WO2021167534A1 - Biometric template recognition system - Google Patents

Biometric template recognition system Download PDF

Info

Publication number
WO2021167534A1
WO2021167534A1 PCT/SG2021/050081 SG2021050081W WO2021167534A1 WO 2021167534 A1 WO2021167534 A1 WO 2021167534A1 SG 2021050081 W SG2021050081 W SG 2021050081W WO 2021167534 A1 WO2021167534 A1 WO 2021167534A1
Authority
WO
WIPO (PCT)
Prior art keywords
template
encrypted
biometric template
biometric
trusted
Prior art date
Application number
PCT/SG2021/050081
Other languages
French (fr)
Inventor
Jia Chng LOH
Hwei Ming Jason YING
Geong Sen POH
Hoon Wei Lim
Jia Xu
Original Assignee
Singapore Telecommunications Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Singapore Telecommunications Limited filed Critical Singapore Telecommunications Limited
Publication of WO2021167534A1 publication Critical patent/WO2021167534A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • G06Q20/40145Biometric identity checks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821Electronic credentials
    • G06Q20/38215Use of certificates or encrypted proofs of transaction rights
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina

Definitions

  • the present invention relates to a biometric template recognition system which performs authentication using encrypted biometric templates.
  • biometric information such as fingerprint, face and iris
  • providing organizations access to a collection of comprehensive biometric templates hosted by a trusted organization will enable more effective authentication of an individual, instead of relying only on documentation carried by the individual.
  • the benefits are twofold. Firstly, it allows organizations that currently have no access or require lengthy administrative and legal processes to have direct access to a readily available database. Secondly, these agencies and private entities do not need to invest in infrastructure to register users and constmct a biometric database of their own. This also reduces potential breaches of the templates, especially if there are many different copies residing in each of the organizations.
  • a biometric template recognition system comprising an authentication module configured to receive, from a device, identity details of a user requesting authentication, the device having a captured encrypted biometric template from the user; retrieve a trusted encrypted biometric template associated to the user through the received identity details, wherein the encryption used in the captured encrypted biometric template and the trusted encrypted biometric template is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved, one of the two encrypted data points being a feature vector from the trusted encrypted biometric template and the other being a corresponding feature vector from the captured encrypted biometric template, with the two plaintext data points being the two encrypted data points before encryption; and receive the authentication result returned from determining a similarity match score, the determination being based on at least: computation performed at the authentication module with the trusted encrypted biometric template as input; and computation performed at the device with the captured encrypted biometric template as input.
  • a biometric template recognition system comprising a data repository configured to provide a trusted encrypted biometric template associated to a user, wherein the encryption used in the trusted encrypted biometric template is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved, one of the two encrypted data points being a feature vector from the trusted encrypted biometric template and the other being a corresponding feature vector from a captured encrypted biometric template associated to the user, with the two plaintext data points being the two encrypted data points before encryption, whereby authentication of the user occurs from determining whether a similarity match score is below a threshold value, the determination being based on at least: computation performed with the trusted encrypted biometric template as input; and computation performed with the captured encrypted biometric template as input.
  • Figure 1 shows a schematic of a biometric template recognition system in which authentication is performed using encrypted biometric complete templates.
  • Figure 2 shows a schematic of a biometric template recognition system in which authentication is performed using encrypted biometric partial templates, in which a raw biometric complete template is split before being encrypted.
  • Figures 3 and 4 show a schematic of a biometric template recognition system in which authentication is performed using encrypted biometric partial templates, in which a raw biometric complete template is encrypted before being split.
  • Figure 3 shows the biometric template recognition system during setup and registration phases, while Figure 4 shows the system during authentication phase.
  • the present application finds relevance for trusted organisations in possession of a raw biometric database whose data is to be shared to enable other organisations to provide authentication services without these other organizations learning the underlying biometric information. These organisations do not need to collect user biometric data or always connect to the central raw biometric database, thus reducing the number of potential attack points.
  • biometric template recognition system has features drawn from the two broad categories of biometric authentication systems and biometric identification systems.
  • An identification system refers to the claiming of an identity and an authentication system refers to the act of verifying or proving the claimed identity.
  • the disclosed biometric template recognition system performs authentication using a distance-preserving encryption scheme and secure distance computation.
  • the other organisations only hold a derived, encrypted biometric dataset and need not be fully trusted.
  • the disclosed system is secure even when the other organisations collude.
  • An overview of the disclosed system is discussed below.
  • the biometric datasets used by the disclosed system are arranged in templates, with each biometric template resulting from raw biometric data having undergone a feature extraction process.
  • the features extracted into the template depends on the biometric data being processed, e.g. fingerprint, facial and speech data are treated differently.
  • the disclosed system is tasked to determine whether it can recognise an encrypted biometric template, held in a device (such as a mobile or a laptop), against a stored encrypted biometric template.
  • the system comprises an authentication module that facilitates this recognition.
  • the authentication module refers to any computer terminal or group of computer terminals with server capability. Such a computer terminal or group of computer terminals have components that include a processor and memory arrangement that perform the necessary arithmetic and logic operations to execute coding instructions, the coding instructions being in respect of biometric authentication in accordance with various embodiments of the present invention. Examples of the authentication module include a data subscriber and a cloud provider (also referred to as a cloud), both described in greater detail below.
  • Authentication is initiated by the device capturing raw biometric data, followed by feature extraction and encryption, so that the device has a captured encrypted biometric template of the user requesting authentication.
  • captured encrypted biometric template in this disclosure refers to the template that is to be verified or authenticated.
  • the authentication module does not receive the captured encrypted biometric template, since interception of the captured encrypted biometric template, if transmitted, poses a vulnerability; although recreation of the raw biometric data from the captured encrypted biometric template is difficult. As such, the disclosed system reduces potential attack points, while maintaining privacy preservation.
  • the authentication module For the authentication module to retrieve a trusted encrypted biometric template associated to the user, the authentication module receives identity details of this user.
  • the retrieved encrypted biometric template is trusted because it is obtained from a trusted source, e.g. a government agency repository or a database containing verified biometric data.
  • the distance-preserving encryption scheme and secure distance computation mechanism used by the disclosed biometric template recognition system requires for the encryption used in the captured encrypted biometric template and the trusted encrypted biometric template to be based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved.
  • One of these two encrypted data points is a feature vector from the trusted encrypted biometric template and the other encrypted data point is a corresponding feature vector from the captured encrypted biometric template, with the two plaintext data points being the two encrypted data points before encryption.
  • the authentication module obtains the authentication result (i.e. whether the captured encrypted biometric template is recognised) by receiving the computation of a similarity match score, the similarity match score being a measure of the difference between the captured encrypted biometric template and the trusted encrypted biometric template.
  • the similarity match score is a distance between corresponding feature vectors from the captured encrypted biometric template and the trusted encrypted biometric template, with authentication occurring when the distance is below or equal to a threshold value. Non-limiting examples of this distance include a Hamming distance or an Euclidean distance. In such an implementation, if the similarity match score is less than or equal to a threshold value, an affirmative authentication result is returned to the authentication module.
  • the similarity match score is returned from an outcome of computation performed at least two different terminals, including the terminal on which the authentication module is hosted. That is, each of these terminals perform a partial computation of the similarity match score, based on their respective inputs.
  • One computation is performed at the authentication module with the trusted encrypted biometric template as input; and another computation performed at the device with the captured encrypted biometric template as input.
  • Each of the two separately performed computations provides an intermediate value to obtaining the similarity match score.
  • An encrypt-then-split mechanism or split-then-encrypt mechanism may also be used, where each of the entities to the biometric template recognition system holds encrypted biometric partial templates.
  • One copy is given to one or more organisations that subscribe to the authentication service, so as to determine whether access to their facilities can be granted to the holder of a device with captured biometric data; and the other copies to organisations that support the computation to obtain the similarity match score. That is, the biometric template recognition system is also configured to perform authentication on partial or complete templates.
  • the term “trusted encrypted biometric template” refers to a complete template derived from trusted raw biometric data
  • the term “captured encrypted biometric template” refers to a complete template derived from captured raw biometric data.
  • the term “trusted encrypted biometric partial template” refers to a partial template derived from trusted raw biometric data
  • the term “trusted encrypted biometric complete template” refers to a complete template derived from the same trusted raw biometric data.
  • the term “captured encrypted biometric partial template” refers to a partial template derived from captured raw biometric data
  • the term “captured encrypted biometric complete template” refers to a complete template derived from the same captured raw biometric data.
  • the trusted encrypted biometric partial template has corresponding feature vectors to the captured encrypted biometric partial template.
  • This encrypt-then-split or split-then-encrypt mechanism enables faster verification for nonmatch instances in early rejection setting and reduces risk of template reconstruction in the event that an encrypted partial template database and its encryption key are leaked.
  • the tmsted encrypted biometric template and the captured encrypted biometric template used for computation of the similarity match score in the encrypt-then-split or split-then- encrypt mechanism are partial templates of their respective complete templates, with the trusted encrypted biometric partial template and the captured encrypted biometric partial template having corresponding feature vectors.
  • an entity to the biometric template recognition system such as a data subscriber can already bar access to a facility from a negative partial result returned from the computation performed at the data subscriber with the trusted encrypted biometric partial template as input and the computation performed at the device with the captured encrypted biometric partial template as input, because the negative partial result indicates the lack of a match between these two partial templates.
  • the determination of the similarity match score is further based on computation performed at another entity of the biometric template recognition system with a remainder of the tmsted encrypted biometric complete template as input; and computation performed at the device with a remainder of the captured encrypted biometric complete template as input.
  • This other entity of the biometric template recognition system refers to a separate computer network, such as a cloud.
  • the remainder of the tmsted encrypted biometric complete template and the remainder of the captured encrypted biometric complete template is each a partial template of its respective complete template.
  • the encrypt-then-split or split-then-encrypt mechanism may also use more than two partial templates for each of the tmsted encrypted biometric template and the captured encrypted biometric template.
  • the remainder of the tmsted encrypted biometric complete template and the remainder of the captured encrypted biometric complete template may each be split into further partial templates, wherein the determination of the similarity match score is obtained from the computation performed on each of these further partial templates.
  • FIG. 1 Each of Figures 1 to 4 shows a biometric template recognition system 100, 200, 300 in which privacy -preserving authentication is performed in accordance with one implementation of the present invention.
  • the biometric template recognition system 100, 200, 300 has four entities:
  • Data Owner 102 A fully tmsted party, e.g. a government agency, which owns biometric templates and outsources an encrypted biometric database.
  • Service Provider This is an honest-but-curious party, e.g. a cloud 104, which stores encrypted biometric database and helps to verify an individual without the need of decrypting an encrypted template.
  • Data Subscriber/s) 106 This is(are) an honest-but-curious party (parties), e.g. a bank(s) or mall(s), which subscribe(s) to the system 100 to authenticate a user.
  • User 108 A user, e.g. client(s) of a bank or customers of a mall, who submit(s) their biometric information for authentication. Users are not trusted but we assume there exists a tamperproof device that extracts and encrypts the user’s biometric information into an encrypted template.
  • the implementations of Figures 1 to 4 employ a common cryptographic protocol, where authentication is determined from computation performed with a trusted encrypted biometric template as input; and computation performed with captured encrypted biometric template as input. Each computation is performed at a different terminal, namely the terminal having the respective biometric template.
  • the encryption used in the captured encrypted biometric template and the trusted encrypted biometric template is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved, one of the two encrypted data points being a feature vector from the trusted encrypted biometric template and the other being a corresponding feature vector from the captured encrypted biometric template, with the two plaintext data points being the two encrypted data points before encryption.
  • the common cryptographic protocol allows for secure two-party computation, where two parties, each with private vector inputs, securely decide if the private vector inputs are sufficiently similar (such as an Euclidean distance or a Hamming distance between their respective private vector inputs being smaller than a given threshold) without leaking extra information.
  • the biometric template recognition system 100 of Figure 1 authenticates based on complete biometric templates.
  • the biometric template recognition system 200 of Figure 2 along with the biometric template recognition system 300 of Figures 3 and 4, authenticate based on partial biometric templates.
  • the biometric template recognition system 200 of Figure 2 splits a complete biometric template, then encrypts the partial biometric templates.
  • the biometric template recognition system 300 of Figures 3 and 4 encrypts a complete biometric template, then splits the encrypted complete biometric template into encrypted partial biometric templates. Operation of the biometric template recognition systems 100 and 200 is first discussed with reference to Figures 1 and 2.
  • the data owner 102 is assumed to pre-compute their existing trusted biometric templates 112, i.e. the data owner 102 enrols the users 108.
  • matching 118 is based on a tmsted encrypted biometric template 110 hosted by the cloud provider 104 against a captured encrypted biometric template 130 hosted by the user device 124.
  • the authentication result 120 is determined by the matching 118 result and returned to the data subscriber 106, so that the user 108 can, for example, access a facility belonging to the data subscriber 106.
  • the biometric template recognition system 200 of Figure 2 is an extended setting, where the data owner 102 splits 202, then encrypts 206, 204 trusted biometric templates 212 into two parts.
  • the biometric template recognition system 200 authenticates based on encrypted partial templates (for both trusted and captured biometric data).
  • the split-then-encrypt approach allows the data owner 102 to give a partial copy 208 of a trusted encrypted biometric template to the data subscriber 106 and another partial copy 210 to the cloud provider 104 (which corresponds to the remainder of the trusted biometric template 212), thus reducing risk of leakage of the trusted encrypted biometric complete template (208 and 210) if one of the data subscriber 106 or the cloud provider 104 trusted encrypted biometric partial templates 208, 210 is compromised.
  • the trusted encrypted biometric complete template (208 and 210) computed 216 for authentication, by performing matching 218 based on the trusted encrypted biometric partial template 210 hosted by the cloud provider 104 against a captured encrypted biometric partial template 226 having corresponding feature vectors, hosted by the user device 124.
  • the final authentication result 220 is determined by both the matching partial results 214 and 218 and returned to the data subscriber 106, so that the user 108 can, for example, access a facility belonging to the data subscriber 106.
  • every secret key to encrypt the trusted biometric template for every user 108 is derived from a master secret key owned by the data owner 102.
  • the encrypted biometric templates 110 are stored by the cloud 104 or the data subscriber 106. We assume the cloud 104 and the data subscriber 106 are honest-and-curious where both follow the protocol, but try to guess the trusted encrypted biometric templates (in both complete and partial forms in Figures 1 and 2 respectively).
  • - Passive Attack-I (Ciphertext Only Attack): The adversary knows the encrypted biometric database and the encrypted queries.
  • - Passive Attack-II (Known-Sample Attack): In addition to Passive Attack-I, the adversary learns some plain biometric templates but do not know the corresponding encrypted one. For example, the adversary observes the encrypted database as well as obtaining sample templates collected by the other parly. The adversary then knows the values of several records in the plaintext database.
  • the biometric template recognition systems 100, 200 should allow their cloud 104 to determine the similarity of the stored trusted encrypted biometric template (complete version 110 for Figure 1; partial versions 208 and 210 for Figure 2) and given captured encrypted biometric template (complete version 130 for Figure 1; partial versions 222 and 226 for Figure 2). However, it is infeasible to recover the plaintext biometric template and feature.
  • the security against Passive Attack-I is defined as the following game between an adversary and a simulator S.
  • S generates keypairs sk i ID for n -users ID and i data subscribers.
  • S encrypts the user biometric templates and returns the encrypted templates to
  • the P2BA (privacy preserving and outsourced biometric authentication scheme underlying the biometric template recognition systems 100, 200) is secure against Passive Attack-I if no PPT adversary can have success probability more than in its game.
  • the security against Active Attack is defined as the following game between an adversary and a simulator S.
  • - Query I is allowed to make queries for authentication with any biometric feature.
  • Query II can still make queries as in Query I with the restriction that (m 0 , m 1 ) is not allowed.
  • - ReEnc On input . it computes a re-encrypted vector .
  • the order of the encryption affects the equivalence e.g. - Ver: On input PM, a tuple of encrypted vectors (which is encrypted with the same sk, and authenticated threshold value t, it computes their distance d.
  • the output is “1” if d ⁇ t and "0" if otherwise (e.g. d > t or authentication failure).
  • biometric template recognition systems 100, 200 The building blocks used in the biometric template recognition systems 100, 200 is described below.
  • a biometric recognition scheme to extract features and construct templates from raw biometric information e.g. fingerprint, face, iris
  • a distance-recoverable encryption is used to encrypt these templates.
  • a secure distance computation mechanism is used for authentication.
  • the biometric template recognition systems 100, 200 uses feature extraction to transform raw biometric traits (e.g., fingerprints, voice patterns, facial patterns, etc.) into templates.
  • the extracted features are then called feature vectors with n elements.
  • the authentication result is based on the Euclidean distance that is compared with the defined threshold t.
  • t the Euclidean distance that is compared with the defined threshold t.
  • This adopted biometric recognition scheme has the biometric template recognition systems 100, 200 using the same encryption in the captured encrypted biometric template (complete version 130 for Figure 1; partial versions 222 and 226 for Figure 2) and the trusted encrypted biometric template (complete version 110 for Figure 1; partial versions 208 and 210 for Figure 2), which is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved.
  • One of the two encrypted data points is a feature vector from the trusted encrypted biometric template, with the other encrypted data point being a corresponding feature vector from the captured encrypted biometric template.
  • the two plaintext data points refer to the two encrypted data points before encryption. The distance recoverable transformation is discussed in greater detail below.
  • the biometric template recognition systems 100, 200 utilises distance-recoverable encryption (DRE) to calculate the distance between two encrypted data points such that the distance between the plain data points is equal to the two encrypted data points,
  • DRE distance-recoverable encryption
  • the DRE used in the biometric template recognition systems 100, 200 may, for example, be based on a distance-preserving transformation (DPT) constructed using an orthogonal matrix, which can preserve Euclidean distance.
  • DPT distance-preserving transformation
  • M M 0 M 1 , if M 0 and M 1 are orthogonal matrices, M is also an orthogonal matrix.
  • E ( ⁇ , ⁇ ) be an encryption function with the input of n -dimension vector and secret key that outputs an encrypted vector as follows: such that M is an n x n orthogonal matrix and v is a random vector.
  • the distance between two encrypted vectors is as follows: 3.2.3 Security of DPT
  • DPT may be insecure under Passive Attack-II if the adversary has access to the encrypted database and knows a few samples in plain. The adversary can then perform known-sample attack to recover the database entirely, see “An attacker's view of distance preserving maps for privacy preserving data mining” by Liu, K., Giannella, C, Kargupta, H, European Conference on Principles of Data Mining and Knowledge Discovery, pp. 297-308, Springer (2006). As shown in “Secure knn computation on encrypted databases” by Wong, W.K., Cheung, D.W.I., Kao, B., Mamoulis, N, Proceedings of the 2009 ACM SIGMOD International Conference on Management of data, pp. 139- 152 (2009), such DPT scheme can resist Passive Attack-I as the adversary does not know sk.
  • Theorem 1 A DPT scheme is secure under Passive Attack-I if the adversary is not able to recover the plaintext.
  • the biometric template recognition systems 100, 200 is based on a protocol (see “GShade: faster privacy-preserving distance computation and biometric identification” by Bringer et al, Proceedings of the 2nd ACM workshop on Information hiding and multimedia security, pp. 187-198 (2014)) which allows two parties, a sender S and a verifier V, to securely compute the distance of two biometric features.
  • This oblivious transfer scheme GSHADE guarantees one party does not get more information about the other party’s inputs than what can be deduced from its own inputs and outputs.
  • Theorem 2 Security is proven by simulation in the OT-hybrid setting, where OT s are simulated by a trusted oracle. We recall that each simulator is provided with the input and output of the corrupted party. Case 1: V is corrupted. Since V receives no messages beyond those in OT, its view can be perfectly simulated. Case 2: S is corrupted. Given V ' s output T and input x, S’s view can be perfectly simulated by sending random values in the OT s.
  • the senders refers to the device 124 using the captured encrypted biometric template (complete version 130 for Figure 1; partial versions 222 and 226 for Figure 2), while the verifier V refers to the host of an authentication module (the cloud 104 for Figure 1; for Figure 2: the data subscriber 106 when it is sufficient to only consider the partial template 208, and the data subscriber 106 in communication with the cloud 104 when both the partial templates 208 and 210 need to be considered) using the trusted encrypted biometric template (complete version 110 for Figure 1; partial versions 208 and 210 for Figure 2).
  • the verifier V refers to the host of an authentication module (the cloud 104 for Figure 1; for Figure 2: the data subscriber 106 when it is sufficient to only consider the partial template 208, and the data subscriber 106 in communication with the cloud 104 when both the partial templates 208 and 210 need to be considered) using the trusted encrypted biometric template (complete version 110 for Figure 1; partial versions 208 and 210 for Figure 2).
  • the authentication module receives the authentication result returned from determining a similarity match score between the captured encrypted biometric template and the trusted encrypted biometric template, the determination being based on at least: computation performed at the authentication module with the trusted encrypted biometric template as input; and computation performed at the device 124 with the captured encrypted biometric template as input.
  • the cloud provider 104 hosts the tmsted encrypted biometric template 110 provided by the data owner.
  • the cloud provider 104 and the data subscriber 106 each hosts a partial copy (210 and 208 respectively) of the tmsted encrypted biometric template.
  • Our P2BA scheme consists of a tuple ⁇ Setup, MKGen, KeyGen, Enc, ReEnc, Ver ⁇ as follows. It generates pseudorandom orthogonal function pseudorandom vector function , and pseudorandom permutation function PRP( ⁇ , ⁇ ) which reorders the given vector based on the given secret and ID. The final output is a system parameter
  • This algorithm runs It then runs and the encrypted vector is then generated such that This algorithm runs It then runs and the encrypted vector is then generated such that An interactive protocol that is run by party A and B where A on input and B on input to GSHADE. At the end of the protocol, either one party can receive the distance d and run BR. Match(t, d) to return “1” or “0” which indicates the authentication result.
  • the data owner 102 runs setup and the master key generation functions to generate system parameter Setup(1 k ) ⁇ PM and master secret key MKGen(PM ) ⁇ msk.
  • the data owner 102 applies a biometrics recognition scheme BR (e.g. fingercode for fingerprints) to extract the biometric featme and stores the biometric template
  • a biometrics recognition scheme BR e.g. fingercode for fingerprints
  • the data owner 102 runs key generation to generate a long term keypair KeyGen(PM , msk, i) ⁇ ( sk i .pk i ) for i.
  • the data owner 102 stores (i,sk i ,pk i ' ) in a table.
  • the data owner 102 For every user biometric template where k is the total number of users, the data owner 102 generates the encrypted database by running for i, resulting in storage of a plurality of trusted encrypted biometric templates 110.
  • the encrypted database is outsourced to a cloud 104 and the key sk i is embedded into a tamper-proof device 124.
  • the tamper-proof device 124 is passed to the data subscriber 106.
  • the tamper-proof device 124 may be a mobile phone belonging to the user 108, where the key sk i may be embedded into the mobile device through the installation of an application.
  • the device 124 is used to extract and encrypt user biometric to obtain a captured encrypted biometric template 130.
  • the data owner 102 thus acts as a data repository configured to provide a trusted encrypted biometric template 110 associated to a user 108.
  • the encryption used in the trusted encrypted biometric template 110 is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved.
  • One of the two encrypted data points is a feature vector from the trusted encrypted biometric template 110 and the other is a corresponding feature vector from a captured encrypted biometric template 130 associated to the user 108, with the two plaintext data points being the two encrypted data points before encryption.
  • authentication of the user 108 occurs from determining whether a similarity match score is below a threshold value, the determination being based on at least: computation performed with the trusted encrypted biometric template 110 as input; and computation performed with the captured encrypted biometric template 130 as input.
  • the user 108 scans his biometric image Bio u with the tamper-proof device 124.
  • the device 124 runs to extract the feature vector and runs to generate the captured encrypted biometric template 130.
  • the same encryption scheme is used for both captured encrypted biometric template 130 and the trusted encrypted biometric template 110.
  • This encryption scheme has the captured encrypted biometric template 130 and the trusted encrypted biometric template 110 generated based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved.
  • One of the two encrypted data points is a feature vector from the trusted encrypted biometric template 110, with the other encrypted data point being a corresponding feature vector from the captured encrypted biometric template 130.
  • the two plaintext data points refer to the two encrypted data points before encryption.
  • the device 124 also provides identity details of the user 108 requesting authentication, so that the trusted encrypted biometric template 110 associated to the user can be retrieved.
  • the device 124 on input runs the verification protocol with the cloud 104 which has input . That is, one computation is performed at the device 124 with the captured encrypted biometric template 130 as input; and another computation is performed at the cloud 104 with the trusted encrypted biometric template 110 as input. At the end of the protocol, the cloud 104 computes distance d based on the two computation results. The distance d which determines the authentication result. The computation performed at the device 124 with the captured encrypted biometric template 130 as input is transmitted to the cloud 104, so that the cloud 104 can compute this similarity match score.
  • the data subscriber 106 receives either “1” or “0” from the cloud 104, which indicates the authentication result. That is, the cloud 104 transmits the authentication result to the data subscriber 106.
  • P2BA-II Split-then-Encrvpt Setting [060] As compared to P2BA-I described in Section 4.1, P2BA-II deals with a different setting by splitting 202 trusted encrypted biometric templates 212 into two (see the dotted lines connecting the trusted encrypted biometric template 212 to the trusted encrypted biometric partial template 208 and the trusted encrypted biometric partial template 210).
  • Step 1-3 are the same as in the registration phase in Section 4.1.
  • Step 4 in Section 4.1 the data owner 102 splits 202 the encrypted database into two parts, where , so as to obtain a plurality of trusted biometric partial templates.
  • the tamper-proof device 124 with key s/c is passed to the data subscriber 106.
  • the tamper-proof device 124 may be a mobile phone belonging to the user 108, where the key sk i may be embedded into the mobile device through the installation of an application.
  • Step 1 is similar to the authentication phase in Section 4.1 but additionally the device 124 splits the captured encrypted biometric features into two captured encrypted biometric partial templates 222 and 226,
  • the device 124 then runs the verification protocol to authenticate the user 108 with the data subscriber 106 and the cloud 104 respectively.
  • the protocol is run as follows:
  • the first partial distance d Q is run with the data subscriber 106 where the device 124 has input and the data subscriber 106 has input That is, one computation is performed at the device 124 with the captured encrypted biometric partial template 222 as input. Another computation is performed at the data subscriber 106 with the trusted encrypted biometric partial template 208 as input, the data subscriber 106 having retrieved the trusted encrypted biometric partial template 208 from the data owner 102 as discussed under item 3 of the “Registration Phase” section.
  • the captured encrypted biometric partial template 222 and the trusted encrypted biometric partial template 208 have corresponding feature vectors.
  • the data subscriber 106 verifies the first part of authentication, which provides a partial result, and proceeds to effect the calculation of a second partial distance d t if and only if d 0 ⁇ t.
  • a negative partial result stops the process and causes the return of the lack of a match between the trusted encrypted biometric partial template 208 and the captured encrypted biometric partial template 222, so that the authentication is deemed to be invalid.
  • the second partial distance d 1 is run with the cloud 104 where the device 124 has input c yl . ⁇ and the cloud 104 has input c xli ID . That is, one computation is performed at the cloud 104 with the trusted encrypted biometric partial template 210 as input, the tmsted encrypted biometric partial template 210 being a remainder of the tmsted encrypted biometric complete template (i.e. the trusted biometric template 212 after encryption, less the tmsted encrypted biometric partial template 208). Another computation is performed at the device 124 with the captured encrypted biometric partial template 226 as input, the captured encrypted biometric partial template 226 being a remainder of the captured encrypted biometric complete template (i.e. the captured biometric template after encryption, less the captured encrypted biometric partial template 222). These two additional computations seek to determine the similarity between the tmsted encrypted biometric partial template 210 and the captured encrypted biometric partial template 226.
  • the cloud 104 computes d by receiving d 0 from the data subscriber 106, where the cloud 104 receives the result of the computation performed using the tmsted encrypted biometric partial template 208 and the captured encrypted biometric partial template 222.
  • the data subscriber 106 outputs either the authentication result of “1” or “0” from having received a similarity match score determined from the computations performed using the respective inputs of the captured encrypted biometric partial template 222 and the tmsted encrypted biometric partial template 208; and the computations performed using the respective inputs of the captured encrypted biometric partial template 226 and the tmsted encrypted biometric partial template 210, which indicates the authentication result.
  • the proposed P2BA applies the distance-preserving transformation (DPT) scheme in Section 3.2.2 and secure distance computation protocol (GSHADE) in Section 3.3, hence its security depends on the security of these underlying schemes.
  • DPT distance-preserving transformation
  • GSHADE secure distance computation protocol
  • the data owner 102 encrypts the trusted biometric templates 212 with DPT scheme. This should ensure that the encrypted biometric templates stored by the cloud 104 (and the data subscriber 106) will not leak the plaintext biometric templates. P2BA thus should also ensure that the fresh submitted biometric features 140 used during authentication will not leak the biometric feature in plain.
  • Theorem 3 The proposed P2BA is secure against Passive Attack-I (PA-I) if the underlying DPT scheme is secure against PA-I.
  • PA-I Passive Attack-I
  • the challenger runs MKGen(PM) to generate master secret key msk . then runs KeyGen(PM, msk, i ) to generate a secret key sk i for DPT encryption.
  • the adversary may gather some users' biometric templates that previously stored somewhere. Our P2BA should not allow the adversary to learn any extra information. For instance, although the adversary has some users' biometric templates and the encrypted biometric templates where the adversary should not be able to learn its corresponding secret key sk i ID and other users' biometric templates x in the set of .
  • Theorem 4 Our P2BA is secure against Passive Attack II (PA-II) if each of the user biometric template is encrypted with unique secret key sk i ID and the underlying DPT scheme is secure against PA-I.
  • PA-II Passive Attack II
  • Our P2BA should be secure against the adversary being able to collude with both the data subscriber 106 and the cloud 104.
  • the adversary can access the trusted device as a trusted oracle to submit the encrypted biometric features. Since the adversary is colluded with both the data subscriber 106 and the cloud 104, the adversary has the knowledge of the encrypted biometric templates and observes the encrypted biometric features being exchanged.
  • Our P2BA should not allow the adversary to gain any extra information even with the access of the oracle.
  • Theorem 5 Our P2BA is secure against Active Attack (AA) if the underlying secure distance computation protocol (GSHADE) leaks no information other than the distance between the encrypted biometric features.
  • GSHADE secure distance computation protocol
  • the fingerprint biometric template applies the Fingercode feature extractor described in “A multichannel approach to fingerprint classification” by Jain, A.K., Prabhakar, S., Hong, L, IEEE transactions on pattern analysis and machine intelligence 21(4), 348-359 (1999); and “Filterbank-based fingerprint matching” by Jain, A.K., Prabhakar, S., Hong, L., Pankanti, S, IEEE transactions on Image Processing 9(5), 846-859 (2000).
  • Each template is of dimension 640, with each component consisting of a single byte.
  • Table 1 are based on the split-then-encrypt approach along with the Euclidean distance metric for authentication.
  • biometric template recognition system 300 Similar to the biometric template recognition system 200 of Figure 2, the biometric template recognition system 300 of Figure 3 authenticates based on encrypted partial biometric templates. However, as mentioned above, the biometric template recognition system 300 uses an encrypt-then-split construction. Each of the derived and encrypted biometric templates 312 are split into two or more copies 308, 310 where one copy 310 is given to a cloud service provider 104 and the other copy 308 to organisations that subscribe (such as the data subscribers 106) to the authentication services. During verification, captured encrypted biometric partial templates, derived from a captured biometric feature 140, can be tested with corresponding trusted encrypted biometric partial templates 308 hosted by the data subscribers 106.
  • the second advantage is to ensure no single entity has in possession the full raw biometric template of any user, addressing the risk of original features or images being reconstructed from raw biometric templates.
  • encryption circumvents reconstructing a user's features, should there be leakage of an encrypted biometric partial template.
  • FIG. 3 illustrates the operation of the biometric template recognition system 300 during setup and registration phase.
  • four tasks are performed: ⁇ generate cryptography keys; ⁇ encrypt-then-split the raw biometric templates; ⁇ generate subscriber template for every subscriber; and ⁇ deliver user key for every registered user device.
  • the first task ® sees the data owner 102 perform key generation to obtain a master key 330.
  • the data owner 102 uses the master key 330 to derive secret keys 332, one for each m of users 108.
  • the second task ⁇ sees the data owner 102 encrypt a stored raw biometric template with the secret key 332, followed by splitting into two partial copies.
  • One partial copy of the encrypted output is provided to the cloud 104 as a trusted encrypted biometric partial template 310.
  • the data subscriber 106 Before the other partial copy (i.e. the remainder) of the encrypted output is provided to the data subscriber 106, it is encrypted again with a data subscriber key 334 derived from the secret key 332, during the third task (3).
  • the data subscriber 106 thus receives a trusted encrypted biometric partial template 308, which when compared to the trusted encrypted biometric partial template 310 received by the cloud 104, has a further layer of encryption attributable to the data subscriber key 334. That is, for every i data subscriber 106, the data owner 102 encrypts again a portion of output from its encrypt and split operation using a respective data subscriber key 334 that is derived from the user key 332.
  • PBio biometric template recognition system 300 of Figures 3 and 4
  • This section provides an overview of algorithms used in PBio:
  • This algorithm is ran by a data owner. On input security parameter l k . it outputs system parameter PM.
  • biometric template recognition system 300 The building blocks used in the biometric template recognition system 300 is described below.
  • a biometric recognition scheme to extract features and construct templates from raw biometric information e.g. fingerprint, face, iris
  • a distance-recoverable encryption is used to encrypt these templates.
  • a secure distance computation mechanism is used for authentication.
  • the biometric template recognition system 300 uses feature extraction to transform raw biometric traits (e.g., fingerprints, voice patterns, facial patterns, iris, etc.) into templates.
  • the extracted features are then called feature vectors with n elements.
  • the authentication result is based on the Squared Euclidean distance in relation to the defined threshold t.
  • t the defined threshold
  • a lower value of t means the system requires higher similarity to pass.
  • This adopted biometric recognition scheme has the biometric template recognition system 300 using the same encryption for the captured encrypted biometric template (partial versions 422 and 426, see Figure 4) and the trusted encrypted biometric template (partial versions 308 and 310, see Figure 3), which is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved.
  • One of the two encrypted data points is a feature vector from the trusted encrypted biometric template, with the other encrypted data point being a corresponding feature vector from the captured encrypted biometric template.
  • the two plaintext data points refer to the two encrypted data points before encryption. The distance recoverable transformation is discussed in greater detail below.
  • DRE distance-recoverable encryption
  • the DRE used in the biometric template recognition system 300 may, for example, be based on a distance-preserving transformation instantiated with orthogonal matrices.
  • M M 0 M 1 , if M 0 and M 1 are orthogonal matrices, M is also an orthogonal matrix.
  • DPT Distance-Preserving Transformation
  • E ( ⁇ , ⁇ ) be an encryption function with the input of n -dimension vector and secret key that outputs an encrypted vector such that M is an n x n orthogonal matrix, is a random vector, and w is a scale factor.
  • M is an n x n orthogonal matrix
  • w is a scale factor.
  • Proposition 1 E is collision-free under the same secret key. Security of DPT
  • DPT may be broken by solving a large linear equation system, if an adversary obtains sufficient pairs of plaintexts and ciphertexts (see “An attacker's view of distance preserving maps for privacy preserving data mining” by Liu, K., Giannella, C., Kargupta, H, European Conference on Principles of Data Mining and Knowledge Discovery pp. 297-308, Springer (2006)). As shown in “Secure kNN computation on encrypted databases” by Wong, W.K., Cheung, D.W.I., Kao, B., Mamoulis, N, Proceedings of the 2009 ACM SIGMOD International Conference on Management of data, pp. 139-152 (2009), such DPT scheme can resist ciphertext-only attack.
  • Theorem 6 (Security of our DPT): Let and denote two points in the plaintext domain, and c is any valid ciphertext generated using our DRE where the encryption key is randomly chosen from its domain. We have which means a single ciphertext leaks no information of the plaintext.
  • the biometric template recognition system 300 is based on a protocol (see “GShade: faster privacy-preserving distance computation and biometric identification” by Bringer et al, Proceedings of the 2nd ACM workshop on Information hiding and multimedia security, pp. 187-198 (2014)) which allows two parties, a sender s and a verifier V , to securely compute the distance of two biometric features. It guarantees one party does not get more information about the other party's inputs than what can be deduced from its own inputs and outputs.
  • a central building block for the secure distance computation of GSHADE is oblivious transfer (OT). Oblivious transfer is an interactive protocol whereby the sender has a number of messages, and the receiver wishes to obtain a specific one, without the sender knowing which it is, while also ensuring that the receiver gets no information about the other messages which the sender holds.
  • n k x 1-bit integer vectors.
  • j 1, ⁇ ,1.
  • Vs selection bit is x t
  • Theorem 8 Security is proven by simulation in the OT-hybrid setting, where OT s are simulated by a trusted oracle. We recall that each simulator is provided with the input and output of the corrupted parly. Case 1: V is corrupted. Since V receives no messages beyond those in OT, its view can be perfectly simulated. Case 2: S is corrupted. Given Vs output T and input , S' s view can be perfectly simulated by sending random values and to S in the OT s.
  • the sender S refers to the device 124 using the captured encrypted biometric template (partial versions 422 and 426, see Figure 4), while the verifier V refers to the host of an authentication module (the data subscriber 106 when it is sufficient to only consider the partial template 308, and the data subscriber 106 in communication with the cloud 104 when both the partial templates 308 and 310 need to be considered) using the trusted encrypted biometric template (partial versions 308 and 310).
  • the authentication module receives the authentication result returned from determining a similarity match score between the captured encrypted biometric template and the trusted encrypted biometric template, the determination being based on at least: computation performed at the authentication module with the trusted encrypted biometric template as input; and computation performed at the device 124 with the captured encrypted biometric template as input.
  • GSHADE( ⁇ , ⁇ ) ⁇ d a secure distance computation protocol that on input two vectors, outputs the distance d.
  • PRP( ⁇ , ⁇ ) which is run during the encryption Enc( ⁇ ).
  • PRP( ⁇ , ⁇ ) allows the data owner to reorder the user biometric templates where n is the dimension of vector.
  • the proposed scheme consists of a tuple [Setup, MSKGen, KeyGen, Enc, EncT, ReEnc, Ver ⁇ as follows.
  • the distance recoverable transformation comprises one or more of a pseudorandom orthogonal function; a pseudorandom vector function; a pseudorandom scale function; and a pseudorandom permutation function.
  • This algorithms nm> a keyed-hash message authentication code HMAC with the input of msk, user unique identity ID, and a timestamp time to generate a user secret key sk ID .
  • the secret key sk ID depends on any one or more of: the one or more pseudorandom functions used in the distance recoverable transformation; the biometric template dimension; and the user identity details.
  • This algorithm runs and . It then runs and the encrypted vector is then generated such that : This algorithm runs and It then runs .and the encrypted vector is then generated such that This algorithm runs where i is optional.
  • the data owner 102 has a set of biometric templates, which is pre-collected from all the users 108, such that the users 108 have registered their identity id u along with their raw biometric Bio u (e.g. fingerprints, face) with the data owner 102.
  • biometric Bio u e.g. fingerprints, face
  • the data owner 102 then applies a biometric recognition scheme BR (e.g. fingercode for fingerprints) to extract the biometric feature and stores the biometric template BR(Biou) ⁇
  • a biometric recognition scheme BR e.g. fingercode for fingerprints
  • the data owner 102 runs key generation to generate user secret key KeyGen(PM, msk, ID) ⁇ sk ID (see the secret key 332 in Figure 3).
  • the data owner 102 stores (sk ID ,W, time) in a user table Table, j .
  • the data owner 102 For every user biometric template where m is the total number of users 108, the data owner 102 generates the encrypted database by running , resulting in storage of a plurality of trusted encrypted biometric templates 312 (in complete form). [092] The data owner 102 splits the encrypted database into two parts e.g. The first part will be applied during the registration phase, where the data owner 102 transmits one of the partial templates to the data subscriber 106 (namely the trusted encrypted biometric partial template 308, see Figure 3). The second part is outsourced to the cloud 104, where the data owner 102 transmits the other partial template to the cloud 104 (namely the trusted encrypted biometric partial template 310, see Figure 3).
  • the registration phase involves: (a) subscriber registration and (b) user registration.
  • a new data subscriber 106 may register and receive the trusted encrypted biometric partial template 308, while a new user 108 may register a device 124 to install the secret key 332 for authentication service.
  • the details of the registration protocol are described below.
  • the data owner 102 inputs the encrypted partial database and the user table Table u
  • Subscriber i obtains the subscriber i encrypted template
  • the protocol can be initiated by the data subscriber 106 in (a) or the user 108 in (b): a.
  • the data subscriber 106 contacts the data owner 102 to request a copy of encrypted template. We assume the data subscriber 106 will proof the subscription in a secure manner.
  • the user 108 request the user key sk ID by giving a proof of identity.
  • the data owner 102 Upon receiving the request from either (a) or (b), the data owner 102 performs the following steps respectively: a. The data owner 102 verifies the provided subscription and generates the subscriber i encrypted template by running using every user secret key sk ID (see the secret key 332) and encrypted partial templatec This results in the data subscriber 106 retrieving a plurality of trusted encrypted biometric partial templates 308, each having a layer of encryption attributable to the data subscriber key 334, each of the data subscriber keys 334 being derived from a secret key 332. b. The data owner 102 verifies the user 108 identity and embeds sk ID (see the secret key 332 in Figure 3 at the user 108 end) into the user registered device 124. In the case where the device 124 is a mobile phone, the secret key 332 may be embedded through the installation of an application.
  • the data owner 102 thus acts as a data repository configured to provide a trusted encrypted biometric template associated to a user 108, provided to the cloud 104 as the trusted encrypted biometric partial template 310 and to the data subscriber 106 as the trusted encrypted biometric partial template 308.
  • the encryption used in the trusted encrypted biometric template (in complete form) is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved.
  • One of the two encrypted data points is a feature vector from the trusted encrypted biometric template and the other is a corresponding feature vector from a captured encrypted biometric template associated to the user 108, with the two plaintext data points being the two encrypted data points before encryption.
  • the captured encrypted biometric template is a complete template from which the captured encrypted biometric partial template 426 and the captured encrypted biometric partial template 422 are derived.
  • authentication of the user 108 occurs from determining whether a similarity match score is below a threshold value, the determination being based on at least: computation performed with the trusted encrypted biometric template as input (specifically the captured encrypted biometric partial template 422 and the captured encrypted biometric partial template 426); and computation performed with the captured encrypted biometric template the captured encrypted biometric partial template 422 as input (specifically the trusted encrypted biometric partial template 308 and the trusted encrypted biometric partial template 310) as input.
  • FIG. 4 illustrates the operation of the biometric template recognition system 300 during the authentication phase.
  • six tasks are performed: ⁇ encrypt-then-split freshly submitted biometric features to produce two sets of partial features; ⁇ generate subscriber encrypted features on the set of partial features intended for the data subscriber, the generated subscriber encrypted features being further encrypted using a data subscriber encryption key; ⁇ verily the subscriber encrypted features from task ⁇ ; ⁇ reject if the verification of task ⁇ returns an invalid result; ⁇ proceed to verify the remaining set of partial features from task ®; ⁇ combine the final authentication result from task ⁇ , if the verification of task ⁇ returns a valid result, and task ⁇ .
  • the building blocks described in section 7 are used to perform authentication in a secure manner.
  • the user device 124 obtains a one-bit authentication result. The details of the authentication protocol is described below.
  • Subscriber i inputs the subscriber i encrypted template that belongs to the user ID
  • the user 108 scans his biometric image Bio u with the provided tamper-proof device 124. The device then runs BR.Ext(Bio u ' ) ⁇ y ID to extract the feature vector and runs to generate the captured encrypted biometric template (in complete form).
  • the same encryption scheme is used for both the captured encrypted biometric complete template and the trusted encrypted biometric complete template 312.
  • This encryption scheme has the captured encrypted biometric complete template and the trusted encrypted biometric complete template 312 generated based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved.
  • One of the two encrypted data points is a feature vector from the trusted encrypted biometric complete template 312, with the other encrypted data point being a corresponding feature vector from the captured encrypted biometric complete template.
  • the two plaintext data points refer to the two encrypted data points before encryption.
  • the device 124 also provides identity details of the user 108 requesting authentication, so that matching against the correct trusted encrypted biometric complete template 312 associated to the user can be performed (through the data subscriber 106 retrieving the trusted encrypted biometric partial template 308 and the cloud 104 retrieving the trusted encrypted biometric partial template 422.
  • the device 124 splits the captured encrypted biometric features into two parts 440 and 426, where .
  • the device re-encrypts (i.e. the partial template 440) by miming to generate a captured encrypted biometric partial template 422.
  • the device 124 runs the verification protocol to authenticate the user 108 with the data subscriber 106 to compute the first partial distance d o where the device 124 has input (i.e. the captured encrypted biometric partial template 422) and the data subscriber 106 has input (the trusted encrypted biometric partial template 308). That is, one computation is performed at the device 124 with the captured encrypted biometric partial template 422 as input.
  • Another computation is performed at the data subscriber 106 with the trusted encrypted biometric partial template 308 as input, the data subscriber 106 having retrieved the trusted encrypted biometric partial template 208 from the data owner 102 as discussed under item 1 above.
  • the captured encrypted biometric partial template 422 and the trusted encrypted biometric partial template 308 have corresponding feature vectors.
  • the device 124 verifies the first part of authentication, which provides a partial result, and proceeds if and only if . For the device 124 to compute this partial result, the computation performed at the data subscriber 106 with the trusted encrypted biometric partial template 308 as input is transmitted to the device 124.
  • a negative partial result stops the process and causes the return of the lack of a match between the trusted encrypted biometric partial template 308 and the captured encrypted biometric partial template 422 through the device 124 returning the authentication result as "0" to the data subscriber 106.
  • the second partial distance d 1 is run with the cloud 104 where the device has input and the cloud 104 has input . That is, one computation is performed at the cloud 104 with the trusted encrypted biometric partial template 310 as input, the trusted encrypted biometric partial template 310 being a remainder of the trusted encrypted biometric complete template (i.e. the trusted biometric templates 312 after encryption, less the trusted encrypted biometric partial template 308).
  • Another computation is performed at the device 124 with the captured encrypted biometric partial template 426 as input, the captured encrypted biometric partial template 426 being a remainder of the captured encrypted biometric complete template (i.e. the captured biometric template after encryption, less the captured encrypted biometric partial template 422).
  • These two additional computations seek to determine the similarity between the trusted encrypted biometric partial template 310 and the captured encrypted biometric partial template 426.
  • the device 124 obtains from the cloud 104 transmitting the result of its computation performed with the trusted encrypted biometric partial template 310 as input,
  • the device 124 replies the authentication result "1" or "0" to the data subscriber 106.
  • every secret key sk ID (see reference numeral 332 in Figure 3) used to encrypt the biometric templates obtained from the biometric features 140 captured for every user 108 is derived from a master secret key msk owned by the data owner 102.
  • the trusted encrypted biometric templates (in partial form) are stored by the cloud provider 104 or the data subscribers 106. We allow collusion between the cloud 104 and the data subscribers 106. The goal of the adversary is to masquerade a victim user and be accepted by the authentication solution under the victim's name (i.e. breaking soundness property), or to leam some secret information of victim's raw biometric feature via our authentication system (i.e. breaking the zero- knowledge property).
  • the proposed PBio schemes apply the distance-preserving transformation (DPT) scheme in Section 7.2 and secure distance computation protocol (GSHADE) in Section 7.3. Hence, its security depends on the security of these underlying schemes.
  • DPT distance-preserving transformation
  • GSHADE secure distance computation protocol
  • splitting arrangement is public information
  • splitting arrangement is secret
  • splitting arrangement is secret and dummy dimensions are added to raw biometric template templates.
  • Proposition 2 [Correctness]: Our authentication solution is proposed correct, i.e. any legitimate user who is following our authentication solution exactly, will be accepted, except a small probability (i.e. the false negative rate of biometric feature). This proposition follows directly from the property of DRE and correctness of GSHADE.
  • Theorem 7 (Zero Knowledge Proof): After interacting with a user Alice by executing our protocol for many times, both the cloud provider 104 and the subscriber i (i.e. the data subscriber 106) learn nothing about the user's 108 biometric raw data, beyond the ciphertext.
  • Theorem 8 (Soundness): Probabilistic polynomial time adversary (even colluded with some subscribers 106 and the cloud provider 104), cannot pass our authentication with non-negligible probability.
  • the adversary may collude with both the cloud provider 104 and subscriber i, and thus is able to find the DRE ciphertext ct of user's bio template vector x, and observe any network communications of GSHADE.
  • the authentication server learns only one bit information — accepting or rejecting this user 108.
  • the result of implementing the biometric template recognition system 300 with four machines to represent the data owner 102, the data subscriber 106, the cloud provider 104, and the user device 124 respectively are discussed below.
  • the four machines are with the same hardware specification, which is Intel Core i7-8700 CPU @3.20GHz with 8GB RAM and two cores.
  • a face recognition python library as the biometrics recognition scheme, which enables us to detects a face in a raw image, extracts the feature vectors, and matches the similarity later.
  • numpy library https://pypi.org/project/numpy/
  • a master secret key msk was randomly selected in a 256 bits domain.
  • the template database was then encrypted following our encryption scheme.
  • the data owner 102 generated a set of encrypted database c x which is then split into two parts , where is stored by the cloud 104.
  • the encryption time is for the first layer encryption only. We require additional encryption for every subscriber in half of the dimension. For example, if we apply face recognition scheme that consists of 128-n dimension for a template, the encryption time took approximate 1.14 ms per user. In the biometric template recognition system 300, we split n into half after the first layer encryption and we re-encrypt the second layer encryption in 64-n dimension. Hence, there is an additional 0.61ms required for every user, which indicates that the biometric template recognition system 300 requires 1.74ms encryption time. We summarise the encryption time per user in Table 3. We notice that the encryption time increases with the dimensional size of a template. [109] Table 4 summarises the various sizes of biometric templates. The size of the original database and the encrypted database are the same because our encryption technique transforms an original value into a random value, e.g. a biometric template in 128-n dimension and its encrypted template are both in 1024 bytes (B).
  • Both biometric template recognition systems 200 and 300 first compute a partial result (see item 2 under “Authentication Phase” of Section 4.2 for the biometric template recognition system 200; and item 2 under Section 9.3.1 for the biometric template recognition system 300; hereafter referred to as “Part I”) and proceeds to perform complete verification (see item 2 under “Authentication Phase” of Section 4.2 for the biometric template recognition system 200; and item 3 under Section 9.3.1 for the biometric template recognition system 300; hereafter referred to as “Part II”) if and only if Part I is successfully passed. Since split-then-encrypt approach performs encryption in half of the n-dimension, we see that split-then-encrypt approach achieves faster early rejection as the encryption needed for Part I and II can be done separately. However, the encrypt-then-split approach results in an overall faster verification time.
  • E (1) (x) and E (2) (x) to be disjoint halves of encryption E(x). Let the initial encrypted template of U i held by the cloud 104 and the data subscriber 106 to be and respectively.
  • the device 124 receives Y i , Z i from the cloud 104 and data subscriber 106 respectively.
  • the device 124 updates the encrypted template of user U t by performing E ki, 1 Yi) and E ki , 1 Z i ) which are subsequently transmitted to the cloud 104 and data subscriber 106 respectively. Consequently, E kii (Yi ) is the encrypted template of U t with the updated key held by the cloud 104 while E kii (Z i ) is the encrypted template of U t with the updated key held by the data subscriber 106.
  • a potential limitation of this method is that the device 124 is required to fetch encrypted templates of the associated users 108 from the data subscriber 106 and cloud 104 whenever a key update process is called upon.
  • This key server can be continuously online and in one implementation is hosted in a separate terminal (not shown in Figure 3). In another implementation, the key server is hosted by the data owner 102. [121] The main role of this key server is to issue new keys whenever a key update process is initiated. When the key update for the user is initialized, the key server fetches from the cloud 104 and data subscribers 106 respectively.
  • the key management server in response to receipt of a command to update the secret key 332, receives the trusted encrypted biometric template that is stored by the cloud 104 (in the form of the trusted encrypted biometric partial template 310) and the data subscriber 106 (in the trusted encrypted biometric partial template 308).
  • the key management server decrypts these encrypted templates to obtain x ; , so as to retrieve a trusted raw biometric template from which the trusted encrypted biometric template is derived.
  • the trusted raw biometric template is constituted by a sum of the raw partial biometric templates that is retrieved from the trusted encrypted biometric partial templates 308 and 310 respectively.
  • New keys are generated to perform a re-encryption of x ; , which results from the key management server generating an updated secret key and encrypting the trusted raw biometric template with the updated secret key to obtain the new tmsted encrypted biometric template.
  • the new keys are sent to the tmsted device 124, so that the tmsted device 124 receives the updated secret key.
  • the key management server transmits the new tmsted encrypted biometric template to the cloud 104 and the data subscriber 106. Since the cloud and the data subscriber 106 operate on partial templates, the new tmsted encrypted biometric template is split and sent as encrypted templates and to the cloud 104 and data subscribers 106 respectively which represent the updated tmsted encrypted partial templates. Summarising, in an event of an update of the secret key 332, each of the cloud 104 and the data subscribers 106 will retrieve a new tmsted encrypted biometric template, encrypted with the updated secret key.
  • biometric template recognition systems 100, 200 and 300 discussed above uses a protocol that provides security against collusion between two or more entities.
  • no collusion of entities can derive the full raw biometric template of any user without the secret key of the encryption.
  • the encryption employed to obtain encrypted biometric templates is lightweight, collision-free and compatible with our splitting mechanism.

Abstract

According to an aspect of the present invention, there is provided a biometric template recognition system comprising an authentication module configured to receive, from a device, identity details of a user requesting authentication, the device having a captured encrypted biometric template from the user; retrieve a trusted encrypted biometric template associated to the user through the received identity details, wherein the encryption used in the captured encrypted biometric template and the trusted encrypted biometric template is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved, one of the two encrypted data points being a feature vector from the trusted encrypted biometric template and the other being a corresponding feature vector from the captured encrypted biometric template, with the two plaintext data points being the two encrypted data points before encryption; and receive the authentication result returned from determining a similarity match score, the determination being based on at least: computation performed at the authentication module with the trusted encrypted biometric template as input; and computation performed at the device with the captured encrypted biometric template as input. There is also provided a biometric template recognition system comprising a data repository configured to provide such a trusted encrypted biometric template associated to the user to an authentication module.

Description

Biometric template recognition system
FIELD
[001] The present invention relates to a biometric template recognition system which performs authentication using encrypted biometric templates.
BACKGROUND
[002] With increasing widespread usage of biometric information such as fingerprint, face and iris for authentication purpose, providing organizations access to a collection of comprehensive biometric templates hosted by a trusted organization will enable more effective authentication of an individual, instead of relying only on documentation carried by the individual. The benefits are twofold. Firstly, it allows organizations that currently have no access or require lengthy administrative and legal processes to have direct access to a readily available database. Secondly, these agencies and private entities do not need to invest in infrastructure to register users and constmct a biometric database of their own. This also reduces potential breaches of the templates, especially if there are many different copies residing in each of the organizations.
[003] However, having many different agencies and private entities directly access a central database increases possibility of breaches that may cause the templates to be leaked. A straightforward solution is to share the template database to these agencies. There was a general assumption that raw biometric templates are secure. For instance, it was believed that a binary template (e.g. Iriscode) does not contain sufficient information to enable its reconstruction, see “Generating Images from Templates” by International Biometric Group, 2002, White paper. However, significant progress has been made recently in the domain of biometric template reconstruction, e.g. “Learning fingerprint reconstruction: From minutiae to image” by Kai Cao and Anil K. Jain, 2014, IEEE Transactions on information forensics and security 10, 1 (2014), 104-117; and “Fingerprint image reconstruction from standard templates” by Raffaele Cappelli, Dario Maio, Alessandra Lumini, and Davide Maltoni, 2007, IEEE transactions on pattern analysis and machine intelligence 29, 9 (2007), 1489-1503. This is a major privacy concern since the reconstructed biometric templates can be used to identify or impersonate an individual.
[004] There is thus a need for a more viable approach to share a derivation (e.g. via encryption) of the database that would enable other agencies and private organisations to authenticate the said individuals, but in such a way that the agencies and organisations are not able to learn any biometric information from the derived database. Raw biometric templates should remain at trusted organization premises (such as a government body) and is isolated from being accessed by other parties. SUMMARY OF THE INVENTION
[005] According to an aspect of the present invention, there is provided a biometric template recognition system comprising an authentication module configured to receive, from a device, identity details of a user requesting authentication, the device having a captured encrypted biometric template from the user; retrieve a trusted encrypted biometric template associated to the user through the received identity details, wherein the encryption used in the captured encrypted biometric template and the trusted encrypted biometric template is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved, one of the two encrypted data points being a feature vector from the trusted encrypted biometric template and the other being a corresponding feature vector from the captured encrypted biometric template, with the two plaintext data points being the two encrypted data points before encryption; and receive the authentication result returned from determining a similarity match score, the determination being based on at least: computation performed at the authentication module with the trusted encrypted biometric template as input; and computation performed at the device with the captured encrypted biometric template as input.
[006] According to another aspect of the present invention, there is provided a biometric template recognition system comprising a data repository configured to provide a trusted encrypted biometric template associated to a user, wherein the encryption used in the trusted encrypted biometric template is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved, one of the two encrypted data points being a feature vector from the trusted encrypted biometric template and the other being a corresponding feature vector from a captured encrypted biometric template associated to the user, with the two plaintext data points being the two encrypted data points before encryption, whereby authentication of the user occurs from determining whether a similarity match score is below a threshold value, the determination being based on at least: computation performed with the trusted encrypted biometric template as input; and computation performed with the captured encrypted biometric template as input.
BRIEF DESCRIPTION OF THE DRAWINGS
[007] Representative embodiments of the present invention are herein described, by way of example only, with reference to the accompanying drawings, wherein:
[008] Figure 1 shows a schematic of a biometric template recognition system in which authentication is performed using encrypted biometric complete templates. [009] Figure 2 shows a schematic of a biometric template recognition system in which authentication is performed using encrypted biometric partial templates, in which a raw biometric complete template is split before being encrypted.
[010] Figures 3 and 4 show a schematic of a biometric template recognition system in which authentication is performed using encrypted biometric partial templates, in which a raw biometric complete template is encrypted before being split. Figure 3 shows the biometric template recognition system during setup and registration phases, while Figure 4 shows the system during authentication phase.
DETAILED DESCRIPTION
[Oil] In the following description, various embodiments are described with reference to the drawings, where like reference characters generally refer to the same parts throughout the different views.
[012] The present application finds relevance for trusted organisations in possession of a raw biometric database whose data is to be shared to enable other organisations to provide authentication services without these other organizations learning the underlying biometric information. These organisations do not need to collect user biometric data or always connect to the central raw biometric database, thus reducing the number of potential attack points.
[013] Herein disclosed is a privacy -preserving biometric authentication system (also interchangeably referred to as a biometric template recognition system) that achieves the above objective. The biometric template recognition system has features drawn from the two broad categories of biometric authentication systems and biometric identification systems. An identification system refers to the claiming of an identity and an authentication system refers to the act of verifying or proving the claimed identity. There are two phases, enrolment and query. During enrolment, end users register their biometric template via a feature extraction process with a service provider. The service provider then stores these registered biometric templates together with the respective end user identity (ID) details in its database. In the query phase, the service provider checks the similarity between the stored template and the submitted template by an end user via an ID match. Due to the inherent fuzzy nature of biometrics, biometric authentication typically requires a similar match as opposed to an exact match.
[014] At its core, the disclosed biometric template recognition system performs authentication using a distance-preserving encryption scheme and secure distance computation. The other organisations only hold a derived, encrypted biometric dataset and need not be fully trusted. The disclosed system is secure even when the other organisations collude. An overview of the disclosed system is discussed below. [015] The biometric datasets used by the disclosed system are arranged in templates, with each biometric template resulting from raw biometric data having undergone a feature extraction process. The features extracted into the template depends on the biometric data being processed, e.g. fingerprint, facial and speech data are treated differently. The disclosed system is tasked to determine whether it can recognise an encrypted biometric template, held in a device (such as a mobile or a laptop), against a stored encrypted biometric template. The system comprises an authentication module that facilitates this recognition. The authentication module refers to any computer terminal or group of computer terminals with server capability. Such a computer terminal or group of computer terminals have components that include a processor and memory arrangement that perform the necessary arithmetic and logic operations to execute coding instructions, the coding instructions being in respect of biometric authentication in accordance with various embodiments of the present invention. Examples of the authentication module include a data subscriber and a cloud provider (also referred to as a cloud), both described in greater detail below.
[016] Authentication is initiated by the device capturing raw biometric data, followed by feature extraction and encryption, so that the device has a captured encrypted biometric template of the user requesting authentication. As such, “captured encrypted biometric template” in this disclosure refers to the template that is to be verified or authenticated. The authentication module does not receive the captured encrypted biometric template, since interception of the captured encrypted biometric template, if transmitted, poses a vulnerability; although recreation of the raw biometric data from the captured encrypted biometric template is difficult. As such, the disclosed system reduces potential attack points, while maintaining privacy preservation.
[017] For the authentication module to retrieve a trusted encrypted biometric template associated to the user, the authentication module receives identity details of this user. The retrieved encrypted biometric template is trusted because it is obtained from a trusted source, e.g. a government agency repository or a database containing verified biometric data.
[018] The distance-preserving encryption scheme and secure distance computation mechanism used by the disclosed biometric template recognition system requires for the encryption used in the captured encrypted biometric template and the trusted encrypted biometric template to be based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved. One of these two encrypted data points is a feature vector from the trusted encrypted biometric template and the other encrypted data point is a corresponding feature vector from the captured encrypted biometric template, with the two plaintext data points being the two encrypted data points before encryption.
[019] The authentication module obtains the authentication result (i.e. whether the captured encrypted biometric template is recognised) by receiving the computation of a similarity match score, the similarity match score being a measure of the difference between the captured encrypted biometric template and the trusted encrypted biometric template. In one implementation, the similarity match score is a distance between corresponding feature vectors from the captured encrypted biometric template and the trusted encrypted biometric template, with authentication occurring when the distance is below or equal to a threshold value. Non-limiting examples of this distance include a Hamming distance or an Euclidean distance. In such an implementation, if the similarity match score is less than or equal to a threshold value, an affirmative authentication result is returned to the authentication module.
[020] The similarity match score is returned from an outcome of computation performed at least two different terminals, including the terminal on which the authentication module is hosted. That is, each of these terminals perform a partial computation of the similarity match score, based on their respective inputs. One computation is performed at the authentication module with the trusted encrypted biometric template as input; and another computation performed at the device with the captured encrypted biometric template as input. Each of the two separately performed computations provides an intermediate value to obtaining the similarity match score.
[021] An encrypt-then-split mechanism or split-then-encrypt mechanism may also be used, where each of the entities to the biometric template recognition system holds encrypted biometric partial templates. One copy is given to one or more organisations that subscribe to the authentication service, so as to determine whether access to their facilities can be granted to the holder of a device with captured biometric data; and the other copies to organisations that support the computation to obtain the similarity match score. That is, the biometric template recognition system is also configured to perform authentication on partial or complete templates. In the configuration where complete templates are used, the term “trusted encrypted biometric template” refers to a complete template derived from trusted raw biometric data, while the term “captured encrypted biometric template” refers to a complete template derived from captured raw biometric data. In the configuration where partial templates are used, the term “trusted encrypted biometric partial template” refers to a partial template derived from trusted raw biometric data, while the term “trusted encrypted biometric complete template” refers to a complete template derived from the same trusted raw biometric data. The term “captured encrypted biometric partial template” refers to a partial template derived from captured raw biometric data, while the term “captured encrypted biometric complete template” refers to a complete template derived from the same captured raw biometric data. The trusted encrypted biometric partial template has corresponding feature vectors to the captured encrypted biometric partial template.
[022] This encrypt-then-split or split-then-encrypt mechanism enables faster verification for nonmatch instances in early rejection setting and reduces risk of template reconstruction in the event that an encrypted partial template database and its encryption key are leaked. In contrast to the complete template approach, the tmsted encrypted biometric template and the captured encrypted biometric template used for computation of the similarity match score in the encrypt-then-split or split-then- encrypt mechanism are partial templates of their respective complete templates, with the trusted encrypted biometric partial template and the captured encrypted biometric partial template having corresponding feature vectors. Under this mechanism, an entity to the biometric template recognition system, such as a data subscriber can already bar access to a facility from a negative partial result returned from the computation performed at the data subscriber with the trusted encrypted biometric partial template as input and the computation performed at the device with the captured encrypted biometric partial template as input, because the negative partial result indicates the lack of a match between these two partial templates. There is no requirement to perform computation on the remainder of the tmsted encrypted biometric complete template nor the remainder of the captured encrypted biometric complete template.
[023] In response to a positive partial result being returned under the encrypt-then-split or split- then-encrypt approach, the determination of the similarity match score is further based on computation performed at another entity of the biometric template recognition system with a remainder of the tmsted encrypted biometric complete template as input; and computation performed at the device with a remainder of the captured encrypted biometric complete template as input. This other entity of the biometric template recognition system refers to a separate computer network, such as a cloud. The remainder of the tmsted encrypted biometric complete template and the remainder of the captured encrypted biometric complete template is each a partial template of its respective complete template. The encrypt-then-split or split-then-encrypt mechanism may also use more than two partial templates for each of the tmsted encrypted biometric template and the captured encrypted biometric template. In such an implementation, the remainder of the tmsted encrypted biometric complete template and the remainder of the captured encrypted biometric complete template may each be split into further partial templates, wherein the determination of the similarity match score is obtained from the computation performed on each of these further partial templates.
[024] The biometric template recognition system is described in greater detail below, with reference to Figures 1 to 4.
[025] Each of Figures 1 to 4 shows a biometric template recognition system 100, 200, 300 in which privacy -preserving authentication is performed in accordance with one implementation of the present invention. The biometric template recognition system 100, 200, 300 has four entities:
[026] Data Owner 102: A fully tmsted party, e.g. a government agency, which owns biometric templates and outsources an encrypted biometric database.
[027] Service Provider: This is an honest-but-curious party, e.g. a cloud 104, which stores encrypted biometric database and helps to verify an individual without the need of decrypting an encrypted template. [028] Data Subscriber/s) 106: This is(are) an honest-but-curious party (parties), e.g. a bank(s) or mall(s), which subscribe(s) to the system 100 to authenticate a user.
[029] User 108: A user, e.g. client(s) of a bank or customers of a mall, who submit(s) their biometric information for authentication. Users are not trusted but we assume there exists a tamperproof device that extracts and encrypts the user’s biometric information into an encrypted template. [030] The implementations of Figures 1 to 4 employ a common cryptographic protocol, where authentication is determined from computation performed with a trusted encrypted biometric template as input; and computation performed with captured encrypted biometric template as input. Each computation is performed at a different terminal, namely the terminal having the respective biometric template. The encryption used in the captured encrypted biometric template and the trusted encrypted biometric template is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved, one of the two encrypted data points being a feature vector from the trusted encrypted biometric template and the other being a corresponding feature vector from the captured encrypted biometric template, with the two plaintext data points being the two encrypted data points before encryption. The common cryptographic protocol allows for secure two-party computation, where two parties, each with private vector inputs, securely decide if the private vector inputs are sufficiently similar (such as an Euclidean distance or a Hamming distance between their respective private vector inputs being smaller than a given threshold) without leaking extra information.
[031] This common cryptographic protocol is coded into an authentication module, which is hosted in either the cloud 104 or the data subscriber 106, explained in greater detail below when the operation of Figures 1 to 4 is discussed. The biometric template recognition system 100 of Figure 1 authenticates based on complete biometric templates. The biometric template recognition system 200 of Figure 2, along with the biometric template recognition system 300 of Figures 3 and 4, authenticate based on partial biometric templates. The biometric template recognition system 200 of Figure 2 splits a complete biometric template, then encrypts the partial biometric templates. The biometric template recognition system 300 of Figures 3 and 4 encrypts a complete biometric template, then splits the encrypted complete biometric template into encrypted partial biometric templates. Operation of the biometric template recognition systems 100 and 200 is first discussed with reference to Figures 1 and 2.
[032] In Figure 1, the data owner 102 is assumed to pre-compute their existing trusted biometric templates 112, i.e. the data owner 102 enrols the users 108. In brief, matching 118 is based on a tmsted encrypted biometric template 110 hosted by the cloud provider 104 against a captured encrypted biometric template 130 hosted by the user device 124. The authentication result 120 is determined by the matching 118 result and returned to the data subscriber 106, so that the user 108 can, for example, access a facility belonging to the data subscriber 106. [033] The biometric template recognition system 200 of Figure 2 is an extended setting, where the data owner 102 splits 202, then encrypts 206, 204 trusted biometric templates 212 into two parts. That is, in Figure 2, the biometric template recognition system 200 authenticates based on encrypted partial templates (for both trusted and captured biometric data). In brief, the split-then-encrypt approach allows the data owner 102 to give a partial copy 208 of a trusted encrypted biometric template to the data subscriber 106 and another partial copy 210 to the cloud provider 104 (which corresponds to the remainder of the trusted biometric template 212), thus reducing risk of leakage of the trusted encrypted biometric complete template (208 and 210) if one of the data subscriber 106 or the cloud provider 104 trusted encrypted biometric partial templates 208, 210 is compromised.
[034] By doing so, it is possible to first perform matching 214 based on the trusted encrypted biometric partial template 208 hosted by the data subscriber 106 against a captured encrypted biometric partial template 222 having corresponding feature vectors, hosted by the user device 124, thereby reducing the computation and communication cost. Only when the outcome is not conclusive is the trusted encrypted biometric complete template (208 and 210) computed 216 for authentication, by performing matching 218 based on the trusted encrypted biometric partial template 210 hosted by the cloud provider 104 against a captured encrypted biometric partial template 226 having corresponding feature vectors, hosted by the user device 124. The final authentication result 220 is determined by both the matching partial results 214 and 218 and returned to the data subscriber 106, so that the user 108 can, for example, access a facility belonging to the data subscriber 106.
1. Security Models
[035] In the biometric template recognition systems 100, 200 of Figures 1 and 2, every secret key to encrypt the trusted biometric template for every user 108 is derived from a master secret key owned by the data owner 102. The encrypted biometric templates 110 are stored by the cloud 104 or the data subscriber 106. We assume the cloud 104 and the data subscriber 106 are honest-and-curious where both follow the protocol, but try to guess the trusted encrypted biometric templates (in both complete and partial forms in Figures 1 and 2 respectively).
[036] We allow collusion between the cloud 104 and the data subscriber 106. Through the collusion, either of the parties 104 and 106 can generate encrypted biometric templates of extracted features of a user 108. The goal of an adversary in the biometric template recognition systems 100, 200 is to reveal either trusted biometric templates 112, 212 that are provided by the data owner 102, or the fresh biometric features 140 that are submitted during the authentication.
[037] The following security models describe the ability of the adversary:
- Passive Attack-I (Ciphertext Only Attack): The adversary knows the encrypted biometric database and the encrypted queries. - Passive Attack-II (Known-Sample Attack): In addition to Passive Attack-I, the adversary learns some plain biometric templates but do not know the corresponding encrypted one. For example, the adversary observes the encrypted database as well as obtaining sample templates collected by the other parly. The adversary then knows the values of several records in the plaintext database.
- Active Attack (Chosen Plaintext Attack): In addition to Passive Attack-I and Attack-II, the adversary knows the submitted query in plain or encrypted form. Besides, the adversary can submit the biometrics by accessing the oracle. The outputs of the oracle are leamt. Considering this attack model is also necessary in some cases. For example, it is possible for the cloud service provider 104 to act as a user to submit biometric information for authentication, so it can observe and even control the content of user’s candidate biometrics.
[038] The biometric template recognition systems 100, 200 should allow their cloud 104 to determine the similarity of the stored trusted encrypted biometric template (complete version 110 for Figure 1; partial versions 208 and 210 for Figure 2) and given captured encrypted biometric template (complete version 130 for Figure 1; partial versions 222 and 226 for Figure 2). However, it is infeasible to recover the plaintext biometric template and feature.
Security Against Passive Attack-I
[039] The security against Passive Attack-I is defined as the following game between an adversary and a simulator S.
- Setup: S generates keypairs ski ID for n -users ID and i data subscribers. S encrypts the user biometric templates and returns the encrypted templates to
Figure imgf000011_0002
- Challenge:
Figure imgf000011_0001
randomly chooses and sends two challenge biometric templates (m0,m1) of a challenge user ID* to S. S randomly selects b ∈ {0,1} and encrypts mb to
Figure imgf000011_0003
. Finally,
Figure imgf000011_0004
outputs its guess b' . wins the game if b' = b. The advantage of
Figure imgf000011_0005
in the game is defined as Adv(
Figure imgf000011_0006
) =
Figure imgf000011_0007
Definition 1: The P2BA (privacy preserving and outsourced biometric authentication scheme underlying the biometric template recognition systems 100, 200) is secure against Passive Attack-I if no PPT adversary
Figure imgf000011_0008
can have success probability more than in its game.
Figure imgf000011_0009
Security Against Passive Attack-II
[040] The security definition against Passive Attack-II follows that of Passive Attack-I, except that the adversary
Figure imgf000011_0010
has knowledge of some user plain biometric templates in the encrypted database. Definition 2: The proposed P2BA is secure against Passive Attack-II if no PPT adversary
Figure imgf000012_0002
can have success probability more than in its game.
Figure imgf000012_0003
Security Against Active Attack
[041] The security against Active Attack is defined as the following game between an adversary
Figure imgf000012_0004
and a simulator S.
- Setup: generates keypairs ski ID for n -users ID and i data subscribers.
Figure imgf000012_0005
encrypts the user biometric templates and returns the encrypted templates to
Figure imgf000012_0006
- Query I: is allowed to make queries for authentication with any biometric feature.
- Challenge I:
Figure imgf000012_0007
then outputs two challenge biometric features (m0, m1) of a challenge user ID* to S. randomly selects b ∈ {0,1} and encrypts mb to
Figure imgf000012_0008
.
- Query II: can still make queries as in Query I with the restriction that (m0, m1 ) is not allowed.
- Challenge II: Finally,
Figure imgf000012_0009
outputs its guess b'.
Figure imgf000012_0010
wins the game if b' = b. The advantage of
Figure imgf000012_0011
in the game is defined
Figure imgf000012_0001
Definition 3: The proposed P2BA is secure against Active Attack if no PPT adversary
Figure imgf000012_0018
can have success probability more than in its game.
Figure imgf000012_0012
2. P2BA scheme definitions
[042] This section provides an overview of algorithms used in our P2B A:
- Setup: This algorithm is run by the data owned". On input security parameter 1k. it outputs system parameter PM.
- MKGen : On input PM, it generates a master secret key msk for data owner.
- KeyGen: On input (PM, msk ) and the identifier of the data subscriber i, it generates a long term key ski for i·
- Enc: On input (PM, ski), user identity ID, and user biometric templates in n-dimension of vector it computes an encrypted vector in n-dimension
Figure imgf000012_0014
.
Figure imgf000012_0013
- ReEnc : On input . it computes a re-encrypted vector . The order of the
Figure imgf000012_0015
Figure imgf000012_0016
encryption affects the equivalence e.g.
Figure imgf000012_0017
- Ver: On input PM, a tuple of encrypted vectors ( which is encrypted with the same sk, and authenticated threshold value t, it computes their distance d. The output is “1" if d < t and "0" if otherwise (e.g. d > t or authentication failure).
3. P2BA Building Blocks
[043] The building blocks used in the biometric template recognition systems 100, 200 is described below. A biometric recognition scheme to extract features and construct templates from raw biometric information (e.g. fingerprint, face, iris) is deployed. A distance-recoverable encryption is used to encrypt these templates. For authentication, a secure distance computation mechanism is used.
3 , 1 Biometrics Recognition based on Euclidean Distance
[044] The biometric template recognition systems 100, 200 uses feature extraction to transform raw biometric traits (e.g., fingerprints, voice patterns, facial patterns, etc.) into templates. The extracted features are then called feature vectors with n elements.
[045] Given two feature vectors
Figure imgf000013_0001
, one approach to perform biometric matching is to find the squared Euclidean distance, which is defined as:
Figure imgf000013_0002
The authentication result is based on the Euclidean distance that is compared with the defined threshold t. We consider the given
Figure imgf000013_0003
and
Figure imgf000013_0004
belong to the same person if and only if
Figure imgf000013_0005
which indicates a match. A lower value of t means the system requires higher similarity to pass. We define a biometric recognition scheme as consists of the following algorithms:
- Ext: On input a raw biometric trait, it outputs a feature vector x
- Dist: On input two feature vectors it outputs a distance
Figure imgf000013_0006
Figure imgf000013_0007
- Match: On input a threshold t and d, it outputs “1” if d ≤ t and “0” otherwise.
[046] This adopted biometric recognition scheme has the biometric template recognition systems 100, 200 using the same encryption in the captured encrypted biometric template (complete version 130 for Figure 1; partial versions 222 and 226 for Figure 2) and the trusted encrypted biometric template (complete version 110 for Figure 1; partial versions 208 and 210 for Figure 2), which is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved. One of the two encrypted data points is a feature vector from the trusted encrypted biometric template, with the other encrypted data point being a corresponding feature vector from the captured encrypted biometric template. The two plaintext data points refer to the two encrypted data points before encryption. The distance recoverable transformation is discussed in greater detail below.
3,2 Distance-Recoverable Encryption
[047] The biometric template recognition systems 100, 200 utilises distance-recoverable encryption (DRE) to calculate the distance between two encrypted data points such that the distance between the plain data points is equal to the two encrypted data points,
Figure imgf000014_0001
[048] The DRE used in the biometric template recognition systems 100, 200 may, for example, be based on a distance-preserving transformation (DPT) constructed using an orthogonal matrix, which can preserve Euclidean distance.
3.2.1 Ortho gonal Matrix
[049] An orthogonal matrix M is a square matrix that consists of n x n -dimension such that its inverse and transpose are equivalent M-1 = MT and satisfy the following properties:
- Identity transformation: Given M, the identity matrix / can be computed such that MTM = MMT
/
- Product transformation: Given M = M0M1 , if M0 and M1 are orthogonal matrices, M is also an orthogonal matrix.
- Preservation of length: Given two pairs of vector their Euclidean distance is
Figure imgf000014_0002
equivalent such that
Figure imgf000014_0003
3.2.2 Distance-Preserving Transformation (DPT)
[050] Let E (·,·) be an encryption function with the input of n -dimension vector and
Figure imgf000014_0004
secret key
Figure imgf000014_0005
that outputs an encrypted vector
Figure imgf000014_0006
as follows:
Figure imgf000014_0007
such that M is an n x n orthogonal matrix and v is a random vector. The distance between two encrypted vectors
Figure imgf000014_0008
is as follows:
Figure imgf000014_0009
3.2.3 Security of DPT
[051] DPT may be insecure under Passive Attack-II if the adversary has access to the encrypted database and knows a few samples in plain. The adversary can then perform known-sample attack to recover the database entirely, see “An attacker's view of distance preserving maps for privacy preserving data mining” by Liu, K., Giannella, C, Kargupta, H, European Conference on Principles of Data Mining and Knowledge Discovery, pp. 297-308, Springer (2006). As shown in “Secure knn computation on encrypted databases” by Wong, W.K., Cheung, D.W.I., Kao, B., Mamoulis, N, Proceedings of the 2009 ACM SIGMOD International Conference on Management of data, pp. 139- 152 (2009), such DPT scheme can resist Passive Attack-I as the adversary does not know sk.
Theorem 1 : A DPT scheme is secure under Passive Attack-I if the adversary is not able to recover the plaintext.
3.3 Secure Distance Computation
[052] The biometric template recognition systems 100, 200 is based on a protocol (see “GShade: faster privacy-preserving distance computation and biometric identification” by Bringer et al, Proceedings of the 2nd ACM workshop on Information hiding and multimedia security, pp. 187-198 (2014)) which allows two parties, a sender S and a verifier V, to securely compute the distance of two biometric features. This oblivious transfer scheme GSHADE guarantees one party does not get more information about the other party’s inputs than what can be deduced from its own inputs and outputs. [053] Let
Figure imgf000015_0008
integer vectors. Three functions are defined where
Figure imgf000015_0001
Figure imgf000015_0009
[054] S and V run the protocol as follows:
- S and V on input
Figure imgf000015_0002
and
Figure imgf000015_0003
respectively
- S chooses n random values
Figure imgf000015_0004
- For each
Figure imgf000015_0005
and C engage in a where
Figure imgf000015_0006
- V's selection bit is xi
- S' s input is
- The output obtained
- V computes and outputs
- S computes and outputs
Figure imgf000015_0007
- At the end, either S or V learns the distance by computing
Figure imgf000016_0002
Theorem 2: Security is proven by simulation in the OT-hybrid setting, where OT s are simulated by a trusted oracle. We recall that each simulator is provided with the input and output of the corrupted party. Case 1: V is corrupted. Since V receives no messages beyond those in OT, its view can be perfectly simulated. Case 2: S is corrupted. Given V's output T and input x, S’s view can be perfectly simulated by sending random values in the OT s.
Figure imgf000016_0003
[055] In the case of the biometric template recognition systems 100, 200, the senders refers to the device 124 using the captured encrypted biometric template (complete version 130 for Figure 1; partial versions 222 and 226 for Figure 2), while the verifier V refers to the host of an authentication module (the cloud 104 for Figure 1; for Figure 2: the data subscriber 106 when it is sufficient to only consider the partial template 208, and the data subscriber 106 in communication with the cloud 104 when both the partial templates 208 and 210 need to be considered) using the trusted encrypted biometric template (complete version 110 for Figure 1; partial versions 208 and 210 for Figure 2). The authentication module receives the authentication result returned from determining a similarity match score between the captured encrypted biometric template and the trusted encrypted biometric template, the determination being based on at least: computation performed at the authentication module with the trusted encrypted biometric template as input; and computation performed at the device 124 with the captured encrypted biometric template as input.
4. P2BA protocol
[056] In the basic setting P2BA-I, see Figure 1, the cloud provider 104 hosts the tmsted encrypted biometric template 110 provided by the data owner. We extend this basic setting in P2BA-II, see Figure 2, where the cloud provider 104 and the data subscriber 106 each hosts a partial copy (210 and 208 respectively) of the tmsted encrypted biometric template.
[057] We first define BR = { Ext.Dist } to be any biometrics recognition scheme based on Euclidean distance where a raw biometric image from ID is provided to BR to extract a vector, such that (see section 3.3 above) be a secure distance
Figure imgf000016_0004
computation protocol that on input two vectors, outputs the distance d. Our P2BA scheme consists of a tuple {Setup, MKGen, KeyGen, Enc, ReEnc, Ver } as follows.
Figure imgf000016_0001
It generates pseudorandom orthogonal function
Figure imgf000016_0005
pseudorandom vector function
Figure imgf000016_0006
, and pseudorandom permutation function PRP(·,·) which reorders the given vector based on the given secret and ID. The final output is a system parameter
Figure imgf000017_0001
- MKGen(PM ) : It outputs a master secret key
Figure imgf000017_0002
- KeyGen(PM, msk, i ) : It generates a long term key
Figure imgf000017_0003
and public key pk i = gski for i.
- This algorithm runs It
Figure imgf000017_0004
Figure imgf000017_0005
then runs and the encrypted vector is then generated such that
Figure imgf000017_0006
Figure imgf000017_0007
Figure imgf000017_0008
This algorithm runs
Figure imgf000017_0009
Figure imgf000017_0010
It then runs and the encrypted vector is then generated such that
Figure imgf000017_0011
Figure imgf000017_0012
An interactive protocol that is run by party A and B where A on input
Figure imgf000017_0015
and B on input to GSHADE. At the end of the protocol, either one party can receive the
Figure imgf000017_0013
distance d and run BR. Match(t, d) to return “1” or “0” which indicates the authentication result.
Correctness: Given the same system parameter PM, the following verification always holds:
Figure imgf000017_0014
Figure imgf000018_0002
4.1 P2BA-I: Basic Setting
[058] We first assume that a user 108 has registered his identity idu along with his biometrics Biou (e.g. fingerprints) with a data owner 102. In addition, we define a pseudorandom permutation function PRP (·,·), which is run during the encryption Enc(-).PRP (·,·) allows the data owner 102 to reorder the user biometric templates
Figure imgf000018_0001
where n is the dimension of vector.
Registration Phase
1. The data owner 102 runs setup and the master key generation functions to generate system parameter Setup(1k) → PM and master secret key MKGen(PM ) → msk.
2. The data owner 102 applies a biometrics recognition scheme BR (e.g. fingercode for fingerprints) to extract the biometric featme and stores the biometric template
Figure imgf000018_0006
3. For every data subscriber i, the data owner 102 runs key generation to generate a long term keypair KeyGen(PM , msk, i) → ( ski .pki ) for i. The data owner 102 stores (i,ski,pki ') in a table.
4. For every user biometric template
Figure imgf000018_0003
where k is the total number of users, the data owner 102 generates the encrypted database by running
Figure imgf000018_0004
for i, resulting in storage of a plurality of trusted encrypted biometric templates 110.
5. Finally, the encrypted database
Figure imgf000018_0005
is outsourced to a cloud 104 and the key ski is embedded into a tamper-proof device 124. The tamper-proof device 124 is passed to the data subscriber 106. In another approach, the tamper-proof device 124 may be a mobile phone belonging to the user 108, where the key ski may be embedded into the mobile device through the installation of an application. The device 124 is used to extract and encrypt user biometric to obtain a captured encrypted biometric template 130.
[059] The data owner 102 thus acts as a data repository configured to provide a trusted encrypted biometric template 110 associated to a user 108. The encryption used in the trusted encrypted biometric template 110 is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved. One of the two encrypted data points is a feature vector from the trusted encrypted biometric template 110 and the other is a corresponding feature vector from a captured encrypted biometric template 130 associated to the user 108, with the two plaintext data points being the two encrypted data points before encryption. With the trusted encrypted biometric template 110 and the captured encrypted biometric template 130 having the same encryption, authentication of the user 108 occurs from determining whether a similarity match score is below a threshold value, the determination being based on at least: computation performed with the trusted encrypted biometric template 110 as input; and computation performed with the captured encrypted biometric template 130 as input.
Authentication Phase
1. During authentication, the user 108 scans his biometric image Biou with the tamper-proof device 124. The device 124 runs to extract the feature vector and runs
Figure imgf000019_0005
to generate the captured encrypted biometric template 130.
Figure imgf000019_0004
With reference to item 4 under the earlier section “Registration Phase”, the same encryption scheme is used for both captured encrypted biometric template 130 and the trusted encrypted biometric template 110. This encryption scheme has the captured encrypted biometric template 130 and the trusted encrypted biometric template 110 generated based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved. One of the two encrypted data points is a feature vector from the trusted encrypted biometric template 110, with the other encrypted data point being a corresponding feature vector from the captured encrypted biometric template 130. The two plaintext data points refer to the two encrypted data points before encryption. The device 124 also provides identity details of the user 108 requesting authentication, so that the trusted encrypted biometric template 110 associated to the user can be retrieved.
2. The device 124 on input runs the verification protocol with the cloud 104 which has
Figure imgf000019_0002
input . That is, one computation is performed at the device 124 with the captured
Figure imgf000019_0003
encrypted biometric template 130 as input; and another computation is performed at the cloud 104 with the trusted encrypted biometric template 110 as input. At the end of the protocol, the cloud 104 computes distance d based on the two computation results. The distance d which determines the authentication result. The
Figure imgf000019_0001
computation performed at the device 124 with the captured encrypted biometric template 130 as input is transmitted to the cloud 104, so that the cloud 104 can compute this similarity match score.
3. Finally, the data subscriber 106 receives either “1” or “0” from the cloud 104, which indicates the authentication result. That is, the cloud 104 transmits the authentication result to the data subscriber 106.
4,2 P2BA-II: Split-then-Encrvpt Setting [060] As compared to P2BA-I described in Section 4.1, P2BA-II deals with a different setting by splitting 202 trusted encrypted biometric templates 212 into two (see the dotted lines connecting the trusted encrypted biometric template 212 to the trusted encrypted biometric partial template 208 and the trusted encrypted biometric partial template 210).
Registration Phase
1. Step 1-3 are the same as in the registration phase in Section 4.1.
2. In addition to Step 4 in Section 4.1, the data owner 102 splits 202 the encrypted database into two parts, where , so as to obtain a plurality of trusted biometric partial
Figure imgf000020_0002
templates.
3. Finally, both
Figure imgf000020_0003
and
Figure imgf000020_0004
are outsourced to a data subscriber 106 and a cloud 104 respectively, i.e. the data owner 102 transmits one of the partial templates from step 2 above to the data subscriber 106 (namely the trusted encrypted biometric partial template 208 in Figure 2) and transmits the other partial template to the cloud 104 (namely the trusted encrypted biometric partial template 210 in Figure 2). The tamper-proof device 124 with key s/c; is passed to the data subscriber 106. In another approach, the tamper-proof device 124 may be a mobile phone belonging to the user 108, where the key ski may be embedded into the mobile device through the installation of an application.
Authentication Phase
1. Step 1 is similar to the authentication phase in Section 4.1 but additionally the device 124 splits the captured encrypted biometric features into two captured encrypted biometric partial templates 222 and 226,
Figure imgf000020_0001
2. The device 124 then runs the verification protocol to authenticate the user 108 with the data subscriber 106 and the cloud 104 respectively. The protocol is run as follows:
- The first partial distance dQ is run with the data subscriber 106 where the device 124 has input and the data subscriber 106 has input That is, one computation is
Figure imgf000020_0006
Figure imgf000020_0005
performed at the device 124 with the captured encrypted biometric partial template 222 as input. Another computation is performed at the data subscriber 106 with the trusted encrypted biometric partial template 208 as input, the data subscriber 106 having retrieved the trusted encrypted biometric partial template 208 from the data owner 102 as discussed under item 3 of the “Registration Phase” section. The captured encrypted biometric partial template 222 and the trusted encrypted biometric partial template 208 have corresponding feature vectors. The data subscriber 106 verifies the first part of authentication, which provides a partial result, and proceeds to effect the calculation of a second partial distance dt if and only if d0 < t. A negative partial result stops the process and causes the return of the lack of a match between the trusted encrypted biometric partial template 208 and the captured encrypted biometric partial template 222, so that the authentication is deemed to be invalid.
- In response to a positive partial result being returned, the second partial distance d1 is run with the cloud 104 where the device 124 has input cyl . ^ and the cloud 104 has input cxli ID. That is, one computation is performed at the cloud 104 with the trusted encrypted biometric partial template 210 as input, the tmsted encrypted biometric partial template 210 being a remainder of the tmsted encrypted biometric complete template (i.e. the trusted biometric template 212 after encryption, less the tmsted encrypted biometric partial template 208). Another computation is performed at the device 124 with the captured encrypted biometric partial template 226 as input, the captured encrypted biometric partial template 226 being a remainder of the captured encrypted biometric complete template (i.e. the captured biometric template after encryption, less the captured encrypted biometric partial template 222). These two additional computations seek to determine the similarity between the tmsted encrypted biometric partial template 210 and the captured encrypted biometric partial template 226.
3. Next, the data subscriber 106 computes the full distance d = dQ + d1 by receiving d1 from the cloud 104, where the data subscriber 106 receives the result of the computation performed using the tmsted encrypted biometric partial template 210 and the captured encrypted biometric partial template 226. Alternatively, the cloud 104 computes d by receiving d0 from the data subscriber 106, where the cloud 104 receives the result of the computation performed using the tmsted encrypted biometric partial template 208 and the captured encrypted biometric partial template 222.
4. Finally, the data subscriber 106 outputs either the authentication result of “1” or “0” from having received a similarity match score determined from the computations performed using the respective inputs of the captured encrypted biometric partial template 222 and the tmsted encrypted biometric partial template 208; and the computations performed using the respective inputs of the captured encrypted biometric partial template 226 and the tmsted encrypted biometric partial template 210, which indicates the authentication result.
4 3 Security Analysis
[061] The proposed P2BA applies the distance-preserving transformation (DPT) scheme in Section 3.2.2 and secure distance computation protocol (GSHADE) in Section 3.3, hence its security depends on the security of these underlying schemes. Security against Passive Attack-I
[062] In our P2BA, the data owner 102 encrypts the trusted biometric templates 212 with DPT scheme. This should ensure that the encrypted biometric templates stored by the cloud 104 (and the data subscriber 106) will not leak the plaintext biometric templates. P2BA thus should also ensure that the fresh submitted biometric features 140 used during authentication will not leak the biometric feature in plain.
Theorem 3: The proposed P2BA is secure against Passive Attack-I (PA-I) if the underlying DPT scheme is secure against PA-I.
Proof Sketch: The proof follows the similar approach as described in “Passbio: Privacy-preserving user-centric biometric authentication” by Zhou, K. and Ren, J, IEEE Transactions on Information Forensics and Security 13(12), 3050-3063 (2018). Suppose there exists an algorithm that can reveal the biometric features, then there is an adversary
Figure imgf000022_0014
who can use the algorithm to have the advantage in its game.
1. Given a system parameter"· PM,
Figure imgf000022_0004
first generates two random biometric features
Figure imgf000022_0006
and
Figure imgf000022_0005
. which are both in the same n-dimension vector.
2. The challenger
Figure imgf000022_0016
runs MKGen(PM) to generate master secret key msk .
Figure imgf000022_0017
then runs KeyGen(PM, msk, i ) to generate a secret key ski for DPT encryption.
3. C randomly chooses a bit b ∈ {0,1} and computes the encrypted biometric features
Figure imgf000022_0001
Figure imgf000022_0002
returns
Figure imgf000022_0003
4. outputs a bit b'. wins the game if b' = b. The advantage of
Figure imgf000022_0018
has in the above game is defined as
Figure imgf000022_0015
which indicates
Figure imgf000022_0013
has the ability to reveal belongs to
Figure imgf000022_0008
or
Figure imgf000022_0009
. so
Figure imgf000022_0011
can
Figure imgf000022_0012
Figure imgf000022_0010
break the DPT scheme.
Security against Passive Attack-II
[063] In practice, the adversary may gather some users' biometric templates that previously stored somewhere. Our P2BA should not allow the adversary to learn any extra information. For instance, although the adversary has some users' biometric templates and the encrypted
Figure imgf000022_0007
biometric templates where the adversary should not be able to
Figure imgf000023_0001
Figure imgf000023_0002
learn its corresponding secret key ski ID and other users' biometric templates x in the set of .
Figure imgf000023_0003
Figure imgf000023_0004
Theorem 4: Our P2BA is secure against Passive Attack II (PA-II) if each of the user biometric template is encrypted with unique secret key ski ID and the underlying DPT scheme is secure against PA-I.
Proof Sketch: The proof follows the security proof against PA-I. Besides, each of the user biometric template is encrypted using unique secret key ski ID. which prevents the successful attacks described in Section 3.2.3.
Security against Active Attack
[064] Our P2BA should be secure against the adversary being able to collude with both the data subscriber 106 and the cloud 104. In practical, the adversary can access the trusted device as a trusted oracle to submit the encrypted biometric features. Since the adversary is colluded with both the data subscriber 106 and the cloud 104, the adversary has the knowledge of the encrypted biometric templates and observes the encrypted biometric features being exchanged. Our P2BA should not allow the adversary to gain any extra information even with the access of the oracle.
Theorem 5: Our P2BA is secure against Active Attack (AA) if the underlying secure distance computation protocol (GSHADE) leaks no information other than the distance between the encrypted biometric features.
Proof sketch: The proof follows the security of GSHADE as in Theorem 2. The adversary on input biometrics to the oracle and outputs the encrypted biometric features can be perfectly simulated
Figure imgf000023_0005
by sending random values. If there exists an algorithm that can recover it means the algorithm
Figure imgf000023_0006
can break the security of GSHADE, which contradicts Theorem 2.
5. Evaluation and Implementation
[065] We provide performance analysis using the biometric template recognition systems 100, 200 of Figures 1 and 2 for both facial and fingerprint biometric authentication. Both analyses were conducted on an Intel Core i7-8700 CPU @3.20GHz with 8GB RAM. The facial biometric template is of dimension 128, with each component a real number between -1 and 1. The fingerprint biometric template applies the Fingercode feature extractor described in “A multichannel approach to fingerprint classification” by Jain, A.K., Prabhakar, S., Hong, L, IEEE transactions on pattern analysis and machine intelligence 21(4), 348-359 (1999); and “Filterbank-based fingerprint matching” by Jain, A.K., Prabhakar, S., Hong, L., Pankanti, S, IEEE transactions on Image Processing 9(5), 846-859 (2000). Each template is of dimension 640, with each component consisting of a single byte. The experimental results in Table 1 are based on the split-then-encrypt approach along with the Euclidean distance metric for authentication.
Figure imgf000024_0001
[066] Operation of the biometric template recognition system 300 is next discussed below with reference to Figures 3 and 4. Similar to the biometric template recognition system 200 of Figure 2, the biometric template recognition system 300 of Figure 3 authenticates based on encrypted partial biometric templates. However, as mentioned above, the biometric template recognition system 300 uses an encrypt-then-split construction. Each of the derived and encrypted biometric templates 312 are split into two or more copies 308, 310 where one copy 310 is given to a cloud service provider 104 and the other copy 308 to organisations that subscribe (such as the data subscribers 106) to the authentication services. During verification, captured encrypted biometric partial templates, derived from a captured biometric feature 140, can be tested with corresponding trusted encrypted biometric partial templates 308 hosted by the data subscribers 106. Our common cryptography protocol (also adopted in the biometric template recognition systems 100 and 200 of Figures 1 and 2, where two parties, each with private vector inputs, securely compute if the private vector inputs are sufficiently similar) computes a partial result where if the computed distance is over a predefined threshold, the result is a no match. Only when the result is ambiguous will a second computation involving the cloud provider 104 be required to perform authentication. The advantages of splitting the encrypted biometric complete template 312 is two-fold. The first is that each split portion 308, 310 of a biometric template has a smaller dimension compared to its entirety. As such, this enables early rejection of non-matching biometrics during the authentication phase. The second advantage is to ensure no single entity has in possession the full raw biometric template of any user, addressing the risk of original features or images being reconstructed from raw biometric templates. On the other hand, encryption circumvents reconstructing a user's features, should there be leakage of an encrypted biometric partial template.
[067] Figure 3 illustrates the operation of the biometric template recognition system 300 during setup and registration phase. In this phase, four tasks are performed: ©generate cryptography keys; ©encrypt-then-split the raw biometric templates; ©generate subscriber template for every subscriber; and © deliver user key for every registered user device. [068] The first task ®sees the data owner 102 perform key generation to obtain a master key 330. The data owner 102 uses the master key 330 to derive secret keys 332, one for each m of users 108. The second task © sees the data owner 102 encrypt a stored raw biometric template with the secret key 332, followed by splitting into two partial copies. One partial copy of the encrypted output is provided to the cloud 104 as a trusted encrypted biometric partial template 310.
[069] Before the other partial copy (i.e. the remainder) of the encrypted output is provided to the data subscriber 106, it is encrypted again with a data subscriber key 334 derived from the secret key 332, during the third task (3). The data subscriber 106 thus receives a trusted encrypted biometric partial template 308, which when compared to the trusted encrypted biometric partial template 310 received by the cloud 104, has a further layer of encryption attributable to the data subscriber key 334. That is, for every i data subscriber 106, the data owner 102 encrypts again a portion of output from its encrypt and split operation using a respective data subscriber key 334 that is derived from the user key 332. This reduces risk of leakage of full templates if one parly's (i.e. either the data subscriber 106 or the cloud 104) trusted encrypted biometric partial templates are compromised. Furthermore by doing so, it is possible to first perform matching based on the trusted encrypted biometric partial template 308 hosted by the data subscriber i, reducing the computation and communication cost during the authentication phase in the event of an early rejection. The implementation is discussed in Section 11. [070] In the fourth task 4, user devices 124 obtain the secret key 332.
6. PBio scheme definitions
[071] The biometric template recognition system 300 of Figures 3 and 4 is hereafter interchangeably referred to as “PBio”. This section provides an overview of algorithms used in PBio:
- Setup: This algorithm is ran by a data owner. On input security parameter lk. it outputs system parameter PM.
- MKGen : On input PM, it generates a master secret key msk, for the data owner.
- KeyGen: On input (PM, msk ) and the user unique identity ID, it generates a user secret key sklD.
- Enc: On input (PM, s/c;D) and user biometric templates inn-dimension of vector x; = {xj, ··· , x„}. it computes an encrypted vector in n-dimension cID .
- ReEnc: On input (PM, skID, cID) and subscriber identity i, it computes a re-encrypted vector cID i .
- EncT On input (PM, skID, i ) where i is optional, and a threshold t that serves to authenticate a person, it computes an encrypted threshold tID i .
- Ver: On input PM, a tuple of encrypted vectors (c0, cy) which is encrypted with the same sk, and authenticated threshold value t, it computes their distance d. The output is "1" if d < t and "0" if otherwise (e.g .d > t or authentication failure). 7. PBio Building Blocks
[072] The building blocks used in the biometric template recognition system 300 is described below. A biometric recognition scheme to extract features and construct templates from raw biometric information (e.g. fingerprint, face, iris) is deployed. A distance-recoverable encryption is used to encrypt these templates. For authentication, a secure distance computation mechanism is used.
7 1 Biometrics Recognition Scheme
[073] The biometric template recognition system 300 uses feature extraction to transform raw biometric traits (e.g., fingerprints, voice patterns, facial patterns, iris, etc.) into templates. The extracted features are then called feature vectors with n elements.
[074] Given two feature vectors x = ( 1 , · · · , xn ) and , one metric of matching is the
Figure imgf000026_0002
squared Euclidean distance, which is defined as:
Figure imgf000026_0001
The authentication result is based on the Squared Euclidean distance in relation to the defined threshold t. In particular,
Figure imgf000026_0003
and belong to the same person if and only if
Figure imgf000026_0004
Figure imgf000026_0005
which indicates a match. A lower value of t means the system requires higher similarity to pass. We define a biometric recognition scheme as consists of the following components:
- Ext: On input a raw biometric trait, it outputs a feature vector x
- Dist: On input two feature vectors
Figure imgf000026_0006
. it outputs a distance
Figure imgf000026_0007
- Match: On input a threshold t and d, it outputs “1” if d < t2 and “0” otherwise.
[075] This adopted biometric recognition scheme has the biometric template recognition system 300 using the same encryption for the captured encrypted biometric template (partial versions 422 and 426, see Figure 4) and the trusted encrypted biometric template (partial versions 308 and 310, see Figure 3), which is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved. One of the two encrypted data points is a feature vector from the trusted encrypted biometric template, with the other encrypted data point being a corresponding feature vector from the captured encrypted biometric template. The two plaintext data points refer to the two encrypted data points before encryption. The distance recoverable transformation is discussed in greater detail below.
7,2 Distance-Recoverable Encryption
[076] The biometric template recognition system 300 utilises distance-recoverable encryption (DRE) to calculate the distance between two encrypted data points such that the distance between two plain data points is equal to the distance between the corresponding two encrypted data points, i.e. Dist(x,y ) = Dist(E(x),E(y )).
[077] The DRE used in the biometric template recognition system 300 may, for example, be based on a distance-preserving transformation instantiated with orthogonal matrices.
Orthogonal Matrix
[078] An orthogonal matrix M is an x n square matrix such that its inverse and transpose are equal, i.e. M-1 = MT. M satisfies the following properties:
- Identity transformation: M and MT commute such that MTM = MMT = /, where / is the identity matrix.
- Product transformation: Given M = M0M1 , if M0 and M1 are orthogonal matrices, M is also an orthogonal matrix.
- Preservation of length: Given two pairs of vector and , their respective Euclidean
Figure imgf000027_0007
Figure imgf000027_0008
distances are equal as given by
Figure imgf000027_0006
Distance-Preserving Transformation (DPT)
[079] Let E (·,·) be an encryption function with the input of n -dimension vector
Figure imgf000027_0005
and secret key
Figure imgf000027_0004
that outputs an encrypted vector
Figure imgf000027_0003
such that M is an n x n orthogonal matrix,
Figure imgf000027_0009
is a random vector, and w is a scale factor. The distance between two encrypted vectors
Figure imgf000027_0002
is as follows:
Figure imgf000027_0001
Proposition 1: E is collision-free under the same secret key.
Figure imgf000028_0011
Security of DPT
[080] DPT may be broken by solving a large linear equation system, if an adversary obtains sufficient pairs of plaintexts and ciphertexts (see “An attacker's view of distance preserving maps for privacy preserving data mining” by Liu, K., Giannella, C., Kargupta, H, European Conference on Principles of Data Mining and Knowledge Discovery pp. 297-308, Springer (2006)). As shown in “Secure kNN computation on encrypted databases” by Wong, W.K., Cheung, D.W.I., Kao, B., Mamoulis, N, Proceedings of the 2009 ACM SIGMOD International Conference on Management of data, pp. 139-152 (2009), such DPT scheme can resist ciphertext-only attack. To overcome the weakness of DPT, we ensure that every user will use different encryption key sk. Furthermore, different fingerprints (e.g. thumb finger and index finger) of the same person may also be encrypted with different keys. Basically, we use DPT like “OneTime Pad". In legitimate usage, the encryption key will never be re-used for different objects.
Theorem 6 (Security of our DPT): Let and
Figure imgf000028_0002
denote two points in the plaintext domain, and c is any
Figure imgf000028_0001
valid ciphertext generated using our DRE where the encryption key is randomly chosen from its domain. We have
Figure imgf000028_0003
which means a single ciphertext leaks no information of the plaintext.
Let real number t e (0,1) be the threshold. Given a ciphertext, there are at least l/t” number of possible plaintexts under distinct encryption keys, such that the distance between every two plaintexts is at least 2 t.
Proof:
Part I.
Recall that our DRE is
Figure imgf000028_0004
where and w is a scale factor. Let encryption key and ciphertext
Figure imgf000028_0005
Figure imgf000028_0006
Figure imgf000028_0007
Figure imgf000028_0008
we have
Figure imgf000028_0012
Therefore, we show that the conditional probability
Figure imgf000028_0009
is independent on x:
Figure imgf000028_0010
Figure imgf000029_0001
where #w denotes total number of possible scaling factor, #M denotes total number of possible orthogonal matrix of dimension as indicated in our DPT scheme, and #sk denotes the total number of possible encryption keys in our scheme. As a result, for any two distinct plaintexts x and y, we have
Figure imgf000029_0002
Part II.
Figure imgf000029_0004
Let t be the threshold. We request the distance between the two points x and y to be larger than 21, so they cannot represent the same bio-object. Then we count how many such distinct points with pairwise distance > 2t . Within the n -dimension cube [-1.0, 1.0]” , each person's biometric measurement could be treated as a n-dimension sphere with center u and radius t, where u is the measurement of the dimension during the registration phases. So, the total number N of such n- dimension sphere is
Figure imgf000029_0003
For example, in our experiment, t = 0.6.
7 3 Secure Distance Computation
[081] The biometric template recognition system 300 is based on a protocol (see “GShade: faster privacy-preserving distance computation and biometric identification” by Bringer et al, Proceedings of the 2nd ACM workshop on Information hiding and multimedia security, pp. 187-198 (2014)) which allows two parties, a sender s and a verifier V , to securely compute the distance of two biometric features. It guarantees one party does not get more information about the other party's inputs than what can be deduced from its own inputs and outputs. A central building block for the secure distance computation of GSHADE is oblivious transfer (OT). Oblivious transfer is an interactive protocol whereby the sender has a number of messages, and the receiver wishes to obtain a specific one, without the sender knowing which it is, while also ensuring that the receiver gets no information about the other messages which the sender holds.
[082] In brief, let and with
Figure imgf000029_0005
Figure imgf000029_0006
are n = k x 1-bit integer vectors. Three functions are defined where
Figure imgf000029_0007
Figure imgf000029_0008
and j = 1, ··· ,1.
S and V run the protocol as follows: - S and V on input
Figure imgf000030_0008
and
Figure imgf000030_0009
respectively
- S chooses n random values
Figure imgf000030_0007
For each i = 1, ··· , n, S and V engage in a where
Figure imgf000030_0010
- Vs selection bit is xt
- S' s input is
Figure imgf000030_0001
- The output obtained by
Figure imgf000030_0002
- V computes and outputs
- S computes and outputs
Figure imgf000030_0003
- At the end, either S or V leams the distance by computing Dist(x, y) = T - R = d
Secure Comparison Protocol
[083] GSHADE allows one to add on GMW protocol (see “How to play any mental game, or a completeness theorem for protocols with an honest majority” by Shafi Goldwasser. 1987, Proc. the Nineteenth Annual ACM STOC’87 (1987), 218-229), which on input the partial results T, R and a threshold t, to compute T — R = d and check if d ≤ t2 in a secure manner where one does not leam the distance.
Theorem 8 Security is proven by simulation in the OT-hybrid setting, where OT s are simulated by a trusted oracle. We recall that each simulator is provided with the input and output of the corrupted parly. Case 1: V is corrupted. Since V receives no messages beyond those in OT, its view can be perfectly simulated. Case 2: S is corrupted. Given Vs output T and input
Figure imgf000030_0006
, S' s view can be perfectly simulated by sending random values
Figure imgf000030_0004
and
Figure imgf000030_0005
to S in the OT s.
[084] In the case of the biometric template recognition system 300, the sender S refers to the device 124 using the captured encrypted biometric template (partial versions 422 and 426, see Figure 4), while the verifier V refers to the host of an authentication module (the data subscriber 106 when it is sufficient to only consider the partial template 308, and the data subscriber 106 in communication with the cloud 104 when both the partial templates 308 and 310 need to be considered) using the trusted encrypted biometric template (partial versions 308 and 310). The authentication module receives the authentication result returned from determining a similarity match score between the captured encrypted biometric template and the trusted encrypted biometric template, the determination being based on at least: computation performed at the authentication module with the trusted encrypted biometric template as input; and computation performed at the device 124 with the captured encrypted biometric template as input. 8. PBio: Construction
[085] We first define BR = {Ext, Dist} to be any biometric recognition scheme based on Euclidean distance where a raw biometric image from ID is provided to BR to extract a vector, such that , and GSHADE(·,·) → d (see section 7.3 above) be a secure distance
Figure imgf000031_0001
computation protocol that on input two vectors, outputs the distance d. In addition, we define a pseudorandom permutation function PRP(·,·), which is run during the encryption Enc(·). PRP(·,·) allows the data owner to reorder the user biometric templates where n is the
Figure imgf000031_0002
dimension of vector. The proposed scheme consists of a tuple [Setup, MSKGen, KeyGen, Enc, EncT, ReEnc, Ver} as follows.
- Setup(lk): It uses DRE to generate pseudorandom orthogonal function
Figure imgf000031_0003
pseudorandom vector function pseudorandom scale function PRFW(·) → w ∈
Figure imgf000031_0004
[1.0, 2.0], and pseudorandom permutation function PRP(·,·) which reorders the given vector based on the given secret and ID. The three PRF functions should have the same common input such as a secret key and ID, and PRP function should have an additional input such as a vector. The final output is a system parameter
Figure imgf000031_0017
As such, the distance recoverable transformation comprises one or more of a pseudorandom orthogonal function; a pseudorandom vector function; a pseudorandom scale function; and a pseudorandom permutation function.
- MSKGen(PM): It randomly returns a master secret key
Figure imgf000031_0016
- KeyGen(PM , msk, ID) : This algorithms nm> a keyed-hash message authentication code HMAC with the input of msk, user unique identity ID, and a timestamp time to generate a user secret key skID. As such, the secret key skID depends on any one or more of: the one or more pseudorandom functions used in the distance recoverable transformation; the biometric template dimension; and the user identity details.
Figure imgf000031_0014
This algorithm runs
Figure imgf000031_0015
and
Figure imgf000031_0013
. It then runs
Figure imgf000031_0012
and the encrypted vector is then generated such that
Figure imgf000031_0018
Figure imgf000031_0007
: This algorithm runs
Figure imgf000031_0008
and It then runs .and the encrypted vector is then
Figure imgf000031_0006
Figure imgf000031_0005
generated such that
Figure imgf000031_0019
Figure imgf000031_0011
This algorithm runs where i
Figure imgf000031_0009
is optional. It then encrypts a threshold
Figure imgf000031_0010
: An interactive protocol GSHADE that is run by party A and B where A on
Figure imgf000032_0002
input and B on input At the end of the protocol, either one party can receive the "1"
Figure imgf000032_0003
Figure imgf000032_0004
or "0" which indicates the authentication result, such that BR. Match(tID, d) = "1" or "0".
Correctness: Given the same system parameter PM, the following verification always holds:
Figure imgf000032_0005
9. PBio System
[086] There are three phases in the operation of the biometric template recognition system 300: (1) setup phase, (2) registration phase, and (3) authentication phase.
9.1 Setup Phase
[087] In the setup phase, the data owner 102 has a set of biometric templates, which is pre-collected from all the users 108, such that the users 108 have registered their identity idu along with their raw biometric Biou (e.g. fingerprints, face) with the data owner 102.
[088] Firstly, the data owner 102 runs setup and the master key generation functions to generate system parameter Setup
Figure imgf000032_0001
1 → PM and master secret key MSKGen(PM) → msk (see the master key 330 in Figure 3).
[089] The data owner 102 then applies a biometric recognition scheme BR (e.g. fingercode for fingerprints) to extract the biometric feature and stores the biometric template BR(Biou) →
Figure imgf000032_0006
[090] For every user 108 with unique identity ID, the data owner 102 runs key generation to generate user secret key KeyGen(PM, msk, ID) → skID (see the secret key 332 in Figure 3). The data owner 102 stores (skID,W, time) in a user table Table,j.
[091] For every user biometric template
Figure imgf000032_0007
where m is the total number of users 108, the data owner 102 generates the encrypted database by running ,
Figure imgf000032_0008
resulting in storage of a plurality of trusted encrypted biometric templates 312 (in complete form). [092] The data owner 102 splits the encrypted database into two parts e.g.
Figure imgf000032_0009
The first part will be applied during the registration phase, where the data owner 102 transmits
Figure imgf000032_0010
one of the partial templates to the data subscriber 106 (namely the trusted encrypted biometric partial template 308, see Figure 3). The second part is outsourced to the cloud 104, where the data owner 102 transmits the other partial template to the cloud 104 (namely the trusted encrypted biometric partial template 310, see Figure 3).
9.2 Registration Phase
[093] The registration phase involves: (a) subscriber registration and (b) user registration. In precise, a new data subscriber 106 may register and receive the trusted encrypted biometric partial template 308, while a new user 108 may register a device 124 to install the secret key 332 for authentication service. The details of the registration protocol are described below.
9.2.1 Registration Protocol Input:
- The data owner 102 inputs the encrypted partial database and the user table Table
Figure imgf000033_0001
u
- Subscriber i (one of the data subscribers 106) inputs the proof of identity
- User 108 inputs the unique identity ID along with the proof
Output:
- Subscriber i obtains the subscriber i encrypted template
Figure imgf000033_0002
- User obtains the user key skID
Protocol:
1. The protocol can be initiated by the data subscriber 106 in (a) or the user 108 in (b): a. The data subscriber 106 contacts the data owner 102 to request a copy of encrypted template. We assume the data subscriber 106 will proof the subscription in a secure manner. b. The user 108 request the user key skID by giving a proof of identity.
2. Upon receiving the request from either (a) or (b), the data owner 102 performs the following steps respectively: a. The data owner 102 verifies the provided subscription and generates the subscriber i encrypted template by running
Figure imgf000033_0003
using every user
Figure imgf000033_0004
secret key skID (see the secret key 332) and encrypted partial templatec
Figure imgf000033_0005
This results in the data subscriber 106 retrieving a plurality of trusted encrypted biometric partial templates 308, each having a layer of encryption attributable to the data subscriber key 334, each of the data subscriber keys 334 being derived from a secret key 332. b. The data owner 102 verifies the user 108 identity and embeds skID (see the secret key 332 in Figure 3 at the user 108 end) into the user registered device 124. In the case where the device 124 is a mobile phone, the secret key 332 may be embedded through the installation of an application.
[094] The data owner 102 thus acts as a data repository configured to provide a trusted encrypted biometric template associated to a user 108, provided to the cloud 104 as the trusted encrypted biometric partial template 310 and to the data subscriber 106 as the trusted encrypted biometric partial template 308. The encryption used in the trusted encrypted biometric template (in complete form) is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved. One of the two encrypted data points is a feature vector from the trusted encrypted biometric template and the other is a corresponding feature vector from a captured encrypted biometric template associated to the user 108, with the two plaintext data points being the two encrypted data points before encryption. With reference to Figure 4, the captured encrypted biometric template is a complete template from which the captured encrypted biometric partial template 426 and the captured encrypted biometric partial template 422 are derived.
[095] With the trusted encrypted biometric template and the captured encrypted biometric template having the same encryption, authentication of the user 108 occurs from determining whether a similarity match score is below a threshold value, the determination being based on at least: computation performed with the trusted encrypted biometric template as input (specifically the captured encrypted biometric partial template 422 and the captured encrypted biometric partial template 426); and computation performed with the captured encrypted biometric template the captured encrypted biometric partial template 422 as input (specifically the trusted encrypted biometric partial template 308 and the trusted encrypted biometric partial template 310) as input.
9.3 Authentication Phase
[096] Figure 4 illustrates the operation of the biometric template recognition system 300 during the authentication phase. In this phase, six tasks are performed: © encrypt-then-split freshly submitted biometric features to produce two sets of partial features; © generate subscriber encrypted features on the set of partial features intended for the data subscriber, the generated subscriber encrypted features being further encrypted using a data subscriber encryption key; © verily the subscriber encrypted features from task ©; © reject if the verification of task © returns an invalid result; © proceed to verify the remaining set of partial features from task ®; © combine the final authentication result from task ©, if the verification of task © returns a valid result, and task ©. [097] In the authentication phase, the building blocks described in section 7 are used to perform authentication in a secure manner. At the end of the protocol, the user device 124 obtains a one-bit authentication result. The details of the authentication protocol is described below.
9.3.1 Authentication protocol
Input:
- User inputs freshly captured biometric image Biou along with his ID and skID
- Subscriber i inputs the subscriber i encrypted template that belongs to the user ID
Figure imgf000035_0001
- Cloud inputs the encrypted partial template
Figure imgf000035_0002
that belongs to user ID
Output:
- Both the user and subscriber obtain the authentication result
Protocol:
1. The user 108 scans his biometric image Biou with the provided tamper-proof device 124. The device then runs BR.Ext(Biou ') → yID to extract the feature vector and runs to generate the captured encrypted biometric template (in
Figure imgf000035_0003
complete form). With reference to section 9.1 above (Setup Phase), the same encryption scheme is used for both the captured encrypted biometric complete template and the trusted encrypted biometric complete template 312. This encryption scheme has the captured encrypted biometric complete template and the trusted encrypted biometric complete template 312 generated based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved. One of the two encrypted data points is a feature vector from the trusted encrypted biometric complete template 312, with the other encrypted data point being a corresponding feature vector from the captured encrypted biometric complete template. The two plaintext data points refer to the two encrypted data points before encryption. The device 124 also provides identity details of the user 108 requesting authentication, so that matching against the correct trusted encrypted biometric complete template 312 associated to the user can be performed (through the data subscriber 106 retrieving the trusted encrypted biometric partial template 308 and the cloud 104 retrieving the trusted encrypted biometric partial template 422.
Additionally, the device 124 splits the captured encrypted biometric features into two parts 440 and 426, where . The device re-encrypts (i.e. the partial
Figure imgf000035_0004
Figure imgf000035_0005
template 440) by miming to generate a captured
Figure imgf000036_0001
encrypted biometric partial template 422. The device 124 then runs the verification protocol to authenticate the user 108 with the data subscriber 106 to compute the first partial distance do where the device 124 has input
Figure imgf000036_0002
(i.e. the captured encrypted biometric partial template 422) and the data subscriber 106 has input (the trusted encrypted biometric partial template 308). That is, one computation
Figure imgf000036_0003
is performed at the device 124 with the captured encrypted biometric partial template 422 as input. Another computation is performed at the data subscriber 106 with the trusted encrypted biometric partial template 308 as input, the data subscriber 106 having retrieved the trusted encrypted biometric partial template 208 from the data owner 102 as discussed under item 1 above. The captured encrypted biometric partial template 422 and the trusted encrypted biometric partial template 308 have corresponding feature vectors. The device 124 verifies the first part of authentication, which provides a partial result, and proceeds if and only if . For the device 124 to compute this
Figure imgf000036_0007
partial result, the computation performed at the data subscriber 106 with the trusted encrypted biometric partial template 308 as input is transmitted to the device 124. A negative partial result stops the process and causes the return of the lack of a match between the trusted encrypted biometric partial template 308 and the captured encrypted biometric partial template 422 through the device 124 returning the authentication result as "0" to the data subscriber 106. In response to a positive partial result being returned, the second partial distance d1 is run with the cloud 104 where the device has input and the cloud 104 has input .
Figure imgf000036_0004
Figure imgf000036_0005
That is, one computation is performed at the cloud 104 with the trusted encrypted biometric partial template 310 as input, the trusted encrypted biometric partial template 310 being a remainder of the trusted encrypted biometric complete template (i.e. the trusted biometric templates 312 after encryption, less the trusted encrypted biometric partial template 308). Another computation is performed at the device 124 with the captured encrypted biometric partial template 426 as input, the captured encrypted biometric partial template 426 being a remainder of the captured encrypted biometric complete template (i.e. the captured biometric template after encryption, less the captured encrypted biometric partial template 422). These two additional computations seek to determine the similarity between the trusted encrypted biometric partial template 310 and the captured encrypted biometric partial template 426. The device 124 obtains from the cloud 104 transmitting the result of its
Figure imgf000036_0006
computation performed with the trusted encrypted biometric partial template 310 as input,
Figure imgf000037_0001
4. Finally, the device 124 replies the authentication result "1" or "0" to the data subscriber 106.
10. Security of PBio
10.1 Security Models
[098] We follow classical security formulation in “Efficient Zero-Knowledge Authentication Based on a Linear Algebra Problem MinRank” by Nicolas T. Courtois, 2001, ASIACRYPT. 402-421 for an authentication scheme, which includes correctness, soundness, and optionally, zero-knowledge. We remark that the correctness definition for biometric authentication is slightly different from transitional definition, since a legitimate user might be rejected with a small probability - the definition of false rejection rate or false negative rate, due to the noise in measurements of biometric feature. In real world scenarios, the user may re-try after some adjustment (e.g. adjust face angle, clean the finger).
[099] In the biometric template recognition systems 300, every secret key skID (see reference numeral 332 in Figure 3) used to encrypt the biometric templates obtained from the biometric features 140 captured for every user 108 is derived from a master secret key msk owned by the data owner 102. The trusted encrypted biometric templates (in partial form) are stored by the cloud provider 104 or the data subscribers 106. We allow collusion between the cloud 104 and the data subscribers 106. The goal of the adversary is to masquerade a victim user and be accepted by the authentication solution under the victim's name (i.e. breaking soundness property), or to leam some secret information of victim's raw biometric feature via our authentication system (i.e. breaking the zero- knowledge property).
[100] We emphasize that an authentication scheme will suffer from online brute-force attack, since it always leaks at least 1 bit information — accepting or rejecting a user, even if a matching scheme contains some cryptography primitive (e.g. “Privacy-Preserving Face Recognition with Outsourced Computation” by Can Xiang, Chunming Tang, Yunlu Cai, and Qiuxia Xu, 2016, Soft Comput. 20, 9 (Sept. 2016), 3735-3744), which is semantic secure. In other words, semantic secure building blocks in authentication scheme may be an overkill.
10.2 Security Analysis
[101] The proposed PBio schemes apply the distance-preserving transformation (DPT) scheme in Section 7.2 and secure distance computation protocol (GSHADE) in Section 7.3. Hence, its security depends on the security of these underlying schemes. [102] Besides, we also provide the insight of security analysis to different forms of splitting, such as splitting arrangement is public information, splitting arrangement is secret, and splitting arrangement is secret and dummy dimensions are added to raw biometric template templates.
Proposition 2 [Correctness]: Our authentication solution is proposed correct, i.e. any legitimate user who is following our authentication solution exactly, will be accepted, except a small probability (i.e. the false negative rate of biometric feature). This proposition follows directly from the property of DRE and correctness of GSHADE.
Theorem 7 (Zero Knowledge Proof): After interacting with a user Alice by executing our protocol for many times, both the cloud provider 104 and the subscriber i (i.e. the data subscriber 106) learn nothing about the user's 108 biometric raw data, beyond the ciphertext.
Sketch Proof of Theorem 7: The two-party secure computation GSHADE does not leak useful information to Cloud/Subscriber. This security guarantee is derived from the privacy of the underlying oblivious transfer protocol as there is no other message being exchanged during the protocol. The proof follows from Theorem 8.
Theorem 8 (Soundness): Probabilistic polynomial time adversary (even colluded with some subscribers 106 and the cloud provider 104), cannot pass our authentication with non-negligible probability.
Sketch Proof of Theorem 8: We remark that the authentication client software in user's device 124 is trusted (e.g. ARM TrustZone enabled program), and is verified by the authentication server every time, before user 108 starts to authenticate to the server. Thus, our official authentication client software is the only way to authenticate to the server, and third party authentication client software can be easily detected and rejected by authentication server.
The adversary may collude with both the cloud provider 104 and subscriber i, and thus is able to find the DRE ciphertext ct of user's bio template vector x, and observe any network communications of GSHADE.
Note that in our invocation of GSHADE protocol between authentication client software and cloud 104 (or subscriber 106), the authentication server learns only one bit information — accepting or rejecting this user 108.
Furthermore, due to Theorem 6, a single ciphertext ct does not leak any information of plaintext, i.e. the user's bio template vector x. Consequently, the adversary is unable to find an estimation
Figure imgf000039_0001
such that Dist
Figure imgf000039_0002
is smaller than the given threshold, and thus cannot pass our authentication scheme.
11. Implementation and Evaluation
11.1 Prototype Implementation
[103] The result of implementing the biometric template recognition system 300 with four machines to represent the data owner 102, the data subscriber 106, the cloud provider 104, and the user device 124 respectively are discussed below. The four machines are with the same hardware specification, which is Intel Core i7-8700 CPU @3.20GHz with 8GB RAM and two cores. We then applied a face recognition python library as the biometrics recognition scheme, which enables us to detects a face in a raw image, extracts the feature vectors, and matches the similarity later. We also applied numpy library (https://pypi.org/project/numpy/) to generate vectors and matrices and perform mathematics operation.
[104] During the setup phase, a master secret key msk was randomly selected in a 256 bits domain. We then extracted a face template database with the respective user identity based on the collected raw images from our colleagues. The template database was then encrypted following our encryption scheme. The data owner 102 generated a set of encrypted database cx which is then split into two parts , where
Figure imgf000039_0004
is stored by the cloud 104. We then generated the subscriber i
Figure imgf000039_0003
encrypted template and passed it to the subscriber 106. We also forwarded each user secret key
Figure imgf000039_0009
skID to the respective user device 124.
[105] During the authentication phase, we assumed that a user 108 would like to prove himself to an organisation of one or more of the data subscribers 106. The user 108 used his registered device 124, e.g. a laptop or a smartphone, to capture his face. The device 124 then runs a face recognition scheme to generate feature vectors
Figure imgf000039_0007
and ran our encryption scheme to generate Lastly, our matching
Figure imgf000039_0006
protocol based on GSHADE was ran between the device 124 and the cloud 104, where the device on input and the cloud 104 on input
Figure imgf000039_0005
The output of the matching protocol indicates that the similarity of the two encrypted ciphertexts are smaller than or equal to the encrypted threshold ti ID such that . The cloud 104 then forwards "1" or "0" to the organisation
Figure imgf000039_0008
to show the authentication is accepted or rejected. The organization followed the result.
11.2 Evaluation
[106] For performance evaluation purpose, we follow a similar approach, which has been commonly applied in evaluating the performance of biometric encryption, such as “Outsourceable Two-Party Privacy-Preserving Biometric Authentication” by Hu Chun, Yousef Elmehdwi, Feng Li, Prabir Bhattacharya, and Wei Jiang, 2014, Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIA CCS Ί4), Association for Computing Machinery, New York, NY, USA, 401-412; “Outsourced biometric identification with privacy” by Shengshan Hu, Minghui Li, Qian Wang, Sherman SM Chow, and Minxin Du, 2018, IEEE Transactions on Information Forensics and Security 13, 10 (2018), 2448-2463; and“Passbio: Privacy -preserving usercentric biometric authentication” by Kai Zhou and Jian Ren, 2018, IEEE Transactions on Information Forensics and Security 13, 12 (2018), 3050-3063. Firstly, a set of random vectors was generated to represent the original biometric template database because one can apply any biometric recognition schemes to extract the feature vectors in practice, hence we do not consider the time required for feature extraction in the experiment. For the remainder of this section, we denote 64-n, 128-n, 320 -n, 640-n to represent dimensions of 64, 128, 320 and 640 respectively.
[107] We randomly generated m x n vectors. This means there are m number of user in the database with n dimension of biometric feature vector. The experimental results in Table 2 show the encryption time required for m x n biometric template database.
Figure imgf000040_0001
[108] Note that the encryption time is for the first layer encryption only. We require additional encryption for every subscriber in half of the dimension. For example, if we apply face recognition scheme that consists of 128-n dimension for a template, the encryption time took approximate 1.14 ms per user. In the biometric template recognition system 300, we split n into half after the first layer encryption and we re-encrypt the second layer encryption in 64-n dimension. Hence, there is an additional 0.61ms required for every user, which indicates that the biometric template recognition system 300 requires 1.74ms encryption time. We summarise the encryption time per user in Table 3. We notice that the encryption time increases with the dimensional size of a template.
Figure imgf000040_0002
[109] Table 4 summarises the various sizes of biometric templates. The size of the original database and the encrypted database are the same because our encryption technique transforms an original value into a random value, e.g. a biometric template in 128-n dimension and its encrypted template are both in 1024 bytes (B).
Figure imgf000041_0001
[110] We then analyse the verification time of PBio in Table 5. In the experiment, the fresh submitted biometric features with 128-n was first encrypted into a subscriber encrypted features, which is two layers encryption in 128-n and 64-n, and then we applied GSHADE for the secure distance computation. PBio took approximate 3.26 ms + 21 in total for the verification where f is the network latency for GSHADE. We noticed that f is very dependent on the network itself. In our environment, we first tested in our local machine which achieved the result in Table 5. We then connected the machines over the internet and estimated that f is 59ms in our internet environment.
Figure imgf000041_0002
[111] One of the merits with the partial verification is to achieve early rejection. For example, in the situation where a negative partial result is obtained (see item 2 under Section 9.3.1), the verification process can terminate without proceeding to perform complete verification (see item 3 under Section 9.3.1). This reduces cost of the communication and network latency f. A LFW dataset with the test case in http://vis-www.cs.umass.edu/lfw/pairsDevTest.txt was extracted, which consists of 409 pairs are true positive and 444 pairs are true negative. In the plain manner, we first set the threshold as 0.6 and we noted that 402 out of 409, which shows 98.29% of them is true positive, and 442 out of 444, which shows 99.55% is true negative. With the biometric template recognition system 300, we also had the same accuracy in both the true positive and true negative result, and we achieve the early rejection with 190 out of 442, which is 42.99% in the non-matched results.
11.3 Comparison
[112] As shown in Table 6, we compare the encryption performance for 128-n dimension among the previous works“Outsourceable Two-Party Privacy-Preserving Biometric Authentication” by Hu Chun, Yousef Elmehdwi, Feng Li, Prabir Bhattacharya, and Wei Jiang, 2014, Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIA CCS Ί4), Association for Computing Machinery, New York, NY, USA, 401-412; “Outsourced biometric identification with privacy” by Shengshan Hu, Minghui Li, Qian Wang, Sherman SM Chow, and Minxin Du, 2018, IEEE Transactions on Information Forensics and Security 13, 10 (2018), 2448- 2463; and “Passbio: Privacy -preserving user-centric biometric authentication” by Kai Zhou and Jian Ren, 2018, IEEE Transactions on Information Forensics and Security 13, 12 (2018), 3050-3063.
Table 6: Comparison of Encryption Performance
Figure imgf000042_0001
[113] Note that “Outsourceable Two-Party Privacy -Preserving Biometric Authentication” by Hu Chun, Yousef Elmehdwi, Feng Li, Prabir Bhattacharya, and Wei Jiang, 2014, Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIA CCS Ί4), Association for Computing Machinery, New York, NY, USA, 401-412 was implemented using the Paillier encryption scheme (“Public-key cryptosystems based on composite degree residuosity classes” by Pascal Paillier. 1999, International conference on the theory and applications of cryptographic techniques, Springer, 223-238) with 1024-bit modulus, while “Outsourced biometric identification with privacy” by Shengshan Hu, Minghui Li, Qian Wang, Sherman SM Chow, and Minxin Du, 2018, IEEE Transactions on Information Forensics and Security 13, 10 (2018), 2448-2463; and “Passbio: Privacy-preserving user-centric biometric authentication” by Kai Zhou and Jian Ren, 2018, IEEE Transactions on Information Forensics and Security 13, 12 (2018), 3050-3063 uses an encryption scheme similar to ours. We notice that our scheme is 0.42x slower than “Passbio: Privacy -preserving user-centric biometric authentication” by Kai Zhou and Jian Ren, 2018, IEEE Transactions on Information Forensics and Security 13, 12 (2018), 3050-3063, but the ciphertext size is much lesser than them, which preserves the same database size as in the original database. Table 7 shows the comparison of the encrypted database size. The verification for each scheme is summarized in Table 8. Table 7: Comparison of Encrypted Database Size
Figure imgf000043_0001
Table 8: Comparison of Verification Performance
Figure imgf000043_0002
12. Discussion
[114] We adopt a number of additional measures in our biometric system to further enhance its security. Firstly upon registration, the data owner 102 assigns a unique key to each end-user 108. This ensures that the resulting encryption applied to each raw biometric template will be distinct for different end-users 108. Secondly, our biometric system is enabled to refresh the partial encrypted database held by the data subscriber and the cloud provider either periodically or when is it necessary. For instance, in the event a user's device 124 is lost and requires a replacement. For the remainder of this section, we provide a comparison between two feasible mechanisms for template encryption as well as a detailed discussion on the key update process.
12.1 Encrypt-then-split vs Split-then-encrypt
[115] We compare the verification performance results from our two different approaches to perform encryption of the raw biometric template: encrypt then split (the approach used in the biometric template recognition system 300 of Figures 3 and 4) and split then encrypt (the approach used in the biometric template recognition system 200 of Figure 2), n Table 9. The encrypt then split approach first encrypts the raw biometric template, then splits them into two. For the latter approach, the raw biometric template is first split and each individual split portion is subsequently encrypted.
[116] Both biometric template recognition systems 200 and 300 first compute a partial result (see item 2 under “Authentication Phase” of Section 4.2 for the biometric template recognition system 200; and item 2 under Section 9.3.1 for the biometric template recognition system 300; hereafter referred to as “Part I”) and proceeds to perform complete verification (see item 2 under “Authentication Phase” of Section 4.2 for the biometric template recognition system 200; and item 3 under Section 9.3.1 for the biometric template recognition system 300; hereafter referred to as “Part II”) if and only if Part I is successfully passed. Since split-then-encrypt approach performs encryption in half of the n-dimension, we see that split-then-encrypt approach achieves faster early rejection as the encryption needed for Part I and II can be done separately. However, the encrypt-then-split approach results in an overall faster verification time.
Table 9: Comparison of Verification Performance under Encrypt-then-split and Split-then-encrypt. f denotes the network latency
Figure imgf000044_0001
12.2 Key Update
[117] Periodic key updates of existing database help to safeguard against potential keys leakage or exposure. In addition, should a group of users' keys be compromised, a timely key update process ensure that their biometric templates are still protected. Our biometric template recognition system 300 uses an efficient key update methodology which is discussed below.
[118] Suppose a raw biometric template x; corresponds to user Ui, with initial key ki,o. Denote
E(1)(x) and E(2)(x) to be disjoint halves of encryption E(x). Let the initial encrypted template of Ui held by the cloud 104 and the data subscriber 106 to be and respectively.
Figure imgf000044_0002
Figure imgf000044_0003
When the key update for user Ui is initialized, the device 124 receives Yi, Zi from the cloud 104 and data subscriber 106 respectively. The device 124 updates the encrypted template of user Ut by performing Eki, 1Yi) and Eki , 1Zi) which are subsequently transmitted to the cloud 104 and data subscriber 106 respectively. Consequently, Ekii(Yi ) is the encrypted template of Ut with the updated key held by the cloud 104 while Ekii(Zi) is the encrypted template of Ut with the updated key held by the data subscriber 106. A potential limitation of this method is that the device 124 is required to fetch encrypted templates of the associated users 108 from the data subscriber 106 and cloud 104 whenever a key update process is called upon.
[119] One other feasible way is for the data owner 102 to be involved in the key update process. In this way, whenever a key update process is called upon for a group of users 108, the data owner 102 can simply generate new keys and send the corresponding new encrypted templates of these users 108 to the cloud 104 and data subscribers 106. The device 124 will also be notified of the generation and values of these new keys. However, this requires the data owner 102 to be online during every key update process.
[120] To overcome the above issues and limitations, we introduce a trusted key management server to be involved in the key update process. This key server can be continuously online and in one implementation is hosted in a separate terminal (not shown in Figure 3). In another implementation, the key server is hosted by the data owner 102. [121] The main role of this key server is to issue new keys whenever a key update process is initiated. When the key update for the user is initialized, the key server fetches
Figure imgf000045_0001
from the cloud 104 and data subscribers 106 respectively. With reference to Figure 3, the
Figure imgf000045_0002
key management server (not shown), in response to receipt of a command to update the secret key 332, receives the trusted encrypted biometric template that is stored by the cloud 104 (in the form of the trusted encrypted biometric partial template 310) and the data subscriber 106 (in the trusted encrypted biometric partial template 308). The key management server decrypts these encrypted templates to obtain x; , so as to retrieve a trusted raw biometric template from which the trusted encrypted biometric template is derived. Specifically, the trusted raw biometric template is constituted by a sum of the raw partial biometric templates that is retrieved from the trusted encrypted biometric partial templates 308 and 310 respectively. New keys are generated to perform a re-encryption of x; , which results from the key management server generating an updated secret key and encrypting the trusted raw biometric template with the updated secret key to obtain the new tmsted encrypted biometric template. The new keys are sent to the tmsted device 124, so that the tmsted device 124 receives the updated secret key. Additionally, the key management server transmits the new tmsted encrypted biometric template to the cloud 104 and the data subscriber 106. Since the cloud and the data subscriber 106 operate on partial templates, the new tmsted encrypted biometric template is split and sent as encrypted templates and to the cloud 104 and data subscribers 106
Figure imgf000045_0003
Figure imgf000045_0004
respectively which represent the updated tmsted encrypted partial templates. Summarising, in an event of an update of the secret key 332, each of the cloud 104 and the data subscribers 106 will retrieve a new tmsted encrypted biometric template, encrypted with the updated secret key.
13. Conclusion
[122] The biometric template recognition systems 100, 200 and 300 discussed above uses a protocol that provides security against collusion between two or more entities. For the biometric template recognition system 200 and 300, no collusion of entities can derive the full raw biometric template of any user without the secret key of the encryption. The encryption employed to obtain encrypted biometric templates is lightweight, collision-free and compatible with our splitting mechanism.
[123] While this invention has been described with reference to exemplary embodiments, it will be understood by those skilled in the art that various changes can be made and equivalents may be substituted for elements thereof, without departing from the spirit and scope of the invention. In addition, modification may be made to adapt the teachings of the invention to situations and materials, without departing from the essential scope of the invention. Thus, the invention is not limited to the examples that are disclosed in this specification, but encompasses all embodiments falling within the scope of the appended claims.

Claims

1. A biometric template recognition system comprising: an authentication module configured to: receive, from a device, identity details of a user requesting authentication, the device having a captured encrypted biometric template from the user; retrieve a trusted encrypted biometric template associated to the user through the received identity details, wherein the encryption used in the captured encrypted biometric template and the trusted encrypted biometric template is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved, one of the two encrypted data points being a feature vector from the trusted encrypted biometric template and the other being a corresponding feature vector from the captured encrypted biometric template, with the two plaintext data points being the two encrypted data points before encryption; and receive the authentication result returned from determining a similarity match score, the determination being based on at least: computation performed at the authentication module with the trusted encrypted biometric template as input; and computation performed at the device with the captured encrypted biometric template as input.
2. The biometric template recognition system of claim 1, wherein the authentication module is hosted in a cloud, and wherein the computation performed with the captured encrypted biometric template is transmitted to the cloud, so that the cloud can compute the similarity match score.
3. The biometric template recognition system of claim 2, wherein the cloud is further configured to transmit the authentication result to a data subscriber.
4. The biometric template recognition system of claim 1, wherein the authentication module is hosted in a data subscriber; wherein the trusted encrypted biometric template and the captured encrypted biometric template are partial templates of their respective complete templates, with the trusted encrypted biometric partial template and the captured encrypted biometric partial template having corresponding feature vectors; and wherein the computation performed at the data subscriber with the trusted encrypted biometric partial template as input and the computation performed at the device with the captured encrypted biometric partial template as input provide a partial result, with a negative partial result causing the return of the lack of a match.
5. The biometric template recognition system of claim 4, wherein, in response to a positive partial result being returned, the determination of the similarity match score is further based on: computation performed at a cloud with a remainder of the trusted encrypted biometric complete template as input; and computation performed at the device with a remainder of the captured encrypted biometric complete template as input.
6. The biometric template recognition system of claim 5, wherein the computation performed with the remainder of the trusted encrypted biometric complete template as input is transmitted to the device, so that the device can compute the similarity match score.
7. The biometric template recognition system of any one of the claims 4 to 6, wherein the computation performed with the trusted encrypted biometric partial template as input is transmitted to the device, so that the device can compute the partial result.
8. The biometric template recognition system of any one of the claims 4 to 7, wherein the trusted encrypted biometric partial template has a further layer of encryption compared to its complete template, the further layer of encryption attributed to a data subscriber key, wherein the data subscriber key is derived from a secret key used to generate the trusted encrypted biometric complete template.
9. The biometric template recognition system of any one of the preceding claims, wherein the distance recoverable transformation comprises one or more of a pseudorandom orthogonal function; a pseudorandom vector function; a pseudorandom scale function; and a pseudorandom permutation function.
10. The biometric template recognition system of claim 9, wherein a secret key used for the encryption depends on any one or more of: the one or more pseudorandom functions used in the distance recoverable transformation; the biometric template dimension; and the user identity details.
11. The biometric template recognition system of claim 10, wherein in an event of a secret key update, the authentication module is further configured to: retrieve a new trusted encrypted biometric template, encrypted with the updated secret key
12. The biometric template recognition system of claim 11, further comprising: a key management server configured to: transmit the new trusted encrypted biometric template to the authentication module; and transmit the updated secret key to the device.
13. The biometric template recognition system of claim 12, wherein the key management server is further configured to, before the transmission of the new trusted encrypted biometric template to the authentication module: receive the trusted encrypted biometric template, in response to receipt of a command to update the secret key; retrieve a trusted raw biometric template from which the trusted encrypted biometric template is derived; generate the updated secret key; and encrypt the trusted raw biometric template with the updated secret key to obtain the new trusted encrypted biometric template.
14. A biometric template recognition system comprising: a data repository configured to: provide a tmsted encrypted biometric template associated to a user, wherein the encryption used in the tmsted encrypted biometric template is based on a distance recoverable transformation ensuring that the distance between two encrypted data points and the distance between two corresponding plaintext data points is preserved, one of the two encrypted data points being a feature vector from the tmsted encrypted biometric template and the other being a corresponding feature vector from a captured encrypted biometric template associated to the user, with the two plaintext data points being the two encrypted data points before encryption, whereby authentication of the user occurs from determining whether a similarity match score is below a threshold value, the determination being based on at least: computation performed with the tmsted encrypted biometric template as input; and computation performed with the captured encrypted biometric template as input.
15. The biometric template recognition system of claim 14, wherein the trusted encrypted biometric template is split into two partial templates and wherein the data repository is further configured to: transmit one of the partial templates to a data subscriber; and transmit the other partial template to a cloud.
16. The biometric template recognition system of claim 15, wherein the partial template for the data subscriber has an further layer of encryption compared to the partial template for the cloud, the further layer of encryption performed at the data repository using a data subscriber key before transmission, the data subscriber key being derived from a secret key used to generate the trusted encrypted biometric template.
17. The biometric template recognition system of claim 15, wherein the splitting is performed before encryption of the raw biometric template.
18. The biometric template recognition system of claim 15 or 16, wherein the distance recoverable transformation comprises one or more of a pseudorandom orthogonal function; a pseudorandom vector function; a pseudorandom scale function; and a pseudorandom permutation function.
19. The biometric template recognition system of claim 18, wherein a secret key used for the encryption depends on any one or more of: the one or more pseudorandom functions used in the distance recoverable transformation; the biometric template dimension; and the user identity details.
20. The biometric template recognition system of claim 19, wherein the data repository is further configured to transmit the secret key for embedding into a device used to obtain the captured encrypted biometric template.
21. The biometric template recognition system of any one of the preceding claims, wherein the similarity match score is a Hamming distance or Euclidean distance between corresponding feature vectors from the captured encrypted biometric template and the trusted encrypted biometric template, with authentication occurring when the Hamming distance or the Euclidean distance is below or equal to a threshold value.
PCT/SG2021/050081 2020-02-20 2021-02-19 Biometric template recognition system WO2021167534A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
SG10202001527V 2020-02-20
SG10202001527V 2020-02-20
SG10202006187R 2020-06-26
SG10202006187R 2020-06-26

Publications (1)

Publication Number Publication Date
WO2021167534A1 true WO2021167534A1 (en) 2021-08-26

Family

ID=77391113

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2021/050081 WO2021167534A1 (en) 2020-02-20 2021-02-19 Biometric template recognition system

Country Status (1)

Country Link
WO (1) WO2021167534A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4262138A1 (en) * 2022-04-14 2023-10-18 Thales Dis France SAS Method for securing a biometric recognition of a user

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150341349A1 (en) * 2014-05-23 2015-11-26 Fujitsu Limited Privacy-preserving biometric authentication
CN106951865A (en) * 2017-03-21 2017-07-14 东莞理工学院 A kind of secret protection biometric discrimination method based on Hamming distances
US20200050794A1 (en) * 2018-08-07 2020-02-13 Microsoft Technology Licensing, Llc Securing sensitive data using distance-preserving transformations

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150341349A1 (en) * 2014-05-23 2015-11-26 Fujitsu Limited Privacy-preserving biometric authentication
CN106951865A (en) * 2017-03-21 2017-07-14 东莞理工学院 A kind of secret protection biometric discrimination method based on Hamming distances
US20200050794A1 (en) * 2018-08-07 2020-02-13 Microsoft Technology Licensing, Llc Securing sensitive data using distance-preserving transformations

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZHOU KAI; REN JIAN: "PassBio: Privacy-Preserving User-Centric Biometric Authentication", IEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, vol. 13, no. 12, 1 December 2018 (2018-12-01), US, pages 3050 - 3063, XP011684668, ISSN: 1556-6013, DOI: 10.1109/TIFS.2018.2838540 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4262138A1 (en) * 2022-04-14 2023-10-18 Thales Dis France SAS Method for securing a biometric recognition of a user
WO2023198495A1 (en) * 2022-04-14 2023-10-19 Thales Dis France Sas Method for securing a biometric recognition of a user

Similar Documents

Publication Publication Date Title
Bringer et al. Identification with encrypted biometric data
Morampudi et al. Privacy-preserving iris authentication using fully homomorphic encryption
Barman et al. Fingerprint-based crypto-biometric system for network security
JP7127543B2 (en) Matching system, method, device and program
Hu et al. Outsourced biometric identification with privacy
Šeděnka et al. Secure outsourced biometric authentication with performance evaluation on smartphones
Karabat et al. THRIVE: threshold homomorphic encryption based secure and privacy preserving biometric verification system
Zhu et al. Efficient and privacy-preserving online fingerprint authentication scheme over outsourced data
Cui et al. Enabling secure and effective near-duplicate detection over encrypted in-network storage
CN112329519A (en) Safe online fingerprint matching method
Torres et al. Effectiveness of fully homomorphic encryption to preserve the privacy of biometric data
KR102008101B1 (en) Secure biometric authentication method using functional encryption
Abidin On privacy-preserving biometric authentication
Barman et al. A novel secure key-exchange protocol using biometrics of the sender and receiver
Adjedj et al. Biometric identification over encrypted data made feasible
Tian et al. Pribioauth: Privacy-preserving biometric-based remote user authentication
Liu et al. Secure and efficient online fingerprint authentication scheme based on cloud computing
Panchal et al. Designing Secure and Efficient Biometric-Based Access Mechanism for Cloud Services
Agrawal et al. Game-set-MATCH: Using mobile devices for seamless external-facing biometric matching
Babamir et al. A multibiometric cryptosystem for user authentication in client-server networks
Ernst et al. A Framework for UC Secure Privacy Preserving Biometric Authentication Using Efficient Functional Encryption
Verma et al. A novel model to enhance the data security in cloud environment
WO2021167534A1 (en) Biometric template recognition system
Al-Hussain et al. A biometric-based authentication system for web services mobile user
CN116775755A (en) Privacy protection fingerprint identification method based on blockchain

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21758018

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21758018

Country of ref document: EP

Kind code of ref document: A1