Cryptanalysis of a Privacy-preserving Behavior-oriented Authentication
Scheme
Sigurd Eskeland
a
and Ahmed Fraz Baig
b
Norwegian Computing Center, Postboks 114 Blindern, 0314 Oslo, Norway
Keywords:
Privacy-preserving Protocols, Cryptographic Protocols, Cryptanalysis, Homomorphic Encryption, Continuous
Authentication.
Abstract:
Continuous authentication has been proposed as a complementary security mechanism to password-based
authentication for computer devices that are handled directly by humans, such as smart phones. Continuous
authentication has some privacy issues as certain user features and actions are revealed to the authentication
server, which is not assumed to be trusted. Wei et al. proposed in 2021 a privacy-preserving protocol for
behavioral authentication that utilizes homomorphic encryption. The encryption prevents the server from
obtaining sampled user features. In this paper, we show that the Wei et al. scheme is insecure regarding both
an honest-but-curious server and an active eavesdropper. We present two attacks: The first attack enables the
authentication server to obtain the secret user key, plaintext behavior template and plaintext authentication
behavior data from encrypted data. The second attack enables an active eavesdropper to restore the plaintext
authentication behavior data from the transmitted encrypted data.
1 INTRODUCTION
Continuous authentication has been proposed as a
complementary security measure for computer de-
vices that are handled directly by humans, such as
smart phones, in addition to common authentication
methods, such as passwords, iris recogniztion, etc.
The supposed advantage is a passive and seamless
authentication mechanism that does not require user
attention, like re-typing of passwords. While conven-
tional authentication methods are session-oriented by
which the device remains unlocked during the time
period of the session, the idea of continuous authenti-
cation is that the authentication process is conducted
at events of relevant user activity. The time window
of access is much smaller than for session-oriented
approaches. One purported benefit of continuous au-
thentication over session-oriented approaches is that
if a smart phone for a moment becomes accessible
to someone else while it is unlocked, the continuous
authentication mechanism will supposedly not recog-
nize the other person. This will cause the authentica-
tion to fail and the phone will then lock.
Behavioral authentication is the most important
category of modalities for continuous authentication.
a
https://orcid.org/0000-0003-0045-3387
b
https://orcid.org/0000-0001-6017-0237
The premise of behavioral authentication is that there
is a uniqueness to the way that a person moves and
acts, like walking style, typing style, or handling of
devices, and recognizing such unique patterns is suf-
ficient for identifying the person. Behavioral modal-
ities (or modes) include gait, screen touch (known as
touch dynamics), and typing (keystroke dynamics).
Continuous authentication is realized by continuously
monitoring and collecting user behavior data pertain-
ing to a specific modality, and checking whether they
are consistent with behavior reference template data
collected during user enrollment. In contrast, bio-
metric authentication modalities such as face and iris
recognition are oftentimes considered as continuous
authentication as well. However, since such modali-
ties require some user attention, they are not entirely
passive and seamless, and are therefore somewhat in-
consistent the aspect of continuity.
It has been noted that continual monitoring and
data collection of user activity can be considered in-
vasive and that it causes privacy concerns, as it may
reveal certain user actions and whereabouts while the
user is in contact with the device. Moreover, certain
private user characteristics may be deductable, such
as age group, gender, etc. In conclusion, such au-
thentication methods have indeed some privacy chal-
lenges.
Eskeland, S. and Baig, A.
Cryptanalysis of a Privacy-preserving Behavior-oriented Authentication Scheme.
DOI: 10.5220/0011140300003283
In Proceedings of the 19th International Conference on Security and Cryptography (SECRYPT 2022), pages 299-304
ISBN: 978-989-758-590-6; ISSN: 2184-7711
Copyright
c
2022 by SCITEPRESS – Science and Technology Publications, Lda. All r ights reserved
299
Homomorphic encryption techniques have been
suggested to mitigate the mentioned privacy chal-
lenges for continuous authentication modalities, as
homomorphic encryption permits certain kinds of
computations to be performed on encrypted data with-
out first decrypting them. This allows encrypted data
to be outsourced to commercial cloud environments
for processing, all while encrypted.
Wei et al. (2020) proposed in 2021 a privacy-
preserving protocol for behavioral authentication,
which assumes additive homomorphisms by build-
ing on the Paillier public key cryptosystem (Paillier,
1999). The authors claim that the scheme is secure
with regard to both an honest-but-curious server and
an active eavesdropper. The eavesdropper is assumed
to read and modify the communication between the
user device and the authentication server.
In this paper, we show that the Wei et al. scheme is
insecure regarding both an honest-but-curious server
and an active eavesdropper. We present two attacks,
in which the first enables the authentication server to
obtain the behavioral plaintext template, the authenti-
cation plaintext data, and the user’s secret encryption
key plaintext from the ciphertext data. The second
attack enables an eavesdropper to obtain authentica-
tion behavior plaintext data from the transmitted en-
crypted data.
2 RELATED WORK
A few privacy-preserving schemes have been pro-
posed for different types of modalities of behavior-
based and context-based user authentication. Govin-
darajan et al. (2013) proposed a privacy-preserving
protocol for touch dynamics-based authentication.
Their scheme utilizes a private comparison protocol
proposed by Erkin et al. (2009) and the homomorphic
DGK encryption algorithm proposed by Damg
˚
ard
et al. (2008). Note that the Erkin et al. (2009) compar-
ison protocol is based on the private comparison pro-
tocol proposed by Damg
˚
ard et al. (2007, 2009). The
scheme of Govindarajan et al. does not reveal any-
thing, because it makes comparisons in the encrypted
domain.
Safa et al. (2014) proposed a generic frame-
work for privacy-preserving implicit authentication
by utilizing context data, such as location data,
device-specific data, wifi connection, browsing his-
tory, etc. It utilizes homomorphic encryption and
order-preserving encryption, and Average Absolute
Deviation to compute the similarity between input
and reference templates.
Domingo-Ferrer et al. (2015) proposed an
privacy-preserving authentication scheme using con-
text features. It uses the Paillier cryptosystem and
a private set intersection computation protocol pro-
posed by the same authors (Blanco-Justicia et al.,
2014). Set intersection is used to determine the dis-
similarity between reference data and input data.
The privacy-preserving authentication scheme
proposed by Shahandashti et al. (2015) assumes con-
text features, and is based on order-preserving sym-
metric encryption (OPSE) and additive homomorphic
encryption. The cryptographic primitives are generic,
but the authors suggest the OPSE scheme proposed
by Boldyreva et al. (2009) and the Paillier public key
scheme.
A potential problem with (Safa et al., 2014;
Domingo-Ferrer et al., 2015; Shahandashti et al.,
2015) is that context-aware modes cannot differenti-
ate if the user is present or not, such as if the device
is stolen within the specified domain, then it cannot
distinguish between a legitimate user and imposters
(Baig and Eskeland, 2021).
Balagani et al. (2018) proposed a periodic
keystroke dynamics-based privacy-preserving au-
thentication scheme. It is similar to Govindarajan
et al. (2013), but it assumes the private comparison
protocol of Erkin et al. (2009) in addition to the ho-
momorphic DGK encryption algorithm of Damg
˚
ard
et al. (2008). This scheme has the same efficiency
problems as Govindarajan et al.
Wei et al. (2020) proposed a privacy-preserving
authentication scheme for touch dynamics using ho-
momorphic encryption properties. It is based on sim-
ilarity scores between input and reference features us-
ing cosine similarity. The authentication server per-
forms a comparison between the encrypted reference
template (provided during enrollment) and encrypted
input template sampled during authentication. The
authentication server decrypts the similarity scores
and compares them with a predefined threshold.
3 PRELIMINARIES
In this section we present some details on the Pail-
lier cryptosystem and how it realizes its homomorphic
properties.
3.1 Briefly about the Paillier
Cryptosystem
Computations in the Paillier public key cryptosys-
tem are conducted modulus n
2
, where n = pq, and
p and q are large distinct primes of about the same
SECRYPT 2022 - 19th International Conference on Security and Cryptography
300
size. The public key is constituted by (g,n), where
g = kn + 1 and k ≥ 1. For convenience, let g = n +1.
The private key consists of (λ, n), where λ = λ(n) =
lcm(p − 1,q − 1) is the Carmichael function. As a
sidenote, λ(n) is a reduced version of the Euler to-
tient function φ(n) = (p − 1)(q − 1), since λ(n) di-
vides φ(n). Therefore, φ(n) can be used as the private
key.
Encryption is conducted by means of the public
key (g,n) according to c = g
m
r
n
= (1 + mn)r
n
mod
n
2
, where r is a secret random integer selected by the
sender. We refer to r
n
as a Paillier encryption factor.
At decryption, this is eliminated by means of the pri-
vate key (λ, n), since rnλ ≡ 1 (mod n
2
). Likewise,
rnφ(n) ≡ 1 (mod n
2
).
The decisional composite residuosity (DCR) as-
sumption states that it is hard to decide whether z is
an n-residue modulo n
2
, that is, whether there exists
a number r ∈ Z
∗
n
2
so that z = r
n
mod n
2
. This means
that given a Paillier ciphertext c; if r is an unknown
random integer generated by the sender who com-
puted c, then r
n
is similarly hard to determine.
3.2 Homomorphic Properties of the
Paillier Public Key Cryptosystem
Consider the binomial expansion
(1 + n)
x
=
x
∑
j=0
x
j
=
x
∑
j=0
k
j
x
j
= 1 + xn + ... + n
x
where k
j
, 0 ≤ j ≤ x, are binomial coefficients. Since
all computations are conducted modulo n
2
, all terms
having the factor n
2
become eliminated, and so
H(x) = g
x
≡ (1 + n)
x
≡ 1 + xn (mod n
2
)
The additive homomorphic property is reflected by
H(x
1
)H(x
2
) = g
x
1
g
x
2
≡ (1 + x
1
n)(1 + x
2
n) (mod n
2
)
≡ 1 + (x
1
+ x
2
)n = H(x
1
+ x
2
) (mod n
2
)
and
H(x
1
)
H(x
2
)
=
g
x
1
g
x
2
≡
1 + x
1
n
1 + x
2
n
(mod n
2
)
≡ (1 + x
1
n)(1 − x
2
n) (mod n
2
)
≡ 1 + (x
1
− x
2
)n = H(x
1
− x
2
) (mod n
2
)
and
H(x)
k
= (g
x
1
)
k
= (1 + xn)
k
(mod n
2
)
≡ 1 + kxn = H(kx) (mod n
2
)
4 THE WEI ET AL.
PRIVACY-PRESERVING
AUTHENTICATION
PROTOCOL
The Wei et al. protocol involves two parties: A user
P
i
and an authentication server (AS). It consists of the
following steps:
System initialization. The authentication server (AS)
computes a Paillier key pair. The public key consists
of (g,n), where n = pq is a composite modulus of
which p and q are two large and distinct primes, and
g = kn + 1, for an integer k ≥ 1. For simplicity, let
g = n + 1. The private key (λ,n) is only known by
AS. In addition to the Paillier key pair of the AS, each
user generates a secret key vector during encrollment.
User enrollment. The user enrollment process con-
sists of three steps: User key generation, reference
template sampling and generation, and encryption
of the reference template. A user P
i
samples be-
havior data for the reference template vector ⃗a
i
=
(a
i,1
,..., a
i,t
). Then P
i
chooses two long-term se-
cret encryption key vectors ⃗x
i
= (x
i,1
,..., x
i,t
) and
⃗r
i
= (r
i,1
,..., r
i,t
), where each element is randomly
chosen in Z
∗
n
2
. ⃗x
i
is used for encryption of the refer-
ence template ⃗a
i
and for encryption of behavior data
in the subsequent authentication process.
P
i
encrypts each element in ⃗a
i
according to
⃗c
i
= (c
i, j
= g
a
i, j
+x
i, j
r
n
i, j
(mod n
2
), 1 ≤ j ≤ t)
Note that the secret factors r
n
i, j
, 1 ≤ j ≤ t, are con-
sistent with the Paillier encryption factor of the Pail-
lier cryptosystem. This means that in agreement with
Paillier decryption, the AS, holding the private Pail-
lier key, would be able to restore (a
i, j
+ x
i, j
). The
purpose of ⃗x
i
is therefore to protect ⃗a
i
from the AS.
User authentication. When P
i
has collected a feature
vector of sampled values
⃗
b
i
= (b
i,1
,..., b
i,t
), the au-
thentication process is initiated. It consists of the fol-
lowing three rounds:
Round 1. P
i
generates an ephemeral random vec-
tor ⃗r
i
∗
= (r
∗
i,1
,..., r
∗
i,t
), where each element is se-
lected in Z
∗
n
2
, and encrypts each element in
⃗
b
i
=
(b
i,1
,..., b
i,t
) according to
c
∗
i, j
= (g
b
i, j
r
∗
i, j
n
)
x
i, j
= g
b
i, j
x
i, j
r
∗
i, j
nx
i, j
(mod n
2
)
where r
∗
i, j
n
, 1 ≤ j ≤ t, are consistent with a Paillier
encryption factor having n in the exponent. P
i
sends
the encrypted feature vector⃗c
i
∗
= (c
∗
i,1
,..., c
∗
i,t
) to AS.
Round 2. The AS receives ⃗c
i
∗
and retrieves the
encrypted enrollment vector ⃗c
i
of P
i
. AS generates
an epehemral random vector ⃗r
i
′
= (r
′
i,1
,..., r
′
i,t
), and
Cryptanalysis of a Privacy-preserving Behavior-oriented Authentication Scheme
301
blinds each element of the encrypted template vector
⃗c
i
according to:
c
′
i, j
= c
r
′
i, j
i, j
= g
(a
i, j
+x
i, j
)r
′
i, j
r
nr
′
i, j
i, j
(mod n
2
), 1 ≤ j ≤ t
and sends the vector⃗c
i
′
= (c
′
i,1
,..., c
′
i,t
) to P
i
.
Round 3. P
i
receives⃗c
i
′
and computes
d
i, j
= c
′
i, j
b
i, j
= g
(a
i, j
+x
i, j
)r
′
i, j
b
i, j
r
nr
′
i, j
b
i, j
i, j
(mod n
2
)
(1)
for 1 ≤ j ≤ t, and sends the vector
⃗
d
i
= (d
i,1
,..., d
i,t
)
to AS.
Authentication decision. The AS holds now
(⃗c
∗
i
,
⃗
d
i
,⃗r
′
i
). By means of λ, the AS inverts the elements
in⃗r
′
i
modulo φ(n
2
) = nλ, and then computes
t
i, j
=
d
i, j
c
∗
i, j
r
′
i, j
!
(r
′
i, j
)
−1
=
d
(r
′
i, j
)
−1
i, j
c
∗
i, j
(mod n
2
)
=
g
(a
i, j
+x
i, j
)r
′
i, j
b
i, j
r
nr
′
i, j
b
i, j
i, j
(r
′
i, j
)
−1
g
b
i, j
x
i, j
r
∗
i, j
nx
i, j
(mod n
2
)
=
g
a
i, j
b
i, j
+x
i, j
b
i, j
r
nb
i, j
i, j
g
b
i, j
x
i, j
r
∗
i, j
nx
i, j
=
g
a
i, j
b
i, j
g
x
i, j
b
i, j
g
b
i, j
x
i, j
R
n
i, j
(mod n
2
)
= g
a
i, j
b
i, j
R
n
i, j
(mod n
2
), 1 ≤ j ≤ t
where R
n
i, j
= r
nr
′
i, j
b
i, j
i, j
/r
∗
i, j
nx
i, j
is consistent with a Pail-
lier encryption factor. AS aggregates
T =
t
∏
j=1
t
i, j
= g
⃗a
i
⃗
b
i
R
n
i
(mod n
2
)
where R
n
i
is an aggregated Paillier encryption factors.
AS decrypts T in agreement with the Paillier cryp-
tosystem, using its private key λ, to obtain the vector
product T
′
= ⃗a
i
⃗
b
i
. Let T
S
be a predetermined thresh-
old. If T
′
≥ T
S
then P
i
is considered authentic, other-
wise the authentication fails.
The primary purpose of the Paillier encryption
factor is to blind the plaintext so that it becomes un-
intelligible to anyone not holding the private key. The
designated recipient of the ciphertext, holding the pri-
vate key, decrypts the ciphertext which removes the
secret encryption factor (see Section 3.1), and the
plaintext is restored.
5 CRYPTANALYSIS
In this section we show that the Wei et al. protocol is
insecure with regard to passive and active attacks. In
any case, it is insecure due to its homomorphic prop-
erty.
5.1 Honest-but-curious Authentication
Server Attack
An honest-but-curious adversary is an adversary who
does not deviate from the defined protocol by mod-
ifying or computing messages in ways that are not
in agreement with the protocol. It will rather at-
tempt to learn all possible information from the re-
ceived messages and other legitimate information it
may hold, such as previous messages and public keys.
As shown as follows, an honest-but-curious authenti-
cation server is able to obtain not only the plaintext
timeseries vector
⃗
b
i
, but also the secret user key vec-
tor ⃗x
i
and the plaintext feature template vector ⃗a
i
.
During enrollment, AS receives ⃗c
i
from P
i
. De-
crypting each element in⃗c
i
in agreement with the Pail-
lier decryption algorithm removes the encryption fac-
tor r
n
i, j
:
C
i, j
= c
λ
i, j
= g
(a
i, j
+x
i, j
)λ
r
nλ
i, j
(mod n
2
)
= g
(a
i, j
+x
i, j
)λ
= 1 + (a
i, j
+ x
i, j
)nλ (mod n
2
)
and restores the sum of the elements of the enrollment
vector ⃗a
i
and key vector⃗x
i
:
L(C
i, j
) =
C
i, j
− 1
nλ
=
1 + (a
i, j
+ x
i, j
)nλ − 1
nλ
= a
i, j
+ x
i, j
(2)
In Round 3 the AS receives encrypted sampled vec-
tor
⃗
d
i
. Decrypting each element in agreement with
Paillier decryption removes the Paillier encryption
factor r
i, j
nr
′
i, j
b
i, j
from d
i, j
:
D
i, j
= d
(r
′
i, j
)
−1
λ
i, j
= g
(a
i, j
+x
i, j
)b
i, j
r
′
i, j
(r
′
i, j
)
−1
λ
r
nr
i, j
b
i, j
(r
′
i, j
)
−1
λ
i, j
= g
(a
i, j
+x
i, j
)b
i, j
λ
= 1 + (a
i, j
+ x
i, j
)b
i, j
λn (mod n
2
), 1 ≤ j ≤ t
and eventually
L(D
i, j
) =
D
i, j
− 1
λn
=
1 + (a
i, j
+ x
i, j
)b
i, j
λn − 1
λn
= (a
i, j
+ x
i, j
)b
i, j
(3)
Dividing Eqs. (3) and (2) reveals the sampled plain-
text vector
⃗
b
i
, in which
b
i, j
=
(a
i, j
+ x
i, j
)b
i, j
a
i, j
+ x
i, j
, 1 ≤ i ≤ t
The secret key vector ⃗x
i
of P
i
is restored as fol-
lows. In Round 1, P
i
sends the ciphertext c
∗
i, j
. De-
cryption yields
C
∗
i, j
= c
∗
i, j
λ
= g
b
i, j
x
i, j
λ
r
∗
i, j
nx
i, j
λ
= g
b
i, j
x
i, j
λ
= 1 + b
i, j
x
i, j
λn (mod n
2
)
SECRYPT 2022 - 19th International Conference on Security and Cryptography
302
and then
L(C
∗
i, j
) =
C
∗
i, j
− 1
λn
=
1 + b
i, j
x
i, j
λn − 1
λn
= b
i, j
x
i, j
(4)
AS can now restore the secret key vector ⃗x
i
by means
of Eqs. (4) and (2):
x
i, j
=
b
i, j
x
i, j
b
i, j
, 1 ≤ i ≤ t
By means of x
i, j
and Eq. (2) the plaintext template
vector ⃗a
i
is recovered:
a
i, j
= (a
i, j
+ x
i, j
) − x
i, j
, 1 ≤ i ≤ t
5.2 Active Adversary Attack
In the following, we show that the Wei et al. scheme is
insecure to active attacks that include an active eaves-
dropper A who is capable of modifying the commu-
nication between AS and the user P
i
. The attack can
be conducted so that neither P
i
or AS will be aware of
the ongoing attack.
In Round 2, A computes a random vector
⃗c
i
′′
= (c
′′
i, j
= 1 + n r
′′
i, j
mod n
2
, 1 ≤ j ≤ t)
where r
′′
i, j
, 1 ≤ j ≤ t, are random integers. A replaces
the legitimate vector ⃗c
i
′
from P
i
with ⃗c
i
′′
. Note that
this will not be noticeable since the Wei et al. scheme
does not provide a means to verify the authenticity of
⃗c
i
′′
.
In Round 3, P
i
receives⃗c
i
′′
, and computes
d
i, j
= c
′′
i, j
b
i, j
= 1 + n r
′′
i, j
b
i, j
(mod n
2
), 1 ≤ i ≤ t
in agreement with Eq. (1). A receives
⃗
d
i
, and restores
b
i, j
=
d
i, j
− 1
r
′′
i, j
n
=
1 + b
i, j
r
′′
i, j
n − 1
r
′′
i, j
n
, 1 ≤ i ≤ t
In order to keep the AS unaware of the attack, A
conducts Round 2 on behalf of P
i
by computing and
forwarding d
i, j
= c
′
i, j
b
i, j
to AS, whom receives a cor-
rect and legitimate computation.
Note that A is unable to eliminate the intrinsic
Paillier encryption factors of ⃗c
′
i
due to not knowing
the private key λ. The plaintext template vector ⃗a
i
,
supplied during enrollment and the secret key vector
⃗x
i
used during enrollment and Round 1 remain as such
protected.
6 CONCLUSION
Continuous authentication has been proposed as an
alternative to password-based authentication for com-
puter devices that are handled directly by humans,
such as smart phones. However, continuous authenti-
cation has some privacy issues as certain user features
and actions are revealed to the authentication server.
In this paper, we have considered a privacy-preserving
protocol for behavioral authentication proposed by
Wei et al. in 2021. We show that their scheme is
insecure with regard to an honest-but-curious server
and an active eavesdropper. We present two attacks,
in which the first enables the authentication server to
obtain behavioral template plaintext data, the authen-
tication plaintext data, and the user’s secret encryp-
tion key plaintext. The second attack enables an active
eavesdropper to obtain authentication plaintext data.
The foundational problem is the way that encryp-
tion is conducted during enrollment by means of user
key vector, and that this does not provide any real
protection regarding the authentication server, who
can remove the Paillier encryption factor, and then
algebraically compromise data and user key vectors.
Another foundational problem regarding active adver-
saries is that there is no way to detect message modi-
fication. This is something that would be detected by
most cryptographic authentication protocols, where
authentication is based on zero-knowledge proofs of
some cryptographic keys, but in behavioral authen-
tication schemes the authentication concept is con-
sequently not based on keys, although cryptographic
methods have been proposed for resolving the privacy
issues of behavioral authentication schemes. As such,
we do not see an immediate way to how to fix the
problem.
ACKNOWLEDGEMENT
This work is part of the Privacy Matters (PriMa)
project. The PriMa project has received funding from
European Union’s Horizon 2020 research and innova-
tion programme under the Marie Skłodowska-Curie
grant agreement No. 860315.
REFERENCES
Baig, A. F. and Eskeland, S. (2021). Security, privacy, and
usability in continuous authentication: A survey. Sen-
sors, 21(17):5967.
Balagani, K. S., Gasti, P., Elliott, A., Richardson, A.,
and O’Neal, M. (2018). The impact of application
context on privacy and performance of keystroke au-
thentication systems. Journal of Computer Security,
26(4):543–556.
Blanco-Justicia, A., Domingo-Ferrer, J., Farr
`
as, O., and
S
´
anchez, D. (2014). Distance computation be-
tween two private preference functions. In Cuppens-
Cryptanalysis of a Privacy-preserving Behavior-oriented Authentication Scheme
303
Boulahia, N., Cuppens, F., Jajodia, S., Kalam, A.
A. E., and Sans, T., editors, ICT Systems Security and
Privacy Protection - 29th IFIP TC 11 International
Conference, SEC 2014, Marrakech, Morocco, June 2-
4, 2014. Proceedings, volume 428 of IFIP Advances
in Information and Communication Technology, pages
460–470. Springer.
Boldyreva, A., Chenette, N., Lee, Y., and O’Neill, A.
(2009). Order-preserving symmetric encryption. In
Proceedings of the 28th Annual International Con-
ference on Advances in Cryptology - EUROCRYPT
2009 - Volume 5479, page 224–241, Berlin, Heidel-
berg. Springer-Verlag.
Damg
˚
ard, I., Geisler, M., and Krøigaard, M. (2007). Effi-
cient and secure comparison for on-line auctions. In
Australasian conference on information security and
privacy, pages 416–430. Springer.
Damg
˚
ard, I., Geisler, M., and Krøigard, M. (2008). Homo-
morphic encryption and secure comparison. Interna-
tional Journal of Applied Cryptography, 1(1):22–31.
Damg
˚
ard, I., Geisler, M., and Krøigard, M. (2009). A cor-
rection to ’efficient and secure comparison for on-line
auctions’. International Journal of Applied Cryptog-
raphy, 1(4):323–324.
Domingo-Ferrer, J., Wu, Q., and Blanco-Justicia, A. (2015).
Flexible and robust privacy-preserving implicit au-
thentication. In IFIP International Information Secu-
rity and Privacy Conference, pages 18–34. Springer.
Erkin, Z., Franz, M., Guajardo, J., Katzenbeisser, S., La-
gendijk, I., and Toft, T. (2009). Privacy-preserving
face recognition. In International symposium on pri-
vacy enhancing technologies symposium, pages 235–
253. Springer.
Govindarajan, S., Gasti, P., and Balagani, K. S. (2013).
Secure privacy-preserving protocols for outsourcing
continuous authentication of smartphone users with
touch data. In 2013 IEEE Sixth International Confer-
ence on Biometrics: Theory, Applications and Systems
(BTAS), pages 1–8. IEEE.
Paillier, P. (1999). Public-key cryptosystems based on com-
posite degree residuosity classes. In International
conference on the theory and applications of crypto-
graphic techniques, pages 223–238. Springer.
Safa, N. A., Safavi-Naini, R., and Shahandashti, S. F.
(2014). Privacy-preserving implicit authentication. In
IFIP International Information Security Conference,
pages 471–484. Springer.
Shahandashti, S. F., Safavi-Naini, R., and Safa, N. A.
(2015). Reconciling user privacy and implicit authen-
tication for mobile devices. Computers & Security,
53:215–233.
Wei, F., Vijayakumar, P., Kumar, N., Zhang, R., and Cheng,
Q. (2020). Privacy-preserving implicit authentication
protocol using cosine similarity for internet of things.
IEEE Internet of Things Journal, 8(7):5599–5606.
SECRYPT 2022 - 19th International Conference on Security and Cryptography
304
