any suitable device that is operated by a user. User devices may be in any suitable form. Some examples of user devices include cellular phones, a card (e.g., a payment card), PDAs, personal computers (PCs), tablet computers, and the like. In some embodiments, where a user device is a mobile device, the mobile device may include a display, a memory, a processor, a computer-readable medium, and any other suitable component.
A “mobile device” (sometimes referred to as a mobile communication device) may comprise any suitable electronic device that may be transported and operated by a user, which may also provide remote communication capabilities to a network. A mobile communication device may communicate using a mobile phone (wireless) network, wireless data network (e.g. 3G, 4G or similar networks), Wi-Fi, Bluetooth, Bluetooth Low Energy (BLE), Wi-Max, or any other communication medium that may provide access to a network such as the Internet or a private network. Examples of mobile devices include mobile phones (e.g. cellular phones), PDAs, tablet computers, net books, laptop computers, wearable devices (e.g., watches), vehicles such as automobiles and motorcycles, personal music players, hand-held specialized readers, etc. A mobile device may comprise any suitable hardware and software for performing such functions, and may also include multiple devices or components (e.g. when a device has remote access to a network by tethering to another device—i.e. using the other device as a modem—both devices taken together may be considered a single mobile device).
A “user identifier” may include any suitable information or combination of information to identify a user. Examples of user identifiers may include biometric samples and biometric templates, such as those derived from facial scans, fingerprints, retinal scans and the like. User identifiers may also include passwords or secrets known to the user.
A “trusted entity” may be an entity that is trusted by a user. The trusted entity may securely provide data or services to the user. Examples of a trusted entity may be a governmental institution, a financial institution such as a bank or payment processing network, an educational institution such as a university or college, etc. In some embodiments, a trusted entity may operate an entity computer.
A “key” or a “cryptographic key” may include a piece of information that is used in a cryptographic algorithm to transform data into another representation. A cryptographic algorithm can be an encryption algorithm that transforms original data into an alternate representation, or a decryption algorithm that transforms encrypted information back to the original data. Examples of cryptographic algorithms may include triple data encryption standard (TDES), data encryption standard (DES), advanced encryption standard (AES), etc.
A “processor” may include any suitable data computation device or devices. A processor may comprise one or more microprocessors working together to accomplish a desired function. The processor may include a CPU comprising at least one high-speed data processor adequate to execute program components for executing user and/or system-generated requests. The CPU may be a microprocessor such as AMD's Athlon, Duron and/or Opteron; IBM and/or Motorola's PowerPC; IBM's and Sony's Cell processor; Intel's Celeron, Itanium, Pentium, Xeon, and/or XScale; and/or the like processor(s).
A “memory” may be any suitable device or devices that can store electronic data. A suitable memory may comprise a non-transitory computer readable medium that stores instructions that can be executed by a processor to implement a desired method. Examples of memories may comprise one or more memory chips, disk drives, etc. Such memories may operate using any suitable electrical, optical, and/or magnetic mode of operation.
In embodiments of the invention, a user operating an original user device may cause the original user device to generate a cryptographic key to encrypt sensitive data. In particular, the user may cause the original user device to generate a public-private key pair, and the private key may be the cryptographic key. The user device may then store the generated cryptographic key in a secure memory.
At a later time, the user may cause the original user device to encrypt sensitive data (e.g., sensitive data such as financial data, identity data, etc.) using the cryptographic key. The user may then transmit the encrypted sensitive data to an external computer, where it can be securely stored. At a later time, the user may cause the user device to request the encrypted data from the external computer, so that the user can decrypt the data using the cryptographic key.
It is possible, however, that the user may lose their original user device. This can result in the user losing the cryptographic key, since the cryptographic key never leaves the original user device. As a result, the user may not be able to decrypt any requested encrypted data.
In some cases, the user may try to access the encrypted data using a second user device, after the user loses the original user device. However, as the cryptographic key was stored securely on the original user device, the second user device would not be able to decrypt any encrypted data that was formed using the cryptographic key stored on the original user device.
Embodiments of the invention allow the user to recover a cryptographic key using a user device that is not the original user device.
The user device 102, and the first entity computer 104 or the second entity computer 106, may be in operative communication with each other through any suitable communication channel(s) or communications network. Suitable communications networks may be any one and/or the combination of the following: a direct interconnection; the Internet; a Local Area Network (LAN); a Metropolitan Area Network (MAN); an Operating Missions as Nodes on the Internet (OMNI); a secured custom connection; a Wide Area Network (WAN); a wireless network (e.g., employing protocols such as, but not limited to a Wireless Application Protocol (WAP), I-mode, and/or the like); and/or the like. Messages between the computers, networks, and devices may be transmitted using secure communications protocols such as, but not limited to, File Transfer Protocol (FTP); HyperText Transfer Protocol (HTTP); Secure Hypertext Transfer Protocol (HTTPS), Secure Socket Layer (SSL), ISO (e.g., ISO 8583) and/or the like.
The first entity computer 104 and second entity computer 106 may be operated by separate trusted entities such as government institutions, financial institutions, data warehouses, etc. For example, the first entity computer 104 may be a payment processing network computer, and the second entity computer 104 could be a financial institution such as a bank that holds an account of the user of the user device 102. The user device 102 may communicate with either or both of the first and second entity computers 104, 106 to store encrypted data. For example, the user device 102 may wish to store encrypted identity data (e.g., data such as name, date of birth, government issued identification number, home address, phone number, account numbers, etc.) or encrypted assertions of identity data (e.g., user A is over 21 years old, user A has more than one credit card account, etc.) with the first entity computer 104.
In conventional methods, the user device 102 would encrypt data with a secret key (e.g., a private key) and would transmit the encrypted data to the first entity computer 104. At a later time, the user device 102 would then use the secret key to decrypt the encrypted data when it is retrieved from the first entity computer 104.
A user may wish to generate a secret key that will be used to encrypt data. The encrypted data may be stored at an external computer, such as the first entity computer 204 or the second entity computer 206. The user operating a user device 202 may choose to set up a recovery for the secret key using personal user data such as a password and/or a biometric template. The method shown in
In step S200A, the user operating the user device 202 may input a password, pwd, into the user device 202. The user device 202 may then encode the password, pwd, to form an encoded password, z. The user device 202 may encode the password using, for example, a threshold oblivious pseudorandom function (TOPRF). One construction of a TOPRF is described in Agrawal et al., “PASTA: PASsword-based Threshold Authentication,” Cryptology ePrint Archive, Report 2018/885, 2018. The threshold oblivious pseudorandom function may have an encoding function which takes as input a string and a random number ρ, and outputs an encoding of the string according to the random number ρ. For example, the encoding function may hash the password, pwd, using a public hashing function H and raise the hashed password to the power of the random number ρ to form the encoded password z = H(pwd)^ρ. Further details of the threshold oblivious pseudorandom function are described in reference to
Prior to step S200B, the user device 202 may communicate with the first entity computer 204 and the second entity computer 206 regarding the user's desire to set up a key recovery process.
In step S200B, after receiving the communication from the user device 202 that it wants to set up a secret key recovery process, the first entity computer 204 may generate and store a first pseudorandom function key share, K1. The first entity computer 204 may use a setup function of a threshold oblivious pseudorandom function to generate the pseudorandom function key share, K1.
In some embodiments, the first entity computer 204 may begin with a set of initial inputs including a value k, which can be a security parameter which determines the size of the key share to be formed. The set of inputs may also include a value such as n, which may be the number of shares to be generated, and t, which is a threshold, which determines the number of shares needed to construct a secret key. In this example, n and t may be equal to “1” because the first entity computer 204 only generates a key share K1 for itself. The initial input k may be input into a function GroupGen(1^k) to obtain parameters including p, g, and G. p can be used to define Z_p, which may be a set of integers dependent upon p. A value sk1 may be randomly selected from the set of numbers Z_p. The values p, n, t, and sk1 may then be input into a GenShare function to obtain the key share K1. Further details on the GroupGen and GenShare functions can be found in Agrawal, et al. “PASTA: PASsword-based Threshold Authentication,” Cryptology ePrint Archive, Report 2018/885, 2018.
The pseudorandom function key share, K1, may be used by a pseudorandom function (e.g., a function such as the threshold oblivious pseudorandom function) to mask an input value (e.g., such as the encoded password z) so that it appears to be random, even though it is not. The second entity computer 206 may perform a similar step in S200C to generate and store a second pseudorandom function key share, K2. The first and second pseudorandom function key shares, K1 and K2, may be different, since the second entity computer 206 would have selected a different random value sk2 from the set of numbers Z_p. The values sk1 and sk2 could be stored by the first entity computer 204 and the second entity computer 206, respectively, so that these values could be used in a secret key regeneration process (described in
Note that although a specific process is described for generating the first and second pseudorandom function key shares, K1 and K2, they can be generated in other ways. For instance, they may be random numbers selected from a pre-defined numerical space, where the random numbers have the same length in binary space, or they may be generated by the user device 202 and transmitted to the entity computers.
In step S202A, after encoding the password, pwd, to form the encoded password, z, the user device 202 may transmit the encoded password, z, to the first entity computer 204. Similarly, in step S202B, the user device 202 may transmit the encoded password, z, to the second entity computer 204.
In step S204A, after receiving the encoded password, z, the first entity computer 204 may generate a first share of the encoded password, T1. The first share of the encoded password, T1, may be an output of an evaluation function of the threshold oblivious pseudorandom function. The evaluation function may take the first pseudorandom function key share, K1, and the encoded password, z, as input to generate the first share of the encoded password, T1. For example, the evaluation function may raise the encoded password, z, to the power of the first pseudorandom function key share, K1, to generate the first share of the encoded password, T1 = z^K1. In step S204B, the second entity computer 206 may perform a similar process to generate a second share of the encoded password, T2.
In step S206A, after generating a first share of the encoded password, T1, the first entity computer 204 may transmit the first share of the encoded password, T1, to the user device 202. In step S206B, the second entity computer 206 may transmit the second share of the encoded password, T2, which may be T2 = z^K2.
In step S208, after receiving both the first and second shares of the encoded passwords T1 and T2, the user device 202 may generate a secret key, SK. The user device 202 may use a combine function of the threshold oblivious pseudorandom function to generate the secret key SK. The combine function may use the password, pwd, two shares of the encoded password, T1 and T2, and the random value, ρ, used to encode the password as input to generate the secret key, SK.
For example, the user device 202 may multiply the two shares T1 (i.e., z^K1) and T2 (i.e., z^K2) to obtain a value v. The secret key SK may be obtained using an equation such as SK = hash(pwd ∥ v^(1/ρ)), where v^(1/ρ) is the ρ-th root of v; taking this root removes the random value ρ introduced in step S200A, so that the result depends only on the password and on the key shares K1 and K2.
The user device 202 may then use the secret key, SK, to generate a first secret key share, SK1, and a second secret key share, SK2. The user device 202 may use any suitable key share forming technique to form the first and second secret key shares, SK1 and SK2. Suitable key share forming techniques may include Shamir's secret sharing, or simply splitting the secret key, SK, into two shares (and potentially padding the resulting two shares). The secret key, SK, may be used to encrypt data, such as the identity data described in
In step S209, the user device 202 may use a biometric sensor in the user device 202 to measure a biometric template, BT, of the user operating the user device 202. For example, the user device 202 may use a camera to take a picture of the user's face, and the user device 202 may form a biometric template from it. In another example, the user device 202 may use a fingerprint scanner to scan a fingerprint of the user, and may form a biometric template from it. The user device 202 may then use the biometric template, BT, to generate a first biometric share, BT1, and a second biometric share, BT2. The biometric shares may be generated in a similar manner to the shares of the secret key.
The user device 202 may then generate and store several pseudorandom function keys. The user device 202 may generate a garbled circuit randomness, R, a second random value, R2, three message authentication code (MAC) key generators (U, V, W), and a session identifier generator, N. The garbled circuit randomness, R, and the second random value, R2, may be used by the first and second entity computers to generate garbled circuits. The pseudorandom function keys may be used by the first and second entity computers 204, 206 during a later recovery attempt. The three MAC key generators (U, V, W) may be used to generate three unique MAC keys. The three MAC keys may be keys used to authenticate three different messages. For example, one MAC key may be used in a recovery attempt to authenticate that a message came from the first entity computer 204, and that the message was not altered. The session identifier generator, N, may be used to efficiently verify a computation (e.g., a comparison of a biometric measurement to the biometric template in
In step S210A, the user device 202 may transmit one or more of the first secret key share, SK1, the first biometric share, BT1, the garbled circuit randomness, R, the second random value, R2, the three MAC key generators (U, V, W), and the session identifier generator, N, to the first entity computer 204.
In step S210B, the user device 202 may transmit one or more of the second secret key share, SK2, the second biometric share, BT2, the garbled circuit randomness R, the second random value, R2, the three MAC key generators (U, V, W), and the session identifier generator, N, to the second entity computer 206.
After the first and second entity computers 204, 206 receive the data in steps S210A and S210B, a recovery attempt may be made. For example, the user operating the user device 202 may wish to retrieve data that was encrypted using the secret key, SK. The user device 202 may initiate a recovery attempt using a user identifier unique to the user (e.g., either one or both of the password, pwd, or the biometric template, BT) to authenticate the user.
Note that all steps in
As noted above,
In step S300, the user operating the user device 302 may input a password guess, pwd′. The password guess, pwd′, may be an example of a user identifier unique to the user. The user device 302 may then obscure the user identifier unique to the user. For example, the user device 302 may encode the password guess, pwd′, to form an encoded password guess, z′. The user device 302 may perform the encoding in a similar manner to the encoding in step S200 of
In step S302A, after encoding the password guess, pwd′, to form, z′, the user device 302 may transmit the encoded password guess, z′, to the first entity computer 204. Similarly, in step S302B, the user device 302 may transmit the encoded password guess, z′, to the second entity computer 206.
In step S304A, after receiving the encoded password guess, z′, the first entity computer 204 may generate a first share of the encoded password guess, T1′. The first share of the encoded password guess, T1′, may be an example of a first output. The first share of the encoded password guess, T1′, may be an output of the evaluation function of the threshold oblivious pseudorandom function used in step S204A of
In step S306A, after generating a first share of the encoded password guess, T1′, the first entity computer 204 may transmit the first share of the encoded password guess, T1′, to the user device 302. In step S306B, the second entity computer 206 may transmit the second share of the encoded password guess, T2′, to the user device 302.
In step S308, after receiving both the first and second shares of the encoded password guesses T1′ and T2′, the user device 302 may generate a secret key, SK′. The user device 302 may process the first output (e.g., the first share of the encoded password guess T1′) and the second output (the second share of the encoded password guess T2′) to generate the secret key. For example, the user device 302 may use the combine function of the threshold oblivious pseudorandom function of step S208 of
The user device 302 may then request the data from the entity computer which holds the encrypted data that it wants to obtain. For example (if the encrypted data was stored by the first entity computer 204), after generating the secret key, SK′, the user device 302 may request encrypted data from the first entity computer 204. The user device 302 may then use the secret key, SK′, to decrypt the encrypted data. In some embodiments, the entity computer storing the encrypted data may require the user of the user device 302 to authenticate herself using both the password and the biometric template stored in
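The setup flow of steps S200A to S208 and the recovery flow of steps S300 to S308 run the same TOPRF round trip, so the following Python, written for this page and not taken from the application or from the PASTA paper, models both: two entity computers that never communicate each hold a key share, the user device blinds the password with a fresh ρ, and combine takes the ρ-th root before hashing. It assumes a toy-sized safe-prime group in place of GroupGen, SHA-256 squared into the group as the public hash H, and SHA-256 of pwd and the unblinded value as the combine hash.

```python
# Added example: two-server TOPRF key derivation and recovery (steps S200-S208,
# S300-S308). Group: the order-p subgroup of quadratic residues modulo a safe
# prime q = 2p + 1, exponents in Z_p. Parameter sizes are toy-sized for speed.
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases (demo quality; stands in for a real primality test)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_gen(bits=64):
    """Stand-in for GroupGen(1^k): returns (q, p) with q = 2p + 1 and both prime."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p) and is_probable_prime(2 * p + 1):
            return 2 * p + 1, p


def hash_to_group(q, pwd):
    """Public hash H (assumed): SHA-256 of pwd, squared mod q to land in the order-p subgroup."""
    h = int.from_bytes(hashlib.sha256(pwd).digest(), "big") % q
    return pow(h or 1, 2, q)


class EntityComputer:
    """One of the two non-communicating entity computers; it only ever sees z, never pwd."""

    def __init__(self, p):
        self.p = p
        self.K = secrets.randbelow(p - 1) + 1  # key share K_i (steps S200B / S200C)

    def evaluate(self, q, z):
        """TOPRF Eval (steps S204A / S204B and S304A / S304B): T_i = z^K_i."""
        return pow(z, self.K, q)


def encode_password(q, p, pwd):
    """TOPRF Encode (step S200A / S300): z = H(pwd)^rho with a fresh random rho."""
    rho = secrets.randbelow(p - 1) + 1
    return pow(hash_to_group(q, pwd), rho, q), rho


def unblind(q, p, shares, rho):
    """Multiply the shares into v and take the rho-th root: v^(1/rho) = H(pwd)^(K1 + K2)."""
    v = 1
    for t in shares:
        v = v * t % q
    return pow(v, pow(rho, -1, p), q)  # rho^-1 mod p exists since rho in Z_p^*


def combine(q, p, pwd, shares, rho):
    """TOPRF Combine (step S208 / S308): SK = hash(pwd || v^(1/rho))."""
    root = unblind(q, p, shares, rho)
    width = (q.bit_length() + 7) // 8
    return hashlib.sha256(pwd + b"||" + root.to_bytes(width, "big")).digest()


def derive_key(q, p, pwd, entities):
    """Full user-device round trip: encode, send z to each entity, combine the outputs."""
    z, rho = encode_password(q, p, pwd)
    shares = [e.evaluate(q, z) for e in entities]  # the entities never talk to each other
    return combine(q, p, pwd, shares, rho)


if __name__ == "__main__":
    q, p = group_gen()
    entities = [EntityComputer(p), EntityComputer(p)]
    sk = derive_key(q, p, b"correct horse battery", entities)        # setup on device 202
    sk_prime = derive_key(q, p, b"correct horse battery", entities)  # recovery on device 302
    print("recovered key equals original:", sk == sk_prime)
    print("wrong guess yields original:", derive_key(q, p, b"wrong guess", entities) == sk)
```

A new user device recovers SK from nothing but the password and the two shares, and a wrong guess yields an unrelated key; the fresh ρ per run means the entity computers see a different z each time.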
In step S400, the user operating the user device 402 may measure a biometric measurement, BT′, using a biometric sensor of the user device 402. For example, the user may use a camera of the user device 402 to take a picture of the user's face (i.e., measure a facial scan). The biometric measurement, BT′, may be an example of a user identifier unique to a user. The user device 402 may then obscure the biometric measurement, BT′. For example, the user device 402 may then generate a first oblivious transfer receiver message, OT11(BT′), using the biometric measurement, BT′, where the first oblivious transfer receiver message, OT11(BT′), contains an obscured user identifier in the form of the obscured biometric measurement. The obscuring may be performed using any suitable method including public-private cryptography techniques. The user device 402 may then transmit the obscured user identifier (e.g., in the first oblivious transfer receiver message, OT11(BT′)) to the first entity computer 204. For example, the user device 402 may then transmit the first oblivious transfer receiver message, OT11(BT′), to the first entity computer 204.
The user device 402 may use any suitable oblivious transfer protocol to generate the first oblivious transfer receiver message, OT11(BT′). One example may be that of a two-message oblivious transfer protocol. Examples of oblivious transfer protocols can be found in “Smooth Projective Hashing and Two-Message Oblivious Transfer” by Halevi et al. in Journal of Cryptology volume 25, pages 158-193 (2012). Two-message oblivious transfer protocols allow the user device 402 to securely communicate with an external computer, such as the first entity computer 204. The receiver (e.g., the user device 402) may transmit an obscured input (e.g., the obscured biometric measurement, BT′) to a sender (e.g., the first entity computer 204). The sender (e.g., the first entity computer 204) may then generate an oblivious transfer sender message and transmit it to the receiver (e.g., the user device 402). Thus, an oblivious transfer protocol allows a receiver (e.g., the user device 402) to transmit an obscured input to a sender, and a sender to perform a computation (e.g., a comparison) using the obscured input, without ever learning the input. The receiver (e.g., the user device 402) may learn the result of the computation without learning any extra information.
In step S402, after receiving the first oblivious transfer receiver message, OT11(BT′), the first entity computer 204 may generate a first random number, r1. The first entity computer may then generate a MAC key using one of the three MAC key generators described above in the flow of
The first entity computer 204 may then generate a first output. The first output may include a garbled circuit, GC1. Details of garbled circuits can be found in Heath and Kolesnikov, “Stacked Garbling: Garbled Circuit Proportional to Longest Execution Path,” Cryptology ePrint Archive: Report 2020/973, 2020. The first garbled circuit, GC1, may be an encrypted circuit, which encrypts the inputs and outputs of a circuit according to assigned labels. The first entity computer 204 may first generate a circuit that can compare the biometric measurement, BT′, to the first biometric share, BT1, obscure a comparison result, and can generate a MAC hashed message. The first entity computer 204 may then encrypt the circuit, thereby garbling it. As is known in the art, the first garbled circuit, GC1, may eventually be decrypted using the labels (e.g., decryption keys). The labels may transform bits of an input into an encrypted representation according to the garbled circuit randomness, R (e.g., the garbled circuit randomness, R, may be used to generate an encryption key used to generate labels or may be used to directly generate random labels).
For example, a bit 0 may have a corresponding encryption or label, X^0_j, where j is the position of the bit in a string. A string of length three bits, such as 101, may thus have a label of X^1_2 X^0_1 X^1_0. The first garbled circuit, GC1, may receive two inputs and perform a comparison between the two inputs (e.g., the two inputs may be the biometric measurement, BT′, and the first biometric share, BT1) and output the comparison between the two inputs, and a first MAC hashed message MACU(x1) using the first MAC key, MACU. For example, the first garbled circuit, GC1, may take as input a biometric (e.g., the biometric measurement such as BT′) and a biometric template share (e.g., the first biometric template share BT1) and compute a distance (e.g., by computing an inner product) between the input biometric and the biometric template share. The garbled circuit GC1 may then mask the computed distance by the random number, r1. Thus, the output of the first garbled circuit, GC1, may be a first partial computation x1 = <BT′, BT1> + r1, and a first MAC hashed message MACU(x1) (e.g., the first partial computation hashed using the MAC hash function with the first MAC key MACU).
The first entity computer 204 may then generate a first oblivious transfer sender message, OT21. The first oblivious transfer sender message, OT21, may reveal labels for the biometric measurement, BT′, for the garbled circuit, GC1, without revealing information on other labels used in the garbled circuit GC1. The contents of the first oblivious transfer sender message, OT21, may be considered part of the output from the first entity computer 204 in response to the message of step S402.
In step S406, the first entity computer 204 may transmit the first garbled circuit, GC1 (e.g., an example of a first output), the first oblivious transfer sender message, OT21, and labels for the first biometric share BT1, the first random number, r1, and the MAC key generator, U, to the user device 402.
In step S408, after receiving the first oblivious transfer sender message OT21, the labels for BT1, r1, and U, the user device 402 may complete the oblivious transfer protocol to learn labels for the biometric measurement, BT′. The user device 402 may then run the first garbled circuit, GC1, using the labels for the biometric measurement BT′ and the labels for the first biometric share BT1 as input. After running the first garbled circuit, GC1, the user device 402 may learn the first partial computation x1=<BT′, BT1>+r1 and the first MAC hashed message MACU(x1). The user device 402 may verify the first MAC hashed message MACU(x1) (e.g., by reconstructing it using the MAC key generator, U, the first partial computation, x1, and the common MAC hash function) to verify both the integrity and the authenticity of the first garbled circuit, GC1.
In step S410A, the user device 402 may transmit the first oblivious transfer receiver message OT11(BT′) (e.g., the obscured user identifier) to the second entity computer 206. In an optional step S410B, the user device 402 may transmit the first oblivious transfer receiver message OT11(BT′) to the first entity computer 204. In some embodiments, step S410B is not needed, and step S416 can be executed any time after step S402.
In step S412, after receiving the first oblivious transfer receiver message, OT11(BT′), the second entity computer 206 may generate a second random number, r2, using the second random value, R2. The second entity computer 206 may then generate a second MAC key, MACV, using the MAC key generator, V, and the common MAC hash function, and a second MAC hashed message MACV(x2). The second entity computer 206 may then generate a second output. The second output may be a second garbled circuit, GC2. The second garbled circuit, GC2, may be generated and operate in a similar manner to the first garbled circuit, GC1 (e.g., it may generate labels using the same garbled circuit randomness R); however, it may use the second MAC hashed message MACV(x2). The output of the second garbled circuit, GC2, may be a second partial computation x2=<BT′, BT2>+r2 and the second MAC hashed message MACV(x2). The second entity computer 206 may then generate a second oblivious transfer sender message, OT22. The second oblivious transfer sender message, OT22, may reveal labels for the second biometric share, BT2.
In step S414, the second entity computer 206 may transmit the second garbled circuit, GC2 (e.g., an example of the second output) and the second oblivious transfer sender message, OT22, to the user device 402. In some embodiments, the second entity computer 206 may transmit labels for the random number, r2, and the MAC key generator, V.
In step S416, after receiving the first oblivious transfer receiver message, OT11(BT′), the first entity computer 204 may generate the second garbled circuit, GC2, and the second oblivious transfer sender message, OT22. Although the first entity computer 204 does not have the proper labels for the second biometric share, BT2, the first entity computer 204 may still construct the correct form of the second garbled circuit GC2, as it knows both the garbled circuit randomness, R, and the MAC key generator, V. The first entity computer 204 may then hash, using a hash function (e.g., the MAC hash function can be used) known to the user device 402, the second garbled circuit, GC2, and the second oblivious transfer sender message, OT22. The hashed second garbled circuit, GC2, and the hashed second oblivious transfer sender message, OT22, may then be transmitted to the user device 402. In some embodiments, step S416 may occur any time after step S402. In some embodiments, the first entity computer 204 may transmit labels for the second random number, r2, and the MAC key generator, V.
In step S418, after receiving the hashed second garbled circuit, GC2, and the hashed second oblivious transfer sender message, OT22, from the first entity computer 204 and the non-hashed equivalents from the second entity computer 206, the user device 402 may verify the hashes. If the second garbled circuit, GC2, and the second oblivious transfer sender message, OT22, hash correctly and after the labels for the second random number, r2, the MAC key generator, V, and the second biometric share BT2 are known to the user device 402 (e.g., after completing the oblivious transfer protocol with the second entity computer 206 and receiving the labels for the second random number, r2, and the MAC key generator, V, directly), the user device 402 may then evaluate the second garbled circuit GC2 to learn the second partial computation x2=<BT′, BT2>+r2 and the second MAC key, MACV. The user device 402 may verify the second MAC key, MACV (e.g., by reconstructing it using the MAC key generator, V, and the common MAC hash function) to verify both the integrity and the authenticity of the second garbled circuit, GC2.
Steps S416 and S418 may be optional. These steps may be performed by the first entity computer 404, such as in the event that first entity computer 404 is a trusted authority, and needs to verify the trustworthiness of the second entity computer 406 or other entity computers.
In step S420, the user device 402 may generate a second oblivious transfer receiver message OT12(x1, x2, MACU(x1), MACV(x2)) using the first partial computation, x1, the second partial computation, x2, the first MAC hashed message MACU(x1), and the second MAC hashed message MACV(x2). The user device 402 may then transmit the second oblivious transfer receiver message OT12(x1, x2, MACU(x1), MACV(x2)) to the first entity computer 204.
In step S422, after receiving the second oblivious transfer receiver message OT12(x1, x2, MACU(x1), MACV(x2)), the first entity computer 204 may generate a random session identifier, sid, using the session identifier generator, N. The first entity computer 204 may then generate a third MAC key, MACW, using the MAC key generator, W, and use the third MAC key, MACW, to hash (e.g., using the public MAC hash function) the session identifier, sid, to form a MAC verification message MACW(sid). The first entity computer 204 may then generate a third garbled circuit, GC3, using the garbled circuit randomness R. The third garbled circuit, GC3, may first verify the first and second MAC hashed messages, MACU(x1) and MACV(x2), and compare the biometric measurement BT′ to the stored biometric template BT of
In step S424, the first entity computer 204 may transmit the third garbled circuit, GC3, and the third oblivious transfer sender message, OT23, to the user device 402.
In step S426, after receiving the third garbled circuit, GC3, the third oblivious transfer sender message, OT23, and the set of labels, the user device 402 may complete the oblivious transfer protocol to learn the labels for the partial computations x1 and x2, and the first and second MAC hashed messages MACU(x1) and MACV(x2). The user device 402 may then evaluate the third garbled circuit, GC3, which verifies the first and second MAC hashed messages, MACU(x1) and MACV(x2), and uses the partial computations x1 and x2 to determine whether the biometric measurement (BT′) and the biometric template (BT, which is formed from BT1 and BT2) match. If the biometric measurement and the biometric template match, then the third garbled circuit, GC3, outputs the first secret key share, SK1. For example, the third garbled circuit, GC3, may first verify the first and second MAC hashed messages, MACU(x1) and MACV(x2), by comparing them to a reconstructed form of the hashed messages (e.g., reconstruct by computing the first and second MAC keys MACU and MACV, and then hash the first and second partial computations x1 and x2 accordingly). Then, the third garbled circuit, GC3, may compute a total distance between the biometric measurement, BT′, and the first and second biometric shares, BT1 and BT2, and if the total distance is lower than a threshold, the third garbled circuit, GC3, may reveal the first secret key share SK1. For example, the third garbled circuit, GC3, may compute the total distance IP (inner product)=x1+x2−r1−r2=<BT, BT′>, as <BT1, BT′>+<BT2, BT′>=<BT, BT′>. The total distance, IP, may then be compared to a threshold. If it is lower than the threshold, then the third garbled circuit, GC3, may reveal the first secret key share, SK1, and the MAC verification message, MACW(sid).
In step S428, after learning the MAC verification message, MACW(sid), the user device 402 may transmit the MAC verification message, MACW(sid), to the second entity computer 206.
In step S430, after receiving the MAC verification message, MACW(sid), the second entity computer 206 may verify the MAC verification message, MACW(sid). For example, the second entity computer 206 may generate the MAC verification message, MACW(sid), any time after step S414, and compare the generated MAC verification message, MACW(sid), to the received MAC verification message, MACW(sid).
In step S432, after comparing the generated and computed third MAC keys, and verifying the generated and computed MAC verification messages match, the second entity computer 206 may transmit the second secret key share, SK2, to the user device 402. The user device 402 only learns the MAC verification message, MACW(sid) if the biometric measurement matches the biometric template. Thus, by simply verifying the MAC verification message, MACW(sid), the second entity computer 206 may ensure that the user device 402 should have access to the second secret key share SK2, without the need to generate another garbled circuit similar to the third garbled circuit GC3.
In step S434, after receiving the second secret key share, SK2, the user device 402 may reconstruct the secret, SK, using the first and second secret key shares SK1 and SK2 according to the secret sharing technique that was used.
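The arithmetic that GC1, GC2 and GC3 evaluate in steps S402 through S434, written in the clear as an added illustration (this is not code from the patent). It assumes HMAC-SHA256 as the common MAC hash function, additive sharing of the template into BT1 and BT2 over a constructed prime modulus, and an XOR split of SK into SK1 and SK2; garbling and oblivious transfer are left out, so every intermediate value the circuits would hide is visible for inspection.

```python
# Added illustration, not code from the patent: the arithmetic that GC1, GC2 and GC3
# evaluate in steps S402-S434, written in the clear. Garbling and oblivious transfer
# are omitted, so values the circuits would hide are visible here for checking.
import hashlib
import hmac
import secrets

MOD = 2**61 - 1  # constructed prime modulus; r1, r2 hide x1, x2 completely under it


def mac(key: bytes, value) -> bytes:
    """Common MAC hash function, assumed to be HMAC-SHA256, keyed by U, V or W."""
    msg = value.to_bytes(8, "big") if isinstance(value, int) else value
    return hmac.new(key, msg, hashlib.sha256).digest()


def share_template(bt):
    """Split BT additively into BT1 and BT2 (mod MOD); neither entity sees BT itself."""
    bt1 = [secrets.randbelow(MOD) for _ in bt]
    return bt1, [(v - s) % MOD for v, s in zip(bt, bt1)]


def partial_computation(bt_prime, bt_share, r):
    """GC1/GC2 output: x_i = <BT', BT_i> + r_i (mod MOD)."""
    return (sum(a * b for a, b in zip(bt_prime, bt_share)) + r) % MOD


def gc3(x1, x2, mac1, mac2, r1, r2, U, V, W, sid, sk1, threshold):
    """GC3: verify MAC_U(x1) and MAC_V(x2), unmask IP = x1 + x2 - r1 - r2 = <BT, BT'>,
    and release SK1 with MAC_W(sid) only when IP passes the threshold test."""
    if not (hmac.compare_digest(mac1, mac(U, x1)) and hmac.compare_digest(mac2, mac(V, x2))):
        return None  # altered or forged partial computation: nothing is released
    ip = (x1 + x2 - r1 - r2) % MOD
    # The description calls IP the total distance and releases SK1 when it is below the
    # threshold; which direction is right depends on how the templates are encoded.
    if ip >= threshold:
        return None
    return sk1, mac(W, sid)


def enroll(bt):
    """Enrollment state: template shares, generators U, V, W, and SK split as SK1 xor SK2."""
    bt1, bt2 = share_template(bt)
    sk, sk1 = secrets.token_bytes(32), secrets.token_bytes(32)
    st = {"bt1": bt1, "bt2": bt2, "sk": sk, "sk1": sk1}
    st["sk2"] = bytes(a ^ b for a, b in zip(sk, sk1))
    st.update({g: secrets.token_bytes(32) for g in ("U", "V", "W")})
    return st


def recover(st, bt_prime, threshold, tamper=False):
    """Recovery flow with both entity computers simulated; returns SK, or None on failure."""
    r1, r2 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    x1 = partial_computation(bt_prime, st["bt1"], r1)  # first entity computer, GC1
    x2 = partial_computation(bt_prime, st["bt2"], r2)  # second entity computer, GC2
    mac1, mac2 = mac(st["U"], x1), mac(st["V"], x2)
    if tamper:
        x1 = (x1 + 1) % MOD  # user device alters x1 without knowing U: GC3 must reject
    sid = secrets.token_bytes(16)
    out = gc3(x1, x2, mac1, mac2, r1, r2, st["U"], st["V"], st["W"], sid, st["sk1"], threshold)
    if out is None:
        return None
    sk1, proof = out
    # Second entity computer recomputes MAC_W(sid) (S430) and releases SK2 on a match (S432).
    if not hmac.compare_digest(proof, mac(st["W"], sid)):
        return None
    return bytes(a ^ b for a, b in zip(sk1, st["sk2"]))  # S434: SK = SK1 xor SK2
```

With the same template presented at recovery the masks cancel and SK is rebuilt; a partial computation edited after its MAC was produced is rejected before any comparison happens.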
The user device 402 may then request the data from the entity computer which holds encrypted data. For example (if the encrypted data was stored by the first entity computer 204), after reconstructing the secret key, SK, the user device 402 may request encrypted data from the first entity computer 204. The user device 402 may then use the secret key, SK, to decrypt the encrypted data. In some embodiments, the entity computer storing the encrypted data may require the user device 402 to authenticate using both the biometric template and the password stored in
The setup function 510 may take as input a security parameter, L, a number of shares, n, and a threshold t that is less than or equal to the number of shares n. The security parameter, L, may determine the length of the shares that will be generated, with a larger parameter leading to a longer and therefore more secure share. The threshold, t, may determine the number of shares required to reconstruct a secret. The output of the setup function 510 may be a set of n total key shares {ki} and a set of public parameters, pp. The public parameters, pp, may be an implicit input to the subsequent functions. In embodiments of the invention, the number of shares n may be equal to 1, and the threshold t may also be equal to 1. For example, in step S200B, the first entity computer 204 may generate the pseudorandom function key share K1.
The encode function 520 may take as input a value x and random value ρ. The output of the encode function 520 may be an encoding z of the value x. For example, in step S200A, the user device 202 may encode the password pwd to form the encoded password z.
The evaluate function 530 may take as input a key share ki and the encoding z. The evaluate function 530 may generate a share of the encoding T1. For example, the first entity computer 204 may take the pseudorandom function key share K1 and the encoded password z as input and generate a first share of the encoded password T1 in step S204A of
The combine function 540 may take as input a value x, a set of shares of the encodings {i, Ti}, and the random value ρ. The combine function 540 may output a value SK. For example, the user device 202 may input the password pwd, the first share of the encoded password T1, the second share of the encoded password T2, and the random value ρ to generate the secret key SK in step S208 of
The memory 604 may be used to store data and code. The memory 604 may be coupled to the processor 602 internally or externally (e.g., via cloud based data storage), and may comprise any combination of volatile and/or non-volatile memory such as RAM, DRAM, ROM, flash, or any other suitable memory device. In some embodiments, the memory 604 may securely store the secret used to encrypt data.
The network interface 606 may include an interface that can allow the custodian computer 600 to communicate with external computers and/or devices. The network interface 606 may enable the custodian computer 600 to communicate data to and from another device such as an entity computer. Some examples of the network interface 606 may include a modem, a physical network interface (such as an Ethernet card or other Network Interface Card (NIC)), a virtual network interface, a communications port, a Personal Computer Memory Card International Association (PCMCIA) slot and card, or the like. The wireless protocols enabled by the network interface 606 may include Wi-Fi. Data transferred via the network interface 606 may be in the form of signals which may be electrical, electromagnetic, optical, or any other signal capable of being received by the external communications interface (collectively referred to as “electronic signals” or “electronic messages”). These electronic messages that may comprise data or instructions may be provided between the network interface 606 and other devices via a communications path or channel. As noted above, any suitable communication path or channel may be used such as, for instance, a wire or cable, fiber optics, a telephone line, a cellular link, a radio frequency (RF) link, a WAN or LAN network, the Internet, or any other suitable medium.
The computer readable medium 608 may comprise code, executable by the processor 602, for a method comprising: entering, in a user device, a user identifier unique to a user; obscuring, by the user device, the user identifier, with a function to form an obscured user identifier; transmitting, by the user device, the obscured user identifier to a first entity computer; transmitting, by the user device, the obscured user identifier to a second entity computer; wherein the first entity computer and the second entity computer do not communicate with each other in the key recovery process, and wherein the first entity computer generates a first output using the obscured user identifier and a first share, and the second entity computer generates a second output using the obscured user identifier and a second share; receiving, by the user device, the first output from the first entity computer; receiving, by the user device, the second output from the second entity computer; and generating a secret key after processing the first output and the second output.
The computer readable medium 608 may comprise a number of software modules including, but not limited to, a threshold oblivious pseudorandom function module 608A, a computation module 608B, a random number generating module 608C, and a communication module 608D.
The threshold oblivious pseudorandom function module 608A may comprise code that causes the processor 602 to execute functions of a threshold oblivious pseudorandom function. For example, the threshold oblivious pseudorandom function module 608A may execute the encode function to encode a password in step S200A of
The computation module 608B may comprise code that causes the processor 602 to perform computations. For example, the computation module 608B may assist the threshold oblivious pseudorandom function module 608A in executing functions. The computation module 608B may additionally evaluate the garbled circuits of
The random number generating module 608C may comprise code that causes the processor 602 to generate random numbers. For example, the random number generating module 608C may be used to generate the pseudorandom function keys used for the threshold oblivious pseudorandom function, the MAC keys, the garbled circuits, etc.
The communication module 608D, in conjunction with the processor 602, can generate messages, forward messages, reformat messages, and/or otherwise communicate with other entities. For example, communication module 608D can be used to facilitate communications between the user device 600 and an entity computer. The communication module 608D may generate and verify communications between the user device 600 and entity computers. For example, the communication module 608D may receive a MAC key and a MAC key generator, then verify the MAC key generator correctly generates the MAC key. The communication module 608D may be used to complete oblivious transfer protocols.
The biometric sensor 610 and input elements 612 may be used to input a user identifier unique to the user (e.g., a biometric or a password). Examples of the biometric sensor 610 may be a camera, a microphone, a fingerprint sensor, etc. Input elements 612 may be a touchscreen, a keypad, a microphone, etc.
The memory 704 may be used to store data and code. The memory 704 may be coupled to the processor 702 internally or externally (e.g., via cloud based data storage), and may comprise any combination of volatile and/or non-volatile memory such as RAM, DRAM, ROM, flash, or any other suitable memory device. In some embodiments, the memory 704 may securely store encrypted data. The memory 704 may be used to store pseudorandom function keys (e.g., MAC key generators, garbled circuit randomness, etc.), threshold oblivious pseudorandom function key shares, encrypted data (e.g., data received from a user device), etc.
The network interface 706 may have the same or different features as the previously described network interface 606.
The computer readable medium 708 may comprise code, executable by the processor 702, for a method comprising: receiving, by an entity computer from a user device, an obscured user identifier; generating, by the entity computer, an output using the obscured user identifier and a share, wherein the share was previously generated using the obscured user identifier and stored by the entity computer; and transmitting, by the entity computer to the user device, the output.
The computer readable medium 708 may comprise a number of software modules including, but not limited to, a TOPRF module 708A, a computation module 708B, and a communication module 708C.
The TOPRF module 708A may comprise code that causes the processor 702 to execute some or all of the functions of a threshold oblivious pseudorandom function. For example, the TOPRF module 708A may execute the setup function to generate a pseudorandom key share in S200B of
The computation module 708B may comprise code that causes the processor 702 to perform computations. For example, the computation module 708B may assist the TOPRF module 708A in executing functions. The computation module 708B may generate a circuit and encrypt (e.g., garble) the circuit to generate the garbled circuits and labels of the garbled circuits of
The communication module 708C may have the same or different features as the previously described communication module 608D.
Any of the software components or functions described in this application may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C, C++, C#, Objective-C, Swift, or a scripting language such as Perl or Python, using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions or commands on a computer readable medium for storage and/or transmission; suitable media include random access memory (RAM), read only memory (ROM), a magnetic medium such as a hard drive or a floppy disk, an optical medium such as a compact disk (CD) or DVD (digital versatile disk), flash memory, and the like. The computer readable medium may be any combination of such storage or transmission devices.
Such programs may also be encoded and transmitted using carrier signals adapted for transmission via wired, optical, and/or wireless networks conforming to a variety of protocols, including the Internet. As such, a computer readable medium according to an embodiment of the present invention may be created using a data signal encoded with such programs. Computer readable media encoded with the program code may be packaged with a compatible device or provided separately from other devices (e.g., via Internet download). Any such computer readable medium may reside on or within a single computer product (e.g. a hard drive, a CD, or an entire computer system), and may be present on or within different computer products within a system or network. A computer system may include a monitor, printer, or other suitable display for providing any of the results mentioned herein to a user.
The above description is illustrative and is not restrictive. Many variations of the invention will become apparent to those skilled in the art upon review of the disclosure. The scope of the invention should, therefore, be determined not with reference to the above description, but instead should be determined with reference to the pending claims along with their full scope or equivalents.
One or more features from any embodiment may be combined with one or more features of any other embodiment without departing from the scope of the invention.
As used herein, the use of “a,” “an,” or “the” is intended to mean “at least one,” unless specifically indicated to the contrary.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/US2021/046851 | 8/20/2021 | WO | |