**Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints**

Bon K. Sy and Arun P. Kumara Krishnan

Additional information is available at the end of the chapter

http://dx.doi.org/10.5772/51372

## **1. Introduction**

18 New Trends and Developments in Biometrics

190 New Trends and Developments in Biometrics

34–39, 2009.

2011.

[55] A. Stoianov, T. Kevenaar, and M. van der Veen. Security issues of biometric encryption. In *Proc. of the Toronto Int. Conf. Science and Technology for Humanity (TIC-STH)*, pages

[56] I. R. Buhan, J. M. Doumen, P. H. Hartel, and R. N. J. Veldhuis. Fuzzy extractors for

[57] E. J. C. Kelkboom, J. Breebaart, I. Buhan, and R. N. J. Veldhuis. Analytical template protection performance and maximum key size given a gaussian modeled biometric

[58] T. Ignatenko and F. M. J. Willems. Information leakage in fuzzy commitment schemes.

[59] X. Zhou, A. Kuijper, R. N. J. Veldhuis, and C. Busch. Quantifying privacy and security of biometric fuzzy commitment. In *Int'l Joint Conf. on Biometrics - IJCB2011*, pages 1–8,

continuous distributions. Technical report, University of Twente, 2006.

source. In *Proc. of SPIE defense, security and sensing*, 2010.

*Trans. on Information Forensics and Security*, 5(2):337–348, 2010.

Biometric approach for authentication is appealing because of its convenience and possibili‐ ty to offer security with non-repudiation. However, additional hardware such as biometric scanners and complex software for feature extraction and biometric template matching are required if biometric approach is to provide security for protecting sensitive data such as personal health information.

Cryptographic approach, on the other hand, ties data protection mathematically to the *Key* that is utilized to protect it. This allows a data owner to have complete control over one's personal information without relying on, or relinquishing control to, a third party authority. The protection of personal sensitive information is also not tied to complex software and hardware systems that may need constant patches.

Biometric authentication and authorization for data protection could be thought of as ena‐ bling security based on "what one is." The lynchpin of biometric security is the use of suffi‐ ciently unique, but often imprecise, physiological or behavioral traits to characterize an individual for authentication and identification purposes. The characterization is expressed in form of some biometric signature, which often can be reduced to some feature vector or matrix representation. For example, a biometric face could be expressed in terms of a linear‐ ized vector of color distribution [1], EigenMap [2], or Eigen Face components [3]. In our re‐ search a fingerprint is expressed in terms of a 320x1 vector of integers containing minutia point information, and a voice signature is expressed in terms of a 20x1 mean vector and a 20x20 covariance matrix of Mel cepstrum characterizing the multi-variant Gaussian distribu‐ tion of an individual's voiceprint [4]. The security parameter for assessing the strength of a biometrically based approach is typically related to the size of the underlying feature vector (or matrix) and the number of bits for representing a value, as well as the biometric data dis‐

© 2012 Sy and Kumara Krishnan; licensee InTech. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. © 2012 Sy and Kumara Krishnan; licensee InTech. This is a paper distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

tribution leading to inter and intra variability --- a main source of false negative or false pos‐ itive alarms when applying biometric approach for security.

on fingerprints. In other words, we use a (cryptographic) key generator to generate the en‐ cryption/decryption key pair, and use the key to encrypt the sensitive personal information. Afterward, we discard the key generator and the encryption key. Then, we encode the de‐ cryption key using an individual's biometric signatures. The encrypted personal data and the encoded decryption key are given to the individual while the original decryption key will be kept in a separated server without the sensitive personal data. During the retrieval process, the data owner will use his/her biometric signature to *subtract* from the encoded de‐ cryption key, and then use it to reconstruct the exact decryption key through SIPPA-2.0 for

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

http://dx.doi.org/10.5772/51372

193

The contribution of this research is a cryptographic key (re)generation scheme based on bio‐

**1.** A client/server model is developed for privacy preserving cryptographic key regenera‐ tion; where the decryption key --- no (encrypted) personal data --- is stored in the serv‐ er. In this case, the security and the privacy of the data are still preserved even if the server is compromised. The client party, on the other hand, holds a storage device con‐ taining the encrypted sensitive data and the decryption key encoded with personal bio‐ metrics. Without the individual's biometrics, decryption key cannot be decoded, thus the confidentiality of the encrypted sensitive data is still preserved even if the storage

**2.** A 2-party secure computation protocol, referred to as *SLSSP*(Secure Linear System Solu‐ tion Protocol), is developed for privacy preserving data comparison based on solving lin‐ ear equations that yields a solution; and this solution can be used to estimate the similarity or the closeness between the source (server side) data and the target (client side) data.

**3.** A secure information processing protocol, referred to as SIPPA-2.0 (Secure Information Processing with Privacy Assurance Version 2.0), is developed to realize a 2-party mes‐ sage exchange protocol through which the client and the server could determine how similar their data are to each other by using SLSSP --- without ever revealing their own private data. Furthermore, the client can perfectly reconstruct the server side data if the server provides helper data after the server side determines that the client data is suffi‐ ciently similar; whereas the perfect reconstruction is based on a geometrical relation‐ ship in the vector space among the helper data and the Eigen components of the client

**4.** For proof-of-concept, we implement the cryptographic key regeneration scheme as an Android application for privacy preserving health data management. More specifically, the Android application stores in the memory of a smart phone the encrypted health da‐ ta and the decryption key encoded by personal fingerprints. During the health data re‐ trieval process, the Android application receives a fingerprint sample (from a fingerprint scanner via a Bluetooth channel) and uses it as an offset to the encoded decryption key to arrive at an estimated decryption key; and then acts as a client to invoke SLSSP and SIPPA for reconstructing a perfect decryption key based on the helper data of the serv‐ er when the estimated decryption key is sufficiently similar to the actual decryption key.

decrypting the personal information.

device is compromised or stolen.

and source data.

metrics. The scheme is comprised of the following components:

On the other hand, cryptographically based security could be thought of as a security ap‐ proach based on "what one knows." The lynchpin of cryptographic security is the secret key for decrypting a cipher text that is the encrypted from sensitive data. The security parameter for assessing the strength of a cryptographic approach is typically the key size in terms of the number of bits, and information leakage which can be measured by the information gain on the sensitive data given its corresponding cipher text and the mathematical structure of the cryptographic mechanism for encryption/decryption. In order to mitigate the risk of in‐ formation leakage, semantic security is desirable. In brief, we say it is semantically secure with IND-CPA property (INDistinguishability under Chosen Plaintext Attack) [5] if one is given the cipher texts of some encryption, one could not tell whether the cipher texts corre‐ spond to the encryption of the same text; i.e., the given cipher texts are indistinguishable, thus thwarting a Chosen Plaintext Attack.

In theory, the size of a biometric signature or the size of a secret key in cryptography could be increased indefinitely to increase the security strength. However, in practice, the limita‐ tion in the resolution of biometric sensors, among other factors, does not allow the security strength to be scaled proportionally. On the other hand, cryptographic approach has its own drawback too. Since the confidentiality of sensitive data is protected through encryption, one must keep the decryption key as a secret. Generally the secret key is generated and withheld by the party that handles the decryption of the sensitive data. If the secret key is compromised, the confidentiality of the sensitive data is compromised.

**Figure 1.** Cryptographic key (re)generation protocol.

The objective of this research is to investigate a secure computation protocol for (re)generat‐ ing cryptographic key based on biometric signatures. More specifically, we want to protect sensitive personal data based on strong cryptographic approach (e.g., AES256) [6]. But we do not store the secret key anywhere. Instead, we (re)generate the secret key based on an individual's biometric signatures; e.g., fingerprints or voiceprints. In this research we focus on fingerprints. In other words, we use a (cryptographic) key generator to generate the en‐ cryption/decryption key pair, and use the key to encrypt the sensitive personal information. Afterward, we discard the key generator and the encryption key. Then, we encode the de‐ cryption key using an individual's biometric signatures. The encrypted personal data and the encoded decryption key are given to the individual while the original decryption key will be kept in a separated server without the sensitive personal data. During the retrieval process, the data owner will use his/her biometric signature to *subtract* from the encoded de‐ cryption key, and then use it to reconstruct the exact decryption key through SIPPA-2.0 for decrypting the personal information.

tribution leading to inter and intra variability --- a main source of false negative or false pos‐

On the other hand, cryptographically based security could be thought of as a security ap‐ proach based on "what one knows." The lynchpin of cryptographic security is the secret key for decrypting a cipher text that is the encrypted from sensitive data. The security parameter for assessing the strength of a cryptographic approach is typically the key size in terms of the number of bits, and information leakage which can be measured by the information gain on the sensitive data given its corresponding cipher text and the mathematical structure of the cryptographic mechanism for encryption/decryption. In order to mitigate the risk of in‐ formation leakage, semantic security is desirable. In brief, we say it is semantically secure with IND-CPA property (INDistinguishability under Chosen Plaintext Attack) [5] if one is given the cipher texts of some encryption, one could not tell whether the cipher texts corre‐ spond to the encryption of the same text; i.e., the given cipher texts are indistinguishable,

In theory, the size of a biometric signature or the size of a secret key in cryptography could be increased indefinitely to increase the security strength. However, in practice, the limita‐ tion in the resolution of biometric sensors, among other factors, does not allow the security strength to be scaled proportionally. On the other hand, cryptographic approach has its own drawback too. Since the confidentiality of sensitive data is protected through encryption, one must keep the decryption key as a secret. Generally the secret key is generated and withheld by the party that handles the decryption of the sensitive data. If the secret key is

The objective of this research is to investigate a secure computation protocol for (re)generat‐ ing cryptographic key based on biometric signatures. More specifically, we want to protect sensitive personal data based on strong cryptographic approach (e.g., AES256) [6]. But we do not store the secret key anywhere. Instead, we (re)generate the secret key based on an individual's biometric signatures; e.g., fingerprints or voiceprints. In this research we focus

compromised, the confidentiality of the sensitive data is compromised.

itive alarms when applying biometric approach for security.

thus thwarting a Chosen Plaintext Attack.

192 New Trends and Developments in Biometrics

**Figure 1.** Cryptographic key (re)generation protocol.

The contribution of this research is a cryptographic key (re)generation scheme based on bio‐ metrics. The scheme is comprised of the following components:


## **2. Problem formulation and Related Work**

### **2.1. SLSSP and SIPPA formulation**

The concept of SLSSP (formerly referred to as PPCSC) and SIPPA was first introduced in the book chapter of *Biometrics* [7] (INTECH 2011). SLSSP aims at solving the following problem:

(c) Only if the client and server data are sufficiently close and the server sends the client the

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

http://dx.doi.org/10.5772/51372

195

The major improvement of SIPPA-2.0 over the previous one is the use of a newly discovered computational geometry that allows perfect data reconstruction from the solution x securely computed in SLSSP. Before we discuss the details of SIPPA-2.0, we first present a survey on

Our research draws from various other works in the literature of biometrics and secure com‐ putation. We first discuss the major works in biometrics on which we draw upon, and then

Hao et al. [8] [9] were among the pioneers in successfully melding biometrics with cryptog‐ raphy. Iris codes typically contain 10-20% error between samples of the same eye. By utiliz‐ ing a two tier approach of Hadamard and Reed Solomon Codes to correct both random and burst errors; they achieved a successful *Key* retrieval rate of over 99%. Our research draws from their overall approach of appending a random *Key* with biometrics and then negating this appended biometrics with another biometric sample to retrieve the original crypto‐ graphic *Key*. However, SIPPA-2.0 allows us to achieve perfect key reconstruction without

Barni et al. [10] utilize a finger-code approach to represent a fingerprint partitioned into sec‐ tors from a reference point. Their approach is to utilize these finger-codes to perform finger‐ print matching over homomorphic encryption; essentially computing a Euclidean distance between two sets of finger-codes over homomorphic encryption. In contrast to traditional matching methods, such an approach is more privacy aware because the matching process does not expose the biometric sample being matched to the matching agent. Our research draws a few ideas from them including the use of a reference point and sector segmentation to represent fingerprints. However, we notice that any approach applying homomorphic en‐ cryption for matching comparison is restricted by using only the matching functions that can be privately computed via the multiplicative or additive properties of the specific homo‐ morphic encryption. In our research, homomorphic encryption is applied in the (SIPPA-2.0) protocol layer which allows not only private data comparison, but source data reconstruc‐ tion; thus providing additional flexibility on the choice of matching criteria and functions.

Clancy et al. [11] pioneered the use of fingerprints to generate cryptographic Keys. Their es‐ sential approach is to use Minutia points as the feature set and Reed-Solomon error correc‐ tion to handle noise inherent in biometric samples. To describe their approach in their own

*"Fingerprint minutiae coordinates m <sup>i</sup> are encoded as elements in a Finite Field F and the secret Key is encoded in a polynomial f(x) over F[x]. The polynomial is evaluated at the minutiae locations, and the pairs (m <sup>i</sup> ; f(m i)) are stored along with random (c <sup>i</sup> ; d i) chaff points such that d i!= f(c i). Given a matching Fingerprint, a valid user can separate out enough true points from the chaff points to recon‐*

helper data, the client can perfectly reconstruct the source data.

the advances in secure computation to which SIPPA-2.0 is related.

using any error correction codes such as Hadamard or Reed Solomon.

related work.

words:

*struct f(x), and hence the original secret Key."*

**2.2. Related Work**

Let P1 and P2 be two parties and each has private data (Ai, bi) for i=1,2; whereas Ai is a ma‐ trix and bi is a vector. Both parties wish to compute x in (A1+ A2)x = (b1 + b2) without re‐ vealing its own private data (Ai, bi) to each other.

In section 6 we will present the protocol design of SLSSP --- which is an improved version of PPCSC. The security and privacy analysis of SLSSP under realistic and reasonable model as‐ sumptions will be presented in the appendix. Specifically, the security and privacy of SLSSP will be analyzed under these model assumptions; authenticated communication channels with computational security, the behavior of the participants being rational, and the compu‐ tational power of the adversary is polynomial bounded1 . Our SLSSP possess the following two desirable security properties:

(a) The malicious behavior of a party deviating from semi-honest behavior is detectable through verifiable correctness of the private message exchange.

(b) The practical implementation of the homomorphic encryption for SLSSP realizes seman‐ tic security with IND-CPA property.

SIPPA-2.0 is the second generation of our secure computation protocol for the following 2 party scenario; where a client party can reconstruct source data of a server party under the following conditions:

(a) The client party must possess some client data that is a "sufficiently good approxima‐ tion" of the source data, in order to initiate the SIPPA process.

(b) Rather than revealing the source data of the server party to the client party, only some helper data related to the Eigen components of the source data is provided (by the server party) to the client party for reconstructing the source data.

2-party SIPPA-2.0 is a secure process for private data reconstruction with the following de‐ sirable security and privacy properties:

(a) The server party retains complete control over the sharing of helper data – thus keeping private the source data - based on the "closeness" between the client and server data.

(b) The server party can determine the "closeness" between the client and server data with‐ out the client party ever disclosing it's data to the server party – thus the privacy of both client and server data is respected.

<sup>1</sup> The analysis presented in the appendix is part of our other paper entitled "SIPPA-2.0 – Secure Information Process‐ ing with Privacy Assurance (version 2.0)" appeared in the proceeding of the PST 2012, Paris, France. It is included to make this chapter self-sufficient.

(c) Only if the client and server data are sufficiently close and the server sends the client the helper data, the client can perfectly reconstruct the source data.

The major improvement of SIPPA-2.0 over the previous one is the use of a newly discovered computational geometry that allows perfect data reconstruction from the solution x securely computed in SLSSP. Before we discuss the details of SIPPA-2.0, we first present a survey on related work.

## **2.2. Related Work**

**2. Problem formulation and Related Work**

vealing its own private data (Ai, bi) to each other.

tational power of the adversary is polynomial bounded1

through verifiable correctness of the private message exchange.

tion" of the source data, in order to initiate the SIPPA process.

party) to the client party for reconstructing the source data.

The concept of SLSSP (formerly referred to as PPCSC) and SIPPA was first introduced in the book chapter of *Biometrics* [7] (INTECH 2011). SLSSP aims at solving the following problem:

Let P1 and P2 be two parties and each has private data (Ai, bi) for i=1,2; whereas Ai is a ma‐ trix and bi is a vector. Both parties wish to compute x in (A1+ A2)x = (b1 + b2) without re‐

In section 6 we will present the protocol design of SLSSP --- which is an improved version of PPCSC. The security and privacy analysis of SLSSP under realistic and reasonable model as‐ sumptions will be presented in the appendix. Specifically, the security and privacy of SLSSP will be analyzed under these model assumptions; authenticated communication channels with computational security, the behavior of the participants being rational, and the compu‐

(a) The malicious behavior of a party deviating from semi-honest behavior is detectable

(b) The practical implementation of the homomorphic encryption for SLSSP realizes seman‐

SIPPA-2.0 is the second generation of our secure computation protocol for the following 2 party scenario; where a client party can reconstruct source data of a server party under the

(a) The client party must possess some client data that is a "sufficiently good approxima‐

(b) Rather than revealing the source data of the server party to the client party, only some helper data related to the Eigen components of the source data is provided (by the server

2-party SIPPA-2.0 is a secure process for private data reconstruction with the following de‐

(a) The server party retains complete control over the sharing of helper data – thus keeping

(b) The server party can determine the "closeness" between the client and server data with‐ out the client party ever disclosing it's data to the server party – thus the privacy of both

1 The analysis presented in the appendix is part of our other paper entitled "SIPPA-2.0 – Secure Information Process‐ ing with Privacy Assurance (version 2.0)" appeared in the proceeding of the PST 2012, Paris, France. It is included to

private the source data - based on the "closeness" between the client and server data.

. Our SLSSP possess the following

**2.1. SLSSP and SIPPA formulation**

194 New Trends and Developments in Biometrics

two desirable security properties:

tic security with IND-CPA property.

sirable security and privacy properties:

client and server data is respected.

make this chapter self-sufficient.

following conditions:

Our research draws from various other works in the literature of biometrics and secure com‐ putation. We first discuss the major works in biometrics on which we draw upon, and then the advances in secure computation to which SIPPA-2.0 is related.

Hao et al. [8] [9] were among the pioneers in successfully melding biometrics with cryptog‐ raphy. Iris codes typically contain 10-20% error between samples of the same eye. By utiliz‐ ing a two tier approach of Hadamard and Reed Solomon Codes to correct both random and burst errors; they achieved a successful *Key* retrieval rate of over 99%. Our research draws from their overall approach of appending a random *Key* with biometrics and then negating this appended biometrics with another biometric sample to retrieve the original crypto‐ graphic *Key*. However, SIPPA-2.0 allows us to achieve perfect key reconstruction without using any error correction codes such as Hadamard or Reed Solomon.

Barni et al. [10] utilize a finger-code approach to represent a fingerprint partitioned into sec‐ tors from a reference point. Their approach is to utilize these finger-codes to perform finger‐ print matching over homomorphic encryption; essentially computing a Euclidean distance between two sets of finger-codes over homomorphic encryption. In contrast to traditional matching methods, such an approach is more privacy aware because the matching process does not expose the biometric sample being matched to the matching agent. Our research draws a few ideas from them including the use of a reference point and sector segmentation to represent fingerprints. However, we notice that any approach applying homomorphic en‐ cryption for matching comparison is restricted by using only the matching functions that can be privately computed via the multiplicative or additive properties of the specific homo‐ morphic encryption. In our research, homomorphic encryption is applied in the (SIPPA-2.0) protocol layer which allows not only private data comparison, but source data reconstruc‐ tion; thus providing additional flexibility on the choice of matching criteria and functions.

Clancy et al. [11] pioneered the use of fingerprints to generate cryptographic Keys. Their es‐ sential approach is to use Minutia points as the feature set and Reed-Solomon error correc‐ tion to handle noise inherent in biometric samples. To describe their approach in their own words:

*"Fingerprint minutiae coordinates m <sup>i</sup> are encoded as elements in a Finite Field F and the secret Key is encoded in a polynomial f(x) over F[x]. The polynomial is evaluated at the minutiae locations, and the pairs (m <sup>i</sup> ; f(m i)) are stored along with random (c <sup>i</sup> ; d i) chaff points such that d i!= f(c i). Given a matching Fingerprint, a valid user can separate out enough true points from the chaff points to recon‐ struct f(x), and hence the original secret Key."*

Clancy et al. in their pioneering work achieved a *Key* size of 69 bits, with an EER (Equal Er‐ ror Rate) at about 30%. Our research also draws inspiration from Clancy et al. in their over‐ all approach of melding a proven biometric modality such as fingerprints with the field of cryptography; bringing forth desirable properties such as non-repudiation into the field of cryptography. In our research we are able to show a much improved result for a similar ap‐ proach that can accommodate an arbitrary large key size and a much better EER. We will show one such result in the experimental study section of this book chapter.

such as fingerprints. Over the past few years, privacy preserving protocols based on homo‐ morphic cryptosystems have also been developed; e.g., protocol for secure scalar/dot prod‐ uct between vectors [23], protocol for secure Euclidean distance derivation between vectors [24], secure Hamming distance protocol [25], secure evaluation of linear systems [26], and kmean clustering [27]. These protocols are practically usable in biometric applications and utilize semantically secure Partially Homomorphic (PH) cryptosystems to achieve metric specific privacy preserving biometric authentication. SIPPA-2.0 takes the current state-ofthe-art one step further by facilitating not just private data comparison which can be used for privacy preserving biometric authentication, but also private data reconstruction for bio‐

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

http://dx.doi.org/10.5772/51372

197

The theoretical foundation of SIPPA-2.0 is built upon two main theorems. We first summa‐ rize the important findings of the theorems, and then present the rigorous formulation and proof, followed by the use of the theorems to realize the SIPPA-2.0 protocol for private re‐

Let P1 and P2 be the SIPPA-2.0 server and client respectively. Let **de** and **dv** be the column vector representing private data of P1 and P2 respectively. Let (λDe **vde** ) and (λDv **vdv** ) be the 2-tuples of the most significant Eigen value and the corresponding unity normalized Eigen

If the deviation between the most significant eigenvector of **de•de** T and **dv•dv** <sup>T</sup> (similarity score) correlates to the distribution of the instances of **de** and **dv** as classified by being from the same or different biometric source, this provides a basis for a good threshold function. SIPPA-2.0 can then be utilized to provide secure and private derivation on this deviation,

We will show in theorem 1 below that there is an algebraic relationship between the sym‐ metric matrix representation of the client and the server data in the Eigen vector space; and the algebraic relationship guarantees the existence of a bisector vector that allows each party to use it to determine whether the client and server data are sufficiently similar. Second, the source data can be perfectly reconstructed by the client if a carefully scaled Eigen value of the symmetric matrix representation of the source data is given. In other words, this scaled Eigen value serves as the helper data --- and the only data --- that the server needs to share;

*Theorem 1:* Consider (**de•de** T + **dv•dv** T)x = λde **v de** + λdv **v dv**, the solution x = v satisfying (**de•de** T + **dv•dv** T)**v** = λde **v de** + λdv **vdv** has a unity scalar projection onto the unity normal‐

ized **vde** and **vdv** , and is a bisector for the interior angle between **vde** and **vdv** .

metric information retrieval.

**3. Theoretical Foundation of SIPPA-2.0**

construction of the server source data by the client.

vector of the matrices **de•de** T and **dv•dv** T respectively.

thus the privacy of the server side source data is preserved.

without each party revealing their private biometric data to each other.

Recently, non-minutiae methods as features for fingerprint are proposed in addition to the minutiae methods [39, 40], these methods are viable alternatives to consider in trying to im‐ prove the performance of many cryptographic key generation protocols.In this research we have primarily focused on minutiae features as data points for our cryptographic key gener‐ ation protocol. On the other hand, Lalithamani et al. [12] proposed a method utilizing can‐ cellable biometrics to transform a fingerprint into a revocable form; this revocable form is then transformed into an irrevocable viable cryptographic *Key*. The essence of this approach relies on image processing to transform noisy biometric samples into standard representa‐ tions, from which a cryptographic *Key* is derived. Unfortunately, no practical experimental data was presented utilizing this approach. Nonetheless, this is another indication on the potential interest in combining biometrics with cryptography.

Various secure computation protocols based on cryptographic approach have been devel‐ oped in the past for privacy preserving data comparison [13] [14]. One main thrust is to rely on Oblivious Transfer (OT) protocols [15] for private joint table lookup. Privacy protection is achieved by transmitting encrypted versions of the entire table using pre-computed public keys. However, even with significant progress in reducing the computational complexity of OT protocols, the relative enormity of the table size coupled with the complexity of encrypt‐ ing large amounts of data with public key cryptography makes OT based Secure Computa‐ tion protocols impractical for certain viable privacy preserving applications such as biometrics.

Recent advances in cryptography has led to various cryptosystems that preserve certain op‐ erations such as addition [16], multiplication [17], and XOR [18], in the encrypted domain. Such cryptosystems are classified into either Partially Homomorphic (PH) [19] [20] or Fully Homomorphic (FH) [21]. A PH cryptosystem does not allow the evaluation of both addi‐ tion and multiplication in encrypted domain; and a FH allows the evaluation of unlimited ad‐ dition and multiplication operations in encrypted domain. A FH cryptosystem would allow [13] the secure evaluation of any function in the encrypted domain where the privacy of the original data is guaranteed if knowing only the function output is not a privacy concern. How‐ ever the only known semantically secure FH cryptosystems are extremely inefficient for prac‐ tical use. To put it in context, recently, one of the leading inventors of such a FH cryptosystem Craig Gentry, states that performing a single search query utilizing the best available FH cryp‐ tosystem would increase computational complexity by about a trillion [22].

To balance the practical usability and the complexity inherited in a fully homomorphic cryp‐ tosytem, we develop SIPPA-2.0 that allows parallelization while relying only on cryptosys‐ tems that are Partially Homomorphic for cryptographic key generation from biometric data such as fingerprints. Over the past few years, privacy preserving protocols based on homo‐ morphic cryptosystems have also been developed; e.g., protocol for secure scalar/dot prod‐ uct between vectors [23], protocol for secure Euclidean distance derivation between vectors [24], secure Hamming distance protocol [25], secure evaluation of linear systems [26], and kmean clustering [27]. These protocols are practically usable in biometric applications and utilize semantically secure Partially Homomorphic (PH) cryptosystems to achieve metric specific privacy preserving biometric authentication. SIPPA-2.0 takes the current state-ofthe-art one step further by facilitating not just private data comparison which can be used for privacy preserving biometric authentication, but also private data reconstruction for bio‐ metric information retrieval.

## **3. Theoretical Foundation of SIPPA-2.0**

Clancy et al. in their pioneering work achieved a *Key* size of 69 bits, with an EER (Equal Er‐ ror Rate) at about 30%. Our research also draws inspiration from Clancy et al. in their over‐ all approach of melding a proven biometric modality such as fingerprints with the field of cryptography; bringing forth desirable properties such as non-repudiation into the field of cryptography. In our research we are able to show a much improved result for a similar ap‐ proach that can accommodate an arbitrary large key size and a much better EER. We will

Recently, non-minutiae methods as features for fingerprint are proposed in addition to the minutiae methods [39, 40], these methods are viable alternatives to consider in trying to im‐ prove the performance of many cryptographic key generation protocols.In this research we have primarily focused on minutiae features as data points for our cryptographic key gener‐ ation protocol. On the other hand, Lalithamani et al. [12] proposed a method utilizing can‐ cellable biometrics to transform a fingerprint into a revocable form; this revocable form is then transformed into an irrevocable viable cryptographic *Key*. The essence of this approach relies on image processing to transform noisy biometric samples into standard representa‐ tions, from which a cryptographic *Key* is derived. Unfortunately, no practical experimental data was presented utilizing this approach. Nonetheless, this is another indication on the

Various secure computation protocols based on cryptographic approach have been devel‐ oped in the past for privacy preserving data comparison [13] [14]. One main thrust is to rely on Oblivious Transfer (OT) protocols [15] for private joint table lookup. Privacy protection is achieved by transmitting encrypted versions of the entire table using pre-computed public keys. However, even with significant progress in reducing the computational complexity of OT protocols, the relative enormity of the table size coupled with the complexity of encrypt‐ ing large amounts of data with public key cryptography makes OT based Secure Computa‐ tion protocols impractical for certain viable privacy preserving applications such as

Recent advances in cryptography has led to various cryptosystems that preserve certain op‐ erations such as addition [16], multiplication [17], and XOR [18], in the encrypted domain. Such cryptosystems are classified into either Partially Homomorphic (PH) [19] [20] or Fully Homomorphic (FH) [21]. A PH cryptosystem does not allow the evaluation of both addi‐ tion and multiplication in encrypted domain; and a FH allows the evaluation of unlimited ad‐ dition and multiplication operations in encrypted domain. A FH cryptosystem would allow [13] the secure evaluation of any function in the encrypted domain where the privacy of the original data is guaranteed if knowing only the function output is not a privacy concern. How‐ ever the only known semantically secure FH cryptosystems are extremely inefficient for prac‐ tical use. To put it in context, recently, one of the leading inventors of such a FH cryptosystem Craig Gentry, states that performing a single search query utilizing the best available FH cryp‐

To balance the practical usability and the complexity inherited in a fully homomorphic cryp‐ tosytem, we develop SIPPA-2.0 that allows parallelization while relying only on cryptosys‐ tems that are Partially Homomorphic for cryptographic key generation from biometric data

tosystem would increase computational complexity by about a trillion [22].

show one such result in the experimental study section of this book chapter.

potential interest in combining biometrics with cryptography.

biometrics.

196 New Trends and Developments in Biometrics

The theoretical foundation of SIPPA-2.0 is built upon two main theorems. We first summa‐ rize the important findings of the theorems, and then present the rigorous formulation and proof, followed by the use of the theorems to realize the SIPPA-2.0 protocol for private re‐ construction of the server source data by the client.

Let P1 and P2 be the SIPPA-2.0 server and client respectively. Let **de** and **dv** be the column vector representing private data of P1 and P2 respectively. Let (λDe **vde** ) and (λDv **vdv** ) be the 2-tuples of the most significant Eigen value and the corresponding unity normalized Eigen vector of the matrices **de•de** T and **dv•dv** T respectively.

If the deviation between the most significant eigenvector of **de•de** T and **dv•dv** <sup>T</sup> (similarity score) correlates to the distribution of the instances of **de** and **dv** as classified by being from the same or different biometric source, this provides a basis for a good threshold function. SIPPA-2.0 can then be utilized to provide secure and private derivation on this deviation, without each party revealing their private biometric data to each other.

We will show in theorem 1 below that there is an algebraic relationship between the sym‐ metric matrix representation of the client and the server data in the Eigen vector space; and the algebraic relationship guarantees the existence of a bisector vector that allows each party to use it to determine whether the client and server data are sufficiently similar. Second, the source data can be perfectly reconstructed by the client if a carefully scaled Eigen value of the symmetric matrix representation of the source data is given. In other words, this scaled Eigen value serves as the helper data --- and the only data --- that the server needs to share; thus the privacy of the server side source data is preserved.

*Theorem 1:* Consider (**de•de** T + **dv•dv** T)x = λde **v de** + λdv **v dv**, the solution x = v satisfying (**de•de** T + **dv•dv** T)**v** = λde **v de** + λdv **vdv** has a unity scalar projection onto the unity normal‐ ized **vde** and **vdv** , and is a bisector for the interior angle between **vde** and **vdv** .

Proof: By the definition of Eigen vectors and values, **de•de** <sup>T</sup>•**vde** = λde **vde** . Since **de** <sup>T</sup>•**vde** is a scalar, **de** and **vde** has the same directionality. Furthermore, **de**/|**de**| = **vde** because **vde** is a uni‐ ty normalized vector. Similarly, **dv**/|**dv**| = **vdv** , and the following results can be established:

**de**/|**de**| = **vdede•de**<sup>T</sup>•**vde** = λde**vde** (**de**/|**de**|)•(|**de**|•**de**<sup>T</sup>•**vde**) = (**vde**)(λde) λde = **de**<sup>T</sup>•**de**

**dv**/|**dv**| = **vdvdv•dv**<sup>T</sup>•**vdv** = λdv**vdv** (**dv**/|**dv**|)•(|**dv**|•**dv**<sup>T</sup>•**vdv**) = (**vdv**)(λdv) λdv = **dv**<sup>T</sup>•**dv**

To prove theorem 1, we need to prove that (1) **v** has a unity scalar projection onto the unity normalized **de** and **dv**, and (2) **v** is a bisector.

To prove **v** has a unity scalar projection onto the unity normalized **vde** and **vdv**, it is sufficient to show **vde• v** = **vdv•v** = 1, or (**de**/|**de**|)•**v** = (**dv**/|**dv**|)•**v** = 1. Since **v** is a solution to (**de**•**de** <sup>T</sup> + **dv•dv** T)**x** = λde **vde** + λdv **vdv** , we re-write the RHS and the LHS as below:

**Figure 2.** Geometric relationship between x and eigenvector of data.

In SIPPA-2.0, private reconstruction of the server source data by a client relies on the helper data. The server provides the helper data only if the target data of the client is sufficiently close to the source data. But how could the server determine the closeness between the tar‐ get data and the source data while the client can keep the target data private? As shown in figure3, vde, vdv and x all converge to each other when **de** and **dv** converge to each other. In addition, the matrices **de•de** T and **dv•dv** T can be thought of as the mapping functions for the eigenvectors and x. The difference between **de** and **dv** proportionality affects the differ‐ ence in the mapping functions, which subsequently introduces an angular deviation on the angle between the unity normalized Eigen vectors as well as the magnitude deviation as measured by the Euclidean distance between the two Eigen vectors scaled by the corre‐ sponding Eigen values. Therefore, angular deviation and magnitude deviation between the client and server Eigen vectors can be used to obtain the information about the closeness be‐

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

http://dx.doi.org/10.5772/51372

199

In SIPPA-2.0, if angular deviation is used as the metric to determine closeness, then both the server and the client can privately and precisely determine whether the data of the other party is sufficiently similar without revealing one's own private data. Recall from theorem 2 the angular deviation can be derived from 2cos-1(**vdv•x**/(|**vdv** |•|**x**|)) or 2cos-1(**vde•x**/(|**vde** |•| **x**|)). If x is known, each party with one's own Eigen vector can derive the angular deviation.

**3.1. Secure Computation of Angular Deviation**

tween the target and the source data.

**Figure 3.** Relationship between source and target data in Eigen space.

LHS = (**de•de** T + **dv•dv** T)**v** = **de**•(**de** <sup>T</sup>•**v**) + **dv**•(**dv** <sup>T</sup>•**v**) = |**de**|•**de**•(**de**<sup>T</sup>•**v**/|**de**|) + |**dv**|•**dv**•(**dv**<sup>T</sup>•**v**/|**dv**|)

RHS = λde **vde** + λdv **vdv** = **de** <sup>T</sup>•**de**•(**de**/|**de**|) + **dv** <sup>T</sup>•**dv**•(**dv**/|**dv**|)

= |**de**|•**de** + |**dv**|•**dv** because **de** <sup>T</sup>•**de** = |**de**|2 and **dv** <sup>T</sup>•**dv** = |**dv**|2

Comparing the terms on the RHS and LHS, when de and dv are linearly independent, **deT•v**/|**de**| = 1 (**de**/|**de**|)•**v**= **vde•v**= 1 and **dv** <sup>T</sup>•**v**/|**dv**| = 1 (**dv**/|**dv**|)•**v**= **vdv•v**= 1. Therefore, v has a unity scalar projection onto the unity normalized **de** and **dv**. This com‐ pletes the proof for (1).

The scalar projection of **v** onto **vde** is one, and so as the scalar projection of **v** onto **vdv** . By the theorem of bisector, v is the bisector of the interior angle of **vde** and **vdv** . This completes the proof for (2).

*Theorem 2:* Consider (**de•de** T + **dv•dv** T)**x** = λde **vde** + λdv **vdv** , **de** can be efficiently reconstruct‐ ed − with an accuracy proportional to the closeness between **vde** and **vdv** − by a party with **dv**, λdv,, and **vdv** when (i) the interior angle between **vde** and **vdv** is less than 90 degree and (ii) the party is given **x** and λde/ **de** <sup>T</sup>•**x**. Specifically, **de** = (**est**\_**v de**/| **est\_v de** |)(λde/ **de** <sup>T</sup> **x**); where

$$\mathbf{\tilde{v}} \cdot \mathbf{\tilde{v}}\_{\mathrm{de}} = \mathbf{v}\_{\mathrm{dv}} + \left[ |\, \mathbf{v}\_{\mathrm{dv}} \mid \bullet \, \mathrm{tan} \left( 2 \cos^{-1} (\mathbf{v}\_{\mathrm{dv}} \bullet \mathbf{x} / (|\, \mathbf{v}\_{\mathrm{dv}} \mid \bullet \, | \, \mathbf{x} \mid)) \right) \right] \bullet \left[ (\mathbf{x} \cdot \mathbf{v}\_{\mathrm{dv}}) / |\, \mathbf{x} \cdot \mathbf{v}\_{\mathrm{dv}}| \right]$$

Proof: Let **x** = **vde** + **e1** and **x** = **vdv** + **e2**. We can derive the length of **te** (as shown in Fig. 2), which is a vector with the same directionality as that of the vector **e2** when the interior angle between **vde** and **vdv** is less than 90 degree. Specifically, **vdv** and **e2** are orthogonal (i.e., they are perpendicular of each other). The length of **te**=|**te**|=[|**v dv**|•tan(2cos-1(**vdv•x**/(|**vdv** |•| **x**|)))] because **e1** = **e2** and the angle between **vdv** and (**vdv** + **te**) is twice the angle between **vdv** and **x** (theorem 1). Therefore, **te**=|**te**|•[**e2**/|**e2**|]=[|**vdv** |•tan(2cos-1(**vdv•x**/(|**vdv** |•|**x**|) ))] •[**e2**/|**e2**|]. Since **vdv** + **te** (=**est\_vde** ) produces a vector with the same directionality as **vde** , and **vde** is a unity normalized vector, we can conveniently derive **vde** by normalizing **est\_vde** ; i.e., **vde** = **est\_vde** /| **est\_vde** |. Finally, since **de•de** <sup>T</sup>x≈ λde **vde** , we can derive **de** from (λde/ **de** <sup>T</sup>•**x**)•**vde** or (λde/ **de** <sup>T</sup>•x)•( **est\_vde** /|**est\_vde** |) with an approximation error proportional to the closeness between **vde** and **vdv** . Q.E.D.

**Figure 2.** Geometric relationship between x and eigenvector of data.

#### **3.1. Secure Computation of Angular Deviation**

Proof: By the definition of Eigen vectors and values, **de•de** <sup>T</sup>•**vde** = λde **vde** . Since **de** <sup>T</sup>•**vde** is a scalar, **de** and **vde** has the same directionality. Furthermore, **de**/|**de**| = **vde** because **vde** is a uni‐ ty normalized vector. Similarly, **dv**/|**dv**| = **vdv** , and the following results can be established:

**de**/|**de**| = **vdede•de**<sup>T</sup>•**vde** = λde**vde** (**de**/|**de**|)•(|**de**|•**de**<sup>T</sup>•**vde**) = (**vde**)(λde) λde = **de**<sup>T</sup>•**de**

**dv**/|**dv**| = **vdvdv•dv**<sup>T</sup>•**vdv** = λdv**vdv** (**dv**/|**dv**|)•(|**dv**|•**dv**<sup>T</sup>•**vdv**) = (**vdv**)(λdv) λdv = **dv**<sup>T</sup>•**dv**

normalized **de** and **dv**, and (2) **v** is a bisector.

198 New Trends and Developments in Biometrics

= |**de**|•**de** + |**dv**|•**dv** because **de** <sup>T</sup>•**de** = |**de**|2

the closeness between **vde** and **vdv** . Q.E.D.

pletes the proof for (1).

proof for (2).

LHS = (**de•de** T + **dv•dv** T)**v** = **de**•(**de** <sup>T</sup>•**v**) + **dv**•(**dv** <sup>T</sup>•**v**) = |**de**|•**de**•(**de**<sup>T</sup>•**v**/|**de**|) + |**dv**|•**dv**•(**dv**<sup>T</sup>•**v**/|**dv**|)

RHS = λde **vde** + λdv **vdv** = **de** <sup>T</sup>•**de**•(**de**/|**de**|) + **dv** <sup>T</sup>•**dv**•(**dv**/|**dv**|)

**est\_vde** = **vdv** + [|**vdv** |•tan(2cos-1(**vdv•x**/(|**v dv**|•|x|) ))]•[(**x-v dv**)/|**x-vdv** |]

To prove theorem 1, we need to prove that (1) **v** has a unity scalar projection onto the unity

To prove **v** has a unity scalar projection onto the unity normalized **vde** and **vdv**, it is sufficient to show **vde• v** = **vdv•v** = 1, or (**de**/|**de**|)•**v** = (**dv**/|**dv**|)•**v** = 1. Since **v** is a solution to (**de**•**de** <sup>T</sup>

Comparing the terms on the RHS and LHS, when de and dv are linearly independent, **deT•v**/|**de**| = 1 (**de**/|**de**|)•**v**= **vde•v**= 1 and **dv** <sup>T</sup>•**v**/|**dv**| = 1 (**dv**/|**dv**|)•**v**= **vdv•v**= 1. Therefore, v has a unity scalar projection onto the unity normalized **de** and **dv**. This com‐

The scalar projection of **v** onto **vde** is one, and so as the scalar projection of **v** onto **vdv** . By the theorem of bisector, v is the bisector of the interior angle of **vde** and **vdv** . This completes the

*Theorem 2:* Consider (**de•de** T + **dv•dv** T)**x** = λde **vde** + λdv **vdv** , **de** can be efficiently reconstruct‐ ed − with an accuracy proportional to the closeness between **vde** and **vdv** − by a party with **dv**, λdv,, and **vdv** when (i) the interior angle between **vde** and **vdv** is less than 90 degree and (ii) the party is given **x** and λde/ **de** <sup>T</sup>•**x**. Specifically, **de** = (**est**\_**v de**/| **est\_v de** |)(λde/ **de** <sup>T</sup> **x**); where

Proof: Let **x** = **vde** + **e1** and **x** = **vdv** + **e2**. We can derive the length of **te** (as shown in Fig. 2), which is a vector with the same directionality as that of the vector **e2** when the interior angle between **vde** and **vdv** is less than 90 degree. Specifically, **vdv** and **e2** are orthogonal (i.e., they are perpendicular of each other). The length of **te**=|**te**|=[|**v dv**|•tan(2cos-1(**vdv•x**/(|**vdv** |•| **x**|)))] because **e1** = **e2** and the angle between **vdv** and (**vdv** + **te**) is twice the angle between **vdv** and **x** (theorem 1). Therefore, **te**=|**te**|•[**e2**/|**e2**|]=[|**vdv** |•tan(2cos-1(**vdv•x**/(|**vdv** |•|**x**|) ))] •[**e2**/|**e2**|]. Since **vdv** + **te** (=**est\_vde** ) produces a vector with the same directionality as **vde** , and **vde** is a unity normalized vector, we can conveniently derive **vde** by normalizing **est\_vde** ; i.e., **vde** = **est\_vde** /| **est\_vde** |. Finally, since **de•de** <sup>T</sup>x≈ λde **vde** , we can derive **de** from (λde/ **de** <sup>T</sup>•**x**)•**vde** or (λde/ **de** <sup>T</sup>•x)•( **est\_vde** /|**est\_vde** |) with an approximation error proportional to

and **dv** <sup>T</sup>•**dv** = |**dv**|2

+ **dv•dv** T)**x** = λde **vde** + λdv **vdv** , we re-write the RHS and the LHS as below:

In SIPPA-2.0, private reconstruction of the server source data by a client relies on the helper data. The server provides the helper data only if the target data of the client is sufficiently close to the source data. But how could the server determine the closeness between the tar‐ get data and the source data while the client can keep the target data private? As shown in figure3, vde, vdv and x all converge to each other when **de** and **dv** converge to each other. In addition, the matrices **de•de** T and **dv•dv** T can be thought of as the mapping functions for the eigenvectors and x. The difference between **de** and **dv** proportionality affects the differ‐ ence in the mapping functions, which subsequently introduces an angular deviation on the angle between the unity normalized Eigen vectors as well as the magnitude deviation as measured by the Euclidean distance between the two Eigen vectors scaled by the corre‐ sponding Eigen values. Therefore, angular deviation and magnitude deviation between the client and server Eigen vectors can be used to obtain the information about the closeness be‐ tween the target and the source data.

**Figure 3.** Relationship between source and target data in Eigen space.

In SIPPA-2.0, if angular deviation is used as the metric to determine closeness, then both the server and the client can privately and precisely determine whether the data of the other party is sufficiently similar without revealing one's own private data. Recall from theorem 2 the angular deviation can be derived from 2cos-1(**vdv•x**/(|**vdv** |•|**x**|)) or 2cos-1(**vde•x**/(|**vde** |•| **x**|)). If x is known, each party with one's own Eigen vector can derive the angular deviation. Therefore, a key aspect to realize SIPPA-2.0 is a 2-party secure computation protocol through which the client and the server can collaborate to solve for x in the algebraic system (**de•de** T + **dv•dv** T)**x** = λde **vde** + λdv **vdv** while each party will keep one's data, Eigen value and Eigen vector private. Furthermore, the security and privacy of SIPPA-2.0 will defer to the security and privacy of the 2-party secure computation protocol for solving the algebraic system. In this research we show one such protocol, referred to as SLSSP (Secure Linear Sys‐ tem Solution Protocol), that we developed. As formulated in section 3, SLSSP is a novel and general two-party secure computation protocol to solve for x in (A1+ A2)x = (b1 + b2) with‐ out each party revealing their private data (Ai, bi) to each other.

*Step 4:* If **de** and **dv** are sufficiently similar as determined by either the angular distance or the Euclidean distance between vectors **vde** and **vdv** as measured by some pre-defined thresh‐

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

= **vde** or **de**= |**de**|•**vde,** (from Theorem 1) and (3)**est\_vde** /|**est\_vde** |=**vde** (from Theorem 2) if we

*Step 5:* Derive estimated **vde- est\_vde** as stated in theorem 2, and then derive **de** = (**est\_vde** /|

SIPPA-2.0 relies on the protocol SLSSP to solve for x in step 2. To provide semantic security, Pailler encryption is adopted in the protocol design for SLSSP. Pailler encryption is operated over Integer domain on scalar values. Yet SIPPA-2.0 deals with Real Number domain and matrix operations. Therefore, prior to presenting the details on the protocol for SLSSP, we will first discuss two related issues: (i) homomorphic matrix addition and multiplication

All matrix operations described in this section require knowledge of only the Pailler public-

where each element of the matrix or vector is an element encrypted utilizing the Paillier

tors; whereas the operator "[X]" represents multiplication of matrices, where one of the two

The Paillier encryption scheme is a probabilistic, asymmetric, public-key cryptosystem whose security is based on the hypothetical intractability of the Decisional Composite Resi‐ duosity Assumption (DCRA). The Paillier encryption function PE(m, r), a bijection

An important consequence of this approach is that the Paillier Cryptosystem is additively

) = PE(m1 + m2 , r1)

) = PE(m1. m2 , r1)

) = PE(m1 + m2 , r1 . r2 )

\* ) encrypts a message mby raising a basis gto the power m, then multiplying g<sup>m</sup>

n) modulo n<sup>2</sup>

). The operator "[+]" denotes homomorphic addition of matrices or vec‐

with encrypted matrices, and (ii) the fixed point representation of real numbers.

**4.2. Homomorphic Matrix addition and Multiplication with Encrypted Matrices.**

key pair(*g*, *n*). Encrypted matrices and vectors are denoted *M <sup>P</sup>*(*g*,*n*)

and reducing the product (gm.r

homomorphic, specifically the following properties hold:

) mod n<sup>2</sup>

public-key pair (*g*, *n*). Specifically, the decryption of any element *M <sup>i</sup>*, *<sup>j</sup>*

0.5 as the helper data to allow perfect reconstruction of

http://dx.doi.org/10.5772/51372

201

, *v <sup>P</sup>*(*g*,*n*)

*P*(*g*,*n*)

where nis the public modulus.

respectively,

equals *Mi*, *<sup>j</sup>* i.e.

0.5 because (1) λde=**de** <sup>T</sup>•**de** = |**de**|2 (from Theorem 1), (2) **de**/|**de**|

old, proceed to send the following helper data: λde/**de** <sup>T</sup>•x.

are to realize unconditional source data reconstruction.

Remark: We can also only send (λde)

**de**= (**est\_vde** /|**est\_vde** |)(λde)

**est\_vde** |)(λde/**de** <sup>T</sup>x).

*Mi*, *<sup>j</sup>* = *PD*( *M <sup>i</sup>*, *<sup>j</sup>*

(ZnxZ<sup>n</sup> \* →Zn<sup>2</sup>

with a random r

**2.** ((PE(m1, r1) . <sup>g</sup>m2

**3.** ((PE(m1, r1)m2) mod <sup>n</sup><sup>2</sup>

matrices are encrypted.

*4.2.1. Paillier Cryptosystem:*

n

**1.** ((PE(m1, r1) . PE(m2, r2)) mod <sup>n</sup><sup>2</sup>

*P*(*g*,*n*)

There are two noteworthy points about SLSSP. First SLSSP is readily available to realize SIP‐ PA-2.0 with (A1, b1) and (A2, b2) being (**de•de** <sup>T</sup>, λde **vde** ) and (**dv•dv** <sup>T</sup>, λdv **vdv** ) respective‐ ly. Second, SLSSP has the same problem formulation as that of PPCSC (Privacy Preserving Collaborative Scientific Computation). Our focus on SLSSP is to also achieve desirable secur‐ ity properties so that SLSSP is secure and private under realistic and reasonable assump‐ tions discussed in section 3.

## **4. Procotol design for SLSSP and SIPPA**

#### **4.1. SIPPA2.0 Protocol**

There are three major aspects of SIPPA-2.0: (1) derivation of the eigenvalues and the corre‐ sponding unity normalized eigenvectors of the symmetric matrix representation of the data; (2) derivation of a vector *x* which provides for the two parties to determine the deviation between their respective eigenvectors, which is formulated as a two-party secure computa‐ tion SLSSP [28]; and if required: (3) reconstruction of the source data based on *helper data* composed of a scalar eigenvalue combined with a scalar derived from the vector product be‐ tween the transpose of the linearized source data vector and the vector *x*. The steps for the SIPPA2.0 protocol are detailed below using the notation introduced in the previous section:

*Step 1:* Derive, by the respective party, the most significant eigenvalue and its corresponding unity-normalized eigenvector of **de•de<sup>T</sup>** and **dv•dv<sup>T</sup>** . This step yields (λde **vde** ) for SIPPA2.0 server and (λdv **vdv** ) for SIPPA2.0 client.

*Step 2:* Compute **x** such that (**de•de** T + **dv•dv** T)**x** = λde **vde** + λdv **vdv** utilizing SLSSP. The vec‐ tor x is known to both parties following SLSSP. The details on SLSSP will be presented later in this section.

*Step 3:* The party that wishes to determine the deviation between its eigenvector and the oth‐ er party's eigenvector can do so utilizing *x* (derived in step 2). Suppose that the party with **vde** wishes to determine the angular deviation between **vde** and **vdv** , this can be done by ob‐ taining the angle between **vde** and *x*. i.e. cos-1(**vde•x**/(|**vde** |•|**x**|)). The angular deviation be‐ tween **vde** and **vdv** is then

2cos-1(**vde•x**/(|**vde** |•|**x**|)).

*Step 4:* If **de** and **dv** are sufficiently similar as determined by either the angular distance or the Euclidean distance between vectors **vde** and **vdv** as measured by some pre-defined thresh‐ old, proceed to send the following helper data: λde/**de** <sup>T</sup>•x.

Remark: We can also only send (λde) 0.5 as the helper data to allow perfect reconstruction of **de**= (**est\_vde** /|**est\_vde** |)(λde) 0.5 because (1) λde=**de** <sup>T</sup>•**de** = |**de**|2 (from Theorem 1), (2) **de**/|**de**| = **vde** or **de**= |**de**|•**vde,** (from Theorem 1) and (3)**est\_vde** /|**est\_vde** |=**vde** (from Theorem 2) if we are to realize unconditional source data reconstruction.

*Step 5:* Derive estimated **vde- est\_vde** as stated in theorem 2, and then derive **de** = (**est\_vde** /| **est\_vde** |)(λde/**de** <sup>T</sup>x).

SIPPA-2.0 relies on the protocol SLSSP to solve for x in step 2. To provide semantic security, Pailler encryption is adopted in the protocol design for SLSSP. Pailler encryption is operated over Integer domain on scalar values. Yet SIPPA-2.0 deals with Real Number domain and matrix operations. Therefore, prior to presenting the details on the protocol for SLSSP, we will first discuss two related issues: (i) homomorphic matrix addition and multiplication with encrypted matrices, and (ii) the fixed point representation of real numbers.

### **4.2. Homomorphic Matrix addition and Multiplication with Encrypted Matrices.**

All matrix operations described in this section require knowledge of only the Pailler publickey pair(*g*, *n*). Encrypted matrices and vectors are denoted *M <sup>P</sup>*(*g*,*n*) , *v <sup>P</sup>*(*g*,*n*) respectively, where each element of the matrix or vector is an element encrypted utilizing the Paillier public-key pair (*g*, *n*). Specifically, the decryption of any element *M <sup>i</sup>*, *<sup>j</sup> P*(*g*,*n*) equals *Mi*, *<sup>j</sup>* i.e. *Mi*, *<sup>j</sup>* = *PD*( *M <sup>i</sup>*, *<sup>j</sup> P*(*g*,*n*) ). The operator "[+]" denotes homomorphic addition of matrices or vec‐ tors; whereas the operator "[X]" represents multiplication of matrices, where one of the two matrices are encrypted.

### *4.2.1. Paillier Cryptosystem:*

Therefore, a key aspect to realize SIPPA-2.0 is a 2-party secure computation protocol through which the client and the server can collaborate to solve for x in the algebraic system (**de•de** T + **dv•dv** T)**x** = λde **vde** + λdv **vdv** while each party will keep one's data, Eigen value and Eigen vector private. Furthermore, the security and privacy of SIPPA-2.0 will defer to the security and privacy of the 2-party secure computation protocol for solving the algebraic system. In this research we show one such protocol, referred to as SLSSP (Secure Linear Sys‐ tem Solution Protocol), that we developed. As formulated in section 3, SLSSP is a novel and general two-party secure computation protocol to solve for x in (A1+ A2)x = (b1 + b2) with‐

There are two noteworthy points about SLSSP. First SLSSP is readily available to realize SIP‐ PA-2.0 with (A1, b1) and (A2, b2) being (**de•de** <sup>T</sup>, λde **vde** ) and (**dv•dv** <sup>T</sup>, λdv **vdv** ) respective‐ ly. Second, SLSSP has the same problem formulation as that of PPCSC (Privacy Preserving Collaborative Scientific Computation). Our focus on SLSSP is to also achieve desirable secur‐ ity properties so that SLSSP is secure and private under realistic and reasonable assump‐

There are three major aspects of SIPPA-2.0: (1) derivation of the eigenvalues and the corre‐ sponding unity normalized eigenvectors of the symmetric matrix representation of the data; (2) derivation of a vector *x* which provides for the two parties to determine the deviation between their respective eigenvectors, which is formulated as a two-party secure computa‐ tion SLSSP [28]; and if required: (3) reconstruction of the source data based on *helper data* composed of a scalar eigenvalue combined with a scalar derived from the vector product be‐ tween the transpose of the linearized source data vector and the vector *x*. The steps for the SIPPA2.0 protocol are detailed below using the notation introduced in the previous section: *Step 1:* Derive, by the respective party, the most significant eigenvalue and its corresponding unity-normalized eigenvector of **de•de<sup>T</sup>** and **dv•dv<sup>T</sup>** . This step yields (λde **vde** ) for SIPPA2.0

*Step 2:* Compute **x** such that (**de•de** T + **dv•dv** T)**x** = λde **vde** + λdv **vdv** utilizing SLSSP. The vec‐ tor x is known to both parties following SLSSP. The details on SLSSP will be presented later

*Step 3:* The party that wishes to determine the deviation between its eigenvector and the oth‐ er party's eigenvector can do so utilizing *x* (derived in step 2). Suppose that the party with **vde** wishes to determine the angular deviation between **vde** and **vdv** , this can be done by ob‐ taining the angle between **vde** and *x*. i.e. cos-1(**vde•x**/(|**vde** |•|**x**|)). The angular deviation be‐

out each party revealing their private data (Ai, bi) to each other.

**4. Procotol design for SLSSP and SIPPA**

server and (λdv **vdv** ) for SIPPA2.0 client.

tions discussed in section 3.

200 New Trends and Developments in Biometrics

**4.1. SIPPA2.0 Protocol**

in this section.

tween **vde** and **vdv** is then 2cos-1(**vde•x**/(|**vde** |•|**x**|)). The Paillier encryption scheme is a probabilistic, asymmetric, public-key cryptosystem whose security is based on the hypothetical intractability of the Decisional Composite Resi‐ duosity Assumption (DCRA). The Paillier encryption function PE(m, r), a bijection (ZnxZ<sup>n</sup> \* →Zn<sup>2</sup> \* ) encrypts a message mby raising a basis gto the power m, then multiplying g<sup>m</sup> with a random r n and reducing the product (gm.r n) modulo n<sup>2</sup> where nis the public modulus. An important consequence of this approach is that the Paillier Cryptosystem is additively homomorphic, specifically the following properties hold:


Paillier Key Generation:

**1.** Choose a modulus n=p . q. The modulus is chosen in accordance with the RSAES-OAEP [2] specification, where nhas the properties of a well-chosen RSA modulus.

2. Given an plain-text *mXb*matrix*A* and an encrypted *bXn*matrix

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

= *C <sup>P</sup>*(*g*,*n*)

The Paillier cryptosystem operates over a finite field Z*n*, we extend the cryptosystem to op‐ erate over the reals utilizing a simple Fixed Point representation scheme. Let *s* ∈Zbe some

, where *C <sup>P</sup>*(*g*,*n*) is an *mXn*matrix,

http://dx.doi.org/10.5772/51372

203

) *mod n* <sup>2</sup> (4)

*r* ) ∈ Z. An approximation of

*r* , *x*), where *x*is some ran‐

*r* , *x*), where *n*is the Pailli‐

<sup>10</sup>*<sup>s</sup>* }, whereas extending the fixed

**Private Data:** *m***X***m* **Matrix A2,** *m***X***1* **vector b2**

Obtain a Paillier Public Key and Private Key pair

~

upon de‐

) = *AB <sup>P</sup>*(*g*,*n*)

=(∏ *k*=1 *b*

<sup>10</sup>*<sup>s</sup>* ∈ R, specifically:

, a Paillier ciphertext is obtained by *PE*( 10*<sup>s</sup>*

, a Paillier ciphertext is obtained by *PE*(*n* + 10*<sup>s</sup>*

It is to be noted that representing reals with a fixed point representation introduces errors due to truncation, which is directly proportional to the size of *s*chosen. The domain of the

point scheme to include negative reals further reduces the encryption domain to

on downscaling operations in the encrypted domain. A record of the change in scale is kept

after each operation in the encrypted domain; this record is utilized to obtain *r*

<sup>2</sup> *\** <sup>10</sup>*<sup>s</sup>* }. Since division operations are not properly defined in Paillier, we hold off

**Step # PARTY β**

β1 Generate a random *m*X*m* matrix **P2**.

i.e. (*g*β,*n*β) and (λβ,μβ) respectively.

*r* , *x*)) - *n*

( *B <sup>i</sup>*,*<sup>k</sup> P*(*g*,*n*) ) *Ak* , *<sup>j</sup>*

*B <sup>P</sup>*(*g*,*n*)

(*A X B <sup>P</sup>*(*g*,*n*)

**4.3. Fixed Point Representation.**

*r*, can be obtained by*r*

~

er modulus and *r*

**1.** For any*r* ∈ R<sup>+</sup>

dom and*r*

**2.** For any*r* ∈ R-

{0,1, …. *<sup>n</sup>* - <sup>1</sup>

cryption of the result.

**4.4. SLSSP protocol details**

**Step # PARTY α**

α1 Generate a random *m*X*m* matrix**P1**. Generate a random 1Xn vector **vT.**

(gα,nα) and (λα,μα) respectively.

which can be computed in the following manner:

~ <sup>=</sup> <sup>10</sup>*<sup>s</sup> r*

<sup>=</sup> *PD*(*PE*( <sup>10</sup>*<sup>s</sup>*

~

*C <sup>i</sup>*, *<sup>j</sup> P*(*g*,*n*)

exponent of 10, then for every *r* ∈ R, *r*is represented as( 10*<sup>s</sup>*

*r* , *x*)) <sup>10</sup>*<sup>s</sup>* .

<sup>=</sup> *PD*(*PE*(*<sup>n</sup>* <sup>+</sup> <sup>10</sup>*<sup>s</sup>*

encryption function is also truncated from Z*n* to{0,1, …. *<sup>n</sup>* - <sup>1</sup>

**Private Data:** *m***X***m* **Matrix A1,** *m***X***1* **vector b1**

Obtain a Paillier Public Key and Private Key pair i.e.

10*<sup>s</sup>*


The Paillier Encryption function PE(m, r):

Given a Paillier public-key pair, choose a message to be encrypted m ∈ Zn, and a randomr chosen uniformly fromZ<sup>n</sup> \* , then the Paillier encryption function is defined as PE(m, r)=(g<sup>m</sup> . r n) mod n<sup>2</sup> .PE(m, r)is a bijection (ZnxZ<sup>n</sup> \* →Zn<sup>2</sup> \* )which produces a ciphertext (c ∈Zn<sup>2</sup> \* ).

The Paillier decryption function PD(c):

Given a Paillier public-key, private –key pair and a Paillier ciphertext c∈Zn<sup>2</sup> \* , then the Pailli‐ er decryption function is defined as:

$$PD(c) = \left( L \begin{pmatrix} c^{\lambda} \bmod & n^{2} \end{pmatrix} \mu \right) \bmod \ n \tag{1}$$

#### *4.2.2. Homomorphic addition of two matrices:*

1. Given two encrypted *mXn*matrices *A <sup>P</sup>*(*g*,*n*) and *B <sup>P</sup>*(*g*,*n*) , their homomorphic addition ( *A <sup>P</sup>*(*g*,*n*) + *B <sup>P</sup>*(*g*,*n*) ) = *A* + *B <sup>P</sup>*(*g*,*n*) = *C <sup>P</sup>*(*g*,*n*) ) is carried out by multiplying each ele‐ ment of *A*with its matching element in *B*i.e.

$$\mathbf{II} \mathbf{C} \mathbf{III}\_{l,\cdot}^{P(\mathbf{g},n)} = \left( \mathbf{II} \mathbf{A} \mathbf{III}\_{l,\cdot}^{P(\mathbf{g},n)} \cdot \mathbf{III} \mathbf{B} \mathbf{III}\_{l,\cdot}^{P(\mathbf{g},n)} \right) \mod n^2 \tag{2}$$

#### *4.2.3. Multiplication with encrypted matrices.*

1. Given an encrypted *mXb*matrix *A <sup>P</sup>*(*g*,*n*) and a *bXn*plain-text matrix*B*, ( *A <sup>P</sup>*(*g*,*n*) *X B*) = *AB <sup>P</sup>*(*g*,*n*) = *C <sup>P</sup>*(*g*,*n*) , where *C <sup>P</sup>*(*g*,*n*) is an *mXn*matrix, which can be computed in the following manner:

$$\coprod \mathbf{II} \subset \mathbf{II}\_{l,\cdot}^{P(\cdot \mid \mathcal{G}, n)} = \left( \coprod\_{k=1}^{b} \left( \coprod \mathbf{II} \, A \, \mathbf{II}\_{l,k}^{P(\cdot \mid \mathcal{G}, n)} \right)^{B\_{k,\cdot,j}} \right) \bmod n^2 \tag{3}$$

2. Given an plain-text *mXb*matrix*A* and an encrypted *bXn*matrix *B <sup>P</sup>*(*g*,*n*) (*A X B <sup>P</sup>*(*g*,*n*) ) = *AB <sup>P</sup>*(*g*,*n*) = *C <sup>P</sup>*(*g*,*n*) , where *C <sup>P</sup>*(*g*,*n*) is an *mXn*matrix, which can be computed in the following manner:

$$\mathbf{III} \subset \mathbf{III}\_{l\_{\cdot,\cdot}}^{P(\cdot \mid \mathcal{G}, n)} = \left( \prod\_{k=1}^{b} \left( \mathbf{III} \, \mathbf{III}\_{l\_{\cdot,k}}^{P(\cdot \mid \mathcal{G}, n)} \right)^{A\_{k,\cdot,j}} \right) \mod n^2 \tag{4}$$

#### **4.3. Fixed Point Representation.**

Paillier Key Generation:

**4.** Let*<sup>L</sup>* (u)= (<sup>u</sup> - 1)

PE(m, r)=(g<sup>m</sup> . r

(c ∈Zn<sup>2</sup> \* ).

**2.** Choose a random g <sup>∈</sup> <sup>Z</sup>n<sup>2</sup>

202 New Trends and Developments in Biometrics

chosen uniformly fromZ<sup>n</sup>

**5.** The Paillier public-key pair is (g, n). **6.** The Paillier private-key pair is (λ, µ). The Paillier Encryption function PE(m, r):

n) mod n<sup>2</sup>

The Paillier decryption function PD(c):

er decryption function is defined as:

( *A <sup>P</sup>*(*g*,*n*) + *B <sup>P</sup>*(*g*,*n*)

*4.2.2. Homomorphic addition of two matrices:*

ment of *A*with its matching element in *B*i.e.

*4.2.3. Multiplication with encrypted matrices.*

( *A <sup>P</sup>*(*g*,*n*) *X B*) = *AB <sup>P</sup>*(*g*,*n*)

computed in the following manner:

*C <sup>i</sup>*, *<sup>j</sup> P*(*g*,*n*)

1. Given an encrypted *mXb*matrix *A <sup>P</sup>*(*g*,*n*)

*C <sup>i</sup>*, *<sup>j</sup> P*(*g*,*n*)

1. Given two encrypted *mXn*matrices *A <sup>P</sup>*(*g*,*n*) and *B <sup>P</sup>*(*g*,*n*)

) = *A* + *B <sup>P</sup>*(*g*,*n*)

=( *A <sup>i</sup>*, *<sup>j</sup>*

= *C <sup>P</sup>*(*g*,*n*)

=(∏ *k*=1 *b*

( *A <sup>i</sup>*,*<sup>k</sup> P*(*g*,*n*) ) *Bk* , *<sup>j</sup>*

*P*(*g*,*n*)

choose anotherg until the requirement is met.

\*

<sup>n</sup> , compute µ=(L(g<sup>λ</sup> mod <sup>n</sup>2))-1

**1.** Choose a modulus n=p . q. The modulus is chosen in accordance with the RSAES-OAEP [2] specification, where nhas the properties of a well-chosen RSA modulus.

Given a Paillier public-key pair, choose a message to be encrypted m ∈ Zn, and a randomr

= *C <sup>P</sup>*(*g*,*n*)

⋅ *B <sup>i</sup>*, *<sup>j</sup> P*(*g*,*n*)

, where *C <sup>P</sup>*(*g*,*n*)

**3.** Compute λ = λ(n) =lcm((p - 1), (q - 1)), where λ(n) is the Carmichael function.

.PE(m, r)is a bijection (ZnxZ<sup>n</sup>

Given a Paillier public-key, private –key pair and a Paillier ciphertext c∈Zn<sup>2</sup>

\* ensure that the order of gin modulo n<sup>2</sup>

mod n.

, then the Paillier encryption function is defined as

*PD*(*c*)=(*L* (*c <sup>λ</sup>mod n* 2).*μ*) *mod n* (1)

\* →Zn<sup>2</sup> is a multiple ofn, if not

\* )which produces a ciphertext

, their homomorphic addition

) is carried out by multiplying each ele‐

) *mod n* <sup>2</sup> (2)

and a *bXn*plain-text matrix*B*,

) *mod n* <sup>2</sup> (3)

is an *mXn*matrix, which can be

\* , then the Pailli‐

The Paillier cryptosystem operates over a finite field Z*n*, we extend the cryptosystem to op‐ erate over the reals utilizing a simple Fixed Point representation scheme. Let *s* ∈Zbe some exponent of 10, then for every *r* ∈ R, *r*is represented as( 10*<sup>s</sup> r* ) ∈ Z. An approximation of *r*, can be obtained by*r* ~ <sup>=</sup> <sup>10</sup>*<sup>s</sup> r* <sup>10</sup>*<sup>s</sup>* ∈ R, specifically:


It is to be noted that representing reals with a fixed point representation introduces errors due to truncation, which is directly proportional to the size of *s*chosen. The domain of the encryption function is also truncated from Z*n* to{0,1, …. *<sup>n</sup>* - <sup>1</sup> <sup>10</sup>*<sup>s</sup>* }, whereas extending the fixed point scheme to include negative reals further reduces the encryption domain to {0,1, …. *<sup>n</sup>* - <sup>1</sup> <sup>2</sup> *\** <sup>10</sup>*<sup>s</sup>* }. Since division operations are not properly defined in Paillier, we hold off on downscaling operations in the encrypted domain. A record of the change in scale is kept

after each operation in the encrypted domain; this record is utilized to obtain *r* ~ upon de‐ cryption of the result.

#### **4.4. SLSSP protocol details**



**Figure 4.** SLSSP protocol illustration.

optimal performance.

**5. Biometric Crypto Key Experiment & Application Showcase**

A modified finger-code approach is used to represent a fingerprint as an *attribute* vector. Several concentric circles are extended from a chosen core point; these concentric circles are further divided into sectors. Each of the sectors forms the boundary of one coding region representing the fingerprint. The Euclidean distance of the farthest and closest minutia points within each coding region in relation to the core point is normalized to a value be‐ tween 0 and 255. These values make up the above described *attribute* vector. The length of the attribute vector; i.e., the number and area of each coding region is a variable chosen for

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

http://dx.doi.org/10.5772/51372

205

**5.1. Generation and retrieval of cryptographic keys from fingerprints**

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints http://dx.doi.org/10.5772/51372 205

**Figure 4.** SLSSP protocol illustration.

α2 Compute and Send ( *A*1 *<sup>P</sup>*(*g*α,*n*α) )and ( *b*1 *<sup>P</sup>*(*g*α,*n*α) ) to PARTY β.

204 New Trends and Developments in Biometrics

α4 Compute and send to PARTY β: ( *P*1(*A*1 + *A*2) *<sup>P</sup>*(*g*β,*n*β) )

α6 Send the following to party β:

the solution *x <sup>P</sup>*(*g*β,*n*β)

multiplying *v* -1

α9 Send *x <sup>P</sup>*(*g*β,*n*β)

α10 Receive *x <sup>P</sup>*(*g*α,*n*α)

VERIFICATION PHASE:

Obtain the solution *x*

obtained in step α3:

elements close to zero.

**Table 1.** SLSSP protocol details

α7 Send ( *<sup>v</sup>*-1 *<sup>P</sup>*(*g*α,*n*α) )to PARTY β, where *<sup>v</sup>* -1

α8 Receive *X* 1from partyβ, (step β7) and compute

α10 Compute the mx1 vector using the information

*c***α**= ( ((*A*1 + *A*2)*x*) - (*b*1 + *b*2) *<sup>P</sup>*(*g*β,*n*β) )

For each verification request from PARTY β, require that one PARTY α's verification request is processed reciprocally. Abort at any **cα***i*,1 if PARTY β is unable to prove that the decryption of **cα***i*,1∈γ

α11 For each element in **cα***i*,1, utilizing the zeroknowledge proof protocol specified in the appendix, verify with party β that **cα***i*,1is an encryption of some element within a setγ, where the set γcontains a finite list of fixed point

to *X* 1

*Y <sup>P</sup>*(*g*β,*n*β)

squared.

PARTY β.

α3 Receive( *A*2 *<sup>P</sup>*(*g*β,*n*β) ) and ( *b*2 *<sup>P</sup>*(*g*β,*n*β) ) from

=( ( (*P*1(*b*<sup>1</sup> <sup>+</sup> *<sup>b</sup>*2)*<sup>v</sup> <sup>T</sup>* ) ) *<sup>P</sup>*(*g*β,*n*β)

by homomorphically

from PARTY β and decrypt to

conjugate transpose of*v* divided by its magnitude

β2 Receive ( *A*1 *<sup>P</sup>*(*g*α,*n*α) ) and ( *b*1 *<sup>P</sup>*(*g*α,*n*α)

β3 Compute and Send ( *A*2 *<sup>P</sup>*(*g*β,*n*β) ) and ( *b*2 *<sup>P</sup>*(*g*β,*n*β) ) to PARTY α.

β4 Receive and decrypt matrix obtained from step α4 to obtain a *m*X*m* matrix: ( *P*1(*A*1 + *A*2) )

β6 Receive from PARTY α (Step α6), and decrypt to

*X* 1, utilizing **Y.** Send *X* 1 to PARTY α.

homomorphically multiplying (**R\*Y**)to

to PARTY α.

β10 Compute the mx1 vector using the information

*c***β**= ( ((*A*1 + *A*2)*x*) - (*b*1 + *b*2) *<sup>P</sup>*(*g*α,*n*α) )

For each verification request from PARTY α, require that one PARTY β's verification request is processed reciprocally. Abort at any **cβ***i*,1 ifPARTY α is unable to prove that the decryption

β11 For each element in **cβ***i*,1, utilizing the zeroknowledge proof protocol specified in the appendix, verify with party α that **cβ***i*,1is an encryption of some element within a setγ, where the set γcontains a finite list of fixed

point elements close to zero.

of **cβ***i*,1∈γ

obtain *Y* = *P*1(*b*1 + *b*2)*v <sup>T</sup>*

β7 Receive *v*-1 *<sup>P</sup>*(*g*α,*n*α)

( *<sup>v</sup>*-1 *<sup>P</sup>*(*g*α,*n*α) )

β10 Send *x <sup>P</sup>*(*g*α,*n*α)

*X* 1= **R\***(**Y**) *<sup>P</sup>*(*g*β,*n*β)

β8 Compute the solution *x <sup>P</sup>*(*g*α,*n*α)

to Obtain the solution *x*

obtained in step β2:

( (*P*1(*A*1 + *A*2)) ) to obtain *R* =((*P*1(*A*1 + *A*2)))-1

from step α7 and compute

by

from PARTY α and decrypt

PARTY α.

α5 Compute ( (*P*1(*b*<sup>1</sup> <sup>+</sup> *<sup>b</sup>*2)*<sup>v</sup> <sup>T</sup>* ) *<sup>P</sup>*(*g*β,*n*β) ) β5 Compute the Moore–Penrose Pseudoinverse of

)

is the

to PARTY β β9 Receive *x <sup>P</sup>*(*g*β,*n*β)

)from

## **5. Biometric Crypto Key Experiment & Application Showcase**

#### **5.1. Generation and retrieval of cryptographic keys from fingerprints**

A modified finger-code approach is used to represent a fingerprint as an *attribute* vector. Several concentric circles are extended from a chosen core point; these concentric circles are further divided into sectors. Each of the sectors forms the boundary of one coding region representing the fingerprint. The Euclidean distance of the farthest and closest minutia points within each coding region in relation to the core point is normalized to a value be‐ tween 0 and 255. These values make up the above described *attribute* vector. The length of the attribute vector; i.e., the number and area of each coding region is a variable chosen for optimal performance.

In this proposed method, generation of a cryptographic *Key* utilizable with strong symmet‐ ric encryption algorithms such as AES256 is straightforward. The *Key* generation phase es‐ sentially involves generation of a vector called the *k-vector,* whose length exactly equals the *attribute* vector. The *k-vector* consists of a series of random integers between 0 and 255. A fin‐ gerprint template attribute vector (T) is obtained to lock the *k-vector* (K); elementary addition of the two vectors (K + T) produces the locked vector (KL). The unlocking process begins by deriving an error laden version of K. This is done by procuring a fingerprint sample attrib‐ ute vector (S), and elementary subtraction (KL - S) to obtain an error laden k-vector (KE). KE typically is not exactly identical to K. It cannot be directly utilized for the decryption of data encrypted with K. Measuring any physical object produces an error between measurements. Hence it is unlikely that matching minutia points in T and S will completely cancel each oth‐ er during the locking and unlocking process. Our secure computation protocol, SIPPA is uti‐ lized to determine the deviation between KE and K. If the party with KE deems sufficient similar, it will send *helper data* (as described in the SIPPA section 6) which allows the party with KE to derive K.

A perfect copy of K is retained at a 3rd party called the SIPPA server, and the SIPPA client engages with the SIPPA server utilizing KE to obtain a reconstruction of K, if the server deems similarity. SIPPA also guarantees that no information that each of the parties possess‐ es will leak to the other party in the case where T & S are dissimilar.

Figure 5 details the exact parameters utilized by us in our Key generation and retrieval algo‐ rithm, A Futronic FS88 [28] fingerprint scanner was utilized to capture fingerprints and a commercial algorithm (Neurotechnology's Verifinger v6.3 [29]) was used to extract minutia and core point coordinates from fingerprints.

**Figure 5.** Cryptographic locking and unlocking illustration.

vectors. Each of these splits yields a vector*Xi*

**Figure 6.** SIPPA-2.0 complexity performance.

reported in figure 6.

Because of the overheads involved in the matrix encryption and decryption process within our secure computation protocol (SLSSP), it becomes impractical to directly engage in SIP‐ PA-2.0 with a 320x1 vector. An experiment was conducted to determine the performance of SIPPA-2.0 with various vector sizes, i.e., the 320x1 vector was split into 10x1, 16x1 and 20x1

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

http://dx.doi.org/10.5772/51372

207

core 3Ghz machine with 4Gb RAM) with actual fingerprint data at each split size(10,16,20). The average time to process the 320x1 vector at each of the three diffrent split parameters is

, 100 such experiments were conducted (dual-

#### **5.2. Secure Computation of Angular Deviation**

In order to assess SIPPA-2.0's usability in privacy preserving fingerprint biometrics, we con‐ ducted our performance analysis with the publicly availalble CASIA-FingerprintV5 data‐ base [38]. The database contains five diffrent digital impressions of each finger from 500 subjects. Each of these fingerprint images were converted to our custom fingercode format (as described in figure 8), which yields a 320x1 vector. NEUROtechnology's Verifinger SDK was utilized to orient and extract minutia, corepoints from the fingerprint images.For each session, a random key of size 320x1 of integers in the range 0 and 255 (i.e., 320x256=81920 bits) was generated (R), to which the fingercode vector (T) is added to obtain the vector (R +T). Party A possesses the key vector (R), whereas Party B possesses the vector (R+T). An impostor session is generated by subtracting the fingercode vector of a finger other than (T) from (R+T) to yield (IM), whreas a true user session is generated by subtracting the finger‐ code vector of a diffrent impression of (T) to yield (TU). SIPPA-2.0 is utilized as the match‐ ing function which compares [(R) vs (IM)] or [(R) vs (TU)] where the similarity score can either be the angle between the securely computed vector (X) (vector X is the final output of SIPPA-2.0) and (R), or the euclidean distance between the vector (X) and (R).

**Figure 5.** Cryptographic locking and unlocking illustration.

In this proposed method, generation of a cryptographic *Key* utilizable with strong symmet‐ ric encryption algorithms such as AES256 is straightforward. The *Key* generation phase es‐ sentially involves generation of a vector called the *k-vector,* whose length exactly equals the *attribute* vector. The *k-vector* consists of a series of random integers between 0 and 255. A fin‐ gerprint template attribute vector (T) is obtained to lock the *k-vector* (K); elementary addition of the two vectors (K + T) produces the locked vector (KL). The unlocking process begins by deriving an error laden version of K. This is done by procuring a fingerprint sample attrib‐ ute vector (S), and elementary subtraction (KL - S) to obtain an error laden k-vector (KE). KE typically is not exactly identical to K. It cannot be directly utilized for the decryption of data encrypted with K. Measuring any physical object produces an error between measurements. Hence it is unlikely that matching minutia points in T and S will completely cancel each oth‐ er during the locking and unlocking process. Our secure computation protocol, SIPPA is uti‐ lized to determine the deviation between KE and K. If the party with KE deems sufficient similar, it will send *helper data* (as described in the SIPPA section 6) which allows the party

A perfect copy of K is retained at a 3rd party called the SIPPA server, and the SIPPA client engages with the SIPPA server utilizing KE to obtain a reconstruction of K, if the server deems similarity. SIPPA also guarantees that no information that each of the parties possess‐

Figure 5 details the exact parameters utilized by us in our Key generation and retrieval algo‐ rithm, A Futronic FS88 [28] fingerprint scanner was utilized to capture fingerprints and a commercial algorithm (Neurotechnology's Verifinger v6.3 [29]) was used to extract minutia

In order to assess SIPPA-2.0's usability in privacy preserving fingerprint biometrics, we con‐ ducted our performance analysis with the publicly availalble CASIA-FingerprintV5 data‐ base [38]. The database contains five diffrent digital impressions of each finger from 500 subjects. Each of these fingerprint images were converted to our custom fingercode format (as described in figure 8), which yields a 320x1 vector. NEUROtechnology's Verifinger SDK was utilized to orient and extract minutia, corepoints from the fingerprint images.For each session, a random key of size 320x1 of integers in the range 0 and 255 (i.e., 320x256=81920 bits) was generated (R), to which the fingercode vector (T) is added to obtain the vector (R +T). Party A possesses the key vector (R), whereas Party B possesses the vector (R+T). An impostor session is generated by subtracting the fingercode vector of a finger other than (T) from (R+T) to yield (IM), whreas a true user session is generated by subtracting the finger‐ code vector of a diffrent impression of (T) to yield (TU). SIPPA-2.0 is utilized as the match‐ ing function which compares [(R) vs (IM)] or [(R) vs (TU)] where the similarity score can either be the angle between the securely computed vector (X) (vector X is the final output of

SIPPA-2.0) and (R), or the euclidean distance between the vector (X) and (R).

es will leak to the other party in the case where T & S are dissimilar.

and core point coordinates from fingerprints.

**5.2. Secure Computation of Angular Deviation**

with KE to derive K.

206 New Trends and Developments in Biometrics

Because of the overheads involved in the matrix encryption and decryption process within our secure computation protocol (SLSSP), it becomes impractical to directly engage in SIP‐ PA-2.0 with a 320x1 vector. An experiment was conducted to determine the performance of SIPPA-2.0 with various vector sizes, i.e., the 320x1 vector was split into 10x1, 16x1 and 20x1 vectors. Each of these splits yields a vector*Xi* , 100 such experiments were conducted (dualcore 3Ghz machine with 4Gb RAM) with actual fingerprint data at each split size(10,16,20). The average time to process the 320x1 vector at each of the three diffrent split parameters is reported in figure 6.


**Figure 6.** SIPPA-2.0 complexity performance.

Due to SIPPA-2.0's complexity constraints, an extensive experiment directly utilizing SIP‐ PA-2.0 was ruled out. Since SLSSP is theoretically guaranteed to produce a correct solution *x*, we conducted our experiment by replacing SLSSP with a standard linear algebra package (EJML) to solve for *x*in the algebraic system (**de•de** T + **dv•dv** T)*x* = λde **v de** + λdv **v dv.** The error between SLSSP's solution *x*, and the solution produced EJML was determined experi‐ mentally to be always less than 4.77E-8 in over 6800 trials.

also conducted at other split dimensions i.e. 15, 20; however they produced inferior or simi‐ lar results with an exponentially increased processing times. No obvious methods (addi‐ tion, scaling etc.) of combining the ED and Ang scores yielded better results suggesting possible dependency (between the two) that will deserve further research. Of the over 50,000 instances where helper data was sent to reconstruct the random key R, R was always recon‐ structed successfully except 6 instances out of the over 50,000 instances. We postulate that this is due to the sensitivities in finite precision arithmetic. In these 6 instances, the number of errors in the 320 integers constituting the random key R ranges between one and four. To safeguard against this remote possibility, R can be encoded in error correction codes, allow‐

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

http://dx.doi.org/10.5772/51372

209

For proof of concept, we show a use case of SIPPA-2.0 for emergency health data manage‐ ment on an Android device. The diagram in figure 9 shows a scenario on an emergency res‐ ponder using his/her Android phone to retrieve the emergency health data from the Android phone of an unconscious individual. In the enrolment process, the emergency health data of the individual is first encrypted and stored in the Shared Preference of his/her Android device. Furthermore, the fingerprint of the individual, together with a random noise vector generated by a third party, are used to encode the decryption key, and the en‐

ing for correcting R when the reconstruction fails due to a few errors.

**5.3. Android app prototype for emergency health data retrieval**

coded decryption key is also stored in the Shared Preference.

**Figure 9.** Use Case on applying SIPPA for emergency health data on an Andriod device.

**Figure 7.** SIPPA-2.0 Performance (Split 10x1), ED(R vs. X).

**Figure 8.** SIPPA-2.0 Performance (Split 10x1), Ang(R vs. X).

To assess SIPPA-2.0's ability to securely distinguish between True Users and Impostors we obtained over 20,000 unique True User sessions (20k-TU) and 20,000 unique Impostor ses‐ sions (20k-IM) from the extensive CASIA-FingerprintV5 database as described in the previ‐ ous paragraphs. The ROC plot for (20k-TU) with (20k-IM) is provided in figure 7, a SIPPA-2.0 split dimension of 10X1 was utilized, and the 32 Euclidean distance (ED) scores ( ED(R vs. *x*) ) per session was aggregated into one similarity score by obtaining their Geometric Mean. The ROC plot (20k-TU) with (20k-IM) where a SIPPA-2.0 split dimension of 10X1 was utiliz‐ ed, and the 32 dot product(Ang) scores( Ang(R vs. *x* )) per session was aggregated into one similarity score by obtaining their Geometric Mean is provided in figure 8. Experiments were also conducted at other split dimensions i.e. 15, 20; however they produced inferior or simi‐ lar results with an exponentially increased processing times. No obvious methods (addi‐ tion, scaling etc.) of combining the ED and Ang scores yielded better results suggesting possible dependency (between the two) that will deserve further research. Of the over 50,000 instances where helper data was sent to reconstruct the random key R, R was always recon‐ structed successfully except 6 instances out of the over 50,000 instances. We postulate that this is due to the sensitivities in finite precision arithmetic. In these 6 instances, the number of errors in the 320 integers constituting the random key R ranges between one and four. To safeguard against this remote possibility, R can be encoded in error correction codes, allow‐ ing for correcting R when the reconstruction fails due to a few errors.

## **5.3. Android app prototype for emergency health data retrieval**

Due to SIPPA-2.0's complexity constraints, an extensive experiment directly utilizing SIP‐ PA-2.0 was ruled out. Since SLSSP is theoretically guaranteed to produce a correct solution *x*, we conducted our experiment by replacing SLSSP with a standard linear algebra package (EJML) to solve for *x*in the algebraic system (**de•de** T + **dv•dv** T)*x* = λde **v de** + λdv **v dv.** The error between SLSSP's solution *x*, and the solution produced EJML was determined experi‐

To assess SIPPA-2.0's ability to securely distinguish between True Users and Impostors we obtained over 20,000 unique True User sessions (20k-TU) and 20,000 unique Impostor ses‐ sions (20k-IM) from the extensive CASIA-FingerprintV5 database as described in the previ‐ ous paragraphs. The ROC plot for (20k-TU) with (20k-IM) is provided in figure 7, a SIPPA-2.0 split dimension of 10X1 was utilized, and the 32 Euclidean distance (ED) scores ( ED(R vs. *x*) ) per session was aggregated into one similarity score by obtaining their Geometric Mean. The ROC plot (20k-TU) with (20k-IM) where a SIPPA-2.0 split dimension of 10X1 was utiliz‐ ed, and the 32 dot product(Ang) scores( Ang(R vs. *x* )) per session was aggregated into one similarity score by obtaining their Geometric Mean is provided in figure 8. Experiments were

mentally to be always less than 4.77E-8 in over 6800 trials.

208 New Trends and Developments in Biometrics

**Figure 7.** SIPPA-2.0 Performance (Split 10x1), ED(R vs. X).

**Figure 8.** SIPPA-2.0 Performance (Split 10x1), Ang(R vs. X).

For proof of concept, we show a use case of SIPPA-2.0 for emergency health data manage‐ ment on an Android device. The diagram in figure 9 shows a scenario on an emergency res‐ ponder using his/her Android phone to retrieve the emergency health data from the Android phone of an unconscious individual. In the enrolment process, the emergency health data of the individual is first encrypted and stored in the Shared Preference of his/her Android device. Furthermore, the fingerprint of the individual, together with a random noise vector generated by a third party, are used to encode the decryption key, and the en‐ coded decryption key is also stored in the Shared Preference.

**Figure 9.** Use Case on applying SIPPA for emergency health data on an Andriod device.


During the retrieval process, the emergency responder will first establish a WiFi connection with the individual's Android device and retrieve the encrypted personal emergency health data and the encoded decryption key. The emergency responder will then use a built-in or wireless bluetooth fingerprint scanner to capture the indvidual's fingerpint for decoding the decryption key. The decoded fingerprint is then transmitted to the third party for noise re‐ moval to arrive at a sufficently close decrpytion key. The third party then acts as a SIPPA-2.0 client to interact with the SIPPA-2.0 server, and reconstruct the orginal decryption key based on the helper data provided by the SIPPA-2.0 server. The reconstrcted original key is sent back to the emergency responder for decrypting the personal emergency health data. The

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

http://dx.doi.org/10.5772/51372

211

In this book chapter we present a novel mechanism for generating and retrieving crypto‐ graphic *keys* from fingerprints. Our approach brings together the worlds of biometrics and cryptography bytackling the problem of generating revocable repeatable keys (binary strings) from biometric channels which are by their nature noisy. Our scheme efficiently gener‐ ates strong keys (256 bits) from fingerprint biometrics where there is no direct mapping of a key to the fingerprint from which it was generated. The entire key space is utilized where different keys can be produced from the same fingerprint for varying applications. Our scheme makes possible various new applications where there is a requirement for the strong coupling of an identity to cryptographic applications. For instance, data can be encrypted utilizing biometrics such as fingerprints where the key is linked to a person's physiology, oran individual's identity can be verified without the need for a central database of finger‐ prints.Such approaches allow for users to retain complete control of their data. It is not nec‐ essary for them to store their private data at a third party, thus alleviating privacy concerns. A use case utilizing our cryptographic key generation protocol is also presented; where health data is encrypted with a user's fingerprint and privately stored in a user's smart‐ phone for secure retrieval during emergency scenarios. We also present our newly devel‐ oped secure computation protocol called SIPPA-2.0, which is central to the cryptographic key generation protocol.Additionally, SIPPA-2.0 is shown to be provably correct, with an included security analysis proving SIPPA-2.0 to be secure under the semi-honest and semimalicious models. Experiments revealing acceptable computational performance including

UML class diagram in figure 10 illustrates the overall structural design.

ROC's indicating usability in practical scenarios are also presented.

Our future plans for this research include exploiting the parallelizability of our protocol to increase performance through a parallel architecture, and exploring recent non-minutia based fingerprint representation/comparison developments to improve segregation per‐

**6. Conclusion**

formance.

**Figure 9.1.** Figure 9 Legend.

**Figure 10.** UML class diagram of the overall structural design.

During the retrieval process, the emergency responder will first establish a WiFi connection with the individual's Android device and retrieve the encrypted personal emergency health data and the encoded decryption key. The emergency responder will then use a built-in or wireless bluetooth fingerprint scanner to capture the indvidual's fingerpint for decoding the decryption key. The decoded fingerprint is then transmitted to the third party for noise re‐ moval to arrive at a sufficently close decrpytion key. The third party then acts as a SIPPA-2.0 client to interact with the SIPPA-2.0 server, and reconstruct the orginal decryption key based on the helper data provided by the SIPPA-2.0 server. The reconstrcted original key is sent back to the emergency responder for decrypting the personal emergency health data. The UML class diagram in figure 10 illustrates the overall structural design.

## **6. Conclusion**

**Figure 9.1.** Figure 9 Legend.

210 New Trends and Developments in Biometrics

**Figure 10.** UML class diagram of the overall structural design.

In this book chapter we present a novel mechanism for generating and retrieving crypto‐ graphic *keys* from fingerprints. Our approach brings together the worlds of biometrics and cryptography bytackling the problem of generating revocable repeatable keys (binary strings) from biometric channels which are by their nature noisy. Our scheme efficiently gener‐ ates strong keys (256 bits) from fingerprint biometrics where there is no direct mapping of a key to the fingerprint from which it was generated. The entire key space is utilized where different keys can be produced from the same fingerprint for varying applications. Our scheme makes possible various new applications where there is a requirement for the strong coupling of an identity to cryptographic applications. For instance, data can be encrypted utilizing biometrics such as fingerprints where the key is linked to a person's physiology, oran individual's identity can be verified without the need for a central database of finger‐ prints.Such approaches allow for users to retain complete control of their data. It is not nec‐ essary for them to store their private data at a third party, thus alleviating privacy concerns. A use case utilizing our cryptographic key generation protocol is also presented; where health data is encrypted with a user's fingerprint and privately stored in a user's smart‐ phone for secure retrieval during emergency scenarios. We also present our newly devel‐ oped secure computation protocol called SIPPA-2.0, which is central to the cryptographic key generation protocol.Additionally, SIPPA-2.0 is shown to be provably correct, with an included security analysis proving SIPPA-2.0 to be secure under the semi-honest and semimalicious models. Experiments revealing acceptable computational performance including ROC's indicating usability in practical scenarios are also presented.

Our future plans for this research include exploiting the parallelizability of our protocol to increase performance through a parallel architecture, and exploring recent non-minutia based fingerprint representation/comparison developments to improve segregation per‐ formance.

## **7. Appendix: Security Analysis**

We approach the security analysis of SLSSP through the following steps. We first define the notion of perfect secrecy. We then analyze the cryptographic primitives employed by SLSSP and the protocol itself using the notion of perfect secrecy. To show that SLSSP is secure un‐ der semi-honest and semi-malicious models, we adopt a zero-knowledge proof protocol that can verify a given cipher text in SLSSP is indeed a Paillier encryption of its corresponding message; thus providing a mechanism to detect malicious behavior and to guarantee cor‐ rectness with perfect secrecy.

for*C*. Let (**R**∈*GL <sup>n</sup>*(Z*p*)), be the set of possible keys, i.e., the sample space for*R*. Note that

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

*s*

*PA*(*m*)*PR*(*k*)

(5)

213

2. Let (*l* ∈**C**)be a possible ciphertext, and given the independence of *A*and *R*then:

*PR*(*k*)= <sup>1</sup>

*s* \* ( <sup>∑</sup> *m*∈A,*k*∈ℛ *l*=(*m*\**k*)

*s*

4. Because*l*, *m*uniquely determine k(given *l*and*m* there exists exactly one *k*that satisfies the encryption equation (*l* =(*m\*k*)), every *m*∈**A**occurs exactly once in the above summation;

6. Since knowledge of (*A*, *R*) or(*A*, *C*) is sufficient to completely know

In an ideal Secure Computation protocol, where there are no assumptions made about mali‐ ciousness or computational capabilities of the parties involved; no participant learns any‐ thing about any other's private input(s) apart from any advantage obtained from the malleability of a legitimate output. In the semi-honest model[37], the parties involved are limited to PP [34] complexity, are assumed to follow the defined protocol honestly but are allowed to retain a transcript of all communication, which they can utilize to obtain informa‐ tion about other party's private input(s). In the semi-malicious model[37], parties are still re‐ stricted to PP complexity, whereas they are allowed to manipulate the secure computation

*PA*(*m*)

: (6)

) (7)

http://dx.doi.org/10.5772/51372

*PC*(*l*)= <sup>∑</sup> *<sup>m</sup>*∈*<sup>A</sup>* , *<sup>k</sup>*∈*<sup>R</sup> l* =(*m\*k*)

*PC*(*l*)=<sup>1</sup>

*s* =|*GL <sup>n</sup>*(Z*p*)|= ∏

3. Since

therefore *PC*(*l*)= <sup>1</sup>

*s*

5. Since *PC*(*l*) = *PR*(*k*) for all *l*and*k*, *H* (*C*)=*H* (*R*)

7. Since *M* and *K*are independent, *H* (*A*, *R*)=*H* (*A*) + *H* (*R*)

8. By the chain rule for conditional entropy, *H* (*A*, *C*)=*H* (*A*|*C*) + *H* (*C*)

9. From (5),(7),(8) we obtain*H* (*A*|*C*)=*H* (*A*); Proving *Perfect Secrecy.*

(*A*, *C*, *R*), *H* (*A*, *R*, *C*)=*H* (*A*, *R*)= *H* (*A*, *C*)

**7.3. Security Analysis of the SLSSP protocol:**

*i*=0 *i*=*n*-1

(*p <sup>n</sup>* - *p <sup>i</sup>*) 33 .

1. Let (*<sup>k</sup>* <sup>∈</sup>**R**)be a possible key, then *PR*(*k*)= <sup>1</sup>

#### **7.1. General Assumptions**

Throughout this section the security analysis is carried out in the Random Oracle model [36]; i.e., every party is assumed to have access to a Random Oracle where ideal hash func‐ tions and true random generators are available.

#### *Perfect Secrecy*:

Given a Cryptosystem, Plaintext (**M**), a Key (**K**) and Ciphertext (**C**); *Perfect Secrecy* [30] or *Information Theoretic Security* is an attribute assigned to Cryptosystems where knowledge of the Ciphertext provides no additional information about the original Plaintext independent of the computational power of an adversary. More specifically, a Cryptosystem has *Perfect Secrecy* if uncertainty within the Plaintext equals uncertainty within the Plaintext given the Ciphertext; i.e. utilizing Shannon Entropy, *Perfect Secrecy* can be defined as *H* (*M* | *C*)=*H* (*M* ).

#### **7.2. Security Analysis of cryptographic primitives in SLSSP**

### *Multiplication of candidate matrix with a random matrix.*

At time **t1,** Alice wants to securely send an **nXn** matrix *A*∈*GL <sup>n</sup>*(Z*p*)(*p* is a prime)[31] to Bob over an authenticated channel [32], where Eve can intercept and store any messages over the channel. Eve is assumed to possess unbounded computational power. Alice wants to be as‐ sured that the matrix A is being sent with *Perfect Secrecy;* i.e., Eve should not be able to ob‐ tain any information about A due to knowledge of data sent over the channel.

Alice also has access at some time **t0** (**t0** < **t1** ) to a secure channel [32] with Bob. Alice shares a random nXn matrix *R*chosen uniformly from *GL <sup>n</sup>*(Z*p*) with Bob. At time **t1,** through the au‐ thenticated channel Alice sends *C* =(*A\*R*)to Bob. To decrypt and obtain matrix*A*, Bob calcu‐ lates*A*=(*C\*R* -1). Alice and Bob, discard *R*and do not use it to encrypt any other messages. Assuming that Eve only has knowledge of*C*, to prove *Perfect Secrecy* it will be sufficient to show that*H* (*A*|*C*)=*H* (*A*). Let (**A**∈*GL <sup>n</sup>*(Z*p*)), be the set of possible plaintexts, i.e, the sam‐ ple space for*A*. Let (**C**∈*GL <sup>n</sup>*(Z*p*)), be the set of possible ciphertexts, i.e. the sample space for*C*. Let (**R**∈*GL <sup>n</sup>*(Z*p*)), be the set of possible keys, i.e., the sample space for*R*. Note that *s* =|*GL <sup>n</sup>*(Z*p*)|= ∏ *i*=0 *i*=*n*-1 (*p <sup>n</sup>* - *p <sup>i</sup>*) 33 .

1. Let (*<sup>k</sup>* <sup>∈</sup>**R**)be a possible key, then *PR*(*k*)= <sup>1</sup> *s*

2. Let (*l* ∈**C**)be a possible ciphertext, and given the independence of *A*and *R*then:

$$P\_{\subset} \text{(l)} = \sum\_{\substack{m \in A \ \text{(}k \in R\text{)}}} P\_A(m) P\_R(k) \tag{5}$$

3. Since

**7. Appendix: Security Analysis**

212 New Trends and Developments in Biometrics

rectness with perfect secrecy.

**7.1. General Assumptions**

*Perfect Secrecy*:

*H* (*M* | *C*)=*H* (*M* ).

tions and true random generators are available.

**7.2. Security Analysis of cryptographic primitives in SLSSP**

*Multiplication of candidate matrix with a random matrix.*

We approach the security analysis of SLSSP through the following steps. We first define the notion of perfect secrecy. We then analyze the cryptographic primitives employed by SLSSP and the protocol itself using the notion of perfect secrecy. To show that SLSSP is secure un‐ der semi-honest and semi-malicious models, we adopt a zero-knowledge proof protocol that can verify a given cipher text in SLSSP is indeed a Paillier encryption of its corresponding message; thus providing a mechanism to detect malicious behavior and to guarantee cor‐

Throughout this section the security analysis is carried out in the Random Oracle model [36]; i.e., every party is assumed to have access to a Random Oracle where ideal hash func‐

Given a Cryptosystem, Plaintext (**M**), a Key (**K**) and Ciphertext (**C**); *Perfect Secrecy* [30] or *Information Theoretic Security* is an attribute assigned to Cryptosystems where knowledge of the Ciphertext provides no additional information about the original Plaintext independent of the computational power of an adversary. More specifically, a Cryptosystem has *Perfect Secrecy* if uncertainty within the Plaintext equals uncertainty within the Plaintext given the Ciphertext; i.e. utilizing Shannon Entropy, *Perfect Secrecy* can be defined as

At time **t1,** Alice wants to securely send an **nXn** matrix *A*∈*GL <sup>n</sup>*(Z*p*)(*p* is a prime)[31] to Bob over an authenticated channel [32], where Eve can intercept and store any messages over the channel. Eve is assumed to possess unbounded computational power. Alice wants to be as‐ sured that the matrix A is being sent with *Perfect Secrecy;* i.e., Eve should not be able to ob‐

Alice also has access at some time **t0** (**t0** < **t1** ) to a secure channel [32] with Bob. Alice shares a random nXn matrix *R*chosen uniformly from *GL <sup>n</sup>*(Z*p*) with Bob. At time **t1,** through the au‐ thenticated channel Alice sends *C* =(*A\*R*)to Bob. To decrypt and obtain matrix*A*, Bob calcu‐ lates*A*=(*C\*R* -1). Alice and Bob, discard *R*and do not use it to encrypt any other messages. Assuming that Eve only has knowledge of*C*, to prove *Perfect Secrecy* it will be sufficient to show that*H* (*A*|*C*)=*H* (*A*). Let (**A**∈*GL <sup>n</sup>*(Z*p*)), be the set of possible plaintexts, i.e, the sam‐ ple space for*A*. Let (**C**∈*GL <sup>n</sup>*(Z*p*)), be the set of possible ciphertexts, i.e. the sample space

tain any information about A due to knowledge of data sent over the channel.

$$P\_R(k) = \prescript{1}{}{\int}\_s \colon \tag{6}$$

$$P\_C(l) = \left| \int\_s \ast \left( \sum\_{m \in \mathbb{A}, k \in \mathcal{R} \atop l = \{m^\*k\}} P\_A(m) \right) \right| \tag{7}$$

4. Because*l*, *m*uniquely determine k(given *l*and*m* there exists exactly one *k*that satisfies the encryption equation (*l* =(*m\*k*)), every *m*∈**A**occurs exactly once in the above summation; therefore *PC*(*l*)= <sup>1</sup> *s*

5. Since *PC*(*l*) = *PR*(*k*) for all *l*and*k*, *H* (*C*)=*H* (*R*)

6. Since knowledge of (*A*, *R*) or(*A*, *C*) is sufficient to completely know (*A*, *C*, *R*), *H* (*A*, *R*, *C*)=*H* (*A*, *R*)= *H* (*A*, *C*)

7. Since *M* and *K*are independent, *H* (*A*, *R*)=*H* (*A*) + *H* (*R*)

8. By the chain rule for conditional entropy, *H* (*A*, *C*)=*H* (*A*|*C*) + *H* (*C*)

9. From (5),(7),(8) we obtain*H* (*A*|*C*)=*H* (*A*); Proving *Perfect Secrecy.*

#### **7.3. Security Analysis of the SLSSP protocol:**

In an ideal Secure Computation protocol, where there are no assumptions made about mali‐ ciousness or computational capabilities of the parties involved; no participant learns any‐ thing about any other's private input(s) apart from any advantage obtained from the malleability of a legitimate output. In the semi-honest model[37], the parties involved are limited to PP [34] complexity, are assumed to follow the defined protocol honestly but are allowed to retain a transcript of all communication, which they can utilize to obtain informa‐ tion about other party's private input(s). In the semi-malicious model[37], parties are still re‐ stricted to PP complexity, whereas they are allowed to manipulate the secure computation protocol, retain a transcript of all communication, which they can utilize to influence the outcome of the protocol and to obtain information about other party's private input(s). It is assumed in all these models that secure channels are utilized for inter-party communication.

5. **V** checks and accepts that *m'* =*m*if

an encryption of zero, i.e.*z* =*r <sup>n</sup> mod n* <sup>2</sup>

4. From (1),(2),(3), we get that, i *f* (*m'*

(*g <sup>m</sup> '* - *<sup>m</sup>* . *r <sup>n</sup> mod n* 2) where (*g <sup>m</sup> '* - *<sup>m</sup>* ≠1).

*mod n* 2).

8. From (5), (6), (7) we get that:*if* ( ¬(*m'*

*Completeness –Prover P and verifier V are assumed to be honest:*

(*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) = (*qnr en*)*mod n* <sup>2</sup>

(*q <sup>n</sup>* . *r en mod n* 2).

(*q <sup>n</sup>* . *r en mod n* 2).

(*q <sup>n</sup>* . *r en mod n* 2).

(*q <sup>n</sup>* . (*g <sup>m</sup> '* - *<sup>m</sup>* . *r <sup>n</sup>*)*<sup>e</sup>*

true that:(*m'*

modulo *n* <sup>2</sup>

*h* = *k <sup>n</sup>* . *z* -*<sup>e</sup> mod n* <sup>2</sup>

gcd (*h* , *n*)=1 , gcd (*k*, *n*)=1and (*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2) i.e.,

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

http://dx.doi.org/10.5772/51372

215

1. Assume that*m'* =*m*,then *z*as computed by **V** in Step-1 of the Zero-Knowledge protocol is

2.(*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2), from the verification in Step-5 of the protocol can be rewritten as

3. Due to assumption in (1), (*h* .*z <sup>e</sup> mod n* 2), from the verification in Step-5 can be rewritten as

5. Assume that*m'* ≠*m*, then *z*as computed by **V** in Step-1 of the protocol equals

6.(*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2), from the verification in Step-5 of the protocol can be rewritten as

7. Due to assumption in (5)(*h* .*z <sup>e</sup> mod n* 2), from the verification in Step-5 can be rewritten as

9. Since the verifier **V**, checks the equality in Step-5 of the protocol as a condition for accept‐ ance, from (4), (8), it is shown that the verifier **V** is correct in his conviction i.e. it is indeed

1. Assume that a cheating prover **P\*** is trying to convince **V** that*m'* =*m*, where in actuality, (*m'* - *m*) ≠0.Therefore **P\*** would try to show that(*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2), where **P\***

2. Any choice of *k*sent by party **P\*** in Step-4 of the protocol will yield the **n** th power of *k*in

3. Since the **P\*** has to show that (*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2) and has no control over *z <sup>e</sup>*

4. (3) presumes knowledge of*z*and*e*. It is to be noted that *h* must be committed before **V** sends*e* to **P\***. Hence **P\*** can at best guess **z** and **e**, then computes and sends

for the left hand side of the verification equation(*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2).

=*m*) *if and only if* ((*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2)).

*Soundness – Assuming a cheating prover P\* and honest verifier V:*

has control over *k*and *h* and no knowledge of *z*since (*m'* - *m*) ≠0.

either *h* must equal (*k <sup>n</sup>* . *z* -*<sup>e</sup> mod n* 2) or *k <sup>n</sup>* must equal (*h* .*z <sup>e</sup>*).

, before knowledge of*e*.

=*m*), *then* ((*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2))

=*m*)), *then* ( ¬((*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2))).

;

.

The SLSSP protocol is secure under the semi-honest model, since through the entire proto‐ col, each party only observes encrypted versions of each other's private input(s). The en‐ cryption primitives utilized in SLSSP have been shown in this section to be at least IND-CPA. Even though both parties have access to the encryption oracle, and SLSSP is a multistep protocol, they do not gain any advantage by observing multiple versions of each other's encrypted private input(s). The SLSSP protocol can further be made secure under the semimalicious model by utilizing the following Zero-Knowledge protocol (ZKP) which guaran‐ tees correctness of SLSSP's output.

*Zero-Knowledge proof that a Paillier encrypted message encrypts a particular plaintext:*

The Paillier encryption function *P*(*m*, *r*)is a Bijection(Z*n*xZ*<sup>n</sup> \** <sup>→</sup>Z*<sup>n</sup>* <sup>2</sup> *\** ), which maps every plain‐ text (*m*∈ Z*n*), random (*r* ∈ Z*<sup>n</sup> \** ) pair to a unique Ciphertext(*<sup>c</sup>* <sup>∈</sup> <sup>Z</sup>*<sup>n</sup>* <sup>2</sup> *\** ). The prover **P** could therefore send *r*toa verifier **V**, which would be sufficient to establish that*c* encrypts a partic‐ ular message*m*. Revealing*r* may however jeopardize certain desirable qualities of the Paillier Cryptosystemincluding its indistinguishability under a chosen plain text attack (IND-CPA). However, since Paillier encryption is semantically secure (IND-CPA), the verifier V will not be able to tell whether a given cipher text *c* is indeed the encryption of a message *m*. To solve this problem without leaking additional information, we adapt from [35] an honest verifier Zero-Knowledge protocol which can be formulated as below:

The honest Verifier **V** knows **m** and **possesses** a Paillier Ciphertext*c* = *g m'* . *r <sup>n</sup> mod n* <sup>2</sup> , and knows only the Paillier public-key pair (*g*, *n*). **V**, not knowing *r* or the corresponding pri‐ vate-key pair(**λ**, **μ**), would like to verify that*c* is the encryption of a particular message*m*, where the prover **P** possesses (*g*, *n*) and random*r*.

1. **V** homomorphically subtracts *m*from*c*; i.e., computes z as an encryption of (*m'*-*m*) ↔ *z* =(*c*.*g* -*m*) *mod n* 2). Note that if*m'* =*m*, then *z*is an encryption of Zero; i.e.,*z* =*r <sup>n</sup> mod n* <sup>2</sup>

*Remark:* This step may require using the fixed point representation discussed in section 6.3 to compute*z* =(*c*.*g* -*m*) *mod n* 2).

2. **P** chooses a random*q* ∈ Z*<sup>n</sup> \** and computes an encryption of zero:*h* = *g* <sup>0</sup> . *q <sup>n</sup> mod n* <sup>2</sup> . **P** sends *h* to **V**.

3. **V** chooses a random *e* (*e* ≠ *an*, *a*∈ Z)∈ Zand sends *e*to **P**. (This step stages a commitment from **P** through his chosen q that defines an encrypted zero so that **V** can tie it to a random **e** to verify the **r** used in encrypting **m**.)

4. **P** computes*k* = *qr<sup>e</sup> mod n*. **P** sends *k*to V.

*Remark*: Even V knows *h* and *n*, *q* cannot be derived under DCRA (Decisional Composite Re‐ siduosity Assumption).

## 5. **V** checks and accepts that *m'* =*m*if

protocol, retain a transcript of all communication, which they can utilize to influence the outcome of the protocol and to obtain information about other party's private input(s). It is assumed in all these models that secure channels are utilized for inter-party communication. The SLSSP protocol is secure under the semi-honest model, since through the entire proto‐ col, each party only observes encrypted versions of each other's private input(s). The en‐ cryption primitives utilized in SLSSP have been shown in this section to be at least IND-CPA. Even though both parties have access to the encryption oracle, and SLSSP is a multistep protocol, they do not gain any advantage by observing multiple versions of each other's encrypted private input(s). The SLSSP protocol can further be made secure under the semimalicious model by utilizing the following Zero-Knowledge protocol (ZKP) which guaran‐

*Zero-Knowledge proof that a Paillier encrypted message encrypts a particular plaintext:*

*\** ) pair to a unique Ciphertext(*<sup>c</sup>* <sup>∈</sup> <sup>Z</sup>*<sup>n</sup>* <sup>2</sup>

therefore send *r*toa verifier **V**, which would be sufficient to establish that*c* encrypts a partic‐ ular message*m*. Revealing*r* may however jeopardize certain desirable qualities of the Paillier Cryptosystemincluding its indistinguishability under a chosen plain text attack (IND-CPA). However, since Paillier encryption is semantically secure (IND-CPA), the verifier V will not be able to tell whether a given cipher text *c* is indeed the encryption of a message *m*. To solve this problem without leaking additional information, we adapt from [35] an honest verifier

The honest Verifier **V** knows **m** and **possesses** a Paillier Ciphertext*c* = *g m'* . *r <sup>n</sup> mod n* <sup>2</sup>

knows only the Paillier public-key pair (*g*, *n*). **V**, not knowing *r* or the corresponding pri‐ vate-key pair(**λ**, **μ**), would like to verify that*c* is the encryption of a particular message*m*,

1. **V** homomorphically subtracts *m*from*c*; i.e., computes z as an encryption of (*m'*-*m*) ↔

*Remark:* This step may require using the fixed point representation discussed in section 6.3

3. **V** chooses a random *e* (*e* ≠ *an*, *a*∈ Z)∈ Zand sends *e*to **P**. (This step stages a commitment from **P** through his chosen q that defines an encrypted zero so that **V** can tie it to a random **e**

*Remark*: Even V knows *h* and *n*, *q* cannot be derived under DCRA (Decisional Composite Re‐

*z* =(*c*.*g* -*m*) *mod n* 2). Note that if*m'* =*m*, then *z*is an encryption of Zero; i.e.,*z* =*r <sup>n</sup> mod n* <sup>2</sup>

*\** <sup>→</sup>Z*<sup>n</sup>* <sup>2</sup>

and computes an encryption of zero:*h* = *g* <sup>0</sup> . *q <sup>n</sup> mod n* <sup>2</sup>

*\** ), which maps every plain‐

*\** ). The prover **P** could

, and

. **P**

The Paillier encryption function *P*(*m*, *r*)is a Bijection(Z*n*xZ*<sup>n</sup>*

Zero-Knowledge protocol which can be formulated as below:

*\**

where the prover **P** possesses (*g*, *n*) and random*r*.

tees correctness of SLSSP's output.

214 New Trends and Developments in Biometrics

text (*m*∈ Z*n*), random (*r* ∈ Z*<sup>n</sup>*

to compute*z* =(*c*.*g* -*m*) *mod n* 2).

2. **P** chooses a random*q* ∈ Z*<sup>n</sup>*

to verify the **r** used in encrypting **m**.)

siduosity Assumption).

4. **P** computes*k* = *qr<sup>e</sup> mod n*. **P** sends *k*to V.

sends *h* to **V**.

$$\begin{array}{ll} \text{gcd} \ (\mathsf{h}, \ n) = 1 \ \mathsf{g} \ \mathsf{crd} \ (\mathsf{k}, \ n) = 1 \ \mathsf{and} \\ \begin{array}{ll} \text{g} \ \text{g} \ \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ } \text{ }$$

*Completeness –Prover P and verifier V are assumed to be honest:*

1. Assume that*m'* =*m*,then *z*as computed by **V** in Step-1 of the Zero-Knowledge protocol is an encryption of zero, i.e.*z* =*r <sup>n</sup> mod n* <sup>2</sup> .

2.(*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2), from the verification in Step-5 of the protocol can be rewritten as (*q <sup>n</sup>* . *r en mod n* 2).

3. Due to assumption in (1), (*h* .*z <sup>e</sup> mod n* 2), from the verification in Step-5 can be rewritten as (*q <sup>n</sup>* . *r en mod n* 2).

4. From (1),(2),(3), we get that, i *f* (*m'* =*m*), *then* ((*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2))

5. Assume that*m'* ≠*m*, then *z*as computed by **V** in Step-1 of the protocol equals (*g <sup>m</sup> '* - *<sup>m</sup>* . *r <sup>n</sup> mod n* 2) where (*g <sup>m</sup> '* - *<sup>m</sup>* ≠1).

6.(*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2), from the verification in Step-5 of the protocol can be rewritten as (*q <sup>n</sup>* . *r en mod n* 2).

7. Due to assumption in (5)(*h* .*z <sup>e</sup> mod n* 2), from the verification in Step-5 can be rewritten as (*q <sup>n</sup>* . (*g <sup>m</sup> '* - *<sup>m</sup>* . *r <sup>n</sup>*)*<sup>e</sup> mod n* 2).

8. From (5), (6), (7) we get that:*if* ( ¬(*m'* =*m*)), *then* ( ¬((*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2))).

9. Since the verifier **V**, checks the equality in Step-5 of the protocol as a condition for accept‐ ance, from (4), (8), it is shown that the verifier **V** is correct in his conviction i.e. it is indeed true that:(*m'* =*m*) *if and only if* ((*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2)).

*Soundness – Assuming a cheating prover P\* and honest verifier V:*

1. Assume that a cheating prover **P\*** is trying to convince **V** that*m'* =*m*, where in actuality, (*m'* - *m*) ≠0.Therefore **P\*** would try to show that(*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2), where **P\*** has control over *k*and *h* and no knowledge of *z*since (*m'* - *m*) ≠0.

2. Any choice of *k*sent by party **P\*** in Step-4 of the protocol will yield the **n** th power of *k*in modulo *n* <sup>2</sup> for the left hand side of the verification equation(*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2).

3. Since the **P\*** has to show that (*g* <sup>0</sup> . *k <sup>n</sup> mod n* 2) =(*h* .*z <sup>e</sup> mod n* 2) and has no control over *z <sup>e</sup>* ; either *h* must equal (*k <sup>n</sup>* . *z* -*<sup>e</sup> mod n* 2) or *k <sup>n</sup>* must equal (*h* .*z <sup>e</sup>*).

4. (3) presumes knowledge of*z*and*e*. It is to be noted that *h* must be committed before **V** sends*e* to **P\***. Hence **P\*** can at best guess **z** and **e**, then computes and sends *h* = *k <sup>n</sup>* . *z* -*<sup>e</sup> mod n* <sup>2</sup> , before knowledge of*e*.

5. When computing*k*, **P\*** has knowledge of*e*, and no knowledge of *z*.Since (*m'* ≠ *m*), *z* =(*g <sup>m</sup> '* - *<sup>m</sup>* . *r <sup>n</sup> mod n* 2) where (*g <sup>m</sup> '* - *<sup>m</sup>* ≠1), (*h* .*z <sup>e</sup>*)contains a term ((*g<sup>m</sup> '* - *<sup>m</sup>*)*<sup>e</sup>* ) which is not a power of*n*, (*g* (*m'* - *m*) )cannot be a power of *n*because of domain restrictions).

[8] http://en.wikipedia.org/wiki/Reed%E2%80%93Solomon\_error\_correction.

rics effectively. University of Cambridge, Tech. Rep. UCAMCL-TR-640.

ACM.

*tions Workshop*, 45-52.

*an Journal of Scientific Research*, 31(3), 372-387.

[13] http://en.wikipedia.org/wiki/Secure\_computation.

*Foundations of Computer Science*.

January, New York.

21-24, 1997, California.

*System Sciences*, 28(2), 270-299.

ty Classes, in EUROCRYPT.

*System Sciences*, 28(2), 270-299.

*Symposium on Theory of Computing*.

[9] Hao, F., Anderson, R., & Daugman, J. (2005). Combining cryptography with biomet‐

Generation of Cryptographic Keys from Personal Biometrics: An Illustration Based on Fingerprints

http://dx.doi.org/10.5772/51372

217

[10] Barni, M., Bianchi, T., Catalano, D., Raimondo, M. D., Labati, R. D., & Faillia, P. (2010). Privacy-preserving finger code authentication. In MM&Sec', Roma, Italy.

[11] Clancy, T. C., Kiyavash, N., & Lin, D. J. (2003). Secure smart card-based finger print authentication. *Proc. ACMSIGMM 2003 Multimedia, Biometrics Methods and Applica‐*

[12] Lalithamani, N., & Soman, K. P. (2009). Irrevocable Cryptographic Key Generation from Cancelable Fingerprint Templates: An Enhanced and Effective Scheme. *Europe‐*

[14] Du, W., & Atallah, M. (2001). Privacy-Preserving Statistical Analysis, in ACSAC.

[15] Yao, A. C. (1982). Protocols for secure computations. *Proceeding of 23rd IEEE Sym. On*

[16] Goldreich, O., Micali, S., & Wigderson, A. (1987). How to play ANY mental game. *Proceedings of the nineteenth annual ACM symposium on Theory of computing*, 218-229,

[17] Goldwasser, S. (1987). Multi party computations: past and present. *Proceedings of the sixteenth annual ACM symposium on Principles of distributed computing*, 1-6, August

[18] Goldwasser, S., & Micali, S. (1984). Probabilistic Encryption. *Journal of Computer and*

[19] Paillier, P. (1999). Public-Key Cryptosystems Based on Composite Degree Residuosi‐

[20] Elgamal, T. (1985). A public key cryptosystem and a signature scheme based on dis‐

[21] Goldwasser, S., & Micali, S. (1984). Probabilistic Encryption. *Journal of Computer and*

[22] Gentry, C. (2009). Fully Homomorphic Encryption Using Ideal Lattices. *41st ACM*

[23] Cooney, M. (2009). IBM touts encryption innovation. *Computerworld*, 25 June 2009. [Online]. Available, http://www.computerworld.com/s/article/9134823/

crete logarithms. *IEEE Transactions on Information Theory*, 31(4), 469-472.

IBM\_touts\_encryption\_innovation, Accessed 15.03.2012.

6. From (4),(5) **P\*** cannot successfully convince **V** that*m'* =*m*, when in actuality*m'* ≠*m*.

### **Acknowledgements**

This work was supported in part by a grant from PSC-CUNY Collaborative Research Award and a NSF DUE Award.

## **Author details**

Bon K. Sy and Arun P. Kumara Krishnan\*

\*Address all correspondence to: bon@bunny.cs.qc.cuny.edu

Computer Science Dept., Queens College/CUNY, Flushing NY, USA

## **References**


5. When computing*k*, **P\*** has knowledge of*e*, and no knowledge of *z*.Since

This work was supported in part by a grant from PSC-CUNY Collaborative Research Award

[1] Tian, Yingli, & Tsui, Hungtat. (1995). Estimating Shape and Reflectance of Surfaces by Color Image Analysis. *Lecture Notes in Computer Science 1024, "Image Analysis Ap‐*

[2] Belkin, Mikhail, & Niyogi, Partha. (2003). Laplacian Eigenmaps for Dimensionality Reduction and Data Representation. *Neural Computation*, MIT Press, June, 15(6),

[3] Turk, M., & Pentland, A. (1991a). Eigenfaces for recognition. *Journal of Cognitive Neu‐*

[4] Sy, Bon K. (1911). Secure Computation for Biometric Data Security Application to

[5] Katz, J., & Lindell, Y. (2007). Introduction to Modern Cryptography: Principles and

[7] Kumara Krishnan, Arun P., Ramirez, Adam, & Sy, Bon K. (2011). Parallel Secure Computation Scheme for Biometric Security and Privacy in Standard-Based BioAPI Framework. *Biometrics*, INTECH 2011, http://www.intechopen.com/source/pdfs/ 14648/InTech-Parallel\_secure\_computation\_scheme\_for\_biometric\_security\_and\_pri‐

)cannot be a power of *n*because of domain restrictions).

) which

≠ *m*), *z* =(*g <sup>m</sup> '* - *<sup>m</sup>* . *r <sup>n</sup> mod n* 2) where (*g <sup>m</sup> '* - *<sup>m</sup>* ≠1), (*h* .*z <sup>e</sup>*)contains a term ((*g<sup>m</sup> '* - *<sup>m</sup>*)*<sup>e</sup>*

6. From (4),(5) **P\*** cannot successfully convince **V** that*m'* =*m*, when in actuality*m'* ≠*m*.

(*m'*

is not a power of*n*, (*g* (*m'*

216 New Trends and Developments in Biometrics

**Acknowledgements**

and a NSF DUE Award.

Bon K. Sy and Arun P. Kumara Krishnan\*

\*Address all correspondence to: bon@bunny.cs.qc.cuny.edu

*plications and Computer graphics"*, 266-273.

Speaker Verification. *IEEE Systems Journal*, 3(4).

vacy\_in\_standard\_based\_bioapi\_framework.pdf.

[6] http://en.wikipedia.org/wiki/Advanced\_Encryption\_Standard.

Computer Science Dept., Queens College/CUNY, Flushing NY, USA

**Author details**

**References**

1373-1396.

*roscience*, 3(1).

Protocols, Chapman & Hall.



[24] Goethals, B., Laur, S., Lipmaa, H., & Mielikainen, T. (2004). On Private Scalar Product Computation for Privacy-Preserving Data Mining. *ICISC*.

**Section 4**

[25] Erkin, Z., Franz, M., Guajardo, J., Katzenbeisser, S., Lagendijk, I., & Toft, T. (2009). Privacy-Preserving Face Recognition. *Privacy Enhancing Technologies*, Springer Ber‐ lin / Heidelberg, 235-253.

**Others**


**Section 4**
