Portal de Periódicos da CAPES

Unlinkable minutiae‐based fuzzy vault for multiple fingerprints

2015; Institution of Engineering and Technology; Volume: 5; Issue: 3 Linguagem: Inglês

10.1049/iet-bmt.2014.0093

2047-4946

Benjamin Tams,

User Authentication and Security Systems

IET BiometricsVolume 5, Issue 3 p. 170-180 Research ArticlesFree Access Unlinkable minutiae-based fuzzy vault for multiple fingerprints Benjamin Tams, Corresponding Author Benjamin Tams btams@math.uni-goettingen.de Institute for Mathematical Stochastics, University of Goettingen, Goldschmidtstr. 7, D-37077 Goettingen, GermanySearch for more papers by this author Benjamin Tams, Corresponding Author Benjamin Tams btams@math.uni-goettingen.de Institute for Mathematical Stochastics, University of Goettingen, Goldschmidtstr. 7, D-37077 Goettingen, GermanySearch for more papers by this author First published: 01 September 2016 https://doi.org/10.1049/iet-bmt.2014.0093Citations: 13AboutSectionsPDF ToolsRequest permissionExport citationAdd to favoritesTrack citation ShareShare Give accessShare full text accessShare full-text accessPlease review our Terms and Conditions of Use and check box below to share full-text version of article.I have read and accept the Wiley Online Library Terms and Conditions of UseShareable LinkUse the link below to share a full-text version of this article with your friends and colleagues. Learn more.Copy URL Share a linkShare onFacebookTwitterLinkedInRedditWechat Abstract The ‘fuzzy vault scheme’ is a cryptographic primitive being considered for storing fingerprint minutiae protected. A well-known problem of the fuzzy vault scheme is its vulnerability against correlation attack-based cross-matching thereby conflicting with the ‘unlinkability requirement’ and ‘irreversibility requirement’ of effective biometric information protection. Yet, it has been demonstrated that in principle a minutiae-based fuzzy vault can be secured against the correlation attack by passing the to-be-protected minutiae through a quantisation scheme. Unfortunately, single fingerprints seem not to be capable of providing an acceptable security level against offline attacks. To overcome the aforementioned security issues, this study shows how an implementation for multiple fingerprints can be derived on basis of the implementation for single finger thereby making use of a Guruswami–Sudan algorithm-based decoder for verification. The implementation, for which public C++ source code can be downloaded, is evaluated for single and various multi-finger settings using the MCYT-Fingerprint-100 database and provides security-enhancing features such as the possibility of combination with password and a slow-down mechanism. 1 Introduction At a glance, switching from password- to biometric-based authentication schemes can solve problems such as key management, in which strong and secure passwords may be required to be stored on a chip card which however could possibly be stolen. Similar to passwords, biometric information must be stored in a protected form to prevent them from being lost on data theft. This introduces new challenges because of the biometries’ non-deterministic nature. Properties for effective biometric information protection, by means of ‘renewable biometric references’, are requested by international standards [1]. There exist several biometric modalities such as iris, face, palm and fingerprints (see [2]) where each is related with individual challenges; these must be accounted when implementing extractors for renewable biometric reference for a specific modality or a fusion thereof. In this paper, we focus on fingerprints [3] and the generation of renewable biometric references from them with a fuzzy vault scheme [4, 5]. 1.1 Minutiae-based fuzzy vault In 2003, Clancy et al. [6] analysed the eligibility of the fuzzy vault scheme to protect fingerprint minutiae which resulted in a series of minutiae-based fuzzy vault implementations [7–11]. Basically, their functioning is as follows: Enrollment: At most tmax minutiae are encoded as a subset A of a fixed finite field F; then, a polynomial f ∊ F[X] of degree smaller than k is chosen at random and the set of ‘genuine pairs/genuine set’, G= {(a, f(a))|a ∊ A} is built; note that, if |G| ≥ k, the genuine pairs encode the minutiae as well as the secret polynomial f. Next, a large set of ‘chaff pairs/chaff set’, C= {(x, y)} is generated such that the values of x look like an encoding of a genuine minutiae and the values of y are such that y ≠ f(x). In this way, the vault V= G ∪ C is built hiding the genuine pairs by dispersing them within the chaff pairs (see Fig. 1 for a visualisation of this process). Figure 1Open in figure viewerPowerPoint Minutiae-based fuzzy vault a Genuine (black) and chaff minutiae (grey) b Each minutia is encoded on a vault point's abscissa where its ordinate binds the minutia to the secret polynomial We shall note here that it may be necessary to store a cryptographic hash value SHA(f) along with V such that the pair (V, SHA(f)) builds the vault record as a candidate for a renewable biometric reference. In fact, in [6] no such hash value is employed but a mechanism for verifying the correctness of f is used, in which it is assumed that any other polynomial hardly interpolates a sufficient number of vault pairs. Furthermore, in [8–11] a 16 bit cyclic redundancy check code is attached to the correct polynomial such that its correctness can be verified. We stress that a cryptographic hash value, as, for example, also used in [12, 13], can serve as a mechanism for verification, too, and may even be considered advantageous in view of blended substitution attacks, the details of which can be found in [14]. Verification: Given (V, SHA(f)), query minutiae are used to identify those vault pairs from V of which vault minutiae, encoded on the abscissa, agree well with the query minutiae; thereby the unlocking pairs/unlocking set U is established. If we assume that the minutiae protected by the vault and the query minutiae stem from the same finger, then the unlocking set may contain a significant proportion of genuine pairs lying on the graph of the secret polynomial, that is, (x, y) where f(x) = y. Certain Reed–Solomon decoders can then be used to recover f the correctness of which can be verified using the hash SHA(f). Pre-alignment: On genuine verification, the query minutiae must be aligned such that they agree well with the genuine vault minutiae. In a minutiae-based fuzzy vault [7, 9–11, 15], a common approach is to support this pre-alignment step using auxiliary alignment data publicly stored along with the records. It is important to note that public unprotected data do leak information about the protected fingerprint which could be exploited by an intruder attempting to forge the vault records in an attack. Attacks are discussed in the following, in which we ignore (for simplicity) the fact that an implementation has to provide a mechanism for automatic pre-alignment; however, the reader should be aware of the fact that security may be lower in presence of auxiliary alignment data. 1.2 Security 1.2.1 Brute-force security An intruder who has intercepted a vault (V, SHA(f)) can try to guess k vault pairs and hope that they are genuine; if they are, the interpolation polynomial f* will be equal to the secret polynomial f the correctness of which can be verified using SHA(f). It is important to note that recovery of f is equivalent to recovery of the genuine minutiae set protected by the vault. The difficulty that a guess of k vault pairs yields to the correct polynomial is equal to (1)where t = |G| denotes the number of genuine pairs. This yields a notion of brute-force security [16] being often used as the mere measure to assess security in a fuzzy vault to fingerprint; this measure, however, tends to be quite low. For example, in the implementation by Nandakumar et al. [10] for the parameter configuration (n, tmax, k) = (224, 24, 11) at a genuine acceptance rate of 86% brute-force security evaluates as 239. 1.2.2 False-accept security It is important to note that brute-force security tends to significantly overestimate the effective security of a minutia-based fuzzy vault system. A more realistic measure can be derived from the false acceptance rate (FAR). An attacker can iteratively simulate impostor verification attempts until he successfully unlocks the vault thereby running a false-accept attack; within each simulated attempt, he may succeed with probability equal to FAR. More precisely, if the average impostor decoding time (IDT) is known, then the attacker can expect to unlock the vault with effort (2)yielding the notion of false-accept security. For example, in [10] for (n, tmax, k) = (224, 24, 9) brute-force security results in 231 while the FAR has been evaluated as FAR = 0.01%. It has furthermore been reported that the unlocking sizes were such that on verification 33 candidate polynomials had to be tested in average. Thus, an intruder can expect to test 33 log(0.5)/(1 − 0.01%) ≃ 218 candidate polynomials before success. Compared with the brute-force security of 231, the false-accept attack clearly is the more efficient attack. Even if no false accept has been observed, the FAR still is non-zero. It may not be clear how to estimate the FAR, except coarse upper bounds (e.g. with the rule of three [17]). Yet, brute-force security cannot be used for approximating the FAR as emphasised above. One may argue that a false-accept attack is harder to conduct for an intruder since he has first to establish the attack database containing real fingerprints. However, brute-force attacks may also be accelerated by exploiting the distribution and dependency of the fingerprint features yielding statistical attacks. It is important to note that the false-accept attack does exploit the distribution and dependency of the biometric features and thus yields upper bounds for the system's overall security. At a glance, it seems reasonable to reduce the FAR to improve security, for example, by processing other features than mere minutiae [11, 12]; however, even if we can reduce the FAR to its half, which would be a tremendous improvement, false-accept security will increase only by a single bit. In view of this fact, it seems hard to believe that significant security improvements can be achieved while sticking to a certain biometric modality. We may improve biometric security with the requested significance in combinations with PIN or password or by fusing multiple biometric instances, for example, by developing fuzzy vault for multiple fingerprints, the latter being addressed in this paper. 1.2.3 Correlation attack There exist other risks than mere offline attacks. A well-known vulnerability of the fuzzy vault scheme poses the correlation attack conflicting with the unlinkability and even irreversibility requirement. Assume an attacker has intercepted two records that have been generated from the same finger. Then, we may observe that genuine minutiae correlate well as compared with chaff minutiae (Fig. 2). This can be exploited by an attacker to decide whether two records are ‘related’ or ‘non-related’, which conflicts with the unlinkability requirement. Even worse, since the attacker may be able to identify a significant number of genuine vault pairs via correlation, he may be able to fully break the records. Kholmatov and Yanikoglu [18] demonstrated that in principle, ∼60% related vault records can be broken with the correlation attack. Figure 2Open in figure viewerPowerPoint Visualisation of the correlation attack a and b Two vaults (a) and (b) with chaff minutiae (grey and light-grey) and genuine minutiae (black) c and d Genuine minutiae have a bias to be in agreement and can be identified to attack unlinkability and irreversibility of both vaults A simple, yet effective, measure to avoid the correlation attack is to round minutiae to coordinates of a grid (e.g. rectangular or hexagonal); all unoccupied grid coordinates are used to encode chaff pairs. Then there is no correlation that can be exploited. It has been demonstrated in [19] that in principle the approach can work: a genuine acceptance rate of ≃80% at no observed false accepts has been measured in combination with an automatic method for absolute fingerprint pre-alignment which removes the problem of information leakage from public auxiliary alignment data. 1.3 Contribution In this paper, on basis of the correlation attack-resistant implementation presented in [19], we design an implementation for multiple fingerprint. In particular, to make the verification process practical, we design a decoder based on a Guruswami–Sudan algorithm [20]. Furthermore, due to the fact that chaff features are not random, we can base our implementation on the improved fuzzy vault scheme by Dodis et al. [21, 22] with the positive effect of significantly more compact records. The implementation furthermore features measures for preventing other known record multiplicity attacks. Optionally, the implementation can be encrypted/decrypted with a user password and implements a configurable slow-down mechanism with which the verification time can be artificially increased in order to improve absolute security. We evaluate our implementation using the MCYT-Fingerprint-100 database [23] and provide a security estimation against a certain false-accept attack. For example, in a four-finger setting, our evaluation results in a genuine acceptance rate of 93% at an estimated false-accept security of 265. It may be worth noting that our implementation can be downloaded in the form of a C++ library called THIMBLE from http://www.stochastik.math.uni-goettingen.de/biometrics/thimble. The library is supplemented with two executable programmes that make use of Digital Persona's FingerJetFX open source edition (OSE) minutiae extractor (http://www.digitalpersona.com/fingerjetfx). With these programmes fuzzy vault-protected data can be generated from single and multiple fingerprint images; furthermore, the programmes can be used to run the verification process with single and multiple fingerprints against the protected data previously generated. Using our C++ library THIMBLE, the generated records can be read (using the classes ProtectedMinutiaeTemplate and ProtectedMinutiaeRecord; also see the documentation of THIMBLE) and then processed allowing the community to run heavy cryptanalyses with our implementation. 1.4 Related work An implementation for multiple fingerprints has been presented by Merkle et al. [13]. However, a performance evaluation for the implementation has not been given and no measures for preventing record multiplicity attacks have been implemented. Nagar et al. [24] considered different feature-level fusions between the modalities ‘fingerprint, face and iris’ using the fuzzy vault and fuzzy commitment scheme [25]. Even though verification performances were not the focus in [24], only a 75% genuine acceptance rate at a 53 bit security estimate has been achieved which can be significantly outperformed with our implementation. 2 Implementation for single fingerprint Throughout, we assume that fingerprint minutiae are absolutely pre-aligned. An example of such a method has been presented in [19] and an implementation is contained in our open-source software library THIMBLE. 2.1 Minutia quantisation We pass absolutely pre-aligned minutiae through a quantisation scheme. Therefore we use a hexagonal grid of which coordinates Λi are equidistantly spaced by ℓ pixels; the grid is centred in the region in which absolutely pre-aligned minutia can occur (see Fig. 3). Given a minutia (α, β, θ) at coordinate (α, β) and angle θ, its quantisation is computed by determining the index j of the grid coordinate Λj being closest to (α, β), that is (3)the minutia angle is quantised by s different quanta encoded by j′ = ⌊θ/2π·s⌋ such that j′ + s·j is the integer encoding the quantisation of the minutia (α, β, θ). Figure 3Open in figure viewerPowerPoint Visualisation of the minutiae quantisation process Minutiae of a minutiae template, being absolutely pre-aligned with respect to a coordinate system derived from a directed reference point estimation, are rounded to the coordinates of a hexagonal grid centred in the region in which the minutiae can occur; those coordinates to which minutiae round are used to encode genuine features (circles), whereas the others are used to encode chaff features (crosses). Note that under the assumption that a fingerprint's directed reference point estimation can occur at any place within the fingerprint image and can have any angle, the region in which absolutely pre-aligned minutiae can occur forms a circle of radius equals the length of the fingerprint image's diagonal; however, the number of genuine features can only occur within a rectangle of dimension that equals the fingerprint image's dimension, which must be accounted in a security analysis Furthermore, note that the minutiae angles are also used for minutiae quantisation but their visualisations have been omitted for simplicity We fix a finite field F where |F| ≥ r·s such that each minutia quantisation can be uniquely encoded by a finite field element; throughout, we do not necessarily distinguish between finite field elements and integers encoding them. Finally, we quantise a minutiae template by successively quantising its minutiae, preferring those attached with a higher quality estimation, and putting the quantisations in a feature set A until each minutia has been processed or A reaches a bound tmax. The quantisation process is visualised in Fig. 3. 2.2 Enrollment Assume that we are provided a feature set A ⊂ F. Then, a secret polynomial f ∊ F[X] of degree smaller than k is generated uniformly at random and bound to the feature set A by computing the polynomial (4)as an instance of the improved fuzzy vault scheme [21] (see Fig. 4 for a visualisation); as motivated in Section 1.1, we store a cryptographic hash SHA(f) of f along with V(X) such that the pair (V(X), SHA(f)) is considered as the vault record. Figure 4Open in figure viewerPowerPoint Visualisation of the construction of an improved fuzzy vault instance Feature set A is encoded by the roots of its characteristic polynomial which are obscured by addition with a secret polynomial f(X); the result is a polynomial V(X) from which it should be hard to reconstruct the feature set unless a query set of reasonable similarity to A or f(X) is known If x ∊ A, then V(x) = f(x) and thus (x, V(x)) is a genuine pair; otherwise, if x ∉ A, then V(x)≠ f(x) and (x, V(x)) is a chaff pair. Hence, we can encode an instance of the original fuzzy vault scheme by a monic polynomial of degree t = |A|. 2.3 Verification On verification, using a query feature set B ⊂ F, briefly called ‘query set’, the unlocking pairs are computed as U= {(b, V(b))|b ∊ B} which contains exactly |A ∩ B| genuine pairs. If sufficiently many genuine pairs are contained in U, then the secret polynomial f can be recovered using an algorithm for decoding Reed–Solomon codes. 2.4 Parameter configuration and randomised decoder In [19], the parameters have been selected on basis of a training using the fingerprint images contained in the Fingerprint Verification Competition (FVC) 2002 DB2-B [26] which have been scanned at a resolution of 569 dpi. We adopt the parameters by choosing: a hexagonal grid of which coordinates are equidistantly spaced by ℓ = 25 pixels; s = 6 quanta for minutiae angles; an upper bound of the genuine feature set size tmax = 44; and varying sizes k of the secret polynomial. Note that the parameter ℓ = 25 has been re-scaled for fingerprints scanned at 500 dpi. Owing to the choice of tmax = 44, the unlocking sets occurring on verification can be comparably large which may render complexity of the systematic decoding approach used in nearly all implementations of fuzzy fingerprint vaults [9–12, 15] infeasible. Consequently, in [19] a randomised decoder has been used, in which at most randomly chosen unlocking pairs are tested. Consequently, if an unlocking set U of size u = |U| contains ω = |A ∩ B| ≥ k genuine pairs, the probability of a successful verification is equal to (5) 3 Implementation for multiple fingerprints We now come to the description of our implementation for multiple fingerprints. 3.1 Fusion of multi-finger minutiae records Our aim is to achieve high security against offline attacks through the fusion of multiple fingerprint minutiae templates while linkage attacks are avoided. There exist different fusion strategies [27] that one might consider to employ and we shall briefly discuss their properties in our context of biometric template protection. For each minutiae template in the record, we could generate fuzzy vault-protected data using a method for single fingerprint (e.g. as outlined in Section 2) and store them separately. On verification, each query fingerprint template is used to unlock its corresponding fuzzy vault record. Depending on the number of positive individual verifications, we may accept the verification attempt thereby following the concept of a decision-level fusion. However, it has been argued in [28] that this fusion strategy may neither significantly improve on privacy nor security of biometric data since an attacker still has the possibility of running recovery attacks to each protected record separately. Similarly, in a score-level fusion, which can be considered as a generalisation of a decision-level fusion, as each template is protected separately, they remain vulnerable to intensive offline attack. To improve resistance to offline attacks, we may employ a feature-level fusion. Therefore, assume that the feature sets A1, …, AN have been generated from a user's N different fingers as described in Section 2.1; furthermore, assume that B1, …, BN are second acquisitions such that Bj matches with Aj. To follow the concept of a feature-level fusion, we may fuse the records (A1, …, AN) and (B1, …, BN) into new feature sets A and B, respectively, such that . In this way, the enrollment and verification procedure of our existing implementation for single finger (Section 2) can be adopted. There exist multiple equivalent ways to realise such a fusion. In our implementation, we attach the finger position code (i.e. an integer encoding a right/left thumb, right/left index finger and so on) to the elements of the feature sets that together form the fused feature set. More precisely, let L1, …, LN denote the pair-wise distinct position codes (encoded by values from 0, …, 9) of those fingers from which the feature sets A1, …, AN have been estimated. For each j = 1, …, N, … we attach the code Lj to the elements of Aj. Let a ∊ Aj denote a feature encoded as an integer; then Lj + 10·a may be used as the feature element to which the finger code Lj has been attached. Finally, we may use the union of all these attached feature elements, that is (6)as the fused feature set. It is important to note that the size of the field F must now be at least ten times larger than the minimal size required for single fingerprints. 3.2 Enrollment Analogous to the enrollment for single finger (Section 2.2), given a secret polynomial f ∊ F[X] of degree smaller than k and a feature set A encoding a quantised multi-finger minutiae record, the polynomial (7)is built. As usual (see Sections 1.1 and 2.2), we publish a cryptographic hash SHA(f) along with V(X) such that (V(X), SHA(f)) serves as the protected template. 3.3 Verification To decode the private template (V(X), SHA(f)) protecting a multi-finger record using the quantisation set B of a query record, we build the unlocking set (8)in the same way as in Section 2.3. Then, a decoding algorithm is applied to the unlocking set U returning candidates for the secret polynomial f from which the correct one can be identified using SHA(f). If a polynomial with the correct hash can be recovered on decoding, then we consider the verification attempt as successful and otherwise as unsuccessful. 3.4 Decoder for multifinger If the randomised decoder (Section 2.4) were adopted for verification, then we may have expected a low verification performance: assume we can expect that 20 out of 44 minutiae quantisations can be reproduced for two matching absolutely pre-aligned minutiae templates. For k = 10 and , the randomised decoder (e.g. see Section 2.4) will successfully decode with probability in a two-finger scenario, we may extrapolate the unlocking set to contain 2 × 44 = 88 pairs of which 2 × 20 = 40 are laying on a polynomial's graph where the degree of the polynomial is smaller than k = 20; then, the randomised decoder will recover the secret polynomial with probability only In view of this observation, we should consider alternative decoding mechanisms. 3.4.1 Guruswami–Sudan algorithm An alternative way to tackle the decoding problem on verification is to use a Guruswami–Sudan algorithm [20]. This class of algorithms can potentially recover f from U in deterministic polynomial time if it contains genuine pairs where u = |U|. Two statements have been given in [5] that led the community to believe Guruswami–Sudan algorithms were not well suited to support verification in a fingerprint-based fuzzy vault: Implementations of a classical Reed–Solomon decoder are, in general, much more efficient than implementations of the Guruswami–Sudan algorithm. For many of the parameter choices, we are likely to encounter in practice, (u + k)/2 is fairly close to . The second statement does not apply to our situation. In fact, (u + k)/2 can be much larger than . For example, if N = 3, the unlocking sets can be of size up to u = tmax·N = 132. Then, if k = 30, a classical Reed–Solomon decoder can successfully decode if ω ≥ 81; an implementation of the Guruswami–Sudan algorithm, however, requires ω ≥ 62 which is significantly smaller. Regarding the first statement, the original implementation of a Guruswami–Sudan algorithm [20] has a running time of . Even though improved to in the meantime [29], this is significantly inferior to an achievable with classical Reed–Solomon decoders [30]. On the other hand, the high complexities are worst-case complexities and hold only if we want to tolerate precisely up to errors in U. If fewer errors suffice to be tolerated, the running times can become feasible. Therefore, it may be useful to briefly consider the two steps of a Guruswami–Sudan algorithm. For further details we see [20]. In the first interpolation step a non-zero bivariate polynomial H ∊F[X, Y] of (1, k − 1)-‘weighted degree’ not too large is computed having the unlocking pairs as roots with a certain algebraic multiplicity μ ≥ 1. In the second factorisation step, all (univariate) polynomials f*∊F[X] of degree smaller than k are computed with H(X, f*(X)) = 0. One can prove that if and if μ is sufficiently large, then the candidate list {f*} contains the correct polynomial f. The bottleneck in the algorithm is the interpolation step and improving its efficiency is subject of current research [29, 31, 32], whereas the factorisation step performs comparably well [33]. Overall, the multiplicity parameter μ is a very critical parameter: the higher μ, the more errors the algorithm can tolerate; on the other hand, the higher μ, the higher is its complexity. Specifically, the interpolation step is closely an (see [34]). Consequently, if μ is small, for example, μ = 1, the Guruswami–Sudan algorithm is closely an while requiring [35] for successful recovery of f. If μ is sufficiently large, then the algorithm requires the well-known bound to be met in order to successfully recover f; however, then the decoding complexity may be unacceptable. 3.4.2 Preliminary tests It is not the purpose of the present paper to provide comprehensive analyses and evaluations of Guruswami–Sudan algorithms; therefore we see [36]. However, in order to design a decoding mechanism, we describe some experiments that we conducted. Therefore, we have implemented a Guruswami–Sudan algorithm (contained in our public C++ library THIMBLE), in which the interpolation step and the factorisation step are performed as in [31, 33], respectively. For simplicity, we consider the extremal case of using ten fingers, in which the unlocking sets can be of size up to u = 440. We consider secret polynomials of length k = 30 since this requires the unlocking sets to contain at least 25% genuine pairs (being typical for a fingerprint fuzzy vault) to be decodable with a Guruswami–Sudan algorithm. For each ω = 0, …, 440, we built an unlocking set U ⊂ F× F (where |F| = 218) of size u = 440 uniformly at random such that exactly ω unlocking pairs laid on the graph of a common polynomial f of degree smaller than k = 30. We applied our Guruswami–Sudan algorithm implementation with multiplicities μ = 1, …, 5 to U as input and determined whether the algorithm successfully discovered the correct polynomial; furthermore, we measured the times consumed by the decoding attempts that we have performed. Additionally, we applied an own implementation of a classical Reed–Solomon decoder [30] (also contained THIMBLE). The results of our tests are visualised in Fig. 5. With a multiplicity of μ = 1, 2, 3, 4, 5, it is possible to decode U if it contains ω ≥ 146, 132, 126, 123, 121 genuine pairs, respectively, whereas for a sufficiently large multiplicity the unlocking set must contain at least ω = 113 genuine pairs. Figure 5Open in figure viewerPowerPoint Computational performances of our implementation of a classical Reed–Solomon decoder and the Guruswami–Sudan algorithm for unlocking sets of size u = 440 and secret polynomials of length k = 30 over a finite field containing 218 elements Figure plots the measured com