
HAL Id: hal-01442553
https://hal.inria.fr/hal-01442553
Submitted on 20 Jan 2017

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.


Distributed under a Creative Commons Attribution 4.0 International License

Private Minutia-Based Fingerprint Matching

Neyire Sarier

To cite this version:

Neyire Sarier. Private Minutia-Based Fingerprint Matching. Raja Naeem Akram; Sushil Jajodia. 9th Workshop on Information Security Theory and Practice (WISTP), Aug 2015, Heraklion, Crete, Greece. Springer, Lecture Notes in Computer Science, LNCS-9311, pp.52-67, 2015, Information Security Theory and Practice. <10.1007/978-3-319-24018-3_4>. <hal-01442553>

Neyire Deniz Sarier
MEF University, Department of Computer Engineering, Istanbul, Turkey
sarierdmef.edu.tr

Abstract. In this paper, we propose an efficient biometric authentication protocol for fingerprints particularly suited for the minutia-based representation. The novelty of the protocol is that we integrate the most efficient (linear complexity) private set intersection cardinality protocol of Cristofaro et al. and a suitable helper data system for biometrics in order to improve the accuracy of the system. We analyze the security of our scheme in the standard model based on well-exploited assumptions, considering malicious parties, which is essential to eliminate specific attacks on biometric authentication schemes designed for semi-honest adversaries only. Finally, the complexity is compared to the existing provably secure schemes for fingerprint matching, which shows that the new proposal outperforms them both in semi-honest and malicious security models.

Keywords: Secure Remote Authentication, Biometrics, Set difference, Private Set Intersection, Standard model

1 Introduction

Over the last decade, it has been shown that biometrics have some advantages in authentication systems compared to password-based systems, as passwords can be easily lost, forgotten or compromised using various attacks.

However, biometrics is sensitive data; thus, biometric data, either stored on a central database or on a tamper-proof smart card, should be protected using cryptographic techniques. For instance, biometric cryptosystems such as fuzzy extractors, fuzzy vault and bipartite biotokens are used for biometric key generation, key binding and key release, respectively. Juels and Wattenberg [20] introduce the fuzzy commitment scheme as a cryptographic primitive, which is applicable for biometrics that can be represented as an ordered set of features. However, biometrics can be affected by two types of noise, i.e. white noise that represents the slight perturbation of each feature and the replacement noise caused by the replacement of some features. Thus, Juels and Sudan have developed the fuzzy vault [19], which assumes that biometrics consists of an unordered set of features and is designed for the set difference metric. Specifically, fuzzy vault [19] is a key binding system that hides an encoded secret among some chaff points, where the secret key is encoded as the coefficients of a polynomial that is evaluated at the biometric feature locations such as

n-from the high curvature points of the fingerprint minutiae, which does not leak any information about the minutia locations and is used for easing the alignment of the query fingerprint to the original template.

However, the implementation of biometric cryptosystems comes along with various attacks that question their security [28,27]. In fact, the first paper that considers provable security in biometric remote authentication is the work of Bringer et al. [6] that proposed a hybrid protocol distributing the server side functionality in order to detach the biometric data storage from the authentication server. The common point of this work and the following papers designed for security against semi-honest adversaries - where security is guaranteed if each party follows the protocol - is that they are all implemented for biometric data represented as a binary string such as iris. Hence, they depend on the Hamming distance metric for the matching operation of the verification protocol. For this particular metric, an efficient face-identification protocol between a client $C$ and a server $S$ is described in [22] that is based on Secure Function Evaluation (SFE) - a special case of Secure Multiparty Computation. Within the same framework, biometric identification [3,2] and authentication [29] protocols are described for iris and fingerprint (in particular FingerCode), all of which are based on the Euclidean distance metric.

Finally, one should note that the most popular and widely used techniques in fingerprint identification extract information about minutiae from a fingerprint and store that information as a set of points in the two-dimensional plane as in fuzzy vault. Fingerprint matching can also be performed using a different type of information extracted from the fingerprint image, i.e. FingerCode, that uses texture information from a fingerprint scan to form the fingerprint representation. Although FingerCodes are not as distinctive as minutiae-based representations, [3,2] describe privacy-preserving protocols for FingerCodes due to the efficient implementation within the Euclidean distance.

2 Related Work

It is quite surprising that despite the various papers on minutia-based biometric cryptosystems [19,8,33,32,30,31] designed for the set difference metric, the only paper that describes a private minutia-based fingerprint authentication protocol based on SFE and the set difference metric is [12]. In particular, the authors of [12] design an efficient minutia-based biometric authentication scheme for a client server architecture based on the Private Set Intersection (PSI) protocol of [13] that is secure against semi-honest parties in the standard model and malicious adversaries in the random oracle model (ROM). This PSI protocol is based on homomorphic encryption and polynomial interpolation and its computation complexity is quadratic, although the number of modular exponentiations can be reduced to $O(n \log\log m)$. Here, $m$ denotes the size of the client set and $n$ denotes the size of the server set with $m \approx n$ in the authentication mode. Besides,

only in a system based on garbled circuit evaluation. The latter is also based on the polynomial interpolation idea of [13] but it is much more complex compared to the original scheme, as can be deduced from its computation complexity, which is $O(nmwh)$ for the semi-honest case, where $w$ and $h$ denote the pixel sizes of the fingerprint image.

As one can notice, current minutia-based biometric authentication schemes whose security is proven against semi-honest attackers are based on PSI, in particular the combination of homomorphic encryption and polynomial interpolation. A natural question is whether there exist more efficient constructions of PSI that are applicable to input sets that can be represented as an unordered set of elements such as fingerprint minutiae. To answer this, we need to investigate several techniques that realize PSI protocols such as Public-Key-Based PSI, Circuit-Based PSI, OT-Based PSI and Third Party-Based PSI as summarized in [23]. Specifically, the first PSI protocol based on the Diffie-Hellman (DH) key agreement scheme was presented in [16] without any security analysis. This protocol is based on the commutative properties of the DH function and was used for private preference matching, which allows two parties to verify if their preferences match to some degree. The Diffie-Hellman-based protocol of [16], which was the first PSI protocol, is actually the most efficient w.r.t. communication (when implemented using elliptic-curve crypto) [23]. Therefore it is suitable for settings with distant parties which have limited connectivity. Lastly, it is possible to incorporate a relatively efficient zero-knowledge proof and authenticated inputs that each party is following the protocol honestly, so that active cheating by either party will be detected. In this context, [10] extends the protocol of [16] for a malicious server and semi-honest client by incorporating zero-knowledge proofs and two additional communication rounds and provides a simulation based proof in the ROM in order to build a Private Set Intersection Cardinality (PSI-CA) protocol. Similarly, [18] also extends the protocol of [16] so that security is guaranteed for malicious parties (both $C$ and $S$) in the ROM. The protocols in [10,18] provide linear complexity in the sizes of the two input sets; however, the PSI protocol in [18] cannot be converted to a PSI-CA scheme due to its ROM based security proof, which reveals the common elements of the intersection set to one of the parties ($C$ or $S$).

2.1 Motivation and Contributions

When confronted with the PSI problem, most novices come up with a solution where both parties apply a cryptographic hash function to their inputs and then compare the resulting hashes. Although this protocol is very efficient, it is insecure if the input domain is not large or does not have high entropy, since one party could easily run a brute force attack that applies the hash function to all items that are likely to be in the input set and compare the results to the received hashes. This is exactly the case for minutia-based fingerprint data. To avoid this attack, our solution is to incorporate a malicious-secure PSI to

should consider three major points: The matching should be performed privately for both sides, namely, for the two parties, a client $C$ and a server $S$ who jointly compute a function of their private inputs, the parties should only learn the output of the matching and nothing else. Secondly, the protocol should consider both honest-but-curious adversaries and malicious adversaries. This is required for a secure biometric system in order to protect against the attack of [1], which regenerates the enrolled biometric image from a random template with a hill climbing attack that depends on the matching score. However, a recent publication [15] shows that with malicious behaviour against the cryptographic identification protocol SciFI [22], designed for semi-honest adversaries, one can reconstruct a full face image with the help of computer vision techniques although SciFI does not output any matching score. The attack relies on the fact that a dishonest adversary is able to input vectors of any form, not just vectors that are properly formatted [15]. The attack learns the client's face code bit-by-bit through the output of the match or nomatch decision. Thus, the new protocol should be designed in the malicious security model so that neither learning the matching score nor the accept/reject decision could help a malicious party to learn additional information about the private data of the other party, including the common elements of the intersection set as in PSI schemes. Finally, the protocol should be practical and efficiently implementable with linear complexity (in terms of computation and communication cost) and it should depend on widely adopted representations of biometric data.

With these goals in mind, we present a new minutia-based fingerprint authentication protocol for the set difference metric between a client and a server based on PSI techniques. In particular, the only work within this framework is the work of [12], which depends on the PSI scheme of [13].

Specifically, our protocol is inspired by the PSI-CA scheme of [10], although our scheme is defined on an elliptic curve group that simplifies the PSI-CA protocol of [10] slightly by removing the last step of the protocol (i.e. hashing), but more importantly, the need for a random oracle, which questions the security of the systems when the ROM is replaced by a real hash function. In fact, certain artificial signature and encryption schemes are known which are proven secure in the ROM, but which are trivially insecure when any real function is substituted for the random oracle [7]. This way, we also reduce the communication complexity, since the communication overhead of [10] amounts to $2(m+1)$ $|p|$-bit values with $|p| = 1024$ or $|p| = 2048$, whereas our protocol requires $2(m+1)$ $|q|$-bit values with $|q| = 160$ or $|q| = 224$. Thus, our scheme is a scalable and efficient protocol with linear complexity and its security relies on well exploited cryptographic assumptions (DDH and $l$-DDHI) in the standard model. Besides, our protocol reveals to neither the server nor the client the elements of the intersection set $S$; only the size of the intersection set $d = |S|$ is learned by a single party ($C$ or $S$). Similar to the scheme of [12], the computation complexity of [29] is also quadratic, i.e. $O(nmwh)$ for the semi-honest case, where $w$ and

that are based on Oblivious Polynomial Evaluation (OPE) of [13].

Furthermore, we discuss the security of our scheme in the malicious model in order to prevent the attacks presented in [1,15]. Unfortunately, the PSI-CA scheme of [10] can only achieve one-sided simulatability in the ROM, i.e. the scheme only provides privacy of the server against a semi-honest client. Thus, we extend the security of our protocol so that both parties can be corrupted by a malicious adversary in the standard model.

To the best of our knowledge, the proposed scheme is the first private minutia-based fingerprint authentication protocol for the set difference metric that achieves complexities linear in the size of the input sets, i.e. the set of the user's minutiae, and that is secure in the standard model both for semi-honest and malicious adversaries.

3 Building Blocks

3.1 Fingerprint data

The approach that forms the basis for the biometric data representation of our scheme is the Minutiae Fuzzy Vault Implementation of Uludag et al. [33,32]. Our system operates on the fingerprint minutiae that are generally represented as $(x_i, y_i, \theta_i)$ triplets, denoting their row indices $(x_i)$, column indices $(y_i)$ and the angle of the associated ridge, respectively. Next, we concatenate the $x_i$ and $y_i$ coordinates of a minutia as $[x_i \,|\, y_i]$ to arrive at the data unit $b_i$ for $i \in [1, m]$. To account for slight variations in minutiae data (due to fingerprint distortions), raw minutiae data are first quantized. We require an alignment step where the query minutiae templates are aligned to the registered template using auxiliary alignment data $aux$, i.e. helper data derived from the orientation field of fingerprints. Naturally, it is required that the helper data does not leak any information about the minutiae-based fingerprint template. Another approach could be the use of alignment-free features, i.e. features that do not depend on the finger's rotation or displacement. The reader is referred to [33,32] for the details of this representation.

3.2 Cryptographic tools

Since our system works in the set difference metric, we need to compare/match the aligned query template to the registered template in a private manner. In particular, our protocol is inspired by the (reversed) PSI-CA scheme of [10] that enables two parties, i.e. a client $C$ which has a set $B = (b_1, \ldots, b_m)$ of size $m$ and a server $S$ which has a set $B' = (b'_1, \ldots, b'_n)$ of size $n$, to compute the size of the intersection of their respective sets without disclosing anything about their inputs, including the common elements of the intersection set. After the computation the server has obtained the size of the intersection $d = |B \cap B'|$ and the client has learnt nothing other than the accept/reject notification based on the system threshold $t$.

Random Functions (OPRF) [17], Bloom filters [11] and blind signatures [10], where the latter is the primitive we require in our protocol to achieve linear complexity. As different from the PSI-CA scheme of [10], we eliminate the last step of the protocol, namely hashing the result of the verification and computing the size of the intersection on these hashes. Besides, we swap the roles of the server and the client in [10]; thus, the biometric server obtains a signature on its input without disclosing it. This simplification is caused by describing our protocol on a suitably chosen elliptic curve group where the DDH (and $l$-DDHI) assumption holds, whereas PSI-CA of [10] works on groups where the DDH (and One-More-Gap-DH) assumption holds. Thus, the client performs $2(m+1)$ exponentiations and the server computes $(m+n)$ modular exponentiations modulo a $p$-bit prime with $p = 1024$ or $p = 2048$, whereas in our scheme the same operations are performed modulo a $q$-bit prime with $q = 160$ or $q = 224$. In [10], the communication overhead amounts to $2(m+1)$ $p$-bit values and $n$ $\kappa$-bit values, where $\kappa$ is a security parameter of $H' : \{0,1\}^* \to \{0,1\}^\kappa$. Since we eliminate $H'$ and work on an elliptic curve group, the communication complexity is reduced from $p$-bit values to $q$-bit values. To provide client and server privacy against malicious adversaries, we employ standard techniques of cryptography such as zero-knowledge proofs of knowledge (PoK).

3.3 Security Model

We provide efficient biometric authentication protocols with security in the presence of both semi-honest and malicious adversaries. Here, the term adversary refers to insiders, i.e., protocol participants. Outside adversaries are not considered, since their actions can be mitigated via standard network security techniques. Informally, we have the following goals for our protocols.

Client Privacy: No information is leaked about the client $C$'s biometrics, except an upper bound on its size $m$ and the matching score, i.e. the number of common elements between the biometric template registered at the server and the client's fresh template.

Server Privacy: $C$ learns no information beyond an upper bound on the size of his registered feature set $n$ at the server and the accept/reject notification.

Unlinkability: Neither party can determine if any two instances of the protocol are related, i.e., executed on the same input by client or server, unless this can be inferred from the actual protocol output [10].

Our first protocols for authentication are presented in the semi-honest model, i.e. adversaries that are honest-but-curious, who follow the protocols and try to gain more information than they should on the other parties' inputs. An honest-but-curious party is a party that follows the instructions of the protocol, but may record the communications it receives and try to infer extra information using such recordings. In this case, the traditional real-versus-ideal definition is applied in the security proof. Basically, the protocol privately computes a function for an honest-but-curious Client $C$ (resp. Server $S$) if there exists a PPT algorithm $SIM$ that is able to simulate the view of $C$ (resp. $S$), given only

variable representing the view of the Client (resp. Server) during an execution of the protocol with the Client's private input $B = \{b_i\}$ and the Server's private input $B' = \{b'_i\}$ is denoted here by $View_S(B, B', P)$ (resp. $View_C(B, B', P)$).

Definition 1. (Privacy against Honest-but-curious Adversaries). Let $View_S(B, B')$ be a random variable representing the server's view during execution of PSI-CA with inputs $B, B', P$. There exists a PPT algorithm $SIM$ that is able to simulate the view of the Server (resp. Client), given only the Server's (resp. Client's) respective (private and public) input and output; i.e.,

$\forall (B, B', P) : View_S(B, B', P) \equiv SIM_S(B', P, |B \cap B'|)$ (resp. $View_C(B, B', P) \equiv SIM_C(B, P)$)

The security of our protocols relies on the following assumptions.

Definition 2. Decisional Diffie-Hellman (DDH). Let $x, y, z \xleftarrow{R} \mathbb{Z}_q$ and $g \in G$ be a random generator of the prime order group $G$. Given $(g, g^x, g^y)$, distinguishing between the distributions $(g, g^x, g^y, g^{xy})$ and $(g, g^x, g^y, g^z)$ is hard.

Definition 3. $l$-Diffie-Hellman inversion problem ($l$-DHI). Let $l \in \mathbb{Z}$, $z \xleftarrow{R} \mathbb{Z}_q$ and $g \in G$ as above. Given $(g, g^z, g^{z^2}, \ldots, g^{z^l})$, computing $g^{1/z}$ is hard.

Definition 4. $l$-Decisional Diffie-Hellman inversion problem ($l$-DDHI). Let $l \in \mathbb{Z}$, $z \xleftarrow{R} \mathbb{Z}_q$, $g \in G$. Given $(g, g^z, g^{z^2}, \ldots, g^{z^l}, v)$, deciding whether $v = g^{1/z}$ is hard.

In section 7, we present our last protocol for authentication in the malicious model, where a malicious adversary uses any kind of strategy to learn information. A malicious party is a party that does not necessarily follow the instructions of the protocol. Finally, the numbers of minutiae used in the protocol, namely $n$ and $m$, are considered to be public. If privacy of the number of minutiae is required, $C$ and $S$ can simply agree on a size (or two sizes) beforehand and then adjust the number of minutiae they use as input by either omitting a number of minutiae or adding a number of chaff minutiae to their set.

4 The new Protocol

As a warmup, this section presents our first construction in authentication mode, secure in the presence of semi-honest adversaries in the ROM. An overview of the scheme is given in Fig. 1. Although our scheme integrates the PSI-CA of [10], its security is based on a different assumption. Besides, we work on a group $G$ implemented using a group of points on a certain elliptic curve with generator $g$ of prime order $q$ and require a MapToPoint hash function (modeled as a random oracle) $H : \{0,1\}^* \to G$ together with two random permutations $P$ and $P'$. The client $C$ registers his biometric features $b'_i$ for $i \in [1, n]$ at the server $S$ as described in section 3.1 and stores the helper data $aux$ publicly. For verification,

$C$ presents his fresh biometrics, aligns them with the help of $aux$, and obtains $\{b_i\}$ for $i \in [1, m]$. Next, $C$ makes an authentication request and the server $S$ replies by masking the hashed biometric feature set items corresponding to the client $C$ with a random exponent $k \in \mathbb{Z}_q$ and sends the resulting $w_i$s to $C$, which blindly exponentiates them with its own random value $\alpha \in \mathbb{Z}_q$. Next, $C$ shuffles these $v_i$s and sends to $S$ the resulting $u_i$s together with the exponentiations of the client's items $H(b_j)$ to the randomness $\alpha \in \mathbb{Z}_q$ as $x_j$s. Finally, $S$ tries to match these $x_j$ values received from $C$ with the shuffled $u_i$ values, stripped of the initial randomness $k \in \mathbb{Z}_q$. $S$ learns the set intersection cardinality (and nothing else) by counting the number of such matches and notifies $C$ based on the system threshold $t$ with an accept/reject decision.

Fig. 1. Protocol in ROM: $m \approx n$

Lemma 1. The proposed scheme achieves client privacy against a semi-honest server based on the $l$-DDHI assumption in the random oracle model.

Lemma 2. The proposed scheme achieves server privacy against a semi-honest client based on the DDH assumption in the random oracle model.

Due to page limitations, the proofs will appear in the full version of the paper. By designing the protocol for an elliptic curve group $G$, we do not require a second hash function $H'$; hence our scheme is less complex compared to [10], since the elements of $G$ are already 160 or 224 bits instead of 1024 or 2048 bits as in [10]. Hence, the comparison performed over the $H'$ values as in [10] can be performed on the $x_j$s and $y_i$s directly. Since the protocol is designed for semi-honest adversaries, the attack of [1] does not work, since the parties are passive attackers

force attack against the privacy of the client or the opposite, namely, a malicious client trying to impersonate a user. In other words, this information is only helpful in the case of malicious behaviour by one of the parties. However, to prevent malicious behaviour as presented in [1,15], where the latter attack is able to break the secure face identification scheme SciFI even if no matching score or distance information is output by the protocol, one should extend the security of the new scheme to malicious adversaries.

5 Security in Standard model

As described above, our protocol requires one hash function that is assumed to be a random oracle. However, by slightly modifying the protocol, we are able to prove the security of our scheme in the standard model. In particular, instead of extracting the input set of each party via the random oracle queries as in [10], we use the Proof of Knowledge (PoK) to extract the randomness $k$ used by each party and determine the input set as in [17,18]. Hence, we use the input set of the semi-honest (resp. malicious) party directly in the simulation, due to the extraction of the sender's inputs given this randomness, which is obtained by running the extractor algorithm for the PoK with the semi-honest party to extract $k$ such that it satisfies the commitment $g^k$ sent by that semi-honest party. As an example application, if we replace the hash function with the MapToPoint hash function of [14,4], we are able to prove the security in the standard model. For instance, [14] relies on a variant of Dodis-Yampolskiy's Pseudo-Random Function (PRF) based on the Boneh-Boyen unpredictable function [17]. The Boneh-Boyen function is $f_y(x) = g^{1/(y+x)}$, where $g \in G$ generates a group $G$ of prime order $q$, and $y$ is a random element in $\mathbb{Z}_q$. This function is unpredictable under the computational $l$-DHI assumption on $G$ [17]. Thus, the decisional $l$-DHI assumption on the group $G$ implies that the Boneh-Boyen function is a PRF. Besides, the OPRF construction of [17] is also based on the Boneh-Boyen PRF, with the sole modification being a substitution of the prime-order group $G$ with a group whose order is a safe RSA modulus.

Lemma 3. The proposed scheme achieves client privacy against a semi-honest server in the standard model.

Proof. We show that the server's view can be efficiently simulated by a probabilistic polynomial time algorithm $SIM_S$. The server's view includes his inputs $B'$, the randomness he uses, and the messages he receives. The server has as inputs the registered feature set $B' = \{b'_i\}$ and the randomness $k \in \mathbb{Z}_q$. We follow a proof technique similar to the one presented in [17]. The simulator is constructed as follows:

1. Upon receiving $g^k$, $\pi_1$ and $w_1, \ldots, w_n$ from the server, if the server succeeds in the proof $\pi_1$, then $SIM_S$ runs the extractor algorithm for $\pi_1$ with the server to extract $k$. Then, when getting the randomness $k$ from $S$, $SIM_S$ tries

Fig. 2. Protocol in standard model: $m \approx n$

the Boneh-Boyen PRF - to reconstruct the set $B'$ as in the OPRF proof of [17]. This can be performed due to the fact that the domain of this hash/PRF is polynomially-sized [17].

2. $SIM_S$ picks at random $\alpha \leftarrow \mathbb{Z}_q$, computes $g^\alpha$, computes $\pi_2$ and adds distinct pairs $(H(b_i), x_i) = (h_i, x_i)$, where $x_i = H(b_i)^\alpha$ and the $b_i$s (i.e. the set $B$) are computed as in the previous step. $SIM_S$ computes $v_i = w_i^\alpha$ and sends $P(v_1, \ldots, v_n) = (u_1, \ldots, u_n)$ and $(x_1, \ldots, x_m)$ to the server. Here, $(x_1, \ldots, x_d)$ denotes the intersection of the client's and server's input sets, constructed by selecting a random subset of the $x_i = H(b_i)^\alpha$ values with size $|d|$. For the remaining $m - d$ elements, the simulator pads the set with random values, i.e. $c_i^\alpha$ for $i \in [d+1, m]$.

The server learns nothing either interacting with the real world client or interacting with $SIM_S$; therefore, the environment's (distinguisher) $D$'s views in the real world and the ideal world are indistinguishable. Now we show that this $SIM_S$ does a successful simulation. Consider the following series of games:

1. In the first game, the public parameters are generated as in the definition of the protocol, and then the adversary $A$ interacts with the real world party as defined above.

2. In the second game, the parameters are generated the same way, but now $A$ interacts with a $SIM$ which behaves as the real protocol for step 1, but then behaves as $SIM_S$ for step 2. The only difference then is that this simulator pads the set with random values, i.e. $c_i^\alpha$ for $i \in [d+1, m]$, for the remaining $m - d$ elements. This differs from the first game only in that the elements not common with the set $B$ and the simulated set $B$ cannot be totally equal to the registered biometric set $B'$ due to the nature of biometrics. Thus, this is indistinguishable from the first game by the randomness of these padded elements chosen from the underlying group.

3. In the last game, the public parameters are generated the same way, and then the adversary $A$ interacts with $SIM_S$. This differs from the second game only in that $SIM_S$ extracts $k$ from the proof and uses this $k$ to form the registered biometric set of the authenticating client at the server. Note that if the proof is sound, then this set will be identical to that used in the previous game. Thus this is indistinguishable from the previous game by the extraction property of the ZK proof system.

Since the first game is indistinguishable from the third, the probability that the adversary $A$ can detect the simulation in each game can differ only negligibly. Thus, the simulation is successful.

Lemma 4. The proposed scheme achieves server privacy against a semi-honest client in the standard model.

Due to page limitations, the proof will appear in the full version of the paper.

6 Use of multi-modal biometrics for high-entropy inputs

One factor limiting the security of biometric cryptosystems is the entropy of the biometric feature data. To increase the entropy of biometric data and to achieve higher privacy levels in biometric cryptosystems, one combines the information of several biometric traits (e.g. fingerprints with finger vein, or face with iris) or several instances of the same biometric trait, denoted as multi-biometric systems. Compared to traditional (uni)biometric authentication, multibiometric systems offer several advantages such as better recognition accuracy, increased population coverage, greater security, flexibility and user convenience. For these systems, different fusion approaches exist, and in [21], fusion at the feature level is performed for both multi-modal and multi-instance systems so that the key entropy in the biometric cryptosystem is increased to the sufficient levels required in security applications. In [26,25,24], another fusion at the feature level is described in the context of biometric IBE in order to avoid the collusion attacks inherent in fuzzy IBE systems. Considering our biometric matching system, one can follow a similar strategy as described in [28]. Specifically, a 2048-bit IrisCode $b$ has an inherent entropy of 249 bits. If we implement the iris fuzzy commitment scheme of [5], we can see this IrisCode as $z = b \oplus c$, where $c$ is a codeword that is stored in the form of $H(c)$ as helper data together with $z$. If we concatenate this $c$ to each biometric feature (for instance a fingerprint minutia value), each of the biometric data has enough input entropy for the hash function. To further increase the input entropy, a client password can be concatenated to the biometric inputs, where

Consider a malicious client (or an adversary trying to impersonate a user) that implements one of the attacks presented in [1,15] against the biometric authentication system. To prevent this, the security should be guaranteed considering malicious behaviour of both parties. We note that the PSI-CA protocol of [10] provides security against a semi-honest server and a malicious client when the roles of server and client are swapped, namely the protocol provides one-sided simulatability in the ROM.

To upgrade our scheme presented in Fig. 2 to malicious parties in the standard model, we add one additional zero-knowledge proof $\pi_3$ as in [10], where

$\pi_3 = PoK\{\alpha \mid (\prod_{i=1}^{m} w_i)^\alpha = \prod_{i=1}^{m} u_i\}$

since a proof of the logical and of $n$ separate statements $w_i^\alpha = u_i$ would reveal the relationship between each index $i$ of $w_i$ and the corresponding index $j$ of $u_j$ with $w_i^\alpha = u_j$ after the permutation $P$, allowing the server to determine which elements belong to the intersection, rather than just how many [10]. We note that considering our protocol in a group equipped with a bilinear map does not solve the problem, since the server can check $\hat{e}(w_i, g^\alpha) = \hat{e}(u_j, g)$ for each $u_j$ until he determines all the common elements instead of just their cardinality.

The commitments $g^k$, $g^\alpha$ together with the proofs of knowledge allow the simulator to extract the malicious party's input and may help to ensure that the inputs are consistent and that the same values are used along the protocol. However, since any logical and of $n$ separate PoKs in the above sense would reveal the common elements themselves instead of just their total number, a challenge/response mechanism similar to the one in [10] is needed to guarantee that the same $\alpha$ is used on each $w_i$. An overview of the protocol is presented in Fig. 3.
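The flow of Section 4 (the server masks $H(b'_i)$ with $k$, the client blinds with $\alpha$ and shuffles, the server strips $k$ and counts matches against the $x_j$) together with the $\pi_3$ consistency check above, as an added example that is not the paper's code: a Python model in which an order-$q$ subgroup of $\mathbb{Z}_p^*$ for a safe prime stands in for the elliptic-curve group $G$, the minutia data units $[x_i \,|\, y_i]$ of Section 3.1 are the inputs, and $\pi_3$ is realized as a Chaum-Pedersen style challenge/response proof (an assumption; the paper only says the mechanism follows [10]). The server-side proofs $\pi_1$, $\pi_2$ are omitted.

```python
import hashlib
import math
import random
import secrets

# Constructed toy parameters: an order-q subgroup of Z_p^* for a safe prime p = 2q + 1
# stands in for the paper's elliptic-curve group G (160/224-bit in the paper).
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
G = 4  # 2^2 is a quadratic residue, hence a generator of the order-q subgroup


def is_prime(n):
    """Miller-Rabin; with these bases the test is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(start=1 << 62):
    """Smallest safe prime p = 2q + 1 with q >= start (deterministic); returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


def data_unit(x, y, cell=8):
    """Section 3.1: quantize a minutia's row/column index and concatenate to b_i = [x_i | y_i]."""
    return (x // cell).to_bytes(2, "big") + (y // cell).to_bytes(2, "big")


def H(p, item):
    """MapToPoint stand-in: hash into Z_p, then square so the image lies in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(item).digest(), "big") % p
    return pow(h, 2, p) if h > 1 else G


def server_mask(p, q, registered):
    """S: pick k and send w_i = H(b'_i)^k for the registered template (pi_1 on g^k omitted)."""
    k = secrets.randbelow(q - 1) + 1
    return k, [pow(H(p, b), k, p) for b in registered]


def client_respond(p, q, w, fresh):
    """C: blind every w_i with alpha, shuffle (permutation P) and send x_j = H(b_j)^alpha."""
    alpha = secrets.randbelow(q - 1) + 1
    u = [pow(wi, alpha, p) for wi in w]
    random.shuffle(u)  # P hides which w_i produced which u_i
    x = [pow(H(p, b), alpha, p) for b in fresh]
    return alpha, pow(G, alpha, p), u, x


def server_match(p, q, k, u, x, t):
    """S: strip k (y_i = u_i^(1/k) = H(b'_i)^alpha), count x_j in {y_i}, compare with threshold t."""
    k_inv = pow(k, -1, q)
    y = {pow(ui, k_inv, p) for ui in u}
    d = sum(1 for xj in x if xj in y)
    return d, d >= t


def prod(p, xs):
    return math.prod(xs) % p


# pi_3 = PoK{alpha | (prod w_i)^alpha = prod u_i}, bound to the commitment g^alpha.  Assumed
# realization: interactive Chaum-Pedersen equality-of-discrete-log proof (not from the paper).
def pok_commit(p, q, W):
    r = secrets.randbelow(q - 1) + 1
    return r, pow(G, r, p), pow(W, r, p)


def pok_respond(q, r, c, alpha):
    return (r + c * alpha) % q


def pok_verify(p, W, U, g_alpha, a1, a2, c, s):
    return pow(G, s, p) == a1 * pow(g_alpha, c, p) % p and pow(W, s, p) == a2 * pow(U, c, p) % p


def run_protocol(p, q, registered, fresh, t):
    """One full run; returns (d, accept, pi_3 verified).  A rejected pi_3 forces a reject."""
    k, w = server_mask(p, q, registered)
    alpha, g_alpha, u, x = client_respond(p, q, w, fresh)
    W, U = prod(p, w), prod(p, u)
    r, a1, a2 = pok_commit(p, q, W)
    c = secrets.randbelow(q - 1) + 1  # server's challenge
    s = pok_respond(q, r, c, alpha)
    ok = pok_verify(p, W, U, g_alpha, a1, a2, c, s)
    d, accept = server_match(p, q, k, u, x, t)
    return d, accept and ok, ok
```

Because the $u_i$ are shuffled and the $x_j$ are blinded by $\alpha$, the server only learns how many $x_j$ have a pre-image among its own items, not which ones; a client that applies different exponents to different $w_i$ fails $\pi_3$.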

Lemma5. The proposed s heme a hieves lient priva y against a mali ious server inthe standardmodel.

Sket hof the Proof.Amali iousserveragainstahonest lient anbehave arbi-trarlyasin thefollowingways.

Case1

: A mali ious server anpi k a random set of inputs instead of the registered user information

B

or does not apply the same random exponent

k

that is ommitted in

w

i

=

H

(b

i

)

k

and

g

k

. To avoid this, one an in lude a zero knowledge proof in order to prove thehonest lient that the mali ious server knows the underlying registered biometri feature hashes and another zero knowledge proof to prove that the ommitted value in

g

k

is onsistently used in all

w

i

s.However, asit isproven in [18℄,the server(i.e. there eiverof the PSI s heme of [18℄) annot hange its input set

B

after sending the

w

i

s sin etheserver'sinputset is ommittedintherstandonlymessagehesends regarding the biometri data. With this behaviour, the server does not gain anyadvantagesin ethe honest lient andete tthemali ious behaviourfrom the authenti ationresult (i.e. a reje t de ision for a honest lient that should


Fig. 3. Protocol in malicious model: $m \approx n$

returns a random accept/reject notification or aborts the protocol without any notification. We note that an accept decision of that server for an honest client that should be authenticated remains undetected. Hence, to prove that the committed input set of the server belongs to the particular client that tries to authenticate to the system, authorization of the server's input must be enforced. This can be achieved via the signature of the sensor on the inputs of the server during the registration phase of each client to the server, since the sensor, which captures the biometric data of each client, is fully trusted in any biometric authentication system [6]. An example application in a different context is presented in the Authorized PSI-CA scheme of [10], which we can integrate into our construction with the sole modification of substituting the prime-order group $G$ with a group whose order is a safe RSA modulus $N$. It is shown that, as in the prime-order case, the Boneh-Boyen function in a composite-order group of order $N$ remains a PRF under the $l$-DDHI assumption on such groups (and the hardness of factoring), and that the same generic-group argument which motivated trust in the $l$-DDHI assumption on prime-order groups carries over to composite-order groups as well [17]. Hence, if we use the MapToPoint hash function of [14], which is identical to the Boneh-Boyen PRF, we can integrate authorization of server inputs via the signatures of the trusted sensor at registration.

Case 2: Hence, the only misbehaviour left for the malicious server is to abort without sending the final decision although it computed the (correct) matching score. This can be eliminated by providing fairness via integrating an optimistic fairness protocol, i.e. a semi-trusted offline third-party arbiter. Fairness is out of


client in the standard model.

Due to page limitations, the proofs will appear in the full version of the paper.

8 Comparison

As noted in [23], the Diffie-Hellman-based private matching protocol of [16], which was the first PSI protocol, is actually the most efficient w.r.t. communication (when implemented using elliptic-curve crypto). Besides, since the PSI scheme of [18], the PSI-CA scheme of [10] and our scheme are based on small variations of the protocol in [16], this protocol is suitable for settings with distant parties that have limited connectivity. To the best of our knowledge, the only schemes that provide private fingerprint matching protocols with a concrete security analysis based on the fingerprint minutia representation are described in [3], [29], [12], where the latter considers the set difference metric, whereas the others implement the protocols for Euclidean distance. All three of the protocols provide security against semi-honest adversaries, although the scheme of [29] includes an extension of its semi-honest protocol for malicious adversaries without any security analysis. Thus, for consistency, the comparison is based on the protocols for semi-honest adversaries, and we assume $m \approx n$ for the authentication mode, since the total number of minutiae $m$ registered at the server and $n$ captured at the client side will be close to each other, as opposed to the identification mode as in [3].

Table 1. Comparison of time complexity

Method                     Complexity estimate (number of exponentiations)   Underlying technique
Blanton et al. [3]         quadratic in $m$ + $m$ OT protocols               Homomorphic encryption and Garbled Circuits
Shahandashti et al. [29]   quadratic in $m$                                  OPE
Feng et al. [12]           quadratic in $m$                                  OPE
Our construction           linear in $m$                                     PSI-CA

Notes: in authentication mode; [13] reduces the number of exponentiations to $O(n \log\log m)$ using Horner's rule and hashing for bucket allocation; $m \approx n$ with $20 < m < 40$.

Therefore, our construction is the most efficient authentication protocol for minutia-based fingerprint authentication based on PSI techniques, in particular the OPE of [13]. In addition, our protocol is more efficient compared to the garbled circuit-based construction of [3], as it is shown in [9] that the PSI and PSI-CA constructions of [10] are more efficient than garbled-circuit based constructions. Finally, the only scheme that considers malicious parties is [29]


PoKs at each step of the protocol, which is already complex enough for the semi-honest model.
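The Diffie-Hellman-style PSI-CA of [10] whose exponentiation count the comparison above relies on, as an added example that is not the paper's or [10]'s code: it assumes a freshly generated, deliberately small safe-prime group and a toy hash-to-group H(x) = g^sha256(x) in place of the MapToPoint of [14], and returns the intersection cardinality together with the number of exponentiations both parties performed, which is linear in m + n as Table 1 states.

```python
# Added example (not code from the paper or [10]): a toy run of the DH-style
# PSI-CA of De Cristofaro, Gasti and Tsudik [10] that the paper builds on.
# Assumed: a freshly generated 62-bit safe-prime group (far too small for real
# use) and a toy hash-to-group H(x) = g^sha256(x) in place of MapToPoint [14].
import hashlib, random

EXPS = [0]            # counts exponentiations, the cost measure of Table 1
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def expo(base, e, p):
    EXPS[0] += 1
    return pow(base, e, p)

def is_prime(n):
    """Miller-Rabin for odd n > 37; BASES make it deterministic for n < 2**64."""
    r = ((n - 1) & (1 - n)).bit_length() - 1   # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for b in BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=62):
    """(p, q, g) with p = 2q + 1 prime; g = 4 generates the order-q subgroup."""
    while True:
        q = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def psi_ca(client_set, server_set, bits=62):
    """Client learns only |client_set & server_set|; server learns nothing.
    Returns (cardinality, total exponentiations of both parties)."""
    p, q, g = safe_prime_group(bits)
    EXPS[0] = 0
    tag = lambda y: hashlib.sha256(str(y).encode()).digest()
    H = lambda x: expo(g, int(hashlib.sha256(x.encode()).hexdigest(), 16) % q, p)
    r_c, r_s = random.randrange(1, q), random.randrange(1, q)
    a = [expo(H(c), r_c, p) for c in client_set]          # client -> server
    random.shuffle(a)                                      # hides WHICH items match
    a2 = [expo(x, r_s, p) for x in a]                      # server -> client
    tags = {tag(expo(H(s), r_s, p)) for s in server_set}   # server -> client
    inv = pow(r_c, -1, q)                                  # client unblinds, counts
    return sum(tag(expo(x, inv, p)) in tags for x in a2), EXPS[0]
```

The shuffle in the server's round is what restricts the client to the cardinality; without it the client would see which of its own minutiae matched, the same element-level leakage that the bilinear-map check discussed above would hand to the server.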

9 Conclusion

In this paper, we design an efficient biometric authentication protocol for a client-server architecture based on one of the most efficient PSI-CA techniques. Our scheme is suitable for any type of biometrics that can be represented as an unordered set of features, similar to the constructions of fuzzy vault. We prove the security in the standard model based on well-exploited assumptions and consider malicious parties, which is essential to eliminate specific attacks on biometric schemes. A future work could be the integration of a fairness protocol to prevent a malicious abort of the server.

References

1. A. Adler. Vulnerabilities in biometric encryption systems. In AVBPA'05, pages 1100-1109, 2005.

2. M. Barni, T. Bianchi, D. Catalano, M. Di Raimondo, R. Donida Labati, P. Failla, D. Fiore, R. Lazzeretti, V. Piuri, F. Scotti, and A. Piva. Privacy-preserving fingercode authentication. In MMSec'10, pages 231-240. ACM, 2010.

3. M. Blanton and P. Gasti. Secure and efficient protocols for iris and fingerprint identification. In ESORICS'11, volume 6879 of LNCS, pages 190-209. Springer, 2011.

4. D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In CRYPTO'01, volume 2139 of LNCS, pages 213-229. Springer, 2001.

5. J. Bringer, H. Chabanne, G. Cohen, B. Kindarji, and G. Zemor. Optimal iris fuzzy sketches. In BTAS'07, pages 1-6. IEEE, 2007.

6. J. Bringer, H. Chabanne, M. Izabachène, D. Pointcheval, Q. Tang, and S. Zimmer. An application of the Goldwasser-Micali cryptosystem to biometric authentication. In ACISP'07, volume 4586 of LNCS, pages 96-106. Springer, 2007.

7. R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. J. ACM, 51(4):557-594, 2004.

8. T. C. Clancy, N. Kiyavash, and D. J. Lin. Secure smartcard based fingerprint authentication. In WBMA'03, pages 45-52. ACM, 2003.

9. E. De Cristofaro and G. Tsudik. Experimenting with fast private set intersection. In Trust and Trustworthy Computing, volume 7344 of LNCS, pages 55-73. Springer, 2012.

10. E. D. Cristofaro, P. Gasti, and G. Tsudik. Fast and private computation of cardinality of set intersection and union. In CANS'12, volume 7712 of LNCS, pages 218-231. Springer, 2012.

11. C. Dong, L. Chen, and Z. Wen. When private set intersection meets big data: an efficient and scalable protocol. In ACM CCS'13, pages 789-800. ACM, 2013.

12. Q. Feng, F. Su, and A. Cai. Privacy-preserving authentication using fingerprint.

13. … intersection. In EUROCRYPT'04, volume 3027 of LNCS, pages 1-19. Springer, 2004.

14. V. Goyal, A. O'Neill, and V. Rao. Correlated-input secure hash functions. In TCC'11, volume 6597 of LNCS, pages 182-200. Springer, 2011.

15. K. Grauman, M. Gerbush, A. Luong, and B. Waters. Reconstructing a fragmented face from a cryptographic identification protocol. In WACV'13, pages 238-245. IEEE, 2013.

16. B. A. Huberman, M. Franklin, and T. Hogg. Enhancing privacy and trust in electronic communities. In Proceedings of the 1st ACM Conference on Electronic Commerce, EC'99, pages 78-86. ACM, 1999.

17. S. Jarecki and X. Liu. Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection. In TCC'09, volume 5444 of LNCS, pages 577-594. Springer, 2009.

18. S. Jarecki and X. Liu. Fast secure computation of set intersection. In SCN'10, volume 6280 of LNCS, pages 418-435. Springer, 2010.

19. A. Juels and M. Sudan. A fuzzy vault scheme. Des. Codes Cryptography, 38(2):237-257, 2006.

20. A. Juels and M. Wattenberg. A fuzzy commitment scheme. In ACM CCS'99, pages 28-36, 1999.

21. S. Kanade, D. Petrovska-Delacrétaz, and B. Dorizzi. Multi-biometrics based cryptographic key regeneration scheme. In Biometrics: Theory, Applications, and Systems, 2009. BTAS'09. IEEE 3rd International Conference on, pages 1-7, 2009.

22. M. Osadchy, B. Pinkas, A. Jarrous, and B. Moskovich. SCiFI - a system for secure face identification. In IEEE Symposium on Security and Privacy, pages 239-254, 2010.

23. B. Pinkas, T. Schneider, and M. Zohner. Faster private set intersection based on OT extension. In Usenix'04, pages 797-812. USENIX Association, 2014.

24. N. D. Sarier. A New Biometric Identity Based Encryption Scheme. In International Symposium on Trusted Computing - TrustCom'08, pages 2061-2066. IEEE, 2008.

25. N. D. Sarier. A new Biometric Identity Based Encryption Scheme secure against DoS attacks. Security and Communication Networks, 3(1):268-274, 2010.

26. N. D. Sarier. Generic Constructions of Biometric Identity Based Encryption Systems. In WISTP'10, volume 6033 of LNCS, pages 90-105. Springer, 2010.

27. N. D. Sarier. Security Notions of Biometric Remote Authentication Revisited. In STM'11, volume 7170 of LNCS, pages 72-89. Springer, 2011.

28. N. D. Sarier. Biometric Cryptosystems: Authentication, Encryption and Signature for Biometric Identities. PhD thesis, Bonn University, Germany, 2013.

29. S. F. Shahandashti, R. Safavi-Naini, and P. Ogunbona. Private fingerprint matching. In ACISP'12, volume 7372 of LNCS, pages 426-433. Springer, 2012.

30. B. Tams. Absolute fingerprint pre-alignment in minutiae-based cryptosystems. In BIOSIG'13, pages 1-12. IEEE, 2013.

31. B. Tams. Attacks and countermeasures in fingerprint based biometric cryptosystems. CoRR, abs/1304.7386, 2013.

32. U. Uludag and A. Jain. Securing fingerprint template: Fuzzy vault with helper data. In CVPRW'06. IEEE, 2006.

33. U. Uludag, S. Pankanti, and A. K. Jain. Fuzzy vault for fingerprints. In AVBPA'05, volume 3546 of LNCS, pages 310-319. Springer, 2005.
