
A Framework for UC Secure Privacy Preserving Biometric Authentication Using Efficient Functional Encryption

Conference paper. In: Applied Cryptography and Network Security (ACNS 2023)

Abstract

Despite its popularity, password based authentication is susceptible to various kinds of attacks, such as online or offline dictionary attacks. Employing biometric credentials in the authentication process can strengthen the provided security guarantees, but raises significant privacy concerns. This is mainly due to the inherent variability of biometric readings that prevents us from simply applying a standard hash function to them. In this paper we first propose an ideal functionality for modeling secure, privacy preserving biometric based two-factor authentication in the framework of universal composability (UC). The functionality is of independent interest and can be used to analyze other two-factor authentication protocols. We then present a generic protocol for biometric based two-factor authentication and prove its security (relative to our proposed functionality) in the UC framework. The first factor in our protocol is the possession of a device that stores the required secret keys and the second factor is the user’s biometric template. Our construction can be instantiated with function hiding functional encryption, which computes for example the distance of the encrypted templates or the predicate indicating whether the templates are close enough. Our contribution can be split into three parts:

  • We model privacy preserving biometric based two-factor authentication as an ideal functionality in the UC framework. To the best of our knowledge, this is the first description of an ideal functionality for biometric based two-factor authentication in the UC framework.

  • We propose a general protocol that uses functional encryption and prove that it UC-realizes our ideal functionality.

  • We show how to instantiate our framework with efficient, state of the art inner-product functional encryption. This allows the computation of the Euclidean distance, Hamming distance or cosine similarity between encrypted biometric templates. In order to show its practicality, we implemented our protocol and evaluated its performance.
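As an added worked example (not code from the paper), the following Python shows the encoding trick behind this instantiation: inner-product functional encryption reveals only \(\langle x, y\rangle\) between a key vector and a ciphertext vector, so the non-bilinear terms of a distance have to be packed into extra coordinates of the reference and probe encodings. The function names `encode_ref_*`/`encode_probe_*`, the fixed-point scale used for cosine similarity and the sample templates are my assumptions, not the paper's own `encodeRef`/`encodeProbe`.

```python
"""Encodings that turn one inner product into a biometric distance or similarity.

Added illustration for this page, not the paper's own encodeRef/encodeProbe.
With inner-product FE the server holds a key for the encoded reference template
and learns only <ref, probe>, so each encoding folds the non-bilinear terms of
the distance into extra coordinates.
"""
from math import sqrt
from typing import List, Sequence

Vec = List[int]


def inner(x: Sequence[int], y: Sequence[int]) -> int:
    """What IPFE decryption reveals: the inner product of key and ciphertext vectors."""
    if len(x) != len(y):
        raise ValueError("vector length mismatch")
    return sum(a * b for a, b in zip(x, y))


def _check_bits(v: Sequence[int]) -> None:
    if any(x not in (0, 1) for x in v):
        raise ValueError("Hamming encoding expects a binary template")


# Squared Euclidean distance: ||b - b'||^2 = ||b||^2 - 2<b,b'> + ||b'||^2.
# The reference side carries -2*b and ||b||^2, the probe side carries b' and ||b'||^2,
# and a constant-1 slot on each side picks up the other side's norm.
def encode_ref_sqeuclid(b: Sequence[int]) -> Vec:
    return [-2 * v for v in b] + [1, sum(v * v for v in b)]


def encode_probe_sqeuclid(bp: Sequence[int]) -> Vec:
    return list(bp) + [sum(v * v for v in bp), 1]


# Hamming distance on {0,1}^n is the same identity, because v*v == v for bits.
def encode_ref_hamming(b: Sequence[int]) -> Vec:
    _check_bits(b)
    return [-2 * v for v in b] + [1, sum(b)]


def encode_probe_hamming(bp: Sequence[int]) -> Vec:
    _check_bits(bp)
    return list(bp) + [sum(bp), 1]


# Cosine similarity <b,b'>/(||b|| ||b'||): each side divides by its own norm before
# encryption, in fixed point so the vectors stay integers (IPFE works over Z or Z_p).
SCALE = 1000  # assumed fixed-point scale; precision/size trade-off


def encode_cosine(v: Sequence[float]) -> Vec:
    norm = sqrt(sum(x * x for x in v))
    if norm == 0:
        raise ValueError("zero vector has no direction")
    return [round(SCALE * x / norm) for x in v]


def cosine_from_inner(z: int) -> float:
    """FE2out for cosine: undo the fixed-point scaling of both sides."""
    return z / (SCALE * SCALE)


# Plain-text reference implementations, used to check the encodings.
def sq_euclid(b: Sequence[int], bp: Sequence[int]) -> int:
    return sum((x - y) ** 2 for x, y in zip(b, bp))


def hamming(b: Sequence[int], bp: Sequence[int]) -> int:
    return sum(x != y for x, y in zip(b, bp))


def accept(distance: int, tau: int) -> bool:
    """Threshold predicate a server applies to the decrypted distance (FE2out)."""
    return distance <= tau


if __name__ == "__main__":
    ref, probe = [1, 0, 1, 1, 0], [1, 1, 1, 0, 0]  # constructed sample templates
    z = inner(encode_ref_hamming(ref), encode_probe_hamming(probe))
    print("decrypted:", z, "plaintext Hamming:", hamming(ref, probe), "accept@1:", accept(z, 1))
```

The constant-1 slots are what the paper's `encodeRef`/`encodeProbe` must provide in some form; without them an inner product cannot express the two norm terms. For the predicate variant mentioned in the abstract, `accept` is the only thing the server needs to output, which is also why leaking the exact distance is the stronger of the two output modes.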



Acknowledgements

This work was partially funded by the EU-funded Marie Curie ITN TReSPAsS-ETN project under the grant agreement 860813. We would like to thank the anonymous reviewers of ACNS for their detailed and helpful comments and suggestions and Astrid Ottenhues for helpful discussions.

Author information

Correspondence to Johannes Ernst.

A Security Proof

Fig. 9. The code of the simulator.

Fig. 10. The second part of the code of the simulator.

Below we give the proof of Theorem 1.

Proof

We first provide a simulator in Fig. 9 and Fig. 10. Then we show that no \(\textsf{PPT}\) environment \(\mathcal {Z}\) can distinguish the real world, where it interacts with the honest parties and the dummy adversary, from the ideal world, where it interacts with the honest parties and the simulator. We do so by considering all actions that \(\mathcal {Z}\) can take and arguing for each of them that the results \(\mathcal {Z}\) obtains in the real world and in the ideal world are essentially the same. The actions that \(\mathcal {Z}\) can take are:

  • \((\textsc {Enrol}, \textsf{sid}, \textsf{ssid}, \mathfrak {b})\) to an honest client

  • \((\textsc {Auth}, \textsf{sid}, \textsf{ssid}, \mathfrak {b}')\) to an honest client

  • \((\textsc {ok}, (\textsf{sid}, \textsf{ssid}))\) to \(\mathcal {F}_{\text {SMT}}'\)

  • \((\textsc {Send}, (\textsf{sid}, \textsf{ssid}), \mathcal {S}, m=(\text {enrol}, \textsf{rid}, \textsf{pk}, \textsf{sk}_\textbf{b}))\) to \(\mathcal {F}_{\text {SMT}}'\) in the name of a corrupted client

  • \((\textsc {Send}, (\textsf{sid}, \textsf{ssid}), \mathcal {S}, m=(\text {auth}, \textsf{rid}, c, \sigma ))\) to \(\mathcal {F}_{\text {SMT}}'\) in the name of a corrupted client

  • \((\textsc {Corrupt}, \textsf{sid})\) to a client \(\mathcal {C}\)

  • \((\textsc {TryImpersonate}, \textsf{sid}, \textsf{ssid}, \mathfrak {b}')\) to a client \(\mathcal {C}\)

To simplify the presentation, we assume that \(\mathcal {Z}\) does not delay or block messages, whenever the sender or receiver is corrupted. In that case the receiver directly gets the message without the need for \(\mathcal {Z}\) to send \((\textsc {ok}, (\textsf{sid}, \textsf{ssid}))\) to \(\mathcal {F}_{\text {SMT}}'\). This is reasonable, because \(\mathcal {Z}\) cannot gain anything from blocking its own messages. Therefore, when \(\mathcal {S}\) is corrupted, \(\textsf{Sim}\) can directly send \((\textsc {EnrolOK},\textsf{sid}, \textsf{ssid})\) (resp. \((\textsc {AuthOK},\textsf{sid}, \textsf{ssid})\)) to \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) after receiving \((\textsc {enrol},\textsf{sid}, \textsf{ssid},\cdot )\) (resp. \((\textsc {auth},\textsf{sid}, \textsf{ssid},\cdot )\)) from \(\mathcal {F}_{\text {2FA}}^\textsf{out}\). In the real world we say that \(\textsf{rid}\) is enroled, if the server has a record \(\langle \textsf{rid},\cdot , \cdot \rangle \). In the ideal world we say that \(\textsf{rid}\) is enroled, if the ideal functionality has a record \(\langle \text {enroled},\cdot , \textsf{rid}, \cdot \rangle \) or \(\langle \text {enroled-adversarial},\textsf{rid}, \cdot \rangle \). In both worlds this is equivalent to the server having output \((\textsc {enrol}, \textsf{sid}, \textsf{ssid}, \textsf{rid})\), for some \(\textsf{sid}\) and \(\textsf{ssid}\).

The simulator uses five different tables. Table \(T_1\) holds pending messages and \(T_2\) contains an entry for each adversarially enroled client. In case the server is corrupted, \(T_3\) contains an entry for each enroled client. Table \(T_4\) contains an entry for each client that was adaptively corrupted by \(\mathcal {Z}\), and \(T_5\) contains all (fake) messages that \(\textsf{Sim}\) created in response to \(\textsc {TryImpersonate}\) instructions from \(\mathcal {Z}\).

• (Enrol \(,\textsf{sid}, \textsf{ssid}, \mathfrak {b})\) to an honest client \(\mathcal {C}\): \(\mathcal {Z}\) calls the enrol-interface of \(\mathcal {C}\).

Case 1. The server is honest:

Real world: \(\mathcal {C}\) only continues if this is the first \(\textsc {Enrol}\) message they got. They execute the setup algorithm of the FE scheme and the signature scheme and choose a random \(\textsf{rid}\). \(\mathcal {C}\) prepares the message m for the server and sends \((\textsc {Send}, (\textsf{sid}, \textsf{ssid}), \mathcal {S}, m)\) to \(\mathcal {F}_{\text {SMT}}'\). \(\mathcal {F}_{\text {SMT}}'\) then sends \((\textsc {sent}, (\textsf{sid}, \textsf{ssid}), \mathcal {C}, \mathcal {S}, \text {length}(m))\) to \(\mathcal {A}\), who gives it to \(\mathcal {Z}\).

Ideal world: \(\mathcal {C}\) sends (Enrol\(, \textsf{sid}, \textsf{ssid}, \mathfrak {b})\) to \(\mathcal {F}_{\text {2FA}}^\textsf{out}\), which only continues if this is the first \(\textsc {Enrol}\) message from \(\mathcal {C}\). \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) then sends \((\textsc {enrol}, \textsf{sid}, \textsf{ssid}, \mathcal {C}, \mathcal {S})\) to \(\textsf{Sim}\), who gives \((\textsc {sent}, (\textsf{sid}, \textsf{ssid}), \mathcal {C}, \mathcal {S}, l_e)\) to \(\mathcal {Z}\).

In both worlds \(\mathcal {Z}\) gets a message if and only if the client has not yet sent an enrolment message. By definition of \(l_e\), we have that \(\text {length}(m) = l_e\) and, therefore, the messages that \(\mathcal {Z}\) gets in both worlds are the same.

Case 2. The server is corrupted:

Real world: \(\mathcal {C}\) sends \((\textsc {Send}, (\textsf{sid}, \textsf{ssid}), \mathcal {S}, m := (\text {enrol}, \textsf{rid}, \textsf{pk}, \textsf{sk}_\textbf{b}))\) to \(\mathcal {F}_{\text {SMT}}'\) for random \(\textsf{rid}\) and fresh \(\textsf{pk}\) and \(\textsf{sk}_\textbf{b}\). \(\mathcal {S}\) directly gives this message to \(\mathcal {Z}\).

Ideal world: \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) sends (enrol\(,\textsf{sid}, \textsf{ssid}, \mathcal {C})\) to \(\textsf{Sim}\), which replies with \((\textsc {EnrolOK},\textsf{sid}, \textsf{ssid})\). \(\textsf{Sim}\) then gets \((\textsc {enrol}, \textsf{sid}, \textsf{ssid}, \textsf{rid})\) as output to the corrupted server. \(\textsf{Sim}\) chooses a fake \(\mathfrak {b}\) and generates \(\textsf{pk}\) and \(\textsf{sk}_\textbf{b}\). It then gives \((\textsc {sent}, (\textsf{sid}, \textsf{ssid}), m := (\text {enrol}, \textsf{rid}, \textsf{pk}, \textsf{sk}_\textbf{b}))\) to \(\mathcal {Z}\) in the name of the corrupted server.

In both worlds \(\textsf{sid}\) and \(\textsf{ssid}\) are the same and \(\textsf{rid}\) is a random value that \(\mathcal {Z}\) has not previously seen. In both worlds \(\textsf{pk}\) is the output of \(\mathsf {Sig.Gen}\). The only critical part is \(\textsf{sk}_\textbf{b}\). In the real world the underlying vector \(\mathfrak {b}\) is the user’s biometric, whereas in the ideal world the simulator chose \(\mathfrak {b} \leftarrow \mathsf {chooseFakeRef()}\). The two keys are nevertheless indistinguishable by the function hiding property of the FE scheme: in Lemma 1 we give a reduction that breaks the fh-IND-security of \(\textsf{FE}\) if \(\mathcal {Z}\) can distinguish between the real and the ideal world.

• (Auth \(,\textsf{sid}, \textsf{ssid}, \mathfrak {b}')\) to an honest client \(\mathcal {C}\): \(\mathcal {Z}\) calls the auth-interface of \(\mathcal {C}\).

Case 1. The server is honest:

Real world: \(\mathcal {C}\) checks if they are enroled. If so, \(\mathcal {C}\) prepares the authentication message m for the server and sends \((\textsc {Send}, (\textsf{sid}, \textsf{ssid}), \mathcal {S}, m)\) to \(\mathcal {F}_{\text {SMT}}'\), which sends \((\textsc {sent}, (\textsf{sid}, \textsf{ssid}), \mathcal {C}, \mathcal {S}, \text {length}(m))\) to \(\mathcal {A}\), who forwards it to \(\mathcal {Z}\).

Ideal world: \(\mathcal {C}\) sends (Auth\(, \textsf{sid}, \textsf{ssid}, \mathfrak {b}')\) to \(\mathcal {F}_{\text {2FA}}^\textsf{out}\). If \(\mathcal {C}\) has previously sent an enrol-message, \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) sends \((\textsc {auth}, \textsf{sid}, \textsf{ssid}, \mathcal {C}, \mathcal {S})\) to \(\textsf{Sim}\), who gives \((\textsc {sent}, (\textsf{sid}, \textsf{ssid}),\mathcal {C}, \mathcal {S}, l_a)\) to \(\mathcal {Z}\).

In both worlds \(\mathcal {Z}\) gets a message if and only if the client has previously sent an enrolment message. By definition of \(l_a\), we have that \(\text {length}(m) = l_a\) and, therefore, the messages that \(\mathcal {Z}\) gets are the same in both worlds.

Case 2. The server is corrupted:

Real world: If \(\mathcal {C}\) has previously sent an enrol-message, they send \((\textsc {Send}, (\textsf{sid}, \textsf{ssid}),\mathcal {S}, m=(\text {auth},\textsf{rid},c,\sigma ))\) to \(\mathcal {F}_{\text {SMT}}'\), where c is the encryption of the encoded fresh template \(\mathfrak {b}'\) and \(\sigma \) a signature of \((\textsf{sid}, \textsf{ssid},\textsf{rid},c)\). \(\mathcal {S}\) receives this message and directly gives it to \(\mathcal {Z}\).

Ideal world: If \(\mathcal {C}\) has previously sent an enrol-message, \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) sends \((\textsc {auth},\textsf{sid}, \textsf{ssid}, \mathcal {C})\) to \(\textsf{Sim}\), which replies with \((\textsc {AuthOK}, \textsf{sid}, \textsf{ssid})\). \(\textsf{Sim}\) then gets \((\textsc {auth}, \textsf{sid}, \textsf{ssid}, \textsf{rid},d=\textsf{out}(\mathfrak {b},\mathfrak {b'}))\) as output to the corrupted server, where \(\mathfrak {b}\) and \(\mathfrak {b}'\) are the client’s reference and fresh template. \(\textsf{Sim}\) chooses a fake probe template such that its FE output with the fake reference template is exactly d. \(\textsf{Sim}\) then encodes and encrypts the new fake template and creates a signature, using the self-chosen keys from the enrolment phase, as an honest client would do. It then gives \((\textsc {sent}, (\textsf{sid}, \textsf{ssid}), m := (\text {auth}, \textsf{rid}, c, \sigma ))\) to \(\mathcal {Z}\) in the name of the corrupted server.

In both worlds \(\textsf{ssid}\) is the same and \(\textsf{rid}\) is a random value that matches the \(\textsf{rid}\) from the enrolment phase. The critical component is the ciphertext c. Here we rely on the fh-IND-security of the FE scheme, which ensures that no PPT adversary can distinguish between two ciphertexts, if the output of \(\mathsf {FE.Dec}(\textsf{sk}_\textbf{b}, \cdot )\) is the same in both cases. By choosing the fake template as \(\mathfrak {b}'\leftarrow \textsf{chooseFakeProbe}(\mathfrak {b},d)\), \(\textsf{Sim}\) ensures that the FE outputs are the same in both worlds. We show the indistinguishability of both worlds formally in Lemma 1 by giving a reduction, which breaks the fh-IND-security of the FE scheme, if \(\mathcal {Z}\) is able to distinguish between the worlds. The signatures \(\sigma \) in both worlds are indistinguishable, as the secret keys are identically distributed and the signed messages are indistinguishable.

• (ok \(,(\textsf{sid},\textsf{ssid}))\) to \(\mathcal {F}_{{\textbf {SMT}}}'\): The environment lets through a client’s message:

Case 1. (\(\textsf{ssid}\) belongs to an enrol-message of a client \(\mathcal {C}\)):

Real world: \(\mathcal {C}\) chose \(\textsf{rid}\) uniformly from \(\{0,1\}^\lambda \), therefore, \(\mathcal {S}\) will not have a record \(\langle \textsf{rid}, \textsf{pk}, \textsf{sk}_\textbf{b}\rangle \) with overwhelming probability. Thus, \(\mathcal {S}\) outputs \((\textsc {enrol}, \textsf{sid},\textsf{ssid}, \textsf{rid})\).

Ideal world: \(\textsf{Sim}\) sends \((\textsc {EnrolOK},\textsf{sid},\textsf{ssid})\) to \(\mathcal {F}_{\text {2FA}}^\textsf{out}\). \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) will not have a record \(\langle \text {enroled},\mathcal {C},\cdot ,\cdot \rangle \), because \(\mathcal {C}\) has not yet enroled and enrols at most once. Hence, \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) will choose \(\textsf{rid}\) at random and give \((\textsc {enrol}, \textsf{sid},\textsf{ssid}, \textsf{rid})\) as output to \(\mathcal {Z}\).

In both worlds \(\textsf{rid}\) is a random bit string that \(\mathcal {Z}\) has not seen before. Therefore, both worlds are indistinguishable for \(\mathcal {Z}\).

Case 2. (\(\textsf{ssid}\) belongs to an authentication-message of a client \(\mathcal {C}\)): If \(\mathcal {Z}\) previously let through the corresponding enrol-message of \(\mathcal {C}\) then \(\mathcal {S}\) has a record \(\langle \textsf{rid}, \textsf{pk},\textsf{sk}_\textbf{b}\rangle \) and \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) has a record \(\langle \text {enroled},\mathcal {C},\textsf{rid},\mathfrak {b}\rangle \). Thus, in the real world \(\mathcal {Z}\) will get \((\textsc {auth}, \textsf{sid},\textsf{ssid},\textsf{rid}, d=\textsf{FE2out}(\mathsf {FE.Dec}(\textsf{sk}_\textbf{b},c)))\) from \(\mathcal {S}\). In the ideal world \(\mathcal {Z}\) will get \((\textsc {auth}, \textsf{sid},\textsf{ssid},\textsf{rid},\textsf{out}(\mathfrak {b}, \mathfrak {b}'))\), where \(\mathfrak {b}, \mathfrak {b}'\) are the same in both worlds (chosen by \(\mathcal {Z}\)). In both worlds \(\textsf{rid}\) will match the \(\textsf{rid}\) from the enrol-message. By correctness of \((\textsf{encodeRef}, \textsf{encodeProbe},\textsf{out},\textsf{FE2out})\) we have \(d=\textsf{out}(\mathfrak {b},\mathfrak {b}')\).

If \(\mathcal {Z}\) did not let through \(\mathcal {C}\)’s enrol-message, \(\mathcal {S}\) has no record \(\langle \textsf{rid},\cdot ,\cdot \rangle \) (\(\mathcal {Z}\) does not even know \(\textsf{rid}\)) and \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) has no record \(\langle \text {enroled},\mathcal {C},\cdot ,\cdot \rangle \). Thus, in both worlds, \(\mathcal {Z}\) gets as output \((\textsc {auth}\text {-}\textsc {fail},\textsf{sid},\textsf{ssid})\).

• (Send \(,(\textsf{sid},\textsf{ssid}),m=({\textbf {enrol}},\textsf{rid},\textsf{pk},\textsf{sk}_\textbf{b}))\) to \(\mathcal {F}_{{\textbf {SMT}}}'\): A corrupted client’s enrol-message:

Case 1. The server is honest:

Real world: If \(\mathcal {S}\) previously output \((\textsc {enrol},\textsf{sid},\textsf{ssid}',\textsf{rid})\) (i.e. \(\textsf{rid}\) is already enroled), then \(\mathcal {S}\) will output \((\textsc {enrol}, \textsf{sid}, \textsf{ssid},\bot )\). Otherwise \(\mathcal {S}\) will output \((\textsc {enrol},\textsf{sid},\textsf{ssid},\textsf{rid})\).

Ideal world: \(\textsf{Sim}\) uses the adversary-interface of \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) by sending \((\textsc {Enrol},\) \(\textsf{sid},\textsf{ssid},\textsf{rid},\mathfrak {b})\), for a fake template \(\mathfrak {b}\). If \(\textsf{rid}\) is already enroled, \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) will output \((\textsc {enrol},\textsf{sid},\textsf{ssid},\bot )\) to \(\mathcal {S}\) and otherwise \((\textsc {enrol},\textsf{sid},\textsf{ssid},\textsf{rid})\). The outputs in both worlds are identical.

Case 2. The server is corrupted: In the real world \(\mathcal {S}\) will receive \((\textsc {sent},(\textsf{sid},\textsf{ssid}),m)\) from \(\mathcal {F}_{\text {SMT}}'\) and output it to \(\mathcal {Z}\). In the ideal world \(\textsf{Sim}\) will give \((\textsc {sent},(\textsf{sid},\textsf{ssid}),m)\) to \(\mathcal {Z}\) in the name of \(\mathcal {S}\). In both worlds \(\mathcal {Z}\) gets identical output.

• (Send \(,(\textsf{sid},\textsf{ssid}),m=({\textbf {auth}},\textsf{rid},c,\sigma ))\) to \(\mathcal {F}_{{\textbf {SMT}}}'\): A corrupted client’s auth-message:

Case 1. The server is honest: This case shows that an attacker cannot impersonate an honest client, and that even for an adaptively corrupted client it still needs a valid biometric to authenticate.

First consider the case where \(\textsf{rid}\) is not enroled, or the signature \(\sigma \) is not valid. Then in both worlds \(\mathcal {Z}\) will get \((\textsc {auth}\text {-}\textsc {fail},\textsf{sid},\textsf{ssid})\) as output from \(\mathcal {S}\).

Next, consider the case that the signature is valid and \(\textsf{rid}\) belongs to a client that has been enroled by \(\mathcal {A}\), i.e. \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) has a record \(\langle \text {enroled-adversarial}, \textsf{rid}, \cdot \rangle \) and equivalently \(\textsf{Sim}\) has an entry \((\textsf{rid},\cdot ,\cdot ,\cdot )\) in \(T_2\). In the real world, \(\mathcal {S}\) will output \((\textsc {auth},\textsf{sid},\textsf{ssid},\textsf{rid},d_\text {real})\) and in the ideal world \(\mathcal {S}\) will output \((\textsc {auth},\textsf{sid},\textsf{ssid},\textsf{rid},d_\text {ideal})\). We have \(d_\text {real}=d_\text {ideal}\), because \(\textsf{Sim}\) computes its internal variable d exactly as the real server computes its output value and then uses it to generate fake templates that make \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) output \(\textsf{out}(\mathfrak {b},\mathfrak {b}')\) to \(\mathcal {S}\). By correctness of \((\textsf{chooseFakeRef},\textsf{chooseFakeProbe})\), \(\textsf{Sim}\)’s fake template \(\mathfrak {b}'\leftarrow \textsf{chooseFakeProbe}(\mathfrak {b},d)\) satisfies \(\textsf{out}(\mathfrak {b},\mathfrak {b}')=d\).
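The correctness requirement \(\textsf{out}(\mathfrak {b},\mathfrak {b}')=d\) on \((\textsf{chooseFakeRef},\textsf{chooseFakeProbe})\) is what makes the fh-IND reduction go through, but the page does not say how the fake templates are built. The following Python is an added illustration (not the paper's code) of one way to satisfy it for the two inner-product distances of the instantiation: for Hamming distance flip exactly d bits of the fake reference; for squared Euclidean distance over integer vectors add a four-square decomposition of d to four coordinates. The template length, the brute-force decomposition and the function names are my choices.

```python
"""chooseFakeRef / chooseFakeProbe for Hamming and squared Euclidean distance.

Added illustration, not the paper's code. The simulator never sees the honest
biometrics; it only learns d from the functionality and must output a fake pair
whose FE decryption is exactly d, otherwise fh-IND-security gives no guarantee
that the simulated key/ciphertext look like the real ones.
"""
import secrets
from math import isqrt
from typing import List, Tuple

Vec = List[int]


def hamming(b: Vec, bp: Vec) -> int:
    return sum(x != y for x, y in zip(b, bp))


def sq_euclid(b: Vec, bp: Vec) -> int:
    return sum((x - y) ** 2 for x, y in zip(b, bp))


def choose_fake_ref_bits(n: int) -> Vec:
    """Any reference works, its value is hidden by function hiding; pick it at random."""
    return [secrets.randbelow(2) for _ in range(n)]


def choose_fake_probe_hamming(b_fake: Vec, d: int) -> Vec:
    """Flip exactly d positions, so hamming(b_fake, result) == d."""
    if not 0 <= d <= len(b_fake):
        raise ValueError("target distance outside [0, n]")
    return [1 - v if i < d else v for i, v in enumerate(b_fake)]


def four_squares(d: int) -> Tuple[int, int, int, int]:
    """Write d >= 0 as a^2 + b^2 + c^2 + e^2 (always possible by Lagrange's theorem).
    Brute force, adequate for the small distances a matcher returns; not a
    performance reference."""
    if d < 0:
        raise ValueError("negative distance")
    for a in range(isqrt(d), -1, -1):
        r1 = d - a * a
        for b in range(isqrt(r1), -1, -1):
            r2 = r1 - b * b
            for c in range(isqrt(r2), -1, -1):
                r3 = r2 - c * c
                e = isqrt(r3)
                if e * e == r3:
                    return a, b, c, e
    raise AssertionError("unreachable: every non-negative integer is a sum of four squares")


def choose_fake_ref_ints(n: int, bound: int = 256) -> Vec:
    """Assumed integer feature range [0, bound); any choice is fine for the simulator."""
    return [secrets.randbelow(bound) for _ in range(n)]


def choose_fake_probe_sqeuclid(b_fake: Vec, d: int) -> Vec:
    """Shift four coordinates by a four-square decomposition of d, so the squared
    Euclidean distance to b_fake is exactly d. Needs at least four coordinates."""
    if len(b_fake) < 4:
        raise ValueError("need at least four coordinates")
    delta = four_squares(d) + (0,) * (len(b_fake) - 4)
    return [v + s for v, s in zip(b_fake, delta)]


if __name__ == "__main__":
    ref = choose_fake_ref_ints(8)                      # constructed fake reference
    probe = choose_fake_probe_sqeuclid(ref, 7)
    print(ref, probe, sq_euclid(ref, probe))           # last value is 7
```

For a predicate output (accept/reject only) the task is simpler: the simulator only has to land on either side of the threshold. For an exact distance, as above, the fake probe must hit d precisely, and the encoding's value range has to admit it; a four-coordinate shift of this kind can leave the assumed feature range, which an implementation over \(\mathbb {Z}_p\) must account for when bounding decryption.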

Now consider the case where \(\textsf{rid}\) is enroled, the signature is valid and \(\textsf{Sim}\) has an entry \((\textsf{rid},\textsf{sid}, \textsf{ssid},c,\cdot ,\mathcal {C},\mathfrak {b}')\) in \(T_5\), where \(\textsf{rid}\), \(\textsf{sid}\), \(\textsf{ssid}\) and c are the same as from \(\mathcal {Z}\)’s message to \(\mathcal {F}_{\text {SMT}}'\). This implies that \(\mathcal {Z}\) has corrupted \(\mathcal {C}\) and has sent a \((\textsc {TryImpersonate}, \textsf{sid},\textsf{ssid}, \mathfrak {b}')\) instruction to \(\mathcal {A}\)/\(\textsf{Sim}\) and is now instructing \(\mathcal {A}\)/\(\textsf{Sim}\) to send the message, which \(\mathcal {Z}\) got as response to the \(\textsc {TryImpersonate}\) instruction, to \(\mathcal {S}\). Thus, in the real world \(\mathcal {S}\) will output \((\textsc {auth},\textsf{sid},\textsf{ssid},\textsf{rid},d_\text {real})\). In the ideal world \(\textsf{Sim}\) will send \((\textsc {TryImpersonate}, \textsf{sid},\textsf{ssid}, \mathcal {C}, \mathfrak {b}')\) to \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) which will then send \((\textsc {auth},\textsf{sid},\textsf{ssid},\textsf{rid},\textsf{out}(\mathfrak {b},\mathfrak {b}'))\) to \(\mathcal {S}\). Since in this case \(\mathfrak {b}\) and \(\mathfrak {b}'\) will be the same in both worlds, we have that \(d_\text {real} = \textsf{out}(\mathfrak {b},\mathfrak {b}')\), by correctness of \((\textsf{encodeRef},\) \(\textsf{encodeProbe},\textsf{out},\textsf{FE2out})\).

Finally, consider the case where none of the above applies, i.e. \(\textsf{Sim}\) reaches the else-case (in line 34), \(\textsf{rid}\) is enroled and the signature is valid. In the ideal world, \(\textsf{Sim}\) will send \((\textsc {Auth},\textsf{sid},\textsf{ssid},\bot ,\bot )\) to \(\mathcal {F}_{\text {2FA}}^\textsf{out}\), which will then give \((\textsc {auth}\text {-}\textsc {fail},\textsf{sid},\textsf{ssid})\) as output to \(\mathcal {S}\). In the real world, however, \(\mathcal {S}\) will output \((\textsc {auth},\textsf{sid},\textsf{ssid},\textsf{rid},d_\text {real})\). Thus, in this case \(\mathcal {Z}\) can distinguish between the worlds. However, this case can only occur if \(\mathcal {Z}\) forges a signature under a key of an honest client. In Lemma 2 we sketch a reduction that wins the EUF-CMA game in that case.

Case 2. The server is corrupted: Exactly as in the case of a corrupted client’s enrol-message, in both worlds the server will output \((\textsc {sent},(\textsf{sid},\textsf{ssid}),m)\).

• Instruction to \(\mathcal {A}/\textsf{Sim}\) to send (Corrupt \(,\textsf{sid})\) to (the backdoor tape of) client \(\mathcal {C}\):

Real world: \(\mathcal {A}\) will send \((\textsc {Corrupt}, \textsf{sid})\) to \(\mathcal {C}\) (on the backdoor tape). If and only if the client \(\mathcal {C}\) exists and is enroled, \(\mathcal {C}\)’s shell will answer with \((\textsc {corrupted}, \textsf{sid})\). \(\mathcal {A}\) will then forward this message to \(\mathcal {Z}\).

Ideal world: \(\textsf{Sim}\) will send \((\textsc {Corrupt}, \textsf{sid}, \mathcal {C})\) to \(\mathcal {F}_{\text {2FA}}^\textsf{out}\). \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) will answer with \((\textsc {corrupted}, \textsf{sid}, \textsf{rid})\) if and only if the client \(\mathcal {C}\) exists and is enroled. In that case \(\textsf{Sim}\) will send \((\textsc {corrupted}, \textsf{sid})\) to \(\mathcal {Z}\).

Therefore, in both worlds \(\mathcal {Z}\) will get the output \((\textsc {corrupted}, \textsf{sid})\) if and only if \(\mathcal {C}\) exists and is enroled. This is independent of whether the server is corrupted.

• Instruction to \(\mathcal {A}/\textsf{Sim}\) to send (TryImpersonate \(,\textsf{sid},\textsf{ssid}, \mathfrak {b}')\) to (the backdoor tape of) client \(\mathcal {C}\):

Case 1. The server is honest:

Real world: \(\mathcal {A}\) will send \((\textsc {TryImpersonate}, \textsf{sid},\textsf{ssid}, \mathfrak {b}')\) to \(\mathcal {C}\) (on the backdoor tape). If \(\mathcal {C}\) is corrupted, the shell will give \((\textsc {Auth},\textsf{sid},\textsf{ssid}, \mathfrak {b}')\) to the secure hardware, which will respond with \(m = (\text {auth}, \textsf{rid}, c, \sigma )\). The shell will give m to \(\mathcal {A}\) who forwards it to \(\mathcal {Z}\).

Ideal world: \(\textsf{Sim}\) will retrieve the fake keys from table \(T_4\) which will exist only if \(\mathcal {C}\) has been corrupted. Then \(\textsf{Sim}\) will encode, encrypt and sign \(\mathfrak {b}'\) as the secure hardware would have done and give \(m = (\text {auth}, \textsf{rid}, c, \sigma )\) to \(\mathcal {Z}\).

In both worlds \(\mathcal {Z}\) will get an answer if and only if \(\mathcal {C}\) has been corrupted before. In both worlds the \(\textsf{rid}\) is uniformly random, but stays the same over multiple \(\textsc {TryImpersonate}\) instructions. Furthermore, c and \(\sigma \) are generated with the same inputs and identically distributed keys which stay the same for multiple calls to \(\textsc {TryImpersonate}\). Therefore, both worlds are perfectly indistinguishable.

Case 2. The server is corrupted:

Real world: \(\mathcal {Z}\) will get the same as in the case of an uncorrupted server, namely \(m = (\text {auth}, \textsf{rid}, c, \sigma )\).

Ideal world: \(\textsf{Sim}\) will retrieve the fake keys from table \(T_4\) which will exist only if \(\mathcal {C}\) has been corrupted. Then \(\textsf{Sim}\) will send \((\textsc {TryImpersonate}, \textsf{sid},\textsf{ssid}, \mathcal {C}, \mathfrak {b}')\) to \(\mathcal {F}_{\text {2FA}}^\textsf{out}\) and get back \((\textsc {auth},\textsf{sid},\textsf{ssid},\textsf{rid},d)\) as \(\mathcal {F}_{\text {2FA}}^\textsf{out}\)’s answer to the corrupted server. \(\textsf{Sim}\) creates a fake probe template so that the distance to the earlier fake reference template is exactly d and encrypts and signs the message with the corresponding fake keys. \(\textsf{Sim}\) then gives \(m = (\text {auth}, \textsf{rid}, c, \sigma )\) to \(\mathcal {Z}\).

In both worlds \(\textsf{rid}\) is uniformly random and stays the same over multiple calls to \(\textsc {TryImpersonate}\). The encryption and signature keys are identically distributed and also stay the same for multiple calls to \(\textsc {TryImpersonate}\). The only difference is that the ciphertext c in the real world is the encryption of \(\mathfrak {b}'\), whereas in the ideal world it is the encryption of the fake probe template \(\widehat{\mathfrak {b}}'\). In Lemma 1 we show that if \(\mathcal {Z}\) can distinguish between the real and the ideal world, there is a reduction which breaks the fh-IND-security of the FE scheme.
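The step that makes Case 2 work is that \(\textsf{Sim}\) can always produce a fake probe whose distance to the fake reference is exactly the value d leaked by \(\mathcal {F}_{\text {2FA}}^\textsf{out}\). The following is an added example (not code from the paper) showing one way to realise \(\textsf{chooseFakeRef}\) and \(\textsf{chooseFakeProbe}\) for the two distance encodings the framework supports. It assumes templates are encoded as bit-strings under the Hamming metric and as small integer vectors under the squared Euclidean metric (the quantity an inner-product encoding naturally yields); the Lagrange four-square decomposition used for non-square d is this example's choice, not the paper's.

```python
"""Added example: constructing a fake probe template at exactly the leaked
distance d, as the simulator does in Case 2 (corrupted server).
Assumptions (not from the paper): Hamming templates are 0/1 lists, Euclidean
templates are integer lists and "distance" means squared Euclidean distance."""
import secrets
from math import isqrt


def hamming(u, v):
    assert len(u) == len(v)
    return sum(a != b for a, b in zip(u, v))


def squared_euclidean(u, v):
    assert len(u) == len(v)
    return sum((a - b) ** 2 for a, b in zip(u, v))


def choose_fake_ref(n, metric):
    """Fake reference template (chooseFakeRef). Its value is never shown to Z;
    only distances to it are, so any element of the template space will do."""
    if metric == "hamming":
        return [secrets.randbelow(2) for _ in range(n)]
    if metric == "euclid":
        return [secrets.randbelow(256) for _ in range(n)]
    raise ValueError("unknown metric")


def four_squares(d):
    """Write d >= 0 as a^2 + b^2 + c^2 + e^2 (always possible by Lagrange).
    Exhaustive search, fine for the template distances that occur here."""
    r = isqrt(d)
    for a in range(r, -1, -1):
        rb = isqrt(d - a * a)
        for b in range(rb, -1, -1):
            rc = isqrt(d - a * a - b * b)
            for c in range(rc, -1, -1):
                rest = d - a * a - b * b - c * c
                e = isqrt(rest)
                if e * e == rest:
                    return [a, b, c, e]
    raise AssertionError("unreachable: every non-negative integer is a sum of four squares")


def choose_fake_probe(fake_ref, d, metric):
    """chooseFakeProbe: return a probe at distance exactly d from fake_ref.
    Raises ValueError when no such probe exists in the encoding, so the
    simulator never silently emits a ciphertext decrypting to a wrong distance."""
    n = len(fake_ref)
    if metric == "hamming":
        if not 0 <= d <= n:
            raise ValueError(f"Hamming distance {d} impossible for length {n}")
        probe = list(fake_ref)
        for i in range(d):          # flip exactly d positions
            probe[i] ^= 1
        return probe
    if metric == "euclid":
        if d < 0 or n < 4:
            raise ValueError("need d >= 0 and at least four coordinates")
        probe = list(fake_ref)
        for i, off in enumerate(four_squares(d)):
            probe[i] += off         # sum of the squared offsets is exactly d
        return probe
    raise ValueError("unknown metric")


def simulate_case2(n, d, metric):
    """What Sim does on (auth, sid, ssid, rid, d): pick the fake probe and
    return (fake_ref, fake_probe, realised_distance) for inspection."""
    ref = choose_fake_ref(n, metric)
    probe = choose_fake_probe(ref, d, metric)
    dist = hamming(ref, probe) if metric == "hamming" else squared_euclidean(ref, probe)
    return ref, probe, dist


if __name__ == "__main__":
    for metric, d in (("hamming", 5), ("euclid", 23)):
        _, _, dist = simulate_case2(8, d, metric)
        print(metric, "leaked d =", d, "realised distance =", dist)
```

Note that the real probe \(\mathfrak {b}'\) chosen by \(\mathcal {Z}\) plays no role here: everything \(\mathcal {Z}\) can learn from the ciphertext via \(\textsf{sk}_\textbf{b}\) is the distance, and that is exactly what the functionality hands the simulator.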

Lemma 1

If \(\mathcal {Z}\) can distinguish between a key \(\textsf{sk}_\textbf{b}\) in the real world and the ideal world, or between a ciphertext c in the real world and the ideal world, then there is a reduction \(\mathcal {B}\) that wins the fh-IND-security experiment of the FE scheme.

Proof sketch. We use a hybrid argument over an upper bound l on the number of honest clients. Let \(H_i\) be the execution in which the first i honest clients use keys and ciphertexts as produced by the simulator, while the other clients are still executed as in the real world. In a bit more detail, in \(H_i\), for honest clients \(\{1,\dots ,i\}\), whenever an enrolment message is delivered to a corrupted server, \(\mathcal {Z}\) gets the output of the “\(\text {on } (\textsc {Enrol}, \textsf{sid},\textsf{ssid}, \textsf{rid})\) from \(\mathcal {F}_{\text {2FA}}^\textsf{out}\)”-interface of the simulator. Whenever an authentication message of one of the first i clients is delivered to a corrupted server, \(\mathcal {Z}\) gets the output of the “on \((\textsc {Auth}, \textsf{sid},\textsf{ssid}, \textsf{rid}, d)\) from \(\mathcal {F}_{\text {2FA}}^\textsf{out}\)”-interface of the simulator. For clients \(\{i+1,\dots ,l\}\), \(\mathcal {Z}\) gets the output of the real clients’ \(\textsc {Enrol}\) (resp. \(\textsc {Auth}\)) interface. So in \(H_0\) all secret keys \(\textsf{sk}_\textbf{b}\) and ciphertexts c are produced as in the real world, whereas in \(H_l\) all secret keys and ciphertexts are produced as in the ideal world. An environment that is able to tell apart the real world from the ideal world by distinguishing between the real and simulated FE keys or ciphertexts is also able to distinguish between \(H_0\) and \(H_l\). Therefore, there must exist \(i\in \{1,\dots ,l\}\) such that \(\mathcal {Z}\) can distinguish between \(H_{i-1}\) and \(H_i\). We give a reduction \(\mathcal {B}\) that wins the fh-IND-security experiment, given a distinguisher \(\mathcal {D}\) for \(H_{i-1}\) and \(H_i\):

When \(\mathcal {Z}\) calls the “\((\textsc {Enrol}, \textsf{sid},\textsf{ssid}, \mathfrak {b})\)”-interface of the i-th honest client, \(\mathcal {B}\) takes the public parameters from the fh-IND FE security experiment and asks a \(\textsf{QKeyGen}(\textbf{b}, \widehat{\textbf{b}})\) query, where \(\textbf{b}\) is the encoding of \(\mathfrak {b}\) and \(\widehat{\textbf{b}}=\textsf{encodeRef}(\textsf{chooseFakeRef}())\) is the encoding of the fake reference template. \(\mathcal {B}\) receives back the functional decryption key \(\textsf{sk}\) and gives this as part of the enrolment-message to the corrupted server and thereby to \(\mathcal {Z}\). When \(\mathcal {Z}\) calls the “\((\textsc {Auth}, \textsf{sid},\textsf{ssid}, \mathfrak {b}')\)”-interface of the i-th honest client, \(\mathcal {B}\) asks a \(\textsf{QEnc}(\textbf{b}', \widehat{\textbf{b}'})\) query, where \(\textbf{b}'\) is the encoding of \(\mathfrak {b}'\) and \(\widehat{\textbf{b}'}\) is the encoding of the fake probe template that the simulator would have chosen via \(\mathsf {chooseFakeProbe(\cdot ,\cdot )}\). \(\mathcal {B}\) receives back the ciphertext c and gives this as part of the authentication-message to the corrupted server and thereby to \(\mathcal {Z}\).

When the experiment’s bit is \(b=0\), \(\mathcal {B}\) gets the secret key and ciphertexts for the real biometric templates and thereby perfectly simulates \(H_{i-1}\). When the experiment’s bit is \(b=1\), \(\mathcal {B}\) gets the secret key and ciphertexts for the fake biometric templates chosen by the simulator and thereby perfectly simulates \(H_i\). Hence \(\mathcal {B}\), outputting whatever \(\mathcal {D}\) outputs, wins the fh-IND-security experiment with the same advantage that \(\mathcal {D}\) has in distinguishing \(H_{i-1}\) from \(H_i\).

Lemma 2

There is a reduction \(\mathcal {B}\) that wins the EUF-CMA game if the environment manages to get to the else-case in line 34 of the simulator with a valid signature \(\sigma \).

Proof sketch. The general idea is that \(\mathcal {B}\) runs the simulator’s code, but whenever the simulator would create a signature keypair, or sign a message, \(\mathcal {B}\) instead uses its challenger to get the keypair or signature.

A bit more in detail, \(\mathcal {B}\) will guess a client \(\mathcal {C}^*\). When \(\textsf{Sim}\) creates a keypair for that client (line 60 in Fig. 10), \(\mathcal {B}\) will get the public key from its EUF-CMA challenger. Whenever \(\textsf{Sim}\) would create a signature under the corresponding secret key (e.g. in line 77 in Fig. 10), \(\mathcal {B}\) asks a signing query to its challenger and uses the response as the signature that \(\textsf{Sim}\) would have created. When \(\mathcal {B}\) gets a “\((\textsc {Send}, (\textsf{sid},\textsf{ssid}), \mathcal {S}, m=(\textsf{auth}, \textsf{rid}, c, \sigma ))\)” instruction from \(\mathcal {Z}\) with a valid signature \(\sigma \) (relative to the \(\textsf{pk}\) associated with \(\textsf{rid}\)), and gets to the else-case in line 34 in Fig. 9, \(\mathcal {B}\) outputs \(((\textsf{sid},\textsf{ssid},\textsf{rid},c), \sigma )\) as forgery to its EUF-CMA challenger.

Now let us argue that this is indeed a valid forgery. First, observe that since \(\mathcal {B}\) came to the else-case, \(\textsf{rid}\) has no entry in table \(T_2\), which means that the message did not belong to an adversarially enrolled client and thereby \(\textsf{pk}\) was not chosen by \(\mathcal {Z}\), but by \(\mathcal {B}\)’s EUF-CMA challenger. Second, since \(\mathcal {B}\) came to the else-case, it also does not have a matching entry in table \(T_5\), which means it did not ask a signing query for \((\textsf{sid},\textsf{ssid},\textsf{rid},c)\) to its challenger in response to a \(\textsc {TryImpersonate}\) instruction. Therefore, \(((\textsf{sid},\textsf{ssid},\textsf{rid},c), \sigma )\) constitutes a valid forgery and \(\mathcal {B}\) wins the EUF-CMA game.
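The argument above rests on how the reduction's tables partition incoming authentication messages: \(T_2\) rules out keys chosen by \(\mathcal {Z}\), \(T_5\) rules out replays of signatures \(\mathcal {B}\) itself requested, and whatever is left with a valid signature is a forgery. The following added example (not the paper's code) models that bookkeeping. It assumes HMAC-SHA256 as a stand-in for the signature scheme, so the "public key" is only a handle and verification goes through the challenger; the method names, the `"pk-…"` handle format and the message encoding `sid|ssid|rid|c` are this example's choices.

```python
"""Added example: bookkeeping of the EUF-CMA reduction B from Lemma 2.
Assumptions (not from the paper): HMAC-SHA256 stands in for the signature
scheme; T_2 is a dict rid -> pk, T_5 a set of signed messages; a single
guessed client C* is handled, all other honest clients are ignored."""
import hashlib
import hmac
import secrets


def encode(sid, ssid, rid, c):
    """The signed message (sid, ssid, rid, c) as one byte string."""
    return b"|".join([sid, ssid, rid, c])


class EufCmaChallenger:
    """Holds the key for C*, answers signing queries, judges forgeries."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.queried = set()
        self.pk = "pk-" + secrets.token_hex(4)  # handle standing in for the public key

    def sign(self, msg):
        self.queried.add(msg)
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, msg, sigma):
        return hmac.compare_digest(hmac.new(self._key, msg, hashlib.sha256).digest(), sigma)

    def is_forgery(self, msg, sigma):
        return self.verify(msg, sigma) and msg not in self.queried

    def out_of_band_forgery(self, msg):
        """Only to exercise the forgery path below: a successful forger would
        produce this without the key; here we cheat with it on purpose."""
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Reduction:
    def __init__(self, challenger):
        self.ch = challenger
        self.T2 = {}          # rid -> pk chosen by Z (adversarial enrolment)
        self.T5 = set()       # messages signed in response to TryImpersonate
        self.rid_star = None  # rid of the guessed client C*
        self.forgery = None

    def enrol_honest_star(self, rid):
        """Sim's keypair generation for C* (line 60) replaced by the challenger's pk."""
        self.rid_star = rid
        return self.ch.pk

    def enrol_adversarial(self, rid, pk):
        self.T2[rid] = pk

    def try_impersonate(self, sid, ssid, c):
        """Sim's signature (line 77) replaced by a signing query, logged in T_5."""
        msg = encode(sid, ssid, self.rid_star, c)
        self.T5.add(msg)
        return (b"auth", self.rid_star, c, self.ch.sign(msg))

    def on_send(self, sid, ssid, m):
        """Handle (Send, (sid, ssid), S, m) from Z and classify the message."""
        _, rid, c, sigma = m
        if rid in self.T2:
            return "adversarial-enrolment"  # pk chosen by Z: never a forgery
        msg = encode(sid, ssid, rid, c)
        if msg in self.T5:
            return "replay"                 # B asked this signing query itself
        if rid != self.rid_star or not self.ch.verify(msg, sigma):
            return "reject"                 # wrong guess or invalid signature
        self.forgery = (msg, sigma)         # else-case of line 34 with valid sigma
        return "forgery"


def run_scenario():
    """Constructed scenario covering all four branches of on_send."""
    ch = EufCmaChallenger()
    red = Reduction(ch)
    red.enrol_honest_star(b"rid-star")
    red.enrol_adversarial(b"rid-adv", "pk-chosen-by-Z")
    sid, ssid = b"sid", b"ssid"
    m = red.try_impersonate(sid, ssid, b"c1")
    out = {
        "replay": red.on_send(sid, ssid, m),
        "tampered": red.on_send(sid, ssid, (b"auth", b"rid-star", b"c2", m[3])),
        "adversarial": red.on_send(sid, ssid, (b"auth", b"rid-adv", b"c1", m[3])),
    }
    forged = ch.out_of_band_forgery(encode(sid, ssid, b"rid-star", b"c9"))
    out["fresh"] = red.on_send(sid, ssid, (b"auth", b"rid-star", b"c9", forged))
    out["challenger_accepts"] = red.forgery is not None and ch.is_forgery(*red.forgery)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The "tampered" case is why the proof only needs \(T_5\) to hold the full tuple \((\textsf{sid},\textsf{ssid},\textsf{rid},c)\): a signature replayed under a different ciphertext fails verification and is rejected in both worlds, so it neither distinguishes nor counts as a forgery.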

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Ernst, J., Mitrokotsa, A. (2023). A Framework for UC Secure Privacy Preserving Biometric Authentication Using Efficient Functional Encryption. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_7

  • DOI: https://doi.org/10.1007/978-3-031-33491-7_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33490-0

  • Online ISBN: 978-3-031-33491-7
