Comments on biometric-based
non-transferable credentials and their application
in blockchain-based identity management
Article history: Received 20 December 2020; Revised 17 February 2021; Accepted 19 February 2021; Available online 26 February 2021

Keywords: Biometrics security; Non-transferability; Digital credentials; Anonymous credentials; Fuzzy vault; Fuzzy extractors; Double discrete logarithm (DDL); Brands DLRep; Selective disclosure; Blockchain; Identity management

Abstract

In IT ecosystems, access by unauthorized parties is prevented with credential-based access control techniques (locks, RFID cards, biometrics, etc.). Some of these methods are ineffective against malicious users who lend their credentials to other users. To obtain non-transferability, Adams proposed a combination of biometrics encapsulated in a Pedersen commitment with Brands' digital credential. However, Adams' work does not consider the Zero-Knowledge Proof-of-Knowledge (ZKPoK) system for the Double Discrete Logarithm Representation of the credential. Besides, biometrics is used directly, without employing any biometric cryptosystem to guarantee biometric privacy, so Adams' work cannot be GDPR-compliant. In this paper, we construct the missing ZKPoK protocol for Adams' work and show its inefficiency. To overcome this limitation, we present a new biometric-based non-transferable credential scheme that maintains the efficiency of the underlying Brands credential. Secondly, we show the insecurity of the first biometric-based anonymous credential scheme, designed by Blanton et al. In this context, we present a brute-force attack against Blanton's biometric key generation algorithm implemented for the fuzzy vault. Next, we integrate an Oblivious PRF (OPRF) protocol to solve the open problem in Blanton's work and improve its efficiency by replacing the underlying signature scheme with PS-signatures. Finally, we evaluate application scenarios for non-transferable digital/anonymous credentials in the context of Blockchain-Based Identity Management (BBIM). We show that our modified constructions preserve biometric privacy and efficiency, and can easily be integrated into current BBIM systems built upon efficient Brands and PS-credentials.

1 The author is also a visiting lecturer on Blockchain Technologies in ITU, Informatics Institute.
https://doi.org/10.1016/j.cose.2021.102243
0167-4048/© 2021 Elsevier Ltd. All rights reserved.
2 computers & security 105 (2021) 102243
which leads to credential revocation, since the malicious software can use them without the consent of the user. Binding the credential to its owner by means of biometrics is an effective solution against these issues, i.e. credential transfer. As opposed to (Adams, 2011; Impagliazzo and More, 2003; Paquin and Zaverucha, 2011), privacy-preserving biometric approaches in ABC (Bissessar et al., 2014; Blanton and Hudelson, 2009) ensure non-transferability without directly embedding biometrics stored in a tamper-proof smartcard. This way, biometric privacy (and thus GDPR compliance) is guaranteed even if the smart card is lost or its tamper-proofness is eliminated, since the biometric data itself no longer needs to be used and divulged. The General Data Protection Regulation (GDPR) treats biometrics as sensitive data, which requires provably secure biometric template protection techniques. Here, secure sketches/fuzzy extractors can prevent leakage of user biometrics and thus preserve the user's privacy under GDPR.

Recently, authentication systems allow users to carry their personal data/credentials on a device, while a hash of this data is signed by a trusted authority and then put on a blockchain to be compared against, since blockchain technology enables persistent, consistent, distributed storage of information. However, achieving the conflicting goals of GDPR compliance and biometric-based non-transferability on a public blockchain is challenging. In this paper, we focus on privacy-preserving ABCs (preventing credential transfer through the use of biometrics) and their employment in identity management systems designed for public, i.e. permissionless, blockchains.

1.1. Related work

Credential schemes classified by the underlying signature scheme fall into three categories: Brands credentials (Brands, 2000), CL credentials (Camenisch and Lysyanskaya, 2004) and the recently introduced PS credentials (Pointcheval and Sanders, 2016). Brands' scheme outperforms the other constructions, as shown in (Chase et al., 2014).

Brands credential constructions: Microsoft's U-Prove (Paquin and Zaverucha, 2011) is based on the Brands credential scheme (Brands, 2000). Brands (2000) presented the digital credentials scheme, where the same credential, signatures and parameters are used in each instance of the showing protocol, resulting in a single-show credential system. Thus, Brands credentials are linkable and, as in Bitcoin, pseudonymity rather than anonymity is achieved. Similarly, U-Prove (Paquin and Zaverucha, 2011) does not allow unlinkable reuse of credentials: to use a credential again unlinkably, a user must get it reissued. However, from the efficiency point of view, Microsoft U-Prove (Paquin and Zaverucha, 2011), based on Brands' work (Brands, 2000), is evaluated as the most efficient construction, and thus Adams (2011) and Bissessar et al. (2014) combined it with biometrics to obtain non-transferability.

Biometric-based non-transferable credentials: Credential systems with embedded biometric data require the direct use of biometrics to compare the fresh biometrics to the stored template based on a distance measure. Example schemes of this category are (Adams, 2011; Brands, 2000; Impagliazzo and More, 2003), which are earlier approaches sharing the same weakness, namely that the biometric is used directly and thus privacy is not protected. Adams (2011) is based on Brands credentials and requires the biometric template to be stored directly on a simple device, whereas (Impagliazzo and More, 2003) deploys a more expensive device to prevent credential transfer, namely a tamper-resistant smart card storing the entity's biometric data directly. Both systems lack any template protection mechanism such as secure sketches and fuzzy extractors.

The protocol of (Bissessar et al., 2014) is also based on (Adams, 2011), with the minor difference of replacing the direct use of the biometric data with a biometric key extracted from the biometrics of the user via a fuzzy extractor, similar to Blanton and Hudelson (2009). In fact, (Bissessar et al., 2014; Blanton and Hudelson, 2009) both remove the tamper-proofness assumption by using fuzzy extractors (Dodis et al., 2004). In (Blanton and Hudelson, 2009), it is claimed that an attacker cannot recover the biometric data and authenticate successfully even if the attacker breaks the integrity of the device holding the credentials. To achieve this guarantee, a trusted biometric sensor that erases any biometric data after each authentication session should be integrated in the card. Hence, a fresh reading of biometric data is captured by this sensor, which communicates with the card through a secure channel (Blanton and Hudelson, 2009). Unlike Bissessar et al. (2014), Blanton and Hudelson (2009) applies only to anonymous credentials, similar to Impagliazzo and More (2003).

Specifically, (Blanton and Hudelson, 2009) propose an extension to anonymous credentials (Camenisch and Lysyanskaya, 2004) which uses fuzzy extractors (Dodis et al., 2004), verifiable random functions and zero-knowledge proofs. Non-transferability is enforced using biometrically derived data. Blanton and Hudelson (2009) use fuzzy extractors (Dodis et al., 2004) to generate a cryptographic key based on the retrieved biometric features. This key is never stored, and the tamper-proof device is trusted to erase the value after authentication. Fresh biometric readings are required to reconstruct the cryptographic key. Prevention of abuse through theft and sharing is guaranteed.

CL and PS-signature based credential constructions: Camenisch and Lysyanskaya (2004) presented a credential system using Zero-Knowledge Proofs of Knowledge (ZKPoK), named 'Anonymous Credentials'. The most well-known application of CL credentials (Camenisch and Lysyanskaya, 2004) is IBM's idemix (IBM, 2010). In (Blanton and Hudelson, 2009), the CL credential is extended to be non-transferable through the use of biometric key generation techniques. The recently introduced PS-signatures (Pointcheval and Sanders, 2016) outperform CL-signatures (Camenisch and Lysyanskaya, 2004). They maintain the same functionality as CL-signatures, but due to their significant efficiency improvement, PS-signatures are shown to be the main building block of efficient anonymous credentials in (Pointcheval and Sanders, 2016). Besides, they are employed in the recently introduced identity management systems of (Sonnino et al., 2019) and (Yu et al., 2020), which are designed for the blockchain.

Identity Management on the Blockchain (BBIM): The first Decentralized Anonymous Credential (DAC) scheme on a distributed ledger like Bitcoin is described in (Garman et al., 2014a). It is based on the same cryptographic technique used in Zerocoin (Miers et al., 2013). Hence, both schemes share the same disadvantage: Zerocoin requires a Double Discrete Logarithm (DDL) proof to prove that the committed value is actually a commitment to a serial number. Unfortunately, the DDL proof is inefficient, i.e. the proof is of size $\lambda \cdot 2k$, where $k$ is 1024 bits and $\lambda$ is the soundness parameter of the proof. For 1024-bit commitments and an 80-bit security level, one obtains a running time in $O(\lambda k)$ both for verification and generation of the proof, and a 20 KB DDL proof size (Garman et al., 2014b). Besides, the first user-centric identity management system on the Bitcoin blockchain (Augot et al., 2017a) allows for credential revocation, where the credential is based on the DL-Rep scheme of Brands. However, the system does not prevent lending of the credentials and is not GDPR-compliant.

Augot et al. (2017b) introduced an efficient identity management system on the Bitcoin blockchain using Brands' DL-Rep without on-chain storage of credentials. Instead, the system publishes the commitment to the root of a Merkle tree in a Bitcoin transaction, where each leaf is associated with a credential. Despite the improvements in scalability and transaction costs compared to (Augot et al., 2017a), the system still lacks anonymity and multi-show unlinkability, and requires high bandwidth as a result of the Merkle trees, where each membership witness is of size $\log(N)$, $N$ denoting the number of users of the system. Sarier (2021) attempts to solve the above issues by employing accumulators. Finally, (Augot et al., 2019) introduces modifications to (Augot et al., 2017a) to make it more cost-efficient while preserving its potential (particularly for revocation) by allowing for coin swapping between two compatible blockchains.

Recently, Sonnino et al. presented an Ethereum-based anonymous credential scheme with a threshold issuance protocol (Sonnino et al., 2019). The scheme allows a user to aggregate and selectively disclose anonymous credentials but does not support credential revocation. To solve this issue, (Yu et al., 2020) recently introduced BASS, again an Ethereum-based selectively disclosable anonymous credential scheme that combines a pairing-based accumulator with the Coconut (Sonnino et al., 2019) scheme (sacrificing the threshold issuance property). Finally, (Bernal Bernabe et al., 2019) reviews the main permissioned blockchain platforms uPort, Sovrin, ShoCard and Civic designed for privacy-preserving identity management by analyzing their main features, their compliance with the GDPR principles and privacy aspects. In this paper, we focus only on BBIM systems for public, i.e. permissionless, blockchains. Hence, the BBIM systems reviewed in (Bernal Bernabe et al., 2019) are out of scope.

1.2. Motivation

Except for the papers of (Adams, 2011; Bissessar et al., 2014; Blanton and Hudelson, 2009; Impagliazzo and More, 2003), the credential systems summarized in Section 1.1 do not guarantee non-transferability. One may argue that non-transferability can be achieved using tamper-proof user hardware that stores the private credential data. Earlier systems employ such smartcards to prevent malicious users from accessing the stored secret data. This way, colluding users are prevented from copying and sharing the credential data with other users. Similar ineffective approaches to limit credential transfer integrate some valuable/personal data such as a credit card number into the credential key, so that the user will be unwilling to lend her credential to another. However, a malicious user can lend his smartcard to a close friend for a short period of time, for instance when the card is not needed, which may result in a security breach despite the efforts summarized above. Thus, the most effective solution is biometric-based anonymous credentials requiring possession of the credential owner's biometric on the fly. It assures that users are physically present when their credentials are used, hindering credential sharing and abuse by theft. Hence, most current credential systems, including blockchain-based solutions, are not sufficient for non-transferability.

Here, one should be careful about the way biometrics is used. If biometric data is employed directly, i.e. without using any biometric cryptosystem such as secure sketches/fuzzy extractors (Dodis et al., 2004; Sarier, 2018), privacy is not protected, especially when the smartcard is lost or its tamper-proofness is eliminated. We note that even though some recent systems such as (Bissessar et al., 2014; Blanton and Hudelson, 2009) integrate fuzzy extractors to preserve the privacy of biometric data, they cannot achieve privacy of biometrics against the authority/issuer, who performs the enrollment and biometric key generation phase required for credential issuing. This is left as an open/future problem in (Blanton and Hudelson, 2009). Thus, privacy of user data should be guaranteed against all parties in the system, including the issuer, if we want to achieve GDPR compliance. GDPR's Right to Erasure requires that no personal data be stored on the blockchain itself; it must be kept private from the blockchain in an "off-chain" data store (Sarier, 2021).

Finally, except for (Impagliazzo and More, 2003) and (Augot et al., 2017a; 2019; Yu et al., 2020), where the latter group is defined on public blockchains, none of the above approaches consider credential revocation. Besides, (Adams, 2011; Bissessar et al., 2014) lack the necessary zero-knowledge proof-of-knowledge (ZKPoK) protocol that works both for attributes defined to be elements of the exponent group and for attributes represented as a Pedersen commitment. Obtaining a zero-knowledge system with this feature is not immediate and may in fact be very inefficient in practice, as we will show in Section 2. Thus, the efficiency gain through the use of Brands' DLRep employed in (Adams, 2011; Bissessar et al., 2014) would be lost. Similarly, the CL-signatures (Camenisch and Lysyanskaya, 2004) used in the anonymous credential construction of (Blanton and Hudelson, 2009) are inefficient compared to the recently introduced PS-signatures. Briefly, PS-signatures (Pointcheval and Sanders, 2016) are designed to replace CL-signatures without any modification.

1.3. Contributions

After presenting a brief review of various credential schemes and the underlying biometric cryptosystems, we focus on two
Fig. 1 – Brute-force attack of (Mihăilescu et al., 2015) against the fuzzy vault implementation of (Uludag and Jain, 2006). a) describes a failure, whereas b) is a successful attack.

Fig. 2 – Unlocking of secret data from the vault (Mihăilescu et al., 2015; Nandakumar et al., 2007).
$h$ to a verifier $V$, a prover $P$ performs the following protocol steps (Brands, 2000). The disclosed attributes with their indexes are $(j, X_j)$ for the subset of indexes $j \in D \subseteq \{1, \ldots, n-1\}$. Let the set of concealed attributes be $C = \{1, \ldots, n-1\} \setminus D$. For convenience, we introduce the following notation for the products of DL commitments to the concealed and disclosed attributes:
$$h_C = \prod_{j \in C} g_j^{X_j}, \qquad h_D = \prod_{j \in D} g_j^{X_j}, \qquad h = g_0^{X_0} h_C h_D.$$
Knowing $(j, X_j)$ for $j \in D$, both $P$ and $V$ can calculate $h_D$. The following protocol proves to $V$ that the DL representation of $H = h (h_D)^{-1} = g_0^{X_0} h_C$ with respect to the $g_i$'s, $i \in C$, is known by $P$.

1. $P$ generates random, secret numbers $a_0 \in \mathbb{Z}_q$ and $a_j \in \mathbb{Z}_q$ for $j \in C$. Let $A = g_0^{a_0} \prod_{j \in C} g_j^{a_j}$. $P$ sends $A$ to $V$.
2. $V$ provides a challenge number $c$.
3. $P$ computes $b_0 = a_0 + cX_0$ and $b_j = a_j + cX_j$ for $j \in C \subseteq \{1, \ldots, n-1\}$ and sends them to $V$.
4. The verifier $V$ checks that $A = g_0^{b_0} \prod_{j \in C} g_j^{b_j} H^{-c}$ holds.

$P$ knows all of the $X_j$'s needed to perform step 3. Here, $X_0$ is generated randomly by the entity to be used as a secret key. Assuming that $P$ does not know two DL representations with respect to this set, the verifier can be convinced that the claimed revealed attributes are indeed embedded in the certificate. All the other attributes remain hidden due to the selective disclosure protocol.

2. The inefficiency of Adams' and Bissessar et al.'s biometric-based digital credential scheme

As discussed in Section 1.1 and in (Chase et al., 2014), the Brands-signature-based U-Prove digital credential is shown to be the most efficient among the existing credential constructions. However, when combined with biometric attributes, either directly (Adams, 2011) or via a fuzzy extractor (Bissessar et al., 2014), encapsulated as a Pedersen commitment within the Brands digital credential scheme, the resulting biometric-based non-transferable credential requires zero-knowledge protocols involving Double Discrete Logarithms (DDL), which is not taken into account in (Adams, 2011; Bissessar et al., 2014). Hence, starting from the currently most efficient digital credential scheme, one ends up with an inefficient non-transferable construction, as shown below.

In a DDL-based proof for Adams' credential scheme (Adams, 2011; Bissessar et al., 2014), we use the Pedersen commitment, where on input a value $X \in \mathbb{Z}_q$ the committer randomly chooses $r \in \mathbb{Z}_q$ and outputs the commitment $C = g_0^r g_1^X$ as the
commitment of the value $X$. To reveal the commitment $C$, the committer outputs $(X, r)$, which denotes an opening of the commitment $C$. Everyone can test whether $C = g_0^r g_1^X$. Recall that the Pedersen commitment is perfectly hiding and computationally binding provided that $g_0$ and $g_1$ are randomly and independently generated and that the discrete logarithm of $g_0$ to base $g_1$ is unknown. Commitment to a block of values $(X_1, \ldots, X_n)$ is achieved by setting the commitment $C = g_0^r g_1^{X_1} \cdots g_n^{X_n}$ with additional random generators $g_0, g_1, \ldots, g_n$ of $G$ (Au et al., 2010).

2.1. Zero-knowledge proof-of-knowledge protocol of representation of committed value

Let $k = g_0^r g_1^{X_1} \cdots g_{n-1}^{X_{n-1}} g_n^{c_I}$ be a commitment to $c_I$ with randomness $r$, and let $c_I = g^b h^s \in G_p$ be the commitment to $b$ with randomness $s \xleftarrow{R} \mathbb{Z}_p$. Similarly, let $c_F = c_I \tilde{h}^{\alpha} = g^b h^s h^{\tilde{s}\alpha} = g^b h^{s + \tilde{s}\alpha} = g^b h^{s'} \in G_p$ be a commitment to $c_I$'s representation (to base $g$, denoted as $b$) with randomness $\alpha \xleftarrow{R} \mathbb{Z}_p$, as defined in (Au et al., 2010). Here, $s' = s + \tilde{s}\alpha$.

We note that the variables $k, c_I, b$ are used identically in (Adams, 2011), $c_I$ denoting the issue-time embedded commitment to the biometric data $b$ and $c_F$ denoting the fresh commitment for the showing protocol on the same biometric data. Similarly, CRI and CRS in (Bissessar et al., 2014) correspond to the variables $c_I$ and $c_F$ in (Adams, 2011). Only the credential, represented by $k$, is denoted by $h$ in (Bissessar et al., 2014).

At the same time, $g^b h^{s'} \in G_p$ is another commitment to the same value $b$, as defined in (Adams, 2011). We note that $\tilde{h} \in G_p$ is another generator that we compute using the generator $h \in G_p$ as follows. Let $G_p = \langle h \rangle$ be a cyclic group of order $p-1$. For any $s$, $h^s$ is a generator of $G_p$ iff $\gcd(s, p-1) = 1$. Since we already know a generator $h$ of $G_p$, we pick a random $\tilde{s}$ from the set of elements that satisfy $\gcd(\tilde{s}, p-1) = 1$ and compute $h^{\tilde{s}} = \tilde{h}$, so that the value $\tilde{h}$ is a generator of $G_p$. Once we compute $\tilde{h}$, we pick a random $\alpha$ and compute $\tilde{h}^{\alpha}$ to construct the commitment to $c_I$'s representation (to bases $g$ and $h$) with randomness $\alpha$, as defined in (Au et al., 2010).

We construct a ZKPoK protocol of $(c_I, b)$, denoted as $PK_{RCV}$. Our protocol (as in (Au et al., 2010)) is an argument system rather than a proof system. The adversaries against $PK_{RCV}$ are modeled as Probabilistic Polynomial Time (PPT) algorithms. $PK_{RCV}$ for $k, c_I$ can be abstracted as
$$PK_{RCV}\{(c_I, r, s', b) : k = g_0^r g_1^{X_1} \cdots g_{n-1}^{X_{n-1}} g_n^{c_I} \wedge c_F = c_I \tilde{h}^{\alpha} \wedge c_I = g^b h^s\}.$$
In fact, this argument directly corresponds to Adams' biometric-based credential scheme (Adams, 2011), where the same relation is denoted as PoK: DLRepWithPC(), the public information being the credential and the show-time (i.e. fresh) commitment on the biometrics.

The construction of $PK_{RCV}$ consists of two parts. Note that while we describe them separately, they can be executed in parallel in an actual implementation. We construct a $\Sigma$-protocol for $PK_{RCV}$. Let $\lambda_k$ be a security parameter. The first part of $PK_{RCV}$ is a zero-knowledge proof-of-knowledge of the representation of an element, and we adapt the protocol from Au et al. (2010).

(Commitment.) The prover randomly generates $\rho_r, \rho_{X_1}, \ldots, \rho_{X_{n-1}}, \rho_{c_I} \xleftarrow{R} \mathbb{Z}_q$, computes and sends
$$T = g_0^{\rho_r} g_1^{\rho_{X_1}} \cdots g_{n-1}^{\rho_{X_{n-1}}} g_n^{\rho_{c_I}} \in G.$$

(Challenge.) The verifier returns a random challenge $d \xleftarrow{R} \{0,1\}^{\lambda_k}$.

(Response.) The prover, treating $d$ as an element of $\mathbb{Z}_q$, computes $z_r = \rho_r - dr \in \mathbb{Z}_q$, $z_{X_1} = \rho_{X_1} - dX_1 \in \mathbb{Z}_q, \ldots, z_{X_{n-1}} = \rho_{X_{n-1}} - dX_{n-1} \in \mathbb{Z}_q$, $z_{c_I} = \rho_{c_I} - dc_I \in \mathbb{Z}_q$, and returns $(z_r, z_{X_1}, \ldots, z_{X_{n-1}}, z_{c_I})$ to the verifier.

(Verify.) The verifier accepts if and only if
$$T = k^d g_0^{z_r} g_1^{z_{X_1}} \cdots g_{n-1}^{z_{X_{n-1}}} g_n^{z_{c_I}}.$$

The second part combines the ZKPoK of double discrete logarithm with the ZKPoK of equality of discrete logarithm (Au et al., 2010).

(Commitment.) For $i = 1$ to $\lambda_k$, the prover randomly generates $\rho_{r_i}, \rho_{s_i}, \rho_{\alpha_i}, \rho_{b_i}, \rho_{X_{1,i}}, \ldots, \rho_{X_{n-1,i}} \xleftarrow{R} \mathbb{Z}_q$. Then the prover computes
$$T_{1,i} = g_0^{\rho_{r_i}} g_1^{\rho_{X_{1,i}}} \cdots g_{n-1}^{\rho_{X_{n-1,i}}} g_n^{\,g^{\rho_{b_i}} h^{\rho_{s_i}}} \quad \text{and} \quad T_{2,i} = g^{\rho_{b_i}} h^{\rho_{s_i}} \tilde{h}^{\rho_{\alpha_i}}.$$
After that, the prover sends $(T_{1,i}, T_{2,i})_{i=1}^{\lambda_k}$ to the verifier.

(Challenge.) The verifier returns a random challenge $d \xleftarrow{R} \{0,1\}^{\lambda_k}$.

(Response.) Denote by $d[i] \in \{0,1\}$ the $i$-th bit of $d$. For $i = 1$ to $\lambda_k$, the prover computes
$$z_{b_i} = \rho_{b_i} - d[i]\, b \in \mathbb{Z}_p, \quad z_{s_i} = \rho_{s_i} - d[i]\, s \in \mathbb{Z}_p, \quad z_{\alpha_i} = \rho_{\alpha_i} - d[i]\, \alpha \in \mathbb{Z}_p,$$
$$z_{r_i} = \rho_{r_i} - d[i]\, g^{z_{b_i}} h^{z_{s_i}}\, r \in \mathbb{Z}_q, \quad z_{X_{1,i}} = \rho_{X_{1,i}} - d[i]\, g^{z_{b_i}} h^{z_{s_i}}\, X_1 \in \mathbb{Z}_q, \; \ldots, \; z_{X_{n-1,i}} = \rho_{X_{n-1,i}} - d[i]\, g^{z_{b_i}} h^{z_{s_i}}\, X_{n-1} \in \mathbb{Z}_q.$$
The prover sends $(z_{b_i}, z_{s_i}, z_{\alpha_i}, z_{r_i}, z_{X_{1,i}}, \ldots, z_{X_{n-1,i}})_{i=1}^{\lambda_k}$ to the verifier.

(Verify.) The verifier accepts if the following equations hold for $i = 1$ to $\lambda_k$:
$$T_{2,i} = c_F^{\,d[i]}\, g^{z_{b_i}} h^{z_{s_i}} \tilde{h}^{z_{\alpha_i}},$$
$$T_{1,i} = g_n^{\,g^{z_{b_i}} h^{z_{s_i}}} g_0^{z_{r_i}} g_1^{z_{X_{1,i}}} \cdots g_{n-1}^{z_{X_{n-1,i}}} \quad \text{if } d[i] = 0,$$
$$T_{1,i} = k^{\,g^{z_{b_i}} h^{z_{s_i}}} g_0^{z_{r_i}} g_1^{z_{X_{1,i}}} \cdots g_{n-1}^{z_{X_{n-1,i}}} \quad \text{if } d[i] = 1.$$
The two parts should be executed in parallel using the same challenge, as in (Au et al., 2010).

2.1.1. Security analysis of $PK_{RCV}$

Technically, our protocol is an argument system rather than a proof system, in the sense that soundness in our system only holds against a PPT cheating prover, as in (Au et al., 2010). This is sufficient for all our purposes, since the adversaries in the applications of our $PK_{RCV}$ are modeled as PPT algorithms. In (Au et al., 2010), the original $PK_{RCV}$ for $C, D$ is abstracted for $L = 1$. Hence, taking $m_1 = b$ and $s = s'$ in $PK_{RCV}$:
$$PK_{RCV}\{(x, r, s, b) : C = g_0^x g^r \wedge D = x h^s \wedge x = h_1^b\}.$$
This argument corresponds to PoK: DLRepWithPC() in Adams' biometric-based credential (Adams, 2011), where the public information is the credential and the show-time (i.e. fresh) commitment on the biometrics. For better readability, in $PK_{RCV}$ with $L = 2$ we replace $g_0$ with $g_n$ and $g$ with $g_0$, and, as defined in Section 2.1, $s' = s + \tilde{s}\alpha$ and $\tilde{h} = h^{\tilde{s}}$ is a generator of $G_p$. Hence,
$$PK_{RCV}\{(c_I, r, s', b) : k = g_0^r g_1^{X_1} \cdots g_{n-1}^{X_{n-1}} g_n^{c_I} \wedge c_F = c_I \tilde{h}^{\alpha} \wedge c_I = g^b h^s\}.$$

Theorem 2.1. $PK_{RCV}$ is a $\Sigma$-protocol.
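The following Python example is added here and is not code from the paper: it runs the Brands showing protocol with selective disclosure (the four steps listed before Section 2) and both parts of $PK_{RCV}$ above over toy-sized groups, so that each verification equation can be checked directly. It assumes $G$ is the order-$q$ subgroup of $\mathbb{Z}_P^*$ for the safe prime $P = 2q+1$, and takes the inner commitment group $G_p$ holding $c_I, c_F$ to be $\mathbb{Z}_q^*$ (i.e. $p = q$): the verification of $T_{1,i}$ for $d[i] = 1$ rewrites $g^{\rho_{b_i}} h^{\rho_{s_i}}$ as $c_I \cdot g^{z_{b_i}} h^{z_{s_i}}$, which only works as an exponent of $g_n$ if multiplication in $G_p$ is multiplication modulo $q$. That parameter relation is our choice, as are the toy primes, the generators (whose relative discrete logarithms are known here, so the commitments are not binding against us) and all function and variable names.

```python
# Added example, not code from the paper: Brands' showing protocol with selective
# disclosure and both parts of PK_RCV, over toy groups. Assumptions (ours): G is the
# order-Q subgroup of Z_P^* with P = 2Q+1; the inner group G_p holding c_I, c_F is Z_Q^*
# (p = Q), so that products of inner commitments reduce mod Q exactly like exponents of
# G; generators are fixed small squares/powers with known relative logs (demo only).
import math
import secrets

P, Q = 2879, 1439                       # Q prime and P = 2Q + 1 prime; insecure toy sizes
N = 3                                   # n = 3: g_1, g_2 carry X_1, X_2; g_n = g_3 carries c_I
GS = [pow(x, 2, P) for x in range(2, N + 3)]               # g_0 .. g_n, each of order Q
H_IN = next(h for h in range(2, Q)                         # generator h of G_p = Z_Q^*
            if pow(h, 2, Q) != 1 and pow(h, (Q - 1) // 2, Q) != 1)
G_IN = pow(H_IN, 5, Q)                                     # second inner base g
S_TILDE = next(s for s in range(7, Q) if math.gcd(s, Q - 1) == 1)
H_TILDE = pow(H_IN, S_TILDE, Q)                            # h~ = h^{s~}, a generator of G_p

def prod_pow(pairs, mod):
    """prod base^exp mod `mod` over (base, exp) pairs; negative exps need invertible bases."""
    out = 1
    for base, exp in pairs:
        out = out * pow(base, exp, mod) % mod
    return out

# ---- Brands showing: h = g_0^{X_0} prod_{j>=1} g_j^{X_j}, X_0 is the holder's secret key ----
def brands_credential(X):
    return prod_pow(zip(GS, X), P)

def brands_prove(X, D):
    """Step 1 (send A) now; the returned closure is step 3 for the verifier's challenge c."""
    C = [0] + [j for j in range(1, len(X)) if j not in D]  # index 0 plus concealed indexes
    a = {j: secrets.randbelow(Q) for j in C}
    A = prod_pow([(GS[j], a[j]) for j in C], P)
    return A, lambda c: {j: (a[j] + c * X[j]) % Q for j in C}

def brands_verify(h, disclosed, A, c, b):
    """Step 4: A == g_0^{b_0} prod_{j in C} g_j^{b_j} H^{-c}, with H = h * h_D^{-1}."""
    h_D = prod_pow(((GS[j], x) for j, x in disclosed.items()), P)
    H = h * pow(h_D, -1, P) % P
    return A == prod_pow([(GS[j], bj) for j, bj in b.items()] + [(H, -c)], P)

# ---- PK_RCV: k = g_0^r g_1^{X_1}..g_{n-1}^{X_{n-1}} g_n^{c_I}, c_I = g^b h^s, c_F = c_I h~^a ----
def pk_rcv_setup(b, X):
    """Issue-time commitment c_I to the biometric value b, credential k, show-time c_F."""
    r, s, alpha = secrets.randbelow(Q), secrets.randbelow(Q - 1), secrets.randbelow(Q - 1)
    c_I = pow(G_IN, b, Q) * pow(H_IN, s, Q) % Q
    c_F = c_I * pow(H_TILDE, alpha, Q) % Q
    k = prod_pow([(GS[0], r)] + [(GS[j], X[j]) for j in range(1, N)] + [(GS[N], c_I)], P)
    return k, c_F, (r, X, c_I, b, s, alpha)

def pk_rcv_prove(wit, lam):
    """Commitments of both parts; the closure gives the responses for challenge d."""
    r, X, c_I, b, s, alpha = wit
    rho = [secrets.randbelow(Q) for _ in range(N + 1)]      # part 1: rho_r, rho_X_j, rho_cI
    T = prod_pow(zip(GS, rho), P)
    T1, T2, rnd = [], [], []                                # part 2: lam DDL rounds
    for _ in range(lam):
        rb, rs, ra = (secrets.randbelow(Q - 1) for _ in range(3))   # exponents of G_p, mod Q-1
        rr = [secrets.randbelow(Q) for _ in range(N)]      # rho_{r_i}, rho_{X_{1,i}}, ...
        inner = pow(G_IN, rb, Q) * pow(H_IN, rs, Q) % Q    # g^{rho_b} h^{rho_s} in G_p
        T1.append(prod_pow(list(zip(GS[:N], rr)) + [(GS[N], inner)], P))
        T2.append(inner * pow(H_TILDE, ra, Q) % Q)
        rnd.append((rb, rs, ra, rr))
    def respond(d):
        w = [r] + [X[j] for j in range(1, N)] + [c_I]       # witness exponents of k
        z = [(rho[j] - d * w[j]) % Q for j in range(N + 1)]
        zs = []
        for i, (rb, rs, ra, rr) in enumerate(rnd):
            bit = (d >> i) & 1                              # d[i]
            zb, zsi, za = (rb - bit * b) % (Q - 1), (rs - bit * s) % (Q - 1), (ra - bit * alpha) % (Q - 1)
            u = pow(G_IN, zb, Q) * pow(H_IN, zsi, Q) % Q     # g^{z_b} h^{z_s}, the DDL exponent
            zs.append((zb, zsi, za, [(rr[j] - bit * u * w[j]) % Q for j in range(N)]))
        return z, zs
    return (T, T1, T2), respond

def pk_rcv_verify(k, c_F, comm, d, resp, lam):
    T, T1, T2 = comm
    z, zs = resp
    if T != pow(k, d, P) * prod_pow(zip(GS, z), P) % P:       # part 1
        return False
    for i in range(lam):                                      # part 2: two checks per bit
        bit = (d >> i) & 1
        zb, zsi, za, zr = zs[i]
        u = pow(G_IN, zb, Q) * pow(H_IN, zsi, Q) % Q
        if T2[i] != pow(c_F, bit, Q) * u * pow(H_TILDE, za, Q) % Q:
            return False
        if T1[i] != pow(k if bit else GS[N], u, P) * prod_pow(zip(GS[:N], zr), P) % P:
            return False
    return True

def demo(lam=16):
    """Honest runs of both protocols: (brands_ok, pk_rcv_ok, group elements PK_RCV sends)."""
    X = [secrets.randbelow(Q) for _ in range(N)]            # X_0 secret key, X_1, X_2 attributes
    A, respond = brands_prove(X, D={2})
    c = secrets.randbelow(Q)
    brands_ok = brands_verify(brands_credential(X), {2: X[2]}, A, c, respond(c))
    k, c_F, wit = pk_rcv_setup(secrets.randbelow(Q - 1), X)
    comm, respond = pk_rcv_prove(wit, lam)
    d = secrets.randbits(lam)
    return brands_ok, pk_rcv_verify(k, c_F, comm, d, respond(d), lam), 1 + 2 * lam

if __name__ == "__main__":
    print(demo())
```

Exponents of $G_p$ are reduced modulo $q-1$ in the code, since that is the order of $\mathbb{Z}_q^*$. The cost difference the section is about is visible in the two provers: the Brands proof sends one group element and $|C|+1$ scalars regardless of $\lambda_k$, whereas $PK_{RCV}$ sends $1 + 2\lambda_k$ group elements and $(n+3)\lambda_k + (n+1)$ scalars, and the verifier performs two multi-exponentiations per challenge bit.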
Fig. 3 – Integration of the modified Brands' DLRep of Section 2.2 into the BBIM scheme of (Augot et al., 2017a). H: a cryptographic hash, R: (fuzzy) extracted random string defined in Section 1.4, whose hash is assigned to $X_1$ as a (hidden) attribute. The transactions are identical to (Augot et al., 2017a).

Fig. 4 – Locking of secret data in the vault (Mihăilescu et al., 2015; Nandakumar et al., 2007).

The modified credential showing phase is almost identical to the showing protocol of Section 1.4.3, except that the user must regenerate the biometric attribute $X_1$ from the fresh biometrics using his smartcard before executing the showing protocol of Section 1.4.3. We note that the biometric attribute $X_1$ remains hidden for each verification of the credential, but its existence guarantees the non-transferability of the credential, since a fresh reading is required on each credential show. Hence, the verification cost is identical to (Chase et al., 2014) for the Brands-credential-based U-Prove. Finally, we emphasize that no biometric template/data is stored on the smartcard of the user $U$; only the credential $h$ and the helper data for the fuzzy extractor are required to be stored. This way, even if the credential $h$ is stored on a smart card that is lost/compromised, there is no way to link the (unstored) biometric data to the identity/credential of the user, although Brands digital credentials do not provide multi-show unlinkability.

3. Insecurity and inefficiency of biometric-based anonymous credentials

In (Blanton and Hudelson, 2009), the fuzzy vault is evaluated as a secure sketch construction for the set intersection metric, and the credential scheme of (Blanton and Hudelson, 2009) is based on secure sketch and fuzzy extractor constructions. The unlocking algorithm in the fuzzy vault implementation of (Uludag and Jain, 2006) produces many potential keys locked by the vault. Uludag and Jain (2006) solve this problem by adding some structure (i.e., redundancy) to the secret being locked, namely CRC codes for error detection, in order to have increased tolerance to biometric intra-class variations. In (Blanton and Hudelson, 2009), the authors prevent this weakening of the hiding property of the fuzzy vault construction by shipping the helper data with a verification value that permits confirmation of the correct key. The authors of (Blanton and Hudelson, 2009) claim that adding a verification value computed using the one-way PRF $f^{ow}_{sec}(x) = g^{1/(sec + x)}$ of Dodis-Yampolskiy (Jarecki and Liu, 2009) can avoid additional information leakage.

The enrolling function BKG-Enroll executes $(P', K') \leftarrow \mathrm{Gen}$ and applies the one-way function $f$ to the random string $K'$ to obtain the verification data $V = f^{ow}(K' \| 0) = f_{K'}(0)$. The output is $(P, K)$, where $P = (P', V)$ and $K = f^{ow}(K' \| 1) = f_{K'}(1)$. The key reconstruction function BKG-KeyRec uses $w'$ and $P'$ from $P$ to find a set $\mathcal{K}$ of candidate keys for $K'$. For each $key \in \mathcal{K}$, if $f^{ow}(key \| 0) = V$, set $K' = key$ and output $K = f^{ow}(K' \| 1)$.
puting a pseudorandom function $f^{ow}_{sec}(\cdot)$ on a key $sec$ contributed by $S$ and an input $x$ contributed by $R$, in such a way that the receiver $R$ learns only the value $f^{ow}_{sec}(x)$ while the sender $S$ learns nothing from the interaction (Jarecki and Liu, 2009). The domain of $f^{ow}(sec, x)$ is polynomially sized, which is suitable for biometric keys having limited entropy. Finally, since the input values 0 and 1 are public values, we do not need to employ the protocol of (Jarecki and Liu, 2009) extended to computing on committed inputs. In our modified protocol, we replace $x = 0$ and $x = 1$ with public values $x_0, x_1$ from the same domain as $sec$. In particular, $f^{ow}(sec, x) = f^{ow}_{sec}(x) = g^{1/(sec + x)}$, where $sec = K'$ and $x = x_0$ or $x = x_1$ depending on whether the verification data $f^{ow}(K' \| x_0) = V$ or the biometric key $K = f^{ow}(K' \| x_1)$ is computed.

An OPRF protocol for $f^{ow}_{sec}(x) = g^{1/(sec + x)}$ in a group $G$ generated by $g$ of composite order $n$ is given in (Jarecki and Liu, 2009), as shown in Algorithm 1. Here, (Jarecki and Liu, 2009) employs an additively homomorphic encryption scheme allowing for shared decryption on the message domain $\mathbb{Z}_n$, like the Camenisch-Shoup version of Paillier encryption.

By plugging in the sender $S = U$, the receiver $R = A$, the secret extracted biometric key $sec = K'$ and, for the verification value, $x = x_0$, the secure computation of $f^{ow}_{K'}(x_0) = g^{1/(K' + x_0)} = V$ in Algorithm 1 returns to the authority only the computed value of the verification data $V$. Similarly, plugging in $x = x_1$ (remaining parameters as above), the secure computation of $f^{ow}_{K'}(x_1) = g^{1/(K' + x_1)} = K$ returns to the authority only $K$, which is used directly in the AC-Enroll protocol of (Blanton and

tion data $V$ using the public input $x_0$ from $A$ and the secret input $K'$ from the user $U$. The secret input of $U$ is computed using the biometrics of $U$ under the supervision of $A$. Similarly, a second OPRF protocol $f^{ow}_{sec}(x) = g^{1/(sec + x)}$ is applied to compute the biometric attribute $K$ using the public input $x_1$ from $A$ and the secret input $K'$ from $U$. The output is $(P, K)$ with $P = (P', V)$ and $K$, where only $V$ and $K$ are known to the authority $A$, so that the authority can generate the attribute-based credential using the final biometric attribute $K$ in step 5 of the AC-Enroll algorithm described in Section 4.1 of (Blanton and Hudelson, 2009), or in any other anonymous credential construction such as (Camenisch and Lysyanskaya, 2004), or in the more efficient PS-signature based credentials (Pointcheval and Sanders, 2016). The key reconstruction function BKG-KeyRec is identical, as it is performed only by the user during the showing protocol of the anonymous credential. The one-time additional cost of the OPRF protocol between the issuing authority $A$ and the user $U$ can be estimated according to Jarecki and Liu (2009) as follows: in the honest-but-curious model, $N$ evaluations of the OPRF contribute $32000Nm$, where $m$ is the cost of a single multiplication (or squaring) modulo a 1024-bit modulus, whereas in the malicious model this cost grows by only a factor of 2 (Jarecki and Liu, 2009). Hence, two evaluations of the OPRF protocol (one for the computation of $V$ and one for $K$) contribute an additional cost of $2 \cdot 32000m$ for the oblivious computation of $V$ and $K$ in total (for both the issuer $A$ and the user $U$).
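The Python example below is added here and is not the paper's code. It implements the BKG-Enroll / BKG-KeyRec pair of Section 3 around the Dodis-Yampolskiy function $f^{ow}_{sec}(x) = g^{1/(sec+x)}$, once with the fixed inputs 0 and 1 of (Blanton and Hudelson, 2009) and once with the public $x_0, x_1$ of the modified protocol above. The oblivious evaluation itself (Algorithm 1 of Jarecki and Liu, 2009) is not reproduced: $f$ is computed locally and the comments state which party would hold which value. It assumes $G$ is the order-$q$ subgroup of $\mathbb{Z}_P^*$ for a toy safe prime (insecure size), and stands in for the fuzzy-vault unlocker with a constructed candidate list that contains the true $K'$ among decoys, which is all BKG-KeyRec consumes from it; the values of $K'$, $x_0$, $x_1$ and the function names are ours.

```python
# Added example (not the paper's code): BKG-Enroll / BKG-KeyRec on the Dodis-Yampolskiy
# PRF f_sec(x) = g^{1/(sec+x)}, with the original inputs 0, 1 and with public x_0, x_1.
# Assumptions: G = <4> is the order-Q subgroup of Z_P^* for the toy safe prime P = 2Q+1;
# the vault unlocker is modelled by a constructed candidate list; K', x_0, x_1 are made up.
import secrets

P, Q = 2879, 1439          # Q prime, P = 2Q + 1 prime (toy sizes; real use needs >= 2048-bit P)
GEN = 4                    # 4 = 2^2 is a square mod P, hence of order Q

def f_ow(sec, x):
    """Dodis-Yampolskiy PRF value g^{1/(sec+x)} in G; sec + x must be nonzero mod q."""
    e = (sec + x) % Q
    if e == 0:
        raise ValueError("sec + x is 0 mod q: f is undefined at this point")
    return pow(GEN, pow(e, -1, Q), P)

def bkg_enroll(k_prime, p_prime, x0=0, x1=1):
    """Enrollment: (P', K') <- Gen is given. Returns P = (P', V) and K.
    In the OPRF version sec = K' is the user's input and x0, x1 are the issuer's public
    inputs: the issuer learns only V and K, and K' never leaves the user."""
    V = f_ow(k_prime, x0)                 # verification data, shipped with the helper data
    K = f_ow(k_prime, x1)                 # biometric attribute embedded in the credential
    return (p_prime, V), K

def bkg_keyrec(candidates, p_pub, x0=0, x1=1):
    """User side at show time: Rep(w', P') yields a candidate set; V selects the right one."""
    _p_prime, V = p_pub
    for key in candidates:
        try:
            if f_ow(key, x0) == V:
                return f_ow(key, x1)
        except ValueError:
            continue
    return None                           # no candidate matched: fresh reading too noisy

def keys_consistent_with(p_pub, key_space, x0=0):
    """Every key in key_space that the public V accepts. Anyone holding P can run this."""
    _p_prime, V = p_pub
    out = []
    for key in key_space:
        try:
            if f_ow(key, x0) == V:
                out.append(key)
        except ValueError:
            pass
    return out

def demo():
    k_prime = 931                          # K' from Gen, constructed for the example
    decoys = [secrets.randbelow(Q) for _ in range(6)]
    candidates = decoys + [k_prime]        # stands in for the vault unlocker's output
    p_pub, K = bkg_enroll(k_prime, "helper-data-placeholder")             # original: x = 0, 1
    p_pub2, K2 = bkg_enroll(k_prime, "helper-data-placeholder", 17, 23)   # modified: public x_0, x_1
    return bkg_keyrec(candidates, p_pub) == K, bkg_keyrec(candidates, p_pub2, 17, 23) == K2

if __name__ == "__main__":
    print(demo())
```

Two points worth checking against the text: since $f^{ow}_{sec}$ is injective in $sec + x$ for a fixed public $x$, the pair $(x_0, x_1)$ changes both $V$ and $K$ but not the selection logic of BKG-KeyRec, which is why the user-side function is unchanged in the modified protocol; and `keys_consistent_with` makes explicit that $V$, being part of the public helper data, is a test for candidate $K'$ values for anyone who can enumerate them, so what it leaks is bounded only by the entropy of $K'$ (the polynomially sized domain noted above). The brute-force attack on the vault itself is not reproduced here.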
10 computers & security 105 (2021) 102243
3.3. Improving the efficiency of Blanton et al.'s paper

The non-transferable anonymous credential protocol of (Blanton and Hudelson, 2009) builds upon the Camenisch-Lysyanskaya (CL) signature scheme (Camenisch and Lysyanskaya, 2004), which has a size linear in the number of messages to be signed, limiting its use in many situations. In (Pointcheval and Sanders, 2016) a new signature scheme with more efficient algorithms and the same features as CL-signatures is proposed, but without the linear-size drawback: independent of the message length (i.e. attribute size), the PS-signature consists of only two elements. The data sent in the original CL-signatures (Camenisch and Lysyanskaya, 2004) employed in (Blanton and Hudelson, 2009) for r messages consist of 3 + 2r elements of G, whereas the short signature of (Pointcheval and Sanders, 2016) only requires 2 elements of G, whatever r is. Here, r denotes the number of messages (attributes), namely context-specific user privileges, which could be the access privileges, i.e. attributes of an employee such as being a US citizen etc., that are issued by the authority in the anonymous credential. Thus, replacing the CL-signatures with PS-signatures in (Blanton and Hudelson, 2009) reduces the cost of the issuer during generation of a credential in the AC-Enroll algorithm and the cost of the user U in the AC-Auth algorithm by 2r + 2 exponentiations in G. Finally, the verifier's cost in the AC-Auth algorithm is reduced by 4r + 2 pairing computations. Here, r refers to the number of attributes to be certified, as before.

4. Discussion

The theoretical work on biometric key generation cannot tolerate realistic variations in the biometric signal such as variable-length representations, or unordered or unaligned representations (Blanton and Hudelson, 2009). The authors of (Blanton and Hudelson, 2009) suggest reducing the noise by acquiring multiple samples and performing majority decoding to create a single image with low noise, or by scanning both eyes instead of a single one for iris recognition, to achieve lower error rates. This means that the entropy loss becomes tolerable when the error rate is reduced to a rather small value. Nevertheless, it is still not easy for systems employing fuzzy extractors to achieve highly accurate solutions (i.e., very low FAR values for an acceptable FRR value) and long keys at the same time. Thus, new methods based on artificial neural networks (Jana et al., 2020; Malygin et al., 2017) could be considered in place of fuzzy extractors. An extractor for secret keys and long passwords can be built on the basis of automatically trained neural networks. Here, there exist two directions: a neural network converter (Malygin et al., 2017), where a wide neural network is a complete alternative to a fuzzy extractor, and a hybrid of a fuzzy extractor and a deep neural network (Jana et al., 2020). Technically, (Malygin et al., 2017) is strictly related to neural-network-based biometric-to-code converters, whereas (Jana et al., 2020) is a hybrid approach. Also, (Malygin et al., 2017) differs in that the fuzzy extractor is not used there at all; thus, (Malygin et al., 2017) eliminates the disadvantages of employing a fuzzy extractor. Besides, the neural network converter (Malygin et al., 2017) gives a lower percentage of FAR and FRR errors. Hence, a neural network converter (Malygin et al., 2017) can be a serious alternative to a fuzzy extractor, and it also formed the basis of standards for biometric security products in Russia (GOST R 52633). In summary, the combination of the solutions presented in this paper with neural network transducers (replacing the fuzzy extractors) could be an interesting future work. The reader is referred to (Jana et al., 2020; Malygin et al., 2017) for the details, where (Jana et al., 2020) is another promising direction. Finally, since the cryptographic operations are applied after and/or on top of the biometric template protection scheme as in (Bissessar et al., 2014; Blanton and Hudelson, 2009), the performance of the latter remains unaffected and identical to (Bissessar et al., 2014; Blanton and Hudelson, 2009) if fuzzy extractors are employed. Hence, similar to Adams (2011); Bissessar et al. (2014); Blanton and Hudelson (2009); Impagliazzo and More (2003), performance metrics such as FRR, FAR, EER, etc. are beyond the scope of this paper.

4.1. Application scenarios for credential schemes on blockchain-based identity management (BBIM)

Table 2 presents a comparison of the digital and anonymous credential systems, including our proposed solutions in Sections 2.2 and 3.3, and their applications in current BBIM systems. Our modified Brands credential scheme of Section 2.2 can be easily adapted by the identity management systems of (Augot et al., 2017a; 2017b; 2019), all of which are based on original Brands credentials integrated into the Bitcoin blockchain. An example integration without any modification to the authentication flow and transaction structure is presented in Fig. 3 for the BBIM of (Augot et al., 2017a). Besides, our modified anonymous credential based on PS-signatures and the new algorithm of Section 3.2 can directly be employed in Coconut (Sonnino et al., 2019) and BASS (Yu et al., 2020) if an independent authority A performs the new algorithms of Section 3.2 and returns the private biometric attribute (αi in (Yu et al., 2020), m in (Sonnino et al., 2019)) using the Pedersen commitment scheme to the single credential authority CA in (Yu et al., 2020) or to the n authorities who perform the threshold issuance of the credential in (Sonnino et al., 2019), respectively. Hence, our modified versions of digital credentials and anonymous credentials can directly be employed in the current identity management systems designed for public blockchains shown in Table 2. Besides, GDPR requires that no personal data be stored on the blockchain itself; it must instead be kept private from the blockchain in an "off-chain" data store to comply with the right to erasure. Since the only BBIM with off-chain data storage is presented in (Augot et al., 2017b), integrating our modified Brands credential system into (Augot et al., 2017b) results in a non-transferable and GDPR-compliant system while maintaining efficiency. Moreover, there is a tradeoff between efficiency and multi-show unlinkability, since Brands digital credentials are by design single use. If unlinkability of credentials is required, then the credential must be reissued in digital credentials; otherwise an anonymous credential scheme should be employed at the cost of decreased efficiency. As a final note, we emphasize that (Augot et al., 2017a; 2019; Yu et al., 2020) provide a credential revocation feature. Therefore, if we integrate our modified credential schemes into (Augot et al., 2017a; 2019; Yu et al., 2020), we achieve both non-transferability and credential revocation features simultaneously. Thus, we leave it as future work to implement our modified schemes using different extractors and suitable biometrics.

Table 2 – Credential schemes with Selective Disclosure including the modified versions in Sections 2.2 and 3.3 and their applications on BBIM. +: for biometric attributes and Right to Erasure; NC: Non-comparable; ∗: Yes for (Bissessar et al., 2014); †: Private Blockchain; DDL: Double Discrete Log.
R E F E R E N C E S

Adams C. Achieving non-transferability in credential systems using hidden biometrics. Secur. Commun. Netw. 2011;4(2):195–206.
Au MH, Susilo W, Mu Y. Proof-of-knowledge of representation of committed value and its applications. In: ACISP'10. Springer; 2010. p. 352–69.
Augot D, Chabanne H, Chenevier T, George W, Lambert L. A user-centric system for verified identities on the bitcoin blockchain. In: CBT'17. Springer; 2017. p. 390–407.
Augot D, Chabanne H, Clémot O, George W. Transforming face-to-face identity proofing into anonymous digital identity using the bitcoin blockchain. In: PST'17. IEEE; 2017. p. 25–34.
Augot D, Chabanne H, George W. Practical solutions to save bitcoins applied to an identity system proposal. In: ICISSP'19. SciTePress; 2019. p. 511–18.
Bernal Bernabe J, Canovas JL, Hernandez-Ramos JL, Torres Moreno R, Skarmeta A. Privacy-preserving solutions for blockchain: review and challenges. IEEE Access 2019;7:164908–40.
Bissessar D, Adams C, Liu D. Using biometric key commitments to prevent unauthorized lending of cryptographic credentials. In: PST'14. IEEE; 2014. p. 75–83.
Blanton M, Hudelson WMP. Biometric-based non-transferable anonymous credentials. In: ICICS'09. Springer; 2009. p. 165–80.
Brands SA. Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press; 2000.
Camenisch J, Lysyanskaya A. Signature schemes and anonymous credentials from bilinear maps. In: CRYPTO'04. Springer; 2004. p. 56–72.
Chase M, Meiklejohn S, Zaverucha G. Algebraic MACs and keyed-verification anonymous credentials. In: ACM SIGSAC'14. ACM; 2014. p. 1205–16.
Dodis Y, Reyzin L, Smith A. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: EUROCRYPT'04. Springer; 2004. p. 523–40.
Fabric H. MSP implementation with Identity Mixer; 2019. Available at: https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemix.html.
Garman C, Green M, Miers I. Decentralized anonymous credentials. In: NDSS'14; 2014. p. 459–74.
Garman C, Green M, Miers I, Rubin AD. Rational zero: economic security for zerocoin with everlasting anonymity. In: FC'14. Springer; 2014. p. 140–55.
IBM. Specification of the identity mixer cryptographic library (revised version 2.3.0). IBM Research Report RZ 3730; 2010.
Impagliazzo R, More SM. Anonymous credentials with biometrically-enforced non-transferability. In: WPES'03. ACM; 2003. p. 60–71.
Jana A, Sarker MK, Ebrahimi M, Hitzler P, Amariucai GT. Neural fuzzy extractors: a secure way to use artificial neural networks for biometric user authentication; 2020. arXiv:2003.08433.
Jarecki S, Liu X. Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection. In: TCC'09. Springer; 2009. p. 577–94.
Li Q, Sutcu Y, Memon ND. Secure sketch for biometric templates. In: ASIACRYPT'06. Springer; 2006. p. 99–113.
Malygin A, Seilova N, Boskebeev K, Alimseitova Z. Application of artificial neural networks for handwritten biometric images recognition. Comput. Modell. New Technol. 2017;21(1):31–8.
Miers I, Garman C, Green M, Rubin AD. Zerocoin: anonymous distributed e-cash from bitcoin. In: SP'13. IEEE; 2013. p. 397–411.
Mihăilescu P, Munk A, Tams B. Security considerations in minutiae-based fuzzy vaults. IEEE TIFS 2015;10(5):985–98.
Nandakumar K, Jain AK, Pankanti S. Fingerprint-based fuzzy vault: implementation and performance. IEEE TIFS 2007;2(4):744–57.
Paquin C, Zaverucha G. U-Prove Cryptographic Specification V1.1. Technical Report. Microsoft Corporation; 2011.
Pointcheval D, Sanders O. Short randomizable signatures. In: CT-RSA'16. Springer; 2016. p. 111–26.
Sarier N. Efficient biometric-based identity management on the blockchain for smart industrial applications. Pervasive Mob. Comput. 2021;71(1):101322.
Sarier ND. Multimodal biometric identity based encryption. Future Gener. Comp. Syst. 2018;80:112–25.
Sonnino A, Al-Bassam M, Bano S, Meiklejohn S, Danezis G. Coconut: threshold issuance selective disclosure credentials with applications to distributed ledgers. In: NDSS'19; 2019.
Uludag U, Jain A. Securing fingerprint template: fuzzy vault with helper data. In: CVPRW'06. IEEE; 2006.
Yu Y, Zhao Y, Li Y, Wang L, Du X, Guizani M. Blockchain-based anonymous authentication with selective revocation for smart industrial applications. IEEE Trans. Ind. Inf. 2020;16(5):3290–300.

N. Deniz Sarier received her M.Sc. degree in Media Informatics from RWTH Aachen, and her Ph.D. degree in Computer Science from B-IT, cosec of Bonn University, Germany, in 2007 and 2013, respectively. She is currently an external researcher at the computer security group of B-IT and a visiting lecturer in ITU on Blockchain Technologies. Her research interests include biometric security and public-key cryptography, in particular the integration of biometrics into cryptographic applications.