Secret rate - Privacy leakage in biometric systems

Ahlswede and Csiszár [1993] introduced the concept of secret sharing. In their source model two terminals observe two correlated sequences. It is the objective of the terminals to form a common secret by interchanging a public message (helper data) in such a way that the secrecy leakage is negligible. In a biometric setting, where the sequences correspond to the enrollment and authentication data, respectively, it is crucial that the public message leaks as little information as possible about the biometric data, since compromised biometric data cannot be replaced. We investigated the fundamental trade-offs for four biometric settings. The first one is the standard (Ahlswede Csiszár) secret generation setting, for which we determined the secret-key vs, privacy-leakage rate region. Here leakage corresponds to the mutual information between helper data and biometric enrollment sequence. In the second setting the secret is not generated by the terminals but independently chosen, and transmitted using a public message. Again we determined the region of achievable rate-leakage pairs. In setting three and four we consider zero-leakage, i.e. the public message contains only a negligible amount of information about the secret and about the biometric enrollment sequence. To achieve this a private key is needed, which can be observed only by the terminals. We considered again both secret generation and secret transmission and determined for both cases the region of achievable secret-key vs. private-key rate pairs. © 2009 IEEE

THRIVE: Threshold Homomorphic encryption based secure and privacy preserving bIometric VErification system

In this paper, we propose a new biometric verification and template protection system which we call the THRIVE system. The system includes novel enrollment and authentication protocols based on threshold homomorphic cryptosystem where the private key is shared between a user and the verifier. In the THRIVE system, only encrypted binary biometric templates are stored in the database and verification is performed via homomorphically randomized templates, thus, original templates are never revealed during the authentication stage. The THRIVE system is designed for the malicious model where the cheating party may arbitrarily deviate from the protocol specification. Since threshold homomorphic encryption scheme is used, a malicious database owner cannot perform decryption on encrypted templates of the users in the database. Therefore, security of the THRIVE system is enhanced using a two-factor authentication scheme involving the user's private key and the biometric data. We prove security and privacy preservation capability of the proposed system in the simulation-based model with no assumption. The proposed system is suitable for applications where the user does not want to reveal her biometrics to the verifier in plain form but she needs to proof her physical presence by using biometrics. The system can be used with any biometric modality and biometric feature extraction scheme whose output templates can be binarized. The overall connection time for the proposed THRIVE system is estimated to be 336 ms on average for 256-bit biohash vectors on a desktop PC running with quad-core 3.2 GHz CPUs at 10 Mbit/s up/down link connection speed. Consequently, the proposed system can be efficiently used in real life applications

Privacy leakage in fuzzy commitment schemes

Abstract In 1999 Juels and Wattenberg introduced the fuzzy commitment scheme. Fuzzy commitment is a particular realization of a binary biometric secrecy system with a chosen secret key. Three cases of biometric sources are considered, i.e. memoryless and totally-symmetric biometric sources, memoryless and input-symmetric biometric sources, and memoryless biometric sources. It is shown that fuzzy commitment is only optimal for memoryless totally-symmetric biometric sources and only at the maximum secret-key rate. Moreover, it is demonstrated that for memoryless biometric sources, which are not input-symmetric, the fuzzy commitment scheme leaks information on both the secret key and the biometric data

Improved security and privacy preservation for biometric hashing

We address improving verification performance, as well as security and privacy aspects of biohashing methods in this thesis. We propose various methods to increase the verification performance of the random projection based biohashing systems. First, we introduce a new biohashing method based on optimal linear transform which seeks to find a better projection matrix. Second, we propose another biohashing method based on a discriminative projection selection technique that selects the rows of the random projection matrix by using the Fisher criterion. Third, we introduce a new quantization method that attempts to optimize biohashes using the ideas from diversification of error-correcting output codes classifiers. Simulation results show that introduced methods improve the verification performance of biohashing. We consider various security and privacy attack scenarios for biohashing methods. We propose new attack methods based on minimum l1 and l2 norm reconstructions. The results of these attacks show that biohashing is vulnerable to such attacks and better template protection methods are necessary. Therefore, we propose an identity verification system which has new enrollment and authentication protocols based on threshold homomorphic encryption. The system can be used with any biometric modality and feature extraction method whose output templates can be binarized, therefore it is not limited to biohashing. Our analysis shows that the introduced system is robust against most security and privacy attacks conceived in the literature. In addition, a straightforward implementation of its authentication protocol is su ciently fast enough to be used in real applications

Secret rate - Privacy leakage in biometric systems

Ahlswede and Csiszár [1993] introduced the concept of secret sharing. In their source model two terminals observe two correlated sequences. It is the objective of the terminals to form a common secret by interchanging a public message (helper data) in such a way that the secrecy leakage is negligible. In a biometric setting, where the sequences correspond to the enrollment and authentication data, respectively, it is crucial that the public message leaks as little information as possible about the biometric data, since compromised biometric data cannot be replaced. We investigated the fundamental trade-offs for four biometric settings. The first one is the standard (Ahlswede Csiszár) secret generation setting, for which we determined the secret-key vs, privacy-leakage rate region. Here leakage corresponds to the mutual information between helper data and biometric enrollment sequence. In the second setting the secret is not generated by the terminals but independently chosen, and transmitted using a public message. Again we determined the region of achievable rate-leakage pairs. In setting three and four we consider zero-leakage, i.e. the public message contains only a negligible amount of information about the secret and about the biometric enrollment sequence. To achieve this a private key is needed, which can be observed only by the terminals. We considered again both secret generation and secret transmission and determined for both cases the region of achievable secret-key vs. private-key rate pairs. © 2009 IEEE