Privacy-Preserving Biometric-Based Remote User Authentication with Leakage Resilience

  • Yangguang Tian
  • Yingjiu Li
  • Rongmao Chen
  • Nan Li
  • Ximeng Liu
  • Bing Chang
  • Xingjie Yu
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 254)


Biometric-based remote user authentication is a useful primitive that allows an authorized user to authenticate to a remote server using his biometrics. Leakage attacks, such as side-channel attacks, allow an attacker to learn partial knowledge of secrets (e.g., biometrics) stored on any physical medium. Leakage attacks can be potentially launched to any existing biometric-based remote user authentication systems. Furthermore, applying plain biometrics is an efficient and straightforward approach when designing remote user authentication schemes. However, this approach jeopardises user’s biometrics privacy. To address these issues, we propose a novel leakage-resilient and privacy-preserving biometric-based remote user authentication framework, such that registered users securely and privately authenticate to an honest-but-curious remote server in the cloud. In particular, the proposed generic framework provides optimal efficiency using lightweight symmetric-key cryptography, and it remains secure under leakage attacks. We formalize several new security models, including leakage-resilient user authenticity and leakage-resilient biometrics privacy, for biometric-based remote user authentication, and prove the security of proposed framework under standard assumptions.


Remote user authentication Leakage-resilient Biometrics privacy Generic framework 



This work is supported by the Singapore National Research Foundation under NCR Award Number NRF2014NCR-NCR001-012, the National Natural Science Foundation of China (Grant No. 61702541,61702105), the Young Elite Scientists Sponsorship Program by CAST (Grant No. 2017QNRC001) and the Science Research Plan Program by NUDT (Grant No. ZK17-03-46).


  1. 1.
    Fido alliance (2017).
  2. 2.
    Atallah, M.J., Frikken, K.B., Goodrich, M.T., Tamassia, R.: Secure biometric authentication for weak computational devices. In: Patrick, A.S., Yung, M. (eds.) FC 2005. LNCS, vol. 3570, pp. 357–371. Springer, Heidelberg (2005). Scholar
  3. 3.
    Barni, M., et al.: Privacy-preserving fingercode authentication. In: Proceedings of the 12th ACM Workshop on Multimedia and Security, pp. 231–240 (2010)Google Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). Scholar
  5. 5.
    Boyen, X.: Reusable cryptographic fuzzy extractors. In: ACM CCS, pp. 82–91 (2004)Google Scholar
  6. 6.
    Boyen, X., Dodis, Y., Katz, J., Ostrovsky, R., Smith, A.: Secure remote authentication using biometric data. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 147–163. Springer, Heidelberg (2005). Scholar
  7. 7.
    Bringer, J., Chabanne, H., Izabachène, M., Pointcheval, D., Tang, Q., Zimmer, S.: An application of the goldwasser-micali cryptosystem to biometric authentication. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 96–106. Springer, Heidelberg (2007). Scholar
  8. 8.
    Canetti, R., Fuller, B., Paneth, O., Reyzin, L., Smith, A.: Reusable fuzzy extractors for low-entropy distributions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 117–146. Springer, Heidelberg (2016). Scholar
  9. 9.
    Castiglione, A., Choo, K.-K.R., Nappi, M., Narducci, F.: Biometrics in the cloud: challenges and research opportunities. IEEE Cloud Comput. 4(4), 12–17 (2017)CrossRefGoogle Scholar
  10. 10.
    Chen, R., Mu, Y., Yang, G., Susilo, W., Guo, F.: Strongly leakage-resilient authenticated key exchange. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 19–36. Springer, Cham (2016). Scholar
  11. 11.
    Daugman, J.: How iris recognition works. In: The Essential Guide to Image Processing, pp. 715–739 (2009)CrossRefGoogle Scholar
  12. 12.
    Dodis, Y., Kalai, Y.T., Lovett, S.: On cryptography with auxiliary input. In: STOC, pp. 621–630 (2009)Google Scholar
  13. 13.
    Dodis, Y., Kanukurthi, B., Katz, J., Reyzin, L., Smith, A.: Robust fuzzy extractors and authenticated key agreement from close secrets. IEEE Trans. Inf. Theory 58(9), 6207–6222 (2012)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.D.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Fan, C., Lin, Y.: Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics. IEEE Trans. Inf. Forensics Secur. 4(4), 933–945 (2009)CrossRefGoogle Scholar
  16. 16.
    Huang, X., Xiang, Y., Bertino, E., Zhou, J., Xu, L.: Robust multi-factor authentication for fragile communications. IEEE Trans. Dependable Secur. Comput. 11(6), 568–581 (2014)CrossRefGoogle Scholar
  17. 17.
    Huang, X., Xiang, Y., Chonka, A., Zhou, J., Deng, R.H.: A generic framework for three-factor authentication: preserving security and privacy in distributed systems. IEEE Trans. Parallel Distrib. Syst. 22(8), 1390–1397 (2011)CrossRefGoogle Scholar
  18. 18.
    Huang, Y., Malka, L., Evans, D., Katz, J.: Efficient privacy-preserving biometric identification. In: NDSS (2011)Google Scholar
  19. 19.
    Jain, A.K., Prabhakar, S., Hong, L., Pankanti, S.: Fingercode: a filterbank for fingerprint representation and matching. In: 1999 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, vol. 2, pp. 187–193 (1999)Google Scholar
  20. 20.
    Juels, A., Sudan, M.: A fuzzy vault scheme. Des. Codes Cryptogr. 38(2), 237–257 (2006)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Juels, A., Wattenberg, M.: A fuzzy commitment scheme. In: ACM CCS, pp. 28–36 (1999)Google Scholar
  22. 22.
    Kanade, S.G., Petrovska-Delacrétaz, D., Dorizzi, B.: Enhancing Information Security and Privacy by Combining Biometrics with Cryptography. Synthesis Lectures on Information Security, Privacy, and Trust. Morgan & Claypool Publishers, San Rafael (2012)CrossRefGoogle Scholar
  23. 23.
    Li, N., Guo, F., Mu, Y., Susilo, W., Nepal, S.: Fuzzy extractors for biometric identification. In: ICDCS, pp. 667–677 (2017)Google Scholar
  24. 24.
    Li, Y., Li, Y., Yan, Q., Kong, H., Deng, R.H.: Seeing your face is not enough: an inertial sensor-based liveness detection for face authentication. In: ACM CCS, pp. 1558–1569 (2015)Google Scholar
  25. 25.
    Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004). Scholar
  26. 26.
    Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 18–35. Springer, Heidelberg (2009). Scholar
  27. 27.
    Schoenmakers, B., Tuyls, P.: Efficient binary conversion for paillier encrypted values. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 522–537. Springer, Heidelberg (2006). Scholar
  28. 28.
    Tang, Q., Bringer, J., Chabanne, H., Pointcheval, D.: A formal study of the privacy concerns in biometric-based remote authentication schemes. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 56–70. Springer, Heidelberg (2008). Scholar
  29. 29.
    Wang, Q., Hu, S., Ren, K., He, M., Du, M., Wang, Z.: CloudBI: practical privacy-preserving outsourcing of biometric identification in the cloud. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 186–205. Springer, Cham (2015). Scholar
  30. 30.
    Yang, G., Mu, Y., Susilo, W., Wong, D.S.: Leakage resilient authenticated key exchange secure in the auxiliary input model. In: Deng, R.H., Feng, T. (eds.) ISPEC 2013. LNCS, vol. 7863, pp. 204–217. Springer, Heidelberg (2013). Scholar
  31. 31.
    Yuen, T.H., Zhang, Y., Yiu, S.M., Liu, J.K.: Identity-based encryption with post-challenge auxiliary inputs for secure cloud applications and sensor networks. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 130–147. Springer, Cham (2014). Scholar
  32. 32.
    Zhang, L., Tan, S., Yang, J., Chen, Y.: Voicelive: a phoneme localization based liveness detection for voice authentication on smartphones. In: ACM CCS, pp. 1080–1091 (2016)Google Scholar
  33. 33.
    Zhao, W., Chellappa, R., Phillips, P.J., Rosenfeld, A.: Face recognition: a literature survey. ACM Comput. Surv. (CSUR) 35(4), 399–458 (2003)CrossRefGoogle Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Yangguang Tian
    • 1
  • Yingjiu Li
    • 1
  • Rongmao Chen
    • 2
  • Nan Li
    • 3
  • Ximeng Liu
    • 1
  • Bing Chang
    • 1
  • Xingjie Yu
    • 1
  1. 1.School of Information SystemsSingapore Management UniversitySingaporeSingapore
  2. 2.College of ComputerNational University of Defense TechnologyChangshaChina
  3. 3.School of Electrical Engineering and ComputingUniversity of NewcastleCallaghanAustralia

Personalised recommendations