Privacy-Preserving Authentication: A Homomorphic Encryption Approach

The importance of privacy for individuals has become increasingly evident in recent years as the amount of personal data being collected, stored and used by both private companies and government institutions has grown exponentially. The potential for this data to be misused or mishandled has led to widespread concern among individuals about the protection of their personal information. In response to these concerns, there has been a rise in the development of privacy-preserving technologies, which aim to protect personal data while still allowing it to be used for legitimate purposes. These technologies are necessary not only to address the concerns of individuals, but also to meet the legal requirements of institutions that handle personal information. Many applications using personal information as a commodity can benefit from privacy-preserving technologies. The research presented in this thesis targets a commonly used Internet application in which privacy-enhancing technologies can play a key role: biometric-based authentication. Authentication is the establishment of one party’s identity to the other. Biometric data, such as faces, fingerprints or iris, are used more and more commonly as a means of providing personal identification and authentication. However, authentication protocols using biometric data face serious privacy concerns, as the data involved is sensitive or personally-identifiable, which makes it necessary for data holders to protect its privacy. The widespread use of this application, and the need to protect user privacy, motivated us to examine how homomorphic encryption, a privacy-preserving technology, can be used and deployed to enhance privacy in such an application. Homomorphic encryption is a form of encryption that allows arbitrary computations to be performed on encrypted data, resulting in an encrypted result that, when decrypted, is the same as if the computation had been performed on the corresponding cleartext data. This means that entire computational processes can be executed on encrypted data without requiring the decryption key, thereby maintaining the privacy of the data involved. This can address both concerns from individuals regarding the protection of their personal and sensitive data, and legal requirements that institutions must meet. Homomorphic encryption can be used in an authentication protocol to allow a server to verify the authenticity of a client’s credentials without having access to the cleartext values of the credentials. In this thesis, we describe and prove secure two novel biometric-based authentication protocols that use homomorphic encryption to preserve the confidentiality of the biometric data both in storage and during use. These protocols ensure the privacy of the biometric information, while still allowing it to be used for authentication purposes. Users of the protocols encrypt their own biometric data and send it to a remote server that performs computations, including the biometric matching, solely on encrypted data. One of the protocols is designed to protect biometric data privacy against a honest-but-curious server and the other against a malicious server. Additionally, in both cases the user is securely authenticated by the server. For both the protocols, implementation and performance results using public homomorphic encryption libraries are presented along with a security and usability assessment, including an evaluation analysis against industry-standard biometric-based authentication schemes. In the most efficient implementation, the active authentication phase takes no more than three seconds to complete