Song* , Chen** *** , and Sun**: Iris Ciphertext Authentication System Based on Fully Homomorphic Encryption

# Iris Ciphertext Authentication System Based on Fully Homomorphic Encryption

Abstract: With the application and promotion of biometric technology, biometrics has become more and more important to identity authentication. In order to ensure the privacy of the user, the biometrics cannot be stored or mani-pulated in plaintext. Aiming at this problem, this paper analyzes and summarizes the scheme and performance of the existing biometric authentication system, and proposes an iris-based ciphertext authentication system based on fully homomorphic encryption using the FV scheme. The implementation of the system is partly powered by Microsoft’s SEAL (Simple Encrypted Arithmetic Library). The entire system can complete iris authentication without decrypting the iris feature template, and the database stores the homomorphic ciphertext of the iris feature template. Thus, there is no need to worry about the leakage of the iris feature template. At the same time, the system does not require a trusted center for authentication, and the authentication is completed on the server side directly using the one-time MAC authentication method. Tests have shown that when the system adopts an iris algorithm with a low depth of calculation circuit such as the Hamming distance com-parison algorithm, it has good performance, which basically meets the requirements of real application scenarios.

Keywords: Fully Homomorphic Encryption , Iris Authentication , One-Time MAC , SEAL

## 1. Introduction

In recent years, the biometric authentication has gradually changed the way people live, the first of which is mobile payment. Compared with traditional password authentication, biological features are not easily lost or forgotten, while ensuring the uniqueness of authentication users. On the other hand, due to the high security of biological characteristics, once biometric data is stolen, it will have more serious consequences than other authentication methods. Therefore, it is very important to develop a solution to the biometric data with stronger protection force for the authentication system.

At present, researchers have put forward many different biological feature template protection schemes, which fall into two broad categories:

(1) Feature transformation method. This method transforms biometric data into random data using client-specific keys or passwords. Typical examples of this method are the Biohashing [1] and Robust Hashing [2]. This method is performance-wise, but it is no longer safe if the client-specific key is compromised.

(2) Biometric encryption method based on ECC. The method includes fuzzy vault (FV) [3] and fuzzy commitment [4]. Since this method requires strong restrictions on the accuracy of the authen¬tication, there are some practical and security issues.

Most of the existing authentication systems are based on the improvement of the above biometric template protection scheme, and there are few authentication systems based on fully homomorphic encryption. Because the fully homomorphic encryption can calculate the ciphertext arbitrarily without knowing the key, the decryption result is the same as the corresponding calculation for the plaintext. Therefore, it is necessary to guarantee the security of the biometric authentication system by combining the protection scheme of biometric template with fully homomorphic encryption technology. Blanton and Gasti [5] proposed a security protocol for iris and fingerprint, homomorphic encryption algorithm using DGK scheme [6], their scheme takes only 150 ms to complete 2048-bit binary iris feature template Hamming distance, but the homomorphic encryption ciphertext is shorter, it is difficult to guarantee the security. Kulkarni et al. [7] proposed an iris authentication scheme based on the SHE scheme [8]. For the 2048 iris, the execution time of the server was 58 seconds, but their agreement was only three rounds. Karabat and Namboodiri [9] proposed an authentication protocol that uses a pure threshold homing encryption, whose scheme runs on the server side for 6.1 seconds, and the client runs for 2.1 seconds. Therefore, the application of fully homomorphic encryption technology still needs to consider the actual problems such as performance and encryption data size. One might consider a simple way to store a hash template in a server through a one-way hash function, such as SHA3 [10]. However, because of the scanning noise, the biological characteristics are not identical in each capture, so it is impossible to have the same hash value, which is not feasible. The authors [11] proposed a biometric authentication method based on fully homomorphic encryption using Helib library. They exploit SIMD operations to split biometric plaintext to small size segments. However, we find the segmented ciphertext modulus de¬creases little and SIMD (single instruction multiple data) operations are cost. Therefore, the segmentation does not significantly improve the efficiency and safety of the system.

In this paper, the scheme of FV and SEAL library implements a design based on the iris features of fully homomorphic encryption ciphertext authentication system, it does not depend on reliable hardware, using one-time MAC authentication, can very good protect user iris feature template and complete the corresponding iris certification, greatly enhance the system security.

## 2. Certification Scheme Design

##### 2.1 FV Scheme

The FV scheme [12,13] is based on the polynomial ring R. It is used [TeX:] $$R=Z[x] /\left(x^{n}+1\right)$$. Not only that the scheme also involves several parameters. n is the degree of the polynomial and it is always a power of two. [TeX:] $$\lambda$$ is the safety parameter. q is a ciphertext modulus, which is used to reduce the coefficients of a ciphertext polynomial. t is a plaintext modulus, used to reduce the coefficients of a plaintext polynomial. Sample [TeX:] $$\alpha \leftarrow S$$ means that S is randomly selected uniformly from the finite set [TeX:] $$\alpha$$ and [TeX:] $$\chi$$ is an error probability distribution on R. [TeX:] $$\omega$$ is the basis of decomposition of the whole coefficient. [TeX:] $$\ell=\left\lfloor\log _{\omega} d\right\rfloor$$ means dividing the integer d into [TeX:] $$\ell$$ parts. The concrete algorithm of the scheme is as follows:

[TeX:] $$\operatorname{Kev} \operatorname{Gen}(\lambda): \text { Sample } s \leftarrow R_{2} \text { and output } s k=s . \text { sample } a_{1} \leftarrow R_{q} \text { and } e \leftarrow \chi, \text { output }(s k, p k)=\left(s,\left(a_{0}, a_{1}\right)\right)$$

[TeX:] \begin{aligned} &\text { EvKeyGen }(s k, \omega) \text { : For } i \in\{0, \ldots, \ell\}, \text { sample } a_{i} \leftarrow R_{q} \text { and } e_{i} \leftarrow \chi, \text { output } e v k=\left(\left(-\left(a_{i} s+e_{i}\right)+\omega^{i} s_{2}\right) m o d\right.\\ &\left.q, a_{i}\right) \end{aligned}).

[TeX:] \begin{aligned} &\text {Encrypt}(\boldsymbol{p k}, m): \operatorname{For} m \in R_{t} \text { let } \boldsymbol{p} \boldsymbol{k}=\left(a_{0}, a_{1}\right), \text { sample } u \leftarrow R_{2} \text { and } e_{1}, e_{2} \leftarrow \chi . \text { Compute } c_{0}=\left(\Delta m+a_{0} u\right.\\ &+e_{1} \text { ) } \bmod q \text { and } c_{1}=\left(a_{1} u+e_{2}\right) \text { mod } q . \text { Output } c t=\left(c_{0}, c_{1}\right) \end{aligned}

[TeX:] $$\text {Decrypt}(s k, c t): \text { Let } c t=\left(c_{0}, c_{1}\right)$$ and [TeX:] $$s k=s, \text { output } m^{\prime}=\left(\left(t / q\left(c_{0}+c_{1} s\right)\right) \bmod q\right) \bmod t$$

[TeX:] $$A d d\left(c t_{0}, c t_{1}\right): \text { Input } c t_{0}, c t_{1,} \text { output } c t_{0}+c t_{1}$$

[TeX:] $$\operatorname{Mul}\left(c t_{0}, c t_{1}\right): \text { Input } c t_{0}, c t_{1}, \text { output } c t_{0} \times c t_{1}$$

##### 2.2 Batching and Automorphism

Batching technique refers to the use of Chinese remainder theorem (CRT) and SIMD [14,15] to pack n numbers into a plaintext polynomial at a time, and to operate the polynomial is equivalent to a combination of the n number of the same operation (i.e., parallel).

The use of batching is conditional: plaintext mode t is prime and t = 1 (mod 2n). This means where t > 2n, which sometimes affects efficiency.

This condition ensures that the multiplicative group of the integer modulus t contains a subgroup with the number of elements 2n. That is: [TeX:] $$\zeta \in Z_{t} \mathrm{m}$$ make [TeX:] $$\zeta^{2 n}=1(\bmod t)$$, and for all 0 < m < 2n. The root of the 2n sub-primitive unit called the modulus t.

It is important to have such a primitive unit root, because the polynomial modulus [TeX:] $$x^{n}+1$$ can be decomposed into the product of the following factors at modulus t:

##### (1)
[TeX:] $$x^{n}+1=(x-\zeta)\left(x-\zeta^{3}\right) \ldots\left(x-\zeta^{2 n-1}\right)(\bmod t)$$

According to the CRT, the ring [TeX:] $$R_{t}$$ can be decomposed into:

##### (2)
[TeX:] $$\begin{array}{c} R_{t}=\frac{Z_{t}[x]}{\left(x^{n}+1\right)}=\frac{Z_{t}[x]}{\prod_{i=0}^{n-1}\left(x-\zeta^{2+1}\right)} \stackrel{C R \tau}{=} \prod_{i=0}^{n-1} \frac{Z_{t}[x]}{\left(x-\zeta^{2+1}\right)} \\ \cong \prod_{i=0}^{n-1} Z_{t}\left[\zeta^{2 t+1}\right] \cong \prod_{i=0}^{n-1} Z_{t} \end{array}$$

All of the isomorphisms are isomorphic on the ring, which means that both the addition and the multiplication structures are kept on both sides of the equation. The [TeX:] $$\prod_{i=0}^{n-1} Z_{t}$$ on the right, which can be expressed as [TeX:] $$Z_{t} \times Z_{t} \ldots \times Z_{t}$$, can also be regarded as an n-dimensional vector. So the addition of the two elements on the right needs to execute the addition of the n corresponding components. According to the isomorphism, the correspondence and the left are only the addition of the two polynomials on the ring [TeX:] $$R_{t}$$. The same multiplication is the same. Let [TeX:] $$\alpha_{i}=\zeta^{2 i+1}$$ have Decompose:

##### (3)
[TeX:] $$R_{t} \rightarrow \sum_{i=0}^{n-1} Z_{t}, m(\alpha) \rightarrow\left[m\left(\alpha_{0}\right) m\left(\alpha_{1}\right), \ldots, m\left(\alpha_{n-1}\right)\right]$$

The same is the same in the opposite direction, which is called Compose. Compose and Decompose can be called packing and unpacking.

Automorphisms technique is a way in which the plaintext corresponding to each plaintext slot can be replaced. When the plaintext is [TeX:] $$m(\alpha)$$, the plaintext corresponding to each plaintext slot is [TeX:] $$m\left(\alpha_{1}\right), m\left(\alpha_{2}\right), \ldots, m\left(\alpha_{n-1}\right)$$. By using Frobenius automorphism, [TeX:] $$m(\alpha) \rightarrow m\left(\alpha^{2}\right)$$ means that the plaintext slot moves i plaintext slots. For example, when i = 1, the plaintext slot of [TeX:] $$m(\alpha)$$ is cyclically moved by one position, and the plaintext corresponding to each plaintext slot becomes [TeX:] $$m\left(\alpha_{1}\right), m\left(\alpha_{2}\right), \ldots, m\left(\alpha_{n-1}\right)$$ [16].

Therefore, batching technique and automorphisms technique can be used to complete the cyclic movement operation of the plaintext in the corresponding plaintext slot in the case of ciphertext.

##### 2.3 OTM Authentication

The message authentication code (MAC) generally uses the hash function of the portable key to verify the integrity of the transmitted data. Commonly used hash functions are MD5, SHA-2, and SHA-3. The storage of the iris feature ciphertext in this paper can use the above method to compress the ciphertext, and then the database only needs to store the ciphertext compressed summary. However, the authentication strategy designed in this paper is that the cloud server decrypts the result after the ciphertext’s homomorphic operation, and the decryption operation can only be completed by the user. Therefore, the use of the hash function does not meet the needs of this design. Therefore, this paper designs a one-time MAC (OTM) authentication method, that is, the key generated by the message key algorithm in the MAC scheme can only be used once, and the user is secret. After decryption, the cloud server can authenticate the decryption result. The specific plan is as follows:

MKGen[TeX:] $$\left(Z_{i}\right)$$: Set [TeX:] $$m k=\left(r_{0}, r_{1}\right), r_{0} \text { and } r_{1}$$ are randomly selected from the [TeX:] $$Z_{I}$$, where [TeX:] $$Z_{I}$$ is a set of I-bit integers.

MACGen(mk, m): The information authentication code [TeX:] $$m_{c}$$ of the information m is obtained by calculating [TeX:] $$m_{c}=m \times r_{0}+r_{1}$$.

Verification(mk, m, [TeX:] $$m_{c}$$): Input mk, x and [TeX:] $$m_{c}$$, verify m is equal to [TeX:] $$\left(m_{c}-r_{0}\right) / r_{1}$$, if so, b is 1, otherwise b is 0.

##### 2.4 Iris Ciphertext Recognition Method

At present, there are few iris recognition products on the market, mainly because the recognition accuracy of iris is largely dependent on the hardware facilities and recognition algorithms of iris acquisition [17,18]. In order to simulate the real iris recognition scene, this paper selects the public iris database, CASIA-Iris [18], to replace the iris acquisition process, using the public MATRIB code provided by the School of Computer Science and Software Engineering of the University of Western Australia [19] to preprocess the iris data, and in order to weigh the performance of the homomorphic calculation, the final use of 2048 The binary vector of bits represents the iris feature template.

The iris recognition method in this paper uses Hamming distance calculation to compare the encoded iris feature templates. It is to measure the distance between the two templates by counting the number of corresponding codes on the two templates [20]. The smaller the distance, the more the two templates match.

80 1024 47.5
80 2048 95.4
80 4096 192
80 8192 392.1
80 16384 799.6
##### 4.1 Security Analysis

Network transmission security: An attacker can obtain only the homomorphic encrypted iris feature data or the data generated by the cloud server through random number calculation. Therefore, the network attacker can’t use the acquired data to decipher the original iris feature plaintext data, and also can resist the replay attack.

Server security: Even an attacker can access the server's database. Because the iris templates stored in the server database are encrypted. These ciphertext templates do not reveal any information about the user's iris characteristics. If the user registers in multiple authentication servers based on this protocol, the keys obtained by the user are definitely different, so the user does not leak information when storing multiple templates in multiple server databases. If you suspect that a template has been corrupted, you can generate a new template with a different key.

Client security: Even if an attacker has access to the client system, he cannot obtain the iris feature template and secret key and cannot authenticate. If an attacker uses brute force, the effort required is equal to randomly assigning a bit vector. If the attacker wants to obtain the iris feature information in the server database by modifying the bits to be sent to the server, the OTM authentication method adopted in this paper can solve this problem well. Even an attacker can send a modification (d, T) to pass the authentication test. However, it is basically impossible for an attacker to achieve both iris recognition success and authentication success.

##### 4.2 Homomorphic Performance

The following is the time taken for the system to test the fully homomorphic calculation process. The registration process is shown in Table 3.

Table 3.

Registration part (unit: ms)
Operations TN 1 TN 2 TN 3
CRT Compose 13.3 12.3 12.2
Encrypt 105.5 107.2 104.5
Total 1047.2 985.4 1000.8

The authentication part is used as shown in Table 4.

Table 4.

Authentication part (unit: ms)
Operation TN 1 TN 2 TN 3
Sequare 275.7 292.1 285.4
Sub 2.8 3.0 2.9
CRT Compose(r0, r1) 28.9 29.8 23.3
ctd * r0+r1 194.3 202.7 188.9
Decrypt (ctd, ctT) 245.1 273.5 231.6
Decompose (ctd, ctT) 24.1 29.0 26.0
Total 2446.5 2544.8 2439.1

The test results are as follows:

In the registration part, the average registration time is 1011.1 ms, while the iris template encryption only takes 105.7 ms on average, accounting for 10.5% of the total registration time.

In the authentication part, the total time of authentication is 2476.8 ms on average, while the average of homomorphism is 482.6 ms, accounting for 19.5% of the total authentication time, and the average time of encrypting and decrypting ciphertexts is 355.8 ms, accounting for 14.4% of the total authen-tication time.

Since the tests are conducted locally, the performance of the system depends on the processing power of the notebook CPU. Through analysis, the system loads and communicates part of the graphical interface with the longest time, while the homomorphic encryption and decryption and the total time spent less than 40%. Therefore, the iris ciphertext full homomorphic efficiency is still good.

Below we compare the results with paper [11]. The length of biometric is 630 bits in [11], while the length is 2048 in our scheme. The normal size of irises is 2048 bits. We study the 2048-bit binary vector segmentation. Table 1 shows that the segmented ciphertext modulus q decreases little, so the segmen¬tation does not significantly improve the efficiency and safety of the system. Therefore the 2048-bit binary vector segmentation is a good choice. In order to compare the performance with [11] at the same level, we also take 630 bits biometric of irises in our scheme. Table 5 shows that our results are better than the scheme [11].

Table 5.

Comparison of two schemes (unit: ms)
Operations Our scheme Ghostshe [11]
Encryption 13.3 16.16
Decryption 105.5 163.72
Addition 0.05 0.05
Multiplication 10.2 14.32

## 5. Conclusion

With the rapid development of information technology, information security has become the most concerned point. The system combines homomorphic encryption with biometrics to ensure the security and integrity of user feature templates. In real life, such as online payment, account login, etc., biometrics can be used for identity verification, and the system can perform ciphertext calculation in the cloud, which greatly improves the security of data processing. It can be seen from the performance analysis that the efficiency of the system is good when the circuit depth of the fully homomorphic encryption cal¬culation is not high. Despite this, the system is still far from the actual complex application requirements, and further research is needed.

## Acknowledgement

This paper is supported by the Natural Science Foundation of Zhejiang Province of China (No. LY17F020002), Public Projects of Zhejiang Province (No. 2017C33079, LGG18F020001), Ningbo Natural Science Foundation (No. 2017A610120, 2018A610159), and the State Key Laboratory of Cryptology (No. 2017-MS-18).

## Biography

##### Xinxia Song
https://orcid.org/0000-0003-4973-8295

She received the B.Sc. degree in mathematics from Kashgar University in 1995, and the M.Sc. degree in mathematics from the Zhejiang Normal University in 2005. She is an associate professor at Zhejiang Wanli University. Her research interests include algebra and cryptography.

## Biography

##### Zhigang Chen
https://orcid.org/0000-0001-5140-7319

He received the B.Sc. degree in mathematics from Kashgar University in 1995, the M.Sc. degree in computer software and theory from the Northwest University in 2004, and received Ph.D. in the Nanjing University of Aeronautics and Astronautics in 2015. From 2013 to 2014, he was an academic visitor at Information Security Group of Royal Holloway, University of London. He is a professor at Zhejiang Wanli University. He is also a visiting researcher at State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences now. Currently his researches focus on fully homomorphic encryption, lattice-based cryptography and blockchain.

## Biography

##### Dechao Sun
https://orcid.org/0000-0003-0771-093X

He received Ph.D. in School of Information Science and Engineering from Ningbo University in 2018. He is an associate professor in Wanli University. His current research interests include artificial intelligence and network security.

## References

• 1 R. Belguechi, V. Alimi, E. Cherrier, P. Lacharme, C. Rosenberger, "An overview on privacy preserving biometrics," in Recent Application in Biometrics. RijekaCroatia: InTech, p. 65-84, 2011.custom:[[[-]]]
• 2 N. K. Ratha, J. H. Connell, R. M. Bolle, "Enhancing security and privacy in biometrics-based authentication systems," IBM Systems Journal, vol. 40, no. 3, pp. 614-634, 2001.doi:[[[10.1147/sj.403.0614]]]
• 3 A. Juels, M. Sudan, "A fuzzy vault scheme," DesignsCodes and Cryptography, vol. 38, no. 2, pp. 237-257, 2006.doi:[[[10.1007/s10623-005-6343-z]]]
• 4 A. Juels, M. Wattenberg, "A fuzzy commitment scheme," in Proceedings of the 6th ACM Conference on Computer and Communications Security, Singapore, 1999;pp. 28-36. custom:[[[-]]]
• 5 M. Blanton, P. Gasti, "Secure and efficient protocols for iris and fingerprint identification," in European Symposium on Research in Computer Security. Heidelberg: Springer, pp. 190-209, 2011.custom:[[[-]]]
• 6 I. Damgard, M. Geisler, M. Kroigard, "Homomorphic encryption and secure comparison," International Journal of Applied Cryptography, vol. 1, no. 1, pp. 22-31, 2008.doi:[[[10.1504/IJACT.2008.017048]]]
• 7 R. Kulkarni, A. Namboodiri, "Secure hamming distance based biometric authentication," in Proceedings of 2013 International Conference on Biometrics (ICB), Madrid, Spain, 2013;pp. 1-6. custom:[[[-]]]
• 8 C. Gentry, "Fully homomorphic encryption using ideal lattices," in Proceedings of the 41st Annual ACM Symposium on Theory of Computing, Bethesda, MD, 2009;pp. 169-178. custom:[[[-]]]
• 9 C. Karabat, M. S. Kiraz, H. Erdogan, E. Savas, "THRIVE: threshold homomorphic encryption based secure and privacy preserving biometric verification system," EURASIP Journal on Advances in Signal Processing, vol. 2015, no. 71, 2015.doi:[[[10.1186/s13634-015-0255-5]]]
• 10 M. J. Dworkin, "SHA-3 Standard: permutation-based hash and extendable-output functions (NIST FIPS-202)," National Institute of Standards and TechnologyGaithersburg, MD, 2015.custom:[[[-]]]
• 11 J. H. Cheon, H. Chung, M. Kim, K. W. Lee, "Ghostshell: secure biometric authentication using Integrity-based homomorphic evaluations," IACR Cryptology ePrint Archive, vol. 2016, no. 484, 2016.custom:[[[-]]]
• 12 J. Fan, F. Vercauteren, "Somewhat practical fully homomorphic encryption," IACR Cryptology ePrint Archive, vol. 2012, no. 144, 2012.custom:[[[-]]]
• 13 H. Chen, K. Laine, R. Player, "Simple encrypted arithmetic library-SEAL v2.1," in Financial Cryptography and Data Security. Cham: Springer, pp. 3-18, 2017.custom:[[[-]]]
• 14 Z. Brakerski, C. Gentry, S. Halevi, "Packed ciphertexts in LWE-based homomorphic encryption," in Public Key Cryptography – PKC 2013. Heidelberg: Springer, pp. 1-13, 2013.custom:[[[-]]]
• 15 N. P. Smart, F. V ercauteren, "Fully homomorphic SIMD operations," DesignsCodes and Cryptography, vol. 71, no. 1, pp. 57-81, 2014.doi:[[[10.1007/s10623-012-9720-4]]]
• 16 J. Deng, C. Xu, H. Yang, "A secure computation scheme of inner product based on fully homomorphic encryption," Journal of University of Electronic Science and Technology of China, vol. 45, no. 5, pp. 808-811, 2016.custom:[[[-]]]
• 17 S. Thavalengal, P. Bigioi, P. Corcoran, "Iris authentication in handheld devices-considerations for constraint-free acquisition," IEEE Transactions on Consumer Electronics, vol. 61, no. 2, pp. 245-253, 2015.custom:[[[-]]]
• 18 CASIA iris database (Online). Available:, http://biometrics.idealtest.org
• 19 L. Masek, P. Kovesi, "MA TLAB source code for a biometric identification system based on iris patterns," School of Computer Science and Software EngineeringUniversity of Western Australia, 2003.custom:[[[-]]]
• 20 Q. Tian, Z. Liu., "Survey of iris recognition," Application Research of Computers, vol. 25, no. 5, pp. 1295-1300, 2008.custom:[[[-]]]
• 21 M. R. Albrecht, "On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL," in Advanced in Cryptology – EUROCRYPT 2017. Cham: Springer, pp. 103-129, 2017.custom:[[[-]]]