# Reasoning about Privacy Properties of Biometric Systems Architectures in the Presence of Information Leakage

## Abstract

Motivated by the need for precise definitions of privacy requirements, foundations for formal reasoning, and tools for justifying privacy-preserving design choices, a recent work introduces a formal model for describing system architectures and formally verifying their privacy properties. A subsequent work uses this framework to reason about the privacy properties of biometric system architectures. In these studies, the description of an architecture specifies each component, the computations it performs and the communications between components. This static approach makes it possible to reason about design choices at the architectural level, leaving implementation details aside. Although it is important to express privacy properties at this level, the approach fails to capture leakage that may arise at runtime. In particular, in the case of biometric systems, known attacks recover biometric information through a black-box approach, without breaking any part of the system: the attacker interacts with the system only through its normal interface and exploits what its responses reveal. In this paper, we extend the existing formal model to deal with such side-channel attacks and apply the extended model to analyse biometric information leakage in several variants of a biometric system architecture.
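The runtime leakage the abstract alludes to can be made concrete with a toy experiment. The Python below is an added example, not code from the paper or its formal model. It assumes (constructed here) that templates are bit vectors compared by Hamming distance against a threshold, and that the matcher component returns nothing but an accept/reject bit. Even under that minimal interface, an attacker who holds one accepted sample can walk to the decision boundary and then read the stored template bit by bit, one query per bit, without breaking any component: the system behaves exactly as designed. The names `AcceptRejectMatcher`, `recover_template` and `demo` are hypothetical.

```python
import random
from typing import Callable, List

Bits = List[int]


def hamming_distance(a: Bits, b: Bits) -> int:
    """Number of positions where two equal-length bit vectors differ."""
    return sum(x != y for x, y in zip(a, b))


class AcceptRejectMatcher:
    """Constructed black-box verifier (assumption: binary templates compared
    by Hamming distance). It stores a reference template and exposes only an
    accept/reject decision; nothing else leaves the component. A static
    architecture description would model this interface as returning one
    bit, which is precisely what hides the leakage exploited below."""

    def __init__(self, template: Bits, threshold: int) -> None:
        self._template = list(template)   # kept private to the component
        self._threshold = threshold
        self.queries = 0                  # the attacker's cost

    def verify(self, query: Bits) -> bool:
        if len(query) != len(self._template):
            raise ValueError("query length does not match the template")
        self.queries += 1
        return hamming_distance(query, self._template) <= self._threshold


def noisy_sample(template: Bits, flips: int, rng: random.Random) -> Bits:
    """Constructed 'fresh capture': the template with `flips` random bits
    toggled, i.e. a sample the matcher accepts but which is not the template."""
    sample = list(template)
    for i in rng.sample(range(len(template)), flips):
        sample[i] ^= 1
    return sample


def recover_template(verify: Callable[[Bits], bool], accepted: Bits) -> Bits:
    """Boundary-walk attack: from any accepted sample, recover the stored
    template exactly using at most 2n+1 accept/reject queries.

    Every single-bit flip moves the Hamming distance to the template by
    exactly 1, so the accept/reject bit tells the attacker on which side
    of the threshold tau the query now sits.
    """
    q = list(accepted)
    n = len(q)
    if not verify(q):
        raise ValueError("the starting sample must be accepted by the matcher")

    # Phase 1: walk outward until the first rejection. At that point the
    # flipped query is at distance tau+1, so reverting leaves q at exactly tau.
    for i in range(n):
        q[i] ^= 1
        if not verify(q):
            q[i] ^= 1
            break
    else:
        raise RuntimeError("never rejected: threshold too large for this attack")

    # Phase 2: from the boundary point, probe each bit once. Flipping a bit
    # that matches the template moves q to tau+1 (reject); flipping one that
    # differs moves it to tau-1 (accept). Each answer reveals that template bit.
    template: Bits = []
    for i in range(n):
        q[i] ^= 1
        accepted_after_flip = verify(q)
        q[i] ^= 1                          # always revert: stay on the boundary
        template.append(1 - q[i] if accepted_after_flip else q[i])
    return template


def demo(n: int = 64, threshold: int = 8, seed: int = 1):
    """Enrol a random template, give the attacker one accepted noisy sample,
    and report whether the template was recovered and at what query cost."""
    rng = random.Random(seed)
    template = [rng.randrange(2) for _ in range(n)]
    matcher = AcceptRejectMatcher(template, threshold)
    sample = noisy_sample(template, threshold // 2, rng)
    recovered = recover_template(matcher.verify, sample)
    return recovered == template, matcher.queries


if __name__ == "__main__":
    ok, cost = demo()
    print(f"template recovered: {ok}, accept/reject queries used: {cost}")
```

The point for the architectural model is that the matcher's declared interface (one bit out) is honoured at every step; the leak lives in the sequence of responses, which a static description of components and channels never sees. In practice an attempt counter or lockout on the matcher bounds the attacker's query budget and is the first control a reviewer should look for, but it is a runtime property, not an architectural one.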

## Keywords

Formal methods; Biometric systems; Privacy by design

## Notes

### Acknowledgements

This work has been partially funded by the French ANR-12-INSE-0013 project BIOPRIV and the European FP7-ICT-2013-1.5 project PRIPARE.
