An Efficient Entity Authentication Protocol with Enhanced Security and Privacy Properties

  • Aysajan Abidin
  • Enrique Argones Rúa
  • Bart Preneel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10052)


User authentication based on biometrics is getting an increasing attention. However, privacy concerns for biometric data have impeded the adoption of cloud-based services for biometric authentication. This paper proposes an efficient distributed two-factor authentication protocol that is privacy-preserving even in the presence of colluding internal adversaries. One of the authentication factors in our protocol is biometrics, and the other factor can be either knowledge-based or possession-based. The actors involved in our protocol are users, user/client devices with biometric sensors, service provider, and cloud for storing protected biometric templates. Contrary to the existing biometric authentication protocols that offer security only in the honest-but-curious adversarial model, our protocol provides enhanced security and privacy properties in the active (or malicious) adversarial model. Specifically, our protocol offers identity privacy, unlinkability, and user data (i.e., the biometric template data and the second factor) privacy against compromised cloud storage service, and preserves the privacy of the user data even if the cloud storage service colludes with the service provider. Moreover, our protocol only employs lightweight schemes and thus is efficient. The distributed model combined with the security and privacy properties of our protocol paves the way towards a new cloud-based business model for privacy-preserving authentication.


Biometrics Security Privacy Privacy-preserving authentication 


  1. 1.
    Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  2. 2.
    Daugman, J.: The importance of being random: statistical principles of iris recognition. Pattern Recogn. 36(2), 279–291 (2003)CrossRefGoogle Scholar
  3. 3.
    Rua, E.A., Maiorana, E., Castro, J.L.A., Campisi, P.: Biometric template protection using universal background models: an application to online signature. IEEE Trans. Inf. Forensics Secur. 7(1), 269–282 (2012)CrossRefGoogle Scholar
  4. 4.
    Rabin, M.O.: How to exchange secrets with oblivious transfer. IACR Cryptology ePrint Archive 2005, 187 (2005)Google Scholar
  5. 5.
    Yao, A.C.C.: How to generate and exchange secrets. In: 27th Annual Symposium on Foundations of Computer Science, pp. 162–167. IEEE (1986)Google Scholar
  6. 6.
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  7. 7.
    Goldwasser, S., Micali, S.: Probabilistic encryption & how to play mental poker keeping secret all partial information. In: STOC, pp. 365–377. ACM (1982)Google Scholar
  8. 8.
    Chor, B., Kushilevitz, E., Goldreich, O., Sudan, M.: Private information retrieval. J. ACM 45(6), 965–981 (1998)MathSciNetCrossRefMATHGoogle Scholar
  9. 9.
    Ostrovsky, R., Skeith III, W.E.: A survey of single-database private information retrieval: techniques and applications. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 393–411. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  10. 10.
    Bringer, J., Chabanne, H., Izabachène, M., Pointcheval, D., Tang, Q., Zimmer, S.: An application of the Goldwasser-Micali cryptosystem to biometric authentication. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 96–106. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Barbosa, M., Brouard, T., Cauchie, S., de Sousa, S.M.: Secure biometric authentication with improved accuracy. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 21–36. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Stoianov, A.: Cryptographically secure biometrics. In: SPIE 7667, Biometric Technology for Human Identification VII, pp. 76670C-1–76670C-12 (2010)Google Scholar
  13. 13.
    Simoens, K., et al.: A framework for analyzing template security and privacy in biometric authentication systems. IEEE Trans. Inf. Forensics Secur. 7(2), 833–841 (2012)CrossRefGoogle Scholar
  14. 14.
    Abidin, A., Mitrokotsa, A.: Security aspects of privacy-preserving biometric authentication based on ideal lattices and ring-lwe. In: Proceedings of the IEEE Workshop on Information Forensics and Security, pp. 1653–1658 (2014)Google Scholar
  15. 15.
    Abidin, A., Pagnin, E., Mitrokotsa, A.: Attacks on privacy-preserving biometric authentication. In: Proceedings of the 19th Nordic Conference on Secure IT Systems (NordSec 2014), pp. 293–294. Tromso, Norway (2014)Google Scholar
  16. 16.
    Pagnin, E., Dimitrakakis, C., Abidin, A., Mitrokotsa, A.: On the leakage of information in biometric authentication. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 265–280. Springer, Heidelberg (2014). doi:10.1007/978-3-319-13039-2_16 Google Scholar
  17. 17.
    Abidin, A., Matsuura, K., Mitrokotsa, A.: Security of a privacy-preserving biometric authentication protocol revisited. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 290–304. Springer, Heidelberg (2014)Google Scholar
  18. 18.
    Syta, E., Wolinsky, D., Fischer, M., Silberschatz, A., Ford, B., Gallegos-Garcıa, G.: Efficient and privacy-preserving biometric authentication. Yale University Technical Report TR1469 (2012)Google Scholar
  19. 19.
    Lee, J., Ryu, S., Yoo, K.: Fingerprint-based remote user authentication scheme using smart cards. Electron. Lett. 38(12), 554–555 (2002)CrossRefGoogle Scholar
  20. 20.
    Lin, C.H., Lai, Y.Y.: A flexible biometrics remote user authentication scheme. Comput. Stand. Interfaces 27(1), 19–23 (2004)CrossRefGoogle Scholar
  21. 21.
    Khan, M.K., Zhang, J.: Improving the security of flexible biometrics remote user authentication scheme. Comput. Stand. Interfaces 29(1), 82–85 (2007)CrossRefGoogle Scholar
  22. 22.
    Li, C.T., Hwang, M.S.: An efficient biometrics-based remote user authentication scheme using smart cards. J. Netw. Comput. Appl. 33(1), 1–5 (2010)CrossRefGoogle Scholar
  23. 23.
    Li, X., Niu, J.W., Ma, J., Wang, W.D., Liu, C.L.: Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J. Netw. Comput. Appl. 34(1), 73–79 (2011)CrossRefGoogle Scholar
  24. 24.
    Li, X., Niu, J., Khan, M.K., Liao, J.: An enhanced smart card based remote user password authentication scheme. J. Netw. Comput. Appl. 36(5), 1365–1371 (2013)CrossRefGoogle Scholar
  25. 25.
    Kaliski, B.: PKCS #5: password-based cryptography specification version 2.0. RFC 2898 (2000)Google Scholar
  26. 26.
    Kelsey, J., Schneier, B., Hall, C., Wagner, D.: Secure applications of low-entropy keys. In: Okamoto, E., Davida, G., Mambo, M. (eds.) ISW 1997. LNCS, vol. 1396, pp. 121–134. Springer, Heidelberg (1998). doi:10.1007/BFb0030415 CrossRefGoogle Scholar
  27. 27.
    Yao, F.F., Yin, Y.L.: Design and analysis of password-based key derivation functions. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 245–261. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  28. 28.
    Kushilevitz, E., Ostrovsky, R.: Replication is not needed: single database, computationally-private information retrieval. In: FOCS, pp. 364–373. IEEE Computer Society (1997)Google Scholar
  29. 29.
    Ostrovsky, R., Skeith III, W.E.: A survey of single-database private information retrieval: techniques and applications. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 393–411. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  30. 30.
    Goldberg, I.: Improving the robustness of private information retrieval. In: IEEE SP 2007, pp. 131–148. IEEE (2007)Google Scholar
  31. 31.
    Gasarch, W.: A survey on private information retrieval. Bull. EATCS 82, 72–107 (2004)MathSciNetMATHGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Aysajan Abidin
    • 1
  • Enrique Argones Rúa
    • 1
  • Bart Preneel
    • 1
  1. 1.ESAT/COSIC, KU Leuven and iMindsLeuvenBelgium

Personalised recommendations