
computers & security 105 (2021) 102243

Available online at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

Comments on biometric-based
non-transferable credentials and their application
in blockchain-based identity management

Neyire Deniz Sarier1


cosec, b-it Endenicher Allee 19A, Bonn D-53115, Germany

Article history:
Received 20 December 2020
Revised 17 February 2021
Accepted 19 February 2021
Available online 26 February 2021

Keywords: Biometrics security; Non-transferability; Digital credentials; Anonymous credentials; Fuzzy vault; Fuzzy extractors; Double discrete logarithm (DDL); Brands DLRep; Selective disclosure; Blockchain; Identity management

Abstract

In IT-ecosystems, access by unauthorized parties is prevented with credential-based access control techniques (locks, RFID cards, biometrics, etc.). Some of these methods are ineffective against malicious users who lend their credentials to other users. To obtain non-transferability, Adams proposed a combination of biometrics encapsulated in a Pedersen commitment with Brands' digital credential. However, Adams' work does not consider the Zero Knowledge Proof-of-Knowledge (ZKPoK) system for the Double Discrete Logarithm Representation of the credential. Besides, biometrics is used directly, without employing any biometric cryptosystem to guarantee biometric privacy, thus Adams' work cannot be GDPR-compliant. In this paper, we construct the missing ZKPoK protocol for Adams' work and show its inefficiency. To overcome this limitation, we present a new biometric-based non-transferable credential scheme that maintains the efficiency of the underlying Brands credential. Secondly, we show the insecurity of the first biometric-based anonymous credential scheme designed by Blanton et al. In this context, we present a brute-force attack against Blanton's biometric key generation algorithm implemented for the fuzzy vault. Next, we integrate an Oblivious PRF (OPRF) protocol to solve the open problem in Blanton's work and improve its efficiency by replacing the underlying signature scheme with PS-signatures. Finally, we evaluate application scenarios for non-transferable digital/anonymous credentials in the context of Blockchain-based Identity Management (BBIM). We show that our modified constructions preserve biometric privacy and efficiency, and can easily be integrated into current BBIM systems built upon efficient Brands and PS-credentials.

© 2021 Elsevier Ltd. All rights reserved.

1. Introduction

Privacy-preserving access control is realized using cryptographic credentials that should be stored in the strongest storage available, ideally in trusted hardware. Anonymous credentials that limit the disclosure of identity encode a (human) entity's access rights to an organization's assets. The entity/individual can then prove possession of a credential anonymously, i.e. the user's proof is zero-knowledge. Specifically, an Attribute Based Credential (ABC) is generated by a trusted identity provider/issuer and issued to the user/entity to encode access rights to a service or some user data via the issuing protocol. The user's ABC contains his personal attributes, similar to physical identity documents. An ABC scheme allows an entity to prove ownership of these attributes to a verifier using a Showing/Presentation protocol. In any access-control system, users cannot be prevented from sharing their credentials by copying and distributing them. Moreover, credentials can be abused by malicious software,

1 The author is also a visiting lecturer on Blockchain Technologies in ITU, Informatics Institute.
https://doi.org/10.1016/j.cose.2021.102243
0167-4048/© 2021 Elsevier Ltd. All rights reserved.

which leads to credential revocation since the malicious software can use them without the consent of the user. Binding the credential to the owner by means of biometrics is an effective solution against these issues, i.e. credential transfer. As opposed to (Adams, 2011; Impagliazzo and More, 2003; Paquin and Zaverucha, 2011), privacy-preserving biometric approaches in ABC (Bissessar et al., 2014; Blanton and Hudelson, 2009) ensure non-transferability by removing the use of directly embedded biometrics stored in a tamperproof smartcard. This way, biometric privacy (and thus GDPR-compliance) is guaranteed even if the smart card is lost or its tamper-proofness is eliminated, since the biometric data itself does not need to be used and divulged anymore. The General Data Protection Regulation (GDPR) treats biometrics as sensitive data, which requires provably secure biometric template protection techniques. Here, Secure Sketches/Fuzzy Extractors can prevent leakage of user biometrics and thus preserve the user's privacy for GDPR.

Recently, authentication systems allow users to carry their personal data/credentials on a device while a hash of this data is signed by a trusted authority and then put on a blockchain to be compared against, since blockchain technology enables persistent, consistent, distributed storage of information. However, achieving the conflicting goals of GDPR-compliance and biometric-based non-transferability on a public blockchain is challenging. In this paper, we focus on privacy-preserving ABCs (preventing credential transfer through the use of biometrics) and their employment in identity management systems designed for public, i.e. permissionless, blockchains.

1.1. Related work

Credential schemes classified based on the underlying signature scheme result in three categories: Brands credentials (Brands, 2000), CL credentials (Camenisch and Lysyanskaya, 2004) and the recently introduced PS credentials (Pointcheval and Sanders, 2016). Brands' scheme outperforms the other constructions as shown in (Chase et al., 2014).

Brands credential constructions: Microsoft's U-Prove (Paquin and Zaverucha, 2011) is based on the Brands credential scheme (Brands, 2000). Brands (2000) presented the digital credentials scheme, where the same credential, signatures and parameters are used in each instance of the showing protocol, resulting in a single-show credential system. Thus, Brands credentials are linkable and, as in Bitcoin, pseudonymity instead of anonymity can be achieved for them. Similarly, U-Prove (Paquin and Zaverucha, 2011) does not allow unlinkable reuse of credentials: to unlinkably use a credential again, a user must get it reissued. However, from the efficiency point of view, Microsoft U-Prove (Paquin and Zaverucha, 2011) (based on Brands' work (Brands, 2000)) is evaluated as the most efficient construction, and thus Adams (2011) and Bissessar et al. (2014) combined it with biometrics to obtain non-transferability.

Biometric-based non-transferable credentials: Credential systems with embedded biometric data require the direct use of biometrics to compare the fresh biometrics to the stored template based on a distance measure. Example schemes of this category are (Adams, 2011; Brands, 2000; Impagliazzo and More, 2003), which are earlier approaches sharing the same common weakness, namely that the biometric is used directly and thus privacy is not protected. Adams (2011) is based on the Brands credential and requires the biometric template to be stored directly on a simple device, whereas (Impagliazzo and More, 2003) deploys a more expensive device to prevent credential transfer, namely a tamper-resistant smart card storing the entity's biometric data directly. Both systems lack any template protection mechanism such as secure sketches and fuzzy extractors.

The protocol of (Bissessar et al., 2014) is also based on (Adams, 2011), with the minor difference of replacing the direct use of the biometric data with a biometric key extracted from the biometrics of the user via a fuzzy extractor, similar to Blanton and Hudelson (2009). In fact, (Bissessar et al., 2014; Blanton and Hudelson, 2009) both remove the tamper-proofness assumption by using fuzzy extractors (Dodis et al., 2004). In (Blanton and Hudelson, 2009), it is claimed that an attacker cannot recover the biometric data and authenticate successfully even if the attacker breaks the integrity of the device holding the credentials. To achieve this guarantee, a trusted biometric sensor that erases any biometric data after each authentication session should be integrated in the card. Hence, a fresh reading of biometric data is captured by this sensor, which communicates with the card through a secure channel (Blanton and Hudelson, 2009). Differently from Bissessar et al. (2014), Blanton and Hudelson (2009) applies only to anonymous credentials, similar to Impagliazzo and More (2003).

Specifically, (Blanton and Hudelson, 2009) propose an extension to anonymous credentials (Camenisch and Lysyanskaya, 2004) which uses fuzzy extractors (Dodis et al., 2004), verifiable random functions and zero knowledge proofs. Non-transferability is enforced using biometrically derived data. Blanton and Hudelson (2009) use fuzzy extractors (Dodis et al., 2004) to generate a cryptographic key based on the retrieved biometric features. This key is never stored, and the tamperproof device is trusted to erase the value after authentication. Fresh biometric readings are required to reconstruct the cryptographic key. Prevention of abuse through theft and sharing is guaranteed.

CL and PS-signature based credential constructions: Camenisch and Lysyanskaya (2004) presented a credential system using Zero-Knowledge Proof of Knowledge (ZKPoK) named 'Anonymous Credentials'. The most well known application of CL credentials (Camenisch and Lysyanskaya, 2004) is IBM's idemix (IBM, 2010). In (Blanton and Hudelson, 2009), the CL credential is extended to be non-transferable through the use of biometric key generation techniques. The recently introduced PS-signatures (Pointcheval and Sanders, 2016) outperform the CL-signatures (Camenisch and Lysyanskaya, 2004). They maintain the same functionality as CL-signatures, but due to their significant efficiency improvement, PS-signatures are shown to be the main building block of efficient anonymous credentials in (Pointcheval and Sanders, 2016). Besides, they are employed in the recently introduced identity management systems of (Sonnino et al., 2019) and (Yu et al., 2020), which are designed for the blockchain.

Identity Management on the Blockchain (BBIM): The first Decentralized Anonymous Credential (DAC) scheme on a distributed ledger like Bitcoin is described in (Garman et al., 2014a). It is based on the same cryptographic technique used in Zerocoin (Miers et al., 2013). Hence, both schemes share the same disadvantage: Zerocoin requires a Double Discrete Logarithm (DDL) proof to prove that the committed value is actually a commitment to a serial number. Unfortunately, the DDL proof is inefficient, i.e. the proof is of size λ·2k, where k is 1024 bits and λ is the soundness parameter of the proof. For 1024-bit commitments and an 80-bit security level, one obtains a runtime in O(λk) both for verification and generation of the proof and a 20KB DDL proof size (Garman et al., 2014b). Besides, the first user-centric Identity Management system on the Bitcoin blockchain (Augot et al., 2017a) allows for credential revocation, where the credential is based on the DL-Rep scheme of Brands. However, the system does not prevent lending of the credentials and is not GDPR compliant.

Augot et al. (2017b) introduced an efficient Identity Management system on the Bitcoin blockchain using Brands' DLRep without on-chain storage of credentials. Instead, the system publishes the commitment to the root of a Merkle tree in a Bitcoin transaction, where each leaf is associated to a credential. Despite the improvements on scalability and transaction costs compared to (Augot et al., 2017a), the system still lacks anonymity and multi-show unlinkability, and requires high bandwidth as a result of the Merkle trees, where each membership witness is of size log(N), N denoting the number of users of the system. Sarier (2021) attempts to solve the above issues by employing accumulators. Finally, (Augot et al., 2019) introduces modifications to (Augot et al., 2017a) to make it more cost efficient while preserving its potential (particularly for revocation) by allowing for coin swapping between two compatible blockchains.

Recently, Sonnino et al. presented an Ethereum-based anonymous credential scheme with a threshold issuance protocol (Sonnino et al., 2019). The scheme allows a user to aggregate and selectively disclose anonymous credentials but does not support credential revocation. To solve this issue, (Yu et al., 2020) recently introduced BASS, again an Ethereum-based selectively disclosable anonymous credential scheme that combines a pairing-based accumulator and the Coconut (Sonnino et al., 2019) scheme (sacrificing the threshold issuance property). Finally, (Bernal Bernabe et al., 2019) reviews the main permissioned blockchain platforms uPort, Sovrin, ShoCard and Civic designed for Privacy-Preserving Identity Management by analyzing their main features, their compliance with the GDPR principles and privacy aspects. In this paper, we focus only on BBIM systems for public, i.e. permissionless, blockchains. Hence, the BBIM systems reviewed in (Bernal Bernabe et al., 2019) are out of scope.

1.2. Motivation

Except for the papers of (Adams, 2011; Bissessar et al., 2014; Blanton and Hudelson, 2009; Impagliazzo and More, 2003), the credential systems summarized in Section 1.1 do not guarantee non-transferability. One may argue that non-transferability can be achieved using tamper-proof user hardware that stores the private credential data. Earlier systems employ these smartcards to prevent malicious users from accessing the stored secret data. This way, colluding users are prevented from copying and sharing the credential data with other users. Similar non-effective approaches to limit credential transfer integrate some valuable/personal data such as a credit card number into the credential key, so that the user will be unwilling to lend her credential to another one. However, a malicious user can lend his smartcard to a close friend for a short period of time, for instance when the card is not needed, which may result in a security breach despite the efforts summarized above. Thus, the most effective solution is biometric-based anonymous credentials requiring possession of the credential owner's biometric on the fly. It assures that users are physically present when their credentials are used, hindering credential sharing and abuse by theft. Hence, most of the current credential systems, including blockchain-based solutions, are not sufficient for non-transferability. Here, one should be careful about the way biometrics is used. If biometric data is employed directly, i.e. without using any biometric cryptosystem such as Secure Sketches/Fuzzy Extractors (Dodis et al., 2004; Sarier, 2018), privacy is not protected, especially when the smartcard is lost or the tamper-proofness is eliminated. We note that even though some recent systems such as (Bissessar et al., 2014; Blanton and Hudelson, 2009) integrate fuzzy extractors to preserve the privacy of biometric data, (Bissessar et al., 2014; Blanton and Hudelson, 2009) cannot achieve privacy of biometrics against the authority/issuer, who performs the enrollment and biometric key generation phase required for the credential issuing. This is left as an open/future problem in (Blanton and Hudelson, 2009). Thus, privacy of user data should be guaranteed against all the parties in the system, including the issuer, if we want to achieve GDPR-compliance. GDPR, i.e. the Right to Erasure, requires that no personal data should be stored on the blockchain itself but kept private from the blockchain in an "off-chain" data store (Sarier, 2021).

Finally, except for (Impagliazzo and More, 2003) and (Augot et al., 2017a; 2019; Yu et al., 2020), where the latter group is defined on public blockchains, none of the above approaches consider credential revocation. Besides, (Adams, 2011; Bissessar et al., 2014) lack the necessary zero-knowledge proof-of-knowledge (ZKPoK) protocol that works both for attributes defined to be elements of the exponent group and for attributes represented as a Pedersen commitment. Obtaining a zero knowledge system with this feature is not immediate and may in fact be very inefficient in practice, as we will show in Section 2. Thus, the efficiency gain through the use of Brands DLRep employed in (Adams, 2011; Bissessar et al., 2014) would be lost. Similarly, CL-signatures (Camenisch and Lysyanskaya, 2004) used in the anonymous credential construction of (Blanton and Hudelson, 2009) are inefficient compared to the recently introduced PS-signatures. Briefly, PS-signatures (Pointcheval and Sanders, 2016) are designed to replace CL-signatures without any modification.

1.3. Contributions

After presenting a brief review on various credential schemes and the underlying biometric cryptosystems, we focus on two

types of biometric-based credentials, digital (Adams, 2011; Bissessar et al., 2014) and anonymous (Bissessar et al., 2014; Blanton and Hudelson, 2009) credentials. For the former, we construct the missing ZKPoK protocol for Double Discrete Logarithm (DDL) by applying the ZKPoK protocol of Representation of Committed Value described in (Au et al., 2010). Next, we analyze the efficiency of (Adams, 2011; Bissessar et al., 2014) based on the adapted ZKPoK protocol. In Section 2, we show that the DDL-based systems in (Adams, 2011; Bissessar et al., 2014) turn out to be inefficient constructions, although the underlying Brands credential is currently the most efficient primitive as shown in (Chase et al., 2014).

- Instead of modifying the existing Brands-based non-transferable digital credential constructions of (Adams, 2011; Bissessar et al., 2014), we present a simple modification to the original Brands digital credential that is summarized in Section 1.4.3. This way, we obtain an efficient non-transferable digital credential stored on a smart card. The device is only responsible for capturing a fresh reading of biometrics (and erasing it afterwards). Even if an adversary obtains full access to all data on the smartcard, no biometric attribute is compromised, due to the fuzzy extractors that allow the entity to extract and reproduce a random string (biometric attribute) from noisy biometric images. Hence, the requirements on the smart card are minimal, as in (Blanton and Hudelson, 2009).

- For the second category, i.e. biometric-based anonymous credentials, we focus on the work of Blanton and Hudelson (2009) and solve the open problem in their work. First, we present our new attack against the biometric key generation scheme of (Blanton and Hudelson, 2009) implemented for the fuzzy vault-based secure sketch. By integrating an efficient Oblivious Pseudorandom Function (OPRF) (Jarecki and Liu, 2009), we prevent the security breach against the authority A, i.e. the credential issuer, who learns the biometric data of the enrolled users and their fuzzy extracted keys. We also improve the efficiency of the credential by replacing the CL-signature with the PS-signature.

Finally, we show different applications of our modified credential schemes for current Blockchain-based Identity Management (BBIM) systems, all of which lack the non-transferability feature. By adopting our biometric-based Brands DLRep into the systems of (Augot et al., 2017a; 2017b; 2019), we obtain non-transferability in BBIM immediately. Similarly, our modified version of Blanton et al.'s anonymous credentials can be employed in the current BBIM systems of (Sonnino et al., 2019; Yu et al., 2020) if an independent authority A is integrated into (Sonnino et al., 2019; Yu et al., 2020) to perform our modified algorithms.

1.4. Preliminaries

Let $G$ be a cyclic group of prime order $q$ and $G_p \subset \mathbb{Z}_q^*$ be a cyclic group of prime order $p$. Here, we set $q$ to be a prime of the form $q = \gamma p + 1$ for some integer $\gamma$ and set $G_p$ to be the group generated by an element of order $p$ in $\mathbb{Z}_q$. Let $g_0, g_1, g_2, \ldots, g_n \xleftarrow{R} G$ be random elements of $G$ and $g, h \xleftarrow{R} G_p$ be random elements of $G_p$ (here, none of them is the identity element of their respective group). Since $G$ and $G_p$ are of prime order, those elements are generators of their respective groups (Au et al., 2010).

1.4.1. Fuzzy vault

A fuzzy vault is a cryptographic primitive used to lock secret data (i.e. a cryptographic key) using an unordered set of locking elements (i.e. biometric features) such that a user who possesses a substantial amount of the locking elements will recover the secret (Mihăilescu et al., 2015). A fuzzy vault scheme $V = V(k, t, r, \mathbb{F}_q)$ consists of three phases:
- Setup: Choose a finite field $\mathbb{F}_q$ of order $q$ and set the parameters $t$ and $r$, where $t$ is the number of genuine points $G$ hidden in the vault and $r$ denotes the cardinality of the vault points $V \subset \mathbb{F}_q^2$.
- Lock: Secret data $S$ such as a 128-bit AES key is hidden in the vault as shown in Fig. 4 in the Appendix.
- Unlock: Given an unlocking set $L$ and a vault $V$, the algorithm returns the secret data as shown in Fig. 2.
The reader is referred to (Nandakumar et al., 2007; Uludag and Jain, 2006) for example applications on fingerprints. In (Mihăilescu et al., 2015), the author presents a brute force attack against the fuzzy vault implementation of (Uludag and Jain, 2006), and this attack is further investigated with a proposal to improve the security of the fingerprint fuzzy vault using additional minutia information. The attack for a fingerprint vault $V = V(k, t, r, \mathbb{F}_q)$ is as shown in Fig. 1.

1.4.2. Fuzzy extractors

Fuzzy extractors (Dodis et al., 2004) allow one to extract randomness from biometrics $w$ (for use in cryptographic schemes) and later reproduce it exactly from any value $w'$ close to the original $w$. A fuzzy extractor is generated by Gen that, on input $w$, outputs an extracted random string $R$ and a helper string $P$; and can be reproduced by Rep that, on input $w'$ and $P$, outputs the $R$ that was generated using Gen if $\mathrm{dis}(w, w') \le d$. The generating function Gen executes a secure sketch scheme $S \leftarrow SS$ and applies a strong extractor Ext to $w$ to extract a random string $R$. Here, $S$ and the random coins used by Ext form the helper data $P$. Let $r_2$ denote the random coins used by Ext (i.e., the execution is of the form $\mathrm{Ext}(w; r_2)$). We obtain $P = (S, r_2)$. The reproduction function Rep uses $S$ from $P$ to recover the original $w$, given that $\mathrm{dis}(w, w') \le d$, and extracts $R$ by computing $\mathrm{Ext}(w; r_2)$.

1.4.3. Brands selective disclosure scheme (DLRep)

Brands selective disclosure scheme (Brands, 2000) enables selective disclosures involving an identity with $n-1$ fields, $(X_1, \ldots, X_{n-1})$. Let $q$ be a prime number and $G$ a group of order $q$, which could be the same group used for the Bitcoin signature protocol.

Credential Issuance: Let $g_0, g_1, \ldots, g_n \in G$. $X_0$ prevents an attacker with a priori knowledge of the $X_j$ attributes of an entity from performing a dictionary attack where she guesses values for the remaining $X_j$'s (Augot et al., 2017b). The tuple $(X_0, X_1, \ldots, X_{n-1}) \in \mathbb{Z}_q^n$ is called a Discrete Logarithm Representation (DLRep) of $h = \prod_{j=0}^{n-1} g_j^{X_j}$ with respect to $(g_0, g_1, \ldots, g_{n-1})$.

Credential Showing: The showing protocol is a presentation of a credential with selective disclosure. This scheme is a proof of knowledge of those attributes the entity does not want to reveal. The proof can be carried out if those attributes are indeed the same ones that are committed in the credential stored in the smart card. To prove knowledge of a DLRep of

Fig. 1 – Brute force attack of (Mihăilescu et al., 2015) against the fuzzy vault implementation of (Uludag and Jain, 2006). a)
describes a failure, whereas b) is a successful attack.

Fig. 2 – Unlocking of a secret data from the vault (Mihăilescu et al., 2015; Nandakumar et al., 2007).

$h$ to a verifier $V$, a prover $P$ performs the following protocol steps (Brands, 2000). The disclosed attributes with their indexes are $(j, X_j)$ for the subset of indexes $j \in D \subseteq \{1, \ldots, n-1\}$. Let the set of concealed attributes be $C = \{1, \ldots, n-1\} \setminus D$. For convenience, we introduce the following notations for the products of DL commitments to the concealed and disclosed attributes: $h_C = \prod_{j \in C} g_j^{X_j}$, $h_D = \prod_{j \in D} g_j^{X_j}$ and $h = g_0^{X_0} h_C h_D$. Knowing $(j, X_j)$ for $j \in D$, both $P$ and $V$ can calculate $h_D$. The following protocol proves to $V$ that the DL representation of $H = h (h_D)^{-1} = g_0^{X_0} h_C$ with respect to the $g_i$'s, $i \in C$, is known by $P$.

1. $P$ generates random, secret numbers $a_0 \in \mathbb{Z}_q$ and $a_j \in \mathbb{Z}_q$ for $j \in C$. Let $A = g_0^{a_0} \prod_{j \in C} g_j^{a_j}$. $P$ sends $A$ to $V$.
2. $V$ provides a challenge number $c$.
3. $P$ computes $b_0 = a_0 + cX_0$ and $b_j = a_j + cX_j$ for $j \in C \subseteq \{1, \ldots, n-1\}$, and sends them to $V$.
4. The verifier $V$ checks that $A = g_0^{b_0} \prod_{j \in C} g_j^{b_j} H^{-c}$ holds.

$P$ knows all of the $X_j$'s to perform step 3. Here, $X_0$ is generated randomly by the entity to be used as a secret key. Assuming that $P$ does not know two DL representations with respect to this set, the verifier can be convinced that the claimed revealed attributes are indeed embedded in the certificate. All the other attributes remain hidden due to the selective disclosure protocol.

2. The inefficiency of Adams' and Bissessar et al.'s biometric-based digital credential scheme

As discussed in Section 1.1 and in (Chase et al., 2014), the Brands signature based U-Prove digital credential is shown to be the most efficient among the existing credential constructions. However, when combined with biometric attributes, either directly (Adams, 2011) or via a fuzzy extractor (Bissessar et al., 2014), encapsulated as a Pedersen commitment within the Brands digital credential scheme, the resulting biometric-based non-transferable credential requires zero-knowledge protocols involving Double Discrete Logarithms (DDL), which is not taken into account in (Adams, 2011; Bissessar et al., 2014). Hence, starting from the currently most efficient digital credential scheme, one ends up with an inefficient non-transferable construction, as shown below.

In a DDL-based proof for Adams' credential scheme (Adams, 2011; Bissessar et al., 2014), we use the Pedersen Commitment, where on input a value $X \in \mathbb{Z}_q$, the committer randomly chooses $r \in \mathbb{Z}_q$ and outputs the commitment $C = g_0^r g_1^X$ as the

commitment of value $X$. To reveal the commitment $C$, the committer outputs $(X, r)$, which denotes an opening of the commitment $C$. Everyone can test whether $C = g_0^r g_1^X$. Recall that the Pedersen Commitment is perfectly hiding and computationally binding, provided that $g_0$ and $g_1$ are randomly and independently generated and that the relative discrete logarithm of $g_0$ to base $g_1$ is unknown. Commitment to a block of values $(X_1, \ldots, X_n)$ is achieved by setting the commitment $C = g_0^r g_1^{X_1} \cdots g_n^{X_n}$ with additional random generators $g_0, g_1, \ldots, g_n$ of $G$ (Au et al., 2010).

2.1. Zero-knowledge proof-of-knowledge protocol of representation of committed value

Let $k = g_0^r g_1^{X_1} \cdots g_{n-1}^{X_{n-1}} g_n^{c_I}$ be a commitment of $c_I$ with randomness $r$, and let $c_I = g^b h^s \in G_p$ be the commitment of $b$ with randomness $s \xleftarrow{R} \mathbb{Z}_p$. Similarly, let $c_F = c_I \tilde{h}^{\alpha} = g^b h^s h^{\tilde{s}\alpha} = g^b h^{s + \tilde{s}\alpha} = g^b h^{s'} \in G_p$ be a commitment of $c_I$'s representation (to base $g$, denoted as $b$) with randomness $\alpha \xleftarrow{R} \mathbb{Z}_p$, as defined in (Au et al., 2010). Here, $s' = s + \tilde{s}\alpha$.

We note that the variables $k$, $c_I$, $b$ are used in (Adams, 2011) identically, $c_I$ denoting the issue-time embedded commitment of the biometric data $b$ and $c_F$ denoting the fresh commitment for the showing protocol on the same biometric data. Similarly, CRI and CRS in (Bissessar et al., 2014) correspond to the same variables $c_I$ and $c_F$ in (Adams, 2011). Only the credential represented by $k$ is denoted by $h$ in (Bissessar et al., 2014).

At the same time, $g^b h^{s'} \in G_p$ is another commitment on the same value $b$ as defined in (Adams, 2011). We note that $\tilde{h} \in G_p$ is another generator that we compute using the generator $h \in G_p$ as follows: Let $G_p = \langle h \rangle$ be a cyclic group of order $p - 1$. For any $\tilde{s}$, $h^{\tilde{s}}$ is a generator of $G_p$ iff $\gcd(\tilde{s}, p-1) = 1$. Since we already know a generator $h$ of $G_p$, we pick a random $\tilde{s}$ from the set of elements that satisfy $\gcd(\tilde{s}, p-1) = 1$ and compute $\tilde{h} = h^{\tilde{s}}$, so that the value $\tilde{h}$ is a generator of $G_p$. Once we compute $\tilde{h}$, we pick a random $\alpha$ and compute $\tilde{h}^{\alpha}$ to construct the commitment of $c_I$'s representation (to bases $g$ and $h$) with randomness $\alpha$, as defined in (Au et al., 2010).

We construct a ZKPoK protocol of $(c_I, b)$, denoted as PKRCV. Our protocol (as in (Au et al., 2010)) is an argument system rather than a proof system. The adversaries against PKRCV are modeled as Probabilistic Polynomial Time (PPT) algorithms. PKRCV for $k, c_I$ can be abstracted as:

$\mathrm{PKRCV}\{(c_I, r, s, b) : k = g_0^r g_1^{X_1} \cdots g_{n-1}^{X_{n-1}} g_n^{c_I} \ \wedge\ c_F = c_I \tilde{h}^{\alpha} \ \wedge\ c_I = g^b h^s\}$

In fact, this argument directly corresponds to Adams' biometric-based credential scheme of (Adams, 2011), where the same relation is denoted as PoK : DLRepWithPC(), and the public information is the credential and the show-time (i.e. fresh) commitment on the biometrics.

The construction of PKRCV consists of two parts. Note that while we describe them separately, they can be executed in parallel in an actual implementation.

We construct a $\Sigma$-Protocol for PKRCV. Let $\lambda_k$ be a security parameter. The first part of PKRCV is a zero-knowledge proof-of-knowledge of the representation of an element, and we adapt the protocol from Au et al. (2010).

(Commitment.) The prover randomly generates $\rho_r, \rho_{X_1}, \ldots, \rho_{X_{n-1}}, \rho_{c_I} \xleftarrow{R} \mathbb{Z}_q$, computes and sends $T = g_0^{\rho_r} g_1^{\rho_{X_1}} \cdots g_{n-1}^{\rho_{X_{n-1}}} g_n^{\rho_{c_I}} \in G$.
(Challenge.) The verifier returns a random challenge $d \xleftarrow{R} \{0, 1\}^{\lambda_k}$.
(Response.) The prover, treating $d$ as an element in $\mathbb{Z}_q$, computes $z_r = \rho_r - dr \in \mathbb{Z}_q$, $z_{X_1} = \rho_{X_1} - dX_1 \in \mathbb{Z}_q, \ldots, z_{X_{n-1}} = \rho_{X_{n-1}} - dX_{n-1} \in \mathbb{Z}_q$, $z_{c_I} = \rho_{c_I} - dc_I \in \mathbb{Z}_q$, and returns $(z_r, z_{X_1}, \ldots, z_{X_{n-1}}, z_{c_I})$ to the verifier.
(Verify.) The verifier accepts if and only if $T = k^d g_0^{z_r} g_1^{z_{X_1}} \cdots g_{n-1}^{z_{X_{n-1}}} g_n^{z_{c_I}}$.

The second part combines the ZKPoK of double-discrete logarithm with the ZKPoK of equality of discrete logarithm (Au et al., 2010).

(Commitment.) For $i = 1$ to $\lambda_k$, the prover randomly generates $\rho_{r_i}, \rho_{s_i}, \rho_{\alpha_i}, \rho_{b_i}, \rho_{X_{1,i}}, \ldots, \rho_{X_{n-1,i}} \xleftarrow{R} \mathbb{Z}_q$. Then the prover computes $T_{1,i} = g_0^{\rho_{r_i}} g_1^{\rho_{X_{1,i}}} \cdots g_{n-1}^{\rho_{X_{n-1,i}}} g_n^{g^{\rho_{b_i}} h^{\rho_{s_i}}}$ and $T_{2,i} = g^{\rho_{b_i}} h^{\rho_{s_i}} \tilde{h}^{\rho_{\alpha_i}}$. After that,  the prover sends $(T_{1,i}, T_{2,i})_{i=1}^{\lambda_k}$ to the verifier.
(Challenge.) The verifier returns a random challenge $d \xleftarrow{R} \{0, 1\}^{\lambda_k}$.
(Response.) Denote by $d[i]$ the $i$th bit of $d$, that is, $d[i] \in \{0, 1\}$. For $i = 1$ to $\lambda_k$, the prover computes
$z_{b_i} = \rho_{b_i} - d[i]\, b \in \mathbb{Z}_p$,
$z_{s_i} = \rho_{s_i} - d[i]\, s \in \mathbb{Z}_p$,
$z_{\alpha_i} = \rho_{\alpha_i} - d[i]\, \alpha \in \mathbb{Z}_p$,
$z_{r_i} = \rho_{r_i} - d[i]\, g^{z_{b_i}} h^{z_{s_i}}\, r \in \mathbb{Z}_q$,
$z_{X_{1,i}} = \rho_{X_{1,i}} - d[i]\, g^{z_{b_i}} h^{z_{s_i}}\, X_1 \in \mathbb{Z}_q, \ldots,$
$z_{X_{n-1,i}} = \rho_{X_{n-1,i}} - d[i]\, g^{z_{b_i}} h^{z_{s_i}}\, X_{n-1} \in \mathbb{Z}_q$.
The prover sends $(z_{b_i}, z_{s_i}, z_{\alpha_i}, z_{r_i}, z_{X_{1,i}}, \ldots, z_{X_{n-1,i}})_{i=1}^{\lambda_k}$ to the verifier.
(Verify.) The verifier accepts if the following equations hold for $i = 1$ to $\lambda_k$:
$T_{2,i} = c_F^{d[i]}\, g^{z_{b_i}} h^{z_{s_i}} \tilde{h}^{z_{\alpha_i}}$,
$T_{1,i} = g_n^{g^{z_{b_i}} h^{z_{s_i}}}\, g_0^{z_{r_i}} g_1^{z_{X_{1,i}}} \cdots g_{n-1}^{z_{X_{n-1,i}}}$ if $d[i] = 0$,
$T_{1,i} = k^{g^{z_{b_i}} h^{z_{s_i}}}\, g_0^{z_{r_i}} g_1^{z_{X_{1,i}}} \cdots g_{n-1}^{z_{X_{n-1,i}}}$ if $d[i] = 1$.

The two parts should be executed in parallel using the same challenge, as in (Au et al., 2010).

2.1.1. Security analysis of PKRCV

Technically, our protocol is an argument system rather than a proof system, in the sense that soundness in our system only holds against a PPT cheating prover, as in (Au et al., 2010). This is sufficient for all our purposes when the adversaries in the applications of our PKRCV are modeled as PPT algorithms. In (Au et al., 2010), the original PKRCV for $C, D$ is abstracted for $L = 1$. Hence, taking $m_1 = b$ and $s = s'$ in PKRCV:

$\mathrm{PKRCV}\{(x, r, s, b) : C = g_0^x g^r \ \wedge\ D = x h^s \ \wedge\ x = h_1^b\}$

This argument corresponds to PoK : DLRepWithPC() in Adams' biometric-based credential (Adams, 2011), where the public information is the credential and the show-time (i.e. fresh) commitment on the biometrics. For better readability, in PKRCV with $L = 2$ we replace $g_0$ with $g_n$ and $g$ with $g_0$, and, as defined in Section 2.1, $s' = s + \tilde{s}\alpha$ and $\tilde{h} = h^{\tilde{s}}$ is a generator of $G_p$. Hence,

$\mathrm{PKRCV}\{(c_I, r, s, b) : k = g_0^r g_1^{X_1} \cdots g_{n-1}^{X_{n-1}} g_n^{c_I} \ \wedge\ c_F = c_I \tilde{h}^{\alpha} \ \wedge\ c_I = g^b h^s\}$

Theorem 2.1. PKRCV is a $\Sigma$-Protocol.
Since the original $\mathrm{PK}_{RCV}$ of (Au et al., 2010) and our $\mathrm{PK}_{RCV}$ share the same ZKPoK structure, the proof remains identical to Appendix A of (Au et al., 2010).

2.1.2. Performance analysis of $\mathrm{PK}_{RCV}$

Following the analysis in (Au et al., 2010), we break down the runtime cost of $\mathrm{PK}_{RCV}$ into the number of multi-exponentiations (multi-EXPs). A multi-EXP computes the product of exponentiations faster than performing the exponentiations separately. Normally, a multi-based exponentiation takes only 10% more time compared with a single-based exponentiation (Au et al., 2010). We assume that one multi-EXP operation multiplies up to 3 exponentiations, as in (Au et al., 2010). The most dominant operation in $\mathrm{PK}_{RCV}$ is the multi-EXPs in group $G$, and the largest number of multi-EXPs occurs during the computation of $k$. For the elliptic curve group equipped with pairing, the authors of (Au et al., 2010) find that one multi-EXP in $G$ takes about 25 ms. $G$ is taken to be an elliptic curve group equipped with a type A1 pairing and the prime $q$ is 1048 bits. In a nutshell, the authors of (Au et al., 2010) measured the time required by the verifier for verifying the proof $\mathrm{PK}_{RCV}$ as around 2 s (Au et al., 2010) for $L = 1$ or $L = 3$, which results in $2n$ seconds for verifying the proof $\mathrm{PK}_{RCV}$ applied to (Adams, 2011; Bissessar et al., 2014). Here, $n$ denotes the total number of attributes of the credential, identical to (Chase et al., 2014), where the exact time measurement for the original Brands credential based U-Prove is found as 12.43 ms for $n = 10$ (Chase et al., 2014). Hence, if we compare the two constructions without selective disclosure, i.e. $2 \cdot 10 = 20$ s versus 12.43 milliseconds for $n = 10$ (Chase et al., 2014), we see that the original Brands credential based system outperforms the non-transferable credential schemes of (Adams, 2011; Bissessar et al., 2014) that are based on the combination of Brands digital credential and DDL.

As for the bandwidth cost, the non-interactive version is more space-efficient. In practice, we can take $\lambda_k = 80$ and $q$ (resp. $p$) to be a 1024-bit (resp. 160-bit) prime. Thus, elements of $\mathbb{Z}_q$, $\mathbb{Z}_p$ and $G$ take 1024, 160 and roughly 1024 bits, respectively. The non-interactive form (which $\mathrm{PK}_{RCV}$ employs) takes up around $(12 + 3 + n - 1)$ kB, as shown in Table 1.

Table 1 – Runtime and Bandwidth Cost of $\mathrm{PK}_{RCV}$.

| Runtime Cost | Prover | Verifier |
|---|---|---|
| $G$ multi-EXP | $(n/3)\lambda_k + n/3$ | $(n/3)\lambda_k + n/3$ |
| $G_p$ multi-EXP | $\lambda_k(2/3 + 1) + 1$ | $\lambda_k(2/3 + 2)$ |

| Bandwidth Cost | Interactive | Non-Interactive |
|---|---|---|
| $G$ | $2\lambda_k + 1$ | 0 |
| $\mathbb{Z}_q$ | $n\lambda_k + 2 + n - 1$ | $n\lambda_k + 2 + n - 1$ |
| $\mathbb{Z}_p$ | $3\lambda_k$ | $3\lambda_k$ |

In summary, the construction of (Adams, 2011; Bissessar et al., 2014) is $\lambda_k$ times the complexity of the underlying Brands digital credential due to the DDL representation. The ZKPoK protocol for DDL and the $\lambda_k$ factor were not considered in either (Adams, 2011) or (Bissessar et al., 2014), resulting in an inefficient construction as opposed to the Brands credential based U-Prove analyzed in (Chase et al., 2014).

2.2. A simple modification

Instead of combining the blind-signature-based digital credential scheme with biometric data encapsulated as a Pedersen commitment, we directly encode the biometric attribute in the Brands' DLRep scheme as a private attribute that is never revealed to any party, but whose existence guarantees the non-transferability of the credential during the showing/presentation protocol with the verifier. Brands' selective disclosure scheme (Brands, 2000) enables selective disclosures involving an identity with $n-1$ fields, $(X_1, \ldots, X_{n-1})$. In our simple modification, let $X_1$ represent a user's biometric attribute, $X_2$ her name, ..., and $X_{n-1}$ the nationality.

We also need a smartcard that requires a fresh biometric reading on each authentication attempt. The card stores the credential and the helper data for the fuzzy extractor. As opposed to (Adams, 2011; Impagliazzo and More, 2003), the user's biometric data is not stored on the card; hence there is no check whether the biometrics of the current holder of the card match those stored inside it before an authentication request, as in (Impagliazzo and More, 2003). We reserve $X_1$ for the biometric attribute, which is extracted by the credential issuer from the user's biometrics using a biometric key binding/generation technique based on the fuzzy extractors described in Section 1.4. Specifically, the random string $R$ is hashed using a cryptographic hash function $H$ to assign $R$ to $X_1$ via $X_1 = H(R)$, which represents the biometric attribute of the entity as shown in Fig. 3. Also, $P = (S, r_2)$ is stored in the smartcard of the entity. No biometric template data or biometric image is stored in this device, and one cannot obtain any information about $X_1$ or the biometrics of the entity either from $P$ or from the stored credential. The smart card extracts $R$ by computing $\mathrm{Ext}(w; r_2)$ to compute the biometric attribute $X_1$ required during the showing protocol to prove knowledge of undisclosed attributes, based on the interactive ZKPoK protocol with selective disclosure. If the credential issuer is not assumed to be trusted, then the user U can employ a smart card with an integrated sensor that captures the fresh biometrics, extracts the features and computes the hidden attribute $X_1$ using a fuzzy extractor, under the supervision of the credential issuer, i.e. the issuer can observe that the user applied his own biometrics. This way, the authority cannot learn the extracted attribute (i.e. the fuzzy extracted secret attribute) $X_1$, although the raw biometrics is assumed to be public data. Here, the smartcard of the user U is trusted to process the biometrics correctly and to generate a unique key $X_1$, identical for each session of the showing phase, with the help of the hidden helper data.

Thus, the Modified Credential Issuance phase is almost identical to the issuance protocol of Section 1.4.3, except for reserving $X_1$ for the biometric attribute and $X_0$ as the secret parameter of the user. Assuming the user's encoded secret key $g_0^{X_0} g_1^{X_1}$, similar to the user's encoded secret key $g^{\alpha}$ of (Brands, 2000), the set of disclosed attributes, which is a subset of $(X_2, \ldots, X_{n-1})$, is common input to the parties, and they can both construct the DLRep of $H$ identically to the issuance protocol of Section 1.4.3.
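The card-side flow of Section 2.2 (issuance derives $X_1 = H(R)$ from $R = \mathrm{Ext}(w; r_2)$, the card keeps only $P = (S, r_2)$, and each show regenerates $X_1$ from a fresh noisy reading), as an added example that is not code from the paper. It assumes a code-offset fuzzy extractor with a 5-fold repetition code, SHA-256 keyed with the public seed r2 as a stand-in for Ext, SHA-256 as H, and constructed 320-bit readings instead of real sensor output.

```python
# Added example (not code from the paper): the issuance/showing flow of Section 2.2
# on the card side. Assumptions for illustration: a code-offset fuzzy extractor over
# binary feature vectors with a 5-fold repetition code as the error-correcting code,
# SHA-256 keyed with the public seed r2 standing in for the strong extractor
# Ext(w; r2), SHA-256 as the hash H, and constructed 320-bit readings in place of
# real sensor output. The helper data P = (S, r2) is all the card stores.
import hashlib
import random
import secrets

REP = 5                    # repetition factor: tolerates up to 2 flipped bits per block
KEY_BITS = 64              # bits of the random string hidden in the sketch
W_BITS = REP * KEY_BITS    # length of a feature vector w (constructed size)


def enc(bits):
    """Repetition-code encoder: each bit is repeated REP times."""
    return [b for b in bits for _ in range(REP)]


def dec(bits):
    """Majority-vote decoder, the inverse of enc() on up to 2 errors per block."""
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]


def ext(w, r2):
    """Ext(w; r2): derive the random string R from w with the public seed r2."""
    w_bytes = int("".join(map(str, w)), 2).to_bytes(W_BITS // 8, "big")
    return hashlib.sha256(r2 + w_bytes).digest()


def gen(w):
    """Gen(w) -> (R, P): sketch S = w XOR Enc(k) for random k, seed r2, R = Ext(w; r2)."""
    k = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    S = [wb ^ cb for wb, cb in zip(w, enc(k))]
    r2 = secrets.token_bytes(16)
    return ext(w, r2), (S, r2)


def rep(w_prime, P):
    """Rep(w', P): rebuild w from a noisy reading w' using only the helper data."""
    S, r2 = P
    k = dec([wb ^ sb for wb, sb in zip(w_prime, S)])   # w' XOR S = Enc(k) XOR errors
    w = [sb ^ cb for sb, cb in zip(S, enc(k))]         # S XOR Enc(k) = w
    return ext(w, r2)


def biometric_attribute(R):
    """X1 = H(R): the hidden attribute placed in the Brands DLRep credential."""
    return int.from_bytes(hashlib.sha256(R).digest(), "big")


def constructed_reading(seed):
    """Deterministic stand-in for a sensor reading (constructed test data, not biometrics)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(W_BITS)]


def flip(w, positions):
    """Simulate intra-class noise by flipping the bits at the given positions."""
    out = list(w)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    w = constructed_reading(7)                  # enrolment reading at the issuer
    R, P = gen(w)                               # card keeps P only; w and R are discarded
    x1_issued = biometric_attribute(R)          # X1 enters the credential as a hidden attribute
    w_fresh = flip(w, [0, 1, 7, 13, 20, 99, 300])     # fresh reading with scattered bit errors
    x1_shown = biometric_attribute(rep(w_fresh, P))   # card regenerates X1 before each show
    x1_other = biometric_attribute(rep(constructed_reading(8), P))  # someone else's reading
    return x1_issued == x1_shown, x1_issued != x1_other


if __name__ == "__main__":
    print(demo())   # (True, True)
```

rep() never needs the enrolment reading, which is what lets the card hold nothing but P while still producing the same $X_1$ for every show; three errors in one 5-bit block exceed the code's tolerance and yield a different $X_1$.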
Fig. 3 – Integration of the modified Brands' DLRep of Section 2.2 into the BBIM scheme of (Augot et al., 2017a). H: a cryptographic hash, R: (fuzzy) extracted random string defined in Section 1.4, whose hash is assigned to $X_1$ as a (hidden) attribute. The transactions are identical to (Augot et al., 2017a).

Fig. 4 – Locking of secret data in the vault (Mihăilescu et al., 2015; Nandakumar et al., 2007).

The Modified Credential Showing phase is almost identical to the showing protocol of Section 1.4.3, except that the user must regenerate the biometric attribute $X_1$ from the fresh biometrics using his smartcard before executing the showing protocol of Section 1.4.3. We note that the biometric attribute $X_1$ remains hidden for each verification of the credential, but its existence guarantees the non-transferability of the credential, since a fresh reading is required on each credential show. Hence, the verification cost is identical to (Chase et al., 2014) for Brands credential based U-Prove. Finally, we emphasize that no biometric template/data is stored on the smartcard of the user U; only the credential $h$ and the helper data for the fuzzy extractor are required to be stored. This way, even if the smart card storing the credential $h$ is lost/compromised, there is no way to link the (unstored) biometric data to the identity/credential of the user, although Brands digital credentials do not provide multi-show unlinkability.

3. Insecurity and inefficiency of biometric-based anonymous credentials

In (Blanton and Hudelson, 2009), the fuzzy vault is evaluated as a secure sketch construction for the set intersection metric, and the credential scheme of (Blanton and Hudelson, 2009) is based on secure sketch and fuzzy extractor constructions. The unlocking algorithm in the fuzzy vault implementation of (Uludag and Jain, 2006) produces many potential keys locked by the vault. Uludag and Jain (2006) solve this problem by adding some structure (i.e., redundancy) to the secret being locked, i.e. CRC codes for error correction, in order to have increased tolerance to biometric intra-class variations. In (Blanton and Hudelson, 2009), the authors prevent this weakening of the hiding properties of the fuzzy vault construction by shipping the helper data with a verification value that permits confirmation of the correct key. The authors of (Blanton and Hudelson, 2009) claim that adding a verification value computed using the one-way PRF $f^{ow}_{sec}(x) = g^{1/(sec + x)}$ of Dodis-Yampolskiy (Jarecki and Liu, 2009) can avoid additional information leakage.

The enrolling function BKG-Enroll executes $P', K' \leftarrow \mathrm{Gen}$ and applies the one-way function $f$ to the random string $K'$ to obtain the verification data $V = f^{ow}(K' \| 0) = f_{K'}(0)$. The output is $P, K$, where $P = (P', V)$ and $K = f^{ow}(K' \| 1) = f_{K'}(1)$. The key reconstruction function BKG-KeyRec uses $w'$ and $P'$ from $P$ to find a set $\mathcal{K}$ of candidate keys for $K'$. For each $key \in \mathcal{K}$, if $f^{ow}(key \| 0) = V$, take $K' = key$ and output $K = f^{ow}(K' \| 1)$.
3.1. A new attack

Our new attack for BKG = (BKG-Enroll, BKG-KeyRec) implemented for the fuzzy vault-based secure sketch $V = V(k, t, r, \mathbb{F}_q)$ is as follows:

1. Choose $k$ distinct points from the vault $V$ uniformly at random, as in step 1 of Fig. 1 a);
2. Compute the unique degree $k-1$ polynomial $f \in \mathbb{F}_q[X]$ interpolating them, as in Fig. 1 a);
3. If the graph of $f$ contains $t$ vault points, compute the candidate key from the polynomial $f$ and apply the one-way function $f^{ow}(key \| 0) = V$; if verified, take $K' = key$ and output $K = f^{ow}(K' \| 1)$; otherwise go to step 1.

Since the authority A in (Blanton and Hudelson, 2009) verifies the validity of the computation in BKG-Enroll taking place in the first and third steps of the AC-Enroll algorithm described in Section 4.1 of (Blanton and Hudelson, 2009), and computes $K = f^{ow}(K' \| 1)$, with this setup authority A learns the biometrics and, more importantly, the fuzzy extracted secret key $K'$ of users U. A is expected to erase such information after the enrollment protocol. The authors of (Blanton and Hudelson, 2009) claim that this does not permit A to distinguish between different users at authentication time. Hence, (Blanton and Hudelson, 2009) leaves preventing A from learning user biometrics as future work.

Algorithm 1: OPRF of (Jarecki and Liu, 2009).
Input: The sender S's parameters $pk_s, sk_s, sec$ and the receiver R's parameters $pk_r, sk_r, x$.
Output: $f^{ow}_{sec}(x) = g^{1/(sec + x)}$.
S ↔ R: Exchange of public keys $(pk_s, pk_r)$.
/* The sender S computes: */
The 'joint key' $pk = pk_s \cdot pk_r$ from $pk_s, pk_r$. Encrypt $sec$ under $pk$ as $C_{sec}$.
/* The receiver R computes: */
The 'joint key' $pk = pk_s \cdot pk_r$ from $pk_s, pk_r$. Encrypt $x$ under $pk$ as $C_x$. // Homomorphism of the encryption: $C_{sec} \cdot C_x = C_{\alpha}$ where $\alpha = sec + x$.
Randomize $C_{\alpha}$ with $a \leftarrow_R \mathbb{Z}_n$: compute $C_{\beta} = (C_{\alpha})^{a}$ for $\beta = a \cdot \alpha$, encrypt $a$ under $pk$ as $C_a$, and partially decrypt $C_{\beta}$ into $C_{\beta}^{(s)}$. // Here, $C_v^{(s)}$ denotes the ciphertext that encrypts variable $v$ under $pk_s$ alone; hence, partial decryption of $C_v$ under $sk_r$ results in $C_v^{(s)}$.
Send $(C_a, C_{\beta}^{(s)})$ to S.
/* The sender S computes: */
Decrypt to get $\beta$ and compute $C_{\sigma} = (C_a)^{1/\beta}$ for $\sigma = a/\beta = 1/\alpha = 1/(sec + x)$. Pick an additive share $\sigma_s$ of $\sigma$ and compute $v_s = g^{\sigma_s}$. Encrypt $\sigma_s$ as $C_{\sigma_s}$, compute $C_{\sigma_r} = C_{\sigma} / C_{\sigma_s}$ for $\sigma_r = \sigma - \sigma_s$, and partially decrypt $C_{\sigma_r}$ into $C_{\sigma_r}^{(r)}$. // Here, $C_v^{(r)}$ denotes the ciphertext that encrypts variable $v$ under $pk_r$ alone; partial decryption of $C_v$ under $sk_s$ results in $C_v^{(r)}$.
Send $(v_s, C_{\sigma_r}^{(r)})$ to R.
/* The receiver R computes: */
Decrypt $C_{\sigma_r}^{(r)}$ to obtain $\sigma_r$ and compute $v = v_s \cdot g^{\sigma_r} = g^{\sigma_s + \sigma_r} = g^{1/(sec + x)}$.

3.2. Solving the open problem in Blanton et al.'s paper

An Oblivious Pseudorandom Function (OPRF) is a two-party protocol between a sender S and a receiver R for securely computing a pseudorandom function $f^{ow}_{sec}(\cdot)$ on a key $sec$ contributed by S and an input $x$ contributed by R, in such a way that the receiver R learns only the value $f^{ow}_{sec}(x)$ while the sender S learns nothing from the interaction (Jarecki and Liu, 2009). The domain of $f^{ow}(sec, x)$ is polynomially-sized, which is suitable for biometric keys having limited entropy. Finally, since the input values 0 and 1 are public values, we do not need to employ the protocol of (Jarecki and Liu, 2009) extended to computing on committed inputs. In our modified protocol, we replace $x = 0$ and $x = 1$ with public values $x_0, x_1$ from the same domain as $sec$. In particular, $f^{ow}(sec, x) = f^{ow}_{sec}(x) = g^{1/(sec + x)}$ where $sec = K'$ and $x = x_0$ or $x = x_1$, depending on whether the verification data $f^{ow}(K' \| x_0) = V$ or the biometric key $K = f^{ow}(K' \| x_1)$ is computed. An OPRF protocol for $f^{ow}_{sec}(x) = g^{1/(sec + x)}$ in a group $G$ generated by $g$ of composite order $n$ is given in (Jarecki and Liu, 2009), as shown in Algorithm 1. Here, (Jarecki and Liu, 2009) employs an additively homomorphic encryption scheme allowing for shared decryption on the message domain $\mathbb{Z}_n$, like the Camenisch-Shoup version of Paillier encryption.

By plugging in the sender S = U and the receiver R = A, with the secret extracted biometric key $sec = K'$ and the verification value for $x = x_0$, the secure computation of $f^{ow}_{K'}(x_0) = g^{1/(K' + x_0)} = V$ in Algorithm 1 returns to the authority only the computed value of the verification data $V$. Similarly, plugging in $x = x_1$ (remaining parameters as above), the secure computation of $f^{ow}_{K'}(x_1) = g^{1/(K' + x_1)} = K$ returns to the authority only $K$, which is used directly in the AC-Enroll protocol of (Blanton and Hudelson, 2009) after mapping $g^{1/(K' + x_1)} = K \in G$ to the domain of the Pedersen commitment, i.e. $\mathbb{Z}_q$.

The enrolling function BKG-Enroll executes $P', K' \leftarrow \mathrm{Gen}$ on a trusted device under the supervision of A, who observes that the user has used his own biometric data, and then applies the OPRF protocol $f^{ow}_{sec}(x) = g^{1/(sec + x)}$ to compute the verification data $V$ using the public input $x_0$ from A and the secret input $K'$ from the user U. The secret input of U is computed using the biometrics of U under the supervision of A. Similarly, a second OPRF protocol $f^{ow}_{sec}(x) = g^{1/(sec + x)}$ is applied to compute the biometric attribute $K$ using the public input $x_1$ from A and the secret input $K'$ from U. The output is $P, K$ with $P = (P', V)$ and $K$, where only $V$ and $K$ are known to the authority A, so that the authority can generate the attribute-based credential using the final biometric attribute $K$ in step 5 of the AC-Enroll algorithm described in Section 4.1 of (Blanton and Hudelson, 2009), or in any other anonymous credential construction such as (Camenisch and Lysyanskaya, 2004), or in the more efficient PS-signature based credentials (Pointcheval and Sanders, 2016). The key reconstruction function BKG-KeyRec is unchanged, as it is performed only by the user during the showing protocol of the anonymous credential. The one-time additional cost of the OPRF protocol between the issuing authority A and the user U can be estimated according to Jarecki and Liu (2009) as follows: in the honest-but-curious model, $N$ evaluations of the OPRF contribute $32000Nm$ if $m$ is the cost of a single multiplication (or squaring) modulo a 1024-bit modulus, whereas in the malicious model this cost grows by only a factor of 2 (Jarecki and Liu, 2009). Hence, two evaluations of the OPRF protocol (one for the computation of $V$ and one for $K$) contribute an additional cost of $2 \cdot 32000m$ for the oblivious computation of $V$ and $K$ in total (for both the issuer A and the user U).
3.3. Improving the efficiency of Blanton et al.'s paper

The non-transferable anonymous credential protocol of (Blanton and Hudelson, 2009) builds upon the Camenisch-Lysyanskaya (CL) signature scheme (Camenisch and Lysyanskaya, 2004), whose size is linear in the number of messages to be signed, limiting its use in many situations. In (Pointcheval and Sanders, 2016) a new signature scheme with more efficient algorithms and the same features as CL-signatures is proposed, but without the linear-size drawback: independent of the message length (i.e. attribute size), the PS-signature consists of only two elements. The data sent in the original CL-signatures (Camenisch and Lysyanskaya, 2004) employed in (Blanton and Hudelson, 2009) for $r$ messages consist of $3 + 2r$ elements of $G$, whereas the short signature of (Pointcheval and Sanders, 2016) only requires 2 elements of $G$, whatever $r$ is. Here, $r$ denotes the number of messages (attributes), namely context-specific user privileges, which could be the access privileges, i.e. attributes of an employee such as being a US citizen, that are issued by the authority in the anonymous credential. Replacing the CL-signatures with PS-signatures in (Blanton and Hudelson, 2009) reduces the cost of the issuer during generation of a credential in the AC-Enroll algorithm and the cost of the user U in the AC-Auth algorithm by $2r + 2$ exponentiations in $G$. Finally, the verifier's cost in the AC-Auth algorithm is reduced by $4r + 2$ pairing computations. Here, $r$ refers to the number of attributes to be certified, as before.

4. Discussion

The theoretical work on biometric key generation cannot tolerate realistic variations in the biometric signal such as variable-length representations and unordered or unaligned representations (Blanton and Hudelson, 2009). The authors of (Blanton and Hudelson, 2009) suggest that one should reduce the noise by acquiring multiple samples and performing majority decoding to create a single image with low noise, or by scanning both eyes instead of a single one for iris recognition, to achieve lower error rates. This means that the entropy loss becomes tolerable when the error rate is reduced to a rather small value. Nevertheless, it is still not easy for systems employing fuzzy extractors to achieve highly accurate solutions (i.e., very low FAR values for an acceptable FRR value) and long keys at the same time. Thus, new methods based on artificial neural networks (Jana et al., 2020; Malygin et al., 2017) could be considered in place of fuzzy extractors. An extractor for secret keys and long passwords can be built on the basis of automatically trained neural networks. Here, there exist two directions: a neural network converter (Malygin et al., 2017) (a wide neural network is a complete alternative to a fuzzy extractor) and a hybrid of a fuzzy extractor and a deep neural network (Jana et al., 2020). Technically, (Malygin et al., 2017) is strictly related to neural network based biometric-to-code converters, whereas (Jana et al., 2020) is a hybrid approach. Also, (Malygin et al., 2017) differs in that the fuzzy extractor is not used there at all; thus, (Malygin et al., 2017) eliminates the disadvantages of employing a fuzzy extractor. Besides, the neural network converter (Malygin et al., 2017) gives a lower percentage of FAR and FRR errors. Hence, a neural network converter (Malygin et al., 2017) can be a serious alternative to a fuzzy extractor, and it also formed the basis of standards for biometric security products in Russia (GOST R 52633). In summary, the combination of the solutions presented in this paper with neural network transducers (by replacing the fuzzy extractors) could be an interesting future work. The reader is referred for the details to (Jana et al., 2020; Malygin et al., 2017), where (Jana et al., 2020) is another promising direction. Finally, since the cryptographic operations are applied after and/or on top of the biometric template protection scheme, as in (Bissessar et al., 2014; Blanton and Hudelson, 2009), the performance of the latter remains unaffected and identical to (Bissessar et al., 2014; Blanton and Hudelson, 2009) if fuzzy extractors are employed. Hence, similar to Adams (2011); Bissessar et al. (2014); Blanton and Hudelson (2009); Impagliazzo and More (2003), performance metrics such as FRR, FAR and EER are beyond the scope of this paper.

4.1. Application scenarios for credential schemes on blockchain-based identity management (BBIM)

Table 2 presents a comparison of the digital and anonymous credential systems, including our proposed solutions in Sections 2.2 and 3.3, and their applications in current BBIM systems. Our modified Brands credential scheme of Section 2.2 can easily be adapted by the identity management systems of (Augot et al., 2017a; 2017b; 2019), all of which are based on original Brands credentials integrated into the Bitcoin blockchain. An example integration without any modification to the authentication flow and transaction structure is presented in Fig. 3 for the BBIM of (Augot et al., 2017a). Besides, our modified anonymous credential based on PS-signatures and the new algorithm of Section 3.2 can directly be employed in Coconut (Sonnino et al., 2019) and BASS (Yu et al., 2020) if an independent authority A performs the new algorithms of Section 3.2 and returns the private biometric attribute ($\alpha_i$ in (Yu et al., 2020), $m$ in (Sonnino et al., 2019)) using the Pedersen commitment scheme to the single credential authority CA in (Yu et al., 2020) or to the $n$ authorities who perform the threshold issuance of the credential in (Sonnino et al., 2019), respectively. Hence, our modified versions of digital credentials and anonymous credentials can directly be employed in the current identity management systems designed for public blockchains shown in Table 2. Besides, GDPR requires that no personal data be stored on the blockchain itself but kept private from the blockchain in an "off-chain" data store, to comply with the right to erasure. Since the only BBIM with off-chain data storage is presented in (Augot et al., 2017b), integrating our modified Brands' credential system into (Augot et al., 2017b) results in a non-transferable and GDPR-compliant system while maintaining efficiency. Moreover, there is a tradeoff between efficiency and multi-show unlinkability, since Brands digital credentials are by design single-use. If unlinkability of credentials is required, then the credential must be reissued in digital credentials; otherwise an anonymous credential scheme should be employed at the cost of decreased efficiency. As a final note, we emphasize that (Augot et al., 2017a; 2019; Yu et al., 2020) provide a credential revocation feature. Therefore, if we integrate our modified credential schemes into (Augot et al., 2017a; 2019; Yu et al., 2020), we achieve both non-transferability and credential revocation features simultaneously.

Table 2 – Credential schemes with Selective Disclosure, including the modified versions in Sections 2.2 and 3.3, and their applications on BBIM. +: for biometric attributes and Right to Erasure, NC: Non-comparable, ∗: Yes for (Bissessar et al., 2014), †: Private Blockchain, DDL: Double Discrete Log.

| Scheme | Multi-show Unlinkable | Blockchain type | Biometric Non-transferability | GDPR-Compliance+ | On-chain Storage | Underlying Crypto-primitives | Computational Cost |
|---|---|---|---|---|---|---|---|
| U-prove (Paquin and Zaverucha, 2011) | No | NC | No | NC | NC | Blind Signature (Brands, 2000) | Low |
| Adams (2011); Bissessar et al. (2014) | No | NC | Yes | No∗ | NC | Blind Signature (Brands, 2000) + DDL | High |
| Modified (Section 2.2) | No | NC | Yes | Yes | NC | Blind Signature (Brands, 2000) | Low |
| Idemix (IBM, 2010) | Yes | NC | No | NC | NC | CL-signatures (Camenisch and Lysyanskaya, 2004) | High |
| Blanton and Hudelson (2009) | Yes | NC | Yes | Yes | NC | CL-signatures (Camenisch and Lysyanskaya, 2004) | High |
| Modified (Section 3.3) | Yes | NC | Yes | Yes | NC | PS-signatures (Pointcheval and Sanders, 2016) | Medium |
| DAC (Garman et al., 2014a) | Yes | Bitcoin | No | NC | Yes | Zerocoin (Miers et al., 2013) (DDL) | High |
| Identity Mixer (Fabric, 2019) | Yes | Hyperledger | No | NC | NC† | Idemix (Camenisch and Lysyanskaya, 2004; IBM, 2010) | High |
| Coconut (Sonnino et al., 2019) | Yes | Ethereum | Yes, if modified | No | Yes | PS-signatures (Pointcheval and Sanders, 2016) | Medium |
| BASS (Yu et al., 2020) | Yes | Ethereum | Yes, if modified | No | Yes | PS-signatures (Pointcheval and Sanders, 2016) | Medium |
| Augot et al. (2017a) | No | Bitcoin | Yes, if modified | No | Yes | DLRep (Brands, 2000) | Low |
| Augot et al. (2017b) | No | Bitcoin | Yes, if modified | Yes | No | DLRep (Brands, 2000) | Low |
| Augot et al. (2019) | No | Bitcoin | Yes, if modified | No | Yes | DLRep (Brands, 2000) | Low |

5. Conclusion

In this paper, we evaluated two different approaches for biometric-based non-transferable credentials and showed their limitations in terms of efficiency and security. The main difference between those two methods results from the underlying credential scheme, which can be categorized either as a digital or an anonymous credential. The former is a single-show credential, whereas the latter is a multi-show credential providing unlinkability at the cost of efficiency. Hence, constructing multi-show unlinkable credentials based on Brands DLRep could be an interesting future work. Finally, our modified schemes are by design generic: they can work with existing secure sketches/fuzzy extractors implemented on various biometrics (Dodis et al., 2004; Li et al., 2006; Mihăilescu et al., 2015; Nandakumar et al., 2007; Uludag and Jain, 2006). Thus, we leave it as future work to implement our modified schemes using different extractors and suitable biometrics.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgement

The author is grateful to Prof. Dr. Joachim von zur Gathen for his valuable support and interest. The author would like to thank all the editors and reviewers for their comments on artificial neural networks and security/performance analysis.

Appendix

In this section, we review the Oblivious Pseudorandom Function (OPRF) scheme of (Jarecki and Liu, 2009) summarized in Algorithm 1 and the fuzzy vault for fingerprints shown in Fig. 4.
R E F E R E N C E S

Adams C. Achieving non-transferability in credential systems using hidden biometrics. Secur. Commun. Netw. 2011;4(2):195–206.
Au MH, Susilo W, Mu Y. Proof-of-knowledge of representation of committed value and its applications. In: ACISP'10. Springer; 2010. p. 352–69.
Augot D, Chabanne H, Chenevier T, George W, Lambert L. A user-centric system for verified identities on the bitcoin blockchain. In: CBT'17. Springer; 2017. p. 390–407.
Augot D, Chabanne H, Clémot O, George W. Transforming face-to-face identity proofing into anonymous digital identity using the bitcoin blockchain. In: PST'17. IEEE; 2017. p. 25–34.
Augot D, Chabanne H, George W. Practical solutions to save b
itcoins applied to an identity system proposal. In: ICISSP'19. SciTePress; 2019. p. 511–18.
Bernal Bernabe J, Canovas JL, Hernandez-Ramos JL, Torres Moreno R, Skarmeta A. Privacy-preserving solutions for blockchain: review and challenges. IEEE Access 2019;7:164908–40.
Bissessar D, Adams C, Liu D. Using biometric key commitments to prevent unauthorized lending of cryptographic credentials. In: PST'14. IEEE; 2014. p. 75–83.
Blanton M, Hudelson WMP. Biometric-based non-transferable anonymous credentials. In: ICICS'09. Springer; 2009. p. 165–80.
Brands SA. Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press; 2000.
Camenisch J, Lysyanskaya A. Signature schemes and anonymous credentials from bilinear maps. In: CRYPTO'04. Springer; 2004. p. 56–72.
Chase M, Meiklejohn S, Zaverucha G. Algebraic MACs and keyed-verification anonymous credentials. In: ACM SIGSAC'14. ACM; 2014. p. 1205–16.
Dodis Y, Reyzin L, Smith A. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: EUROCRYPT'04. Springer; 2004. p. 523–40.
Fabric H. MSP implementation with Identity Mixer; 2019. Available at: https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemix.html.
Garman C, Green M, Miers I. Decentralized anonymous credentials. In: NDSS'14; 2014. p. 459–74.
Garman C, Green M, Miers I, Rubin AD. Rational zero: economic security for zerocoin with everlasting anonymity. In: FC'14. Springer; 2014. p. 140–55.
IBM. Specification of the Identity Mixer cryptographic library (revised version 2.3.0). IBM Research Report RZ 3730; 2010.
Impagliazzo R, More SM. Anonymous credentials with biometrically-enforced non-transferability. In: WPES'03. ACM; 2003. p. 60–71.
Jana A, Sarker MK, Ebrahimi M, Hitzler P, Amariucai GT. Neural fuzzy extractors: a secure way to use artificial neural networks for biometric user authentication. arXiv:2003.08433; 2020.
Jarecki S, Liu X. Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection. In: TCC'09. Springer; 2009. p. 577–94.
Li Q, Sutcu Y, Memon ND. Secure sketch for biometric templates. In: ASIACRYPT'06. Springer; 2006. p. 99–113.
Malygin A, Seilova N, Boskebeev K, Alimseitova Z. Application of artificial neural networks for handwritten biometric images recognition. Comput. Modell. New Technol. 2017;21(1):31–8.
Miers I, Garman C, Green M, Rubin AD. Zerocoin: anonymous distributed e-cash from bitcoin. In: SP'13. IEEE; 2013. p. 397–411.
Mihăilescu P, Munk A, Tams B. Security considerations in minutiae-based fuzzy vaults. IEEE TIFS 2015;10(5):985–98.
Nandakumar K, Jain AK, Pankanti S. Fingerprint-based fuzzy vault: implementation and performance. IEEE TIFS 2007;2(4):744–57.
Paquin C, Zaverucha G. U-Prove Cryptographic Specification V1.1. Technical Report, Microsoft Corporation; 2011.
Pointcheval D, Sanders O. Short randomizable signatures. In: CT-RSA'16. Springer; 2016. p. 111–26.
Sarier N. Efficient biometric-based identity management on the blockchain for smart industrial applications. Pervasive Mob. Comput. 2021;71(1):101322.
Sarier ND. Multimodal biometric identity based encryption. Future Gener. Comp. Syst. 2018;80:112–25.
Sonnino A, Al-Bassam M, Bano S, Meiklejohn S, Danezis G. Coconut: threshold issuance selective disclosure credentials with applications to distributed ledgers. In: NDSS'19; 2019.
Uludag U, Jain A. Securing fingerprint template: fuzzy vault with helper data. In: CVPRW'06. IEEE; 2006.
Yu Y, Zhao Y, Li Y, Wang L, Du X, Guizani M. Blockchain-based anonymous authentication with selective revocation for smart industrial applications. IEEE Trans. Ind. Inf. 2020;16(5):3290–300.

N. Deniz Sarier received her M.Sc. degree in Media Informatics from RWTH Aachen, and her Ph.D. degree in Computer Science from B-IT, cosec of Bonn University, Germany, in 2007 and 2013, respectively. She is currently an external researcher at the computer security group of B-IT and a visiting lecturer at ITU on Blockchain Technologies. Her research interests include biometric security and public-key cryptography, in particular the integration of biometrics into cryptographic applications.