Iris Ciphertext Authentication System Based on Fully Homomorphic Encryption

1. Introduction

In recent years, the biometric authentication has gradually changed the way people live, the first of which is mobile payment. Compared with traditional password authentication, biological features are not easily lost or forgotten, while ensuring the uniqueness of authentication users. On the other hand, due to the high security of biological characteristics, once biometric data is stolen, it will have more serious consequences than other authentication methods. Therefore, it is very important to develop a solution to the biometric data with stronger protection force for the authentication system.

At present, researchers have put forward many different biological feature template protection schemes, which fall into two broad categories:

(1) Feature transformation method. This method transforms biometric data into random data using client-specific keys or passwords. Typical examples of this method are the Biohashing [1] and Robust Hashing [2]. This method is performance-wise, but it is no longer safe if the client-specific key is compromised.

(2) Biometric encryption method based on ECC. The method includes fuzzy vault (FV) [3] and fuzzy commitment [4]. Since this method requires strong restrictions on the accuracy of the authen¬tication, there are some practical and security issues.

Most of the existing authentication systems are based on the improvement of the above biometric template protection scheme, and there are few authentication systems based on fully homomorphic encryption. Because the fully homomorphic encryption can calculate the ciphertext arbitrarily without knowing the key, the decryption result is the same as the corresponding calculation for the plaintext. Therefore, it is necessary to guarantee the security of the biometric authentication system by combining the protection scheme of biometric template with fully homomorphic encryption technology. Blanton and Gasti [5] proposed a security protocol for iris and fingerprint, homomorphic encryption algorithm using DGK scheme [6], their scheme takes only 150 ms to complete 2048-bit binary iris feature template Hamming distance, but the homomorphic encryption ciphertext is shorter, it is difficult to guarantee the security. Kulkarni et al. [7] proposed an iris authentication scheme based on the SHE scheme [8]. For the 2048 iris, the execution time of the server was 58 seconds, but their agreement was only three rounds. Karabat and Namboodiri [9] proposed an authentication protocol that uses a pure threshold homing encryption, whose scheme runs on the server side for 6.1 seconds, and the client runs for 2.1 seconds. Therefore, the application of fully homomorphic encryption technology still needs to consider the actual problems such as performance and encryption data size. One might consider a simple way to store a hash template in a server through a one-way hash function, such as SHA3 [10]. However, because of the scanning noise, the biological characteristics are not identical in each capture, so it is impossible to have the same hash value, which is not feasible. The authors [11] proposed a biometric authentication method based on fully homomorphic encryption using Helib library. They exploit SIMD operations to split biometric plaintext to small size segments. However, we find the segmented ciphertext modulus de¬creases little and SIMD (single instruction multiple data) operations are cost. Therefore, the segmentation does not significantly improve the efficiency and safety of the system.

In this paper, the scheme of FV and SEAL library implements a design based on the iris features of fully homomorphic encryption ciphertext authentication system, it does not depend on reliable hardware, using one-time MAC authentication, can very good protect user iris feature template and complete the corresponding iris certification, greatly enhance the system security.

2. Certification Scheme Design

2.1 FV Scheme

The FV scheme [12,13] is based on the polynomial ring R. It is used [TeX:] $$R=Z[x] /\left(x^{n}+1\right)$$. Not only that the scheme also involves several parameters. n is the degree of the polynomial and it is always a power of two. [TeX:] $$\lambda$$ is the safety parameter. q is a ciphertext modulus, which is used to reduce the coefficients of a ciphertext polynomial. t is a plaintext modulus, used to reduce the coefficients of a plaintext polynomial. Sample [TeX:] $$\alpha \leftarrow S$$ means that S is randomly selected uniformly from the finite set [TeX:] $$\alpha$$ and [TeX:] $$\chi$$ is an error probability distribution on R. [TeX:] $$\omega$$ is the basis of decomposition of the whole coefficient. [TeX:] $$\ell=\left\lfloor\log _{\omega} d\right\rfloor$$ means dividing the integer d into [TeX:] $$\ell$$ parts. The concrete algorithm of the scheme is as follows:

[TeX:] $$\operatorname{Kev} \operatorname{Gen}(\lambda): \text { Sample } s \leftarrow R_{2} \text { and output } s k=s . \text { sample } a_{1} \leftarrow R_{q} \text { and } e \leftarrow \chi, \text { output }(s k, p k)=\left(s,\left(a_{0}, a_{1}\right)\right)$$

[TeX:] $$\begin{aligned} &\text { EvKeyGen }(s k, \omega) \text { : For } i \in\{0, \ldots, \ell\}, \text { sample } a_{i} \leftarrow R_{q} \text { and } e_{i} \leftarrow \chi, \text { output } e v k=\left(\left(-\left(a_{i} s+e_{i}\right)+\omega^{i} s_{2}\right) m o d\right.\\ &\left.q, a_{i}\right) \end{aligned}$$).

[TeX:] $$\begin{aligned} &\text {Encrypt}(\boldsymbol{p k}, m): \operatorname{For} m \in R_{t} \text { let } \boldsymbol{p} \boldsymbol{k}=\left(a_{0}, a_{1}\right), \text { sample } u \leftarrow R_{2} \text { and } e_{1}, e_{2} \leftarrow \chi . \text { Compute } c_{0}=\left(\Delta m+a_{0} u\right.\\ &+e_{1} \text { ) } \bmod q \text { and } c_{1}=\left(a_{1} u+e_{2}\right) \text { mod } q . \text { Output } c t=\left(c_{0}, c_{1}\right) \end{aligned}$$

[TeX:] $$\text {Decrypt}(s k, c t): \text { Let } c t=\left(c_{0}, c_{1}\right)$$ and [TeX:] $$s k=s, \text { output } m^{\prime}=\left(\left(t / q\left(c_{0}+c_{1} s\right)\right) \bmod q\right) \bmod t$$

[TeX:] $$A d d\left(c t_{0}, c t_{1}\right): \text { Input } c t_{0}, c t_{1,} \text { output } c t_{0}+c t_{1}$$

[TeX:] $$\operatorname{Mul}\left(c t_{0}, c t_{1}\right): \text { Input } c t_{0}, c t_{1}, \text { output } c t_{0} \times c t_{1}$$

2.2 Batching and Automorphism

Batching technique refers to the use of Chinese remainder theorem (CRT) and SIMD [14,15] to pack n numbers into a plaintext polynomial at a time, and to operate the polynomial is equivalent to a combination of the n number of the same operation (i.e., parallel).

The use of batching is conditional: plaintext mode t is prime and t = 1 (mod 2n). This means where t > 2n, which sometimes affects efficiency.

This condition ensures that the multiplicative group of the integer modulus t contains a subgroup with the number of elements 2n. That is: [TeX:] $$\zeta \in Z_{t} \mathrm{m}$$ make [TeX:] $$\zeta^{2 n}=1(\bmod t)$$, and for all 0 < m < 2n. The root of the 2n sub-primitive unit called the modulus t.

It is important to have such a primitive unit root, because the polynomial modulus [TeX:] $$x^{n}+1$$ can be decomposed into the product of the following factors at modulus t:

According to the CRT, the ring [TeX:] $$R_{t}$$ can be decomposed into:

All of the isomorphisms are isomorphic on the ring, which means that both the addition and the multiplication structures are kept on both sides of the equation. The [TeX:] $$\prod_{i=0}^{n-1} Z_{t}$$ on the right, which can be expressed as [TeX:] $$Z_{t} \times Z_{t} \ldots \times Z_{t}$$, can also be regarded as an n-dimensional vector. So the addition of the two elements on the right needs to execute the addition of the n corresponding components. According to the isomorphism, the correspondence and the left are only the addition of the two polynomials on the ring [TeX:] $$R_{t}$$. The same multiplication is the same. Let [TeX:] $$\alpha_{i}=\zeta^{2 i+1}$$ have Decompose:

The same is the same in the opposite direction, which is called Compose. Compose and Decompose can be called packing and unpacking.

Automorphisms technique is a way in which the plaintext corresponding to each plaintext slot can be replaced. When the plaintext is [TeX:] $$m(\alpha)$$, the plaintext corresponding to each plaintext slot is [TeX:] $$m\left(\alpha_{1}\right), m\left(\alpha_{2}\right), \ldots, m\left(\alpha_{n-1}\right)$$. By using Frobenius automorphism, [TeX:] $$m(\alpha) \rightarrow m\left(\alpha^{2}\right)$$ means that the plaintext slot moves i plaintext slots. For example, when i = 1, the plaintext slot of [TeX:] $$m(\alpha)$$ is cyclically moved by one position, and the plaintext corresponding to each plaintext slot becomes [TeX:] $$m\left(\alpha_{1}\right), m\left(\alpha_{2}\right), \ldots, m\left(\alpha_{n-1}\right)$$ [16].

Therefore, batching technique and automorphisms technique can be used to complete the cyclic movement operation of the plaintext in the corresponding plaintext slot in the case of ciphertext.

2.3 OTM Authentication

The message authentication code (MAC) generally uses the hash function of the portable key to verify the integrity of the transmitted data. Commonly used hash functions are MD5, SHA-2, and SHA-3. The storage of the iris feature ciphertext in this paper can use the above method to compress the ciphertext, and then the database only needs to store the ciphertext compressed summary. However, the authentication strategy designed in this paper is that the cloud server decrypts the result after the ciphertext’s homomorphic operation, and the decryption operation can only be completed by the user. Therefore, the use of the hash function does not meet the needs of this design. Therefore, this paper designs a one-time MAC (OTM) authentication method, that is, the key generated by the message key algorithm in the MAC scheme can only be used once, and the user is secret. After decryption, the cloud server can authenticate the decryption result. The specific plan is as follows:

MKGen[TeX:] $$\left(Z_{i}\right)$$: Set [TeX:] $$m k=\left(r_{0}, r_{1}\right), r_{0} \text { and } r_{1}$$ are randomly selected from the [TeX:] $$Z_{I}$$, where [TeX:] $$Z_{I}$$ is a set of I-bit integers.

MACGen(mk, m): The information authentication code [TeX:] $$m_{c}$$ of the information m is obtained by calculating [TeX:] $$m_{c}=m \times r_{0}+r_{1}$$.

Verification(mk, m, [TeX:] $$m_{c}$$): Input mk, x and [TeX:] $$m_{c}$$, verify m is equal to [TeX:] $$\left(m_{c}-r_{0}\right) / r_{1}$$, if so, b is 1, otherwise b is 0.

2.4 Iris Ciphertext Recognition Method

At present, there are few iris recognition products on the market, mainly because the recognition accuracy of iris is largely dependent on the hardware facilities and recognition algorithms of iris acquisition [17,18]. In order to simulate the real iris recognition scene, this paper selects the public iris database, CASIA-Iris [18], to replace the iris acquisition process, using the public MATRIB code provided by the School of Computer Science and Software Engineering of the University of Western Australia [19] to preprocess the iris data, and in order to weigh the performance of the homomorphic calculation, the final use of 2048 The binary vector of bits represents the iris feature template.

The iris recognition method in this paper uses Hamming distance calculation to compare the encoded iris feature templates. It is to measure the distance between the two templates by counting the number of corresponding codes on the two templates [20]. The smaller the distance, the more the two templates match.

Suppose [TeX:] \boldsymbol{A}=\left(a_{0}, a_{1}, \ldots, a_{n-1}\right) \text { and } \boldsymbol{B}=\left(b_{0}, b_{1}, \ldots, b_{n-1}\right)$$ represent two binary vectors of length n, whose Hamming distance refers to this The sum of two vector exclusive ORs. Therefore, it is defined as:

In order to ensure the security of the iris feature template, this paper designs a recognition method based on iris ciphertext using the characteristics of fully homomorphic encryption technology. First, the purpose of this paper is to test homomorphic performance, transforming XOR into a combination of subtraction and multiplication when calculating Hamming distance. Secondly, since the FV scheme is built on the ring R, the iris feature template must be encoded into a polynomial. The usual practice is to use integer encoding. However, the iris initial template used in this paper is a binary vector of length n. It takes at least n multiplications to calculate the Hamming distance between two iris feature templates. However, the multiplication time between the ciphertexts of the iris feature template after fully homomorphic encryption is very slow, and the integer coding results in low computational efficiency, which is difficult to meet the actual system requirements.

Therefore, this paper uses the batching technique to pack the binary vector of length n into a polynomial, so that the XOR calculation of the vector is completed by one subtraction and one multiplication. At the same time, using the characteristics of automorphisms, only the [TeX:] $$\log _{2} n$$ time shifts and [TeX:] $$\log _{2} n$$ n time additions to complete the calculation of the sum of the elements in the homomorphic ciphertext slot, that is, the ciphertext distance is calculated. As shown in Figs. 1 and 2, assuming that the vector V = (1, 2, 3, 4), its corresponding homomorphic ciphertext is [TeX:] $$V^{\prime}=\left(v_{1}, v_{2}, v_{3}, v_{4}\right)$$. Since the ciphertext slot is 4, only two-time shifts and two-time additions are required, where [TeX:] $$\left(k_{1}, k_{2}\right)=\left(2^{0}, 2^{1}\right)$$.

In summary, the iris ciphertext recognition process in this paper is shown in Fig. 3. First, the client U packs the binary iris feature templates A and B into plaintext polynomials [TeX:] $$B P_{A}, B P_{B} \in R_{t}$$; then it encrypts [TeX:] $$B P_{A}, B P_{B}$$, output ciphertext polynomial [TeX:] $$\boldsymbol{c t}_{A}, \boldsymbol{c t}_{B} \in R_{q} \times \boldsymbol{R}_{\mathcal{A}}$$ and send it to the server S; the server S calculates the Hamming distance between the ciphertext polynomial [TeX:] $$c t_{A} \ and \ c t_{B}$$, and outputs HD([TeX:] $$c t_{A}, c t_{B}$$).

2.5 Iris Ciphertext Authentication Protocol

This paper encrypts biometrics templates and stores ciphertext through fully homomorphic encryption, and then measures similarity between two ciphertext templates. Finally, it is authenticated by OTM authentication. As shown in Fig. 4, the overall protocol of the system is only three rounds.

The first round, from step 1 to step 3 in the protocol diagram, the client U generates the secret key and public key through the KeyGen algorithms; then the client U acquires the original iris Bio, encodes the Bio using the CRT encoding, generates the polynomial [TeX:] $$B P_{B i 0}$$, and then uses the Encrypt algorithm encrypts [TeX:] $$B P_{B i 0}$$ and generates ciphertext [TeX:] $$c t_{\text {Bio }}$$. Finally, the client U sends a registration request ([TeX:] $$U_{i d}, c t_{B i o}$$) to the server S (i.e. user registration information and iris ciphertext). The server S stores ([TeX:] $$U_{i d}, c t_{B i o}$$) in the database and returns a success or failure message to the client.

The second round, from step 4 to step 7 in the protocol diagram, the client U obtains the current iris x, uses the CRT encoding to encode the x, generates the polynomial [TeX:] $$B P_{x}$$, and then uses the Encrypt algorithm to encrypt [TeX:] $$B P_{x}$$ to generate the ciphertext [TeX:] $$c t_{x}$$; then the client sends the authentication Request ([TeX:] $$U_{i d}, c t_{k}$$) to the server S; the server S calculates the Hamming distance between [TeX:] $$c t_{B i o} \ and \ c t_{x}$$, output [TeX:] $$c t_{d}=\mathrm{HD}\left(c t_{\text {Bio}}, c t_{x}\right)$$, then the server randomly selects [TeX:] $$\left(r_{0}, r_{1}\right)$$ from [TeX:] $$Z_{I}$$, and outputs the message key [TeX:] $$m k=\left(r_{0}, r_{1}\right)$$, and calculates the Hamming distance message authentication code [TeX:] $$\boldsymbol{c} \boldsymbol{t}_{\boldsymbol{T}}$$ through the [TeX:] $$\boldsymbol{c t}_{T}=\boldsymbol{c t}_{d} \times r_{0}+r_{1}$$ ; The last server S sends [TeX:] $$\left(c t_{d}, c t_{T}\right)$$ to the client U.

Third, from step 8 to step 11 in the protocol diagram, the client U decrypts [TeX:] $$\left(c t_{d}, c t_{T}\right)$$ using the Decrypt algorithm, and then performs CRT decoding on the decrypted result to generate plaintext (d, T); then sends it to the server S, and the server S verifies whether d is equal to [TeX:] $$\left(T-r_{0}\right) / r_{1}$$, the authentication result b is output and sent to the client. If the received b is 1 by the client U, the iris recognition result is not tampered, otherwise the iris recognition result has been tampered. Note: (d, T) is two integers at this time, they do not affect the security of the protocol, so the transmission process does not choose to encrypt it.

3. System Design and Implementation

4. System Analysis

3.1 System Model and Participants

This system mainly designs the verification server and uses one to one way to verify each user. The whole system consists of two participants, that is, the user and the authentication server. The user U has a binary feature template extracted from his iris feature. The server S has abundant computing resources and storage space, so it can complete any function calculation of homomorphic ciphertext, but cannot decrypt its generated ciphertext and user's ciphertext.

3.2 System Architecture

As shown in Fig. 5, the system adopts the C/S architecture. The main function of the client is to provide registration and authentication services for users, while the cloud server provides homomorphic computing and authentication services. The overall function is described below.

First, the client encrypts the user's iris feature information. If the client sends a registration request to the cloud server, the cloud server responds and stores the user iris feature ciphertext in the cloud database. If the client sends an authentication request to the cloud server, the cloud server responds and calls the user iris ciphertext stored in the database, and then performs identification under the iris ciphertext with the current user iris ciphertext, and then calculates the ciphertext identification. The resulting MAC code is sent to the client. After the client responds, the user decrypts the ciphertext identification result and the corresponding MAC code with the secret key that he has mastered and sends it to the cloud server. The cloud server authenticates and returns. The result of the authentication is given to the client.

3.3 System Function Module

As shown in Fig. 6, the overall function of the system is divided into three modules. The first is the login module. When the user inputs the basic information that has been registered, the user can enter the authentication interface. Otherwise, you need to click the registration link to enter the registration interface. Followed by the registration module, its main functions are to generate the public key and secret key, save the key to the mobile memory and encrypt the iris information and store it with the user's basic information in the database; finally the authentication module, its function is encrypted the current iris information and sent to the server. After the server completes the iris authentication, the client decrypts the authentication result by the secret key and prompts the user.

3.4 Development Environment

This system was developed on Windows 10 using the C# programming language. The test used an HP notebook with an Intel Core i5-6200U processor. The homomorphic encryption algorithm library uses SEAL, which is a homomorphic encryption library developed by Microsoft Research using a C++ programming language. It has no external dependencies, so it is easy to compile in many different environments. At present, the homomorphic operations that have been implemented in the SEAL library mainly include Negate, Add, AddMany, Sub, Multiply, MultiplyMany, Square, Exponentiate, AddPlain, and MultiplyPlain.

3.5 Parameter Optimization

The noise ceiling for each ciphertext in the SEAL library is fixed and is called the noise budget. Whenever a homomorphic operation is performed, the noise in the ciphertext increases. When the total amount of noise exceeds the noise budget, the ciphertext cannot be decrypted successfully. Therefore, while improving system efficiency and ensuring safety, it is also necessary to ensure that ciphertext can be decrypted successfully.

In order to encrypt a binary vector of 2048 bits, the polynomial number must be taken as n ≥ 2048. However, when the parameter n is too large, the ciphertext calculation time is too long and the system efficiency is extremely low. Therefore, we study the 2048-bit binary vector segmentation. Table 1 shows the minimum value of [TeX:] $$\log _{2} q$$ under the calculation of the ciphertext Hamming distance at different segments.

From the data in Table 1, it shows that the segmented ciphertext modulus q decreases little, so the segmentation does not significantly improve the efficiency and safety of the system. Also, Table 2 shows the maximum value of [TeX:] $$\log _{2} q$$ for n = 1024, 2048, 4096, 8192, 16384 with a security level of 80 bits [20,21]. Based on the comprehensive analysis of the data in Tables 1 and 2, the final choice of n = 2048, [TeX:] $$q=2^{76}-2^{22}+1$$, at this time to ensure that the security level of 80 or more at the same time, the ciphertext to complete the Hamming distance calculation noise growth does not exceed the noise budget.

4.1 Security Analysis

Network transmission security: An attacker can obtain only the homomorphic encrypted iris feature data or the data generated by the cloud server through random number calculation. Therefore, the network attacker can’t use the acquired data to decipher the original iris feature plaintext data, and also can resist the replay attack.

Server security: Even an attacker can access the server's database. Because the iris templates stored in the server database are encrypted. These ciphertext templates do not reveal any information about the user's iris characteristics. If the user registers in multiple authentication servers based on this protocol, the keys obtained by the user are definitely different, so the user does not leak information when storing multiple templates in multiple server databases. If you suspect that a template has been corrupted, you can generate a new template with a different key.

Client security: Even if an attacker has access to the client system, he cannot obtain the iris feature template and secret key and cannot authenticate. If an attacker uses brute force, the effort required is equal to randomly assigning a bit vector. If the attacker wants to obtain the iris feature information in the server database by modifying the bits to be sent to the server, the OTM authentication method adopted in this paper can solve this problem well. Even an attacker can send a modification (d, T) to pass the authentication test. However, it is basically impossible for an attacker to achieve both iris recognition success and authentication success.

4.2 Homomorphic Performance

The following is the time taken for the system to test the fully homomorphic calculation process. The registration process is shown in Table 3.

The authentication part is used as shown in Table 4.

The test results are as follows:

In the registration part, the average registration time is 1011.1 ms, while the iris template encryption only takes 105.7 ms on average, accounting for 10.5% of the total registration time.

In the authentication part, the total time of authentication is 2476.8 ms on average, while the average of homomorphism is 482.6 ms, accounting for 19.5% of the total authentication time, and the average time of encrypting and decrypting ciphertexts is 355.8 ms, accounting for 14.4% of the total authen-tication time.

Since the tests are conducted locally, the performance of the system depends on the processing power of the notebook CPU. Through analysis, the system loads and communicates part of the graphical interface with the longest time, while the homomorphic encryption and decryption and the total time spent less than 40%. Therefore, the iris ciphertext full homomorphic efficiency is still good.

Below we compare the results with paper [11]. The length of biometric is 630 bits in [11], while the length is 2048 in our scheme. The normal size of irises is 2048 bits. We study the 2048-bit binary vector segmentation. Table 1 shows that the segmented ciphertext modulus q decreases little, so the segmen¬tation does not significantly improve the efficiency and safety of the system. Therefore the 2048-bit binary vector segmentation is a good choice. In order to compare the performance with [11] at the same level, we also take 630 bits biometric of irises in our scheme. Table 5 shows that our results are better than the scheme [11].

5. Conclusion

With the rapid development of information technology, information security has become the most concerned point. The system combines homomorphic encryption with biometrics to ensure the security and integrity of user feature templates. In real life, such as online payment, account login, etc., biometrics can be used for identity verification, and the system can perform ciphertext calculation in the cloud, which greatly improves the security of data processing. It can be seen from the performance analysis that the efficiency of the system is good when the circuit depth of the fully homomorphic encryption cal¬culation is not high. Despite this, the system is still far from the actual complex application requirements, and further research is needed.

Acknowledgement

This paper is supported by the Natural Science Foundation of Zhejiang Province of China (No. LY17F020002), Public Projects of Zhejiang Province (No. 2017C33079, LGG18F020001), Ningbo Natural Science Foundation (No. 2017A610120, 2018A610159), and the State Key Laboratory of Cryptology (No. 2017-MS-18).