Matchmaker: Fuzzy Vault Scheme for Weighted Preference

매치메이커: 선호도를 고려한 퍼지 볼트 기법

Abstract

Juels and Sudan's fuzzy vault scheme has been applied to various researches due to its error-tolerance property. However, the fuzzy vault scheme does not consider the difference between people's preferences, even though the authors instantiated movie lover' case in their paper. On the other hand, to make secure and high performance face authentication system, Nyang and Lee introduced a face authentication system, so-called fuzzy face vault, that has a specially designed association structure between face features and ordinary fuzzy vault in order to let each face feature have different weight. However, because of optimizing intra/inter class difference of underlying feature extraction methods, we can easily expect that the face authentication system does not successfully decrease the face authentication failure. In this paper, for ensuring the flexible use of the fuzzy vault scheme, we introduce the bucket structure, which differently implements the weighting idea of Nyang and Lee's face authentication system, and three distribution functions, which formalize the relation between user's weight of preferences and system implementation. In addition, we suggest a matchmaker scheme based on them and confirm its computational performance through the movie database.

Juels와 Sudan의 퍼지 볼트 기법은 기법이 갖는 오류 내성 때문에 많은 연구에 사용 되어오고 있다. 그러나 이들의 퍼지 볼트 기법은 그들의 논문에서 영화 애호가 문제를 예를 들었음에도 불구하고, 사람들이 일반적으로 갖는 선호도(preference)의 차이에 대한 고려가 존재하지 않는다. 한편, Nyang과 Lee는 안전하고 성능이 좋은 얼굴인증 시스템을 만들기 위해서, 얼굴 특징이 서로 다른 가중치를 갖도록 얼굴 특징과 퍼지 볼트(vault) 사이에 특별한 연관 구조를 갖는 얼굴 인증 시스템(이른바, 퍼지 얼굴 볼트)을 소개하였다. 그러나 그들의 기법은 일반적인 특징 추출 기법들이 클래스 내부/간 차이를 최적화하려는 특성이 있기 때문에 인증 실패율을 성공적으로 낮추지 못할 것으로 쉽게 예상할 수 있다. 이 논문에서는 퍼지 볼트의 유연성을 제공해주기 위하여 Nyang과 Lee의 퍼지 볼트기반의 얼굴 인증 시스템에서 가중치 아이디어를 다른 방식으로 구현한 버킷(bucket) 구조와 사용자 선호도와 시스템 구현 간 관계를 공식화하는 세 가지 분포 함수에 대해서 소개한다. 또한 이를 바탕으로 선호도 매치메이커(preference matchmaker) 기법을 제안하며, 영화 데이터베이스를 이용하여 이러한 매치메이커의 연산 성능을 확인해본다.

I. Introduction

The fuzzy vault, which is introduced by Juels and Sudan in 2002[1], is a useful cryptographic tool. It provides a user to lock her or his secret using a set and another user to unlock the secret using another set if two sets are sufficiently overlapped. In their paper, the authors instance the movie lover who wants to find someone with similar preference. Due to its error-tolerance property, the fuzzy vault scheme has been utilized in various researches, especially in biometrics area [2-11].

In 2007, Nyang and Lee proposed a face authentication system, so-called fuzzy face vault, based on the fuzzy vault scheme[12]. In the system, the authors introduce the concept of weighted features. Features, for a face, are represented as a vector and used for comparing with other face features. In the comparison, some methods of extracting features from faces such as principal component analysis (PCA) and linear discriminant analysis (LDA) use geometric distances. In a feature vector, there are significant or less significant features. Therefore, when the fuzzy vault scheme is applied to face authentication system, the authentication failure (in terms of false acceptance or false rejection) may increase if one feature is mapped to only one point. To compensate the loss of significance, the method of weighting features is essential in [12]. However, their face authentication scheme does not seem to decrease the authentication failure because it still uses geometric distances to find correct features and chaff features are located within narrow ranges.

In this paper, we newly suggest a weighted fuzzy vault scheme. Our contributions in this paper are as follows: 1) We introduce ‘bucket’ structure for implementing the weighting idea in a different manner for the ordinary fuzzy vault scheme. By doing so, we can make the fuzzy vault scheme to be used not only in equal preference environments, but also in weighted preference environments. 2) We propose three distribution functions for guaranteeing the flexible use of the fuzzy vault scheme to various applications. They formalize the relation between user’s preference and system implementation, so that they directly affect the usability and security of the system. As an example of our proposal, we implement the movie matchmaker system.

The rest of this paper is organized as follows. In Section 2, we briefly address the polynomial and Reed-Solomon (RS) error correction code. In Section 3, we analyze the fuzzy face vault. In Section 4, we introduce our proposal, matchmaker. The computational performance of the matchmaker is shown in Section 5. In Section 6, we discuss some issues related the matchmaker. Section 7 includes the conclusion.

II. Preliminaries

2.1 Polynomial over Galois field

Galois field F_p^r is field that has finite elements with the order p^r, where p is a prime number and r is a natural number. Each element in F_p^r can be represented to a vector such as (a₁,a₂,⋯,a_r)∈(Z_p)^r. When r = 1 and p≠2, F_p is often referred to as ‘prime field.’ When r≠1 and p = 2, F_p is often referred to as ‘binary field.’

Over a Galois field F, a polynomial P(x) = m₀ + m₁x+ ⋯ + m_k-1x^k-1 can be defined as a set of points {(x_i,P(x_i)}_{\(x_{i} \in \mathbb{F}\)}. For example, P(x) = 4x²+ 3x+2 over F₇ can be determined as {(0,2),(1, 2),(2, 3), (3, 5),(4,1),(5, 5),(6, 3)}. If we gather k or more points on P(x), we can reconstruct P(x) though the Gaussian elimination.

2.2 Reed-Solomon error-correcting code

RS code is a group of error-correcting codes[13]. It is able to detect and correct multiple errors from the received code word. As shown in Fig.1, there is RS code with parameters q, n, and k: the number of all possible elements q, a code word length n(≤ q), and a message length k(≤ n). Each element is interpreted as Galois field F.

Fig. 1. Reed-Solomon encoding and its parameters

As the original view of RS code, our intention is to interpret an original message m = (m₀, m₁,⋯, m_k-1) as coefficient of a certain polynomial \(P(x)=\sum_{i=0}^{k-1} m_{i} x^{i}\) over F. To compute the code word, P(x) is evaluated at n distinct elements (x₁, x₂, ⋯, x_n). The code word is equal to {P(x₁),P(x₂), ⋯,P(x_n)} . If (x₁, x₂,⋯, x_n) are unknown, the code word should be represented as the set of points such as {(x₁,P(x₁)),(x₂,P(x₂)),⋯,(x_n,P(x_n))}.

To decode the code word, many algorithms were introduced: Berlekamp-Welch[14], Berlekamp-Massey[15], Euclid’s algorithm[16], Gao[17] and so on. In this paper, we used Berlekamp-Welch algorithm for our experiments.

In [k,n,q] Berlekamp-Welch algorithm, the upper bound of errors that can be corrected is less than (n-k+1)/2. In other word,

\(0<e<\frac{n-k+1}{2}\)       (1)

where e denotes the number of errors. Berlekamp-Welch algorithm returns a non-zero polynomial P(x) of degree at most k-1.

To recover P(x), Berlekamp-Welch algorithm first computes non-zero error locator polynomial E(x) of degree e and Q(x) of degree (e +k-1), and computes P(x) = Q(x)/E(x). Computing E(x) and Q(x) are as difficult as computing P(x). While each of these polynomials are difficult to find individually, the pair of polynomials (E(x), Q(x)) can be found in polynomial time (i.e., O(n³)). BerlekampWelch algorithm successfully returns P(x) if E(x) divides Q(x) without any remainder.

2.3 Symbols and their explanations

In this paper, we use the following symbols show in Table 1. for simplicity of description.

Table 1. Symbols and their explanations

III. Nyang and Lee’s Fuzzy Face Vault

In the fuzzy vault scheme, every preferences have equal strength. In other words, each preference is transformed a certain amount of points on the secret polynomial. Therefore, the fuzzy vault scheme cannot be directly applied to the environments that different strength of preferences should be considered.

In 2007, Nyang and Lee introduced a face authentication system based on the fuzzy vault, so-called the fuzzy face vault[12]. In their paper, the authors illustrated their scheme in the face verification system. Different from the fuzzy vault scheme, the fuzzy face vault has two-layered structure: it consists of intermediate and coordinate layer.

In the intermediate layer, a single captured feature (e.g., an element of a feature vector) is transferred to several number of X-Y coordinates. In the coordinate layer is created by RS code word representing a secret as a polynomial P(x) as the ordinary fuzzy vault does.

3.1 Locking and unlocking procedures

In the paper of Nyang and Lee[1], the features are obtained by using a classifier (e.g., PCA or LDA) from facial images. The weights of the features can be proportionally decided according to the distribution of features’ differences.

Let F = {f₁,f₂,⋯} be a set of genuine features. To lock a vault in the fuzzy face vault scheme, a feature f_i with a certain weight w_i is reconstructed as

\(X_{i}=\left\{h\left(f_{i} \| x\right) \in \mathbb{F} \mid 1 \leq x \leq w_{i}\right\}\)       (2)

where h( ) denotes one way and collision free hash function. And then, the system randomly generates a secret polynomial P(x). The system stores a set of points \(\left\{(x, P(x)\}_{x \in X_{1} \cup X_{2} \cup \cdots}\right.\) with chaff features on the intermediate layer and chaff points on the coordinate layer. Note that every chaff points should be matched to certain chaff features. As the result, higher weighted features are mapped into more points.

To unlock the vault, the user inputs her or his features. As doing similar task with the locking procedure, the system collects the points on the coordinate layer. By using RS decoding algorithm, P(x) can be recovered from the collected points when the number of errors caused mistakenly capturing is less than a certain threshold.

3.2 Difficulty of implementation

To determine feature on the intermediate layer, the fuzzy face value uses the geometric distance measurement such as Euclidean and Manhattan distances. Therefore, too many chaffs on intermediate layer are not desirable because the distance between genuine and chaff feature may be closer than threshold for error tolerance.

In PCA, for example, the distribution of features’ differences (between maximum and minimum values) seems to be lied on exponential curve. It means that matching on the most significant feature (on the intermediate layer) may derive the half of genuine points (on the coordinate layer) to reconstruct the secret polynomial. Thus, to guarantee the minimum level of security (e.g., 1/10,000), the system should add more chaffs for more significant features. In this case, the system may not correctly find significant features even user correctly input her or his genuine facial image. Even if two values are really similar, their hashed values are totally differentiated. Therefore, chaff features must not be located within reasonable error bound (in terms of differences of inter-class and/or intra-class). Considering feature extraction methods optimize the differences, the fuzzy face vault does not seem to work with the facial verification and authentication system because we cannot avoid the chaff features to be located within error bound (i.e., difference of intra-class).

IV. Our Proposal: Weighted Fuzzy Vault

Even though Nyang and Lee’s fuzzy face vault scheme does not seem to work as their expectation, the weighting idea is reasonable. In this paper, rather than improving the fuzzy face vault, we generalize the fuzzy vault to cover various applications by implementing weighting idea in a different manner. As one of applications, we introduce the matchmaker, which helps people to find out other people who have the similar preferences without revealing their preferences.

4.1 Overview

People may have different preference in different issues or areas. Someone who has a big concern about movies may not have any concern about sports stars. Even though two girls like the same celebrities, their most favorite celebrities may be different. A question may arise when we use the ordinary fuzzy vault for checking their preferences: can we say that they have the similar preference? To answer the question, we can make the following system, so called ‘matchmaker.’

The matchmaker consists of two procedures: template making and user searching. In the template making procedure, a user must offer their favorites with certain weight values. For example, Alice may input “Alice in wonderland” with weight value 10 and “Harry Potter and the Half-Blood Prince” with weight value 2. The matchmaker system makes a Alice’s template and stores it. In the user searching procedure, another user also must offer their favorites without weight values. For example, Bob may input “Alice in wonderland” and “Harry Potter and the Potter and Chamber of secret.” The matchmaker system compares Bob’s favorite movies with all templates stored in the system. In this example, the system is likely to find Alice.

To generalize the face vault, we newly introduce the concept of preference buckets B = {B₁,B₂,⋯}, weight distribution Ω(i), chaff distribution Γ(i), and code word distribution Θ(i). Each preference bucket is filled a genuine favorite and a huge number of counterfeits and the number of buckets depends on the number of user’s favorites. The weight distribution is defined by the weight values from users, but we assume that the weight distribution follows a certain well-known distribution such as linear, exponentiation, and normal distribution (i.e., S-curve). The chaff distribution indicates the number of counterfeits in each bucket for the security reason. The code word distribution means how many points should be generated from a single favorite or counterfeit in a bucket. The chaff and code word distributions depend on the weight distribution.

In the following section, we explain in detail how the matchmaker works with movie scenario as illustrated in the ordinary fuzzy vault scheme.

4.2 How to make preference template

Let n be the size of cord word, k be the size of message, and q be the order of Galois field F as parameters of RS error correction code. Basically, k≤n≤q. Then, n should be equal to \(\sum_{i=1}^{v} \Omega(i), \quad(k-1)\) should be the degree of the secret polynomial P(x).

Alice suggests her favorite movies set {(m_i, w_i)}_i∈[1..v] to the matchmaker system, where m_i is movie name, w_i is weight of movie, and v is the number of favorite movies. Note that the movies’ weight follows the weight distribution g(i) (i.e., w_i = Ω(i)).

The system randomly generates a secret s= (s₀, s₁, ⋯,s_k-1) , computes S = h(s), and interprets as secret polynomial \(P(x)=\sum_{i=0}^{k-1} s_{i} x^{i}\) . Alice’s personal information u is encrypted by using s such that U = Enc(s,u). Each favorite movie m_i is classified into each preference bucket B_i(i.e., m_i ∈B_i). When two or more movies have the same weight, they should be classified into the same bucket. Thus the number of buckets v′ is less than or equal to v.

Let C_i be a set of counterfeits for bucket B_i. According to the chaff distribution Γ(i), the system adds counterfeits into each bucket. Then, B_i = C_i ∪{m_i}, |C_i|= Γ(w_i) , and C_i∩C_j = ∅ if i≠j. After that, the system shuffles all bucket for hiding the favorite movies and computes x-coordinates for all movies (including favorite and counterfeit movies) in each bucket such that

\(X_{i}^{f a v}=\left\{h\left(m_{i} \| x\right) \mid 1 \leq x \leq \Theta\left(w_{i}\right)\right\} \text { and }\)       (3)

\(\left.X_{i}^{c n t}=\left\{h\left(c_{j} \| x\right) \mid 1 \leq x \leq \Theta\left(w_{i}\right), c_{j} \in C_{i}\right)\right\}\).       (4)

For all x-coordinates in \(X_{i}^{f a v}\) and \(X_{i}^{c n t}\), the system evaluates the secret polynomial such that

\(Z_{i}^{f a v}=\left\{(x, P(x)) \mid x \in X_{i}^{f a v}\right\} \text { and }\)       (5)

\(Z_{i}^{c n t}=\left\{(x, y) \mid x \in X_{i}^{c n t} \wedge x \not \subset X_{i}^{f a v} \wedge y=R(x)\right\}\),       (6)

where R( ) denotes a random element generator avoiding P(x). Note that \(\left|Z_{i}=Z_{i}^{f a v} \cup Z_{i}^{c n t}\right| \leq\left|B_{i}\right| \times \Theta\left(w_{i}\right)\) because of the hash collision and all points in \(Z=\bigcup_{i=1}^{v} Z_{i}\) have different x-coordinates and the number of points in Z cannot exceed q.

Finally, the system store

\(\left\langle\left\{\left(B_{i}, w_{i}\right)\right\}_{i=\left[1 \ldots v^{\prime}\right]}, Z, S, U\right\rangle\)       (7)

as Alice’s preference template. This procedure is illustrated in Fig.2.

Fig. 2. Procedure for making a movie preference template

Note that we cannot directly apply Nguyen et al’s technique[11] to generate chaff points because they are generated from the counterfeit movies. The proposed system makes the finding collision (i.e., polynomial) difficult by using the cryptographic hash function for checksum instead of using cyclic redundancy check (CRC) as many fuzzy vault-based biometrics systems do.

4.3 How to find people

To find people who have similar preference, Bob inputs his favorite movies M = {m_i ′}_i∈[1..v] to the matchmaker system. Given a preference template 〈{(B_i ,w_i)}_{i = [1..v′]} ^,Z,S,U〉, the system searches each movie mi ′ in all buckets {B₁,⋯,B_v′} and finds out the corresponding weight w_i ′. If the system cannot find m_i′ in any bucket, it removes mi′ from M (i.e., M = M-{m_i′}). For each m_i′ with w_i′, the matchmaker computes x-coordinates such that

\(X_{i}^{\prime}= \begin{cases}\left\{h\left(m_{i}^{\prime} \|_{x}\right) \mid 1 \leq x \leq \Theta\left(w_{i}^{\prime}\right)\right\} & \text { if } m_{i}^{\prime} \in M \\ \varnothing & \text { if } m_{i}^{\prime} \notin M\end{cases}\)       (8)

And then, for each x-coordinate in X'=X₁'∪⋯∪X_u'' , the system collects a corresponding point in Z (i.e., the points in Z whose x-coordinates are identical to the x-coordinates in X′).

If the number of collected points is greater than k-1 and less than (n+e +1), the system tries to reconstruct secret polynomial P(x) by using BerlekampWelch algorithm. If the Berlekamp-Welch algorithm returns P′(x), it extracts the coefficients s′ = (s₀′, s₁′,⋯,s_k-1′) and computes S′ = h(s′). If S = S′, the system notifies user’s information of current preference template to Bob after decrypting U such that Dec(s′,U). And then, the system continues the searching procedure to the next user’s preference template. This procedure is shown in Fig.3.

Fig. 3. Procedure for searching people who have similar movie preference

4.4 Security Parameters

In the fuzzy vault scheme[1], an attacker who wants to reveal the locked secret (as a corresponding polynomial) is mainly concerned. To guarantee the sufficient security level against that attacker, the matchmaker system should carefully choose the parameters and distributions.

If the attacker can choose k or more genuine points from Z, it can reconstruct the secret polynomial. This probability p₁ is equal to C(|Z|,k)^-1 and the total number of points in Z is slightly less or equal to \(\sum_{i=1}^{v^{\prime}}\left|B_{i}\right| \times \Theta\left(w_{i}\right)\) . On the other hand, the number of elements in bucket B_i is equal to Γ(w_i) +1. Therefore,

\(\begin{aligned} p_{1} &=C(\mid Z, k)^{-1} \\ & \approx C\left(\min \left(q, \sum_{i=1}^{v^{\prime}} \Gamma(\Omega(i)) \Theta(\Omega(i))\right), k\right)^{-1} \end{aligned}\).       (9)

Since each element is linked to the points in O, the attacker may reconstruct the secret polynomial by choosing v or less elements (e.g., movies) in the buckets. If Γ(i) is linear distribution, the attacker must choose elements (e.g., movies) from higher weighted buckets (one element in one bucket) so that the number of linked points in Z is greater than (k-1) and less than (n+e +1). Let τ be the minimum number of elements that the attacker should choose. Then, τ≤v′ and (n+e +1) > (w_v′ +w_v′-1 +⋯+w_v′-τ-1 ) ≥ k. The probability of this attack (= p₂) is equal to \(1 / \prod_{i=v^{\prime}-\tau-1}^{v^{\prime}}\left|B_{i}\right|\) . Therefore,

\(p_{2} \approx\left(\prod_{i=v^{\prime}-\tau-1}^{v^{\prime}} \Gamma(\Omega(i))\right)^{-1}\).       (10)

Obviously, p₁ < p₂ in most cases. Due to the variety of definitions of distributions, in this paper, we offer a few parameter instances with its security level. Note that q is not deeply related to security strength except hash collision problem.

Example 1) If v = v′ = 10, k = 31, q = 104729, Ω(i) = i, Γ(i) = a₁i+b₁, and Θ(i) = a₂i+b₂, then n = 55 and e ≤ 12. In addition, if we set a₂ = 1 and b₂ = 0, then τ = 4 (∵Θ(10) +Θ(9) +Θ(8) +Θ(7) ≥ k = 31). In this case, the probabilities p₁ and p₂ are approximately close to

\(p_{1} \approx 1 / C\left(\sum_{i=1}^{10} \Gamma(i), 31\right) \text { and }\)       (11)

p2≈1/(Γ(10)Γ(9)Γ(8)Γ(7))       (12)

If a₁ = 100 and b₁ = 100, p₁ ≈ 2^-280 and p₂ ≈ 2^-40.

Example 2) If v = v′ = 5, k = 31, q = 104729, Ω(i) = i, Γ(i) = 1000i+1000, and Θ(i) = 3i +3, then n = 60, e ≤ 14, and τ = 2 (∵Θ(5) +Θ(4)≥ k = 31). In this case, p₁ ≈ 1/C(q,31) ≈ 2^-404 and p₂ ≈ 1/(Γ(5)Γ(4)) ≈ 2^-28. As shown in the above examples, when v is relatively small, it is difficult to achieve higher level of security even with the huge number of counterfeits.

As shown in the above examples, when is relatively small, it is difficult to achieve
higher level of security even with the huge number of counterfeits.

V. Experiments

5.1 Experiment environment

To confirm the overall performance of our proposal, we implemented the movie matchmaker as illustrated in Section 4. For experiments, we implemented a server program using Python 2.7.3 on Ubuntu 12.04.4 x64 Server running on Intel Xeon E5-2620@2.00GHz CPU with 64GB RAM and a user interface program using HTML5 (with JavaScript) as shown in Fig.4. We collected 266,263 movies (i.e., title, director, release date, etc.) from Freebase database powered by Google and stored them using MongoDB 2.4.14. We applied two type of hash functions: Python built-in hash function for mapping movies to x-coordinates and SHA-1 for computing the hash value of secret polynomial.

Fig. 4. User interface of movie matchmaker

We performed experiments of two parameter examples as described in Section 4.4. In each parameter, we measured times for making a template and searching people. Specifically, in searching people, we stored only one template in database and measured the various cases that made different code word size*. Table 2 shows the number of elements in B and Z. Each experiment was repeated in 100 times.

Table 2. Number of elements in B and Z

5.2 Experiment results

Fig.5 shows the response time for making a template. 4.841s and 9.735s respectively took in example 1 and 2 on median. The number of hash operations to map movies to x-coordinates is equal to 44,055 in example 1 and 870,060 in example 2. On the other hand, the number of polynomial evaluations is exactly same with the size of Z; 44,055 in example 1 and 104,729 in example 2. The gaps between example 1 and 2 are about 20 times in hash operations and about 2 times in polynomial evaluations. Therefore, we can conclude that most significant time consuming occurs when the system evaluates the secret polynomial for computing points in Z.

Fig. 5. Response times for making a template

Fig.6 shows the average response times for finding people who have similar movie preference. In our experiments, the response times are lied between 360ms and 625ms in example 1 and between 904ms and 1,742ms in example 2. As the size of code word (generated according to user’s inputs) increases, the overall time also increases. When the size of code word meets the condition, which is described in Section 4.3, the system runs Berlekamp-Welch algorithm. Note that there is no big difference of response times between when Berlekamp-Welch algorithm returns fail and secret polynomial’s coefficients. When Berlekamp-Welch algorithm runs, the response times slightly increase (about 50~100ms) even though its time complexity is O(n³). Moreover, the number of hash operations for mapping movies to x-coordinates is the same to the size of code word; the time consumption for hashing is not that much. Therefore, the most significant time consuming occurs due to searching movies in buckets.

Fig. 6. Average response times for finding people who have similar movie preference. Blue areas mean the matchmaker additionally runs Berlekamp-Welch algorithm.

In the experiments, the server program utilizes ‘in’ operation of Python to search movies in buckets. This operation is known to have O(n) time complexity. However, if we use the tree mechanism, we can reduce the searching time to O(lgn) time. In addition, the matchmaker system includes a lots of parts that the parallel processing can be applied to. For example, the hash operations for mapping movies to x-coordinates and the polynomial evaluation can be independently proceeded.

VI. Other issues

6.1 Polynomial reconstruction by adversary

RS error correction provides the way to reconstruct the secret polynomial even with some errors. The capability of error correction is proportioned to the gap between the size of code word and original message such that e < (n-k+1)/2. However, e is almost half of (n-k). In other words, to correct e errors, additional e genuine points are required. Therefore, as described in Section 4.4, the attacker who chooses only k points takes more advantage than who chooses more k points unless the probability of which it chooses genuine points exceeds 0.5.

6.2 Preference similarity

In this paper, we simply assume that the preference similarity is close to k/n as the fuzzy vault does. However, defining of similarity is more complicated than our intuition. In many areas such as biometrics, the similarity is checked by using geometric distances, but people’s preferences are difficult to be represented as vectors due to various reasons such as ignorance and disliking. People may not even know most movies’ names or may dislike (or hate) some movies. Even though the favorite movies of Alice and Bob are exactly same, but the most favorite movies may be different. We think the weighted matching method is much better than simple matching method, but the former still does not even consider the above situation.

We remain this issue as our further works. To do this, we should deeply consider what preference is and develop (or research) suitable methods of comparing preferences. After that, we will try to implement advanced matchmaker system dealing with dynamic user preferences in terms of the number of favorites and their weights.

6.3 Personal entropy system

In the fuzzy vault scheme, the personal entropy system is mentioned as one of useful applications. The personal entropy system provides system users to recover their secrets[18]. In the personal entropy system, a secret is divided into several partial secrets (by using the secret sharing scheme) and a trusted third party stores the partial secrets with personal questions such as “When is your mother’s birthday?” If a user can answer sufficient questions, she or he can recover their secret.

The matchmaker can be easily converted to the personal entropy system. Instead of answering personal questions, users are required to input their preferences. As time goes on, users’ preferences may change, but highly weighted items perhaps remain in their preferences.

However, to convert the matchmaker to the personal entropy system, k, the degree of secret polynomial, and n, the size of code word, should be reduced to the reasonable level. In example 1 described in Section 4.4, for instance, the system must attempt up to 4.65 × 10¹⁷ (≈C(n+e,k)) cases (i.e., secret recovering in secret sharing scheme) in order to reconstruct the polynomial if RS decoding fails. Instead of reducing k and n, much more counterfeits are required. It will cause the increase of time consumption for making templates. Fortunately, the procedure for making template is required only one time for each user, and thus, it is not a big problem to consider.

6.4 Setting for ordinary fuzzy vault

As we mentioned in Section 4, the matchmaker generalizes the fuzzy vault. We can implement the ordinary fuzzy vault based on the matchmaker by adjusting distributions as Ω(i) = 1, Γ(i) = b₂, and Θ(i) = 1 where b₂ denotes the number of chaffs in a bucket. In the template, there is only one bucket and all chaffs and preferences are located in that bucket. If q is large enough, mapping from an element in B to a point in Z is almost bijective (one-to-one correspondent).

VII. Conclusion

In this paper, we eliminate the geometric distance measurement in the fuzzy face vault scheme and generalize the fuzzy vault scheme for various applications. As one of applications, we introduce the matchmaker. By adopting the bucket concept and three different distributions (i.e., weight, chaff, and code word distributions), we let the matchmaker be able to cover not only movies but also various preferences. Though the experiments, we confirm the overall performance of the matchmaker under two different parameter settings. To use the matchmaker in the real world, various speed-up techniques are essential.

For our future works, we will develop advanced matchmaker with better performance to deal with dynamic user preferences. In addition, we want to implement the personal entropy system based on the advanced matchmaker. By performing user experiments on that system, we will try to confirm the appropriateness of our approach.

* 이 논문은 2014년도 정부(교육과학기술부)의 재원으로 한국 연구재단의 기초연구사업 지원을 받아 수행된 것임(NRF-2014R1A1A2059852)