A Biometric Self Authentication Scheme

Herv

e Chabanne

1,2 a

IDEMIA, Paris, France

ecom Paris, France

ﬁ

Keywords:

Biometrics, Authentication Protocol, Veriﬁable Computation.

Abstract:

Biometric authentication systems aim to authenticate users with their physiological characteristics. They have

to deal with the inherent noise that occurs when biometric data from the same individual are captured several

times. Leveraging veriﬁable computation techniques, we introduce a new biometric authentication scheme

where users bring proofs of who they pretend to be, while keeping their biometrics. Experimental results

show that our scheme is practical. We detail a real-life use-case of our anonymous self-scan protocol.

1 INTRODUCTION

Progresses in deep learning today enable to recognise

people with tremendous performances. For biomet-

rics, such as, for instance, faces (Wang and Deng,

2021), a vector called template is extracted from im-

ages of the same biometric trait, and associated to his

owner. Unfortunately, for the same person, the tem-

plate may slightly vary due to several reasons: sur-

rounding perturbations, posture, sensor noise, aging.

Biometric authentication has to deal, unlike conven-

tional cryptographic authentication protocols, with

different templates representing the same individual.

The difference between two templates is measured

based on some metric (e.g. Hamming or Euclidean

distance) in a vector space and all templates linked

with the same individual lie, with a strong probabil-

ity, within a maximum distance from a base template

called reference template which was acquired, during

an enrollment step. Therefore, the distance between

a fresh and the reference templates is compared to a

threshold which is ﬁxed for a given system. Whenever

the distance is inferior to the threshold, we consider to

have a match.

In broad words, in our proposal, a user ﬁrst, during

enrollment phase, commits to his reference template.

Later, when he wants to authenticate himself thanks to

another template originating from a real-time reading

of his features, the user has to convince a veriﬁer that

his new template is close to the committed reference

template and a proof based on Veriﬁable Computing

https://orcid.org/0000-0002-5916-3387

(VC) (Parno et al., 2013; Costello et al., 2015) for the

distance evaluation operation is emitted. This way,

leveraging on VC techniques, we can get a self-scan

procedure.

Furthermore, to guarantee privacy of the under-

lying biometrics data, we are going to use commit-

ment schemes (Blum, 1981) for the commitments of

biometric templates and send zero-knowledge proofs

of their opening by the user to the veriﬁer. At the

end, the user will authenticate himself without ever

disclosing the reference or the fresh templates.

A practical illustration is airplane boarding where

a company wants to verify that the person who is

boarding the airplane actually is the one who is reg-

istered in the ticket. In an imaginary scenario based

on our proposal, the passenger’s reference template,

which, for instance, can be derived from the biomet-

ric passport, is included in the ticket using the commit

operation that hides the reference template. This use

case relevantly capitalizes on the features of our bio-

metric authentication scheme: the passenger’s refer-

ence and fresh templates are kept secret thanks to the

privacy-preserving aspect of the protocol, the main

goal of boarding check is achieved based on the bind-

ing property with respect to the authentication of the

passenger. Finally, we imagine that passengers runs

our protocol walking between the entry and exit gates

of boarding corridors.

Another example where our proposal is directly

applicable is for retrieving your car in self-service car

rentals. We think that numerous other applications of

our anonymous self-scan protocol are emerging

Chabanne, H.

A Biometric Self Authentication Scheme.

DOI: 10.5220/0011874400003405

In Proceedings of the 9th International Conference on Information Systems Security and Privacy (ICISSP 2023), pages 749-756

ISBN: 978-989-758-624-8; ISSN: 2184-4356

 2023 by SCITEPRESS – Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

749

2 RELATED WORKS

The analogy between biometric authentication and

commitment schemes has already been made before.

Fuzzy commitment schemes have been proposed by

Juels and Wattenberg (Juels and Wattenberg, 1999)

who deﬁned the syntax and security goals of such

schemes and proposed an instantiation based on error-

correcting code. Their scheme apply to biometric

templates for which the approximate relationship is

the Hamming distance. They proved the security of

their scheme if the input noisy data is uniformly dis-

tributed in the input space. However, biometric data

are not uniformly distributed (see (Tuyls et al., 2007)

for an overview of security applications dealing with

noisy data). In contrast, our scheme leverages a stan-

dard commitment scheme to conceal the biometric

data. We thus do not have to make any assumption on

the distribution of noisy data for the security of our

scheme. Moreover, compared to the previous propos-

als, our scheme has the advantage of being generic

and can deal with various distances such as Hamming

or Euclidean distance.

Another major difference between our proposal

and Juels and Wattenberg’s scheme is related to their

security. Keller et al. (Keller et al., 2020) show that

the fuzzy commitment scheme (Juels and Wattenberg,

1999) offers insufﬁcient protection to biometric tem-

plates when produced by deep learning systems such

as (Schroff et al., 2015; Wu et al., 2018; He et al.,

2016). They present a reconstruction attack that takes

a protected template, and recovers a facial image with

a good chance of success. Note that a similar attack

against a ﬁngerprint access system has also been re-

ported by (Hidano et al., 2012). Finally, (Rathgeb and

Uhl, 2012) presents a statistical attack against fuzzy

commitment schemes. Our proposal does not suffer

from these shortcomings. Indeed, thanks to veriﬁable

computation, the opening of the reference template is

performed by the user. We thus obtain the privacy

of the reference template beyond the opening of the

commit.

Despite their convenience, biometric-based sys-

tems offer several attack points, which are for ex-

ample listed in Jain et al. (Jain et al., 2006). Com-

pared to several privacy-preserving biometric authen-

tication systems, as our proposal does not leak infor-

mation about the result of the distance computation, it

is therefore immune to hill-climbing attacks (Simoens

et al., 2012), whose strategy consists of recovering the

reference template by successive trials, the next pre-

sented template being built by leveraging the last sub-

mitted template and score of the previous attempt

2.1 Liveness Detection

Replay attacks are particularly relevant: a fake bio-

metric trait may be presented at the sensor. The same

can happen at the template level: a stolen template

may be sent again to the biometric matcher in a later

authentication. Extensive research have been con-

duced to thwart these attacks, they belong to the ﬁeld

of liveness detection which is itself a whole research

area (Marcel et al., 2019).

In order to leave the whole process to the user, we

would also need to prove that his template was cor-

rectly extracted from his biometrics and that a live-

ness detection algorithm has accepted the biometric

trait as a legitimate one. This goal is not reachable

in the actual state of the art in veriﬁable computing.

Therefore, we assume that a liveness detection algo-

rithm is run on the user’s device and make the fol-

lowing assumption, similar to (Abidin et al., 2016):

we assume that the client’s device that extracts his

template is trusted in the sense that the biometric

sensor and the biometric templates are only accessi-

ble to the authorized applications of the device; such

trusted environment is today common for mobile de-

vices (Zinkus et al., 2022). This precludes the replay

during the authentication phase – and, even from his

owner – of the reference biometric trait or the direct

injection of any other images; i.e. we make the hy-

pothesis that all the templates in our protocol are com-

ing from a trusted sensor.

3 OVERVIEW OF OUR

PROPOSAL

The protocol takes place between a prover called U

and a veriﬁer called S. From a high-level view, our

goal is to allow a party to commit to a concealed ref-

erence value and to later prove that a freshly captured

value is close to the committed one without revealing

any of those. We stress that both the fresh and the

reference value are known by the prover but are kept

secret from a veriﬁer, who only sees commitments on

these values.

First, U commits to his reference template t

ref

that

will be kept secret, sends that commitment c

ref

to S.

U stores t

ref

and the randomness involved in the com-

mitment computing.

When U wants to authenticate himself, S sends

him a nonce r

nonce

, U captures his own fresh template,

denoted by t

live

, and compares t

ref

and t

live

The function match(t

ref

live

) should thus achieve

fuzzy matching in the sense that even if t

ref

and t

live

are not equal, they should still match if they are close

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

750

enough in the sense of a distance computation.

Since the veriﬁer S has no control on the freshly

captured value, we ask the prover U to commit on that

fresh value and to send S this commitment, c

live

. Note

that U has to use r

nonce

– along with his a random

value r

live

of his own – to compute c

live

At the end of the protocol the veriﬁer is in pos-

session of two commitments that he cannot open, the

prover leverages the proof scheme to prove that the

commitments open to two values t

ref

and t

live

that

match. The proof π should therefore not reveal any

information about the opened values except that i) the

opening was computed following a protocol on which

the veriﬁer and the prover have agreed upon and that

ii) these opened values match. U ﬁnally returns the

proof mentioned above to authenticate himself and S

checks the validity of the proof. If the proof passes,

S can assume with overwhelming probability that the

freshly captured value matches with the reference one

that has been committed in the beginning of the pro-

tocol.

4 BUILDING BLOCKS

4.1 Veriﬁable Computation

A zero-knowledge Succinct Non-Interactive Argu-

ment of Knowledge (Bitansky et al., 2012) (zk-

SNARK) is a protocol where a computationally

bounded prover convinces a veriﬁer that a statement

is true without revealing the veriﬁer anything on the

statement witness. Additionally, a zk-SNARK proof

has short length and requires no interaction between

the veriﬁer and the prover to produce the proof nor

to verify its validity. The zk-SNARKs we will be in-

terested in are also publicly veriﬁable, meaning that

anyone can verify the resulting proof. All the ex-

isting implemented systems can produce proofs on

the NP-complete language of circuit satisﬁability: the

computation to be proved has to be expressed as an

arithmetic circuit, i.e. as an acyclic graph carrying

ﬁnite ﬁeld values where nodes are either additions

or multiplications. Several practical instantiations of

zk-SNARKs have been published (Parno et al., 2013;

Ben-Sasson et al., 2013; Costello et al., 2015; Wahby

et al., 2015; Groth, 2016), building on Gennaro et

al.’s seminal paper (Gennaro et al., 2013), which in-

troduces Quadratic Arithmetic Programs (QAPs) as a

mean to efﬁciently encode circuit satisﬁability.

4.1.1 Syntax

Let C be a NP-statement, expressed as an arithmetic

circuit over a ﬁnite ﬁeld F and λ be a security param-

eter. We denote by w a witness of a valid statement.

A zk-SNARK scheme is deﬁned by three polynomial-

time algorithms (G, P, V), such that:

• (ek

, vk

) ← G(1

, C ): the randomized G algo-

rithm takes as input a security parameter and an

arithmetic circuit and produces two public keys,

an evaluation key ek

and a veriﬁcation key vk

• (y, π) ← P(ek

, x, w): the deterministic P algo-

rithm, takes as inputs a value x, a witness w and

the evaluation key ek

and outputs y = C (x, w)

along with π, a proof that y has been correctly

computed.

• {0, 1} ← V(vk

, x, y, π): Given the veriﬁcation key

, the deterministic V algorithm outputs 1 if

there exists a witness w such that y = C (x, w) and

0 otherwise.

Note that the G algorithm occurs in a pre-processing

phase. It has to be run once for a circuit and can be

reused over multiple instances. A zk-SNARK reaches

the following security properties that we describe in-

formally.

• Completeness: if there exists a satisfying witness

for the statement C , the veriﬁer should always ac-

cept a proof produced by an honest prover.

• Proof of Knowledge: if the proof of a statement C

is accepted by the veriﬁer, it means that not only

a witness exists for the statement but also that the

prover indeed knows this witness. This is formal-

ized with an efﬁcient algorithm that is able to ex-

tract the witness from the proof.

• Zero-Knowledge: the proof reveals no more in-

formation about the witness that what could be

inferred from the result of the computation. This

is formalized with an algorithm that can simulate

proofs, zero-knowledge is thus reached if a veri-

ﬁer cannot distinguish between a proof produced

by the prover and a proof produced by the simula-

tor.

• Efﬁciency: the proof has a polynomial size in the

security parameter and the veriﬁer algorithm runs

in time that is polynomial in the security parame-

ter and the input length.

The classical Soundness property which states that

no cheating prover can convince an honest veriﬁer

that a false statement is true, except with some small

probability can be hardened to Knowledge Soundness

where a malicious prover cannot convince the veriﬁer

unless he knows the witness for the statement.

A Biometric Self Authentication Scheme

751

Finally, Simulation Soundness property tells

whether an adversary can cheat knowing simulated

proofs. Note that knowledge soundness combined

with simulation soundness implies non-malleability

of proofs.

4.1.2 Security

Gennaro et al. show in (Gennaro et al., 2013) that

the above properties are reached for pairing-based

zk-SNARKs built from QAPs as long as a Difﬁe-

Hellman like assumption and a knowledge of ex-

ponent assumption in bilinear groups (Groth, 2010)

hold. Groth (Groth, 2016) obtains an efﬁcient pairing-

based zk-SNARK at the cost of proving security in the

generic group model. We denote this scheme Groth16

in the following.

4.2 Commitment Schemes

Commitment schemes (Blum, 1981) involve two par-

ties and allow one party called U to commit to a mes-

sage m to another party S. Later, the commitment can

be opened, which means that U reveals the commit-

ted message. The commitment scheme is secure if it

is hiding and binding. The hiding property guarantees

that the commitment reveals no information about the

message itself while the binding property states that,

once a message is committed, the commitment can-

not be opened to another value than the committed

one. It is also required that the scheme is correct: if

U opens the commitment to the good message, S must

accept it. Depending on the scheme goal, the hiding

and binding properties can be unconditional or com-

putational but hiding and binding properties cannot be

simultaneously unconditional (Fischlin, 2001). Syn-

tax of non-interactive commitment schemes are given

below.

Parameter Generation: p

← KeyGen(1

): From

a security parameter λ, the key generation algorithm

KeyGen outputs a public key p

Commit Stage: c ← Commit(p

, m;r): the commit-

ment algorithm Commit takes a message m, a public

key p

and some randomness r and outputs a commit-

ment c.

Open Stage: b ∈ {0, 1} ← Verif(p

, c, r, m): the ver-

iﬁcation algorithm Verif takes as input a public key

, a message m, a commitment c and an opening

value r and outputs 1 if c opens to m and 0 otherwise.

5 SECURITY PROPERTIES

Our proposal is an application of well-known cryp-

tographic techniques and directly inherits its security

properties from them.

Correctness. Following a deﬁnition by Abidin et al.

(Abidin et al., 2016) that says that a biometric au-

thentication protocol is correct if for all enrolled users

with corresponding reference template t

ref

and for all

fresh biometric template t

live

, successful authentica-

tion occurs when and only when d(t

ref

live

) < τ. It is

easy to see that our scheme fulﬁls these requirements

of correctness.

Besides correctness, on the one hand, we want

users’ privacy, i.e. the conﬁdentiality of their biomet-

rics and on the other hand, as biometric authentica-

tion is entirely completed by users, the elements they

send must be faithful about how authentication goes;

moreover, we have to enforce the fact that the biomet-

ric data involved in this procedure correspond to the

actual person who is authenticating.

5.1 Conﬁdentiality of Biometric

Templates

By design, all biometric data are kept by their owner.

We rely on the hiding property of the commitment

schemes to ensure the conﬁdentiality of t

ref

(resp. t

live

)

having access to c

ref

(resp. c

live

). The only other ele-

ments that are revealed by users are proofs. The zero-

knowledge property of the VC system implies that

S learns anything from π other than the value of the

proven statement.

5.2 Delegation of Biometric

Authentication Protocol to U

Our self-authentication scheme must be carried out as

it was realized by S.

We introduce two procedural measures: trusted

sensors (see Sec. 2.1) and boarding corridors (see

Sec. 7.1).

Trusted sensors ensure that templates are extracted

from the biometric traits of real persons.

The idea behind boarding corridors is to isolate

users from the rest of the world during the authenti-

cation phase; preventing them from using their smart-

phone with their biometric data and then lend it to

someone else. Note that at the entry gate of the corri-

dor, a nonce r

nonce

is sent by S, triggering the authen-

tication phase; the use of r

nonce

is made mandatory

for the computation of c

live

(see Sec. 6). In corri-

dors, users perform a fresh biometric capture, getting

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

752

live

and compute c

live

together with the proof π. Our

protocol is fast enough for being executed while the

passenger is crossing the corridor. If the authentica-

tion succeeds, the exit boarding gate opens to let the

passenger reach his plane.

Binding of U. The binding property of commitment

schemes ensures that c

ref

(resp. c

live

) sent by U cannot

be opened by other values than corresponding biomet-

ric template t

ref

(resp. t

live

π also indicates if t

ref

is close to t

live

and, whether

or not r

nonce

has been used during the computation of

live

Non Malleability of π. If the proof π is malleable

(and in particular is not simulation sound), then a ma-

licious party could impersonate the prover by taking a

proof computed with respect to a random value – for

instance, before the entrance of the passenger inside

a boarding corridor – transforming it into a new proof

for another value, e.g. r

nonce

To thwart this threat,

we have to use a zk-SNARK scheme which guaran-

tees that an adversary cannot change π to prove a new

statement. Note that the original Groth’s zk-SNARK

Groth16 is indeed malleable (Groth and Maller, 2017)

but that there are alternatives (Baghery et al., 2020;

Baghery et al., 2021; Atapoor and Baghery, 2019)

providing non-malleability while achieving an efﬁ-

ciency close to Groth16.

6 OUR PROPOSAL

In this section, we describe in details our protocol

overviewed in Section 3. We keep the notations de-

ﬁned in Section 4.

Let C be the circuit implementing the function f tak-

ing as input (t

ref

live

, r

ref

, r

live

, c

ref

, c

live

) and return-

ing:











ref

← Verif(p

, c

ref

, r

ref

)

= 1

live

← Verif(p

, c

live

, r

auth

live

)

= 1

dist

← d(t

ref

live

)

< τ

nonce

← r

auth

= r

nonce

||r

live

(1)

where r

auth

= r

nonce

||r

live

with || standing for the

concatenation; r

nonce

being sent by the veriﬁer S and

live

being randomly chosen by the user.

The function f veriﬁes in d

dist

a matching between

live

and t

ref

under the threshold τ, in d

ref

(resp. d

live

)

commitments opening to t

ref

(resp. t

live

) and in d

nonce

that r

auth

is well-formed, beginning with r

nonce

. The

inputs t

ref

and t

live

and the commitments opening

should be private in (1), i.e. the proof that f was cor-

rectly computed should reveal no information about

live

and t

ref

nor about the computation of the commit-

ment openings.

The protocol proceeds in the following way:

In the setup phase, the KeyGen algorithm of the

commitment scheme is run to get the public key p

later used in the commit function.

Then, the G algorithm of the zk-SNARK scheme

is run and the evaluation key ek

and the veriﬁcation

key vk

are generated. The input circuit of the al-

gorithm is the circuit C implementing the function f

deﬁned in formula (1). The distance and the thresh-

old are algorithm dependent and are set once the cir-

cuit is deﬁned. The commitment veriﬁcation function

Verif is also set in the circuit. The commit public

key and the evaluation and veriﬁcation keys are thus

supplied to U and S.

We assume that there exists a function denoted by

GetTemplate that outputs the biometric template of

the user. We make the assumption that templates of

the same person extracted thanks to GetTemplate are

taken at random within a distance τ. I.e. for a given

biometric trait, two calls to GetTemplate, will out-

put t,t

′

such that d(t,t

′

) < τ. This is validated in prac-

tice where multiple acquisitions of the same biometric

trait lead to different templates.

During the enrollment phase, U calls

GetTemplate and obtains a reference tem-

plate t

ref

from his biometric trait. He gets

ref

= Commit(p

ref

) the commitment as-

sociated to t

ref

and sends it to S.

Remark 1. We assume that the function

GetTemplate is implemented by a trusted sen-

sor. The same is true for the commitments, i.e.

the function CommitReferenceTemplate (resp.

CommitFreshTemplateProve) is implemented by

a trusted environment during the enrollment (resp.

authentication) phase (see Sec. 2.1).

For the authentication phase, U calls again the

GetTemplate function and gets a fresh biometric

template t

live

U picks a random value r

live

, gets another random

value r

nonce

from S and uses it to compute a com-

mitment c

live

= Commit(p

live

auth

) where r

auth

nonce

||r

live

. Using the evaluation key ek

, U com-

putes a proof π of correctness for the function f de-

ﬁned in (1). In this computation, t

ref

, t

live

, r

ref

and

live

are private inputs for the prover. This means

that, leveraging the zero-knowledge functionality of

the zk-SNARK scheme, the proof π does not reveal

information about them. Moreover, the argument

of knowledge property of the zk-SNARK guarantees

that the prover is in possession of t

ref

and t

live

. On the

contrary, the values c

ref

and c

live

are public inputs in

function f and the veriﬁer can supply them in the zk-

A Biometric Self Authentication Scheme

753

Setup:

Given the circuit C associated to function f de-

ﬁned by formula (1)

(ek

, vk

, p

) ← Setup(1

where:



(ek

, vk

) ← G( f , 1

)

← KeyGen(1

)

Enrollment:

GetReferenceTemplate:

ref

← GetTemplate()

CommitReferenceTemplate:

ref

← Commit(p

ref

), r

ref

← {0, 1}

Authentication:

GetFreshTemplate:

live

← GetTemplate()

CommitFreshTemplateProve:

live

, π) ← CommitFTProve(ek

, p

ref

live

ref

, r

auth

, c

ref

)

where:

• r

live

← {0, 1}

• c

live

← Commit(p

live

auth

where r

auth

= r

nonce

||r

live

• π ← P(ek

ref

live

, r

ref

, r

auth

, c

ref

, c

live

)

Matching:

out ← V(vk

, p

, π, c

ref

, c

live

Figure 1: Instantiation Syntax of Our Authentication Proto-

col (Functions in boxes are implemented inside U’s smart-

phone trusted environment).

SNARK veriﬁcation algorithm V. U then sends S the

proof π and the second commitment c

live

. Note that

π contains the result of the matching since the func-

tion checks that the computed distance is inferior to

the threshold.

In the following, we write CommitFTProve for

the function which outputs both the commitment c

live

of the fresh biometric template t

live

together with the

proof π.

For the matching phase, using the veriﬁcation

key vk

and the inputs c

ref

and c

live

, S checks the va-

lidity of the proof. If the proof veriﬁcation passes, the

matching algorithm V outputs accept and S can con-

clude that U is in possession of a fresh template t

live

that matches with the initially committed template t

ref

The syntax of our protocol is given in Fig. 1, with

the notations of Sec. 4.

7 APPLICATIONS

7.1 Use Case: Privacy-Preserving

Boarding Check Systems

Let us consider a scenario where an airline proposes a

privacy-preserving boarding check for its ﬂights. We

assume that users who want to beneﬁt of this scheme

are in possession of a smartphone, which is equipped

with a face recognition algorithm with liveness detec-

tion.

User U will proceed in two steps to board. First,

U extracts a template from his face, commits to it and

builds an airplane ticket containing the commitment

and additional information such as the ﬂight number,

the seat number and the validity duration of the ticket.

This ticket is signed by the airline and sent back to U.

In a second phase, when U arrives at the airport,

he has to cross a boarding corridor equipped with a

device able to receive data and to store the signature

veriﬁcation keys and the veriﬁcation keys vk

of the

system. In this corridor, he runs our protocol. Using

the signature public key, the device runs the signature

veriﬁcation algorithm to check the authenticity of the

commitment c

ref

. If the signature veriﬁcation passes,

the device then checks that the ticket is valid by sim-

ply checking the date of validity ﬁeld of the ticket. If

so, the device runs the algorithm V with inputs c

ref

live

and π to grant access to U .

7.1.1 Law Enforcement

The previous scenario enables to perform authentica-

tion without needing the user’s identity. In real life,

this might not seem realistic since no airline can ac-

cept to board a customer without having his name. In-

deed, many countries require airlines to provide per-

sonal information about the passengers they carry. We

thus propose a slight change to the previous scenario

in order to take this requirement into account: dur-

ing the registration phase, user U sends to a trusted

party (which we can be for instance the state where

the airplane ticket is bought or the ICAO) not only his

commit, ﬂight number and seat but also his identity

information (e.g. a photo of his passport). The trusted

party can check the latter to verify for instance that

user U does not belong to a blacklist. Once the se-

curity checks have been performed, the trusted party

can remove the identity of the user and sign the same

ticket as in the previous section. The protocol then

proceeds as before.

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

754

Table 1: Experimental results on the VC part.

Template component numbers EK size VK size Keygen Prove Verify Proof size

128 4.5 MB 61 kB 1.91 s 0.66 s 0.0015 s 120 B

256 8.2 MB 61 kB 3.37 s 1.32 s 0.0015 s 120 B

384 11.7 MB 61 kB 4.90 s 1.75 s 0.0015 s 120 B

512 15.9 MB 61 kB 6.46 s 2.57 s 0.0015 s 120 B

8 EXPERIMENTS

We here report some ﬁgures about the implementation

of our proposal. The experiments were performed on

a 8-core machine running at 2.9 GHz with 16 GB of

RAM, using no parallelization. The veriﬁable compu-

tation system is Groth16 (Groth, 2016) – which seems

to us representative in terms of performances – and its

implementation within the libsnark library (avail-

able at https://github.com/scipr-lab/libsnark). We ﬁrst

assume that the biometric face recognition system is

Schroff et al.’s Facenet (Schroff et al., 2015). This

state of the art convolutional neural network algo-

rithm takes as input a face image and outputs a vector

with 128 ﬂoating-point numbers components. To de-

cide if two vectors come from the same individual an

Euclidean distance is computed. Afterwards, we also

experiment the scalability of our scheme by letting the

number of components of the templates increase.

Recall that to be able to verify a computation, a

circuit representing this computation needs to be de-

signed. Moreover, minimizing the size of the circuit

improves the performance of the zk-SNARK scheme.

We thus implement a squared euclidean distance to

avoid an expensive square root computation. We also

convert the ﬂoating-point numbers into a ﬁxed-point

representation on 32 bit integers. Doing that way,

we keep the same biometric performances. The re-

sulting biometric template is thus 4096 bit long. Re-

garding the commitment scheme, we choose Kawachi

et al.’s commitment scheme (Kawachi et al., 2008)

which is built from Ajtai hash function (Ajtai, 1996).

Ajtai hash function is provably secure and is efﬁ-

ciently implementable in the zk-SNARK efﬁciency

model (Kosba et al., 2015) (recall that a computa-

tion to be veriﬁed has to be expressed as a circuit

over a ﬁnite ﬁeld and that addition in this circuit are

free). Kawachi et al. prove that the resulting com-

mitment scheme is statistically hiding and computa-

tionally binding. Let q be the prime number equal

to the cardinality of the prime ﬁeld where the com-

putations of the zk-SNARK scheme take place. Let

(n, m) be two integers such that: m > n log q. The

Ajtai hash function family is deﬁned as H (q, m) =

{ f

: {0, 1}

→ F

|A ∈ M

n,m

)} where f

(x) =

A · x mod q.

Let B and C be two randomly chosen (n, m)-matrices

in M

n,m

). Denoting by A the matrix deﬁned by

A = [B C] and by ρ a randomly chosen value in

{0, 1}

, the commitment of an input string s ∈ {0, 1}

is thus: Com

(s;ρ) := f

(ρ) + f

(s). Using Merkle-

Damg

ard construction, Kawachi et al. extend this

commitment scheme to arbitrary length strings in

(Kawachi et al., 2008). Based on Kosba et al. (Kosba

et al., 2015), we choose q to be the 254-bit prime

where arithmetic circuits are deﬁned, m = 1524 and

n = 3.

Table 1 reports our proving and veriﬁcation times.

Note that the key generation algorithm, besides being

efﬁcient, has only to be run once: the same evaluation

and veriﬁcation keys can be reused after that.

ACKNOWLEDGMENTS

A ﬁrst version of this work has been written by Julien

Keuffer while he was working at Idemia, his PhD su-

pervisor Reﬁk Molva and me. I thank Melek

Onen

and Vincent Despiegel for their help.

REFERENCES

Abidin, A., Aly, A., Argones-R

ua, E., and Mitrokotsa, A.

(2016). Efﬁcient veriﬁable computation of XOR for

biometric authentication. In CANS, volume 10052 of

Lecture Notes in Computer Science, pages 284–298.

Ajtai, M. (1996). Generating hard instances of lattice prob-

lems (extended abstract). In STOC, pages 99–108.

ACM.

Atapoor, S. and Baghery, K. (2019). Simulation extractabil-

ity in groth’s zk-snark. In DPM/CBT@ESORICS, vol-

ume 11737 of Lecture Notes in Computer Science,

pages 336–354. Springer.

Baghery, K., Kohlweiss, M., Siim, J., and Volkhov, M.

(2021). Another look at extraction and randomization

of groth’s zk-snark. In Financial Cryptography (1),

volume 12674 of Lecture Notes in Computer Science,

pages 457–475. Springer.

Baghery, K., Pindado, Z., and R

afols, C. (2020). Simulation

extractable versions of groth’s zk-snark revisited. In

CANS, volume 12579 of Lecture Notes in Computer

Science, pages 453–461. Springer.

A Biometric Self Authentication Scheme

755

Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., and

Virza, M. (2013). Snarks for C: verifying program

executions succinctly and in zero knowledge. In

CRYPTO (2), volume 8043 of Lecture Notes in Com-

puter Science, pages 90–108. Springer.

Bitansky, N., Canetti, R., Chiesa, A., and Tromer, E. (2012).

From extractable collision resistance to succinct non-

interactive arguments of knowledge, and back again.

In Innovations in Theoretical Computer Science 2012,

pages 326–349.

Blum, M. (1981). Coin ﬂipping by telephone. In CRYPTO,

pages 11–15. U. C. Santa Barbara, Dept. of Elec. and

Computer Eng., ECE Report No 82-04.

Costello, C., Fournet, C., Howell, J., Kohlweiss, M.,

Kreuter, B., Naehrig, M., Parno, B., and Zahur, S.

(2015). Geppetto: Versatile veriﬁable computation.

In IEEE Symposium on Security and Privacy, pages

253–270. IEEE Computer Society.

Fischlin, M. (2001). Trapdoor commitment schemes and

their applications. PhD thesis, Goethe University

Frankfurt, Frankfurt am Main, Germany.

Gennaro, R., Gentry, C., Parno, B., and Raykova, M.

(2013). Quadratic span programs and succinct nizks

without pcps. In EUROCRYPT, volume 7881 of

Lecture Notes in Computer Science, pages 626–645.

Springer.

Groth, J. (2010). Short pairing-based non-interactive zero-

knowledge arguments. In ASIACRYPT, volume 6477

of Lecture Notes in Computer Science, pages 321–

340. Springer.

Groth, J. (2016). On the size of pairing-based non-

interactive arguments. In EUROCRYPT (2), volume

9666 of Lecture Notes in Computer Science, pages

305–326. Springer.

Groth, J. and Maller, M. (2017). Snarky signatures:

Minimal signatures of knowledge from simulation-

extractable snarks. In CRYPTO (2), volume 10402 of

Lecture Notes in Computer Science, pages 581–612.

Springer.

He, K., Zhang, X., Ren, S., and Sun, J. (2016). Deep resid-

ual learning for image recognition. In CVPR, pages

770–778. IEEE Computer Society.

Hidano, S., Ohki, T., and Takahashi, K. (2012). Evaluation

of security for biometric guessing attacks in biomet-

ric cryptosystem using fuzzy commitment scheme. In

BIOSIG, volume P-196 of LNI, pages 1–6. GI.

Jain, A. K., Ross, A., and Pankanti, S. (2006). Biomet-

rics: a tool for information security. IEEE Trans. Inf.

Forensics Secur., 1(2):125–143.

Juels, A. and Wattenberg, M. (1999). A fuzzy commitment

scheme. In CCS, pages 28–36. ACM.

Kawachi, A., Tanaka, K., and Xagawa, K. (2008). Con-

currently secure identiﬁcation schemes based on the

worst-case hardness of lattice problems. In ASI-

ACRYPT, volume 5350 of Lecture Notes in Computer

Science, pages 372–389. Springer.

Keller, D., Osadchy, M., and Dunkelman, O. (2020). Fuzzy

commitments offer insufﬁcient protection to biomet-

ric templates produced by deep learning. CoRR,

abs/2012.13293.

Kosba, A. E., Zhao, Z., Miller, A., Qian, Y., Chan, T. H.,

Papamanthou, C., Pass, R., Shelat, A., and Shi, E.

(2015). How to use snarks in universally composable

protocols. IACR Cryptol. ePrint Arch., 2015:1093.

Marcel, S., Nixon, M. S., Fi

errez, J., and Evans, N. W. D.,

editors (2019). Handbook of Biometric Anti-Spooﬁng

- Presentation Attack Detection, Second Edition. Ad-

vances in Computer Vision and Pattern Recognition.

Springer.

Parno, B., Howell, J., Gentry, C., and Raykova, M. (2013).

Pinocchio: Nearly practical veriﬁable computation. In

IEEE Symposium on Security and Privacy, pages 238–

252. IEEE Computer Society.

Rathgeb, C. and Uhl, A. (2012). Statistical attack against

fuzzy commitment scheme. IET Biom., 1(2):94–104.

Schroff, F., Kalenichenko, D., and Philbin, J. (2015).

Facenet: A uniﬁed embedding for face recognition

and clustering. In CVPR, pages 815–823. IEEE Com-

puter Society.

Simoens, K., Bringer, J., Chabanne, H., and Seys, S. (2012).

A framework for analyzing template security and pri-

vacy in biometric authentication systems. IEEE Trans.

Inf. Forensics Secur., 7(2):833–841.

Tuyls, P., Skoric, B., and Kevenaar, T., editors (2007). Secu-

rity with noisy data : on private biometrics, secure key

storage and anti-counterfeiting. Springer, Germany.

Wahby, R. S., Setty, S. T. V., Ren, Z., Blumberg, A. J., and

Walﬁsh, M. (2015). Efﬁcient RAM and control ﬂow

in veriﬁable outsourced computation. In NDSS. The

Internet Society.

Wang, M. and Deng, W. (2021). Deep face recognition: A

survey. Neurocomputing, 429:215–244.

Wu, X., He, R., Sun, Z., and Tan, T. (2018). A light CNN

for deep face representation with noisy labels. IEEE

Trans. Inf. Forensics Secur., 13(11):2884–2896.

Zinkus, M., Jois, T. M., and Green, M. (2022). Sok: Cryp-

tographic conﬁdentiality of data on mobile devices.

Proc. Priv. Enhancing Technol., 2022(1):586–607.

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

756