A novel privacy-preserving biometric authentication scheme (2024)

Journal List
PLoS One
PMC10212112

As a library, NLM provides access to scientific literature. Inclusion in an NLM database does not imply endorsem*nt of, or agreement with, the contents by NLM or the National Institutes of Health.
Learn more: PMC Disclaimer | PMC Copyright Notice

PLoS One. 2023; 18(5): e0286215.

Published online 2023 May 25. doi:10.1371/journal.pone.0286215

PMCID: PMC10212112

PMID: 37228099

Xuechun Mao, Writing – original draft,¹ Ying Chen, Conceptualization, Funding acquisition, Writing – review & editing,^1,^* Cong Deng, Data curation, Formal analysis, Software,² and Xiaqing Zhou, Conceptualization, Software, Validation³

Pandi Vijayakumar, Editor

Author information Article notes Copyright and License information PMC Disclaimer

Associated Data

Supplementary Materials

Data Availability Statement

Abstract

Most existing secure biometric authentication schemes are server-centric, and users must fully trust the server to store, process, and manage their biometric data. As a result, users’ biometric data could be leaked by outside attackers or the service provider itself. This paper first constructs the EDZKP protocol based on the inner product, which proves whether the secret value is the Euclidean distance of the secret vectors. Then, combined with the Cuproof protocol, we propose a novel user-centric biometric authentication scheme called BAZKP. In this scheme, all the biometric data remain encrypted during authentication phase, so the server will never see them directly. Meanwhile, the server can determine whether the Euclidean distance of two secret vectors is within a pre-defined threshold by calculation. Security analysis shows BAZKP satisfies completeness, soundness, and zero-knowledge. Based on BAZKP, we propose a privacy-preserving biometric authentication system, and its evaluation demonstrates that it provides reliable and secure authentication.

Introduction

Biometric authentication has been popular in services such as access control to authenticate individuals based on their biometrics. In contrast to the passwords or tokens used in conventional authentication systems, biometric data, such as fingerprint, face, or gait, can physically authenticate an individual with high assurance. Biometric data is unique and safe for every individual. With the help of powerful computer and network technology, biometrics offer the advantages of uniqueness, permanence, and reliability.

However, biometric data is prone to diverse variations and distortions due to inherent and environmental noise. Thus, biometric authentication generally employs an error tolerance mechanism. Namely, the service provider uses a biometric vector w as a template stored in a central database, and then the user submits a new vector w′ to the service provider for authentication. The user’s authentication will succeed if w and w′ are close enough under a certain distance metric.

This biometric authentication model above is server-centric, as the service provider is responsible for securing the templates and receiving the user’s biometric information in plain text. This model has several unavoidable drawbacks. First, users must completely trust the service provider to protect their templates. However, malicious service providers may misuse the templates for profit, and security attacks may result in template leakage and violation of user privacy. Second, the templates must be recovered in plaintext for distance computation and comparison, which makes it possible for adversaries to spy on the registered or freshly submitted templates. To meet these challenges, it is necessary to propose a secure, privacy-preserving, and user-centered scheme [1, 2].

To address these issues, we propose a biometric authentication zero-knowledge proof (BAZKP) scheme that preserves the benefits of biometric authentication while enhancing its security. The BAZKP is a security, privacy-protection, and user-centered authentication scheme that combines biometric technology with a zero-knowledge proof (ZKP) protocol to authenticate users while maintaining anonymity. We also provide security proofs to show that our scheme guarantees privacy for users. Moreover, we have developed a privacy-preserving biometric authentication system to accomplish a complete life cycle of BAZKP.

Related work

Zero-Knowledge Proof (ZKP)

Goldwasser et al. [3] first mentioned the ZKP in 1985, which enables a prover to convince a verifier that some statement is true without revealing anything more than the truth of the statement. Then, lots of research on ZKP protocols and many kinds of ZKP protocols were proposed, such as zk-SNARK and range proof. Maller et al. [4] proposed the first zk-SNARK with entirely succulent verification for general arithmetic circuits with SRS, known as Sonic. After that, Gabizon et al. proposed a more efficient zk-SNARK which is called PLONK [5]. To make improvements on the efficiency of zk-SNARK, Lately Bünz et al. proposed Super Sonic [6].

On the other hand, Brickell et al. [7] stated the first correlative algorithm of range proof. After that, in 1998, Chan et al. [8] proposed a kind of range proof whose security depends on modulus. It is called CTF. Using Lagrange’s four-square theorem [9], Lipmaa [10] published a proof of any range for the first time. In 2005, based on Lagrange’s four-square theorem, Groth [11] demonstrated that 4y+ 1 could be represented as the sum of the squares of some three integers if y was a non-negative integer. Bootle et al. [12] improved the efficiency of ZKP by using the inner product method and recursion. In 2018, Bünz et al. proposed a range proof scheme which is called Bulletproofs [13]. Based on these works, Deng et al. [14] presented the Cuproof, a novel range proof scheme for any range. The time, communication costs and proof size of that scheme are maintained within a constant range regardless of how large the proof interval is.

Biometric authentication

The two primary types of biometrics applications [15] are biometric authentication and biometric identification. The existing research mainly focused on privacy-preserving biometric identification [16, 17], in which a server database is assumed to contain the templates of the registered users and their corresponding identities. Barni et al. [16] presented a privacy preserving protocol for fingerprint-based authentication. In 2018, Zhou et al. [18] proposed a user-centric biometric authentication system that allows users to use the proposed lightweight encryption approach to encrypt their templates. To improve the performance of each biometric system, Hammad et al. [19] proposed a secure multimodal biometric system using convolution neural network (CNN) and Q-Gaussian multi-support vector machine (QG-MSVM) based on different level fusion.

Privacy-preserving scheme

In recent years, privacy protection has become a crucial area of research and many researchers conducting extensive studies in this field. Zhang et al. [20] proposed a new privacy-preserving biometric identification scheme, in which they introduced perturb terms in each biometric data. Zhou et al. [18] proposed a user-centric biometric authentication scheme that enabled end-users to encrypt their own templates with the proposed light-weighted encryption scheme. Lee et al. [21] presented a new biometric authentication system based on blockchain which provided a decentralized and distributed mechanism for processing biometric authentication.

In addition, Azees et al. [22] proposed an efficient anonymous authentication scheme to avoid malicious vehicles entering into the VANET. After that, in 2022, Zhou et al. [23] introduced a security-enhanced solution for VANETs, whichj can resist a signature forgery attack. Liu et al. [24] proposed a novel privacy-preserving DSSE scheme for IIoTH system, which was the first DSSE scheme designed for personal health record (PHR) files database with forward security. Yang et al. [25] proposed a novel oblivious data sharing scheme employing the designed 1-out-of-n oblivious transfer protocol to achieve an efficient location-based service for users while effectively hiding location coordinates and protecting the privacy of users and servers. Wei et al. [26] presented a privacy-preserving implicit authentication framework using users’ behavior features sensed by the mobile intelligent terminal based on the artificial intelligence methodology. An efficient affine cipher-based encryption technique is proposed by Azees et al. [27] to offer a high level of confidentiality with smaller key size compared to existing encryption techniques.

To address these security flaws, Subramani et al. [28] proposed a computationally efficient privacy-preserving anonymous authentication scheme for resource-limited WBAN. In 2022, Rajasekaran et al. [29] preserved the privacy and the anonymity of the end-users (patient/doctor) using an anonymous blockchain-based authentication scheme. To overcome IoHT imposes security challenges in maintaining patient data confidentiality and privacy, a novel blockchain-based privacy-preserving authentication scheme is proposed by Rajasekaran et al. [30] as an approach for achieving efficient authentication of the patient without the involvement of a trusted entity. Jegadeesan et al. [31] proposed a public key encryption based computationally efficient mutual authentication protocol for secure data transmission between incubator monitoring systems and doctors or administrators.

Contributions

The main contributions of this paper are summarized as follows:

We employ the inner product to construct the Euclidean Distance Zero-knowledge Proof (EDZKP) protocol and prove that the protocol satisfies perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation.
By combining ZKP with biometric authentication, we construct a novel biometric authentication scheme called BAZKP. In this scheme, the EDZKP protocol guarantees that the secret value v is the Euclidean Distance between the secret vectors w and w′, and the Cuproof protocol proves whether the secret value v is within the range [0, e]. We also provide security proof to show that our scheme guarantees privacy for users.
Based on the proposed scheme, we present a privacy-preserving biometric authentication system enabling users to utilize their biometric data for authentication while preserving users privacy. We show its viability and operational efficacy by implementing the proposed system. The experimental data obtained from our tests show the system’s potential for real-world deployment.

Preliminaries

Before we state our scheme, we first note some underlying tools. In this paper, $A$ is a PPT adversary, which is a probabilistic interactive Turing machine that runs in polynomial time in the security parameter λ.

Assumptions

Groups of unknown order. In order to keep the soundness of our scheme, we use the RSA group $G$ where the order of the group is unknown. The RSA group is generated by a trusted setup.

RSA group. In the multiplicative group $G$ of integers modulo n where n is the product of the large primes p and q. The hardness of computing the order of the group $G$ is as the same as the hardness of factoring n.

Assumption 1 (Discrete Log Relation Assumption)For all PPT adversaries $A$ and for all j ≥ 2, there exists a negligible function μ(λ) such that

$\begin{matrix} P [\begin{matrix} G = Setup (1^{λ}), \\ g_{1}, \dots, g_{j} \overset{$}{\leftarrow} G; \\ a_{1}, \dots, a_{j} \in Z_{n} \leftarrow A (g_{1}, \dots, g_{j}) \end{matrix} : \begin{matrix} \exists a_{i} \neq 0, \\ \prod_{i = 1}^{j} g_{i}^{a_{i}} = 1 \end{matrix}] ⩽ μ (λ) . \end{matrix}$

(1)

As Bünz et al. [13] stated, $\prod_{i = 1}^{j} g_{i}^{a_{i}} = 1$ is a non-trivial discrete log relation between g₁, …, g_j. The discrete log relation assumption ensures that an adversary can’t find a non-trivial relation between randomly selected group elements. This assumption is equivalent to the discrete-log assumption when j ≥ 1.

Assumption 2 (Order Assumption)The Order Assumption holds for Setup if for any efficient adversary $A$ there exists a negligible function μ(λ) such that

$\begin{matrix} P [\begin{matrix} g_{1} \neq 1 \land g_{1}^{a_{1}} = 1 : \end{matrix} \begin{matrix} G \overset{$}{\leftarrow} Setup (λ), \\ (g_{1}, a_{1}) \overset{$}{\leftarrow} A (G), \\ where a_{1} \neq 0 \in Z_{n}, \\ and g_{1} \in G \end{matrix}] \leq μ (λ) . \end{matrix}$

(2)

Lemma 1The Order Assumption implies the Discrete Log Relation Assumption.

Proof. We show that if adversary $A_{O r d}$ breaks the Order Assumption, then we can construct $A_{D L}$ which breaks the Discrete Log Relation Assumption with overwhelming probability. To get a vector $(g_{1}, g_{2}, \dots, g_{j}) \in G^{j}$ and a vector $(a_{1}, a_{2}, \dots, a_{j}) \in Z_{n}^{j}$ such that $g_{1}^{a_{1}} \cdot g_{2}^{a_{2}} \dots g_{n}^{a_{n}} = 1$ where g_i ≠ 1, a_i ≠ 0 and i ∈ {1, 2, …, j}, we run $A_{O r d}$ for n times and it will outputs $g_{j} \in G$ and $a_{j} \in Z$ such that $g_{j}^{a_{j}} = 1$ for j = 1, …, n. And it follows $\prod_{j = 1}^{n} g_{j}^{a_{j}} = 1$ .

Commitments

We adopt the following definitions from [14] for our notation.

Definition 1 (Commitments)A non-interactive commitment scheme consists of a pair of probabilistic polynomial time algorithms (Setup, Com). The setup algorithm pp ← Setup(1^λ) generates the public parameters pp with the security parameter λ. The commitment algorithm Com_ppdefines a function M_pp × R_pp → C_ppfor a message space M_pp, a randomness space R_ppand a commitment space C_ppdetermined by pp. For a message x ∈ M_pp, the algorithm draws $r \overset{$}{\leftarrow} R_{p p}$ uniformly at random, and computes the commitmentcom = Com_pp(x, r).

Definition 2 (hom*omorphic Commitments)A hom*omorphic commitment scheme is a non-interactive commitment scheme such that (M_pp, *), (R_pp, +), and (C_pp, +) are all abelian groups, and for all x₁, x₂ ∈ M_pp, r₁, r₂ ∈ R_pp, we have

$\begin{matrix} Com (x_{1}; r_{1}) * Com (x_{2}; r_{2}) = Com (x_{1} + x_{2}; r_{1} + r_{2}) . \end{matrix}$

(3)

Here (M_pp, *) can be additive or multiplicative. For ease of notation, we drop pp in the subindex.

Definition 3 (Hiding Commitment)A commitment scheme is said to be hiding if for every PPT adversary $A$ there exists a negligible functionμ(λ) such that

$\begin{matrix} |P [\begin{matrix} b = b^{'} & |\begin{matrix} p p \leftarrow Setup (1^{λ}); \\ (x_{0}, x_{1}) \in M_{p p}^{2} \leftarrow A (p p), \\ b \overset{$}{\leftarrow} (0, 1), r \overset{$}{\leftarrow} R_{p p}, \\ c o m = Com (x_{b}; r), \\ b^{'} \leftarrow A (p p, c o m) \end{matrix} \end{matrix}] - \frac{1}{2}| \leq μ (λ), \end{matrix}$

(4)

where the probability is over b, r, Setup and $A$ . If μ(λ) = 0 then we say that the scheme is perfectly hiding.

Definition 4 (Binding Commitment)A commitment scheme is said to be binding if for every PPT adversary $A$ there exists a negligible function μ such that

$\begin{matrix} P [\begin{matrix} \begin{matrix} Com (x_{0}; r_{0}) = Com (x_{1}; r_{1}), \\ x_{0} \neq x_{1} \end{matrix} & |\begin{matrix} p p \leftarrow Setup (1^{λ}), \\ x_{0}, x_{1}, r_{0}, r_{1} \leftarrow A (p p) \end{matrix} \end{matrix}] \leq μ (λ), \end{matrix}$

(5)

where the probability is over Setup and $A$ . If μ(λ) = 0, then we say that the scheme is perfectly binding.

In the following content, to ensure that the discrete log in the groups we used is intractable for PPT adversaries, the order of these groups is implicitly dependent on the security parameter.

Definition 5 (Pedersen Commitment) $M_{p p}, R_{p p} = Z_{n} and C_{p p} = (G, *)$ being a multiplicative group.

$\begin{matrix} Setup : g, h \overset{$}{\leftarrow} G, \end{matrix}$

(6)

$\begin{matrix} Com (x; r) = (g^{x} h^{r}) . \end{matrix}$

(7)

Definition 6 (Pedersen Vector Commitment) $M_{p p} = Z_{n}^{j}, R_{p p} = Z_{n} and C_{p p} = (G, *)$ being a multiplicative group.

$\begin{matrix} Setup : g = (g_{1}, \dots, g_{j}), h \overset{$}{\leftarrow} G, \end{matrix}$

(8)

$\begin{matrix} Com (x = (x_{1}, \dots, x_{j}); r) = h^{r} g^{x} = h^{r} \prod_{i} g_{i}^{x_{i}} \in G . \end{matrix}$

(9)

The Pedersen vector commitment for the group $G$ is perfectly hiding and computationally binding under the discrete logarithm assumption. In the definition, r is chosen at random.

Zero-knowledge arguments of knowledge

In our scheme, we construct the zero-knowledge arguments of knowledge. A zero-knowledge proof of knowledge means a prover can convince a verifier that some statements hold without revealing any information of the knowledge. An argument is a proof that holds when the prover is computationally bounded and certain computational hardness assumptions hold. The formal definitions are as follows.

Zero-knowledge arguments consist of three interactive algorithms (Setup, $P$ , $V$ ), which run in probabilistic polynomial time. Setup is the common reference string generator, $P$ is the prover and $V$ is the verifier. The algorithm Setup produces a common reference string σ on inputting 1^λ. The transcript produced by $P$ and $V$ is denoted by $t r \leftarrow < P (s), V (t) >$ , when they interact on the inputs s and t. We write $[P (s), V (t)] = b$ where b = 0 if verifier rejects, b = 1 if verifier accepts.

We let $R \subset {0, 1}^{*} \times {0, 1}^{*} \times {0, 1}^{*}$ be a polynomial-time-decidable ternary relation. Given a parameter σ, the w is a witness for a statement u only if $(σ, u, w) \in R$ . We define the CRS-dependent language

$\begin{matrix} L_{σ} = {u | \exists w : (σ, u, w) \in R} \end{matrix}$

(10)

as the set of all the statements which have a witness w in the relation $R$ .

Definition 7 (Argument of Knowledge)The triple $(Setup, P, V)$ is called an argument of knowledge for relation R if it satisfies both the Perfect Completeness and Computational Witness-Extended Emulation as defined in [13], respectively.

Definition 8 (Perfect Completeness) $(Setup, P, V)$ has perfect completeness if for all non-uniform polynomial time adversaries $A$

$\begin{matrix} P [\begin{matrix} \begin{matrix} (σ, u, w) \notin R \\ o r [P (σ, u, w), V (σ, u)] = 1 \end{matrix} | & \begin{matrix} σ \leftarrow Setup (1^{λ}) \\ (u, w) \leftarrow A (σ) \end{matrix} \end{matrix}] = 1 . \end{matrix}$

(11)

Definition 9 (Computational Witness-Extended Emulation)For every deterministic polynomial time $P^{*}$ there exists an expected polynomial time emulator ε such that for every pair of interactive adversaries $A_{1} and A_{2}$ , there exists a negligible function μ(λ)

$\begin{matrix} |\begin{matrix} P [\begin{matrix} A_{1} (t r = 1) & |\begin{matrix} σ \leftarrow Setup (1^{λ}), \\ (u, s) \leftarrow A_{2} (σ), \\ t r \leftarrow 〈 P^{*} (σ, u, s), \\ V (σ, u) 〉 \end{matrix} \end{matrix}] - \\ P [\begin{matrix} A_{1} (t r) = 1 \\ \land (t r is accepting \\ \Rightarrow (σ, u, w) \in R) \end{matrix} |\begin{matrix} σ \leftarrow Setup (1^{λ}), \\ (u, s) \leftarrow A_{2} (σ), \\ (t r, w) \leftarrow ε^{O} (σ, u) \end{matrix}] \end{matrix}| \leq μ (λ), \end{matrix}$

(12)

where the oracle is given by $O = 〈 P^{*} (σ, u, s), V (σ, u) 〉$ , and permits rewinding at each round after the prover commits and resuming with fresh randomness for the verifier from this point onwards, then we say $(Setup, P, V)$ has witness-extended emulation.

Definition 10 (Public Coin)An argument of knowledge $(Setup, P, V)$ is called public coin if all messages sent from the verifier to the prover are chosen uniformly at random and independent of the prover’s messages, i.e., the challenges correspond to the randomness ρ.

Definition 11 (Perfect Special Honest-Verifier Zero-Knowledge)A public coin argument of knowledge $(Setup, P, V)$ is a perfect special honest verifier zero knowledge (SHVZK) argument of knowledge for $R$ if there exists a probabilistic polynomial time simulator $S$ such that for every pair of interactive adversaries $A_{1} and A_{2}$ :

$\begin{matrix} \begin{matrix} P [\begin{matrix} (σ, u, w) \in R and A_{1} (t r) = 1 & |\begin{matrix} σ \leftarrow Setup (1^{λ}) \\ (u, w, ρ) \leftarrow A_{2} (σ), \\ t r \leftarrow 〈P (σ, u, w), \\ V (σ, u; ρ)〉 \end{matrix} \end{matrix}] \\ = P [\begin{matrix} (σ, u, w) \in R and A_{1} (t r) = 1 & |\begin{matrix} σ \leftarrow Setup (1^{λ}), \\ (u, w, ρ) \leftarrow A_{2} (σ), \\ t r \leftarrow S (u, ρ) \end{matrix} \end{matrix}] \end{matrix} \end{matrix}$

(13)

where ρ is the public coin randomness used by the verifier. The “transcript” can be simulated by S without knowing w.

In this definition, the adversary chooses a distribution over statements and witnesses. However, the adversary still cannot distinguish between the simulated and the honestly generated transcripts for valid statements and witnesses.

Now we define range proofs. Range proofs are the proofs that the prover knows an opening to a commitment in which the committed value is in a certain range. Range proofs can be used to state that an integer commitment is for a positive number or when two hom*omorphic commitments are added together, it will not overflow when they are taken modulo the given prime, and these two hom*omorphic commitments are the commitments to the elements in a prime field.

Definition 12 (Zero-Knowledge Range Proof)Given a commitment scheme (Setup, Com) over a message space M_ppwhich is a set with a total ordering, a zero-knowledge range proof is a SHVZK argument of knowledge for the relation:

$\begin{matrix} R_{Range} : (p p, (com, l, r), (x, ρ)) \in R_{Range} \leftrightarrow com = Com (x; ρ) \land (l \leq x < r) . \end{matrix}$

(14)

Theorem 1 (Lagrange’s three-square theorem)If x is a positive integer, then 4x + 1 can be written as the sum of three squares.

The proof for Theorem 1 is given in [9, 11] offered an efficient and simple algorithm for finding three such squares. Theorem 1 also means writing 4x + 1 as the sum of three squares implies that x is non-negative.

Notation

Let [N] denote the set {1, …, N−1}. Let p and q denote two prime numbers. Let $G$ denote the multiplicative group of integers modulo n, where n is the product of p and q, i.e. $G$ is a RSA group. Let $Z_{n}$ denote the ring of integers modulo n. Let $Z$ denote the set of all integers. Let $G^{j}$ and $Z_{n}^{j}$ be vector spaces of dimension j over $G$ and $Z_{n}$ , respectively. Let $Z_{n}^{*}$ denote $Z_{n} \ {0}$ . Group elements which represent commitments are capitalized. For example, C = g^ah^α is a Pedersen commitment to a for $g, h \in G$ . $x \overset{$}{\leftarrow} Z_{n}^{*}$ means the uniform sampling of an element from $Z_{n}^{*}$ . In this paper, $a \in F^{j}$ is a vector with elements $a_{1}, \dots, a_{j} \in F$ . For an element $c \in Z_{n}$ and a vector $a \in Z_{n}^{j}$ , we denote by $b = c \cdot a \in Z_{n}^{j}$ the vector with b_i = c⋅a_i. For the two vectors $a, b \in F^{j}$ , let $〈 a, b 〉 = \sum_{i = 1}^{j} a_{i} \cdot b_{i}$ denote the inner product and $a \circ b = (a_{1} \cdot b_{1}, \dots, a_{j} \cdot b_{j}) \in F^{j}$ the Hadamard product, respectively. We define vector polynomials $P (x) = \sum_{i = 0}^{d} p_{i} \cdot x^{i} \in Z^{j} [x]$ where each coefficient p_i is a vector in $Z^{j}$ . The inner product between two vector polynomials l(x) and r(x) is defined as

$\begin{matrix} ⟨ l (x), r (x) ⟩ = \sum_{i = 0}^{d} \sum_{j = 0}^{i} ⟨ l_{i}, r_{j} ⟩ \cdot x^{i + j} \in Z [x] \end{matrix}$

(15)

Let a‖b denote the concatenation of two vectors: if $a \in Z_{n}^{j}$ and $b \in Z_{n}^{m}$ then $a ∥ b \in Z_{n}^{j + m}$ . For 0 ≤ ℓ ≤ s, we use Python notation to denote slices of vectors:

$\begin{matrix} a_{[: ℓ]} = a_{[0 : ℓ]} = (a_{1}, \dots, a_{ℓ}) \in F^{ℓ}, \end{matrix}$

(16)

$\begin{matrix} a_{[ℓ :]} = a_{[ℓ : s]} = (a_{ℓ + 1}, \dots, a_{s}) \in F^{s - ℓ} . \end{matrix}$

(17)

Let t(x) = 〈l(x), r(x)〉, then the inner product is defined such that t(x) = 〈l(x), r(x)〉 holds for all $x \in Z_{n}$ . For vectors $g = (g_{1}, \dots, g_{j}) \in G^{j}$ and $a \in Z_{n}^{j}$ we write $C = g^{a} = \prod_{i = 1}^{j} g_{i}^{a_{i}} \in G$ . For 1 ≤ u we set $\vec{u} = (1, 2, 3, \dots, u) \in Z^{u}$ .

Biometric Authentication Zero-Knowledge Proof (BAZKP) scheme

In this section, we introduce our BAZKP scheme. First, we state the EDZKP protocol and the Cuproof protocol, which are essential components of the BAZKP scheme.

EDZKP protocol

In the EDZKP protocol, The vector w,w′,d is a secret vector encrypted by the prover based on its biometric data, where $w, w^{'} \in Z^{m}$ and d = w′−w. The secret value v is the Euclidean Distance between w and w′, i.e. v = 〈d, d〉. We will use the EDZKP protocol to prove the following relationship:

$\begin{matrix} {(g, h, V \in G; v, r \in Z_{n}; w, w^{'}, d \in Z^{m}) : V = h^{r} g^{v}, ⟨ d, d ⟩ = v, d = w - w^{'}} . \end{matrix}$

(18)

Theorem 2 (EDZKP protocol)The EDZKP protocol presented in this section satisfies perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation.

Proof. The proof for Theorem 2 is given in S2 Appendix.

EDZKP Protocol ( $V \in G; v \in Z_{n}; w, w^{'}, d \in Z^{m}$ )

$P gets d, w, w^{'}, where 〈 d, d 〉 = v, d = w - w^{'};$
$P selects α, β, θ, ϕ \overset{$}{\leftarrow} Z_{n};$
$P computes D = h^{α} g^{d} h^{d} \in G, W = h^{β} g^{w} h^{w} \in G, W^{'} = h^{θ} g^{w^{'}} h^{w^{'}} \in G, K = h^{ϕ} \in G;$
$P selects s_{L}, s_{R} \overset{$}{\leftarrow} Z_{n}^{m}$ , $ρ \overset{$}{\leftarrow} Z_{n};$
$P computes S = h^{ρ} g^{s_{L}} h^{s_{R}} \in G;$
$P \to V : D, W, W^{'}, S, K;$
$V selects y, z, c \overset{$}{\leftarrow} Z_{n}^{*}$
$V \to P : y, z, c;$
$P selects τ_{1}, τ_{2} \overset{$}{\leftarrow} Z_{n};$
$P computes T_{i} = g^{t_{i}} h^{τ_{i}} \in G,$ where t_i can be computed without knowing l and r, i.e. t_i is the coefficient of 〈l(x), r(x)〉, respectively. $i = {1, 2}, e = c (θ + α - β) + ϕ \in Z;$
$P \to V : T_{1}, T_{2}, e;$
$V selects x \overset{$}{\leftarrow} Z_{n}^{*};$
$V \to P : x;$
$P computes l = l (x) = d z - y + s_{L} x \in Z^{m}, r = r (x) = d z + y + s_{R} x \in Z^{m}, \hat{t} = 〈 l, r 〉 = t_{0} + t_{1} x + t_{2} x^{2} \in Z;$
$P computes τ_{x} = τ_{2} \cdot x^{2} + τ_{1} \cdot x + z^{2} r \in Z, μ = α z + ρ x \in Z;$
$P \to V : τ_{x}, μ, \hat{t}, l, r;$
$V computes P = D^{z} \cdot S^{x} \cdot g^{- y} \cdot h^{y} \in G;$
$V checks these equations : P \overset{?}{=} h^{μ} \cdot g^{l} \cdot h^{r} \in G, g^{\hat{t}} h^{τ_{x}} \overset{?}{=} V^{z^{2}} g^{- δ (y)} \cdot T_{1}^{x} \cdot T_{2}^{x^{2}} \in G, \hat{t} \overset{?}{=} 〈 l, r 〉 \in Z, W^{c} h^{e} \overset{?}{=} W^{' c} \cdot D^{c} \cdot K .$

Cuproof protocol

One of the effective range proof protocols is the Cuproof [14] protocol. This protocol can maintain time, communication overhead, and proof size within a fixed range regardless of how large the proof interval is. We use the Cuproof protocol in BAZKP scheme to convince the verifier that the secret number v is in [a, b]. Based on Lagrange three-square theorem, we can find $a, b \in Z_{n}$ and $u = (u_{1}, u_{2}, u_{3}, u_{4}, u_{5}, u_{6}) \in Z_{n}^{6}$ such that the following conditions hold

$\begin{matrix} {\begin{matrix} u_{1}^{2} + u_{2}^{2} + u_{3}^{2} = 4 v - 4 a + 1 = v_{1} \in Z, \\ u_{4}^{2} + u_{5}^{2} + u_{6}^{2} = 4 b - 4 v + 1 = v_{2} \in Z . \end{matrix} \end{matrix}$

(19)

In this protocol, the $δ (y) = 〈 y, y 〉 \in Z and y \in Z^{6}$ . We will prove the following relations:

$\begin{matrix} {(g, h \in G, V \in G^{2}) : V_{j} = h^{r_{j}} g^{v_{j}} \forall j \in {1, 2}, V = g^{v} h^{r} \land v \in [a, b]} \end{matrix}$

(20)

Theorem 3 (Cuproof protocol)The Cuproof protocol presented in this section satisfies perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation.

Proof. The proof for Theorem 3 is given in [14]

Cuproof ( $V \in G; v, a, b \in Z$ ):

$P computes v_{1} = 4 v - 4 a + 1, v_{2} = 4 b - 4 v + 1 \in Z;$
$P selects α \overset{$}{\leftarrow} Z_{n};$
$P computes A = h^{α} \prod_{j = 1}^{2} g_{[3 (j - 1) : 3 j]}^{j \cdot d_{[3 (j - 1) : 3 j]}} \cdot \prod_{j = 1}^{2} h_{[3 (j - 1) : 3 j]}^{j \cdot d_{[3 (j - 1) : 3 j]}} \in G;$ ,
$P selects s_{L}, s_{R} \overset{$}{\leftarrow} Z_{n}^{6}$ , $ρ \overset{$}{\leftarrow} Z_{n};$
$P computes S = h^{ρ} g^{s_{L}} h^{s_{R}} \in G;$
$P \to V : A, S;$
$V selects y, z \overset{$}{\leftarrow} Z_{n}^{*};$
$V \to P : y, z;$
$P selects τ_{3}, τ_{4} \overset{$}{\leftarrow} Z_{n};$
$P computes computes T_{i} = g^{t_{i}} h^{τ_{i}} \in G$ where t_i can be computed without knowing l′ and r′, i.e. t_i is the coefficient of 〈l(x), r(x)〉 respectively. $i = {3, 4}, r_{1} = 4 r \in Z, r_{2} = - 4 r \in Z;$
$P \to V : T_{3}, T_{4};$
$V selects x \overset{$}{\leftarrow} Z_{n}^{*};$
$V \to P : x;$
$P computes l^{'} = z \cdot \sum_{j = 1}^{2} j \cdot (0^{3 (j - 1)} ∥ d_{[3 (j - 1) : 3 j]} ∥ 0^{3 (2 - j)}) - y + s_{L} x \in Z^{6}, r^{'} = z \cdot \sum_{j = 1}^{2} j \cdot (0^{3 (j - 1)} ∥ d_{[3 (j - 1) : 3 j]} ∥ 0^{3 (2 - j)}) + y + s_{R} x \in Z^{6}, \hat{t^{'}} = 〈 l^{'}, r^{'} 〉 \in Z;$
$P computes τ_{x}^{'} = τ_{4} x^{2} + τ_{3} x + z^{2} \sum_{j = 1}^{2} j^{2} \cdot r_{j} \in Z, μ^{'} = α z + ρ x \in Z;$
$P \to V : τ_{x}^{'}, μ^{'}, \hat{t^{'}}, l^{'}, r^{'};$
$V computes : P = A^{z} \cdot S^{x} \cdot g^{- y} \cdot h^{y} \in G, V_{1} = V^{4} \cdot g^{- 4 a} \cdot g = g^{4 v - 4 a + 1} h^{4 r} = g^{v_{1}} h^{r_{1}} \in G, V_{2} = g^{4 b} \cdot V^{- 4} \cdot g = g^{4 b - 4 v + 1} h^{- 4 r} = g^{v_{2}} h^{r_{2}} \in G, V = (V_{1}, V_{2}) \in G^{2};$
$V checks these equations : P \overset{?}{=} h^{μ^{'}} \cdot g^{l^{'}} \cdot h^{r^{'}} \in G, g^{\hat{t^{'}}} h^{τ_{x}^{'}} \overset{?}{=} V^{z^{2} \cdot (\vec{2} \circ \vec{2})} \cdot g^{- δ (y)} \cdot T_{3}^{x} \cdot T_{4}^{x^{2}} \in G, \hat{t^{'}} \overset{?}{=} 〈 l^{'}, r^{'} 〉 \in Z;$

Our scheme

The main idea of BAZKP scheme is set out below. Given three vectors $w, w^{'}, d \in Z^{m}$ , the secret vectors w and w′ are biometric data of $P$ , then the vectors w,w′ and d satisfy the following relation:

$\begin{matrix} w = w^{'} + d . \end{matrix}$

(21)

The objective of BAZKP scheme is to persuade the verifier $V$ that the secret vectors w,w′ belong to the same person, that is, the Euclidean Distance between w,w′ is smaller than e. Let $v = 〈 d, d 〉 \in Z$ , v is the Euclidean Distance between w and w′, the goal of this scheme is to prove that the secret value v ∈ [0, e].

In detail, we will prove the following relations:

$\begin{matrix} {(v \in Z; w, w^{'}, d \in Z^{m}; g, h, V \in G) : V = g^{v} h^{r}, w = w^{'} + d, v = ⟨ d, d ⟩, v \in [0, e]} . \end{matrix}$

(22)

First, we use Pedersen Commitment and Pedersen Vector Commitment to commit v, w,w′,d. Then, let $P, V$ run the EDZKP protocol and the Cuproof protocol to prove the equation w = w′+ d, v = 〈d, d〉, v ∈ [0, e]. The $V$ outputs “accept” only when the two protocols are ran successfully.

BAZKP scheme ( $V \in G; v, 0, e \in Z; w, w^{'}, d \in Z^{m}$ )

$P computes V = g^{v} h^{r} \in G and sends V to V;$
$P, V run$ EDZKP protocol $(V \in G; v \in Z; w, w^{'}, d \in Z^{m}) .$
$P, V run Cuproof protocol (V \in G; v, 0, e \in Z) .$
$V outputs “accept” only when that two protocols are ran successfully.$

Theorem 4 (BAZKP Scheme)The BAZKP scheme presented in this section satisfies perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation.

Proof. Because the EDZKP protocol and the Cuproof protocol satisfy perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation. Therefore, our BAZKP scheme has perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation.

This scheme can also be transformed into a NIZK scheme by using the Fiat-Shamir heuristic. For example, we set y = Hash(D‖W),z = Hash(D‖W′),c = Hash(D‖S),x = Hash(D‖K) in EDZKP protocol. And we set y = Hash(A‖S), z = Hash(τ_x||μ), x = Hash(T1‖T2) in Cuproof protocol.

Privacy-preserving biometric authentication system

In this section, we construct a privacy-preserving biometric authentication system based on BAZKP scheme and evaluate its comprehensive performance using fingerprints. Before anything else, we provide some crucial background information on biometric authentication. Then, we demonstrate how to build biometric authentication systems that protect user privacy using our suggested scheme.

Background

The first critical step in biometric authentication is efficiently transforming biometric traits into feature vectors that are easy to compute. We adopt fingerprint vectors w with length 299, generated from the fingerprint minutiae proposed in [32]. The conversion process consists of two sequential stages: generation of the minutia cylinder-code with the MCC SDK and the kernel principal component analysis (KPCA) transformation. Our experiments are carried out using FVC 2002 and FVC 2004. Each of these datasets has a Set A and Set B. We used Set B to generate the fixed-length vector and Set A for the verification. In the following discussion, we assume that a sensor can capture the user’s biometric trait and transform it into a fixed-length vector on the local side.

System construction

A privacy-preserving biometric authentication system is composed of four phases: setup, registration, query and authentication.

Setup: The user output the public parameters (g, h, g, h).
Registration: The user receives the binary fingerprint vector w from the sensor and stores it in his database. Then, the user generates the commitment of w (we use W to represent the commitment of w) and sends the W to the cloud server. The cloud server stores the tuple (g, h, g, h, W).
Query: The user uses the sensor to get a new binary fingerprint vector w′. Then, The user generates d by using d = w−w′, where the user’s local database contains w. Then the user sends d and ( $A, S, T_{1}, T_{2}, τ_{x}, μ, \hat{t}, l, r,$ $T_{3}, T_{4}, τ_{x}^{'}, μ^{'}, \hat{t^{'}}, l^{'}, r^{'}$ ) to the cloud server.
Authentication: Once the cloud sever receives W, it finds the tuple (W, g, h, g, h). The server runs the BAZKP scheme. Then, the server will output an authentication result.

Fig 1 shows the setup and registration phase, Fig 2 shows the query and authentication phase.

Open in a separate window

Fig 1

The setup and registration phase.

Open in a separate window

Fig 2

The query and authentication phase.

Security analysis

In this section, we briefly analyse the security strength of our proposed system with respect to various security attacks. First, we prove that the BAZKP scheme satisfies perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation. As a result, our proposed system based on BAZKP scheme also satisfies these properties. Referring to the security analysis in [27–31], we prove that our proposed system can effectively withstand various types of attacks, including replay attacks, man in the middle attacks, impersonation attacks, and message modification attacks. Additionally, our system also supports non-traceability, further enhancing its security capabilities.

Replay attack and man in the middle attack

In our proposed system, the cloud server receives the tuple (W, g, h, g, h) before authenticating the user’s identity. Once the data is received, the cloud server maps it to the timestamp and user identity and stores them in the database. This approach allows the cloud server to defend against replay attacks by verifying if the mapped data in the database matches the data sent by the user and if the time difference between them falls within a legal interval.

Additionally, the proposed system enables mutual authentication to be performed securely between the user and the cloud server, ensuring the system can withstand man in the middle attacks.

Impersonation attack and message modification attack

Suppose a malicious attacker sends the tuple ( $A, S, T_{1}, T_{2}, τ_{x}, μ, \hat{t}, l, r, T_{3}, T_{4}, τ_{x}^{'}, μ^{'}, \hat{t^{'}}, l^{'}, r^{'}, W, W^{'}$ ) to the cloud server where $W^{'} \neq h^{θ} g^{w^{'}} h^{w^{'}}$ . Once the attacker pass the authentication with overwhelming probability then it means the BAZKP scheme can not meet soundness. Since we have proven that the BAZKP scheme meets soundness, a message modification attack is impossible in the proposed system. Therefore our proposed system can withstand the message modification attack and impersonation attack.

Non-traceability

In this proposed system, we utilize Pedersen Vector Commitment to preserve the secret values, specifically W = h^θg^wh^w, based on the hardness of the DL assumption. Consider a scenario where an attacker has captured the value w from W. However, it is impossible for the attacker to compute w from W due to the difficulty of solving the DL assumption. Additionally, the user selects random numbers $α, β, θ, ϕ \in Z_{n}$ for each execution in our proposed system, and the BAZKP scheme also meets zero-knowledge. Therefore, our scheme supports non-traceability.

Implementation and performance analysis

In this section, we present the results of our evaluation and prototype implementation. Then, compare it with other existing related biometric authentication schemes.

Implementation

As a user-centric biometric authentication system, our system’s performance is evaluated on a personal laptop and a mobile phone. In the simulation, we utilize a mobile phone with Android 13 operating system, 3123 MHz CPU, and 8 GB RAM. We also use a personal laptop with macOS 11.2.2, Apple M1, and 8 GB RAM. The Java library UJMP and the C++ library Armadillo are used for server emulation of mobile phones and computers, respectively. At the same time, the client is written using React.

We noticed that performance depends on many factors. The system may not operate at its best due to the above choice. The size of the two primes p, q is set to 1024 bits. A Pedersen hash function over an RSA group whose modulo n = p*q is benchmarked. We generate witness refer to literature [9, 10]. We also set e = 7000, in other words, the user can pass the identity authentication only when the Euclidean distance between w and w′ is less than or equal to 4.

The system uses sensors to capture the user’s fingerprints and generate the corresponding vectors. The sensor captures the fingerprint feature points and generates the fingerprint vectors based on the horizontal and vertical coordinates of these fingerprint points, as shown in Fig 3.

Open in a separate window

Fig 3

Details of fingerprint sampling.

The final data is the average of the data we obtained by doing 10000 experiments. It is possible to conclude that our scheme’s communication cost is equal to $11 G + 7 Z_{n} + (2 m + 19) Z$ through computation and analysis, indicating that it is kept constant.

Fig 4 shows the line charts of the proving time and the verification time of the EDZKP protocol, respectively. Fig 5 shows the line charts of the proving time and the verification time of the BAZKP scheme (not including witness generation), respectively. Table 1 shows our system’s proving time and verification time under the different Euclidean distance. The simulation results show that the proving and verification time of the BAZKP scheme remains almost constant with the increase of the Euclidean distance. From this, we can conclude that no matter how extensive the range is, the proving time and the verification time remain almost unchanged.

Table 1

BAZKP Performance.

Length of biometric vector	Euclidean distance	Timing (ms)
Length of biometric vector	Euclidean distance	Prove	Verify
299	2000	76.14	140.44
299	3000	76.03	140.43
299	4000	77.70	140.11
299	5000	76.17	139.71
299	6000	75.70	139.57
299	7000	75.64	139.10

Open in a separate window

Fig 4

The time cost of EDZKP protocol.

Open in a separate window

Fig 5

The time cost of BAZKP scheme.

Performance analysis

Finally, we compare the BAZKP scheme with other similar schemes. Table 2 shows the comparison results between our scheme, literature [20], literature [18], and literature [21]. Lee et al. [21] proposed a biometric authentication scheme that divides the biometric template into fragments and stores them on the blockchain. However, compared with our scheme, the real-time performance of this scheme is low. Similarly, Zhou et al. [18] presented a user-centric biometric authentication scheme, but it encountered an exponential increase in time complexity with the increase in n. In contrast, our solution offers a significant advantage regarding time complexity. Compared with the biometric authentication scheme in [20], our scheme achieves the goal of privacy protection while improving efficiency. In addition, the security of this scheme is based on the RSA assumption and the discrete log assumption, which is relatively secure compared to other schemes.

Table 2

Comparison results of similar schemes.

Schemes	Universal	Untrusted Setup	Assumption	Time Complexity
Literature [20]	•	∘	−	O(n²)
Literature [18]	•	∘	−	O(n²)
Literature [21]	∘	∘	−	O(n)
Our scheme	•	∘	RSA+DL	O(n)

Open in a separate window

Here n represents the length of the fingerprint vector. A black circle for a universal denotes that the scheme can be promoted, and a white circle for an untrusted setup denotes that the scheme is updatable. DL stands for discrete log.

Conclusions and future work

In this paper, we combine biometrics with ZKP protocol to introduce a biometric authentication scheme for privacy-preserving named BAZKP. The security analysis shows that the scheme satisfies the perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation. The evaluation results show that, no matter how big the interval of the range proof is, the proof time and the verification time are nearly constant. Finally, based on the BAZKP scheme, we build a user-centric biometric authentication system.

We will focus on improving the efficiency and safety of the BAZKP scheme in the future. One approach will be to leverage a more efficient proof-of-zero algorithm to refine the accuracy of biometric templates while preserving privacy. Another approach will be to employ multi-factor authentication, which combines biometric data with other authentication methods, such as passwords or tokens, to boost security. Additionally, combining the BAZKP scheme with blockchain technology can provide additional security and transparency to the authentication process.

Supporting information

S1 Data

(ZIP)

Click here for additional data file.^{(32K, zip)}

S1 Appendix

(PDF)

Click here for additional data file.^{(217K, pdf)}

S2 Appendix

(PDF)

Click here for additional data file.^{(198K, pdf)}

Funding Statement

This research is partially supported by the Natural Science Foundation of China (No. 61976149) and the Key Program of the Natural Science Foundation of Zhejiang province of China (No. LZ20F020002). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Data Availability

All relevant data are within the paper and its Supporting information files.

References

1. Jain AK, Nandakumar K, Ross A. 50 Years of Biometric Research: Accomplishments, Challenges, and Opportunities. Pattern Recognition Letters. 2016;79:80–105. doi: 10.1016/j.patrec.2015.12.013 [CrossRef] [Google Scholar]

2. Sarkar A, Singh BK. A Review on Performance, Security and Various Biometric Template Protection Schemes for Biometric Authentication Systems. Multimedia Tools and Applications. 2020;79(37):27721–27776. doi: 10.1007/s11042-020-09197-7 [CrossRef] [Google Scholar]

3. Goldwasser S, Micali S, Racko C. The Knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing. 1989;18(1):186–208. doi: 10.1137/0218012 [CrossRef] [Google Scholar]

4. Maller M, Bowe S, Kohlweiss M, Meiklejohn S. Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings; 2019.

5. Gabizon A, Williamson ZJ, Ciobotaru O. PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge; 2019.

6. Bunz B, Fisch B, Szepieniec A. Transparent SNARKs from DARK Compilers. Annual International Conference on the Theory and Applications of Cryptographic Techniques; 2020: 677–706.

7. Brickell EF, Chaum D, Damgard IB. Gradual and Verifiable Release of a Secret (Extended Abstract). Advances in Cryptology—CRYPTO’87; 1988: 156–166.

8. Chan A, Frankel Y, Tsiounis Y. Easy Come Easy Go Divisible Cash. Advances in Cryptology—EUROCRYPT’98; 1998: 561–575.

9. Rabin MO, Shallit JO. Randomized Algorithms in Number Theory. Communications on Pure and Applied Mathematics. 1986;39(1):239–256. doi: 10.1002/cpa.3160390713 [CrossRef] [Google Scholar]

10. Lipmaa H. On Diophantine Complexity and Statistical Zero-Knowledge Arguments. Advances in Cryptology—ASIACRYPT 2003; 2003: 398–415.

11. Groth J. Non-interactive Zero-Knowledge Arguments for Voting. Applied Cryptography and Network Security; 2005: 467–482.

12. Bootle J, Cerulli A, Chaidos P. Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting. Advances in Cryptology—EUROCRYPT 2016; 2016: 327–357.

13. Bunz B, Bootle J, Boneh D. Bulletproofs: Short Proofs for Confidential Transactions and More. 2018 IEEE Symposium on Security and Privacy; 2018: 315–334.

14. Deng C, Tang X, You L. Cuproof: A Novel Range Proof with Constant Size; 2021 [PMC free article] [PubMed]

15. Jain A, Bolle R, Pankanti S. Introduction to Biometrics; 1996.

16. Barni M, Bianchi T, Catalano D. Privacy-Preserving Fingercode Authentication. Proceedings of the 12th ACM Workshop on Multimedia and Security; 2010: 231–240.

17. Blanton M, Gasti P. Secure and Efficient Protocols for Iris and Fingerprint Identification. Computer Security; 2011: 190–209.

18. Zhou K, Ren J. PassBio: Privacy-Preserving User-Centric Biometric Authentication. IEEE Transactions on Information Forensics and Security. 2018;13(12):3050–3063. doi: 10.1109/TIFS.2018.2838540 [CrossRef] [Google Scholar]

19. Hammad M, Liu Y, Wang K. Multimodal Biometric Authentication Systems Using Convolution Neural Network Based on Different Level Fusion of ECG and Fingerprint. IEEE Access. 2019;7:26527–26542. doi: 10.1109/ACCESS.2018.2886573 [CrossRef] [Google Scholar]

20. Zhang C, Zhu L, Xu C. PTBI: An Efficient Privacy-Preserving Biometric Identification based on Perturbed Term in the Cloud. Information Sciences. 2017;409:56–67. doi: 10.1016/j.ins.2017.05.006 [CrossRef] [Google Scholar]

21. Lee YK, Jeong J. Securing Biometric Authentication System using Blockchain. ICT Express. 2021;7(3):322–326. doi: 10.1016/j.icte.2021.08.003 [CrossRef] [Google Scholar]

22. Azees M, Vijayakumar P, Deboarh LJ. EAAP: Efficient Anonymous Authentication With Conditional Privacy-Preserving Scheme for Vehicular Ad Hoc Networks. IEEE Transactions on Intelligent Transportation Systems. 2017;18(9):2467–2476. doi: 10.1109/tit*.2016.2634623 [CrossRef] [Google Scholar]

23. Zhou X, Luo M, Vijayakumar P. Efficient Certificateless Conditional Privacy-Preserving Authentication for VANETs. IEEE Transactions on Vehicular Technology. 2022;71(7):7863–7875. doi: 10.1109/TVT.2022.3169948 [CrossRef] [Google Scholar]

24. Liu Y, Yu J, Fan J. Achieving Privacy-Preserving DSSE for Intelligent IoT Healthcare System. IEEE Transactions on Industrial Informatics. 2022;18(3):2010–2020. doi: 10.1109/TII.2021.3100873 [CrossRef] [Google Scholar]

25. Yang H, Vijayakumar P, Shen J. A Location-based Privacy-Preserving Oblivious Sharing Scheme for Indoor Navigation. Future Generation Computer Systems. 2022;137(1):42–52. doi: 10.1016/j.future.2022.06.016 [CrossRef] [Google Scholar]

26. Wei F, Vijayakumar P, Kumar N. Privacy-Preserving Implicit Authentication Protocol Using Cosine Similarity for Internet of Things. IEEE Internet of Things Journal. 2021;8(7):5599–5606. doi: 10.1109/JIOT.2020.3031486 [CrossRef] [Google Scholar]

27. Azees M, Vijayakumar P, Karuppiah M. An Efficient Anonymous Authentication and Confidentiality Preservation Schemes for Secure Communications in Wireless Body Area Networks. Wireless Networks. 2021;27:2119–2130. doi: 10.1007/s11276-021-02560-y [CrossRef] [Google Scholar]

28. Subramani J, Maria A, Rajasekaran AS. Lightweight Privacy and Confidentiality Preserving Anonymous Authentication Scheme for WBANs. IEEE Transactions on Industrial Informatics. 2022;18(5):3484–3491. doi: 10.1109/TII.2021.3097759 [CrossRef] [Google Scholar]

29. Rajasekaran AS, Azees M. An Anonymous Blockchain-Based Authentication Scheme for Secure Healthcare Applications. Security and Communication Networks. 2022. doi: 10.1155/2022/2793116 [CrossRef] [Google Scholar]

30. Rajasekaran AS, Maria A, Rajagopal M. Blockchain Enabled Anonymous Privacy-Preserving Authentication Scheme for Internet of Health Things. Sensors. 2022;23(1):240. doi: 10.3390/s23010240 [PMC free article] [PubMed] [CrossRef] [Google Scholar]

31. Jegadeesan S, Dhamodaran M, Azees M. Computationally Efficient Mutual Authentication Protocol for Remote Infant Incubator Monitoring System. Healthcare Technology Letters. 2019;6(4):92–97. doi: 10.1049/htl.2018.5006 [PMC free article] [PubMed] [CrossRef] [Google Scholar]

32. Jin Z, Lim MH, Teoh ABJ. Generating Fixed-Length Representation From Minutiae Using Kernel Methods for Fingerprint Authentication. IEEE Transactions on Systems, Man, and Cybernetics: Systems. 2016;46(10):1415–1428. doi: 10.1109/TSMC.2015.2499725 [CrossRef] [Google Scholar]

Articles from PLOS ONE are provided here courtesy of PLOS