Axel Durbet,Paul-Marie Grollemund,Kevin Thiry-Atighehchi

2024-02-21

Abstract:A biometric recognition system can operate in two distinct modes: identification or verification. In the first mode, the system recognizes an individual by searching the enrolled templates of all the users for a match. In the second mode, the system validates a user's identity claim by comparing the fresh provided template with the enrolled template. The biometric transformation schemes usually produce binary templates that are better handled by cryptographic schemes, and the comparison is based on a distance that leaks information about the similarities between two biometric templates. Both the experimentally determined false match rate and false non-match rate through recognition threshold adjustment define the recognition accuracy, and hence the security of the system. To our knowledge, few works provide a formal treatment of security in case of minimal information leakage, i.e., the binary outcome of a comparison with a threshold. In this paper, we focus on untargeted attacks that can be carried out both online and offline, and in both identification and verification modes. On the first hand, we focus our analysis on the accuracy metrics of biometric systems. We provide the complexity of untargeted attacks using the False Match Rate (FMR) and the False Positive Identification Rate (FPIR) to address the security of these systems. Studying near-collisions with these metrics allows us to estimate the maximum number of users in a database, given a chosen FMR, to preserve the security and the accuracy. These results are evaluated on systems from the literature. On the other hand, we rely on probabilistic modelling to assess the theoretical security limits of biometric systems. The study of this metric space, and system parameters (template size, threshold and database size), gives us the complexity of untargeted attacks and the probability of a near-collision.

Cryptography and Security,Computer Vision and Pattern Recognition

Marta Gomez-Barrero,Javier Galbally,Christian Rathgeb,Christoph Busch

DOI: https://doi.org/10.1109/TIFS.2017.2788000

2023-11-08

Abstract:The wide deployment of biometric recognition systems in the last two decades has raised privacy concerns regarding the storage and use of biometric data. As a consequence, the ISO/IEC 24745 international standard on biometric information protection has established two main requirements for protecting biometric templates: irreversibility and unlinkability. Numerous efforts have been directed to the development and analysis of irreversible templates. However, there is still no systematic quantitative manner to analyse the unlinkability of such templates. In this paper we address this shortcoming by proposing a new general framework for the evaluation of biometric templates' unlinkability. To illustrate the potential of the approach, it is applied to assess the unlinkability of four state-of-the-art techniques for biometric template protection: biometric salting, Bloom filters, Homomorphic Encryption and block re-mapping. For the last technique, the proposed framework is compared with other existing metrics to show its advantages.

Computer Vision and Pattern Recognition

Xingbo Dong,Jaewoo Park,Zhe Jin,Andrew Beng Jin Teoh,Massimo Tistarelli,KokSheik Wong

DOI: https://doi.org/10.48550/arXiv.1910.07770

2022-09-29

Abstract:Cancelable biometrics (CB) employs an irreversible transformation to convert the biometric features into transformed templates while preserving the relative distance between two templates for security and privacy protection. However, distance preservation invites unexpected security issues such as pre-image attacks, which are often <a class="link-external link-http" href="http://neglected.This" rel="external noopener nofollow">this http URL</a> paper presents a generalized pre-image attack method and its extension version that operates on practical CB systems. We theoretically reveal that distance preservation property is a vulnerability source in the CB schemes. We then propose an empirical information leakage estimation algorithm to access the pre-image attack risk of the CB schemes. The experiments conducted with six CB schemes designed for the face, iris and fingerprint, demonstrate that the risks originating from the distance computed from two transformed templates significantly compromise the security of CB schemes. Our work reveals the potential risk of existing CB systems theoretically and experimentally.

Computer Vision and Pattern Recognition

Simon Hanisch,Julian Todt,Jose Patino,Nicholas Evans,Thorsten Strufe

DOI: https://doi.org/10.56553/popets-2024-0008

2024-07-09

Abstract:Biometric data contains distinctive human traits such as facial features or gait patterns. The use of biometric data permits an individuation so exact that the data is utilized effectively in identification and authentication systems. But for this same reason, privacy protections become indispensably necessary. Privacy protection is extensively afforded by the technique of anonymization. Anonymization techniques protect sensitive personal data from biometrics by obfuscating or removing information that allows linking records to the generating individuals, to achieve high levels of anonymity. However, our understanding and possibility to develop effective anonymization relies, in equal parts, on the effectiveness of the methods employed to evaluate anonymization performance. In this paper, we assess the state-of-the-art methods used to evaluate the performance of anonymization techniques for facial images and for gait patterns. We demonstrate that the state-of-the-art evaluation methods have serious and frequent shortcomings. In particular, we find that the underlying assumptions of the state-of-the-art are quite unwarranted. State-of-the-art methods generally assume a difficult recognition scenario and thus a weak adversary. However, that assumption causes state-of-the-art evaluations to grossly overestimate the performance of the anonymization. Therefore, we propose a strong adversary which is aware of the anonymization in place. We improve the selection process for the evaluation dataset, and we reduce the numbers of identities contained in the dataset while ensuring that these identities remain easily distinguishable from one another. Our novel evaluation methodology surpasses the state-of-the-art because we measure worst-case performance and so deliver a highly reliable evaluation of biometric anonymization techniques.

Cryptography and Security

Dian Ding,Lanqing Yang,Yi-Chao Chen,Guangtao Xue

DOI: https://doi.org/10.1145/3494984

2021-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:AbstractThe convenience of laptops brings with it the risk of information leakage, and conventional security systems based on the password or the explicit biometric do little to alleviate this problem. Biometric identification based on anatomical features provides far stronger security; however, a lack of suitable sensors on laptops limits the applicability of this technology. In this paper, we developed a behavior-irrelevant user identification system applicable to laptops with a metal casing. The proposed scheme, referred to as LeakPrint, is based on leakage current, wherein the system uses an earphone to capture current leaking through the body and then transmits the corresponding signal to a server for identification. The user identification is achieved via denoising, dimension reduction, and feature extraction. Compared to other biometric identification methods, the proposed system is less dependent on external hardware and more robust to environmental noise. The experiments in real-world environments demonstrated that LeakPrint can verify user identity with high accuracy (93.6%), while providing effective defense against replay attacks (96.5%) and mimicry attacks (90.9%).

Tamas Bisztray,Nils Gruschka,Thirimachos Bourlai,Lothar Fritsch

DOI: https://doi.org/10.1109/BIOSIG52210.2021.9548298

2022-11-23

Abstract:Technological advancements allow biometric applications to be more omnipresent than in any other time before. This paper argues that in the current EU data protection regulation, classification applications using biometric data receive less protection compared to biometric recognition. We analyse preconditions in the regulatory language and explore how this has the potential to be the source of unique privacy risks for processing operations classifying individuals based on soft traits like emotions. This can have high impact on personal freedoms and human rights and therefore, should be subject to data protection impact assessment.

Cryptography and Security,Computers and Society

Chengcheng Liu,Huikai Shao,Dexing Zhong

DOI: https://doi.org/10.1016/j.displa.2024.102771

IF: 3.074

2024-01-01

Displays

Abstract:While existing palmprint recognition researches aim to improve accuracy in various situations, they often overlook the security implications. This paper delves into template protection in palmprint recognition. The existing template protection methods usually cannot strike a well balance between security, accuracy and usability, which reduces the applicability of the algorithms. In this work, a data-centric approach for palmprint template protection is proposed, called PalmSecMatch. Our solution extracts the key from plaintext data. It extremely reduces the dependency on third-party or independent key generation algorithms. The backbone of PalmSecMatch consists of key data extraction and encryption, order shuffling of the raw vectors, hashing code generation, shuffling basis and hashing code fading. PalmSecMatch subtly exploits the fact that biometric data are random variables and benefits from its data-centric nature. PalmSecMatch allows the same plaintext features to be encrypted into highly different ciphertexts, which greatly ensures security. At the same time, the application of data fading strategy makes it extremely difficult for an attacker to distinguish the user data from the auxiliary data. The security analysis shows that PalmSecMatch satisfies the requirements of ISO/IEC 24745. Adequate experiments on two public palmprint databases validate the effectiveness of the proposed method.

Dian Ding,Lanqing Yang,Yi-Chao Chen,Guangtao Xue

DOI: https://doi.org/10.1145/3494984

2021-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:The convenience of laptops brings with it the risk of information leakage, and conventional security systems based on the password or the explicit biometric do little to alleviate this problem. Biometric identification based on anatomical features provides far stronger security; however, a lack of suitable sensors on laptops limits the applicability of this technology. In this paper, we developed a behavior-irrelevant user identification system applicable to laptops with a metal casing. The proposed scheme, referred to as LeakPrint, is based on leakage current, wherein the system uses an earphone to capture current leaking through the body and then transmits the corresponding signal to a server for identification. The user identification is achieved via denoising, dimension reduction, and feature extraction. Compared to other biometric identification methods, the proposed system is less dependent on external hardware and more robust to environmental noise. The experiments in real-world environments demonstrated that LeakPrint can verify user identity with high accuracy (93.6%), while providing effective defense against replay attacks (96.5%) and mimicry attacks (90.9%).

Julien Bringer,Herve Chabanne,Daniel Le Metayer,Roch Lescuyer

DOI: https://doi.org/10.48550/arXiv.1702.08301

2017-03-02

Abstract:This work aims to show the applicability, and how, of privacy by design approach to biometric systems and the benefit of using formal methods to this end. Starting from a general framework that has been introduced at STM in 2014, that enables to define privacy architectures and to formally reason about their properties, we explain how it can be adapted to biometrics. The choice of particular techniques and the role of the components (central server, secure module, biometric terminal, smart card, etc.) in the architecture have a strong impact on the privacy guarantees provided by a biometric system. In the literature, some architectures have already been analysed in some way. However, the existing proposals were made on a case by case basis, which makes it difficult to compare them and to provide a rationale for the choice of specific options. In this paper, we describe, on different architectures with various levels of protection, how a general framework for the definition of privacy architectures can be used to specify the design options of a biometric systems and to reason about them in a formal way.

Cryptography and Security,Logic in Computer Science

WANG Ning,LI Qiong,NIU Xiamu

DOI: https://doi.org/10.3969/j.issn.2095-2163.2013.03.017

2013-01-01

Abstract:Some problems of unimodal biometrics can be solved by multibiometrics,and it is valuable to implement the multibiometric system based on the lower quality dual iris,thermal face images.However,the threat is higher if leakage of the template of multibiometrcs.This paper converts the real thermal face image feature to binary initially,and then generates the secure sketch and biometric via binary thermal face image feature based on the fuzzy commitment scheme.The biometric key is used to encrypt the lower quality iris binary feature for securing the multibiometric template.The experimental results show that this approach can solve the problem of larger distance of intra-class of biometric feature template.And the system not only keeps higher verification performance,but also has the higher security.Furthermore,the paper also analyzes the security based on cross matching after the leakage of the part biometric thermal face feature.Meanwhile the paper obtains the conclusion of decreasing the error tolerance capability and sacrificing verification performance to enhance the system security.

Mingming Jiang,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1016/j.tcs.2024.114552

IF: 1.002

2024-04-10

Theoretical Computer Science

Abstract:A Two-Factor Authentication (2FA) scheme can authenticate a client if the client is able to provide the possession factor (like biometric feature, smart card) and the knowledge factor (like password, secret key) simultaneously. With only one factor, it is hard for an adversary to impersonate the client to pass the authentication, and thus 2FA provides better security than single-factor authentication schemes. However, as far as we know, all existing 2FA schemes do not consider the leakage of server's database, and their authenticity may fail when the database is also compromised (in addition to one factor). Considering numerous reports of database leakage in the real world, it seems imminent to study and design 2FA schemes resilient to database leakage. In this paper, we formalize security models for 2FA schemes by taking database leakage into account. Our security models consider malicious adversaries who can obtain both the client's one authentication factor and the server's database, and have two requirements, authenticity and zero-knowledge . Authenticity ensures that such malicious adversaries cannot impersonate the client to pass the authentication, while zero-knowledge guarantees that such malicious adversaries obtain no information about the client's the other factor. Zero-knowledge is especially important for biometric features (like faces, fingerprints), which are inherent to human beings and can hardly be changed. Then we propose a biometric-based 2FA scheme with biometric feature and secret key serving as the two authentication factors. Our 2FA scheme has three rounds, and we prove its authenticity and zero-knowledge under database leakage in the random oracle model. Notably, our construction makes a novel use of a recent technical advance called robust property-preserving hashing (Boyle et al., ITCS 2019) together with fully homomorphic encryption, to recognize or discern clients by their biometric samplings in a homomorphic and secure way.

computer science, theory & methods

H. Kalluri,Pavani Chitrapu

DOI: https://doi.org/10.1109/SCEECS57921.2023.10062968

2023-02-18

Abstract:Recent years have seen increased interest in research on biometric template protection due to the widespread use of biometric authentication systems. For providing security to biometric templates, there is a procedure known as Fully Homomorphic Encryption that protects biometric templates from the malicious server environment. Users have more customization options with a biometric authentication system than a password or token. The most popular biometric modalities include fingerprints, iris scans, facial images, etc. Biometric modalities offer security on IoMT -based systems. Face recognition is one of the most often utilized biometric authentication methods in societal structure. Face recognition technology has made enormous strides in recent years. Here, we examine the viability of securing a database of iris templates using a methodology based on fully homomorphic Encryption. By directly matching templates in the encrypted domain, this framework is designed to protect confidentiality and restrict information from leaking from the templates while preserving their utility. We also investigate various classification techniques on machine learning models to achieve improved accuracy with shorter execution times. The aggregate verification vector assists in confirming the accuracy of the computed classification result, and the CKKS technique ensures confidentiality for the biometric templates. This study provides a plethora of information on fully homomorphic biometric authentication, containing a wide assortment of algorithms that satisfy homomorphic Encryption and various methods for extracting the biometric-related template.

Computer Science

Manabu Inuma,Akira Otsuka,Hideki Imai

DOI: https://doi.org/10.48550/arXiv.0904.1284

2009-04-08

Abstract:In this paper, we propose a theoretical framework to construct matching algorithms for any biometric authentication systems. Conventional matching algorithms are not necessarily secure against strong intentional impersonation attacks such as wolf attacks. The wolf attack is an attempt to impersonate a genuine user by presenting a "wolf" to a biometric authentication system without the knowledge of a genuine user's biometric sample. A wolf is a sample which can be accepted as a match with multiple templates. The wolf attack probability (WAP) is the maximum success probability of the wolf attack, which was proposed by Une, Otsuka, Imai as a measure for evaluating security of biometric authentication systems. We present a principle for construction of secure matching algorithms against the wolf attack for any biometric authentication systems. The ideal matching algorithm determines a threshold for each input value depending on the entropy of the probability distribution of the (Hamming) distances. Then we show that if the information about the probability distribution for each input value is perfectly given, then our matching algorithm is secure against the wolf attack. Our generalized matching algorithm gives a theoretical framework to construct secure matching algorithms. How lower WAP is achievable depends on how accurately the entropy is estimated. Then there is a trade-off between the efficiency and the achievable WAP. Almost every conventional matching algorithm employs a fixed threshold and hence it can be regarded as an efficient but insecure instance of our theoretical framework. Daugman's IrisCode recognition algorithm proposed can also be regarded as a non-optimal instance of our framework.

Cryptography and Security,Data Structures and Algorithms

Babak Poorebrahim Gilkalaye,Shubhabrata Mukherjee,Reza Derakhshani

2024-08-12

Abstract:Generative AI has revolutionized modern machine learning by providing unprecedented realism, diversity, and efficiency in data generation. This technology holds immense potential for biometrics, including for securing sensitive and personally identifiable information. Given the irrevocability of biometric samples and mounting privacy concerns, biometric template security and secure matching are among the most sought-after features of modern biometric systems. This paper proposes a novel obfuscation method using Generative AI to enhance biometric template security. Our approach utilizes synthetic facial images generated by a Generative Adversarial Network (GAN) as "random chaff points" within a secure vault system. Our method creates n sub-templates from the original template, each obfuscated with m GAN chaff points. During verification, s closest vectors to the biometric query are retrieved from each vault and combined to generate hash values, which are then compared with the stored hash value. Thus, our method safeguards user identities during the training and deployment phases by employing the GAN-generated synthetic images. Our protocol was tested using the AT&T, GT, and LFW face datasets, achieving ROC areas under the curve of 0.99, 0.99, and 0.90, respectively. Our results demonstrate that the proposed method can maintain high accuracy and reasonable computational complexity comparable to those unprotected template methods while significantly enhancing security and privacy, underscoring the potential of Generative AI in developing proactive defensive strategies for biometric systems.

Computer Vision and Pattern Recognition

Chun-Fu Chen,Bill Moriarty,Shaohan Hu,Sean Moran,Marco Pistoia,Vincenzo Piuri,Pierangela Samarati

2024-05-24

Abstract:The recent rapid advancements in both sensing and machine learning technologies have given rise to the universal collection and utilization of people's biometrics, such as fingerprints, voices, retina/facial scans, or gait/motion/gestures data, enabling a wide range of applications including authentication, health monitoring, or much more sophisticated analytics. While providing better user experiences and deeper business insights, the use of biometrics has raised serious privacy concerns due to their intrinsic sensitive nature and the accompanying high risk of leaking sensitive information such as identity or medical conditions.

Machine Learning

Joep Peeters,Andreas Peter,Raymond N.J. Veldhuis

DOI: https://doi.org/10.48550/arXiv.1705.09936

2017-05-28

Abstract:As applications of biometric verification proliferate, users become more vulnerable to privacy infringement. Biometric data is very privacy sensitive as it may contain information as gender, ethnicity and health conditions which should not be shared with third parties during the verification process. Moreover, biometric data that has fallen into the wrong hands often leads to identity theft. Secure biometric verification schemes try to overcome such privacy threats. Unfortunately, existing secure solutions either introduce a heavy computational or communication overhead or have to accept a high loss in accuracy; both of which make them impractical in real-world settings. This paper presents a novel approach to secure biometric verification aiming at a practical trade-off between efficiency and accuracy, while guaranteeing full security against honest-but-curious adversaries. The system performs verification in the encrypted domain using elliptic curve based homomorphic ElGamal encryption for high efficiency. Classification is based on a log-likelihood ratio classifier which has proven to be very accurate. No private information is leaked during the verification process using a two-party secure protocol. Initial tests show highly accurate results that have been computed within milliseconds range.

Cryptography and Security

Andreas Nautsch,Sergey Isadskiy,Jascha Kolberg,Marta Gomez-Barrero,Christoph Busch

DOI: https://doi.org/10.21437/Odyssey.2018-3

2018-03-09

Abstract:Data privacy is crucial when dealing with biometric data. Accounting for the latest European data privacy regulation and payment service directive, biometric template protection is essential for any commercial application. Ensuring unlinkability across biometric service operators, irreversibility of leaked encrypted templates, and renewability of e.g., voice models following the i-vector paradigm, biometric voice-based systems are prepared for the latest EU data privacy legislation. Employing Paillier cryptosystems, Euclidean and cosine comparators are known to ensure data privacy demands, without loss of discrimination nor calibration performance. Bridging gaps from template protection to speaker recognition, two architectures are proposed for the two-covariance comparator, serving as a generative model in this study. The first architecture preserves privacy of biometric data capture subjects. In the second architecture, model parameters of the comparator are encrypted as well, such that biometric service providers can supply the same comparison modules employing different key pairs to multiple biometric service operators. An experimental proof-of-concept and complexity analysis is carried out on the data from the 2013-2014 NIST i-vector machine learning challenge.

Cryptography and Security,Sound,Audio and Speech Processing

Liwei Song,Prateek Mittal

DOI: https://doi.org/10.48550/arXiv.2003.10595

2020-03-24

Cryptography and Security

Abstract:Machine learning models are prone to memorizing sensitive data, making them vulnerable to membership inference attacks in which an adversary aims to guess if an input sample was used to train the model. In this paper, we show that prior work on membership inference attacks may severely underestimate the privacy risks by relying solely on training custom neural network classifiers to perform attacks and focusing only on the aggregate results over data samples, such as the attack accuracy. To overcome these limitations, we first propose to benchmark membership inference privacy risks by improving existing non-neural network based inference attacks and proposing a new inference attack method based on a modification of prediction entropy. We also propose benchmarks for defense mechanisms by accounting for adaptive adversaries with knowledge of the defense and also accounting for the trade-off between model accuracy and privacy risks. Using our benchmark attacks, we demonstrate that existing defense approaches are not as effective as previously reported. Next, we introduce a new approach for fine-grained privacy analysis by formulating and deriving a new metric called the privacy risk score. Our privacy risk score metric measures an individual sample's likelihood of being a training member, which allows an adversary to identify samples with high privacy risks and perform attacks with high confidence. We experimentally validate the effectiveness of the privacy risk score and demonstrate that the distribution of privacy risk score across individual samples is heterogeneous. Finally, we perform an in-depth investigation for understanding why certain samples have high privacy risks, including correlations with model sensitivity, generalization error, and feature embeddings. Our work emphasizes the importance of a systematic and rigorous evaluation of privacy risks of machine learning models.

Ning Wang,Qiong Li,Ahmed A. Abd El-Latif,Jialiang Peng,Xuehu Yan,Xiamu Niu

DOI: https://doi.org/10.1007/s11760-014-0663-2

2014-01-01

Abstract:In recent years, biometrics template protection has been extensively studied and lots of schemes have been proposed. However, most of them have not considered the forgery, large difference of intra-class and the security of unimodal biometrics leakage. And there is no multibiometrics template scheme based on the fusion of dual iris, thermal and visible face images. In this paper, a novel multibiometrics template protection scheme based on fuzzy commitment and chaotic system, and the security analysis approach for unimodal biometrics leakage are proposed. Firstly, the thermal face images are captured to overcome the forgery. Then, the fuzzy commitment is generated from the corporation of error correcting code (ECC) and the fusion binary features. Additionally, the dual iris feature vectors are encrypted via the chaotic system, and the score level fusion based on Aczél-Alsina triangular-norm (AA T-norm) is implemented to acquire the final verification performance. Finally, the entropy of both mutlibiometrics and unimodal information leakage is analyzed to show the security of the proposed approach. The experimental tests are conducted on a virtual multibiometrics database, which merges the challenging CASIA-Iris-Thousand and the NVIE face database. The verification performance decreases from EER of 3 × 10^-2 to 1.163 × 10^-1

Shuang Wang,Xiaoqian Jiang,Lucila Ohno-Machado,Lijuan Cui,Samuel Cheng,Hongkai Xiong

DOI: https://doi.org/10.1109/hisb.2012.53

2012-01-01

Abstract:Privacy is an important concern when biometrics are used in authentication systems for accessing Electronic Health Records (EHR) or other biomedical research data repositories involving human subjects. Biometrics of individuals deserve careful protection because they contain sensitive information closely related to personal privacy (e.g., personal health, ethnic group, etc.) and the leakage of such information can be used to re-identify individuals. More importantly, biometrics are unique and they are not easily revocable. Existing secure biometric systems prevent attackers from collecting unprotected biometrics in databases, however, they cannot guarantee confidentiality in probing and transmitting biometrics.