Privacy Preserving Biometric Authentication for Fingerprints and Beyond
Pages 367 - 378
Abstract
Biometric authentication eliminates the need for users to remember secrets and serves as a convenient mechanism for user authentication. Traditional implementations of biometric-based authentication store sensitive user biometry on the server and the server becomes an attractive target of attack and a source of large-scale unintended disclosure of biometric data. To mitigate the problem, we can resort to privacy-preserving computation and store only protected biometrics on the server. While a variety of secure computation techniques is available, our analysis of privacy-preserving biometric authentication constructions revealed that available solutions fall short of addressing the challenges of privacy-preserving biometric authentication. Thus, in this work we put forward new constructions to address the challenges.
Our solutions employ a helper server and use strong threat models, where a client is always assumed to be malicious, while the helper server can be semi-honest or malicious. We also determined that standard secure multi-party computation definitions are insufficient to properly demonstrate security in the two-phase (enrollment and authentication) entity authentication application. We thus extend the model and formally show security in the multi-phase setting, where information can flow from one phase to another and the set of participants can change between the phases. We implement our constructions and show that they exhibit practical performance for authentication in real time.
References
[1]
S. Agrawal, S. Badrinarayanan, P. Mohassel, P. Mukherjee, and S. Patranabis. BETA: Biometric-enabled threshold authentication. In Public-Key Cryptography (PKC), pages 290--318, 2021.
[2]
S. Agrawal, S. Badrinarayanan, P. Mukherjee, and P. Rindal. Game-Set-MATCH: Using mobile devices for seamless external-facing biometric matching. In ACM Conference on Computer and Communications Security, pages 1351--1370, 2020.
[3]
S. Agrawal, P. Miao, P. Mohassel, and P. Mukherjee. Pasta: PASsword-based Threshold Authentication. In ACM SIGSAC Conference on Computer and Communications Security (CCS), page 2042--2059, 2018.
[4]
M. Aliasgari, M. Blanton, and F. Bayatbabolghani. Secure computation of hidden Markov models and secure floating-point arithmetic in the malicious model. International Journal of Information Security, 16:577--601, 2017.
[5]
G. Asharov, Y. Lindell, T. Schneider, and M. Zohner. More efficient oblivious transfer and extensions for faster secure computation. In ACM Conference on Computer and Communications Security (CCS), pages 535--548, 2013.
[6]
G. Asharov, Y. Lindell, T. Schneider, and M. Zohner. More efficient oblivious transfer extensions with security for malicious adversaries. Cryptology ePrint Archive, Report 2015/061, 2015.
[7]
M. Barni, T. Bianchi, D. Catalano, M. Di Raimondo, R. Donida Labati, P. Failla, D. Fiore, R. Lazzeretti, V. Piuri, F. Scotti, and A. Piva. Privacy-preserving fingercode authentication. In ACM Workshop on Multimedia and Security, pages 231--240, 2010.
[8]
F. Bayatbabolghani, M. Blanton, M. Aliasgari, and M. Goodrich. Secure fingerprint alignment and matching protocols. arXiv Report 1702.03379, 2017.
[9]
M. Bellare, V. T. Hoang, S. Keelveedhi, and P. Rogaway. Efficient garbling from a fixed-key blockcipher. In IEEE S&P, pages 478--492, 2013.
[10]
M. Blanton and M. Aliasgari. On the (non-)reusability of fuzzy sketches and extractors and security in the computational setting. In International Conference on Security and Cryptography (SECRYPT), pages 68--77, 2011.
[11]
M. Blanton and M. Aliasgari. Secure outsourced computation of iris matching. Journal of Computer Security, 20(2--3):259--305, 2012.
[12]
M. Blanton and P. Gasti. Secure and efficient protocols for iris and fingerprint identification. In ESORICS, pages 190--209, 2011.
[13]
M. Blanton and D. Murphy. Privacy preserving biometric authentication for fingerprints and beyond. Cryptology ePrint Archive Report 2024/525, 2024.
[14]
M. Blanton and S. Saraph. Oblivious maximum bipartite matching size algorithm with applications to secure fingerprint identification. In European Symposium on Research in Computer Security (ESORICS), pages 384--406, 2015.
[15]
V. Boddeti. Secure face matching using fully homomorphic encryption. In IEEE International Conference on Biometrics Theory, Applications and Systems (BTAS), pages 1--10, 2018.
[16]
F. Catak, S. Yildirim Yayilgan, and M. Abomhara. A privacy-preserving fully homomorphic encryption and parallel computation based biometric data matching. Preprints manuscript 2020070658, 2020.
[17]
J. Cheon, H. Chung, M. Kim, and K.-W. Lee. Ghostshell: Secure biometric authentication using integrity-based homomorphic evaluations. IACR Cryptology ePrint Archive Report 2016/484, 2016.
[18]
J. Engelsma, K. Cao, and A. Jain. Learning a fixed-length fingerprint representation. IEEE Transactions on Pattern Analysis and Machine Intelligence, 43(6):1981-- 1997, 2021.
[19]
J. Engelsma, A. Jain, and V. Boddeti. HERS: Homomorphically encrypted representation search. IEEE Transactions on Biometrics, Behavior, and Identity Science, 4(3):349--360, 2022.
[20]
Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, and T. Toft. Privacypreserving face recognition. In Privacy Enhancing Technologies Symposiym (PETS), pages 235--253, 2009.
[21]
J. Ernst and A. Mitrokotsa. A framework for UC secure privacy preserving biometric authentication using efficient functional encryption. In Applied Cryptography and Network Security (ACNS), pages 167--196. 2023.
[22]
J.-K. Im, S.-Y. Jeon, and M.-K. Lee. Practical privacy-preserving face authentication for smartphones secure against malicious clients. IEEE Transactions on Information Forensics and Security (TIFS), 15:2386--2401, 2020.
[23]
Y. Ishai, J. Kilian, K. Nissim, and E. Petrank. Extending oblivious transfers efficiently. In Advances in Cryptology -- CRYPTO, pages 145--161, 2003.
[24]
A. Juels and M. Sudan. A fuzzy vault scheme. Design, Codes and Cryptography, 38:237--257, 2006.
[25]
B. Karmakar, N. Koti, A. Patra, S. Patranabis, P. Paul, and D. Ravi. Asterisk: Super-fast MPC with a friend. In IEEE Symposium on Security and Privacy (S&P), pages 127--127, 2024.
[26]
V. Kolesnikov and T. Schneider. Improved garbled circuit: Free XOR gates and applications. In Automata, Languages and Programming, pages 486--498, 2008.
[27]
S. Kumar, D. Culler, and R. Popa. MAGE: Nearly zero-cost virtual memory for secure computation. In USENIX Symposium on Operating Systems Design and Implementation (OSDI), pages 367--385, 2021.
[28]
Y. J. Lee, K. R. Park, S. J. Lee, K. Bae, and J. Kim. A new method for generating an invariant iris private key based on the fuzzy vault system. IEEE Transactions on Systems, Man and Cybernetics. Part B, Cybernetics, 38(5):1302--1313, 2008.
[29]
M. Morampudi, M. Prasad, and U. Raju. Privacy-preserving iris authentication using fully homomorphic encryption. Multimedia Tools and Applications, 79:19215--19237, 2020.
[30]
K. Nandakumar, A. Nagar, and A. Jain. Hardening fingerprint fuzzy vault using password. In International Conference on Advances in Biometrics (ICB), pages 927--937, 2007.
[31]
M. Osadchy, B. Pinkas, A. Jarrous, and B. Moskovich. SCiFI - a system for secure face identification. In IEEE Symposium on Security and Privacy, pages 239--254, 2010.
[32]
P. Pullonen and S. Siim. Combining secret sharing and garbled circuits for efficient private IEEE 754 floating-point computations. In Financial Cryptography and Data Security, pages 172--183, 2015.
[33]
A.-R. Sadeghi, T. Schneider, and I. Wehrenberg. Efficient privacy-preserving face recognition. In International Conference on Information Security and Cryptology (ICISC), pages 229--244, 2010.
[34]
J. Sedenka, S. Govindarajan, P. Gasti, and K. Balagani. Secure outsourced biometric authentication with performance evaluation on smartphones. IEEE Transactions on Information Forensics and Security (TIFS), 10(2):384--396, 2015.
[35]
U. Uludag, S. Pankanti, and A. Jain. Fuzzy vault for fingerprints. In Audio and Video Based Biometric Person Authentication (AVBPA), pages 310--319, 2005.
[36]
A. C. Yao. Protocols for secure computations. In Annual Symposium on Foundations of Computer Science (SFCS), pages 160--164, 1982.
[37]
H. Zhu, Q. Wei, X. Yang, R. Lu, and H. Li. Efficient and privacy-preserving online fingerprint authentication scheme over outsourced data. IEEE Transactions on Cloud Computing, 9(2):576--586, 2018.
Index Terms
- Privacy Preserving Biometric Authentication for Fingerprints and Beyond
Recommendations
Privacy-preserving iris authentication using fully homomorphic encryption
AbstractRapid advancement in technology has led to the use of biometric authentication in every field. In particular, from the past few years, iris recognition systems has gained overwhelming advancement over other biometric traits due to its stability ...
Outsourceable two-party privacy-preserving biometric authentication
ASIA CCS '14: Proceedings of the 9th ACM symposium on Information, computer and communications securityBiometric authentication, a key component for many secure protocols and applications, is a process of authenticating a user by matching her biometric data against a biometric database stored at a server managed by an entity. If there is a match, the ...
An effective iris biometric privacy protection scheme with renewability
AbstractIris is considered a unique, robust biometric that can be used as an authentication factor. Privacy protection of individuals’ iris templates is an essential requirement. The essential attributes needed to ensure privacy of biometrics are ...
Comments
Information & Contributors
Information
Published In
June 2024
429 pages
ISBN:9798400704215
DOI:10.1145/3626232
- General Chair:
- João P. Vilela,
- Program Chairs:
- Haya Schulmann,
- Ninghui Li
Copyright © 2024 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 19 June 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
Conference
CODASPY '24
Sponsor:
CODASPY '24: Fourteenth ACM Conference on Data and Application Security and Privacy
June 19 - 21, 2024
Porto, Portugal
Acceptance Rates
Overall Acceptance Rate 149 of 789 submissions, 19%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 46Total Downloads
- Downloads (Last 12 months)46
- Downloads (Last 6 weeks)13
Reflects downloads up to 09 Nov 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in