THRIVE: threshold homomorphic encryption based secure and privacy preserving biometric verification system

In this paper, we introduce a new biometric verification and template protection system which we call THRIVE. The system includes novel enrollment and authentication protocols based on threshold homomorphic encryption where a private key is shared between a user and a verifier. In the THRIVE system, only encrypted binary biometric templates are stored in a database and verification is performed via homomorphically randomized templates, thus, original templates are never revealed during authentication. Due to the underlying threshold homomorphic encryption scheme, a malicious database owner cannot perform full decryption on encrypted templates of the users in the database. In addition, security of the THRIVE system is enhanced using a two-factor authentication scheme involving user’s private key and biometric data. Using simulation-based techniques, the proposed system is proven secure in the malicious model. The proposed system is suitable for applications where the user does not want to reveal her biometrics to the verifier in plain form, but needs to prove her identity by using biometrics. The system can be used with any biometric modality where a feature extraction method yields a fixed size binary template and a query template is verified when its Hamming distance to the database template is less than a threshold. The overall connection time for the proposed THRIVE system is estimated to be 336 ms on average for 256-bit biometric templates on a desktop PC running with quad core 3.2 GHz CPUs at 10 Mbit/s up/down link connection speed. Consequently, the proposed system can be efficiently used in real-life applications.


I. INTRODUCTION
I N recent years, public and commercial organizations invest on secure electronic authentication (e-authentication) systems to reliably verify identity of individuals.Biometrics is one of the rapidly emerging technologies for e-authentication systems [1].However, it is impossible to discuss biometrics without security and privacy issues [2], [3].Biometrics, which are stored in a smart card or a central database, is under security and privacy risks due to increased number of attacks against identity management systems in recent years [2]- [5].
Security and privacy concerns on biometrics limit their widespread usage in real life applications.The initial solution that occurs to mind for security and privacy problems is to use cryptographic primitives.On the other hand, biometric templates cannot be directly used with conventional encryption techniques (i.e.AES, 3DES) since biometric data are inherently noisy [6].In other words, the user is not able to present exactly the same biometric data repeatedly.Namely, when a biometric template is encrypted during the enrollment stage, it should be decrypted to pass the authentication stage for comparison with the presented biometric.This, however, again leads to security and privacy issues for biometric templates at the authentication stage [6].Another problem with regards to such a solution is the key management, i.e. storage of encryption keys.When a malicious database manager obtains decryption keys, he can perform decryption and obtain biometric templates of all users.Similar problems are valid for cryptographic hashing methods.Since cryptographic hash is a one-way function, when a single bit is changed the hash sum becomes completely different due to the avalanche effect [7].Thus, successful authentication by exact matching cannot be performed even for legitimate users due to the noisy nature of biometric templates.Therefore, biometric templates cannot directly be used with the cryptographic hashing methods.
Biometric systems which use error correction methods are proposed to cope with noisy nature of the biometric templates in the literature [8]- [10].In such systems, the biometric data collected at the enrollment stage is exactly the same with the biometric data collected at the authentication stage since they use error correction methods.In other words, these systems can get error-free biometric templates and thus cryptographic primitives (i.e.encryption and hashing) can successfully be employed without suffering from the avalanche effect [6], [10]- [12].However, high error correcting capability requirements make them impractical for real life applications [13].Furthermore, side information (parity bits) is needed for error correction and this may lead to information leakage and even other attacks (i.e., error correcting code statistics, and nonrandomness attacks) [14].Zhou et al. clearly demonstrate in their works that redundancy in an error correction code causes privacy leakage for biometric systems [15], [16].
Although biometric template protection methods are proposed to overcome security and privacy problems of biometrics [3], [17]- [30], recent research shows that security issues are still valid for these schemes [31]- [37].Furthermore, there are a number of works on privacy leakages of biometric applications [38], [39], and yet more biometrics template protection methods [15], [16], [40].In the literature, Zhou et arXiv:1409.8212v1[cs.CR] 29 Sep 2014 al. propose a framework for security and privacy assessment of biometric template protection methods [15].In addition, Ignatenko et al. analyze the privacy leakage in terms of the mutual information between the public helper data and biometric features in a biometric template protection method.A trade-off between maximum secret key rate and privacy leakage is given in their works [39], [41].
Recently, homomorphic encryption methods are used with biometric feature extraction methods to perform verification via encrypted biometric templates [21], [42]- [44].However, these methods offer solutions in the honest-but-curious model where each party is obliged to follow the protocol, but can arbitrarily analyze the knowledge that it learns during the execution of the protocol to obtain some additional information.The existing systems are not designed for the malicious model where each party can arbitrarily deviate from the protocol and may be corrupted.Moreover, they do not take into account security and privacy issues of biometric templates stored in the database [21], [44].The authors state that their security model will be improved in the future work by applying encryption methods also on the biometric templates stored in the database.Furthermore, some of these systems are just designed for a single biometric modality or a specific feature extraction method which also limits their application areas [42], [43].In addition, an adversary can enroll himself on behalf of any user to their systems since they do not offer any solutions for malicious enrollment.Finally, all these systems suffer from computational complexity.
Biohashing schemes are one of the emerging biometric template protection methods [26]- [30].These schemes offer low error rates and fast verification at the authentication stage.However, they suffer from several attacks reported in the literature [34]- [37].These schemes should be improved to be safely used in a wide range of real life applications.In our work, we develop new enrollment and authentication protocols for biometric verification methods.Our goal is to increase security and enhance privacy of the biometric schemes.The THRIVE system can work with any biometric feature extraction scheme whose outputs are binary or can be binarized.Since biohashing schemes can output binary templates called a biohash, they can be successfully used with the proposed system.

A. Our contributions
In this paper, we address adversary attacks in case of an active attacker who aims to gain access to the system in the malicious attack model.By taking these adversary attacks into account, we develop a new biometric authentication system based on threshold homomorphic cryptosystem.Our main goal is to increase the security of the system and preserve privacy of biometric templates of the users.The contributions of this work can be summarized as follows: • A new biometric authentication system (which we call the THRIVE system) is proposed in the malicious model and the proposed system can be used with any existing biometric modality whose output can be binarized.• Even if an adversary gains an access to the database and steals encrypted biometric templates, he can neither authenticate himself by using these encrypted biometric templates due to the proposed authentication protocol, nor decrypt these encrypted biometric templates due to the (2, 2)-threshold homomorphic encryption scheme.• Only encrypted binary templates are stored in the database and biometric templates are never released even during authentication.Thus, the proposed system offers a new and advanced biometric template protection method without any helper data.In addition, only legitimate users can enroll in the proposed system since a signature scheme is used with the proposed enrollment protocol.• The THRIVE system can be used in the applications where the user does not trust the verifier since she does not need to reveal her biometric template and/or private key to authenticate herself and the verifier does not need to reveal any data to the user with the proposed authentication protocol.• Even if an adversary intercepts the communication channel between the user and the verifier, he cannot obtain any useful information on the biometric template since all exchanged messages are randomized and/or encrypted and he cannot perform decryption due to the (2, 2)threshold homomorphic encryption scheme.Furthermore, he cannot use the obtained data from message exchanges in this communication channel since nonce and signature schemes are used together in the authentication.• The THRIVE system is a two-factor authentication system (biometric and secret key) and is secure against illegal authentication attempts.In other words, a malicious adversary cannot gain access to the proposed system without having the biometric data and the private key of a legitimate user by performing adversary attacks described in [45] as well as hill-climbing attacks [46]- [49].• In the THRIVE system, the generated protected biometric templates are irreversible since templates are encrypted they are irreversible by definition as soon as decryption key is not stolen.• The THRIVE system can generate a number of protected templates from the same biometric data of a user due to the randomized encryption and biohashing.Thus, it ensures diversity.Besides, they are also cancelable i.e. when they are stolen, they can be re-generated.• A THRIVE authentication protocol run requires only 336 ms on average for 256 bit biohash vectors and 671 ms on average for 512 bit biohash vectors on a desktop PC with quad-core 3.2 GHz CPUs at 10 Mbit/s up/down link connection speed.Therefore, the proposed system is sufficiently efficient to be used in real-world applications.The paper is structured as follows.Related work is addressed in Section 2. Preliminaries are described in Section 3. The proposed biometric authentication system is introduced in Section 4. Security proof of the proposed protocols are given in Section 5. Complexity analysis of the proposed system is discussed in Section 6. Section 7 concludes the paper.

II. RELATED WORK
Biometric template protection schemes are proposed to mitigate the security and privacy problems of biometrics [3], [18]- [25].However, various vulnerabilities of these technologies are reported in the literature [31]- [33].Jain et al. classify biometric template protection schemes into two main categories [3]: 1) Feature transformation based schemes, 2) Biometric cryptosystems as illustrated in Figure ??.
The main idea behind biometric cryptosystems (also known as biometric encryption systems) is either binding a cryptographic key with a biometric template or generating the cryptographic key directly from the biometric template [50].Thus, the biometric cryptosystems can be classified into two main categories: 1) Key binding schemes, 2) Key generation schemes.The biometric cryptosystems use helper data, which is public information, about the biometric template for verification.Although helper data are supposed not to leak any critical information about the biometric template, Rathgeb et al. show that helper data is vulnerable to statistical attacks [51].Furthermore, Ignatenko et al. show how to compute a bound on possible secret rate and privacy leakage rate for helper data schemes [52].Adler performs hill-climbing attack against biometric encryption systems [32].In addition, Stoianov et al. propose several attacks (i.e., nearest impostors, error correcting code statistics, and non-randomness attacks) to biometric encryption systems [14].
In the literature, fuzzy commitment [10] and fuzzy vault schemes [25] are categorized under the key binding schemes.These schemes aim to bind a cryptographic key with a biometric template.In ideal conditions, it is infeasible to recover either the biometric template or the random bit string without any knowledge of the user's biometric data.However, this is not the case in reality because biometric templates are not uniformly random.Furthermore, error correction codes (ECC) used in biometric cryptosystems lead to statistical attacks (i.e., running ECC in a soft decoding or erasure mode and ECC Histogram attack) [14], [53].Ignatenko et al. show that fuzzy commitment schemes leak information in cryptographic keys and biometric templates which lead to security flaws and privacy concerns [39], [41].In addition, Zhou et al. argue that fuzzy commitment schemes leak private data.Chang et al. describe a non-randomness attack against fuzzy vault scheme which causes distinction between the minutiae points and the chaff points [54].Moreover, Kholmatov et al. perform a correlation attack against fuzzy vault schemes [55].
Keys are generated from helper data and a given biometric template in key generation schemes [3].Fuzzy key extraction schemes are classified under key generation schemes and use helper data [56]- [60].These schemes can be used as an authentication mechanism where a user is verified via her own biometric template as a key.Although fuzzy key extraction schemes provide key generation from biometric templates, repeatability of the generated key (in other words stability) and the randomness of the generated keys (in other words entropy) are two major problems of them [3].Boyen et al. describe several vulnerabilities (i.e.improper fuzzy sketch constructions may lead information on the secret, biased codes may cause majority vote attack, and permutation leaks) of the fuzzy key extraction schemes from outsider and insider attacker perspectives [61].Moreover, Li et al. mention that when an adversary obtains sketches, they may reveal the identity of the users [62].
Biohashing schemes are simple yet powerful biometric template protection methods [26]- [30] which can be classified under salting based schemes.It is worth pointing out that biohashing is completely different from cryptographic hashing.Although biohashing schemes are proposed to solve security and privacy issues, there are still security and privacy issues associated with them [34]- [37].In these works, the authors claim that biohashes can be reversible under certain conditions and an adversary can estimate biometric template of a user from her biohash.Consequently, when biohashes are stored in the databases and/or smart cards in their plain form, they can threaten the security of the system as well as the privacy of the users.Moreover, an adversary can use an obtained biohash to threaten the system security by performing malicious authentication.Furthermore, when the secret key is compromised, an adversary can recover the biometric template since these schemes are generally invertible [3].
Non-invertible transform based schemes use a non-invertible transformation function, which is a one-way function, to make the biometric template secure [63]- [65].User's secret key determines the parameters of non-invertible transformation function and this secret key should be provided at the authentication stage.Even if an adversary obtains the secret key and/or the transformed biometric template, it is computationally hard to recover the original biometric template.On the other hand, these schemes suffer from the trade-off between discriminability and non-invertibility which limits their recognition performance [3].
Another security approach is the use of cryptographic primitives (i.e.encryption, hashing) to protect biometric templates.These works generally focus on fingerprint-based biometric systems.Tuyls et al. propose the fingerprint authentication system which incorporates cryptographic hashes [66].They use an error correction scheme to get exactly the same biometric template from the same user in each session which is similar to the fuzzy key extraction schemes.They store cryptographic hashes of biometric templates in the database and make comparison in the hash domain.However, there is no guarantee to get exactly the same biometric templates from the user even if the system incorporates an error correction scheme in real life applications since it is limited with the pre-defined threshold of error correction capacity.They also use helper data which are sent over a public channel and this may lead to security flaws as well.Moreover, an adversary can threaten the security of the system when he performs an attack against the database since he can obtain the user id, helper data and the hashed version of the secret which is generated by the biometric data and the helper data.Although the adversary cannot obtain the biometric data itself in its plain form, he can get all needed credentials (i.e.hash values of the secrets) to gain access to the system.
Kerschbaum et al. propose a protocol to compare fingerprint templates without actually exchanging them by using secure multi-party computation in the honest-but-curious model [67].At the enrollment stage, the user gives her fingerprint template, minutiae pairs and PIN to the system.Thus, the verifier knows the fingerprint templates which are collected at the enrollment stage.Although the user does not send her biometric data at the authentication, the verifier already has the user's enrolled biometric data and this threatens the privacy of the user in case of a malicious verifier.In addition, a malicious verifier can use these fingerprint templates for malicious authentication.Furthermore, since the fingerprint comparison reveals the matching scores (i.e.Hamming distance [68]), the attacker can perform a hill climbing attack against this system.Apart from these security and privacy flaws, the authors just focus on secure comparison in their protocol and they do not develop any solutions for the malicious model.
Erkin et al. [42] propose a privacy preserving face recognition system for the eigen-face recognition algorithm [69].They design a protocol that performs operations on encrypted images by using the Pailler homomorphic encryption scheme.Later, Sadeghi et al. improve the efficiency of this system [43].In both works, they use the eigen-face recognition algorithm together with homomorphic encryption schemes.However, they limit the recognition performance of the system with the eigen-face method although there are various feature extraction methods which perform better than it.Unfortunately, their system cannot be used for any other feature extraction method for face images.Moreover, they do not use a threshold cryptosystem which prevents from a malicious party aiming to perform decryption by himself.Storing face images (or corresponding feature vectors) in the database in plain is the most serious security flaw of this system.An adversary, who gains access to the database, can obtain all face images.Therefore, the adversary can perform the sixth attack type -attack against the database which definitely threatens the security of the system and the privacy of the users.
Barni et al. [21], [44] propose a privacy preservation system for fingercode templates by using homomorphic encryption in the honest-but-curious model.They, however, do not propose any security and privacy solutions on the biometric templates stored in the database.This issue is mentioned as a future work in their paper.In addition, they do not use threshold encryption which would prevent from a malicious party aiming to perform decryption by himself.Therefore, their proposed system is open to adversary attacks against the database as stated in their work.They do not address the malicious enrollment issue as well.Moreover, the user must trust the server in their system.Although they achieve better performance than [42], [43] in terms of bandwidth saving and time efficiency, they do not address the applications where the user and the verifier do not trust each other (e.g. the malicious model).
There are also some works on secure Hamming distance calculation by using cryptographic primitives [70]- [73].These papers, however, limit their works only with secure Hamming distance calculation.These methods do not address biometric authentication as a whole and fails to satify security, privacy, template protection at the same time by taking into account computational efficiency which is very critical for real-world applications.Osadchy et al. [70] propose Pailler homomorphic encryption based secure Hamming distance calculation for face biometrics.The system is called SCiFI.Although they claim that SCiFI is computationally efficient, it mostly uses pre-computation techniques.Its pre-computation time includes processing time that must be done locally by each user before using the system each time.They report that SCiFI's online running time takes 0.31 seconds for a face vector of size 900 bits however its offline computation time takes 213 seconds.Since these computations should be done by the user just before each attempt to use the system, the protocol is not that much efficient.Besides, SCiFI is only secure for semi-honest adversaries.Rane et al. [71] also propose secure Hamming distance calculation for biometric applications.However, their proposed method fails to ensure biometric database security since biometric templates are stored in plain format in the database.Thus, a malicious verifier can threaten a user's security and privacy.Bringer et al. [72] propose a secure Hamming distance calculation for biometric application.The system is called SHADE and it is based on committed oblivious transfer [74].However, they also cannot guarantee biometric database security since biometric templates are stored in plain form in the database.Kulkarni et al. [73] propose a biometric authentication system based on somewhat homomorphic encryption scheme of Boneh et al. [75] which allows an arbitrary number of addition of ciphertexts but supports only one multiplication operation between the ciphertexts.Although the values stored on the enrollment server are the XORed values of the biometric template vector with the corresponding user's key, the user first extracts and sends her biometric features to the trusted enrollment server.Again this system uses a trusted enrollment server and fails to protect security and to preserve privacy of a user against a malicious database manager.In addition, the system is not efficient since 58 sec are required for successful authentication of a 2048 bit binary feature vector.

A. Threshold Homomorphic Cryptosystem
In this section, we briefly describe underlying cryptographic primitives of the protocols.Given a public key encryption scheme, let m ∈ M denote its message or plaintext space, c ∈ C the ciphertext space, and r ∈ R its randomness.Let c = Enc pk (m; r) depict an encryption of m under the public key pk where r is a random value.Let sk be its corresponding private key, which allows the holder to retrieve a message from a ciphertext.The decryption is done with the private key sk as m = Dec sk (c).
In a (t, n)-threshold cryptosystem, the knowledge of a private key is distributed among parties P 1 , . . ., P n .Then, at least t of these parties are required for successful decryption.On the other hand, there is a public key to perform encryption.More formally, let P 1 , . . ., P n be the participants.We define a (t, n)-threshold encryption scheme with three phases as follows: • In the key generation phase, each participant P i receives a pair (pk i , sk i ), where pk i and sk i are the shares of the public and secret key, respectively.Then, the overall public key pk is constructed by collaboratively combining the shares.Finally pk is broadcast to allow anyone to encrypt messages in M. The shares of this public key are also broadcast which allow all parties to check the correctness of the decryption process.
• The encryption phase is done as in any public key encryption cryptosystem.If m ∈ M is the message, a (secret) random value r from R is chosen and c = Enc pk (m; r) is broadcast under a public key pk.• In the threshold decryption phase, given that t (or more) participants agree to decrypt a ciphertext c, they follow two steps.First, each participant produces a decryption share by performing S j i = Dec sk j i (c), j = 1, . . ., t.
After broadcasting S j i , they all can apply a reconstruction function F on these shares so that they can recover the original message by performing m = F(S 1 i , . . ., S t i ) where P 1 i , . . ., P t i represent the group of t participants willing to recover m.
In case of a (t, n)-threshold scheme, the additional requirement is that if less than t parties gather their correct shares of the decryption of a given ciphertext, they will get no information whatsoever about the plaintext.In the proposed system, we use the (2, 2)-threshold cryptosystem between the claimer (the user) and the verifier where both players must cooperate to decrypt.
In the proposed protocol, we use a variant of the threshold decryption protocol which is the so-called private threshold decryption [80].The requirement of this protocol is that one of the t parties will be the only party who will recover the secret.All t − 1 other parties follow the protocol and broadcast their shares to achieve this requirement.The party who will learn the plaintext proceeds with the decryption process privately, collects all decryption shares from the t − 1 other parties, and privately reconstructs the message.The remaining parties will not get any information about this message.

B. Biometric Verification Scheme
Biometric verification schemes perform an automatic verification of a user based on her specific biometric data (e.g., face, fingerprint, iris).They have two main stages: 1) Enrollment stage, and 2) Authentication stage.The user is enrolled to the system at the enrollment stage.Then, she again provides her biometric data to the system at the authentication stage to prove her identity.Any biometric scheme, which provides binary outputs or whose outputs can be binarized, can work with the proposed threshold homomorphic cryptosystem.The THRIVE system can work with any biometric feature extraction method which produces fixed size vectors as templates and perform verification with distance calculations between the enrolled and the provided template at the authentication stage.When the output of a biometric feature extraction method is not binary, locality sensitive hashing can be used to binarize the feature vector [81].After binarization, the binary templates can successfully be used with the proposed system.In this paper, we use biohashing as an example algorithm for extracting binary biometric templates.Although biohashing has its own security and privacy preservation mechanism, we do not rely on these for the security or the privacy preservation features.Thus it can be replaced with any other binary feature extraction method.
Biohashing schemes are simple yet powerful biometric template protection methods [26]- [30].Biohash is a binary and pseudo-random representation of a biometric template.Biohashing schemes use two inputs: 1) Biometric template, 2) User's secret key.A biometric feature vector is transformed into a lower dimension sub-space using a pseudo-random set of orthogonal vectors which are generated from the user's secret key.Then, the result is binarized to produce a pseudorandom bit-string which is called the biohash.In an ideal case, the Hamming distance between the biohashes belonging to the biometric templates of the same user is expected to be relatively small.On the other hand, the distance between the biohashes belonging to different users is expected to be sufficiently high to achieve higher recognition rates.
We descibe the random projection (RP) based biohashing scheme proposed by Ngo et al. [82].In this scheme, there are three main steps: 1) Feature extraction, 2) Random projection, 3) Quantization.These steps are explained for face biometrics.
1) Feature Extraction: The feature extraction is performed on the face images, which are collected at the enrollment stage, belonging to the users, I i,j ∈ m×n where i = 1, . . ., n and n denotes number of users, j = 1, . . ., L and L denotes number of training images per user.The face images are lexicographically re-ordered and the training face vectors, x i,j ∈ (mn)×1 , are obtained.Then, Principle Component Analysis (PCA) [69] is applied.
where A ∈ k×(mn) is the PCA matrix trained by the face images in the training set, w is the mean face vector, and y i,j ∈ k×1 is vector containing PCA coefficients belonging to the j th training image of the i th user.
2) Random Projection: At this phase, a RP matrix, R ∈ ×k , is generated to reduce the dimension of the PCA coefficient vectors.The RP matrix elements are independent and identically distributed (i.i.d) and generated from a Gauss distribution with zero mean and unit variance by using a Random Number Generator (RNG) with a seed derived from the user's secret key.The Gram-Schmidt (GS) procedure is applied to obtain an orthonormal projection matrix R GS ∈ ×k to have more distinct projections.Finally, PCA coefficients are projected onto a lower -dimensional subspace.
where z i,j ∈ ×1 is an intermediate biohash vector belonging to the j th training image of the i th user.
3) Quantization: At this phase, the intermediate biohash vector z i,j elements are binarized with respect to the threshold.
where λ i,j ∈ {0, 1} denotes biohash vector of the j th training image of the i th user and β denotes the mean value of the intermediate biohash vector z i,j .A biohash vector, B enrolli , for the i th user is stored in the database at the enrollment stage for verification purpose during the authentication stage.Note that, B enrolli can be any vector among λ i,j vectors in a real-world application.For simulation purposes, we take into account all possible biohashes for a user by computing λ i,j .The user is authenticated if the Hamming distance between B enrolli and B authi is below a threshold µ.
where B k enrolli denotes the k th bit of B enrolli , B k authi denotes the k th bit of B authi , and ⊕ denotes the binary XOR (exclusive OR) operator.Consequently, the verifier decides whether the claimer is a legitimate user or not according the threshold.

IV. THE PROPOSED BIOMETRIC AUTHENTICATION
SYSTEM In this section, the proposed biometric authentication system is introduced.In the proposed system, there are two major roles: 1. User (U i ) and 2. Verifier (V).The user has control of the biometric sensor, the feature extractor, and the biohash generator whereas the verifier has control of the database and the matcher.We assume that there is a trusted third party (TTP) which initially sets up the system public/private keys.
The TTP distributes the keys in the proposed system.There are public-private key pairs (pk i , (sk 1 i , sk 2 i )) which are shared between the user and the verifier.pk i is the public key of the i th user, U i , and both the user and the verifier have it.Recall that, when an enrollment biometric template is encrypted by pk i , this can solely be decrypted using the private key shares of the user (sk 1 i ) and the verifier (sk 2 i ) collaboratively since the proposed system is based on the (2, 2)-threshold homomorphic cryptosystem.Here, sk 1 i is the private key share of the i th user, U i , and sk 2 i is the private key share of the verifier.Besides, there is a public-private key pair (pk Ui , sk Ui ) which belongs to the i th user, U i , where pk Ui is the public key and sk Ui is its associated private key to perform the signature operation.The verifier also has the public key pk Ui of the i th user, U i .

A. Enrollment Stage
At this stage, the i th user U i has control over the biometric sensor, the feature extractor, and the biohash generator whereas the verifier has control over the database as illustrated in Figure 1.It is worth mentioning that biometric sensor authentication must be achieved in the proposed system before executing the enrollment protocol to prevent unauthorized sensors to be used as clients in the system by malicious users.This, however, is not explicitly indicated in the protocol in order not to clutter the paper.The proposed enrollment protocol is illustrated in Figure 2 and steps of it are introduced as follows: 1) Step 1: The i th user, U i , computes her biohash, B enrolli = B 1 enrolli . . .B n enrolli where B j enrolli ∈ {0, 1}, j = 1, . . ., n. Next, the user encrypts her biohash, C j i =Enc pki B j enrolli ∀j = 1, . . ., n, by using the public key pk i .Then, the user signs her encrypted biohash, Sign sk U i (< C j i : j = 1, . . ., n >), and sends it to the verifier.

2)
Step 2: The verifier V verifies Sign sk U i (< C j i : j = 1, . . ., n >) by using pk Ui and stores the signature and encrypted biohash in the database.These data will be used for verification at the authentication stage.Note that the proposed enrollment protocol uses the (2, 2)threshold homomorphic cryptosystem.Namely, both the user and the verifier have to cooperate to decrypt a ciphertext.Furthermore, the signature ensures that the data stored in the database are generated by a legitimate user.Proof.(Sketch) At the enrollment stage, the i th user U i first encrypts her biohash and then signs it.After these computations, U i sends her encrypted and signed biohash Sign sk U i (< C j i : j = 1, . . ., n >) to the verifier.Since the user's biohash is not sent in plain form, biohashes are not revealed to the verifier at the enrollment stage.
Lemma 2. An adversary cannot register as a legitimate user at the enrollment stage.
Proof.(Sketch) At the enrollment stage, the i th user U i encrypts her biohash by using the public key pk i and then signs her encrypted biohash by using her private key sk Ui .Thus, U i sends encrypted and signed biohash Sign sk U i (< C j i : j = 1, . . ., n >) to the verifier.The verifier knows pk Ui of the users.Since the verifier verifies the signature of the user, an adversary cannot register himself as a genuine user without having the private key of her sk Ui for computing Sign sk U i (< C j i : j = 1, . . ., n >).

B. Authentication Stage
At this stage, the i th user U i , has control over the biometric sensor, the feature extractor, and the biohash generator whereas the verifier has control over the database, the matcher and the decision maker as illustrated in Figure 4. U i tries to prove herself to the verifier by executing the proposed authentication protocol shown in Figure 3. Similar to the enrollment case, the biometric sensor must be authorized by the system before the authentication protocol is carried out.Steps of the proposed authentication protocol are as introduced as follows: 1) Step 1: U i wants to verify her identity by using her biohash and sends a connection request to the verifier.Then, U i computes her biohash authi where B j authi ∈ {0, 1}, j = 1, . . ., n.Note that the user cannot produce exactly the same biometric template at each attempt and this results in different biohashes computed by the same user.Therefore, B enrolli and B authi are different biohashes although they are generated by the same user at different sessions (enrollment and authentication).First, U i chooses a random vector r j i ∈ R {0, 1} ∀ j = 1, . . ., n.She computes R j i = r j i ⊕ B j authi ∀j = 1, . . ., n.Then, U i generates a nonce, nonce Ui , which is uniquely defined and contains information about user id, session id and timestamp.Finally, the user sends < R j i : j = 1, . . ., n >, nonce Ui to the verifier.

2)
Step 2: The verifier retrieves Sign sk U i (< C j i : j = 1, . . ., n >) from the database where C j i = Enc pki B j enrolli ∀ j = 1, . . ., n.Then, it generates a nonce nonce Vi which contains information about the verifier, session id and timestamp.Finally, it sends Sign sk U i (< C j i : j = 1, . . ., n >), nonce Vi to the user.3) Step 3: The user verifies Sign sk U i (< C j i : j = 1, . . ., n >) by using public key pk Ui .She computes i )/4 mod N i , ∀ j = 1, . . ., n using her private key share sk 1 i .Finally, she sends Sign sk U i (< Enc pki (r j i ), T 1,j i : j = 1, . . ., n >, nonce Ui , nonce Vi ) to the verifier.4) Step 4: V verifies the signature Sign sk U i (< Enc pki (r j i ), T 1,j i : j = 1, . . ., n >, nonce Ui , nonce Vi ) by using the public key pk Ui .Then, it computes C j i =Enc pki (r j i ) • C j i (this is done to assure correctness of the result and will prevent a malicious user computing different values than expected.).Next, the verifier performs the full decryption by computing mod N i .Finally, the verifier computes the decrypted j th bits T j i = (1 − T 1,j i T 2,j i T 3,j i mod N i )/2 and the Hamming distance between R j i and T j i is calculated as follows: where µ is the distance threshold.Therefore, the verifier decides whether the user is authentic with respect to the pre-defined distance threshold.Note that the Hamming distance between r j i ⊕ B j enrolli and r j i ⊕ B j authi is equal to the Hamming distance between B j enrolli and B j authi .Finally, the verifier sends its decision (either Accept or Reject) to the user.However, the user may get dummy output if there is an error or an attack (i.e., override response attack) in the communication channel.The proposed system can easily be updated to cope with such an attack, for instance, by allowing the verifier to sign its decision including the nonces generated during the authentication session (i.e., either Sign(Accept, nonce Ui , nonce Vi ) or Sign (Reject, nonce Ui , nonce Vi ) and then sends it to the user.In this way, authenticity, integrity and origin of the data can easily be verified.Besides, signing the nonces (nonce Ui and nonce Vi ) also makes the communication unique and avoids replay attacks.Lemma 3. Biohashes are not revealed at the authentication stage.
Proof.Authentication is performed in a randomized domain.In other words, the authentication is determined by comparing R j i and T j i .An adversary can only obtain R j i and T j i which are revealed at the authentication stage.Recall that these are randomized biohashes.Thus, from the adversary's perspective, there are three unknowns (r j i , B j enrolli and B j authi ) and two equations which are shown in the below.
where r j i is the random bit generated by the U i for the j th bit.Since this is a system of linear equations with fewer equations Fig. 4. Illustration of the THRIVE authentication stage: the user has control over the biometric sensor, the feature extractor and the biohash generator whereas the verifier has control over the database, the matcher and the decision maker.
than unknowns, the system has infinitely many solutions.Consequently, it is impossible for the adversary to obtain a legitimate user's biohash by using T j i and R j i which are revealed at the authentication stage.As a result, the proposed biometric authentication system ensures security and privacy.

PROTOCOL
In this section, we prove that the proposed authentication protocol shown in Figure 3 is secure against malicious user and verifier.In this proof, there exists a probabilistic polynomialtime simulator that produces a protocol transcript which is statistically indistinguishable from the one resulting from a real execution of the authentication protocol.The simulator must perform its task without knowing the private information of the party who proves her identity [83].We show that given a party is corrupted (either a user or verifier), there exists a simulator that can produce a view which is statistically indistinguishable from the view of that party interacting with the other honest party.Assuming that one party is corrupted, we build an efficient simulator that has access to the public input and private secret shares of the secret key of the corrupted party.Besides, the simulator knows the public output.We want to point out that the simulator already knows the shares of the secret key of the corrupted party before the simulation is run.Since the threshold cryptosystem is set up before the protocol starts, we assume that the simulator extracts this information when the distributed key generation is run.
It is worth mentioning that the proposed authentication protocol gives computational privacy to both the user and the verifier due to the semantic security of the underlying cryptosystem.Furthermore, it is shown that the proposed authentication protocol is simulatable for both parties and these simulations produce views which are statistically indistinguishable from the views in the real protocol executions.
Theorem 1.The proposed authentication protocol, which is shown in Figure 3, is secure in the presence of static malicious adversaries.
Proof.We show that given a party is corrupted, there exists a simulator that can produce a view to the adversary that is statistically indistinguishable from the view in the real protocol execution based on its private decryption share as well as public information.
Case 1 -User U i is corrupted.In this case, we prove the security for the case where U i is corrupted.The simulator has the private key share of the user sk 1 i , the user's private key sk Ui , and the user's biohash B j authi apart from the user's public information (i.e., pk Ui and pk i ) as described in the proposed authentication protocol.The simulator constructs a view for the user which is statistically close to the one the user observes when interacting with the honest verifier by using this information.The simulator proceeds as follows: 1) The simulator first obtains < R j i : j = 1, . . ., n > ,nonce Ui .As in the second round of the real protocol, the simulator needs to output the signature of the encrypted biohash of the user.To do so, the simulator computes Cj i = Enc pki (B j authi ) ∀ j = 1, . . ., n by using the user's public key pk i , and then computes Sign sk U i Cj i : j = 1, . . ., n .The simulator also generates a nonce called ñonce Vi .The values Sign sk U i Cj i : j = 1, . . ., n and ñonce Vi are the simulated outputs.Note that the simulator uses Bauth instead of B enroll since it is the only available biohash to him.2) The simulator obtains Sign sk U i (< Enc pki (r j i ), T 1,j i : j = 1, . . ., n >,nonce Ui , ñonce Vi ) as in the second round of the protocol.The simulator next verifies the signature Sign sk U i (< Enc pki (r j i ), T 1,j i : j = 1, . . ., n > ,nonce Ui , ñonce Vi ) that U i would run.Next, it computes i , its plaintext and the share of private key sk 2 i of the user U i the decryption shares T 2,j i can be simulated as follows: The simulator computes b0 = [ C j i ] (N −p0−q0+1)/4 mod N from the public information and computes b1 = [ C j i ] (−p1−q1)/4 mod N since it knows sk 1 i (i.e., p 1 , q 1 ).Let's denote b for the plaintext of C j i .Then, the simulator can compute b2 mod N ≡ (1− 2b)/( b0 b1 ) mod N (which is T 2,j i in the real protocol).Note that in the real setting this is not possible since the plaintext inside the ciphertext is unknown C j i .Similarly, T 3,j i can also be simulated since p 0 i and q 0 i are known by the simulator.The simulator finally computes k j=1 R j i ⊕ T j i .Each step of the proposed authentication protocol for the simulator is simulated and this completes the simulation for the malicious user.The transcript is consistent and statistically indistinguishable from the user's view when interacting with the honest verifier.
Case 2 -The verifier V is corrupted.We now prove the security for the case where the verifier is corrupted.The simulator has the private key share of the verifier (sk 2 i ) apart from the verifier's public information ( i.e., pk Ui , pk i , and Sign sk U i (< C j i : j = 1, . . ., n >)) as described in the proposed authentication protocol.The simulator constructs a view for the verifier which is statistically close to the one when interacting with the honest user by using this information.The simulator proceeds as follows: 1) Note that the simulator already knows < C j i : j = 1, . . ., n > because of the knowledge of Sign sk U i (< C j i : j = 1, . . ., n >).The simulator chooses a random bit rj i and arbitrary Bj authi ∈ R {0, 1} and computes Recall that the simulator must perform its task without knowing the private information of the honest user in this case.Thus, although it does not have real r j i and B j authi it can successfully execute the simulated conversation since Rj i is uniformly random.
2) The simulator obtains Sign sk U i (< C j i : j = 1, . . ., n >).The simulator verifies the signature Sign sk U i (< C j i : j = 1, . . ., n >) (by using the user's public key pk Ui ) that V would run.Next, it next computes ) and the share of private key sk 2 i of the verifier V the decryption share T 1,j i can also be simulated as follows: The simulator computes b0 = [ C j i ] (N −p0−q0+1)/4 mod N from the public information and computes b2 = [ C j i ] (−p2−q2)/4 mod N since it knows sk 2 i (i.e., p 2 , q 2 ).Let's denote b for the plaintext of C j i .Then, the simulator can compute b1 mod N ≡ (1 − 2b)/( b0 b2 ) mod N (which is T 1,j i in the real protocol).Note that in the real setting this is not possible since the plaintext inside the ciphertext is unknown C j i .4) Finally, the simulator needs to simulate the signature Sign sk U i (< Enc pki (r j i ), T 1,j i : j = 1, . . ., n > ,nonce Ui ,nonce Vi ).However, this is not possible since the simulator does not know sk Ui .In order to successfully simulate this final step, we need to provide additional information to the simulator.For example, performing a following modification over the the key generation phase in the real protocol the simulation will be possible: • During the key generation in the real protocol, the private key sk Ui is distributed to the user U i and V in a threshold fashion.For example, distributed RSA setting can be used for the signature algorithm (note that for an RSA setting (e, n) denotes the public key and (p, q, d) denotes the private key where n = pq and ed ≡ 1 mod (p−1)(q−1)).Namely, the private key d can be divided into d 1 and d 2 such that the ciphertext c can be decrypted together with U i and V as m ≡ c d ≡ c d1+d2 mod n. • In order to simulate, instead of signing procedures, U i will compute an encryption, compute its partial decryption and finally will send to the verifier.This will assure that the user indeed used its private decryption key over the encrypted value.Next, the verifier will also compute its partial decryption and will compute the decrypted value privately.Hence, with this modified version the decryption share can be simulated in a similar way as described at the third step of the simulation.Consequently, each step of the proposed authentication protocol for the simulator is simulated and this completes the simulation for the malicious verifier.The transcript is consistent and statistically indistinguishable from the verifier's view when interacting with the honest user.

VI. COMPLEXITY ANALYSIS OF THE PROPOSED SYSTEM
In this section, we discuss the complexity of the THRIVE enrollment and authentication protocols.The complexity of the THRIVE enrollment and authentication protocols are examined in terms of protocol steps for the round complexity, the number of cryptographic operations for the computational complexity and the number of messages exchanged by the two parties for the communication complexity.Without loss of generality, we will provide complexity of the THRIVE protocols using the (2,2)-threshold homomorphic GM cryptosystem as an instance [79].In the protocol we use (2,2)-threshold XOR homomorphic GM cryptosystem for confidentiality (i.e., encryption and decryption) while for signature generation and verification a conventional cryptosystem such as RSA (using the key pair (pk Ui , sk Ui )) is employed.
The round complexity of the enrollment protocol is only one.For the computational complexity, the enrollment protocol requires n XOR-homomorphic encryptions, and one conventional signature generation for a user, but one signature verification for the server.For the communication complexity, the user sends a conventional signature and n ciphertexts (i.e., C j i for j = 1, . . .n).
In the authentication protocol, there are only four rounds.For the computational complexity of the authentication protocol, the user generates one conventional signature and verifies another, computes n XOR-homomorphic encryptions and n XOR-homomorphic decryptions, and performs n modular multiplications over homomorphic ciphertexts (i.e., Enc pki (r j i ) • C j i for j = 1, . . .n).The verifier verifies one conventional signature, computes n + 2 modular multiplications, 2n decryptions, and performs n Jacobi computations to check Enc pki (r j i ) for j = 1, . . .n.In total, there are n XORhomomorphic encryptions, 3n XOR-homomorphic decryptions, two signature verifications, one signature generation, n Jacobi computations, and 2n + 2 modular multiplications during the entire authentication protocol.
For the communication complexity of the authentication protocol, the user sends 2n homomorphic ciphertexts, one conventional signature and one nonce value.The verifier sends one conventional signature, n homomorphic ciphertexts, and one nonce to the user.In total, 3n homomorphic ciphertexts, two conventional signatures, and two nonce values are exchanged.
Fig. 5. Comparison between the THRIVE system and the existing solutions.denotes that the system satisfies the property whereas denotes that the system does not satisfies the property.
In the following, we provide timing estimates for the entire protocol for 80-bit security level, on a desktop computer, which has Intel processor with various clock speeds (2.4 GHz and 3.2 GHz).On the computer one modular multiplication using Montgomery arithmetic takes about 2000 clock cycles.Furthermore, one decryption operation in XOR homomorphic GM cryptosystem takes only a single modular multiplication.On the other hand, one decryption in XOR homomorphic GM cryptosystem requires one modular exponentiation operation which takes about 3.2 million clock cycles.In addition, one signature generation and verification operation in conventional cryptosystem such as RSA are equivalent to one modular exponentiation operation.
The bandwidth usage of the proposed protocol for various lengths of biohashes of the user are given in Table I.The required bandwidth for the proposed protocol increases with the increasing length of the biohashes.Bandwidth usage also affects the overall connection time.The computation times for the user and the verifier at 2.4 GHz for the proposed protocol with different biohash lengths are given in Table II.Naturally, it is expected that the required computation times of the proposed protocol increase as lengths of the biohashes increase.
We compare the communication complexity of the proposed system with the existing systems in the literature assuming that all systems run on a computer platform with 2.4 GHz clock speed.Erkin et al.'s system [42] requires 56.25 ms, Barni et al.'s system [21], [44] requires 50 ms and Sadeghi et al.'s system [43] requires 25 ms for authentication at the server side for single user with 112 bit binary feature vector  [21].On the other hand, our solution requires 449 ms for the same authentication set-up.Although existing solutions seem faster than the proposed system, they propose their solutions in the semi-honest model whereas our solution is secure under malicious adversary model.The comprehensive comparison between the proposed system and existing systems are shown in Figure 5.It is clearly seen in Figure 5 that the proposed THRIVE system offers superior security and privacy preservation solutions under malicious attack model.The similar timing estimations are also computed for 3.2 GHz as shown in Table III.We compare the communication complexity of the proposed system with the existing systems at 3.2 GHz in the literature.Kulkarni et al.'s system [73] requires 58 s at the server side, 10 ms at the user side and 400 Kbit bandwidth usage for authentication of single user with 2048-bit binary feature vector at 3.2 GHz.Our proposed system requires 6146 ms at the server side, 2051 ms at the user side and 6296 Kbit bandwidth usage for the same authentication set-up.Thus, it is faster than Kulkarni et al.'s system.In addition, our proposes system offers other advantages such as that it is secure under malicious adversary model, that the biometric is protected via both a template protection method (e.g., biohash) and cryptographic primitives (e.g.threshold homomorphic encryption).On the other hand, Kulkarni et al.'s system offers solution for semi-honest model which also means that it is insecure for the malicious model.The comprehensive comparison between the proposed system and existing systems are shown in Figure 5.

VII. CONCLUSION
In this work, we propose a novel biometric authentication system.The aim of the proposed system is to increase security against adversary attacks defined in [45] when an adversary wants to gain access to the system as a legitimate user.We propose novel enrollment and authentication protocols to increase the security against attacks reported in the literature and preserve the privacy of users.The proposed system can be used with any biometric feature extraction method which can produce binary templates or whose outputs can be binarized.The biohashing is chosen as an example binary biometric template generation system since it offers satisfactory error rates and fast authentication.The comparison is performed in a randomized domain in the authentication stage and the binary templates (e.g., biohashes) are never released.In addition, only encrypted binary templates are stored in the database.Since we use the (2, 2)-threshold cryptosystem, the verifier cannot decrypt the data stored in the database by himself.Namely, the user and the verifier both has to cooperate to decrypt the encrypted binary templates.The proposed system can be used in applications where the user is not willing to reveal her biometrics to the verifier although she needs to proof her physical presence by using biometrics.The THRIVE system is suitable for applications where the user and the verifier do not necessarily trust each other.Furthermore, the proposed system appears to be sufficiently efficient compared to the existing scheme and can be used in real-life applications.

Fig. 1 .
Fig. 1.Illustration of the THRIVE enrollment stage: the user has control over the biometric sensor, the feature extractor and the biohash generator whereas the verifier has control over the database.

TABLE II COMPUTATION
TIME FOR THE USER AND THE VERIFIER AT 2.4 GHZ.

TABLE III COMPUTATION
TIME FOR THE USER AND THE VERIFIER AT 3.2 GHZ.