Reasoning about Privacy Properties of Biometric Systems Architectures in the Presence of Information Leakage

  • Julien Bringer
  • Hervé Chabanne
  • Daniel Le Métayer
  • Roch Lescuyer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9290)


Motivated by the need for precise definitions of privacy requirements, foundations for formal reasoning, and tools for justifying privacy-preserving design choices, a recent work introduces a formal model for the description of system architectures and the formal verification of their privacy properties. A subsequent work uses this framework to reason about privacy properties of biometric system architectures. In these studies, the description of an architecture specifies each component, the computations it performs and the communications between components. This static approach makes it possible to reason about design choices at the architectural level, leaving aside implementation details. Although it is important to express privacy properties at this level, this approach fails to capture some leakage that may result from the system at runtime. In particular, in the case of biometric systems, known attacks make it possible to recover some biometric information in a black-box manner, without breaking any part of the system. In this paper, we extend the existing formal model to deal with such side-channel attacks, and we apply the extended model to analyse biometric information leakage in several variants of a biometric system architecture.


Keywords: Formal methods, Biometric systems, Privacy by design



This work has been partially funded by the French ANR-12-INSE-0013 project BIOPRIV and the European FP7-ICT-2013-1.5 project PRIPARE.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Julien Bringer (1)
  • Hervé Chabanne (1, 2)
  • Daniel Le Métayer (3)
  • Roch Lescuyer (1)
  1. Morpho, Issy-Les-Moulineaux, France
  2. Télécom ParisTech, Paris, France
  3. Inria, Université de Lyon, Lyon, France
