Biometrics

4. Challenges and Countermeasures

4.2.1. Secure Multiparty Computation in Biometric Authentication

Cryptographic primitives that are often employed in SMPC include homomorphic encryption, oblivious transfer, and garbled circuits, which will be presented shortly, and are often combined to obtain privacy-preserving BAS. From a theoretical point of view, SMPC techniques allow to maximise the utility of information without compromising the user privacy. A more formal intuition on how SMPC works is given in Box 1.

Box 1
The general setting for \mathrm{SMPC} is the following. The system is made up of N entities p_{1}, p_{2}, \ldots, p_{N} that jointly compute some public function f based on some individually secret data d_{1}, d_{2}, \ldots, d_{N}, without revealing their private inputs to one another. In other words, SMPC allows the interactive computation among multiple parties in such a way that at the end of the process no participant p_{i} can learn more from f and the result D=f\left(d_{1}, d_{2}, \ldots, d_{N}\right), than what p_{i} could learn from her own secret data d_{i}, i=1,2, \ldots, N. It is easy to see that \operatorname{SMPC} can be very useful in privacy-preserving biometric authentication especially in the distributed scenario, where multiple entities are involved in the authentication process (e.g.., a database \mathscr{D} \mathscr{B}, an authentication server \mathscr{A} \mathcal{A} and a matcher \mathscr{C} \mathcal{S}). In this case, the function f could be the distance between the fresh and the stored biometric template and the goal would be to guarantee the secrecy of the biometric templates (fresh and stored).

Box 2
Bloom Filters in Biometric Authentication. This method is the main alternative to the employment of leaking distances Intuitively, a Bloom filter \mathrm{F}_{A} is an \mathrm{N} -bit string which represents a set A \subseteq D(\mathrm{e} \cdot
                \mathrm{g} ., A the acceptance area, and D is the space of all biometric templates). The encoding of A into \mathrm{F}_{A} is done using k independent hash functions h_{1}, h_{2}, \ldots, h_{k}: D \rightarrow[0, N-1] in the following way. For each element b \in A, and for each 1 \leq i \leq k, the bits at positions h_{i}(b) of the Bloom filter \mathrm{F}_{\mathrm{A}} are set to 1 (the other bits are set to 0 ). To test if an element b^{\prime} is in A using the bloom filter, it is sufficient to check whether the bits of \mathrm{F}_{A} at positions h_{i}\left(b^{\prime}\right) are 1, equal to for all 1 \leq i \leq k. If this is the case, one can deduce that b^{\prime} is in A with high probability, otherwise it holds b^{\prime} \notin A It is immediate to see that the employment of Bloom filters in the matching process directly mitigates any centre-search attack for template recovery.

It is understood that SMPC is an incredibly useful tool for the design of privacy-preserving biometric authentication protocols. Multiple existing schemes, indeed, rely on SMPC.

Homomorphic encryption (HE) is perhaps the most suitable cryptographic primitive (inside the SMPC framework) that can be successfully employed for privacy-preserving biometric authentication. Homomorphic encryption can be applied in a bit-by-bit mode making it possible to perform the matching process in the encrypted domain directly. More formally, HE allows translating operations on the encrypted data (ciphertext) to some useful operations on the corresponding plaintexts. In formulas,

\operatorname{Enc}_{k}\left(m_{1}\right) \circ \operatorname{Enc}_{k}\left(m_{2}\right)=\operatorname{Enc}_{k}\left(m_{1} \times m_{2}\right)

where m_{1}, m_{2} are plaintext messages and Enc _{k} corresponds to a homomorphic encryption function under a public key k. If we consider that m_{1}=b^{\prime} is the fresh template of a user ID and m_{2}=b is the stored template of the same user, then homomorphic encryption gives us the possibility of performing operations on the encrypted templates and compute the distance (e.g., Hamming distance) between them. While HE protects biometric templates from user traceability attacks (HE prevents user traceability given that different databases store different/independent encryptions of the same reference template), it does not directly protect from other privacy attacks. For instance, Abidin et al. exploit exactly the homomorphic property to show that the claimed privacy-preserving BAS in is actually vulnerable to the biometric template attack. Another limitation to the employment of HE schemes is their computational cost, and there are limitations on the number of multiplications that can be performed between ciphertexts. Nevertheless, some recently proposed schemes show promise regarding the efficiency of HE.

Oblivious transfer (OT) (1-out-of-N) enables one party the sender \mathcal{S} to send one element out of N, to a receiver \mathscr{R} in such a way that the sender does not know which element is received by \mathscr{R}. Furthermore, \mathscr{R} does not find out anything about the other $N-1$ elements. If we consider the elements to be the stored (encrypted) biometric templates, we see that OT essentially allows one to search in the database, without revealing which item (i.e., biometric template) is selected for the matching process. This is a very useful tool for privacy-preservation and assures perfect resistance against user traceability and distinguishability. Similarly to HE, however, OT alone cannot prevent some template recovery attacks, since the best known strategy is based solely on the value returned by the BAS (essentially the acceptance/rejection message) which is not affected by the OT technique.

Garbled circuits are a cryptographic technique that enables two parties to compute a function (represented as a binary circuit) and learn only the output of the function and nothing else (e.g., the other party's input). This approach combines OT and SMPC between two entities and thus is quite relevant for achieving a privacy-preserving matching process in biometric authentication. Up to now, garbled circuits constitute the most promising cryptographic tool to prevent template recovery attacks. A detailed description of OT and garbled circuits in BAS can be found in.