A FRESH LOOK INTO THE BIOMETRIC AUTHENTICATION

Perspective from Shannon’s Secrecy System and a Special Wiretap Channel

Yanling Chen

and A. J. Han Vinck

Department of Telematics, Norwegian University of Science and Technology, O.S.Bragstads plass 2A, Trondheim, Norway

Institute for Experimental Mathematics, University of Duisburg-Essen, Ellernstr. 29, Essen, Germany

Keywords:

Biometrics, Authentication, Error-correcting codes, Information theory.

Abstract:

In this paper, we ﬁrst look at the biometric authentication scheme as an extension of Shannon’s secrecy system

with an error-prone key, and derive the necessary condition for the perfect secrecy. Furthermore, we show

that the Juels-Wattenberg scheme is optimal by fulﬁlling such a condition once the biometric key and its

error pattern satisfy certain statistical distributions; otherwise, it is possible to improve its performance by

coding on basis of the biometric. We further conﬁrm this proposition by reformulating the Juels-Wattenberg

scheme with a smart encoder to a speciﬁc model of wiretap channel with side information, where the side

information is the enrolled biometric template and assumed to be known at the encoder. The idea of the smart

encoder is inspired by the fact that the authorities are collecting the biometric information from people since

years, and this knowledge could in turn be used to better design the biometric systems for people’s good.

From an information theoretic perspective, we explore the secrecy capacity of this speciﬁc wiretap channel

and demonstrate that the knowledge of the enrolled biometric template at the smart encoder does provide an

advantage so as to enhance the performance of the biometric authentication scheme.

1 INTRODUCTION

Traditional user authentication systems are mostly

based on something one knows but one may forget

(e.g.: a password), or something one has but one may

lose (e.g.: a passport), whilst the new biometric sys-

tems are based on people’s biometric characteristics

which represent who one really is. Thus the new sys-

tems overcome the disadvantages of the traditional

ones and provide an attractive solution to do user au-

thentication in a fast, easy and convenient manner.

The biometric characteristics can be physiological

(such as ﬁngerprint, DNA, iris or face), or behavioral

(such as typing rhythm, gait and voice). All of them

are (or rather should be) unique, not duplicable or

transferable. So it is important that no biometric im-

age or template is stored. What is stored is so-called

“encrypted biometric template”. To do this, one can

bind a random key to a biometric such that neither the

random key nor the biometric can be retrieved from

the stored data. We note that in practice, the bio-

metric representations of a person vary dramatically

depending on the acquisition method, acquisition en-

vironment and user’s interaction with the acquisition

device. Thus it arises the challenge how to tolerate

the fuzziness of biometric readings and ensure the ex-

actitude at the same time so as to fulﬁll the system

requirements.

Among the emerging biometric authentication

systems, fuzzy commitment (Juels and Wattenberg,

1999) and fuzzy vault (Juels and Sudan, 2006) are

two of the most representative. In particular, ac-

cording to a thorough study presented in (Cavoukian

and Stoianov, 2009), the fuzzy commitment scheme,

whose main spirit is to employ error correcting codes

(J.MacWilliams and Sloane, 1977) to tackle the fuzzi-

ness problem of biometric templates, is conceptually

the simplest, but also one of the best for the biomet-

rics where the proper alignment of images is possi-

ble. Whilst when the biometric data is unordered

or with arbitrary dimensionality (such as ﬁngerprint

minutiae), it is more suitable to apply the fuzzy vault

scheme. As observed by (Y. Dodis and Smith, 2008),

the fuzzy commitment scheme and the fuzzy vault

scheme are essentially secure sketches in Hamming

metric space and set difference metric space, respec-

tively. In (Y. Dodis and Smith, 2008), the authors also

introduced a scheme based on the constant-weight

code and permutations. Balakirsky et al. in (V. B. Bal-

akirsky and Vinck, 2009) reviewed this permutation

block coding scheme and pointed out that most of the

permutations could be “bad” in the manner that a ran-

168

Chen Y. and J. Han Vinck A..

A FRESH LOOK INTO THE BIOMETRIC AUTHENTICATION - Perspective from Shannon’s Secrecy System and a Special Wiretap Channel.

DOI: 10.5220/0003519001680177

In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2011), pages 168-177

ISBN: 978-989-8425-71-3

 2011 SCITEPRESS (Science and Technology Publications, Lda.)

dom choice of permutations may result in a poor per-

formance in secrecy. They further demonstrated that

proper assignment of the permutations on the basis of

the biometric and the employed constant-weight code

could signiﬁcantly reduces the probability of a suc-

cessful attack.

In this paper, we take a fresh look into biometric

authentication from an information-theoretic perspec-

tive. As a general model, we reconsider the biometric

authentication as an extension of Shannon’s secrecy

system. Similarly to the results for Shannon’s secrecy

system, we derive a necessary condition for obtaining

perfect secrecy, which do not depend on any speciﬁc

metric spaces. More speciﬁcally, we put our focus on

the fuzzy commitment scheme, i.e., Juels-Wattenberg

scheme as referred in the rest of the paper, as the

Hamming distance is perhaps the most natural met-

ric to consider. We show that the Juels-Wattenberg

scheme can be optimal in transmission/storage efﬁ-

ciency under some idealized settings.

Going one step further, we notice that since years

the authorities have been collecting the biometric in-

formation from people. For instance, in most coun-

tries to apply for a visa, a digital photograph needs

to be submitted; and when one enters the border of

a country, she/he might be required to have her/his

ﬁngerprint scanned. So we could assume that there

is a smart encoder which learns the enrolled biomet-

ric templates, and in turn may use this knowledge to

improve the performance of the current biometric au-

thentication scheme. Inspired by this observation and

previous work, we investigate the Juels-Wattenberg

scheme with a smart encoder which learns the en-

rolled biometric template. By remodeling it to a spe-

ciﬁc model of wiretap channel, we establish insights

into limitations and possible improvement on the cur-

rent biometric system.

There are two kinds of errors that biometric sys-

tems do: false rejection occurs when a legitimate user

is rejected and false acceptance occurs when an im-

poster is accepted as a legitimate user. So the perfor-

mance of the system is often illustrated by the false

rejection rate (FRR) and false accept rate (FAR). The

less are both rates, the better is the system perfor-

mance. In the reformulated systems present in this pa-

per, we use the terminologies average probability of

error at the legitimate user and the information leak-

age rate to the eavesdropper to evaluate the accuracy

and privacy performance. The former concept is by

deﬁnition the FRR; whilst the latter, as its name sug-

gests, characterizes the amount of information leak to

a third party. If the best an attacker can do is to try to

obtain the biometric template/key from the database

of the “encrypted biometric templates”, then due to

Fano’s inequality it can be shown that the FAR is up-

per bounded by the information leakage rate. One can

refer to the Appendix for a detailed proof of this.

In this paper, we use b to denote the master bio-

metric template, which is mostly generated from mul-

tiple biometric samples from the user at the enroll-

ment phase; b

′

denotes the biometric template ob-

tained at the time of authentication; while e repre-

sents the difference of the biometric readings of the

same user at two different phases. For simplicity, the

analysis of this paper is based on the following as-

sumptions.

• information is represented and transmitted in bits.

• biometric characteristics contain enough random-

ness which can be extracted to guarantee the sys-

tem performance in terms of accuracy and se-

crecy.

• variation in the biometric readings e is indepen-

dent of the master biometric template b.

Throughout this paper, between two binary se-

quences, the bitwise addition is carried out modulo

2. Besides, when the dimension of a sequence is clear

from the context or to be deﬁned, we denote the se-

quences in boldface letters for simplicity. A simi-

lar convention applies to random variables, which are

denoted by upper-case letters. For the readers’ con-

venience, we also provide a list of notations in Ap-

pendix.

The rest of the paper is organized as follows: in

Section 2, we brieﬂy review the Juels-Wattenberg

scheme. In Section 3, we look into the biomet-

ric authentication scheme from the perspective of an

extension of Shannon’s secrecy system. In Section

4, we reformulate the Juels-Wattenberg scheme with

a smart encoder to a speciﬁc wiretap channel with

side information. We demonstrate how the knowl-

edge of the enrolled biometrics can be employed

to improve the performance of the Juels-Wattenberg

scheme through both theoretical results and numeri-

cal examples. Finally we conclude in Section 5.

2 JUELS-WATTENBERG

SCHEME

The Juels-Wattenberg scheme (Juels and Wattenberg,

1999) is described as follows:

At enrollment,

• choose a random vector s and accordingly con-

struct a codeword c by a prespeciﬁed error cor-

recting code.

A FRESH LOOK INTO THE BIOMETRIC AUTHENTICATION - Perspective from Shannon's Secrecy System and a

Special Wiretap Channel

169

• calculate and store Hash(s) and r = c+ b. Here

Hash(·) is a cryptographic hash function.

At the authentication phase,

• input b

′

and calculate c

′

= b

′

+r= b

′

+b+c=

c+ e. Here e = b

′

+ b.

• decode

c and recover

s. Correct decoding deliv-

ers

s = s.

• compare Hash(

s) with Hash(s). Accept if they

are equal and reject otherwise.

3 PERSPECTIVE OF SHANNON’S

SECRECY SYSTEM

In this section, we ﬁrst brieﬂy review Shannon’s se-

crecy system (Shannon, 1949). Then we take the bio-

metric authentication scheme as an extension of Shan-

non’s secrecy system, addressing its performance

limit in terms of efﬁciency at perfect secrecy.

Encoder

Decoder

Eavesdropper

Figure 1: Shannon’s secrecy system.

The model of Shannon’s secrecy system (Shan-

non, 1949) is illustrated in Fig. 1. A sender (Alice)

wants to communicate a message s to a receiver (Bob)

over a public channel in the presence of an eavesdrop-

per (Eve) who observes the channel output. Alice and

Bob share a key k, which is unknown to Eve. So to

each message s and key k, the encoder assigns a ci-

phertext x, and to each ciphertext x and k, the decoder

assigns

s as a decoded message corresponding to s.

Suppose that a (2

,n) secrecy code is used to en-

code s into x, where 2

is the number of the messages

s and n is the length of the sequence x. Clearly R is

the transmission rate from the sender to the receiver.

Further we denote the information leakage rate asso-

ciated with the (2

,n) secrecy code to be

(n)

I(S;X); (1)

and the average probability of error to be

(n)

= Pr{S 6=

S}. (2)

Here I(·) is the mutual information function, which

measures the amount of information shared by two

variables. For its deﬁnition, one can refer to (Cover

and Thomas, 2005).

The communication system shown in Fig. 1 is said

to have perfect secrecy if

• P

(n)

= 0, i.e., the message is decoded correctly,

and

• R

(n)

= 0, i.e., the information leakage I(S;X) =

0, the ciphertext reveals no information about the

message.

By Shannon’s perfect secrecy theorem (Shannon,

1949), the necessary condition for perfect secrecy

is H(K) ≥ H(S). Here H(·) is the entropy function

(Cover and Thomas, 2005), which measures the un-

certainty associated with a random variable.

3.1 An Extension of Shannon’s Secrecy

System

Now let us take a fresh look at the biometric authen-

tication scheme from the point of view of Shannon’s

secrecy system. Alice and Bob can be considered as

the same user at the enrollment phase and the authen-

tication phase. The user uses his/her biometric prop-

erty as a key. In Shannon’s secrecy system model, the

key used at the encoder and the decoder is the same.

However, in the biometrics authentication scheme, the

biometric key varies slightly in each reading: b at en-

rollment whilst b

′

at the authentication phase. There-

fore, we could formulate the biometric authentication

scheme as an extension of Shannon’s secrecy system,

as shown in Fig. 2. Similarly to Shannon’s perfect se-

crecy theorem, we have the following theorem for the

Shannon’s secrecy system with an error-prone key.

Encoder

Decoder

Eavesdropper

B B

′

B ≈ B

′

Figure 2: An extension of Shannon’s secrecy system.

Theorem 3.1. Consider the extension of Shannon’s

secrecy system as shown in Fig. 2. The necessary

condition for perfect secrecy is H(S) ≤ I(B;B

′

Proof. The proof uses deﬁnitions of entropy, mutual

information as well as their properties such as chain

rule, data-processing inequality and so on (Cover and

Thomas, 2005). We consider

SECRYPT 2011 - International Conference on Security and Cryptography

170

H(S)

(a)

= H(S|X)

= H(S,B

′

|X) − H(B

′

|S,X)

(b)

= H(B

′

|X) − H(B

′

|S,X)

(c)

≤ H(B

′

|X) − H(B

′

|S,B)

(d)

≤ H(B

′

|X) − H(B

′

|B)

≤ H(B

′

) − H(B

′

|B)

= I(B;B

′

where (a) follows by deﬁnitions of entropy and mu-

tual information: H(S) = H(S|X) + I(S;X); and by

the secrecy constraint I(S;X) = 0; (b) follows that

by chain rule of entropy: H(S,B

′

|X) = H(B

′

|X) +

H(S|X, B

′

); further by data-processing inequality:

H(S|X, B

′

) ≤ H(S|

S), since S → (X, B

′

) →

S forms

a Markov chain; and by deﬁnition of entropy and

the communication constraint Pr{S 6=

S} = 0, we

have H(S|

S) = 0; (c) follows that H(B

′

|S,X) ≥

H(B

′

|S,X, B) = H(B

′

|S,B) since B

′

→ (S,B) → X

forms a Markov chain; and (d) follows the fact that

given B, B

′

is independent of S.

As one can see in next subsection, the equality in

Theorem 3.1 can be achieved under some idealized

settings. In fact, the achievabilityis largely depending

on the statistical behavior of the error pattern e.

We also note that the results we have obtained in

this subsection are general, do not depend on any par-

ticular metric space. However, from next subsection

on, our discussion will be mainly in Hamming metric

space. Special focus will be on the Juels-Wattenberg

scheme and its variants.

3.2 Juels-Wattenberg Scheme can be

Optimal

Let k be the length of sequence s; n be the length of

sequences b,b

′

(thus e) and x. Recall that e = b+ b

′

represents the difference of the two readings of the

same biometric property at two different phases. It

is reasonable to assume that there exists t, such that

hw(e) ≤ t always holds, where hw(·) is the Ham-

ming weight function, representing the number of the

non-zero bits in a sequence. Under this assumption,

we can use an error correcting code to tackle the

fuzziness problem of the biometric key as the Juels-

Wattenberg scheme does.

Suppose that there exists an (n,k,d) linear code

C of length n, dimension k and minimum distance d,

where d = 2t + 1. For any k-bit secret s, ﬁrst we en-

code it into an n-bit sequence c, where c ∈ C. Then

take x = c+ b.

To recover the secret s from the ciphertext x, we

simply add b

′

. Thus we have c

′

= x+ b

′

= c+ e. Due

to the fact that hw(e) ≤ t and c ∈ C, s will be correctly

decoded. Thus we have P

(n)

= 0.

If the key B is uniformly distributed over C, it

can be readily checked that X is also uniformly dis-

tributed over C and Pr{s} = Pr{s|x}. Thus S and X

are independent and we have H(S|X) = H(S) = k,

i.e., R

(n)

= 0.

Furthermore, if the error sequence E is uniformly

distributed among the sequences, which are of length

n, have Hamming weight ≤ t and are in total M =

∑

i=0





of them, then it is easy to check that B

′

= B+

E has a uniform distributions among M · 2

different

n-bit sequences. Straightforwardly we have

I(B;B

′

) = H(B

′

) − H(B

′

|B)

= H(B

′

) − H(E)

= log{M · 2

} − logM

= k = H(S).

Therefore, in order to tolerate t errors in the key

b, the amount of information can be carried in n bits

is bounded by the largest dimension k of a t-error cor-

recting linear code of length n, which turns out to be

a coding problem. If we characterize the transmis-

sion/storage efﬁciency R of the above scheme by the

information rate k/n of the linear code C, then ac-

cording to the Singleton bound (J.MacWilliams and

Sloane, 1977), we easily derive an upper bound R ≤

1−

d−1

= 1−

. Besides, if we allow n to grow since

we have assumed that the biometric under considera-

tion has enough randomness, then due to the Gilbert-

Varshamov bound (J.MacWilliams and Sloane, 1977),

the rate R ≥ 1 − h(

) is achievable for d/n < 1/2.

Here h(·) is the binary entropy function.

Recall that in the Juels-Wattenberg scheme, the

biometric vector b is assumed to be uniformly dis-

tributed among vectors of a given length n. In that

case, the published vector c + b is also uniformly

distributed among the n-bit vectors and thus yields

no information on the secret s or the biometric tem-

plate b. In the extension of Shannon’s secrecy system

discussed above, we see that the Juels-Wattenberg

scheme is still optimal once b is uniformly distributed

over a linear (n,k,2t + 1) code C and e is uniformly

distributed over n-bits sequences of Hamming weight

≤ t.

However, in reality, the statistical distributions of

the extracted biometrics and its error pattern can be

far different (one can refer to (A. Pankanti and Jain,

2002) for a comprehensive survey on the probability

of the ﬁngerprint conﬁguration). The equality in The-

orem 3.1 can be hard to achieve or not achievable at

A FRESH LOOK INTO THE BIOMETRIC AUTHENTICATION - Perspective from Shannon's Secrecy System and a

Special Wiretap Channel

171

all. So open problems are challenging up to the real

biometric readings and the real error patterns.

3.3 Improvement of Juels-Wattenberg

Scheme

In last subsection, we show that once b,e satisfy

certain statistical distributions, the Juels-Wattenberg

scheme provides with optimal performance by em-

ploying an error correcting code. However, we won-

der if this still holds otherwise. We further notice

that in the Juels-Wattenberg scheme, the choice of the

codeword c (not necessarily from a linear code) is in-

dependent of the enrolled biometric reading b. In the

following, we present an example and show that by

exploring their dependency, i.e., taking codeword c

on the basis of b, it is possible to improve the secrecy

performance of the Juels-Wattenberg scheme.

Example 3.2. Consider the Juels-Wattenberg

scheme. We let C ,B be sets of the codewords c and

master biometric templates b, respectively. Suppose

C = {c

} and B = {b

In particular, we specify c and b by the following

matrices:













00110011

01010101

10101010























00001111

00110011

01010101

10101010

11001100

11110000







For simplicity we assume that b is uniformly dis-

tributed over B .

In the original Juels-Wattenberg scheme, c is cho-

sen randomly independent of b. Thus c is uniformly

distributed over C . It is easy to check that c+ b has a

non-uniform distribution over 8 different sequences.

In fact, c + b is 00111100 or 11000011 either with

probability 1/18; 01011010 or 10100101 with either

probability 1/9; and 00000000, 01100110, 10011001

or 11111111 each with probability 1/6.

In particular, we notice that if c+ b turns out to be

either 00111100 or 11000011, then it corresponds to

one possibility c = c

. Besides, with the observation

c+ b, one can easily calculate that the probability of

correct guess of c (thus b) is

2∗

+ 2∗

∗

+ 4∗

∗

= 0.4444;

the information leakage from c+ b on c is

I(C;C+ B) =H(C) + H(C+ B)− H(C,B)

(a)

=H(C+ B) − H(B)

=2∗

∗ log18+ 2∗

∗ log9

+ 4∗

log6− log6

=0.3061;

and the information leakage from c+ b on b is

I(B;C+ B) =H(B) + H(C+ B) − H(C,B)

(a)

=H(C+ B) − H(C)

=2∗

∗ log18+ 2∗

∗ log9

+ 4∗

log6− log3

=1.3061;

where (a) is due to the fact that the choice of c is in-

dependent of b. The logarithm is to the base 2.

Now we slightly modify the Juels-Wattenberg

scheme by introducing a bit dependency to the choice

of c on the basis of b. When b = b

or b

, we do not

take c

as a candidate of c so as to avoid the output

00111100 or 11000011 of c+ b. That is, if b 6= b

, we choose c randomly from set C ; and if b = b

or b

, we choose c randomly from set C \ { c

}. Then

it is easy to check that c+ b is uniformly distributed

among 6 different sequences, 01011010, 10100101,

00000000, 01100110, 10011001 and 11111111, each

with probability 1/6. Thus C + B has the same en-

tropy as B. In this case, with the observation c + b,

one can calculate and see that the probability of cor-

rect guess of c (thus b) is reduced to

2∗

∗

+ 4∗

∗

= 0.3889;

the information leakage on c is reduced to

I(C;C+ B) =H(C) + H(C+ B)− H(C,B)

(b)

=H(C) − H(C|B)

∗ log

+ 2∗

∗ log

−

(2∗ log2+ 4∗ log3)

=0.1520;

and the information leakage on b is reduced to

I(B;C+ B) =H(B) + H(C+ B) − H(C,B)

(b)

=H(C+ B) − H(C|B)

=log6−

(2∗ log2+ 4∗ log3)

=1.1950;

SECRYPT 2011 - International Conference on Security and Cryptography

172

where (b) is due to the fact that the choice of c is de-

pendent on b, and H(B) = H(C+ B).

This example demonstrates how one can enhance

the secrecy performance of the Juels-Wattenberg

scheme by choosing codewords based on knowl-

edge of the biometric template. Clearly, the Juels-

Wattenberg scheme does not always provide optimal

solutions. To achieve a good performance accuracy

and secrecy, the appropriate error correcting code, in

particular the choice of the codeword, should be cho-

sen largely based on the biometric template and its

error pattern.

One may also notice that the example looks very

similar to the one in (V. B. Balakirsky and Vinck,

2009). However, the underneath coding methods are

different, where in our example we use the coding

from Juels-Wattenberg scheme while a permutation

block coding is employed in (V. B. Balakirsky and

Vinck, 2009).

In next section, we build an information theoretic

framework for the Juels-Wattenberg scheme with a

smart encoder which learns the biometric templates

at enrollment, further conﬁrm its advantage in obtain-

ing better trade-offsbetween the accuracy and secrecy

performance.

4 PERSPECTIVE OF THE

WIRETAP CHANNEL

The concept of the wiretap channel was ﬁrst intro-

duced by Wyner in (Wyner, 1975). Its goal is to

achieve not only efﬁcient, reliable but also secure

communication between the sender and legitimate re-

ceiver. Here being secure is against an eavesdropper,

who is assumed to know the deployed encoding and

decoding scheme and observe a degraded version of

the output at the legitimate receiver. Similarities can

be easily recognized between the model of the wiretap

channel, and a biometric authentication system with

an attacker who is assumed to have access to the en-

crypted biometrics stored in the database. So an in-

formation theoretic approach can be taken by looking

into the biometric authentication system from a per-

spective of the wiretap channel. Such an instance is

ﬁrst given in (Cohen and Z´emor, 2004). Other trials

can be found in (V. B. Balakirsky and Vinck, 2009)

and (Vinck and Balakirsky, 2010), etc.

In (Cohen and Z´emor, 2004), the authors recon-

sider the Juels-Wattenberg scheme as a Wyner’s wire-

tap channel. The reformulation is shown in Fig. 3,

where S, X serve similar roles as s,c in the Juels-

Wattenberg scheme, respectively, representing the se-

cret chosen randomly and the corresponding code-

Encoder

Legitimate User

Eavesdropper

Authentication

Enrollment

′

= B+ E

Figure 3: Reformulation of Juels-Wattenberg scheme as a

wiretap channel (Cohen and Z´emor, 2004).

word; Y = X + E at the legitimate receiver, is the

sequence recovered by the legal user at the authen-

tication phase; Z = X+ B is the encrypted biometric

template stored in database and assumed to be acces-

sible to an attacker. E, as the variation of two biomet-

ric readings, is assumed to be less noisy than B and

independent of B. That is, the channel from X to Y,

to the legitimate receiver, is less noisy than the one

from X to Z, to the eavesdropper.

For the model shown in Fig. 3, we recall the infor-

mation leakage rate associated with a (2

,n) secrecy

code

(n)

I(S;Z);

and the average probability of error at the legitimate

receiver

(n)

= Pr{S 6=

S}.

We note that in most communication systems based

on a statistical channel model, it is often impossible

to achieve a positive transmission rate at the absolute

perfect secrecy (i.e. R

(n)

= P

(n)

= 0). For instance,

the zero-error capacity (maximum transmission rate

at P

(n)

= 0) of a binary symmetric channel is zero. So

it is necessary to consider a weaker concept: asymp-

totic perfect secrecy.

A communication system is said to have asymp-

totic perfect secrecy, if for any arbitrary small ε,ε

′

0, there exists a secrecy code (2

,n) such that

• P

(n)

< ε, i.e., decoding error occurs only with ar-

bitrarily small probability;

• R

(n)

< ε

′

, i.e., the information leakage can be

made arbitrarily small.

We say a secrecy rate R

∗

achievable if for any arbi-

trary small ε,ε

′

,ε

′′

> 0, there exists a secrecy code

,n) such that

R > R

∗

− ε

′′

, P

(n)

< ε, R

(n)

< ε

′

. (3)

The maximum secrecy rate is called asymptotic se-

crecy capacity or for short secrecy capacity.

A FRESH LOOK INTO THE BIOMETRIC AUTHENTICATION - Perspective from Shannon's Secrecy System and a

Special Wiretap Channel

173

As a direct consequence of Wyner’s result (Wyner,

1975), the (asymptotic) secrecy capacity: C

, of the

model in Fig. 3 is

= max

Pr{x}

{I(X;X + E) − I(X;X + B)}. (4)

4.1 A Special Wiretap Channel with

Side Information

Motivated by the observation that the authorities col-

lect the biometric information from people since

years, we introduce a smart encoder into the biomet-

ric authentication scheme. The smart encoder learns

the enrolled biometric templates, and in turn uses its

knowledge to enhance the performance of scheme. To

explore how much gain can be achieved, we can re-

formulate the Juels-Wattenberg scheme with a smart

encoder to 1): a wiretap channel with two-sided infor-

mation, one (i.e., b) available at the encoder and the

other (i.e., b

′

) at the decoder of the legitimate receiver;

2) a wiretap channel with side information available

at the encoder, where the side information b, is at the

same time, the noise in the eavesdropper channel, as

shown in Fig. 4. The idea 2) is originally proposed in

(Vinck and Balakirsky, 2010).

Encoder

Legitimate User

Eavesdropper

Authentication

Enrollment

′

= B+ E

Figure 4: Reformulation of Juels-Wattenberg scheme with

a smart encoder as a wiretap channel with side information.

Following the results from (Chen and Vinck,

2008) and (Liu and Chen, 2007), one can obtain some

direct results on the secrecy rate (achievable transmis-

sion rate at asymptotic perfect secrecy) of the refor-

mulated model. However, the single-letter characteri-

zation of the secrecy rate for both models involves an

auxiliary parameter, and at present its calculation still

remains an unsolved problem. To avoid this, we take

a new approach and investigate the reformulation 2).

In this subsection, we consider the secure com-

munication problem via the channel shown in Fig.

4. We note that both S and B are known at the

encoder. We look at the extreme case, where X is

chosen totally based on knowledge of B. In particu-

lar, we take X = B. Then the legitimate receiver re-

ceives Y = B + E; whilst the eavesdropper receives

Z = X + B. Since the information is transmitted in

bits, Z results in a zero sequence. That is, the eaves-

dropper constantly receives a zero sequence no matter

what B is. Clearly it does not help him to have a better

guess of the information being transmitted. Therefore

in this case, according to Shannon’s coding theorem

for noisy channels, I(X;Y) = I(B;B + E) bits infor-

mation can be reliably transmitted to the legitimate

receiver while keeping it ignorant to the eavesdrop-

per. If the length of the codeword is n, then we obtain

a secrecy rate

I(B;B+ E). (5)

If we let C

be the secrecy capacity of the chan-

nel shown in Fig. 4, then we have R

≤ C

. Next we

will show the converse R

≥ C

and thus prove the

following theorem.

Theorem 4.1. C

= R

Proof. The proof uses the deﬁnitions of entropy,

mutual information, data-processing inequality and

Fano’s inequality, for which one can refer to (Cover

and Thomas, 2005).

Consider a (2

,n) secrecy code with a secrecy

constraint: R

(n)

I(S;Z) ≤ ε

and a communication

constraint P

(n)

= Pr{S 6=

S} ≤ ε

≤ H(S)

(a)

≤ H(S|Z) + nε

= H(S,B

′

|Z) − H(B

′

|S,Z) + nε

= H(B

′

|Z) + H(S|B

′

,Z) − H(B

′

|S,Z) + nε

(b)

≤ H(B

′

|Z) + H(S|Y) − H(B

′

|S,Z) + nε

(c)

≤ H(B

′

|Z) − H(B

′

|S,Z, X) + nε

+ nε

(d)

≤ H(B

′

|Z) − H(B

′

|B) + nε

+ nε

≤ H(B

′

) − H(B

′

|B) + nε

+ nε

= I(B;B

′

) + nε

+ nε

where (a) follows by the deﬁnitions of entropy and

mutual information: H(S) = H(S|Z) + I(S;Z); and

by the secrecy constraint I(S;Z) ≤ nε

; (b) follows

by the data-processing inequality that H(S|B

′

,Z) ≤

H(S|Y) since Y = Z + B

′

; (c) follows the fact that

H(B

′

|S,Z) ≥ H(B

′

|S,Z, X) and H(S|Y) ≤ H(S|

S) ≤

(n)

+ h(P

(n)

)− 1 ≤ nε

, where the last two inequal-

ities are due to the Fano’s inequality and the commu-

nication constraint P

(n)

≤ ε

, respectively; (d) follows

that H(B

′

|S,Z, X) = H(B

′

|S,X, B) = H(B

′

|B).

SECRYPT 2011 - International Conference on Security and Cryptography

174

As a conclusion, we have proven that the special

wiretap channel with side information as shown in

Fig. 4 has secrecy capacity C

I(B;B

′

). Besides,

if B,E and B

′

are sequences of i.i.d random variables

B,E and B

′

, respectively, where B

′

= B+ E (this cor-

responds a discrete memoryless channel with additive

noises scenario), we have the following single-letter

characterization of the secrecy capacity:

I(B;B+ E) = I(B;B+ E). (6)

Remarks on the secrecy constraint: It is easy

to see that the above proof also applies to a

stricter secrecy constraint

I(S,B;Z) ≤ ε

, since

I(S;Z) ≤ I(S,B;Z). Although the stricter constraint

I(S,B;Z) ≤ ε

is more suitable for biometric secu-

rity concerns, we still use

I(S;Z) ≤ ε

since it is

enough for the proof of the converse and consistent

with the terminology used in the study on wiretap

channels.

4.2 Advantage of Knowing the Noise in

the Eavesdropper Channel

In this subsection, we will show that knowing the

noise in the eavesdropper channel provides an advan-

tage, in the manner that the secrecy capacity of com-

munication model in Fig. 4 is no less than the one in

Fig. 3. Intuitively this is true, since any secrecy rate

achievable for the model in Fig. 3 is also achievable

for the model in Fig. 4 (because the encoder can al-

ways ignore the side information). Theoretically we

conﬁrm this by the followingtheorem and further pro-

vide numerical comparisons in next subsection.

Theorem 4.2. C

≤ C

, i.e.,

I(X;X + E) − I(X;X + B) ≤ I(B;B+ E). (7)

Proof. First we consider the term I(X;X + B). By

chain rule of the mutual information (Cover and

Thomas, 2005), we have

I(X;X + B) = I(X,B;X + B) − I(B;X + B|X)

= I(B;X + B) + H(X|B) − H(B|X).

Similarly we have

I(X;X + E)

(a)

= I(E;X + E) + H(X) − H(E);

I(B;B+ E)

(a)

= I(E;B + E) + H(B) − H(E),

where (a) follows that E is independent of X and B.

Applying the above equalities to (7), we derive the

following inequality, which is equivalent to (7).

I(E;X + E) − I(B;X + B) ≤ I(E;B+ E).

So in order to prove the theorem, it is enough to show

I(B;X + B) ≥ I(E;X + E) − I(E;B+ E).

This inequality is valid, since

I(B;X + B)

(b)

≥ I(B;X + B|B+ E)

= H(B|B+ E) − H(B|B+ E,X + B)

= H(E|B+ E) − H(E|B + E, X + E)

(c)

≥ H(E|B + E) − H(E|X + E)

= I(E;X + E) − I(E;B+ E),

where (b) is due to Lemma 4.3; (c) follows the fact

that H(E|B+ E,X + E) ≤ H(E|X + E).

Lemma 4.3. I(B;X + B) ≥ I(B;X + B|B+ E).

Proof. First we note that X + B → (X,B) → B + E

forms a Markov chain. Thus we have

I(X,B;X + B) ≥ I(X,B;X + B|B+ E).

In addition, by chain rule of the mutual information

(Cover and Thomas, 2005), we have

I(X,B;X + B) =I(B;X + B) + I(X;X + B|B);

I(X,B;X + B|B+ E)

(a)

=I(B;X + B|B+ E)

+ I(X;X + B|B),

where (a) is due to the fact that E is independent of X

and B. As a direct consequence, we obtain I(B;X +

B) ≥ I(B;X + B|B + E) and thus complete the proof.

4.3 Numerical Examples

In this subsection, we give two examples where the

secrecy capacity of communication model in Fig. 4 is

strictly larger than the one in Fig. 3.

Example 4.4. Suppose that the channel shown in

Fig. 4 is an additive white Gaussian noise (AWGN)

wiretap channel, i.e., E and B are white Gaussian

noises added into the main channel and the eaves-

dropper channel, respectively. Further we assume

that E ∼ N (0,N) and B ∼ N (0,Q), where N (a, b)

stands for a Gaussian distribution with mean a and

variance b. In addition, the average power constraint

on X is P.

It is easy to calculate

= I(B;B+ E)



log(1+

) if P < Q

log(1+

) if P ≥ Q

;

= max

Pr(x)

{I(X;X + E) − I(X;X + B)}

log(1+

) −

log(1+

A FRESH LOOK INTO THE BIOMETRIC AUTHENTICATION - Perspective from Shannon's Secrecy System and a

Special Wiretap Channel

175

where C

is in fact the difference of the capacities of

the main channel and the eavesdropper channel. Easy

comparison shows us that C

> C

holds always.

Example 4.5. Suppose that the channel shown in Fig.

4 is a binary memoryless symmetric wiretap channel,

i.e., both main channel and the eavesdropper channel

are binary symmetric channels (BSCs). We further

assume that E and B have the following probability

distributions: Pr(E = 1) = 1 − Pr(E = 0) = e and

Pr(B = 1) = 1− Pr(B = 0) = p, where 0 < e, p < 1/2.

It is easy to calculate

= I(B;B+ E) = H(B+ E) − H(E)

= h(p∗ e) − h(e);

= max

Pr(x)

{I(X;X + E) − I(X;X + B)}

= h(p) − h(e),

where C

is in fact the difference of the capaci-

ties of the main channel and the eavesdropper chan-

nel; h(·) is the binary entropy function (Cover and

Thomas, 2005), and p∗e = p+ e− 2pe is the value of

Pr(X + E = 1). Clearly C

> C

holds due to the fact

that p∗ e > p and thus h(p∗ e) > h(p).

For this speciﬁc example, it is easy to see that the

gain on the secrecy capacity is h(p∗ e) − h(p), which

is increasing with respect to e while decreasing with

respect to p, and equal to 0 at either e = 0 or p = 1/2.

5 CONCLUSIONS

In this paper, we reformulate the biometric authen-

tication scheme to an extension of Shannon’s se-

crecy system with an error-prone key, and the Juels-

Wattenberg scheme with a smart encoder to a speciﬁc

model of wiretap channel, where the encoder knows

the noise in the eavesdropper’s channel.

From the point of view of an extension of Shan-

non’s secrecy system, we provide theoretical limits

on the maximal randomness of the secret that can be

concealed and revealed by an error-prone key while

hidden perfectly from a third party. Since the code

rate of the employed error correcting code reﬂects the

storage efﬁciency, one can easily derive lower bounds

and upper bounds on the storage efﬁciency by the nu-

merous results on the error correcting codes. Further-

more, we show that the Juels-Wattenberg scheme is

optimal if the biometric key and the biometric error

pattern satisfy certain statistical distributions; other-

wise, it is possible to improve the performance of the

Juels-Wattenberg scheme by choosing the codeword

from a prespeciﬁed error correcting code on the basis

of the biometric template.

We further reformulate the Juels-Wattenberg

scheme with a smart encoder to a speciﬁc model of

wiretap channel with side information, where the side

information is the noise of the eavesdropper’s chan-

nel and known at the encoder. The idea of the smart

encoder is inspired by the fact that the authorities

are collecting the biometric information from peo-

ple since years and this knowledge could in turn be

used to better design the biometric system for peo-

ple’s good. From an information theoretic perspec-

tive, we demonstrate that the knowledge of the en-

rolled biometric template at the smart encoder does

provide an advantage so as to enhance the perfor-

mance of the biometric authentication scheme. As a

byproduct, we derive the secrecy capacity of this spe-

cial wiretap channel with side information and pro-

vide two numerical examples showing that strictly

larger secrecy capacities can be achieved when both

the main channel and the eavesdropper’s channel are

AWGN channels or BSCs.

Our work also inspires research problems on the

extension of Shannon’s secrecy system with an error-

prone key and the general wiretap channels with

side/two-sided (asymmetric) information, where the

key or the side information subjects to a certain con-

straint in any particular metric space.

REFERENCES

A. Pankanti, S. P. and Jain, A. K. (2002). On the individu-

ality of ﬁngerprints. In IEEE Transactions on Pattern

Analysis and Machine Intelligence. IEEE Computer

Society.

Cavoukian, A. and Stoianov, A. (2009). Biometric encryp-

tion. In Encyclopedia of Biometrics. Springer.

Chen, Y. and Vinck, A. J. H. (2008). Wiretap channel with

side information. In IEEE Transactions on Inforam-

tion Theory. IEEE Computer Society.

Cohen, G. and Z´emor, G. (2004). The wire-tap channel

applied to biometrics. In Proc. Int. Symp. Inf. Theory

& its Apps.

Cover, T. M. and Thomas, J. A. (2005). Elements of Infor-

mation Theory. John Wiley & Sons, Inc., New Jersey,

2nd edition.

J.MacWilliams, F. and Sloane, N. J. A. (1977). The The-

ory of Error-Correcting Codes. North-Holland, New

York, 1st edition.

Juels, A. and Sudan, M. (2006). A fuzzy vault scheme. In

Design, Codes and Cryptography. Kluwer Academic

Publishers.

Juels, A. and Wattenberg, M. (1999). A fuzzy commit-

ment scheme. In Proc. 6th ACM Conf. Computer and

Comm. Security. ACM.

Liu, W. and Chen, B. (2007). Wiretap channel with two-

sided channel state information. In The 41 Asilomar

Conference on Signals, Systems & Computers.

SECRYPT 2011 - International Conference on Security and Cryptography

176

Shannon, C. E. (1949). Communication theory of secrecy

systems. In Bell Sys. Tech. J.

V. B. Balakirsky, A. R. G. and Vinck, A. J. H. (2009). Per-

mutation block coding from biometrical authentica-

tion. In Proc. 7th Int. Conf. on Computer Science and

Info. Technologies.

Vinck, A. J. H. and Balakirsky, V. (2010). Template pro-

tection and biometric veriﬁcation. In Proc. 6th Asia-

Europe Workshop on Information Theory.

Wyner, A. D. (1975). The wire-tap channel. In Bell Sys.

Tech. J.

Y. Dodis, R. Ostrovsky, L. R. and Smith, A. (2008). Fuzzy

extractors: How to generate strong keys from biomet-

rics and other noisy data. In SIAM Journal on Com-

puting. Society for Industrial and Applied Mathemat-

ics (SIAM).

APPENDIX

Fano’s Inequality

Let P

= Pr{

S(Z) 6= S}, where

S(Z) is an estimate of

S based on the observation Z. Then

H(P

) + P

log|S | ≥ H(S|Z), (8)

where S is the set of S and |S | is the cardinality of S .

Upper Bound on FAR

Fano’s inequality gives a lower bound on the ‘error’

probability of decoding P

on secret S. However, in

the context when we consider FAR, we talk about the

probabilityof ‘correct’ decoding on S given the eaves-

dropper’s observation Z, where

FAR = Pr{

S(Z) = S} = 1− P

. (9)

The information leakage from Z on S is by deﬁnition

I(S;Z). By Fano’s inequality, we have

H(P

) + P

log|S | ≥ H(S|Z),

i.e.,

H(1 − FAR) + (1 − FAR)log|S | ≥ H(S) − I(S;Z).

Note that H(1− FAR) ≤ 1. Easy calculation gives us

FAR ≤

1+ log|S | + I(S;Z) − H(S)

log|S |

. (10)

In particular, if the secret S is uniformly distributed

over S , then H(S) = log|S |. The above upper bound

can be simpliﬁed to

FAR ≤

1+ I(S;Z)

log|S |

. (11)

List of Notations

b biometric template at enrollment phase

′

biometric template at the authentication phase

e variation in biometric readings

c a codeword

R transmission rate

information leakage rate

average probability of error

secrecy rate for model in Fig. 4

secrecy capacity for model in Fig. 3

secrecy capacity for model in Fig. 4

,n) a secrecy code of 2

codewords of length n

(n,k, d) a linear code, of length n, dimension k and

minimum distance d

hw(·) Hamming weight function, numbers of non-

zeros in a sequence

Pr{·} probability function

h(·) binary entropy function

H(·) entropy function, uncertainty associated with a

variable

I(·) mutual information function, amount of informa-

tion shared by two variables

A FRESH LOOK INTO THE BIOMETRIC AUTHENTICATION - Perspective from Shannon's Secrecy System and a

Special Wiretap Channel

177