On the realization of fuzzy identity-based identification scheme using ...

SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks (2012) Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.408

RESEARCH ARTICLE

On the realization of fuzzy identity-based identification scheme using fingerprint biometrics

Syh-Yuan Tan (1), Zhe Jin (2), Andrew Beng Jin Teoh (3,5)*, Bok-Min Goi (4) and Swee-Huay Heng (2)

(1) Faculty of Information and Communication Technology, Tunku Abdul Rahman University, Perak, Malaysia
(2) Faculty of Information Science and Technology, Multimedia University, Melaka, Malaysia
(3) School of Electrical and Electronic Engineering, Engineering College, Yonsei University, Seoul 120-749, South Korea
(4) Faculty of Engineering and Science, Tunku Abdul Rahman University, Kuala Lumpur, Malaysia
(5) Predictive Intelligence Research Cluster, Sunway University, Bandar Sunway 46150, P.J. Selangor, Malaysia

ABSTRACT

Fuzzy identity-based identification (FIBI) scheme is a recently proposed cryptographic identification protocol. The scheme utilizes user biometric traits as public keys. The authentication is deemed successful in the presence of the genuine query biometric together with the valid private key. Because of the fuzzy nature of biometrics, FIBI does not correct the errors on the query biometric with respect to the public key; instead, it tolerates the errors using Lagrange polynomial interpolation. Therefore, FIBI requires the biometric trait to be represented in a discrete (binary or integer) array that is fixed in length. In this paper, we report the first realization of the FIBI scheme by means of fingerprint biometrics using minutia representation, where our technique integrates the security features of both biometrics and cryptography effectively. The simulation shows that the entire protocol can be completed within 1 s where false acceptance rate (FAR) = 0% and false reject rate (FRR) = 0.25% in FVC2002 DB1, and FAR = 0% and FRR = 0.125% in FVC2002 DB2. Our integration technique may also be applied on other fuzzy identity-based cryptosystems. Copyright © 2012 John Wiley & Sons, Ltd.

KEYWORDS
fuzzy identity-based identification; Lagrange polynomial; biometrics; fingerprint

*Correspondence
Andrew Beng Jin Teoh, School of Electrical and Electronic Engineering, Engineering College, Yonsei University, Seoul 120-749, South Korea. E-mail: [email protected]

1. INTRODUCTION

In 1976, Diffie and Hellman [1] pioneered the idea of public key cryptography (PKC) and solved the key distribution problem in symmetric key cryptography. However, the downside of PKC is that it requires a certification authority (CA) to generate a certificate in order to guarantee the validity of a user public key. This leads to storage and key management problems for the certificates and public keys. The design of a secure and efficient cryptographic scheme without certificates has become the goal of many cryptographers.

The concept of identity-based cryptography (IBC) was introduced by Shamir [2], where the public key is the user's public identity (e.g. name, ID number, and e-mail) as depicted in Figure 1. A trusted third party, namely, the private key generator (PKG), is required to generate the private key for every user on the basis of their public key, and this rules out the need to store certificates and public keys. Because the PKG knows the private key of every user, the compromise of the PKG's master secret key is therefore more disastrous than the compromise of the signing key of a traditional CA. However, it is worth noting that IBC makes good use of the key escrow feature in some closed-group operations such as company proxies and gateways.

Figure 1. Concept of identity-based cryptography.

1.1. Identification scheme

The seminal paper on identification schemes was published by Fiat and Shamir [3]. An identification scheme guarantees one (through acquirement of affirmative evidence) of both parties the identity of a second party involved and that the second party was active during the creation of evidence [4]. In other words, an identification protocol is an interactive process that allows a prover who holds a private key to identify himself or herself to a verifier who holds the corresponding public key. At the end of the identification protocol, the verifier learns nothing more than the fact that the prover owns a valid private key. In particular, the objectives of an identification scheme are as follows [4]:

(1) If both parties Alice and Bob are honest, Bob can complete the identification protocol to accept Alice's identity as authentic.
(2) Bob cannot reuse the communication history with Alice to impersonate Alice to a third party.
(3) If somebody other than Alice is trying to impersonate Alice by performing the identification protocol with Bob, the probability for Bob to accept Alice's identity is negligible.
(4) The above points remain true even if
    (a) a polynomially large number of identification protocols of Alice and Bob have been observed;
    (b) an impersonator participated in a previous execution with either Alice or Bob, or both of them;
    (c) multiple clones of the identification protocol (possibly initiated by the impersonator) can be run in parallel.

One of the primary purposes of identification is to facilitate access control to a resource where the right of access is linked to a particular identity. Some predominant applications of electronically proving one's identity are in credit cards, ATM machines, e-voting, computer remote control, and so on [4]. Identification schemes in PKC are well established, but identification schemes without certificates are not. In order to eliminate the certificate storage problem of CA, some identity-based identification (IBI) schemes [5,6] were published, but they face the problem of identity uniqueness in practice even though the security of the schemes is provable. A new user needs to register an "identity" with the system, where troublesome procedures and documents are involved. Besides, there will be cases such as the user public key being lost or outdated. The solution for the above problems is the fuzzy identity-based identification (FIBI), which uses the user public biometric identity that can be obtained easily as the public key [7].

1.2. Related works

The marriage of identity-based cryptosystem (IBC) and biometrics technology was first introduced by Sahai and Waters in year 2005 [8] in order to solve the "identity" registration and key revocation problem in IBC. They outlined the concept of fuzzy identity-based cryptosystem (FIBC) by presenting one of the primitives of IBC, namely the fuzzy identity-based encryption (FIBE) scheme [8], as shown in Figure 2. FIBE allows a user private key corresponding to a user identity set ID (enrolled biometric identity) to decrypt a ciphertext encrypted with a user public identity set ID′ (query biometric identity), if and only if the user identity sets ID and ID′ overlap by at least a pre-defined security parameter. Some may argue that publicizing the enrolled biometric data violates user privacy, but this concern is resolvable using biometric template protection techniques such as biometric salting, non-invertible transform, key binding, and key generation [30,31].

Figure 2. Model of fuzzy identity-based encryption. PKG, private key generator.


Fuzzy identity-based cryptosystem can be viewed as an extension to IBC where the public identity in IBC is now a set of descriptive attributes. Therefore, IBC is actually a special case of FIBC where there is only one value in the public identity. FIBC was created to serve biometric identity-based encryption, which has the advantage of the uniqueness of the biometric identity. Moreover, because biometric identity is naturally linked to a human, FIBC overcomes the key revocation problem of IBC and PKC. Only a few FIBE schemes [10–12] appeared in the literature, and FIBE lost focus when attribute-based encryption (ABE) [13,14] was introduced. Sahai and Waters [8] claimed that FIBE is also an ABE, but their FIBE can only be considered as a general framework of ABE [13,14]. ABE inherits the main concept of FIBE whereby the identity set is considered as an attribute set.

On the other hand, fuzzy identity-based signature (FIBS), the second IBC primitive, has not drawn much attention, as only a few FIBS schemes [15–18] have been proposed to date. The first FIBS in the literature was proposed by Yang et al. [15] by adopting the key extraction technique of Sahai and Waters' FIBE, and the signature is generated by using the query public biometric identity ID′. The signature of FIBS can be verified successfully if and only if ID and ID′ overlap for a certain distance metric, where ID is the enrolled public biometric identity that is used by the PKG during the key extraction algorithm, as depicted in Figure 3. The most efficient FIBS scheme among all would be Wang and Kim's FIBS [17], which is claimed to be existentially unforgeable under the chosen message attack and fuzzy identity attack in the random oracle model, assuming that the discrete logarithm problem is computationally hard. On the other hand, the most flexible FIBS scheme would be the FIBS of Chen et al. [16], which is proven unforgeable in the standard model if the multi-sequence of Diffie–Hellman exponents problem is computationally hard.

As a third primitive of IBC, IBI discussed in Section 1.1 has also been fuzzified, namely FIBI (Figure 4) [7], by using a technique similar to that of FIBE and FIBS. In FIBI, a user who holds the enrolled public biometric identity ID will be verified successfully by a verifier who holds the query biometric identity ID′ if ID′ is a genuine identity and at least d elements of the user private key are confirmed to be valid, that is, |ID ∩ ID′| ≥ d. Therefore, IBI is a special case of FIBI where the public identity in IBI is a singleton. The advantage of FIBI over FIBE and FIBS is that it does not need a public directory to keep the enrolled ID because the identification process is performed in real time. The prover can send the enrolled ID from a smart card and the query ID′ from a biometric reader. To date, there is only one FIBI scheme that has appeared in the literature, and no implementation is given [7]. We summarize the similarities of these primitives in Table I.

Figure 3. Model of fuzzy identity-based signature. PKG, private key generator.

Figure 4. Model of fuzzy identity-based identification. PKG, private key generator.


Table I. Similarities of fuzzy identity-based cryptography primitives.

|                                  | FIBE              | FIBS            | FIBI                           |
|----------------------------------|-------------------|-----------------|--------------------------------|
| Setup                            | Same              | Same            | Same                           |
| Extract                          | Same              | Same            | Same                           |
| Encrypt                          | Encrypt to ID     | –               | –                              |
| Decrypt                          | Decrypt using ID′ | –               | –                              |
| Sign                             | –                 | Sign using ID′  | –                              |
| Verify                           | –                 | Verify using ID | –                              |
| Identification protocol          | –                 | –               | Prover authenticates using ID′ |
| Need public directory to store ID | Yes               | Yes             | No                             |

FIBE, fuzzy identity-based encryption; FIBS, fuzzy identity-based signature; FIBI, fuzzy identity-based identification.

1.3. Our contribution

To the best of our knowledge, this work is the first realization of FIBCs. Other FIBCs [8,10,15] can be adopted directly because they share the same nature in the user private key extraction algorithm. The realization of FIBI is not as trivial as FIBI + Biometric because FIBI demands that the biometric trait be represented in a fixed-size discrete array where the attributes are in binary or integer form. This is because FIBI uses a Lagrange polynomial to bind discrete elements in the user public biometric identity to the corresponding elements in the user private key [7]. Unfortunately, most biometric modalities represent each identity using a set of continuous attributes, that is, a continuous array.

In this paper, we implement FIBI using fingerprint biometrics as the public key. However, the number of minutiae extracted from a fingerprint image is indefinite and depends on the image quality, and the minutiae are characterized neither in integer nor in binary form. Therefore, we devise a technique that transforms the fingerprint minutiae into a fixed-length bit string using minutiae pair representation and subsequently calculates a matching score using a normalized AND operation; if the matching score is larger than a normalized threshold t, d random elements from the user private key will be chosen to construct a (d − 1)-degree random polynomial. We show that our technique integrates the security features of both biometrics and cryptography effectively, besides fitting well into FIBI in generating the random (d − 1)-degree polynomial for the user private key as well as reconstructing the correct information at the end of the identity verification process.

We organize the rest of the paper as follows. Firstly, we give an overview of the FIBI of Tan et al. and its security analysis in Section 2. Secondly, we present the modified biometric identity extraction method of Jin et al. in Section 3, followed by the simulation of FIBI in Section 4. Security analysis and discussion are given in Section 5. Finally, we draw the conclusion in Section 6.

2. OVERVIEW ON THE FIBI OF TAN ET AL.

Before going into the implementation details of FIBI, we define a few important symbols used in the scheme:

$ID \in Z^n$: enrolled biometric trait
$ID' \in Z^n$: query biometric trait
$S(b_d^e, b_d^q)$: normalized matching score of ID and ID′, where $b^e$ and $b^q$ are the enrolled bit string and the query bit string
$d$: security parameter of FIBI
$t$: pre-defined threshold that determines whether to accept or reject the attempt of verification
$q(x)$: polynomial with the input x
$H(i, X, v)$: hashing algorithm with the inputs i, X, and v
$tk_{ID}$: permutation token
$\Delta_{i,U}(x)$: Lagrange coefficient with the input x

The FIBI scheme requires a PKG that runs the Setup algorithm as follows (Figure 5):

(1) On input of a security parameter k, choose a large random prime $p > 2^k$ such that the discrete logarithm problem in the finite field $Z_p$ is hard.
(2) Choose a large prime divisor $q \ge 2^{160}$ such that $q \mid (p - 1)$.
(3) Choose a random generator $g \in Z_p$ and a random value s in $Z_q$ to compute $v = g^{-s} \bmod p$.
(4) Select a secure normalized threshold t and a desired security parameter d.
(5) Choose a collision resistant hash function H (for instance, SHA-1, SHA-256, SHA-512, etc. [19]), which will take a string and two elements in the group generated by the generator g as inputs.

The master public key mpk = (p, q, g, v, H) will be made public, whereas the master secret key msk = s will be kept secret to PKG only. When a user enrolls with the public biometric identity ID to generate the user private key upk, PKG will run the Extract algorithm as follows (Figure 5):

(1) Choose a random value $u \in Z_q$ and random coefficients $a_i$ in $Z_q$ for $1 \le i \le tint - 1$ to construct a $(d - 1)$-degree polynomial $q(x) = u + a_1 x^1 + \cdots + a_{t-1} x^{t-1} \bmod q$.
(2) Compute $X = g^u$ and calculate the hash value $a_i = H(i, X, v) \bmod q$ for every $i \in ID$.
(3) Compute $Y_i = q(i) + s a_i \bmod q$ for every $i \in ID$.

PKG returns the $upk = \{\{a_i\}, \{Y_i\}, tk_{ID}\}$ to the user.

Figure 5. Setup and Extract algorithms performed by private key generator (PKG).

During the identification process as shown in Figure 6, the user (prover) first sends a commitment to the verifier to initiate the protocol. In return, the verifier sends the challenge to the user, and with the challenge, the user generates a response for the verifier. At the end, with the user's response, the verifier will output reject or accept:

(1) User chooses random values $\{r_i\}_{i \in ID} \in Z_q$, computes $\{x_i\} = \{g^{r_i}\}_{i \in ID} \bmod p$ and $\{X_i\} = \{g^{Y_i} v^{a_i}\}_{i \in ID} = \{g^{q(i)}\}_{i \in ID} \bmod p$. User then sends $\{\{X_i\}, \{x_i\}, ID, ID', tk_{ID}\}$ to the verifier.
(2) In return, verifier chooses a random $c \in Z_q$ as the challenge and sends c to user.
(3) As a response to the challenge, user calculates $\{y_i\} = \{r_i + cY_i\}_{i \in ID} \bmod q$ and sends $\{y_i\}$ to the verifier.
(4) Once the verifier confirms that $S(b_d^e, b_d^q) \ge t$, a set $U \in ID$ with d elements is then randomly selected, and the verifier outputs 1 (accept) if $g^{y_i}$ and $x_i (X_i / v^{a_i})^c$ are equal for every $i \in U$, where $\{a_i\} = \{H(i, X, v)\}_{i \in S}$ and $X = g^u = \prod_{i \in S} X_i^{\Delta_{i,U}(0)}$, and 0 (reject) otherwise.

Figure 6. Identification Protocol of prover and verifier.


The polynomial q() in the Extract algorithm is a Lagrange polynomial that binds every $i \in ID$ to the secret value u. It protects FIBI against the collusion attack: more than one legitimate user cannot collude to generate a more privileged upk, which none of them alone could. In particular, the polynomial q() ensures that at least d out of n = |ID| elements in the upk corresponding to the biometric trait ID are valid, such that the value X can be recovered by computing $X = g^u$ where

$$u = \sum_{i=0}^{t-1} q(i)\,\Delta_{i,U}(0), \quad U \in ID, \qquad \text{and} \qquad \Delta_{i,U}(x) = \prod_{j \in U,\, j \ne i} \frac{x - j}{i - j}.$$

In the Identification Protocol, the user's secret information $\{Y_i\}$ acts as the password that proves to the verifier that the person (or to be exact, smart card) who initiates the protocol is indeed who he or she (or it) claims to be. The significant difference is that the values $\{Y_i\}$ are not revealed throughout the identification protocol; otherwise, some eavesdroppers or the verifier itself could impersonate the user. The user proves that he or she knows the values $\{Y_i\}$ by computing the values $\{y_i\}$ as the response to the verifier's challenge. This type of protocol is called the honest verifier zero-knowledge (HVZK) protocol. For details of such a protocol, the reader is referred to [20]. We also note that this HVZK protocol is different from the symmetric key cryptosystems' challenge-and-response protocol [21], which requires the user and verifier to reach consensus on a symmetric key prior to the execution of the protocol.

2.1. A toy example

We now present a toy example for FIBI. Consider the scenario where a credit card company would like to adopt FIBI as their customers' identity verification mechanism. The security administrator Bob will instruct the PKG to run the Setup algorithm of FIBI for defining the security parameters mpk and msk as well as the secure threshold t and the desired security parameter d.

To register a user Alice to the system, PKG runs the Extract algorithm, which takes fingerprint images of Alice as the input. At the end of biometric feature extraction, a bit string b is generated and the indexes of bit 1, ID, are recorded. Then, q(ID) of the (d − 1)-degree random polynomial q(x) is constructed and bound to the master secret key msk = s along with the corresponding $a_{ID}$ (see step 3 of the Extract algorithm in Section 2). For the purpose of key revocation, the PKG may concatenate the credit card expiry date to Alice's ID in the Extract algorithm, such as $a_{ID} = H(ID \| expire\_date, X, v)$. PKG will return to Alice her public key ID and $upk = \{\{a_i\}, \{Y_i\}, tk_{ID}\}$, which are stored in her cryptography-enabled credit card. Because a biometric trait is used as the public key and no further documentation is required, we can see that the credit card initialization process can be completed within minutes by a trained operator.

After receiving her credit card, Alice plans to make some purchases, and she verifies her identity on a credit card verification device, V, which comprises a fingerprint scanner and a credit card reader. Alice will give V her fingerprint reading ID′ while scanning her credit card, which contains her public key ID and upk. V will calculate Alice's biometric normalized matching score $S(b_d^e, b_d^q)$. V first checks $S(b_d^e, b_d^q) \ge t$; if this condition is not met, V rejects Alice; otherwise, it continues to verify the validity of Alice's upk through the Identification Protocol and outputs reject or accept. The detailed calculations for which V outputs accept are depicted in Table II.

Note that throughout the identity verification process, the verification device V does not need to communicate with any database or certificate authority in order to verify Alice's identity. Moreover, because of the zero-knowledge property, at the end of the protocol, V learns nothing about the secret key of Alice except the fact that she is the owner of the credit card, which is valid in the system. These advantages cannot be achieved by using IBI or a biometric authentication system alone.
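The Table II run can be replayed in Python. This is an added example, not the authors' implementation: p, q, g, s, q(x), a_i, r_i, c and U are the Table II values, v is taken as g^(-s) mod p (which reproduces the table's 660 497), the matching-score check is assumed to have passed, and the SHA-1 input encoding that `H` uses for non-table inputs is an assumption.

```python
import hashlib

# Toy parameters from Table II (far too small for real use).
P, Q, G = 1102861, 557, 273948     # p, q with q | (p - 1); g has order q mod p
S = 506                            # master secret key s (held by the PKG only)
V = pow(G, -S % Q, P)              # master public key v = g^(-s) mod p
POLY = (116, 520, 3)               # q(x) = 116 + 520x + 3x^2, u = q(0), degree d - 1 = 2
ID = (8, 15, 23, 28, 33)           # enrolled identity: indexes of bit 1
A_TABLE = dict(zip(ID, (48, 288, 21, 469, 320)))  # a_i = H(i, X, v) printed in Table II
R = dict(zip(ID, (8, 14, 435, 106, 63)))          # prover nonces r_i from Table II
C = 372                            # verifier challenge c from Table II
U = (8, 23, 28)                    # verifier's d-element subset from Table II
X_PKG = pow(G, POLY[0], P)         # X = g^u, fixed by the PKG at Extract


def H(i, X, v):
    """a_i = H(i, X, v) mod q. The paper gives no input encoding for SHA-1, so the
    Table II outputs are replayed for the table's (X, v); the fallback encoding
    used for any other input is an assumption of this example."""
    if (X, v) == (X_PKG, V) and i in A_TABLE:
        return A_TABLE[i]
    digest = hashlib.sha1(f"{i}|{X}|{v}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def q_poly(x):
    """Evaluate the PKG's secret polynomial q(x) mod q."""
    return sum(coef * pow(x, k, Q) for k, coef in enumerate(POLY)) % Q


def extract():
    """PKG Extract: Y_i = q(i) + s * a_i mod q for every i in ID."""
    return {i: (q_poly(i) + S * H(i, X_PKG, V)) % Q for i in ID}


def commit(Y):
    """Prover step 1: x_i = g^(r_i) and X_i = g^(Y_i) * v^(a_i) = g^(q(i)) mod p."""
    x = {i: pow(G, R[i], P) for i in ID}
    X = {i: pow(G, Y[i], P) * pow(V, A_TABLE[i], P) % P for i in ID}
    return X, x


def respond(Y, c):
    """Prover step 3: y_i = r_i + c * Y_i mod q."""
    return {i: (R[i] + c * Y[i]) % Q for i in ID}


def lagrange_at_zero(i, subset):
    """Delta_{i,U}(0) = prod over j in U, j != i, of (0 - j)/(i - j) mod q."""
    num = den = 1
    for j in subset:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, Q - 2, Q) % Q   # q is prime, so den^(q-2) is den^(-1)


def recover_X(X, subset):
    """Verifier: X = g^u = prod over i in U of X_i^(Delta_{i,U}(0)) mod p."""
    acc = 1
    for i in subset:
        acc = acc * pow(X[i], lagrange_at_zero(i, subset), P) % P
    return acc


def verify(X, x, y, c, subset):
    """Verifier step 4: accept iff g^(y_i) == x_i * (X_i / v^(a_i))^c for every i in U."""
    X_rec = recover_X(X, subset)
    for i in subset:
        a_i = H(i, X_rec, V)                       # recomputed from the recovered X
        base = X[i] * pow(V, -a_i % Q, P) % P      # X_i / v^(a_i) = g^(Y_i)
        if pow(G, y[i], P) != x[i] * pow(base, c, P) % P:
            return False
    return True


def run(key_offset=0):
    """Full protocol run; a non-zero key_offset models a prover without a valid upk."""
    Y = {i: (Yi + key_offset) % Q for i, Yi in extract().items()}
    X, x = commit(Y)
    return verify(X, x, respond(Y, C), C, U)


if __name__ == "__main__":
    print("genuine key:", run(), "| wrong key:", run(1))
```

Any d = 3 of the five committed X_i interpolate to the same X, which is how the scheme tolerates mismatched positions between ID and ID′ without correcting them.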

3. BIOMETRIC IDENTITY EXTRACTION METHOD

In this section, we demonstrate the biometric identity ID extraction method. Recall that this is the main challenge in implementing FIBI: how to extract a fixed-length biometric trait in which the elements are in either integer or binary form. Some well-known instances of bit string-based fingerprint template protection methods were proposed in the literature, such as [9,22,23]. Lee and Kim [9] and Ahmad et al. [22] presented an M × D feature matrix as the template, where M is the number of minutiae extracted from the fingerprint image and D represents a fixed-length bit string or real number vector generated from one minutia. Unfortunately, such a template does not meet the requirement of FIBI, as it needs a fixed-length 1 × D integer or binary vector. Besides, the method proposed by Farooq et al. [23] required exhaustive calculation of all the possible minutiae triplet invariant features, which results in high computation cost. Therefore, we adapt the template protection method proposed by Jin et al. [24], in which a binary fingerprint template is generated by using minutiae pair representation.

In general, given a set of minutiae points, $m_i = \{x_i, y_i, \theta_i\}$, where $x_i$, $y_i$, and $\theta_i \in [0, 360]$ represent the coordinates and the orientation angle of the ith minutia, respectively, a set of minutiae pairs is derived from $m_i$, and invariant features are extracted from the derived minutiae pairs. The invariant features are further processed through minutiae pair quantization and histogram binning, hashing, binarization, and permutation to produce a bit string. By incorporating the majority voting training process, a public biometric identity ID, which has a fixed length of 214 bits, is generated. A pictorial illustration of the fingerprint minutia to bit string transformation is shown in Figure 7. The detailed fingerprint bit-string extraction is described as follows.


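Table II. Toy example of fuzzy identity-based identification.

| Algorithm               | Parameter          | Value                                               |
|-------------------------|--------------------|-----------------------------------------------------|
| Setup                   | q                  | 557                                                 |
|                         | q bit length       | 10                                                  |
|                         | p                  | 1 102 861                                           |
|                         | k = p bit length   | 21                                                  |
|                         | g                  | 273 948                                             |
|                         | s                  | 506                                                 |
|                         | v                  | 660 497                                             |
|                         | H                  | SHA-1                                               |
|                         | t                  | 0.9                                                 |
|                         | d                  | 3                                                   |
| Extract                 | ID                 | {8, 15, 23, 28, 33}                                 |
|                         | ID bit string      | 00000000100000010000000100001000010                 |
|                         | u                  | 116                                                 |
|                         | X                  | 669 450                                             |
|                         | q()                | 116 + 520x + 3x^2                                   |
|                         | a_i                | {48, 288, 21, 469, 320}                             |
|                         | Y_i                | {349, 30, 338, 350, 324}                            |
| Identification protocol | X_i                | {953 382, 177 830, 1 032 349, 354 429, 824 705}     |
|                         | r_i                | {8, 14, 435, 106, 63}                               |
|                         | x_i                | {633 433, 828 074, 735 186, 404 711, 994 240}       |
|                         | c                  | 372                                                 |
|                         | y_i                | {55, 34, 289, 525, 279}                             |
|                         | ID′                | {2, 8, 14, 23, 28}                                  |
|                         | ID′ bit string     | 00100000100000100000000100001000000                 |
|                         | S(b_d^e, b_d^q)    | 0.95                                                |
|                         | U                  | {8, 23, 28}                                         |
|                         | Δ_{i,U}(0)         | {17, 49, 492}                                       |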

Figure 7. Overall flow of transforming minutiae representation into bit string.

3.1. Feature extraction from minutiae pairs

The derivation of invariant features from the minutiae pairs is inspired by the work of Parziale and Niel [25]. A single minutiae point suffers from elastic deformation from fingerprint to fingerprint. However, the change of a minutiae pair formed by two minutiae points is not evident under rigid transformation. Besides that, minutiae pairing provides a certain degree of immunity against noise due to the use of redundant combinations of two minutiae points. The four invariant features we used are as follows:

(1) The distance L between the two minutiae, where L is measured in pixel units.
(2) The angle α between the orientations of the two minutiae (angular difference between O1 and O2); the range of the angle α is (0, 2π], and O1 and O2 represent the orientations of minutiae m1 and m2, respectively.
(3) The angles β1 and β2 between the orientation of each minutia and the segment connecting them; the range of β1 and β2 is (0, π].

It is noted that β1, β2, and α are three distinct invariant measurements. β1 and β2 are the angles between a straight line along the minutia orientation and another straight line that connects the two minutiae. On the other hand, α is the angular difference between the two minutiae orientations, which ranges from 0° to 360°. Orientation records the direction of the local fingerprint ridge. Therefore, β1, β2, and α belong to different domains that are not necessarily correlated with each other. Figure 8 demonstrates the invariant features that are extracted from a minutiae pair formed by the minutiae m1 and m2.

3.2. Minutiae pair quantization

Because of the distortion that occurs during the image capture process, the invariant features are quantized to alleviate this problem. Assume that the maximum distance, L, between two minutiae points is l pixels; we quantize L into q segments with each segment containing l/q pixels for each quantization step. To represent these q segments in binary form, $\log_2(l/q)$ bits are required. Similarly, assume that the maximum angle between the orientations of two minutiae is 2π, and we set the quantization step to be p; thus $\lfloor 2\pi/p \rfloor$ bits are required to represent the angle between the orientations of the two minutiae, α. The same procedure applies to the remaining features, that is, β1 and β2.

After determining the number of bits required to represent each feature, we are in place to quantize the feature into binary form. The feature value is quantized on the basis of the index of the segment that it falls in. Each segment is labeled by a binary decimal code. If L is represented by l bits, angle α by a bits, angle β1 by b1 bits, and β2 by b2 bits, then every minutiae pair can be represented by a bit string with length $l_{mp}$ bits, where $l_{mp} = l + a + b_1 + b_2$. The bit string is then converted to its corresponding integer, such as 01111 00101 0011 0100 to 124212. The same procedure is repeated for all the minutiae pairs found in a fingerprint image. In general, $s = {}^{n}C_2 = \frac{1}{2} n(n - 1)$ possible combinations of the minutiae pairs can be generated from a fingerprint image, where n is the number of minutiae in an image.

3.3. Histogram binning and bit-string generation

Because there are $2^{l_{mp}}$ possible combinations of bits for each minutiae pair, a histogram $m_i$ is formed to count the number of minutiae pairs that fall into each of the disjoint bins in the histogram. Mathematically, the histogram binning function is given as follows:

$$s = \sum_{i=1}^{2^{l_{mp}}} m_i$$

where s is the total number of minutiae pairs for all $2^{l_{mp}}$ bins. Next, we binarize the histogram $m_i$ by retaining the count of value 1 while setting the rest of the count values to 0. This is to ensure that the fingerprint image can be represented by a set of unique minutiae pairs, that is, pairs that occur only once in the fingerprint image. The binarization rule is given as follows:

$$\forall i \in [0, 2^{l_{mp}}], \qquad b_i = \begin{cases} 0 & \text{if } m_i \ne 1 \\ 1 & \text{otherwise} \end{cases}$$

3.4. Generating user public biometric identity

We adopt a majority voting training process to obtain a binary template for a user. In the training process, seven out of eight images are selected as the training samples and the remaining one is used for testing. Besides, to avoid statistical bias, cross-validation by examining $C^8_7 = 8$ combinations is performed to determine the average false reject rate (FRR) when the false acceptance rate (FAR) equals zero (FAR = 0%). The value in every position in the user template is based on the majority count of the training data. Figure 9 shows the majority voting scheme for generating the user template. The majority voting scheme can also be described in mathematical form as follows:

$$b_d = \{\, b_{di} \mid i = 1, 2, 3, \ldots, m \,\}$$

where $b_{di} = \mathrm{majority}(b_{1,i}, b_{2,i}, \ldots, b_{k,i})$; $b_{di}$ is the trained binary template of most occurrence of bit 1s from k training binary templates.


Figure 9. Generating user template through majority voting.
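A sketch of Sections 3.1 to 3.4 as code, added here and not taken from Jin et al. [24] or the authors: ordered minutiae pairs are reduced to four invariant features, quantized, packed into one bin code, binarized by keeping bins hit exactly once, and majority-voted across training templates. The 5/5/4/4 bit widths follow the 18-bit example in Section 3.2; the value ranges, equal-width segments, degrees, and the representation of a template as a set of bit-1 indexes are assumptions.

```python
import math
from collections import Counter
from itertools import combinations

# Bit widths of L, alpha, beta1, beta2: the 5/5/4/4 split of the 18-bit example in the text.
BITS = (5, 5, 4, 4)
# Assumed feature ranges: distance in pixels, angles in degrees.
RANGES = (320.0, 360.0, 180.0, 180.0)


def pair_features(m1, m2):
    """Invariant features (L, alpha, beta1, beta2) of an ordered pair of (x, y, theta)."""
    (x1, y1, t1), (x2, y2, t2) = m1, m2
    length = math.hypot(x2 - x1, y2 - y1)
    alpha = (t2 - t1) % 360                       # difference of the two orientations
    segment = math.degrees(math.atan2(y2 - y1, x2 - x1))
    beta1 = (t1 - segment) % 180                  # orientation line vs connecting line
    beta2 = (t2 - segment) % 180
    return length, alpha, beta1, beta2


def quantize(value, upper, width):
    """Index of the equal-width segment holding value, clamped to the last segment."""
    return min(int(value / upper * (1 << width)), (1 << width) - 1)


def pack(segments):
    """Concatenate the four segment indexes into one integer bin code."""
    code = 0
    for seg, width in zip(segments, BITS):
        code = (code << width) | seg
    return code


def template(minutiae):
    """Bins hit by exactly one minutiae pair, i.e. the bit-1 positions after binarization."""
    histogram = Counter(
        pack(quantize(f, hi, w) for f, hi, w in zip(pair_features(a, b), RANGES, BITS))
        for a, b in combinations(minutiae, 2)
    )
    return {code for code, count in histogram.items() if count == 1}


def majority_vote(templates):
    """Bit i of the trained template is 1 when more than half of the k templates set it."""
    votes = Counter(code for t in templates for code in t)
    return sorted(code for code, n in votes.items() if 2 * n > len(templates))


if __name__ == "__main__":
    # Constructed minutiae (x, y, theta in degrees), not taken from FVC2002.
    sample = [(10, 20, 30), (60, 80, 100), (120, 40, 250), (200, 150, 10)]
    print(sorted(template(sample)))
```

Because only coordinate differences and orientation differences enter `pair_features`, translating the whole minutiae set leaves the template unchanged.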

However, it is undesirable to transmit the plain biometric template because of privacy concerns. Therefore, a transformed version of the binary vectors is used as the user template. The said transformation is the permutation that is based on a user-specific token (tk), which is uniquely assigned to each individual. The user-specific token guarantees that the fingerprint presented for verification is permuted in the same manner as the one enrolled for the same user and in a different manner for different users. We then store the indexes of bit 1 of the trained binary template in an array as the public biometric identity ID for FIBI.

3.5. Matching score

Assume that $b_d^e$ represents an enrolled bit string and $b_d^q$ represents a query bit string; the matching score, $S(b_d^e, b_d^q)$, can be calculated as follows:

$$S(b_d^e, b_d^q) = \frac{\sum_{i=1}^{n} \left( b_{di}^e \bullet b_{di}^q \right)}{\sqrt{\sum_{i=1}^{n} b_{di}^e \, \sum_{i=1}^{n} b_{di}^q}}$$

where • represents a bit-wise AND operator. $\sum_{i=1}^{n} ( b_{di}^e \bullet b_{di}^q )$ counts the positions in the bit string that have a bit 1 in both enrolled and query templates and sums them up. $\sum_{i=1}^{n} b_i^e$ and $\sum_{i=1}^{n} b_i^q$ denote the total number of 1's of the enrolled and query templates.

3.6. Experimental results

The well-known public database FVC2002 (DB1, DB2) [26] is used to evaluate the proposed method. This dataset

contains 100 fingers, and each finger has eight sample images. Seven out of eight images are selected as training samples, and the remaining image is used for testing, which results in eight possible combinations for training samples; that is, $C^8_7 = 8$, and the average of FRR is recorded when FAR equals zero (FAR = 0%).

Three performance measurements are used to evaluate the proposed technique, namely, FRR [27], FAR [28], and equal error rate (EER) [29]. FRR refers to the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs, which are incorrectly rejected (FRR). On the other hand, FAR is the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs, which are incorrectly accepted (FAR). FRR and FAR can be described as follows:

$$FRR = \frac{\text{number of rejected genuine users}}{\text{total number of genuine access}} \times 100\% \qquad (1)$$

Note that a genuine user is rejected if $S(b_d^e, b_d^q) < t$.

$$FAR = \frac{\text{number of accepted impostor}}{\text{total number of impostor access}} \times 100\% \qquad (2)$$

Note that an impostor is accepted if $S(b_d^e, b_d^q) \ge t$, where S and t represent the matching score and the pre-defined threshold.

Equal error rate indicates the rate at which both accept and reject rates are equal. EER provides a quick way to compare the accuracy between different biometric systems. In general, the lower the EER is, the more accurate the system is considered to be (EER).

With the increase of threshold t, FAR decreases, whereas FRR increases. Tables III and IV display the performance in terms of FRR where FAR = 0% and EER for FVC2002 DB1 and DB2. To avoid statistical bias, cross-validation by examining $C^8_7 = 8$ combinations is performed. The average FRR (when FAR = 0%) is 0.625% where the threshold t is set to 0.11 for DB1. On the other hand, the average FRR (when FAR = 0%) is 0.25% where the threshold t is set to 0.08 for DB2. Figure 10 depicts the plot of FAR and FRR against the normalized threshold when the fifth image is used for testing in FVC2002 DB1 where EER = 1.44% at t = 0.06, and FAR = 0% and FRR = 2% when t = 0.11. Similarly, Figure 11 illustrates the plot of FAR and FRR against the normalized threshold when the fifth image is used for testing in FVC2002 DB2 where EER = 0.99% when t = 0.06, and FAR = 0% and FRR = 1% when t = 0.08.

As a cryptographic protocol, FIBI requires zero risk of intrusion but might subsequently be less user-convenient. Hence, FAR should be strictly controlled to 0%, whereas FRR can be within a certain degree of inconvenience tolerance. The resulting FRRs for FVC2002 DB1 and DB2 are 0.625% and 0.25%, respectively, and they are


Table III. Performance results for cross-validation using FVC2002 DB1.

| Training images (#th) | Testing images (#th) | FRR (%) when FAR = 0% | Threshold for EER | EER (%) |
|---|---|---|---|---|
| 1, 2, 3, 4, 5, 6, 7 | 8 | 0.00 | 0.08–0.13 | 0.00 |
| 1, 2, 3, 4, 5, 6, 8 | 7 | 0.00 | 0.11–0.14 | 0.00 |
| 1, 2, 3, 4, 5, 7, 8 | 6 | 0.00 | 0.08–0.13 | 0.00 |
| 1, 2, 3, 4, 6, 7, 8 | 5 | 2.00 | 0.06 | 1.87 |
| 1, 2, 3, 5, 6, 7, 8 | 4 | 2.00 | 0.08–0.09 | 0.00 |
| 1, 2, 4, 5, 6, 7, 8 | 3 | 0.00 | 0.09–0.12 | 0.00 |
| 1, 3, 4, 5, 6, 7, 8 | 2 | 0.00 | 0.09–0.13 | 0.00 |
| 2, 3, 4, 5, 6, 7, 8 | 1 | 1.00 | 0.08–0.09 | 0.00 |
| Average | – | 0.625 | – | 0.2338 |

FRR, false reject rate; FAR, false acceptance rate; EER, equal error rate.

Table IV. Performance results for cross-validation using FVC2002 DB2.

| Training images (#th) | Testing images (#th) | FRR (%) when FAR = 0% | Threshold for EER | EER (%) |
|---|---|---|---|---|
| 1, 2, 3, 4, 5, 6, 7 | 8 | 0.00 | 0.08–0.10 | 0.00 |
| 1, 2, 3, 4, 5, 6, 8 | 7 | 0.00 | 0.08–0.14 | 0.00 |
| 1, 2, 3, 4, 5, 7, 8 | 6 | 0.00 | 0.09–0.11 | 0.00 |
| 1, 2, 3, 4, 6, 7, 8 | 5 | 1.00 | 0.08 | 0.99 |
| 1, 2, 3, 5, 6, 7, 8 | 4 | 1.00 | 0.08–0.09 | 0.00 |
| 1, 2, 4, 5, 6, 7, 8 | 3 | 0.00 | 0.08–0.12 | 0.00 |
| 1, 3, 4, 5, 6, 7, 8 | 2 | 0.00 | 0.08–0.14 | 0.00 |
| 2, 3, 4, 5, 6, 7, 8 | 1 | 0.00 | 0.09–0.12 | 0.00 |
| Average | – | 0.25 | – | 0.1238 |

FRR, false reject rate; FAR, false acceptance rate; EER, equal error rate.

acceptable. It is noted that a higher FRR implies worse user convenience and vice versa. In other words, the threshold t is directly proportional to FRR, which is inversely proportional to user convenience.

Figure 10. False reject rate (FRR) and false acceptance rate (FAR) against the normalized threshold for FVC2002 DB1. (EER = 1.44% at t = 0.06 and FAR = 0%, FRR = 2% when t = 0.11).
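Equations (1) and (2) and the FAR = 0% operating point can be computed as in the following added example, which is not code from the paper. The score lists and threshold grid are constructed sample values, and reporting EER as the mean of FAR and FRR at their closest point is an assumption of this sketch.

```python
# Constructed matching scores S(enrolled, query) in [0, 1]; not FVC2002 data.
GENUINE = [0.312, 0.274, 0.221, 0.183, 0.352, 0.124, 0.291, 0.092, 0.253, 0.401]
IMPOSTOR = [0.021, 0.052, 0.013, 0.074, 0.033, 0.105, 0.044, 0.061, 0.025, 0.083]
THRESHOLDS = [i / 100 for i in range(21)]  # normalized thresholds 0.00 .. 0.20


def rates(genuine, impostor, t):
    """Equations (1) and (2): a genuine user is rejected if S < t,
    an impostor is accepted if S >= t. Returns (FRR %, FAR %)."""
    frr = 100.0 * sum(s < t for s in genuine) / len(genuine)
    far = 100.0 * sum(s >= t for s in impostor) / len(impostor)
    return frr, far


def zero_far_point(genuine, impostor, thresholds):
    """Smallest candidate threshold with FAR = 0%, and the FRR paid for it."""
    for t in sorted(thresholds):
        frr, far = rates(genuine, impostor, t)
        if far == 0.0:
            return t, frr
    raise ValueError("no candidate threshold reaches FAR = 0%")


def eer_point(genuine, impostor, thresholds):
    """Threshold where FAR and FRR are closest; EER is taken as their mean."""
    def gap(t):
        frr, far = rates(genuine, impostor, t)
        return abs(far - frr)
    t = min(thresholds, key=gap)
    frr, far = rates(genuine, impostor, t)
    return t, (frr + far) / 2


if __name__ == "__main__":
    print("FAR = 0% operating point:", zero_far_point(GENUINE, IMPOSTOR, THRESHOLDS))
    print("EER point:", eer_point(GENUINE, IMPOSTOR, THRESHOLDS))
```

A FAR of 0% obtained this way is a statement about the impostor scores that were evaluated; it says nothing about scores outside that sample.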

4. FIBI SIMULATION AND COMPUTATION TIME

Using the public biometric identity extraction method presented in the previous section, we manage to produce a 214 bit string given a user fingerprint image as well as define the threshold t for matching score using normalized AND operation. We would like to note that the change in the value of parameter d will affect the security level of FIBI only when d is set to 1. Besides suffering from collusion attack, any user in FIBI can extract the msk from their upk when d = 1, where the Lagrange polynomial q(x) becomes a (0)-degree polynomial, which is eventually the secret value u itself such that q(x) will always output u regardless of the input x. The upk is now $Y_i = u + sH(i, X, v)$, and a user can calculate $msk = s = (Y_i - Y_j)/(H(i, X, v) - H(j, X, v))$ for any $i, j \in ID$. When d ≥ 2, collusion attack will fail because the secret value u is randomized and the only way for an adversary to extract msk is by brute force attack, which needs $2^{80(d-1)}$ for 160-bit group order q. We show in the simulation that the FIBI is efficient and the extracted public biometric identity serves the FIBI scheme perfectly.

4.1. Optimizations

After the first step of protocol, verifier can determine to continue or abort the Identification Protocol on the basis of the condition $S(b_d^e, b_d^q) \ge t$. If the condition is met, verifier can now randomly select d elements from ID to form the set S such that |S| = d and send both the set S and the challenge c to the prover. Thus, the prover and the verifier can reduce the computations in step 3 and step 4 for a factor of n − d. Note that this optimization does not affect the security because the verifier only needs to know d out of n elements of $X_i$ to reconstruct $X = \prod_{U} X_i^{\Delta_{i,U}(0)}$, and so, prover only needs to prove the partial knowledge of upk corresponding to the set S, which is the partial elements of public biometric identity.

Furthermore, some pre-calculations can be performed for the last step of identification protocol. Firstly, the PKG can compute for verifier the value $v^{-1}$ during the setup phase to avoid expensive inverses computation of $v^{a_i}$ for 1 ≤ i ≤ d. The value $v^{-1}$ can be used in the last step of every Identification Protocol such that $X_i / v^{a_i} = X_i (v^{-1})^{a_i}$. Secondly, the verifier can compute the Lagrange coefficient on the point 0, which is the value $\Delta_{i,U}(0)$, immediately after determining the set U in step 2 instead of doing so after receiving the response in step 3.

4.2. Results

With the use of J2SE 6 and NetBeans as the IDE, the FIBI is implemented on Intel Core i5 750 2.67 GHz, 2-GB RAM with Windows XP Professional Service Pack 3. Fingerprint images from 10 fingers are randomly selected from the FVC2002 DB1 and FVC2002 DB2, respectively. The same combination of fingerprint images as in Tables III and IV are used where seven fingerprint images of each finger are used to generate the enroll public biometric identity, ID for PKG, whereas the remaining one fingerprint image is used as the query public biometric identity, ID′ in Identification Protocol. During the execution, we randomly select enroll $ID_i$ for the Extract algorithm and the corresponding query $ID_i'$ for the Identification Protocol where $t_{DB1} = 2$ and $t_{DB2} = 6$ for respective databases, and 1 ≤ i ≤ 8. We randomly select the security parameter 2 ≤ d ≤ 10 to construct a (d − 1)-degree random polynomial each time Setup is repeated. We set the prime q to 160 bits in length and the prime p to 1024 bits in length with SHA-1 as the hashing algorithm. The FIBI is executed for 1000 rounds where the algorithms Setup, Extract, and Identification Protocol are executed sequentially. The average timing is calculated in nanoseconds as shown in Table V.

Figure 11. False reject rate (FRR) and false acceptance rate (FAR) against the normalized threshold for FVC2002 DB2. (EER = 0.99% at t = 0.06 and FAR = 0%, FRR = 1% when t = 0.08).

5. SECURITY ISSUES

The goal of an adversary on an IBI scheme is impersonation. An adversary is considered successful if it interacts with the verifier as a cheating prover using public identity and is able to be accepted by the verifier with non-negligible probability. Three types of attacks are considered on the honest, private key equipped prover [5,6]:

• Passive attack—the adversary can eavesdrop, and he or she is in possession of transcripts of conversations between the provers and the verifiers.
• Active attack—the adversary first plays the role of a cheating verifier, interacting with the provers several times before the impersonation.
• Concurrent attacks—the adversary first plays the role of a cheating verifier, interacting with the provers several times concurrently before the impersonation.

Tan et al. proved that FIBI is secure against impersonation under passive attack as well as active and concurrent attacks in the random oracle model, but they did not mention the potential security issues from biometrics perspective. Besides taking into account the attacks of its ancestor, FIBI needs to further consider the false acceptance attack of biometrics, which falls under the active attack and concurrent attacks categories. We hereby define the two types of false acceptance attack:

(1) Outsider attack—the adversary is not a registered user in the system, but he or she manages to present two biometric identities ID and ID′ to the verifier such that $S(b_d^e, b_d^q) \ge t$, where ID and ID′ are the biometric identities of an existing user in the system.
(2) Insider attack—the adversary is a registered user in the system, and he or she manages to present a query biometric identity ID′ to the verifier such that $S(b_d^e, b_d^q) \ge t$, where ID is the enrolled biometric identity of the adversary, whereas ID′ is the biometric identity of an existing user in the system who is not the adversary himself.

The outsider attack is harmless to FIBI because the adversary is not a registered user, and thus, he or she does not possess a valid user private key to run a successful identification protocol with the verifier. The insider attack on the other hand allows a user A who has a valid user private key to impersonate another user B. To overcome this problem, we must set the threshold t of the biometric identity extraction method to the point where the FAR is equal to 0% as presented in Section 3.6.

Table V. Average timing of 1000 rounds fuzzy identity-based identification.

| Algorithm | Time (ms), FVC2002 DB1 | Time (ms), FVC2002 DB2 |
|---|---|---|
| Setup | 6.236 | 6.275 |
| Minutiae to bit string | 143.200 | 223.400 |
| Extract | 21.195 | 15.340 |
| Identification protocol | 1089.690 | 536.738 |
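The d = 1 weakness noted in Section 4 can be checked numerically. This is an added example, not the authors' implementation: it assumes the general key component has the form Y_i = q(i) + sH(i, X, v) mod q, uses a 127-bit prime in place of the 160-bit q, and all function names and values are constructed.

```python
import hashlib

Q = 2**127 - 1  # prime modulus standing in for the paper's 160-bit group order q


def H(i, X=b"X", v=b"v"):
    """Stand-in for H(i, X, v): SHA-1 of the inputs, reduced into Z_Q."""
    data = str(i).encode() + b"|" + X + b"|" + v
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % Q


def extract_upk(s, coeffs, ids):
    """Y_i = q(i) + s*H(i, X, v) mod Q, where q has the d coefficients in
    coeffs and q(0) = coeffs[0] = u. For d = 1 this is Y_i = u + s*H(i, X, v)."""
    def q(x):
        return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q
    return {i: (q(i) + s * H(i)) % Q for i in ids}


def solve_for_s(upk, i, j):
    """The text's computation: s = (Y_i - Y_j) / (H(i, X, v) - H(j, X, v))."""
    denom_inv = pow((H(i) - H(j)) % Q, -1, Q)
    return (upk[i] - upk[j]) * denom_inv % Q


def check_degree_parameter(d):
    """Guard for Setup: refuse the degenerate d = 1 configuration."""
    if d < 2:
        raise ValueError("d must be >= 2; with d = 1 every upk reveals msk")
    return d


# Constructed values for the demonstration.
MSK = 0x1234567890ABCDEF
IDS = [1, 2, 3, 4]
UPK_D1 = extract_upk(MSK, [42], IDS)        # d = 1: q(x) = u
UPK_D3 = extract_upk(MSK, [42, 5, 7], IDS)  # d = 3: q(x) = 42 + 5x + 7x^2

if __name__ == "__main__":
    print("d = 1 recovers msk:", solve_for_s(UPK_D1, 1, 2) == MSK)
    print("d = 3 recovers msk:", solve_for_s(UPK_D3, 1, 2) == MSK)
```

With d = 3 the difference Y_i − Y_j still contains q(i) − q(j), so the same division no longer isolates s.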
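The reconstruction relied on in Section 4.1, X = ∏ X_i^{Δ_{i,U}(0)} over any d of the n elements, together with the two pre-calculations, is shown below as an added example (not the authors' Java code). It assumes X_i = g^{q(i)} in a small constructed group; the names and values are hypothetical.

```python
P, Q, G = 2039, 1019, 4  # toy group (constructed): P = 2Q + 1, G has order Q


def lagrange_at_zero(i, U):
    """Delta_{i,U}(0) = product over j in U, j != i, of (0 - j)/(i - j), mod Q."""
    num = den = 1
    for j in U:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct(X, U):
    """X = prod_{i in U} X_i^{Delta_{i,U}(0)} mod P. The coefficients depend
    only on U, so they can be computed as soon as U is chosen."""
    coeffs = {i: lagrange_at_zero(i, U) for i in U}
    result = 1
    for i in U:
        result = result * pow(X[i], coeffs[i], P) % P
    return result


def divide_by_power(x_i, v_inv, a_i):
    """X_i / v^{a_i} computed as X_i * (v^{-1})^{a_i}: one stored inverse
    replaces a modular inversion per element."""
    return x_i * pow(v_inv, a_i, P) % P


# Constructed instance: d = 3, q(x) = 77 + 5x + 9x^2 over Z_Q, n = 8 elements.
COEFFS = [77, 5, 9]


def q_poly(x):
    return sum(c * x**k for k, c in enumerate(COEFFS)) % Q


X_ELEMS = {i: pow(G, q_poly(i), P) for i in range(1, 9)}
TARGET = pow(G, COEFFS[0], P)  # g^{q(0)}

if __name__ == "__main__":
    print("any 3 of 8 elements:", reconstruct(X_ELEMS, [2, 5, 8]) == TARGET)
    print("only 2 elements:    ", reconstruct(X_ELEMS, [1, 2]) == TARGET)
```

Any subset of size d = 3 yields the same value, while a subset of size 2 interpolates a different exponent and fails.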


6. CONCLUSION

We reported the first implementation of FIBI scheme. A public biometric identity in the scheme is realized by transforming the fingerprint minutiae set into a fixed-length binary string. We showed that the identification protocol can be completed within 1 s with an optimization mechanism. By and large, other FIBCs such as [8,10,15] can be adopted directly because they share the same mechanism in the private key extraction. Our future work is to construct a generalized FIBI, which diminishes the demand on the public biometric identity extraction method.


REFERENCES

1. Diffie W, Hellman ME. New directions in cryptography. IEEE Transactions on Information Theory 1976; 22(6): 644–654.
2. Shamir A. Identity-based cryptosystems and signature schemes. In Proceedings of the CRYPTO 1984, Vol. 0196, California, Springer-Verlag: New York. 1984; 47–53.
3. Fiat A, Shamir A. How to prove yourself: practical solutions to identification and signature problems. In Proceedings of the CRYPTO 1986, Vol. 263, California, Springer-Verlag: London, UK. 1986; 186–194.
4. Menezes AJ, Okamoto T, Vanstone SA. Handbook of Applied Cryptography. CRC Press: New York, 1997.
5. Kurosawa K, Heng S-H. From digital signature to ID-based identification/signature. In Proceedings of the PKC 2004, Vol. 2947, Singapore, Springer: Berlin / Heidelberg. March 2004; 248–261.
6. Bellare M, Namprempre C, Neven G. Security proofs for identity-based identification and signature schemes. In Proceedings of the EUROCRYPT 2004, Vol. 3027, Interlaken, Switzerland, Springer-Verlag: New York. May 2004; 268–286.
7. Tan S-Y, Heng S-H, Goi B-M, Moon SJ. Fuzzy identity-based identification scheme. In Proceedings of UNESST 2009, Vol. 62, Korea, Springer: Berlin / Heidelberg. December 2009; 123–130.
8. Sahai A, Waters B. Fuzzy identity-based encryption. In Proceedings of the EUROCRYPT 2005, Vol. 3494, Aarhus, Springer: Berlin / Heidelberg. May 2005; 457–473.
9. Lee C, Kim J. Cancelable fingerprint templates using minutiae-based bit strings. Journal of Network and Computer Applications 2010; 33(3): 236–246.
10. Baek J, Susilo W, Zhou J. New constructions of fuzzy identity-based encryption. In Proceedings of the CCS 2007, Alexandria, USA, ACM: New York. October 2007; 368–370.
11. Ren Y, Gu D, Wang S, Zhang X. New fuzzy identity-based encryption in the standard model. Informatica 2010; 21(3): 393–407.
12. Shi W, Jang I, Hyeong SY. An improved fuzzy identity-based encryption scheme with constant size ciphertext. International Journal of Digital Content Technology and its Applications July 2010; 4(4).
13. Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. Proceedings of the CCS 2006, ACM New York: Alexandria, USA, October 2006; 89–98.
14. Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption. Proceedings of the 2007 IEEE Symposium on Security and Privacy, IEEE computer society: Oakland, CA, May 2007.
15. Yang P, Cao Z, Dong X. Fuzzy identity based signature. (IACR ePrint Archive 2008. Available from http://eprint.iacr.org/2008/002.pdf).
16. Chen W, Zhu L, Cao X, Geng Y. A novel fuzzy identity-based signature with dynamic threshold. In Proceedings of NSS IEEE computer society Gold Coast, Australia, October 2009; 192–198.
17. Wang CJ, Kim JH. Two constructions of fuzzy identity based signature. In Proceedings of BEI 09, IEEE: Tianjian, China, October 2009; 1–5.
18. Wang CJ, Chen W, Liu Y. A fuzzy identity based signature scheme. In Proceedings of EBISS 09, IEEE: Wuhan, China, 2009; 1–5.
19. National Institute of Standards. Secure Hash Standard. (Available from http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf).
20. Goldreich O. Foundation of Cryptography: Volume 1, Basic Tools, 1st ed., New York: Cambridge University Press, 2007.
21. Xi K, Ahmad T, Han F, Hu J. A fingerprint based biocryptographic security protocol designed for client/server authentication in mobile computing environment. Special Issue on Biometric Security for Mobile Computing. Journal of Security and Communication Networks, John Wiley 2010. DOI: 10.1002/sec.225
22. Ahmad T, Hu J, Wang S. Pair-polar coordinate based cancellable fingerprint templates. Pattern Recognition, Elsevier 2011. DOI: 10.1016/j.patcog.2011.03.015
23. Farooq F, Bolle RM, Jea TY, Ratha NK. Anonymous and revocable fingerprint recognition. Proceeding of the International Conference on Computer Vision and Pattern Recognition, IEEE computer society, Minneapolis: Minnesota, USA. 2007; 1–7.
24. Jin Z, Teoh ABJ, Ong TS, Tee C. A revocable fingerprint template for security and privacy preserving. KSII Transaction on Internet and Information System 2010; 4(6): 1327–1342.
25. Parziale G, Niel A. A fingerprint matching using minutiae triangulation. In Proceedings of CBA, Springer Berlin / Heidelberg: Hong Kong, July 2004; 241–248.
26. FVC 2002. Second International Fingerprint Verification Competition. http://bias.csr.unibo.it/fvc2002/, 2002.
27. FRR. In Wikipedia, the Free Encyclopedia. Retrieved August 28, 2010, from http://en.wikipedia.org/wiki/Biometrics#cite_note-2
28. FAR. In Wikipedia, the Free Encyclopedia. Retrieved August 28, 2010, from http://en.wikipedia.org/wiki/Biometrics#cite_note-2
29. EER. In Wikipedia, the Free Encyclopedia. Retrieved August 28, 2010, from http://en.wikipedia.org/wiki/Biometrics#cite_note-2
30. Jain A, Nandakumar K, Nagar A. Biometric template security. EURASIP Journal on Advances in Signal Processing 2008; 2008: 1–17.
31. Teoh ABJ, Goh A, Ngo DCL. Random multispace quantization as an analytic mechanism for BioHashing of biometric and random identity inputs. IEEE Transactions on PAMI December 2006; 28(12): 1892–1901.
