Paper 2022/1030

Oblivious Extractors and Improved Security in Biometric-based Authentication Systems

Ivan De Oliveira Nunes, Rochester Institute of Technology
Peter Rindal, Visa Research
Maliheh Shirvanian, Visa Research

We study the problem of biometric-based authentication with template confidentiality. Typical schemes addressing this problem, such as Fuzzy Vaults (FV) and Fuzzy Extractors (FE), allow a server, aka Authenticator, to store “random looking” Helper Data (HD) instead of biometric templates in the clear. HD hides information about the corresponding biometric while still enabling secure biometric-based authentication. Even though these schemes reduce the risk of storing biometric data, their corresponding authentication procedures typically require sending the HD (stored by the Authenticator) to a client who claims a given identity. The premise here is that only the identity owner - i.e., the person whose biometric was sampled to originally generate the HD - is able to provide the same biometric to reconstruct the proper cryptographic key from HD. As a side effect, the ability to freely retrieve HD, by simply claiming a given identity, allows invested adversaries to perform offline statistical attacks (a biometric analog for dictionary attacks on hashed passwords) or re-usability attacks (if the FE scheme is not reusable) on the HD to eventually recover the user’s biometric. In this work we develop Oblivious Extractors: a new construction that allows an Authenticator to authenticate a user without requiring either the user to send a biometric to the Authenticator or the server to send the HD to the client. Oblivious Extractors provide concrete security advantages for biometric-based authentication systems. From the perspective of secure storage, an oblivious extractor is as secure as its non-oblivious fuzzy extractor counterpart. In addition, it enhances security against the aforementioned statistical and re-usability attacks. To demonstrate the construction’s practicality, we implement and evaluate a biometric-based authentication prototype using Oblivious Extractors.

Category: Cryptographic protocols
Keywords: Biometrics, Authentication, Fuzzy Extractors, Fuzzy Vault
Contact author(s):
ivanoliv @ mail rit edu
perindal @ visa com
mshirvan @ visa com
History:
2022-08-11: approved
2022-08-09: received
License: Creative Commons Attribution-NonCommercial


@misc{cryptoeprint:2022/1030,
      author = {Ivan De Oliveira Nunes and Peter Rindal and Maliheh Shirvanian},
      title = {Oblivious Extractors and Improved Security in Biometric-based Authentication Systems},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1030},
      year = {2022},
      note = {\url{}},
      url = {}
}