Efficient Verifiable Computation of XOR for Biometric Authentication

Abstract

This work addresses the security and privacy issues in remote biometric authentication by proposing an efficient mechanism to verify the correctness of the outsourced computation in such protocols. In particular, we propose an efficient verifiable computation of XORing encrypted messages using an XOR linear message authentication code (MAC) and we employ the proposed scheme to build a biometric authentication protocol. The proposed authentication protocol is both secure and privacy-preserving against malicious (as opposed to honest-but-curious) adversaries. Specifically, the use of the verifiable computation scheme together with an homomorphic encryption protects the privacy of biometric templates against malicious adversaries. Furthermore, in order to achieve unlinkability of authentication attempts, while keeping a low communication overhead, we show how to apply Oblivious RAM and biohashing to our protocol. We also provide a proof of security for the proposed solution. Our simulation results show that the proposed authentication protocol is efficient.

A    Proof of Theorem 1

Proof

Let \(\varPi \) be the PPBA-HE-MAC protocol. The security of \(\varPi \) against a malicious adversary \(\mathcal {A}\) (i.e., \(\mathcal {CS}\)) is defined via the following game.

where \(\textsf {MAC}.K\) is the key space for the employed MAC. The adversary’s advantage is defined as \(\textsf {Adv}_{\varPi ,\mathcal {A}}^{\textsf {Priv}} = \big |2\Pr \{\textsf {Exp}_{\varPi ,\mathcal {A}}^\textsf {Priv}(\lambda ,\textsf {ID}_i)=1\} - 1\big |.\) If the advantage is \(\le \textsf {negl}(\lambda )\), we say that \(\varPi \) is secure (and preserves the privacy of biometric templates) against \(\mathcal {A}\).

The details of \(\textsf {Authen}\big (\textsf {ID}_i,\textsf {Enc}(b'_{i_\beta }),\textsf {Enc}(t'_{i_\beta })\big )\) are given below.

The proof is based on the following two hybrid games.

\(\mathbf{game}~0\) : This is the original game. Let \(S_0\) be the event that \(\beta '=\beta \).

\(\mathbf{game}~1\) : This is the same as \(\mathbf{game}~0\), except that now \(\mathcal {CS}\) always performs the correct computation. Let \(S_1\) be the event that \(\beta '=\beta \) in \(\mathbf{game}~1\).

Since providing a different index \(i'\) than the correct one i always results in \(\bot \) output, it does not help the adversary (i.e., the cloud) to win any of the games. So we assume that \(\mathcal {CS}\) always provides the correct index i.

Claim 1: \(|\Pr \{S_0\}-\Pr \{S_1\}|\) is negligible. This follows from the \(\epsilon \)-security of the MAC scheme. Precisely, the difference between the two games is that in game 0, \(\textsf {VRFY}(b_i\oplus b'_{i_\beta }, t_i\oplus t'_{i_\beta },\textsf {k}_i)==0\) if \(\mathcal {CS}\) does not perform the computation correctly, except for probability \(\epsilon \), while in game 1, that does not happen as it performs the computation correctly. So the difference between the winning probabilities in game 0 and game 1 is negligible.

Claim 2: The adversary has negligible advantage in \(\mathbf{game}~1\), i.e., \(\big |2\Pr \{S_1\}-1\big |\le \textsf {negl}(\lambda )\). This follows from the \(\textsf {IND-CPA}\)-security of the employed HE scheme. Since otherwise, we can use the adversary \(\mathcal {A}\) as a blackbox to construct another PPT adversary \(\mathcal {A}'\) that can win the \(\textsf {IND-CPA}\) game against the HE scheme with non-negligible probability in a straightforward fashion. More precisely, the adversary \(\mathcal {A}'\) can use the challenge ciphertext in the \(\textsf {IND-CPA}\) game to simulate the \(\varPi \) for \(\mathcal {A}\), and use \(\mathcal {A}\)’s guess to win the \(\textsf {IND-CPA}\) game against the HE scheme. Hence, combining the two claims, we have that \(\textsf {Adv}_{\varPi ,\mathcal {A}}^{\textsf {Priv}}\) is negligible.