A Theoretical Analysis of Authentication, Privacy and Reusability Across Secure Biometric Systems

TL;DR

This paper develops a theoretical framework to analyze privacy and security tradeoffs in biometric authentication systems, comparing fuzzy commitment and secure sketches, and examining their security, leakage, and reusability properties.

Contribution

It introduces an information-theoretic analysis of biometric systems, deriving bounds and comparing security and leakage, revealing key differences and tradeoffs between fuzzy commitment and secure sketches.

Findings

Fuzzy commitment and secure sketch systems have similar error and attack probabilities.

Secure sketch systems require less storage than fuzzy commitment.

The analysis highlights tradeoffs between reducing leakage and preventing attacks.

Abstract

We present a theoretical framework for the analysis of privacy and security tradeoffs in secure biometric authentication systems. We use this framework to conduct a comparative information-theoretic analysis of two biometric systems that are based on linear error correction codes, namely fuzzy commitment and secure sketches. We derive upper bounds for the probability of false rejection ($P_{FR}$) and false acceptance ($P_{FA}$) for these systems. We use mutual information to quantify the information leaked about a user's biometric identity, in the scenario where one or multiple biometric enrollments of the user are fully or partially compromised. We also quantify the probability of successful attack ($P_{SA}$) based on the compromised information. Our analysis reveals that fuzzy commitment and secure sketch systems have identical $P_{FR}, P_{FA}, P_{SA}$ and information leakage, but secure sketch systems have lower storage requirements. We analyze both single-factor (keyless) and two-factor (key-based) variants of secure biometrics, and consider the most general scenarios in which a single user may provide noisy biometric enrollments at several access control devices, some of which may be subsequently compromised by an attacker. Our analysis highlights the revocability and reusability properties of key-based systems and exposes a subtle design tradeoff between reducing information leakage from compromised systems and preventing successful attacks on systems whose data have not been compromised.