Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Biometrics-Based Authenticated Key Exchange with Multi-Factor Fuzzy Extractor

Hong Yen Tran, Jiankun Hu, Wen Hu

TL;DR

Biometric authentication suffers spoofing risks and permanent identity loss when biometrics are compromised. The authors propose a lattice-based, multi-factor fuzzy extractor (MFFE) that binds a secret $\alpha$ with biometrics to produce a cryptographic key $\beta$, enabling reusable identity credentials. They embed this into a multi-factor authenticated key exchange (MFAKE) that achieves mutual authentication, removes dependence on a central identity authority for ongoing sessions, and resists privileged-insider attacks, with formal semantic security under a discrete logarithm with sketch framework and Leftover Hash Lemma. The approach is validated on the SDUMLA finger-vein dataset, achieving $EER=0.04\%$, ~0.93 s authentication, and 448 bytes of communication, demonstrating practical viability for secure biometrics-based key exchange. This work advances practical, reusable multi-factor authentication by integrating lattice-based MFFE with MFAKE and providing rigorous security and empirical evaluation.

Abstract

Existing fuzzy extractors and similar methods provide an effective way for extracting a secret key from a user's biometric data, but are susceptible to impersonation attack: once a valid biometric sample is captured, the scheme is no longer secure. We propose a novel multi-factor fuzzy extractor that integrates both a user's secret (e.g., a password) and a user's biometrics in the generation and reconstruction process of a cryptographic key. We then employ this multi-factor fuzzy extractor to construct personal identity credentials which can be used in a new multi-factor authenticated key exchange protocol that possesses multiple important features. First, the protocol provides mutual authentication. Second, the user and service provider can authenticate each other without the involvement of the identity authority. Third, the protocol can prevent user impersonation from a compromised identity authority. Finally, even when both a biometric sample and the secret are captured, the user can re-register to create a new credential using a new secret (reusable/reissued identity credentials). Most existing works on multi-factor authenticated key exchange only have a subset of these features. We formally prove that the proposed protocol is semantically secure. Our experiments carried out on the finger vein dataset SDUMLA achieved a low equal error rate (EER) of 0.04%, a reasonable averaged computation time of 0.93 seconds for the user and service provider to authenticate and establish a shared session key, and a small communication overhead of only 448 bytes.

Biometrics-Based Authenticated Key Exchange with Multi-Factor Fuzzy Extractor

TL;DR

Biometric authentication suffers spoofing risks and permanent identity loss when biometrics are compromised. The authors propose a lattice-based, multi-factor fuzzy extractor (MFFE) that binds a secret with biometrics to produce a cryptographic key , enabling reusable identity credentials. They embed this into a multi-factor authenticated key exchange (MFAKE) that achieves mutual authentication, removes dependence on a central identity authority for ongoing sessions, and resists privileged-insider attacks, with formal semantic security under a discrete logarithm with sketch framework and Leftover Hash Lemma. The approach is validated on the SDUMLA finger-vein dataset, achieving , ~0.93 s authentication, and 448 bytes of communication, demonstrating practical viability for secure biometrics-based key exchange. This work advances practical, reusable multi-factor authentication by integrating lattice-based MFFE with MFAKE and providing rigorous security and empirical evaluation.

Abstract

Existing fuzzy extractors and similar methods provide an effective way for extracting a secret key from a user's biometric data, but are susceptible to impersonation attack: once a valid biometric sample is captured, the scheme is no longer secure. We propose a novel multi-factor fuzzy extractor that integrates both a user's secret (e.g., a password) and a user's biometrics in the generation and reconstruction process of a cryptographic key. We then employ this multi-factor fuzzy extractor to construct personal identity credentials which can be used in a new multi-factor authenticated key exchange protocol that possesses multiple important features. First, the protocol provides mutual authentication. Second, the user and service provider can authenticate each other without the involvement of the identity authority. Third, the protocol can prevent user impersonation from a compromised identity authority. Finally, even when both a biometric sample and the secret are captured, the user can re-register to create a new credential using a new secret (reusable/reissued identity credentials). Most existing works on multi-factor authenticated key exchange only have a subset of these features. We formally prove that the proposed protocol is semantically secure. Our experiments carried out on the finger vein dataset SDUMLA achieved a low equal error rate (EER) of 0.04%, a reasonable averaged computation time of 0.93 seconds for the user and service provider to authenticate and establish a shared session key, and a small communication overhead of only 448 bytes.
Paper Structure (19 sections, 4 theorems, 30 equations, 10 figures, 7 tables, 1 algorithm)

This paper contains 19 sections, 4 theorems, 30 equations, 10 figures, 7 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Fuzzy Data Setting
  4. Fuzzy Data Setting with a Lattice
  5. Conditional Collision Entropy, Statistical Distance, Universal Hash Functions and Leftover Hash Lemma
  6. Multi-Factor Fuzzy Extractor
  7. Definition
  8. A Multi-Factor Fuzzy Extractor with a Lattice
  9. Comparisons to Related Works on Fuzzy Extractor and Its Similar Schemes
  10. An Authenticated Key Exchange Based on Multi-Factor Fuzzy Extractor
  11. System overview
  12. Description of the proposed scheme
  13. Analysis of the proposed scheme
  14. Correctness
  15. Security
  16. ...and 4 more sections

Key Result

Proposition 1

In the lattice-based $(\mathcal{F},A,D_A,B,\epsilon, \Delta)$-MFFE described above, let $(\beta, \bm{\delta}, w) \gets \mathsf{Gen}(\mathsf{pp_{MFFE}}, \bm{x}, g^\alpha)$ and assume that $\bm{x}'\in \mathsf{AR}_{\mathcal{L}}(\bm{x})$. Then $\mathsf{Rep}(\mathsf{pp_{MFFE}}, \bm{x}', \alpha, \bm{\delt

Figures (10)

  • Figure 1: An overview of our multi-factor authenticated key exchange protocol, which is based on a novel multi-factor fuzzy extractor (MFFE) that allows a client to use a secret $(\alpha)$ in combination with her bio-data $(\bm{x}\text{ and } \bm{x}_0)$ to generate a cryptographic key $(\beta)$. The secret is also involved in the creation of a common password between the client and a service provider, which can then be employed in a standard password-based authenticated key exchange abdalla2005simple. The presence of the secret prevents an impersonation attack from a semi-honest registration centre, who knows the biometric data $\bm{x}_0$, and also makes the protocol reusable from biometric and secret leakage.
  • Figure 2: Registration Center Setup
  • Figure 3: User Identity Credential Registration. Note that RC does not know $\alpha$ and only needs $z=g^\alpha$ to run $\mathsf{Gen}$.
  • Figure 4: Service Provider Credential Registration
  • Figure 5: Password Creation. Note that the user must know the secret $\alpha$ and have $\bm{x} \in \mathsf{AR}_{\mathcal{L}}(\bm{x}_0)$ to recover the key $\beta$.
  • ...and 5 more figures

Theorems & Definitions (11)

  • Definition 1: Multi-factor fuzzy extractor
  • Definition 2: $\mathsf{DL}^{\sf sketch}$ assumption
  • Proposition 1: MFFE Correctness
  • proof
  • Proposition 2: MFFE Security
  • proof
  • Theorem 1: Correctness
  • proof
  • Theorem 2
  • proof
  • ...and 1 more