Paper 2022/1030
Oblivious Extractors and Improved Security in Biometric-based Authentication Systems
Abstract
We study the problem of biometric-based authentication with template confidentiality. Typical schemes addressing this problem, such as Fuzzy Vaults (FV) and Fuzzy Extractors (FE), allow a server, aka Authenticator, to store “random looking” Helper Data (HD) instead of biometric templates in clear. HD hides information about the corresponding biometric while still enabling secure biometric-based authentication. Even though these schemes reduce the risk of storing biometric data, their correspondent authentication procedures typically require sending the HD (stored by the Authenticator) to a client who claims a given identity. The premise here is that only the identity owner - i.e., the person whose biometric was sampled to originally generate the HD - is able to provide the same biometric to reconstruct the proper cryptographic key from HD. As a side effect, the ability to freely retrieve HD, by simply claiming a given identity, allows invested adversaries to perform offline statistical attacks (a biometric analog for dictionary attacks on hashed passwords) or re-usability attacks (if the FE scheme is not reusable) on the HD to eventually recover the user’s biometric. In this work we develop Oblivious Extractors: a new construction that allows an Authenticator to authenticate a user without requiring neither the user to send a biometric to the Authenticator, nor the server to send the HD to the client. Oblivious Extractors provide concrete security advantages for biometric-based authentication systems. From the perspective of secure storage, an oblivious extractor is as secure as its non-oblivious fuzzy extractor counterpart. In addition, it enhances security against aforementioned statistical and re-usability attacks. To demonstrate the construction’s practicality, we implement and evaluate a biometric-based authentication prototype using Oblivious Extractors.
Metadata
- Available format(s)
- Category
- Cryptographic protocols
- Publication info
- Preprint.
- Keywords
- Biometrics Authentication Fuzzy Extractors Fuzzy Vault
- Contact author(s)
-
ivanoliv @ mail rit edu
perindal @ visa com
mshirvan @ visa com - History
- 2022-08-11: approved
- 2022-08-09: received
- See all versions
- Short URL
- https://ia.cr/2022/1030
- License
-
CC BY-NC
BibTeX
@misc{cryptoeprint:2022/1030, author = {Ivan De Oliveira Nunes and Peter Rindal and Maliheh Shirvanian}, title = {Oblivious Extractors and Improved Security in Biometric-based Authentication Systems}, howpublished = {Cryptology {ePrint} Archive, Paper 2022/1030}, year = {2022}, url = {https://eprint.iacr.org/2022/1030} }