
Exploit the Leak: Understanding Risks in Biometric Matchers

Axel Durbet, Kevin Thiry-Atighehchi, Dorine Chagnon, Paul-Marie Grollemund

TL;DR

This paper analyzes information leakage in biometric matchers that use privacy-preserving distance measures, formalizing attacker models and a taxonomy of leakage scenarios. It provides a comprehensive set of complexity bounds for active and passive attacks across leakage types, including distance, error positions, and error values, under both below-threshold and combined leakage conditions. A novel accumulation (passive) attack is introduced, leveraging observations over multiple authentications and framed through coupon-collector analysis to quantify the effort required to recover the enrolled template. The results illuminate the security implications of non-binary leakage in privacy-preserving biometrics and guide future work toward robust defenses and alternative distance metrics.

Abstract

In a biometric authentication or identification system, the matcher compares a stored and a fresh template to determine whether there is a match. This assessment is based on both a similarity score and a predefined threshold. For better compliance with privacy legislation, the matcher can be built upon a privacy-preserving distance. Beyond the binary output ('yes' or 'no'), most schemes may perform more precise computations, e.g., the value of the distance. Such precise information is prone to leakage even when not returned by the system. This can occur due to a malware infection or the use of a weakly privacy-preserving distance, exemplified by side-channel attacks or partially obfuscated designs. This paper provides an analysis of information leakage during distance evaluation. We provide a catalog of information leakage scenarios with their impacts on data privacy. Each scenario gives rise to unique attacks with impacts quantified in terms of computational costs, thereby providing a better understanding of the security level.

Paper Structure (18 sections, 8 theorems, 5 equations, 2 figures, 1 table)

Key Result

Theorem 1

Given $\varepsilon$ a threshold, $x\in\mathbb{Z}_q^n$ a vector, and $\texttt{Match}_{x,\varepsilon}$ leaks the distance below the threshold, an attacker can retrieve $x$ in the worst case in $\mathcal{O}(q^{n-\varepsilon}+q\varepsilon)$ queries to $\texttt{Match}_{x,\varepsilon}$.
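The attack that Theorem 1 bounds, written out as an added example (this is not code from the paper): a simulated matcher over $\mathbb{Z}_q^n$ that returns the exact distance whenever it is at or below the threshold, and an attacker that first brute-forces its way into the acceptance region and then uses the leaked distance to correct the remaining coordinates one at a time. Hamming distance, the threshold 2, the class and function names, and the coordinate-pinning strategy of the first phase are assumptions of this example; the hidden vector $(0,1,3,2,2)$ in $\mathbb{Z}_4^5$ is the one the page uses for Figure 2, reused here only as sample input. As implemented, the second phase costs at most $n + \varepsilon(q-2)$ queries, so the total is $\mathcal{O}(q^{n-\varepsilon} + n + q\varepsilon)$; the theorem's bound has no $n$ term, which this straightforward coordinate-by-coordinate probe does not achieve.

```python
"""Simulated distance-leaking matcher over Z_q^n and the two-phase recovery attack."""
import itertools
from typing import List, Optional, Sequence, Tuple


def hamming(a: Sequence[int], b: Sequence[int]) -> int:
    """Hamming distance: number of coordinates where the two vectors differ."""
    return sum(x != y for x, y in zip(a, b))


class LeakyMatcher:
    """Oracle Match_{x,eps}: accepts y iff d(x, y) <= eps and (the leak) returns
    the exact distance on acceptance instead of a bare 'yes'. Rejections return None."""

    def __init__(self, x: Sequence[int], eps: int) -> None:
        self._x = tuple(x)       # enrolled template; the attacker never reads it directly
        self.eps = eps
        self.queries = 0         # query counter, to compare against the bound

    def match(self, y: Sequence[int]) -> Optional[int]:
        self.queries += 1
        d = hamming(self._x, y)
        return d if d <= self.eps else None


def find_accepted(oracle: LeakyMatcher, q: int, n: int, eps: int) -> Tuple[List[int], int]:
    """Phase 1 (q^(n-eps) queries worst case): enumerate the first n-eps coordinates
    with the last eps coordinates pinned to 0. The candidate that agrees with x on
    the first n-eps coordinates differs in at most eps places, so it is accepted."""
    for prefix in itertools.product(range(q), repeat=n - eps):
        y = list(prefix) + [0] * eps
        d = oracle.match(y)
        if d is not None:
            return y, d
    raise RuntimeError("unreachable: one prefix necessarily agrees with the template")


def refine(oracle: LeakyMatcher, y: List[int], d: int, q: int) -> List[int]:
    """Phase 2 (at most n + eps*(q-2) queries): the leaked distance tells, per
    coordinate, whether a change made things better, worse, or neither.
    Changing a correct coordinate always raises the distance (or gets rejected);
    changing a wrong coordinate never raises it."""
    y = list(y)
    for i in range(len(y)):
        if d == 0:
            break
        for v in range(q):
            if v == y[i]:
                continue
            trial = y.copy()
            trial[i] = v
            d_new = oracle.match(trial)
            if d_new is None or d_new > d:
                break                  # coordinate i was already correct
            if d_new < d:
                y, d = trial, d_new    # found the enrolled value at position i
                break
            # d_new == d: position i is wrong and v is wrong too; try the next value
    assert d == 0, "phase 2 must end on an exact match"
    return y


def recover_template(oracle: LeakyMatcher, q: int, n: int, eps: int) -> List[int]:
    """Full attack: get inside the acceptance region, then walk the leaked distance to 0."""
    y, d = find_accepted(oracle, q, n, eps)
    return refine(oracle, y, d, q)


def query_bound(q: int, n: int, eps: int) -> int:
    """Worst-case query count of this instantiation: q^(n-eps) + n + eps*(q-2)."""
    return q ** (n - eps) + n + eps * (q - 2)


if __name__ == "__main__":
    # Constructed instance: Z_4^5, threshold 2, hidden vector (0,1,3,2,2) (the vector
    # from the page's Figure 2, reused here purely as sample input).
    oracle = LeakyMatcher([0, 1, 3, 2, 2], eps=2)
    recovered = recover_template(oracle, q=4, n=5, eps=2)
    print("recovered:", recovered, "queries:", oracle.queries, "bound:", query_bound(4, 5, 2))
```

The same oracle with the distance stripped (return only `d is not None`) would leave the second phase blind: a rejected probe still says "that coordinate was correct", but an accepted probe no longer distinguishes "fixed it" from "still wrong", which is exactly the gap between the binary and the below-threshold leakage cases.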

Figures (2)

  • Figure 1: Attack points in a generic biometric recognition system.
  • Figure 2: Exploiting the error position leaked in the case $\mathbb{Z}_4^5$, where the hidden vector, i.e. the missing coordinates, is $(0,1,3,2,2)$.

Theorems & Definitions (18)

  • Theorem 1
  • Proof 1
  • Theorem 2
  • Proof 2
  • Theorem 3
  • Proof 3
  • Theorem 4
  • Proof 4
  • Theorem 5
  • Proof 5
  • ...and 8 more