
1 Introduction

Background. Traditionally, IDs with passwords and tokens such as cards are widely used as means of authentication. However, they are at risk of being forgotten or stolen. In contrast, biometric characteristics such as fingerprints, faces, palm veins, palm prints, irises, and retinas cannot be forgotten or stolen. Therefore, biometric authentication has an advantage over traditional means of authentication.

Biometric authentication makes use of the similarity of biometric features extracted from the same biometric characteristic. If a biometric feature presented by a client is similar enough, under some distance metric, to an enrolled biometric feature, the client is successfully authenticated by the server. Since biometric features are private information that cannot be changed once leaked, they must be protected from leakage. Moreover, impersonation must also be prevented.

Related Works. Many schemes have been proposed to protect biometric features from leakage and to prevent impersonation [16, 18]. Some of them rely on additional secret information that the client remembers (i.e., helper data) [6, 12, 13, 15] or on tokens (e.g., smart cards or devices) that the client carries [5, 14], in addition to the biometric characteristic. However, to exploit the advantage of biometric characteristics, namely that they cannot be forgotten or stolen, it is preferable not to depend on other secrets that carry exactly those risks.

Without additional secrets, some schemes [1, 3, 4, 10, 11] employ a third entity, called a decryptor, that manages a secret key in order to protect biometric features from leakage and to prevent impersonation. In the schemes in [1, 3, 4, 10, 11], the decryptor computes the distance between the enrolled and the authenticated biometric features and compares it with a predetermined threshold. However, revealed distances are known to enable hill-climbing attacks [19], in which the attacker reconstructs the enrolled biometric feature by observing how the distance changes over multiple authentication trials.

In ACISP 2012, Shahandashti, Safavi-Naini, and Ogunbona [17] proposed a fingerprint matching scheme based on minutiae. Minutiae are feature points of fingerprints and are widely used for fingerprint matching. Their scheme uses polynomials that evaluate to 0 or 1 depending on whether the two input fingerprints correspond. Since the polynomials evaluate only to binary values, the scheme does not leak distances, and it hides the biometric features during authentication by means of homomorphic encryption. However, it requires the server to store the enrolled fingerprint itself (i.e., not an encrypted version).

Contributions of this Paper. The main contribution of this paper is a secure biometric authentication scheme that uses fingerprint minutiae. The proposed scheme is designed to hide the enrolled and authenticated minutiae and the distance between them, and to prevent impersonation. Minutiae are compared by their locations and orientations, which is the standard method used in [14, 17]. In the proposed scheme, enrolled minutiae are represented as polynomials that evaluate to 1 or to a random value depending on whether the input minutia is considered the same as the enrolled one. The scheme uses the modified Elgamal cryptosystem to evaluate the polynomials without leaking information about the minutiae or the distance [8, 17]. As in the previous schemes [1, 3, 4, 10, 11], a decryptor is employed in addition to the server and clients, and it manages the secret key of the homomorphic encryption scheme. Since the decryptor only decrypts and compares plaintexts, it can be implemented in a hardware security module (HSM), which makes the use of a decryptor realistic for the proposed scheme.

To analyze the security of the proposed scheme, we formally model secure biometric authentication schemes. The model generalizes the previous schemes [1, 3, 4, 10, 11] and the proposed one: three types of entities, the server, clients, and the decryptor, are employed. We formalize the following four security requirements: (a) hide biometric features from the server (which we call template protection against server), (b) hide biometric features from the decryptor (which we call template protection against decryptor), (c) prevent impersonation (which we call security for authentication), and (d) hide distances from the decryptor (which we call security against hill-climbing attacks). Requirements (a) and (c) are defined by generalizing the security definitions of Hirano et al. [11], while requirements (b) and (d) are new. We prove that the proposed scheme satisfies all four requirements under the decisional Diffie-Hellman (DDH) assumption, a standard cryptographic assumption.

Table 1. Comparison with previous schemes.

We compare the related works and our work in Table 1. Shahandashti et al.'s scheme [17] is run between a server and a client (no decryptor is involved) and hides the authenticated biometric features. Its template is the set of minutiae of the enrolled fingerprint itself and is not concealed, so it does not satisfy the template protection requirements; it does satisfy the other two notions. By employing a third party, our scheme protects both the enrolled and the authenticated biometric features as well as the distance between them. As mentioned above, Hirano et al.'s scheme [11] does not hide the distance from the decryptor. It also relies on a special homomorphic encryption scheme, introduced by Boneh et al. [2], that supports evaluation of 2-DNF formulas on ciphertexts.

2 Preliminaries

In this section, we describe preliminaries that are used in the proposed scheme.

2.1 Homomorphic Encryption Scheme

A homomorphic encryption scheme is a public key encryption scheme with a special property: from ciphertexts, a new ciphertext of the result of some operation on the underlying plaintexts can be generated without knowledge of the secret key. We focus on addition as the operation. That is, from two ciphertexts \(c_1 = \mathsf {Enc}(m_1)\) and \(c_2 = \mathsf {Enc}(m_2)\), a ciphertext of \(m_1 + m_2\) is computable. Such schemes are called additively homomorphic encryption schemes.

We utilize the modified (or lifted) Elgamal cryptosystem [7] in the proposed scheme. The modified Elgamal cryptosystem is an additive homomorphic encryption scheme where algorithms \((\mathsf {Gen}, \mathsf {Enc}, \mathsf {Dec})\) run as follows:

  • \(( pk , sk ) :=((p, g, y), (g, x)) \leftarrow \mathsf {Gen}(1^\kappa )\) where G is a group of prime order p, g is a generator of G, \(x \in \mathbb {Z}_p\), and \(y :=g^x\).

  • \((c_1, c_2) :=(g^r, y^r g^m) \leftarrow \mathsf {Enc}( pk , m)\) where message m is in \(\mathbb {Z}_p\) and \(r \in \mathbb {Z}_p\) is chosen randomly.

  • \(m' :=\log _{g} c_2/c_1^x = \mathsf {Dec}( sk , (c_1, c_2))\).

To split \(\mathsf {Dec}\) into two subalgorithms, we define \(\mathsf {Dec}_1(x, (c_1, c_2)) :=c_2/c_1^x\) and \(\mathsf {Dec}_2(g, z) :=\log _{g} z\). Clearly \(\mathsf {Dec}( sk , (c_1, c_2)) = \mathsf {Dec}_2(g, \mathsf {Dec}_1(x, (c_1, c_2)))\) holds. The first algorithm \(\mathsf {Dec}_1\) is computable for any ciphertext, while the second, \(\mathsf {Dec}_2\), is not always feasible since it requires computing a discrete logarithm, which is assumed to be hard in general (it is feasible only when the plaintext is known to lie in a small range that can be searched exhaustively). In the proposed scheme, however, we only need to check whether the plaintext equals 0, which is feasible by checking whether the output of \(\mathsf {Dec}_1\) equals 1, the identity of G.

The modified Elgamal cryptosystem is IND-CPA secure under the decisional Diffie-Hellman (DDH) assumption, i.e., the assumption that the DDH problem in G is hard. The homomorphic property is easy to see: from two ciphertexts \(c = (c_1, c_2) \leftarrow \mathsf {Enc}(m)\) and \(c' = (c'_1, c'_2) \leftarrow \mathsf {Enc}(m')\), it holds that \(c {\cdot } c' :=(c_1 c'_1, c_2 c'_2) = (g^{r + r'}, y^{r + r'} g^{m + m'})\), which is a ciphertext of \(m+m'\) under randomness \(r + r'\).

This property extends to the evaluation of polynomials. An n-th degree polynomial F(X) can be written as \(F(X) = \sum _{i = 0}^{n} a_i \cdot X^i\). Applying the addition above repeatedly gives scalar multiplication by a known constant, \(\mathsf {Enc}(m)^e = \mathsf {Enc}(e \cdot m)\), and in particular \(\mathsf {Enc}(a_i \cdot x^i) = \mathsf {Enc}(a_i)^{x^i}\) for any x, i, and \(a_i\). Therefore, from the encrypted coefficients \(\mathsf {Enc}(a_0), \cdots , \mathsf {Enc}(a_n)\) and any x, a ciphertext of F(x) is computable without the secret key by multiplying the \(\mathsf {Enc}(a_i \cdot x^i)\) for every i, since \(\mathsf {Enc}(F(x)) = \mathsf {Enc}( \sum _{i = 0}^{n} a_i \cdot x^i ) = \prod _{i = 0}^{n} \mathsf {Enc}( a_i \cdot x^i )\). Note that the party evaluating the polynomial learns nothing about the coefficients, but it knows the evaluation point x in the clear.

2.2 Biometric Authentication and Fingerprint Minutiae

Biometric authentication is a technique that uses biometric characteristics such as fingerprints for authenticating individuals. Two biometric features extracted from the same biometric characteristic are, in most cases, different but close in some metric. Therefore, to verify if two biometric features are derived from the same individual, it is sufficient to check if they are close under that metric.

A client who wants to enroll extracts a biometric feature from his biometric characteristic using a device such as a sensor or camera. The server stores a template generated from that biometric feature. To be authenticated, the client extracts a biometric feature again. The server then estimates the distance between the biometric feature to be authenticated and the enrolled biometric feature stored in the template, to check whether they originate from the same biometric characteristic.

A fingerprint contains a number of ridges. Some of them end abruptly (ridge endings), and others split into two ridges (ridge bifurcations). Feature points such as ridge endings and ridge bifurcations are called minutiae. In general, a minutia is represented by its location (x, y) and orientation t. The minutia type (ridge ending or ridge bifurcation) is also used in some cases. We assume that the coordinate system is aligned every time a biometric characteristic is captured. We refer the reader to [14] and its references for information on pre-alignment techniques.

In authenticating an individual with minutiae, a set of minutiae is extracted from the fingerprint. Two fingerprints are considered to match if they have more than a threshold number of pairs of corresponding minutiae.

Two minutiae are said to correspond if their locations and orientations are close enough. That is, two minutiae \(((x, y), t)\) and \(((x', y'), t')\) correspond if both \( d_2 ((x,y), (x', y')) :=\sqrt{(x-x')^2 + (y-y')^2} \le \varDelta _d\) and \( d_1 (t,t') :=| t-t' | \le \varDelta _t\) hold, where \(\varDelta _d\) and \(\varDelta _t\) are predetermined thresholds and \(d_1\) and \(d_2\) are the Euclidean distances in one and two dimensions, respectively (note that orientations are compared by plain absolute difference, without wrap-around). In this paper, locations and orientations are assumed to be represented by integers.

3 Secure Biometric Authentication Schemes

We provide formal definitions of the secure biometric authentication scheme in this section. First, the components and procedures of the scheme are explained. After that, we define its security in accordance with Hirano et al.’s definition [11].

3.1 Algorithms and Procedures

There are three kinds of entities, a server, clients, and a decryptor, in the model of a secure biometric authentication scheme. A client uses his own biometric feature to enroll or authenticate himself; clients are not required to hold any secret other than their own biometric characteristics. The enrolled information is stored by the server. Authentication is performed with the aid of the decryptor, which holds the secret key. The server decides the authentication result according to whether the enrolled and authenticated biometric features are considered to originate from the same biometric characteristic.

The procedures of the secure biometric authentication scheme include three phases, setup, enrollment, and authentication. The setup phase is done only once, and afterward the enrollment phase and the authentication phase are executed repeatedly by the clients in an arbitrary order. We now describe the procedures of each phase in detail (Fig. 1).

Fig. 1. Algorithms and procedures of secure biometric authentication scheme.

In the setup phase, the decryptor executes the setup algorithm. It takes as input the security parameter and a tuple of parameters, which includes the metric used to evaluate distances and the acceptance thresholds, and generates a public parameter and a secret key. The public parameter is published, while the secret key is kept secret from the other entities.

In the enrollment phase, a client who wants to register with the system runs the pseudonymous identifier encoder (PIE). It generates a protected template from the client's biometric feature. The protected template is sent to the server. The server assigns identification data to the client, and the client is informed of it. The protected template is stored by the server together with the identification data. Depending on the application, the identification data may instead be chosen by the client, who then notifies the server of it.

At the beginning of the authentication phase, a client who wants to be authenticated by the server presents his/her identification data to the server. The server selects the protected template associated with the identification data and interacts with the client through the pseudonymous identifier recoder (PIR) (for simplicity, we divide the PIR into three algorithms in the definition below). Finally, the server sends a verification query to the decryptor, which runs the pseudonymous identifier comparator (PIC) with its secret key to determine the authentication result.

As mentioned in Sect. 2.2, the PIE and the PIR take as input a pre-aligned biometric feature extracted from a biometric characteristic. In Fig. 1, we denote the feature extraction algorithm by \(\mathsf {FE}\). This algorithm captures a biometric characteristic and outputs an appropriately aligned biometric feature. Since pre-alignment is outside the scope of the secure biometric authentication scheme, the feature extraction algorithm is not included in the tuple of algorithms defining the scheme.

The secure biometric authentication scheme is defined as follows. Note that the previous schemes [1, 3, 4, 10, 11] can be adapted to the formalization.

Definition 1

A secure biometric authentication scheme is a tuple of six algorithms \((\mathsf {SU}, \mathsf {PIE}, \mathsf {PIR}_{S,1}, \mathsf {PIR}_C, \mathsf {PIR}_{S,2}, \mathsf {PIC})\) that satisfy the following:

  • \(( pp , sk ) \leftarrow \mathsf {SU}(1^\kappa , param )\) on input security parameter \(\kappa \) and parameter \( param \), outputs public parameter \( pp \) and secret key \( sk \).

  • \( PT \leftarrow \mathsf {PIE}( pp , BF )\) on input public parameter \( pp \) and biometric feature \( BF \), outputs protected template \( PT \).

  • \(( CH , AD ) \leftarrow \mathsf {PIR}_{S,1}( pp , PT )\) on input public parameter \( pp \) and protected template \( PT \), outputs challenge \( CH \) and auxiliary data \( AD \).

  • \( AQ \leftarrow \mathsf {PIR}_C( pp , BF , CH )\) on input public parameter \( pp \), biometric feature \( BF \), and challenge \( CH \), outputs authentication query \( AQ \).

  • \( VQ \leftarrow \mathsf {PIR}_{S,2}( pp , AQ , AD )\) on input public parameter \( pp \), authentication query \( AQ \), and auxiliary data \( AD \), outputs verification query \( VQ \).

  • \( res \leftarrow \mathsf {PIC}( sk , VQ )\) on input secret key \( sk \) and verification query \( VQ \), outputs authentication result \( res \in \{ Accept , Reject \}\).

When it is obvious from the context, we omit \( pp \) from the input of the algorithms.

For \(( pp , sk ) \leftarrow \mathsf {SU}(1^\kappa , param )\) and two biometric features \( BF _e\) and \( BF _a\), let \(( CH , AD ) \leftarrow \mathsf {PIR}_{S,1}(\mathsf {PIE}( BF _e))\), \( AQ \leftarrow \mathsf {PIR}_C( BF _a, CH )\), \( VQ \leftarrow \mathsf {PIR}_{S,2}( pp , AQ , AD )\), and \( res \leftarrow \mathsf {PIC}( sk , VQ )\). For correctness, we require that if \( BF _e\) and \( BF _a\) are extracted from the same biometric characteristic (which, by the assumption of Sect. 2.2, means they are close under the metric in \( param \)), then \( res = Accept \) holds, and otherwise \( res = Reject \).

3.2 Security

Adversarial clients may try to impersonate a legitimate user while an adversarial server and decryptor aim to obtain some information about the enrolled biometric features. We define these properties under the proposed framework described in the previous section. Note that the decryptor is assumed not to collude with any other entity. We formalize the following four security requirements: (a) hide biometric features from the server (which we call template protection against server), (b) hide biometric features from the decryptor (template protection against decryptor), (c) prevent impersonation (security for authentication), and (d) hide the distances between the enrolled and authenticated biometric features from the decryptor (security against hill-climbing attacks).

Hirano et al. [11] defined security that is specific to their scheme in the semi-honest model where the adversary is considered to corrupt some clients. We follow the definition of [11] about requirements (a) and (c) but we slightly modify the definitions to make them applicable to the proposed framework.

The major difference between the definitions in [11] and ours is that we consider security against an adversarial decryptor. Since the decryptor possesses the secret key, it is so powerful in the proposed framework that in some schemes (e.g., [11]) it can even obtain the biometric feature itself by mounting a hill-climbing attack. To capture such attacks by the decryptor, we newly define requirements (b) and (d). Requirement (b) is defined in the semi-honest model, similar to the definition of requirement (a). Requirement (d), on the other hand, is defined as the inability of the decryptor to obtain any information other than the authentication results.

Note that the definitions of requirements (a), (b), and (c) are in the semi-honest model similar to the definitions in [11] while we consider malicious adversaries in the definition of requirement (d). Below, let \((\mathsf {SU}, \mathsf {PIE}, \mathsf {PIR}_{S,1}, \mathsf {PIR}_C, \mathsf {PIR}_{S,2}, \mathsf {PIC})\) be a tuple that satisfies Definition 1.

Template protection against server. This security requirement captures an adversarial server that holds templates and receives authentication queries from clients and tries to obtain the enrolled biometric features. We introduce a security game between challenger \(\mathcal {C}\) and attacker \(\mathcal {A}\) as follows (Fig. 2).

Fig. 2. Game for template protection against server.

  • Setup: \(\mathcal {C}\) runs the setup algorithm to obtain \(( pp , sk )\) and chooses bit \(\beta \) randomly. \( pp \) is sent to \(\mathcal {A}\).

  • Enrollment: As for the i-th query, \(\mathcal {A}\) chooses and sends two biometric features \( BF _{i,0}\) and \( BF _{i,1}\) to \(\mathcal {C}\). \(\mathcal {C}\) runs \( PT _{i,0} \leftarrow \mathsf {PIE}( BF _{i,0})\) and \( PT _{i,1} \leftarrow \mathsf {PIE}( BF _{i,1})\) and selects two identification data \( ID _{i,0}\) and \( ID _{i,1}\) from \(\mathcal {ID}\). \(\mathcal {C}\) stores two pairs \(( PT _{i,0}, ID _{i,0})\) and \(( PT _{i,1}, ID _{i,1})\) and returns \(( PT _{i,\beta }, ID _{i,\beta })\) to \(\mathcal {A}\).

  • Authentication: For identification data \( ID _i\) from \(\mathcal {A}\), \(\mathcal {C}\) executes \(( CH _{i,0}, AD _{i,0}) \leftarrow \mathsf {PIR}_{S,1}( PT _{i,0})\) and \(( CH _{i,1}, AD _{i,1}) \leftarrow \mathsf {PIR}_{S,1}( PT _{i,1})\). Given \( CH _{i,\beta }\) from \(\mathcal {C}\), \(\mathcal {A}\) chooses and sends to \(\mathcal {C}\) two biometric features \( BF '_{i,0}\) and \( BF '_{i,1}\). Then, for each \(b \in \{0,1\}\), \(\mathcal {C}\) runs \( AQ _{i,b} \leftarrow \mathsf {PIR}_C( BF '_{i,b}, CH _{i,b})\), \( VQ _{i,b} \leftarrow \mathsf {PIR}_{S,2}( AQ _{i,b}, AD _{i,b})\), and \( res _{i,b} \leftarrow \mathsf {PIC}( VQ _{i,b})\), sequentially. \(\mathcal {C}\) returns \(( AQ _{i,\beta }, res _{i,\beta })\) to \(\mathcal {A}\) if \( res _{i,0} = res _{i,1}\) and \(\bot \) otherwise (if the two results differed, the result alone would reveal \(\beta \)).

  • Output: Finally, \(\mathcal {A}\) outputs \(\beta ^*\).

Note that the enrollment and authentication phases can be repeated in an arbitrary order.

The advantage of \(\mathcal {A}\) is defined as \(\mathsf {Adv}^{\mathsf {TP,S}}_{\mathcal {A}} (\kappa ) :=\left| \Pr [\beta = \beta ^*] - 1/2 \right|\). With this advantage, the security property is defined as follows.

Definition 2

We say that a biometric authentication scheme satisfies template protection against server if for any PPT \(\mathcal {A}\), \(\mathsf {Adv}^{\mathsf {TP,S}}_{\mathcal {A}} (\kappa ) \le negl (\kappa )\).

Template protection against decryptor. As in Fig. 3, to capture an adversarial decryptor obtaining enrolled biometric features, we slightly modify the game for template protection against server.

Fig. 3. Game for template protection against decryptor.

Definition 3

We say that a biometric authentication scheme satisfies template protection against decryptor if for any PPT \(\mathcal {A}\), \(\mathsf {Adv}^{\mathsf {TP,D}}_{\mathcal {A}} (\kappa ) \le negl (\kappa )\).

Security for authentication. To capture an illegitimate client generating a valid authentication query, we define the following game (Fig. 4).

Fig. 4. Game for security for authentication.

  • Setup: \(\mathcal {C}\) runs the setup algorithm to obtain \(( pp , sk )\), and \( pp \) is sent to \(\mathcal {A}\).

  • Enrollment: On the i-th request from \(\mathcal {A}\), \(\mathcal {C}\) chooses a biometric characteristic \(\mathbb {B}_i\), extracts a biometric feature \( BF _i \leftarrow \mathbb {B}_i\), and runs \( PT _i \leftarrow \mathsf {PIE}( BF _i)\). Also, \(\mathcal {C}\) chooses identification data \( ID _i \in \mathcal {ID}\). Then, \(\mathcal {C}\) stores the pair \(( PT _i, ID _i)\) and also returns it to \(\mathcal {A}\).

  • Authentication: For identification data \( ID _i\) from \(\mathcal {A}\), \(\mathcal {C}\) extracts a biometric feature from the i-th biometric characteristic \( BF '_i \leftarrow \mathbb {B}_i\). With the protected template \( PT _i\) that is stored with \( ID _i\), \(\mathcal {C}\) executes \(( CH _i, AD _i) \leftarrow \mathsf {PIR}_{S,1}( PT _i)\), \( AQ _i \leftarrow \mathsf {PIR}_C( BF '_i, CH _i)\), \( VQ _i \leftarrow \mathsf {PIR}_{S,2}( AQ _i, AD _i)\), and \( res _i \leftarrow \mathsf {PIC}( VQ _i)\), sequentially, and returns \(( CH _i, AQ _i, res _i)\) to \(\mathcal {A}\).

  • Output: For identification data \( ID _i\) from \(\mathcal {A}\), \(\mathcal {C}\) executes \(( CH ^*, AD ^*) \leftarrow \mathsf {PIR}_{S,1}( PT _i)\) and returns \( CH ^*\). Finally, \(\mathcal {A}\) outputs \( AQ ^*\).

Note that the enrollment and authentication phases can be repeated in an arbitrary order.

The advantage of \(\mathcal {A}\) is defined as \(\mathsf {Adv}^{\mathsf {Auth}}_{\mathcal {A}} (\kappa ) :=\Pr [\mathsf {PIC}(\mathsf {PIR}_{S,2}( AQ ^*, AD ^*)) = Accept ]\). With this advantage, security for authentication is defined as follows.

Definition 4

We say that a biometric authentication scheme is secure in the sense of authentication if for any PPT \(\mathcal {A}\), \(\mathsf {Adv}^{\mathsf {Auth}}_{\mathcal {A}} (\kappa ) \le negl (\kappa )\).

Security against hill-climbing attacks. It is preferable that the decryptor obtains as little information as possible. For example, the distance between a queried biometric feature and the enrolled one is useful for guessing the enrolled feature. Such guessing attacks are called hill-climbing attacks [19]. In such an attack, the attacker issues two queries and learns the distances between the queried biometric features and the enrolled one. From the distances, the attacker learns which query is nearer to the enrolled feature. By repeating this step, the attacker converges on an accepted query in far fewer trials than blind guessing would require. Therefore, it is preferable that a scheme gives the decryptor no information other than the authentication result (acceptance or rejection). We define the following game (Fig. 5).

Fig. 5. Game for security against hill-climbing attacks.

  • Setup: \(\mathcal {C}\) runs the setup algorithm to obtain \(( pp , sk )\) and chooses \(\beta \in \{ 0,1 \}\) randomly. \(( pp , sk )\) is sent to \(\mathcal {A}\).

  • Enrollment: On the i-th request from \(\mathcal {A}\) for biometric feature \( BF _i\), \(\mathcal {C}\) runs \( PT _i \leftarrow \mathsf {PIE}( pp , BF _i)\) and chooses identification data \( ID _i \in \mathcal {ID}\). \(\mathcal {C}\) stores the pair \(( PT _i, ID _i)\) and returns \( ID _{i}\) to \(\mathcal {A}\).

  • Authentication: For identification data \( ID _i\) from \(\mathcal {A}\), \(\mathcal {C}\) executes \(( CH _{i}, AD _{i}) \leftarrow \mathsf {PIR}_{S,1}( PT _{i})\) where \( PT _{i}\) is the protected template stored with \( ID _i\). Given \( CH _{i}\), \(\mathcal {A}\) chooses and sends to \(\mathcal {C}\) an authentication query \( AQ _{i}\). Then, \(\mathcal {C}\) runs \( VQ _{i} \leftarrow \mathsf {PIR}_{S,2}( AQ _{i}, AD _{i})\) and returns \( VQ _i\) to \(\mathcal {A}\).

  • Output: For identification data \( ID _i\) and two biometric features \( BF ^*_0\) and \( BF ^*_1\) from \(\mathcal {A}\), \(\mathcal {C}\) executes \(( CH ^*, AD ^*) \leftarrow \mathsf {PIR}_{S,1}( PT _i)\), \( AQ _0^* \leftarrow \mathsf {PIR}_C( BF ^*_0, CH ^*)\), \( AQ _1^* \leftarrow \mathsf {PIR}_C( BF ^*_1, CH ^*)\), \( VQ _0^* \leftarrow \mathsf {PIR}_{S,2}( AQ _0^*, AD ^*)\), \( VQ _1^* \leftarrow \mathsf {PIR}_{S,2}( AQ _1^*, AD ^*)\), \( res _0^* \leftarrow \mathsf {PIC}( VQ _0^*)\), and \( res _1^* \leftarrow \mathsf {PIC}( VQ _1^*)\), sequentially. Then, \(\mathcal {C}\) returns \( VQ _{\beta }^*\) (with the bit \(\beta \) chosen in the setup phase) to \(\mathcal {A}\) if \( res _{0}^* = res _1^*\) and returns \(\bot \) otherwise. Finally, \(\mathcal {A}\) outputs \(\beta ^*\).

Note that the enrollment and authentication phases can be repeated in an arbitrary order.

The advantage of \(\mathcal {A}\) is defined as \(\mathsf {Adv}^{\mathsf {Dist}}_{\mathcal {A}} (\kappa ) :=\left| \Pr [\beta = \beta ^*] - 1/2 \right|\). With this advantage, security against hill-climbing attacks is defined as follows.

Definition 5

We say that a biometric authentication scheme is secure against hill-climbing attacks if for any PPT \(\mathcal {A}\), \(\mathsf {Adv}^{\mathsf {Dist}}_{\mathcal {A}} (\kappa ) \le negl (\kappa )\).
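To make the hill-climbing attack motivating Definition 5 concrete, the following Python simulation is added here (it is not from the paper). It pits an attacker against a decryptor that reveals the distance of each query, as in the distance-comparing schemes of Sect. 1, and against one that, as requirement (d) demands, reveals only Accept or Reject. The 1024 x 1024 location domain, the threshold \(\varDelta _d = 8\), the enrolled location and the ternary-search strategy are all constructed for this example; only the two-dimensional location of a single minutia is attacked, orientation is ignored.

```python
import math

GRID = 1024            # constructed toy domain: minutia locations in [0, GRID)^2
DELTA_D = 8            # acceptance threshold Delta_d

def make_oracles(enrolled):
    """Two views of the same comparison: 'leaky' is what a decryptor that computes the
    distance sees; 'binary' is all that requirement (d) allows it to learn."""
    ex, ey = enrolled
    def leaky(q):
        d = math.hypot(q[0] - ex, q[1] - ey)
        return d <= DELTA_D, d
    def binary(q):
        return leaky(q)[0]
    return leaky, binary

def locate_axis(leaky, axis, other, lo, hi):
    """Ternary search for the distance minimum along one axis.  Only 'which of two
    queries is nearer' is used, exactly the information hill-climbing needs."""
    point = (lambda v: (v, other)) if axis == 0 else (lambda v: (other, v))
    queries = 0
    while hi - lo > 2:
        m1, m2 = lo + (hi - lo) // 3, hi - (hi - lo) // 3
        queries += 2
        if leaky(point(m1))[1] < leaky(point(m2))[1]:
            hi = m2                 # the minimum lies in [lo, m2]
        else:
            lo = m1                 # the minimum lies in [m1, hi]
    queries += hi - lo + 1
    return min(range(lo, hi + 1), key=lambda v: leaky(point(v))[1]), queries

def hill_climb(leaky):
    """Recover an accepted location from a distance-revealing oracle; returns
    (location, accepted?, number of queries)."""
    ex, qx = locate_axis(leaky, 0, 0, 0, GRID - 1)     # x first, with y pinned to 0
    ey, qy = locate_axis(leaky, 1, ex, 0, GRID - 1)    # then y along the found column
    accepted, _ = leaky((ex, ey))
    return (ex, ey), accepted, qx + qy + 1

def blind_search(binary):
    """With Accept/Reject only there is no gradient: probe a lattice spaced Delta_d apart
    (every disc of radius Delta_d contains a lattice point) until a probe is accepted."""
    queries = 0
    for y in range(DELTA_D // 2, GRID, DELTA_D):
        for x in range(DELTA_D // 2, GRID, DELTA_D):
            queries += 1
            if binary((x, y)):
                return (x, y), queries
    return None, queries

if __name__ == "__main__":
    leaky, binary = make_oracles((700, 300))           # constructed enrolled location
    print("distance revealed :", hill_climb(leaky))
    print("accept/reject only:", blind_search(binary))
```

Against the distance oracle the attacker recovers the exact enrolled location in about 70 queries (two ternary searches over 1024 positions), whereas with Accept/Reject alone it needs on the order of \((\mathrm{GRID}/\varDelta _d)^2\) probes, several thousand here, and the cost grows with the number of coordinates and minutiae. This gap is what requirement (d) protects, and it also shows why the decryptor in a scheme that computes distances must be trusted far more than one that only sees a zero/non-zero plaintext.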

4 Proposed Scheme

We propose a secure biometric authentication scheme that uses fingerprint minutiae; that is, the biometric features handled by the scheme are sets of minutiae. Acceptance is decided by the closeness of minutiae as explained in Sect. 2.2. Note that the scheme is easily extended to also take minutia types into account.

4.1 Construction

Here, we propose a secure biometric authentication scheme. Prior to the in-depth description, we give an outline of the scheme.

In the enrollment phase, two polynomials are generated in accordance with the location and orientation of each minutia in the enrolled fingerprint. The polynomials are generated to satisfy the following condition: if a minutia that is close to the enrolled minutia is input into the polynomials, both of them result in 1. The template is a tuple of encrypted coefficients of the polynomials.

Later in the authentication phase, the polynomials are evaluated for every minutia of the fingerprint to be authenticated in the ciphertext domain. Then, the decryptor with the secret key checks to find out if the evaluated values of polynomials are 1 to determine if the authenticated minutia and the enrolled minutia are close enough to be corresponding minutiae.

As explained above, the proposed scheme proceeds in the same way for every pair of minutiae in the enrolled and authenticated fingerprints. Therefore, for simplicity, we explain the proposed scheme for matching a pair of minutiae. By just doing the same for every minutia pair, it is easy to extend the scheme to deal with fingerprints that consist of multiple minutiae.

Now we describe the algorithms of the proposed scheme \((\mathsf {SU}, \mathsf {PIE}, \mathsf {PIR}_{S,1}, \mathsf {PIR}_C, \mathsf {PIR}_{S,2}, \mathsf {PIC})\). In the following algorithms, \(\mathsf {PKE}=(\mathsf {Gen}, \mathsf {Enc}, \mathsf {Dec})\) represents the modified Elgamal cryptosystem of which the plaintext domain is denoted by \(\mathbb {Z}_p\). For simplicity, the homomorphic operations are described as \(\mathsf {Enc}(m_1+m_2) = \mathsf {Enc}(m_1) \mathsf {Enc}(m_2)\) and \(\mathsf {Enc}(m)^i = \mathsf {Enc}(im)\). In addition, we define a ciphertext transformation function \(\mathsf {Trans}\) by \(\mathsf {Trans}(r; (c_1, c_2)) = (c_1^r, c_2)\) where \(r \in \mathbb {Z}_p\) and \((c_1, c_2)\) is a ciphertext. Informally, without r, the decryptor cannot decrypt the transformed ciphertexts. It is easy to see that the additive homomorphic property also holds for transformed ciphertexts.

  • \(\mathsf {SU}(1^\kappa , param )\) where \( param \) includes the thresholds \(\varDelta _d\) and \(\varDelta _t\):

    1. Generates a public/secret key pair of the homomorphic encryption scheme as \(( pk , sk ) \leftarrow \mathsf {Gen}(1^\kappa )\).

    2. Outputs public parameter \( pp :=( pk , param )\) and the secret key \( sk \).

  • \(\mathsf {PIE}( BF =((x,y),t ))\):

    1. Generates two polynomials

      $$\begin{aligned} F(X,Y)= & {} \sum _{i} \sum _{j} a_{i,j} \cdot X^i \cdot Y^j\text {, and} \end{aligned}$$
      (1)
      $$\begin{aligned} G(T)= & {} \sum _{k} b_{k} \cdot T^k \end{aligned}$$
      (2)

      that satisfy \(F(X,Y) = 1\) if \(d_2((X,Y),(x,y)) \le \varDelta _d\) and \(G(T) = 1\) if \(d_1 (T,t) \le \varDelta _t\) (the details of the polynomials, including the ranges of i, j, and k, are provided below).

    2. Encrypts \(A_{i,j} \leftarrow \mathsf {Enc}(a_{i,j})\) and \(B_{k} \leftarrow \mathsf {Enc}(b_{k})\), and outputs the protected template \( PT :=\left( \{ A_{i,j} \}_{i,j}, \{ B_{k} \}_k \right) \).

  • \(\mathsf {PIR}_{S,1}( PT = \left( \{ A_{i,j} \}_{i,j} , \{ B_{k} \}_k \right) )\):

    1. Chooses \(r_{F}\), \(r_{G}\), and r randomly from \(\mathbb {Z}_p\) (all nonzero; in particular \(1/r\) is needed in \(\mathsf {PIR}_{S,2}\)) and computes \(A'_{i,j} :=\mathsf {Trans}(r;A_{i,j}^{r_{F}})\) and \(B'_{k} :=\mathsf {Trans}(r; B_{k}^{r_{G}})\) for every i, j, and k.

    2. Encrypts \(R \leftarrow \mathsf {Enc}(- r_{F} - r_{G})\).

    3. Sets \( CH :=( \{ A'_{i,j} \}_{i,j}, \{ B'_{k} \}_{k} )\) and \( AD :=(R, r)\) and outputs \(( CH , AD )\).

  • \(\mathsf {PIR}_C( CH = ( \{ A'_{i,j} \}_{i,j} , \{ B'_{k} \}_{k}), BF ^* = (( x^*, y^* ), t^* ))\):

    1. Outputs \( AQ :=\prod _i \prod _j \left( A'^{(x^*)^i (y^*)^j}_{i,j} \right) \cdot \prod _k B'^{(t^*)^k}_{k}\).

  • \(\mathsf {PIR}_{S,2}( AQ , AD = (R, r))\):

    1. Chooses a nonzero \(r' \in \mathbb {Z}_p\) randomly (with \(r' = 0\), every verification query would be a ciphertext of 0 and thus accepted) and outputs \( VQ :=(\mathsf {Trans}(1/r; AQ ) \cdot R)^{r'}\).

  • \(\mathsf {PIC}( VQ )\):

    1. If \(\mathsf {Dec}_1( VQ ) = 1\) then outputs \( Accept \); otherwise outputs \( Reject \).

Before explaining the details of the construction of the polynomials, let us confirm the correctness of the proposed scheme. Since \( A'_{i,j} = (\mathsf {Enc}(a_{i,j}) )^{r_F} = \mathsf {Enc}(r_F \cdot a_{i,j})\) and \( B'_k = (\mathsf {Enc}(b_k))^{r_G} = \mathsf {Enc}(r_G \cdot b_k)\) hold for any i, j, and k (up to the transformation by r), the challenge from the server is a tuple of encrypted coefficients of the randomized polynomials \(F'(X,Y) = r_F \cdot F(X,Y) = \sum _{i} \sum _{j} (r_F \cdot a_{i,j}) \cdot X^i \cdot Y^j\) and \(G'(T) = r_G \cdot G(T) = \sum _{k} (r_G \cdot b_{k}) \cdot T^k\). They satisfy \(F'(X,Y) = r_F\) and \(G'(T) = r_G\) if the minutiae \(((x,y), t)\) and \(((X,Y), T)\) correspond. The authentication query is a ciphertext of the sum of the values of the polynomials evaluated at the authenticated minutia, as

$$\begin{aligned} \mathsf {Trans}(1/r; AQ )= & {} \prod _i \prod _j \mathsf {Enc}(r_F \cdot a_{i,j})^{(x^*)^i (y^*)^j} \cdot \prod _k \mathsf {Enc}(r_G \cdot b_k)^{(t^*)^k} \\= & {} \mathsf {Enc}\left( F'(x^*,y^*) + G'(t^*) \right) . \end{aligned}$$

Therefore, the verification query computed by the server is

$$\begin{aligned} VQ= & {} \left( \mathsf {Enc}\left( F'(x^*,y^*) + G'(t^*) \right) \cdot \mathsf {Enc}\left( - r_{F} - r_{G} \right) \right) ^{r'} \\= & {} \mathsf {Enc}\left( r' \left( r_{F} \left( F(x^*,y^*) - 1 \right) + r_G \left( G(t^*) - 1 \right) \right) \right) . \end{aligned}$$

Thus, if the enrolled and authenticated minutiae correspond, \( VQ \) is a ciphertext of 0, that is, \(\mathsf {Dec}_1( VQ ) = 1\) holds.

Description of polynomials. In the above scheme, the polynomials F(X,Y) and G(T) that satisfy \(F(X,Y) = 1\) if \(d_2((X,Y),(x,y)) \le \varDelta _d\) and \(G(T) = 1\) if \(d_1 (T,t) \le \varDelta _t\), respectively, are generated from the enrolled minutia \(\{ ((x,y),t) \}\). Such polynomials can be constructed as

$$\begin{aligned} F(X,Y)= & {} R_F \prod _{\ell \in L} \left\{ (X-x)^2 + (Y - y)^2 - \ell \right\} + 1\text {, and} \end{aligned}$$
(3)
$$\begin{aligned} G(T)= & {} R_G \prod _{\ell = - \varDelta _t}^{\varDelta _t} \left\{ (T - t) - \ell \right\} + 1, \end{aligned}$$
(4)

where \(R_F\) and \(R_G\) are chosen at random and the set \(L :=\{ d^2_2((X,Y),(X', Y')) \le \varDelta _d^2 \mid X,X',Y,Y' \in \mathbb {Z}\}\) consists of the possible values of the squared Euclidean distance that do not exceed the squared threshold \(\varDelta _d^2\). In the above scheme, the functions are used in their expanded form \(F(X,Y) = \sum _{i=0}^{2|L|} \sum _{j=0}^{2|L|} a_{i,j} \cdot X^i \cdot Y^j\) and \(G(T)= \sum _{k=0}^{2\varDelta _t+1} b_{k} \cdot T^k\).

It is easy to see that they satisfy the required properties. \(F(X, Y) - 1 = R_F \prod _{\ell \in L} \left\{ (X-x)^2 + (Y - y)^2 - \ell \right\} = 0\) holds for all (X,Y) that satisfy \(d_2^2((X,Y), (x,y)) = (X-x)^2 + (Y - y)^2 = \ell \) for some \(\ell \in L\). Likewise, \(G(T) - 1 = R_G \prod _{\ell = - \varDelta _t}^{\varDelta _t} \left\{ (T - t) - \ell \right\} = 0\) holds for all T that satisfy \(d_1(T, t) = T - t = \ell \) for some \(\ell \in \{ -\varDelta _t, \cdots , \varDelta _t\}\).

Recall that all locations are integers; hence the set L is a proper subset of \(\{ 0, 1, \cdots , \varDelta _d^2 \}\). For example, no tuple \((X,X',Y,Y')\) satisfies \(d^2_2((X,Y),(X', Y')) = 3\), and therefore \(3 \notin L\). The set L is determined by \(\varDelta _d\); for example, \(L = \{0,1,2,4,5,8,9,10,13,16,17,18,20,25 \} \) when \(\varDelta _d= 5\). The number of terms in the derived polynomial F is computed to be \(2 |L|^2 + 3 |L| + 1\).
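The algorithms \(\mathsf {SU}, \mathsf {PIE}, \mathsf {PIR}_{S,1}, \mathsf {PIR}_C, \mathsf {PIR}_{S,2}, \mathsf {PIC}\), the correctness argument, and the polynomial construction of Eqs. (3) and (4), as an added worked example that is not part of the paper and not code from its authors: a toy Python implementation of one full enrolment and authentication run. Plain exponential ElGamal in the order-q subgroup of \(\mathbb {Z}_P^*\) for a 48-bit safe prime \(P = 2q+1\) stands in for the modified Elgamal cryptosystem [7], so the plaintext domain written \(\mathbb {Z}_p\) in the paper is \(\mathbb {Z}_q\) here, and \(\mathsf {Dec}_1\) is realised as the zero test \(c_2 \cdot c_1^{-sk} = 1\). The function names, the dictionary representation of polynomials, the decision to encrypt every monomial of total degree at most \(2|L|\) (zero coefficients included, which gives exactly the \(2|L|^2 + 3|L| + 1\) coefficients counted above), and the sample minutiae are all assumptions of this example; \(d_1(T,t)\) is taken as the plain difference \(T - t\), exactly as in Eq. (4), with no angular wrap-around. The group size is for illustration only and offers no real security.

```python
# Added example (not the paper's code): toy run of the scheme of Sect. 4.  Exponential ElGamal in the
# order-q subgroup of Z_P^*, P = 2q + 1, stands in for the modified Elgamal cryptosystem; Z_q plays Z_p.
import secrets

def _is_prime(n):
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin, exact for n < 3.3e24
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

class PKE:
    def __init__(self, bits=48):
        q = (1 << bits) | 1   # deterministic safe-prime search: q and P = 2q + 1 both prime
        while not (_is_prime(q) and _is_prime(2 * q + 1)):
            q += 2
        self.q, self.P, self.g = q, 2 * q + 1, 4   # 4 = 2^2 generates the order-q subgroup
    def rand_exp(self):
        return secrets.randbelow(self.q - 1) + 1
    def gen(self):   # (pk, sk)
        sk = self.rand_exp()
        return pow(self.g, sk, self.P), sk
    def enc(self, pk, m):   # Enc(m) = (g^rho, g^m * pk^rho)
        rho = self.rand_exp()
        return (pow(self.g, rho, self.P), pow(self.g, m % self.q, self.P) * pow(pk, rho, self.P) % self.P)
    def mul(self, c, d):   # Enc(m1) * Enc(m2) = Enc(m1 + m2)
        return (c[0] * d[0] % self.P, c[1] * d[1] % self.P)
    def exp(self, c, i):   # Enc(m)^i = Enc(i * m)
        return (pow(c[0], i % self.q, self.P), pow(c[1], i % self.q, self.P))
    def trans(self, r, c):   # Trans(r; (c1, c2)) = (c1^r, c2)
        return (pow(c[0], r % self.q, self.P), c[1])
    def dec1(self, sk, c):   # Dec_1: returns g^m = c2 * c1^(-sk), which equals 1 iff m = 0
        return c[1] * pow(c[0], self.q - sk, self.P) % self.P

def distance_set(delta_d):   # L: squared distances between integer points, at most delta_d^2
    return sorted({a * a + b * b for a in range(delta_d + 1) for b in range(delta_d + 1)
                   if a * a + b * b <= delta_d * delta_d})

def poly_mul(f, g, q):   # polynomials stored as {(i, j): coefficient mod q}; univariate ones use j = 0
    out = {}
    for (i1, j1), c1 in f.items():
        for (i2, j2), c2 in g.items():
            out[(i1 + i2, j1 + j2)] = (out.get((i1 + i2, j1 + j2), 0) + c1 * c2) % q
    return out

def SU(pke, delta_d, delta_t):   # (pp, sk)
    pk, sk = pke.gen()
    return {"pk": pk, "delta_d": delta_d, "delta_t": delta_t}, sk
def PIE(pke, pp, bf):   # Eqs. (3)/(4): F = R_F prod((X-x)^2+(Y-y)^2-l) + 1, G = R_G prod((T-t)-l) + 1
    (x, y), t = bf
    q, L = pke.q, distance_set(pp["delta_d"])
    F, G = {(0, 0): 1}, {(0, 0): 1}
    for l in L:
        F = poly_mul(F, {(2, 0): 1, (1, 0): -2 * x % q, (0, 2): 1, (0, 1): -2 * y % q,
                         (0, 0): (x * x + y * y - l) % q}, q)
    for l in range(-pp["delta_t"], pp["delta_t"] + 1):
        G = poly_mul(G, {(1, 0): 1, (0, 0): (-t - l) % q}, q)
    RF, RG = pke.rand_exp(), pke.rand_exp()
    F = {k: v * RF % q for k, v in F.items()}
    G = {k: v * RG % q for k, v in G.items()}
    F[(0, 0)], G[(0, 0)] = (F[(0, 0)] + 1) % q, (G[(0, 0)] + 1) % q
    deg_f = 2 * len(L)   # encrypt every monomial of total degree <= 2|L|, zero coefficients included
    A = {(i, j): pke.enc(pp["pk"], F.get((i, j), 0))
         for i in range(deg_f + 1) for j in range(deg_f + 1 - i)}
    B = {k: pke.enc(pp["pk"], G.get((k, 0), 0)) for k in range(2 * pp["delta_t"] + 2)}
    return A, B   # protected template PT
def PIR_S1(pke, pp, PT):
    A, B = PT
    rF, rG, r = pke.rand_exp(), pke.rand_exp(), pke.rand_exp()
    CH = ({k: pke.trans(r, pke.exp(c, rF)) for k, c in A.items()},
          {k: pke.trans(r, pke.exp(c, rG)) for k, c in B.items()})
    return CH, (pke.enc(pp["pk"], -rF - rG), r)   # (CH, AD)
def PIR_C(pke, CH, bf_star):   # the client evaluates the blinded, encrypted polynomials at its minutia
    A1, B1 = CH
    (xs, ys), ts = bf_star
    AQ = (1, 1)   # multiplicative identity, i.e. Enc(0) with zero randomness
    for (i, j), c in A1.items():
        AQ = pke.mul(AQ, pke.exp(c, pow(xs, i, pke.q) * pow(ys, j, pke.q)))
    for k, c in B1.items():
        AQ = pke.mul(AQ, pke.exp(c, pow(ts, k, pke.q)))
    return AQ
def PIR_S2(pke, AQ, AD):   # VQ = (Trans(1/r; AQ) * R)^{r'}
    R, r = AD
    return pke.exp(pke.mul(pke.trans(pow(r, -1, pke.q), AQ), R), pke.rand_exp())
def PIC(pke, sk, VQ):
    return "Accept" if pke.dec1(sk, VQ) == 1 else "Reject"
def authenticate(pke, pp, sk, PT, bf_star):   # server -> client -> server -> decryptor
    CH, AD = PIR_S1(pke, pp, PT)
    return PIC(pke, sk, PIR_S2(pke, PIR_C(pke, CH, bf_star), AD))
```

With \(\varDelta _d = 5\) and \(\varDelta _t = 10\), enrolling the constructed minutia ((100, 200), 90) yields a template of 435 encrypted coefficients for F and 22 for G; the probe ((103, 204), 95) is accepted (squared distance 25, angle difference 5), while ((104, 204), 95) and ((103, 204), 101) are rejected. Only the decryptor holds sk; the server never sees a decryptable ciphertext of the template, and on a mismatch the verification query encrypts \(r'(r_F(F-1) + r_G(G-1))\), whose only property the decryptor can test is whether it is zero.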

4.2 Security

We show that the proposed scheme satisfies the security notions defined in Sect. 3.2. Detailed proofs are provided in Appendix A.

Template protection against server and template protection against decryptor. Under the IND-CPA security of the modified Elgamal cryptosystem, the proposed scheme can be proved to satisfy template protection against server and template protection against decryptor.

Theorem 1

Under the IND-CPA security of the modified Elgamal cryptosystem, the proposed scheme satisfies template protection against server.

Theorem 2

Under the IND-CPA security of the modified Elgamal cryptosystem, the proposed scheme satisfies template protection against decryptor.

Security for authentication. Under Assumption 1, we can prove Theorem 3.

Assumption 1

For any PPT algorithm \(\mathcal {A}\), it holds that

$$\begin{aligned} \Pr \left[ t = \mathsf {Dec}(t^*) \left| \begin{array}{l} ( pk , sk ) \leftarrow \mathsf {Gen}(1^\kappa ); s,t \leftarrow \{ 0,1 \}^\kappa ;\\ t^* \leftarrow \mathcal {A}( pk , \mathsf {Enc}(s), \mathsf {Enc}(st)); \end{array} \right. \right] \le negl (\kappa ). \end{aligned}$$

Theorem 3

Provided that the modified Elgamal cryptosystem satisfies Assumption 1, the proposed scheme satisfies security for authentication.

Security against hill-climbing attacks. In the authentication phase, the decryptor checks whether the decrypted value of the verification query equals 0; a value of 0 implies that the distance does not exceed the threshold. Non-zero values, which mean that the distance is greater than the threshold, are determined by the random values that the server chooses afresh in every authentication, so they look random to the decryptor. Therefore, the decryptor learns only the authentication result and cannot infer the distance.

Theorem 4

The proposed scheme satisfies security against hill-climbing attacks.

5 Conclusion

We have defined the model of secure biometric authentication. A third party called a decryptor is employed in our model in addition to the normal entities in biometric authentication. Also, we have formally defined its security by adapting the security definition provided by Hirano et al. [11] to our model.

In the defined model, we have proposed a scheme that hides biometric features from both the server and the decryptor. Moreover, no entity is able to obtain the distance between the enrolled and authenticated biometric features; therefore, the proposed scheme is resistant to hill-climbing attacks [19]. Since the operations of the decryptor, key generation and decryption, are light enough, they can be implemented in hardware security modules (HSMs). By utilizing the modified Elgamal cryptosystem [7], we have shown the security of the proposed scheme under the decisional Diffie-Hellman assumption.