Professional Documents
Culture Documents
2618
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
2619
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
2.2 Threat Model the closeness of two inputs. We assume that the set of all possible
As in other AKE protocols [19, 21], we only consider active adver- public parameters, the set of all possible public keys, and the set
saries in the network. Note that an honest-but-curious participant of all possible encapsulated messages are implicitly defined in the
may try to learn the other participant’s biometric characteristics algorithms.
from the BAKE protocol. However, this kind of attacks can be im- Definition 3.1 (AFEM). An asymmetric fuzzy encapsulation mech-
plemented by an adversary that only eavesdrops on the network. anism AFEM is a tuple of four Probabilistic Polynomial Time (PPT)
More specifically, we require that the participant’s biometric char- algorithms (Setup, PubGen, Enc, Dec) that satisfies the following
acteristics and the session key are protected under the following syntax with the correctness property.
threat model.
– Setup(1𝜆 , 𝜏) → 𝑝𝑎𝑟 : This setup algorithm takes as input a se-
• Insecure Channel. We assume that adversaries have complete curity parameter 𝜆 ∈ N and a threshold 𝜏 ∈ N. It generates a
control of the channel between two participants in the AKE phase. set of public parameters 𝑝𝑎𝑟 , which is an implicit input to the
That means an adversary can eavesdrop on, tamper with, and following algorithms.
throw away any message in that phase. – PubGen(𝑠𝑘) → 𝑝𝑘: This public key generation algorithm takes
• Safeguarded Terminal. We assume that a terminal processes as input a secret key 𝑠𝑘 ∈ SK. It outputs a public key 𝑝𝑘. (Notably,
a user’s biometric characteristics honestly. Specifically, the ter- this kind of secret key is derived from biometric characteristics.)
minal does not store the captured biometric characteristics or – Enc(𝑝𝑘, 𝑠) → 𝑐: This encapsulation algorithm takes as input a
reveal the biometric characteristics to adversaries. public key 𝑝𝑘 and a plain message 𝑠 ∈ S. It outputs an encapsu-
lated message 𝑐.
2.3 Design Goals – Dec(𝑠𝑘 , 𝑐) → 𝑠/⊥: This deterministic decapsulation algorithm
Our BAKE protocol should have the following properties. takes as input a secret key 𝑠𝑘 ∈ SK and an encapsulated mes-
• Mutual Authentication. Both participants authenticate each sage 𝑐. It returns a plain message 𝑠 if 𝑑𝑖𝑠 (𝑠𝑘, 𝑠𝑘 ) < 𝜏 or a failure
other using biometrics before actual messaging. symbol ⊥ otherwise.
• Secure Key Establishment. A consistent session key is agreed Correctness. For any 𝜆 ∈ N, any 𝜏 ∈ N, any 𝑝𝑎𝑟 generated by
upon between the sender and receiver and is only accessible to Setup, any secret key 𝑠𝑘, 𝑠𝑘 ∈ SK, and any plain message 𝑠 ∈ S,
these two participants. Dec(𝑠𝑘 , Enc(PubGen(𝑠𝑘), 𝑠)) = 𝑠 if 𝑑𝑖𝑠 (𝑠𝑘, 𝑠𝑘 ) < 𝜏.
• Biometric Privacy. An adversary, including the communicat-
ing participant, cannot obtain the biometric characteristics of a Security. The semantic security is defined by an attack game
participant from the protocol. between a challenger C and an adversary A. Particularly, for any
• High Performance. Both the computation and communication PPT adversary A, the advantage of A in the following experiment
overhead of BAKE protocols should be low, which is critical for Exp A (1𝜆 ) is negligible.
constrained environments, e.g., mobile networks. (1) On input a security parameter 1𝜆 , A outputs an appropriate
Note that fuzzy aPAKE [21] also achieves the first three goals and threshold 𝜏 such that it satisfies the privacy and robustness
additionally provides the Universally Composable (UC) security, but properties for the secret key, and sends 𝜏 to C.
fuzzy aPAKE dissatisfies the last goal since it involves heavy com- (2) C executes Setup(1𝜆 , 𝜏) → 𝑝𝑎𝑟 , PubGen(𝑝𝑎𝑟, 𝑠𝑘) → 𝑝𝑘, and
munication and computation overhead. In addition, fuzzy aPAKE sends 𝑝𝑘 to A.
only supports fuzzy vectors (e.g., password) and is not suitable for (3) A is given input 1𝜆 , 𝑝𝑎𝑟 , and oracle access to Enc(·).
asynchronous scenarios. (4) C generates a new secret key 𝑠𝑘 such that 𝑑𝑖𝑠 (𝑠𝑘, 𝑠𝑘 ) < 𝜏. Fur-
ther, C sends the encapsulated message 𝑐 ← AFEM.Enc(𝑝𝑘, 𝑏)
3 ASYMMETRIC FUZZY ENCAPSULATION for 𝑏 ← {0, 1} to A.
MECHANISM (5) A outputs a guess 𝑏 ∈ {0, 1}. The advantage of the adversary
is denoted as |Pr[𝑏 = 𝑏 ] − 1/2|.
The core idea of our BAKE constructions is to derive a session
key from random strings that are only accessible to the participant 3.2 Construction for Biometric Vector
with correct biometric characteristics. To this end, we propose a
cryptographic primitive called Asymmetric Fuzzy Encapsulation We propose the first AFEM construction for secret keys in the form
Mechanism (AFEM), which encapsulates a message with a public of biometric vectors, which means that the biometric characteristics
key that is corresponding to a target secret key. Only the participant of a participant can be converted into a string. Assuming the secret
who possesses a secret key close to the target secret key can obtain key is 𝑠𝑘 = u ∈ F𝑚𝑞 , where 𝑞 is a prime and F𝑞 is a finite field, and
the random string from the encapsulated message. the closeness is defined by Hamming distance, we give the technical
We first introduce the syntax of AFEM and define the security description and construction as follows.
notion for AFEM. Then, we present two constructions for two types 3.2.1 Generating Public Key. The key idea is to exploit the Learning
of biometric secret keys. With Errors (LWE) problem to securely encode a traditional secret
key into a vector with the help of a biometric vector. Specifically, a
3.1 Syntax random vector x ∈ F𝑙𝑞 is encoded by e = Ax + u, where A ∈ F𝑚×𝑙 𝑞 is
Let SK be the set of all possible secret keys, S be the set of all a random matrix and u is the biometric vector. Then, x is mapped
possible plain messages, and 𝑑𝑖𝑠 (·, ·) be a function that calculates to Z𝑞 through a hash function 𝐻 : {0, 1}∗ → Z𝑞 , which allows us
2620
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
Algorithm 1: Decoding algorithm Decode𝜏 𝑝𝑘. Under the decisional-LWE assumption, the uniform e is com-
1 Input A, b
putationally indistinguishable from e = Ax + u with computational
Hy Hy
2 Randomly select rows without replacement distance 𝑛𝑒𝑔𝑙 (𝜆). Thus, we have Adv A 0 (𝜆) ≤ Adv A 1 (𝜆) +𝑛𝑒𝑔𝑙 (𝜆).
𝑗1, . . . , 𝑗2𝑙 ← [1, 𝑚] Hy.2. Hy.2 is identical to Hy.1 except that we use ℎ from the
3 Restrict A, b to rows 𝑗 1 , . . . , 𝑗 2𝑙 and denote as A 1
𝑗 ,...,𝑗2𝑙 ,
uniform to replace 𝐻 (x), and the random oracle guarantees no
b 𝑗 ,...,𝑗
1 2𝑙
𝑗 ,...,𝑗2𝑙 then PPT adversary can distinguish 𝐻 (x) from the uniform. Further, the
4 if there exist 𝑙 linearly independent rows of A 1
discrete-logarithm assumption guarantees no one has the ability to
5 Let A = A 𝑗1 ,...,𝑗2𝑙 , b = b 𝑗1 ,...,𝑗2𝑙
obtain x given 𝑦 and 𝑔, which implies that no PPT adversary can
Compute x = A −1 b
tell the diffidence between 𝑦 = 𝑔𝐻 (x) and 𝑦 = 𝑔ℎ . Thus, we have
6
7 else Hy Hy
8 Abort Adv A 1 (𝜆) ≤ Adv A 2 (𝜆) + 𝑛𝑒𝑔𝑙 (𝜆).
9 if b − Ax has more than 𝜏 nonzero coordinates then Hy.3. Hy.3 is identical to Hy.2 except that we use 𝑧 from the
10 Go to step 2 uniform to calculate 𝑐 1 = 𝑠 ⊕𝑔𝑧 . Under the decisional Diffie-Hellman
11 Output x
(DDH) assumption, 𝑐 1 is computationally indistinguishable from 𝑐 1
Hy
with computational distance 𝑛𝑒𝑔𝑙 (𝜆), thus, we have Adv A 2 (𝜆) ≤
Hy
to adopt an ElGamal-like encryption. Therefore, the public key is Adv A 3 (𝜆) + 𝑛𝑒𝑔𝑙 (𝜆). In Hy.3, all the elements of both the public
(A, e, 𝑦 = 𝑔𝐻 (x) ), where 𝑔 is a generator of a group. key and the ciphertext are uniformly random and independent of
Hy
the message. Hence, Adv A 3 (𝜆) = 1/2.
3.2.2 Encapsulating Message. To encapsulate a message 𝑠, we en- Hy
crypt it with an ElGamal-like encryption. Specifically, for the public Finally, we have Adv A 0 (𝜆) ≤ 1/2+𝑛𝑒𝑔𝑙 (𝜆). Therefore, the adver-
key 𝑦, a random value 𝑟 ∈ Z𝑞 is selected. Then, the encrypted sary A can break the semantic security with negligible advantage.
message is (𝑔𝑟 , 𝑦𝑟 ⊕ 𝑠). This completes the sketched proof.
2621
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
P0 P1
Init Phase
Run AFEM.Setup(𝜆, 𝑡) → 𝑝𝑎𝑟
Set 𝑝𝑝 = 𝑝𝑎𝑟
KeyGen Phase
Generate 𝑠𝑘 0 ∈ SK Generate 𝑠𝑘 1 ∈ SK
Run AFEM.PubGen(𝑠𝑘 0 ) → 𝑝𝑘 0 Run AFEM.PubGen(𝑠𝑘 1 ) → 𝑝𝑘 1
𝑝𝑘 0
-
𝑝𝑘 1
AKE Phase
$ $
Choose 𝑠 0 ← S Choose 𝑠 1 ← S
Run AFEM.Enc(𝑝𝑘 1, 𝑠 0 ) → 𝑐 0 Run AFEM.Enc(𝑝𝑘 0, 𝑠 1 ) → 𝑐 1
𝑐0 -
𝑐1
Generate 𝑠𝑘 0 ∈ SK Generate 𝑠𝑘 1 ∈ SK
Run AFEM.Dec(𝑠𝑘 0 , 𝑐 1 ) → 𝑠 1 Run AFEM.Dec(𝑠𝑘 1 , 𝑐 0 ) → 𝑠 0
Output 𝑘 0 = 𝐻 (𝑝𝑘 0 ||𝑝𝑘 1 ||𝑐 0 ||𝑐 1 ||𝑠 0 ||𝑠 1 ) Output 𝑘 1 = 𝐻 (𝑝𝑘 0 ||𝑝𝑘 1 ||𝑐 0 ||𝑐 1 ||𝑠 0 ||𝑠 1 )
2622
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
P0 P1
AKE Phase
(Session sid0 )
$
Choose 𝑠 0sid0 ← S
Run AFEM.Enc(𝑝𝑘 1, 𝑠 0sid0 ) → 𝑐 0sid0
Output 𝑘 0sid0 = 𝐻 (𝑝𝑘 0 ||𝑝𝑘 1 ||sid0 ||𝑐 0sid0 ||𝑠 0sid0 )
sid0, 𝑐 0sid0
-
sid sid0
Run AFEM.Dec(𝑠𝑘 1 0 , 𝑐 0sid0 ) → 𝑠 0
sid0
Output 𝑘 1sid0 = 𝐻 (𝑝𝑘 0 ||𝑝𝑘 1 ||sid0 ||𝑐 0sid0 ||𝑠 0 )
(Session sid1 )
$
Choose 𝑠 1sid1 ← S
Run AFEM.Enc(𝑝𝑘 0, 𝑠 1sid1 ) → 𝑐 1sid1
Output 𝑘 1sid1 = 𝐻 (𝑝𝑘 0 ||𝑝𝑘 1 ||sid1 ||𝑘 1sid0 ||𝑐 1sid1 ||𝑠 1sid1 )
sid1, 𝑐 1sid1
sid sid1
Run AFEM.Dec(𝑠𝑘 0 1 , 𝑐 1sid1 ) → 𝑠 1
sid1
Output 𝑘 0sid1 = 𝐻 (𝑝𝑘 0 ||𝑝𝑘 1 ||sid1 ||𝑘 0sid0 ||𝑐 1sid1 ||𝑠 1 )
..
.
by running the public key generation algorithm AFEM.PubGen. 𝑘 0sid0 , and then encapsulates 𝑠 0sid0 into 𝑐 0sid0 . When the receiver P1
Finally, P𝑖 sends the public key 𝑝𝑘𝑖 to P1−𝑖 through an authenti- gets online, she/he generates a secret key based on the biometric
cated channel, which means that adversaries cannot modify that characteristics to decapsulate 𝑐 0sid0 and obtain the session key 𝑘 1sid0 .
public key. Note that the requirement of an authenticated channel Then, the sender P1 launches the second session sid1 to send a
is essential for all authenticated key exchange protocols [6]. message to the receiver P0 , where the new session key 𝑘 1sid1 is
In real-world applications, the authenticated channel can be
generated by decapsulating 𝑐 1sid1 . The subsequent session keys could
implemented by Public-Key Infrastructure (PKI) technology [52], in
be negotiated in the same manner, which provides the key rotation
which an authority generates a certificate to bind an identity and
property for our BAKE framework.
a public key. Messaging applications also suggest an out-of-band
fashion to authenticate public keys, such as comparing public key
fingerprints and scanning a Quick Response (QR) code [44]. 4.2 Secret Key from Iris
AKE Phase. This phase enables both participants to authenti- IrisCode [16] is the most widely used iris recognition method due
cate each other and negotiate a session key. Specifically, P𝑖 (𝑖 ∈ to its computational advantages, e.g., high matching speed and
{0, 1}) first chooses a random message 𝑠𝑖 . Then, 𝑠𝑖 is encapsulated accuracy. Over 60 million people are using IrisCode to perform
into 𝑐𝑖 by running the encapsulation algorithm AFEM.Enc and sent iris recognition and many other biometric algorithms are extended
to P1−𝑖 . After receiving 𝑐 1−𝑖 , P𝑖 generates a secret key 𝑠𝑘𝑖 based on from IrisCode [16]. Generally, iris recognition is simply achieved by
the biometric characteristics and decapsulates 𝑐 1−𝑖 using the decap- computing the Hamming distance between two IrisCodes. In BAKE,
sulation algorithm AFEM.Dec to obtain 𝑠 1−𝑖 . Finally, P computes IrisCode is suitable for instantiation by our first AFEM construction
𝑖
a session key 𝑘𝑖 by a hash function 𝐻 . that is illustrated in Section 3.2.
In real-world applications, communicating participants are usu-
4.2.1 Iris Vector from IrisCode. An iris image is transformed into
ally not online at the same time and a participant may want to
random texture after localization, segmentation, and normalization,
leave a message to an offline participant through a service provider.
which is then encoded into a 2048-bit stream [17]. To construct a
To deal with this asynchronous scenario, we design another AKE
valid secret key for the AFEM construction in Section 3.2, a 2048-bit
phase that allows a unidirectional session key at the beginning as
IrisCode should be transformed into a vector. We naturally employ
shown in Figure 3. Roughly speaking, in each session, a session
a simple solution to shard a 2048-bit IrisCode into 𝑚 elements that
key is derived from the session ID, a random string chosen by a
compose an iris vector. As shown in Figure 4, we take the first
participant, and the session key of the last session if it exists. To
2048/𝑚 bits as the first element, and take the second 2048/𝑚 bits
obtain the random string encapsulated by the other participant, a
as the second element, and so on. Finally, we obtain an iris vector
participant needs to generate a fresh secret key based on her/his
v = {𝑣 1, . . . , 𝑣𝑚 }.
biometric characteristics in each session for implicit authentication.
More specifically, for the first session whose ID is sid0 , the sender 4.2.2 Tolerating Iris Noise with Lattice. Due to capture deviation,
P0 first chooses a random message 𝑠 0sid0 to generate the session key the decoding algorithm in Section 3.2 may fail even if the two iris
2623
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
...
... Pointj,1 vecj,1
01011...00010...10100.........10101...01010...01010
10101...01010...10101.........01001...00111...01100 vecj,2 Pointj,2
Pointj,3 vecj,3
11111...01111...01010.........10101...01011...10101 Pointj vecj,4
01001...01010...10100.........10010...10111...11010
10100...10100...10010.........10101...00101...11101 Pointj,4
00101...01001...01000.........01001...01010...00001
01010...10101...00101.........01010...01010...11010
00101...01010...10010.........10100...01010...01010
Figure 5: An illustration of constructing a fingerprint vector.
...
2624
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
Algorithm 2: Minutiae-based Fingerprint Vector Set Con- initializes the whole system and realizes all oracles, then gives all
structing Algorithm public information to A, A then interacts with C via a series of
1 for 𝑃𝑜𝑖𝑛𝑡 𝑗 ∈ {𝑃𝑜𝑖𝑛𝑡 1 , . . . , 𝑃𝑜𝑖𝑛𝑡𝑛 } do queries on 𝐸𝑥𝑒𝑐𝑢𝑡𝑒, 𝑆𝑒𝑛𝑑, 𝑅𝑒𝑣𝑒𝑎𝑙, and 𝐶𝑜𝑟𝑟𝑢𝑝𝑡. In the meanwhile,
2 Set 𝑃𝑜𝑖𝑛𝑡 𝑗 as the center and find the nearest 𝜇 points A issues a 𝑇 𝑒𝑠𝑡 query, and keeps querying other oracles afterward
3 Construct 𝜇 vectors {vec 𝑗,𝜌 } 𝜇 as before. Finally, A terminates this experiment and outputs a guess
4 Compute vector lengths {𝑑 𝑗,𝜌 } 𝜇 for {vec 𝑗,𝜌 } 𝜇 bit 𝑏 for the choice bit 𝑏 in𝑇 𝑒𝑠𝑡. For BAKE, an instance of the sender
5 Compute inter-vector angles {𝜙 𝑗,𝜔} 𝜇·(𝜇−1) in {vec 𝑗,𝜌 }𝜇 represents an online attack if both the following cases are true at the
time of the𝑇 𝑒𝑠𝑡 query, (1) at some point, A queried 𝑆𝑒𝑛𝑑 1 (P0𝑖 , ∗) (vs.
2
6 Represent vector v 𝑗,0 with {𝑑 𝑗,𝜌 }𝜇 and {𝜙 𝑗,𝜔 } 𝜇·(𝜇−1)
𝑗 𝑗
𝑆𝑒𝑛𝑑 2 (P1 , ∗)); (2) at some point, A queried𝑇 𝑒𝑠𝑡 (P0𝑖 ) (vs.𝑇 𝑒𝑠𝑡 (P1 )).
2
7 for 𝜌 ∈ [1, 𝜇] do
8 Set 𝑃𝑜𝑖𝑛𝑡 𝑗,𝜌 as the core and find the nearest 𝜇 points The number of online attacks represents a bound on the number
9 Construct 𝜇 vectors {vec 𝑗,𝜌,𝜎 } 𝜇 of biometric secret keys that A could have tested in an online
10 Compute vector lengths {𝑑 𝑗,𝜌,𝜎 } 𝜇 for {vec 𝑗,𝜌,𝜎 } 𝜇 fashion. A PPT A may succeed with probability 1 by trying all
11 Compute inter-vector angles {𝜙 𝑗,𝜌,𝜔 } 𝜇·(𝜇−1) in biometric secret keys if the size of the biometric dictionary is small.
2
{vec 𝑗,𝜌,𝜎 } 𝜇 Therefore, A is only said to have succeeded if A asks a single 𝑇 𝑒𝑠𝑡
12 Represent vector v 𝑗,𝜌 with {𝑑 𝑗,𝜌,𝜎 }𝜇 and query, outputs a guess bit 𝑏 such that 𝑏 = 𝑏. The advantage of A
{𝜙 𝑗,𝜌,𝜔 } 𝜇·(𝜇−1) in attacking BAKE is formally defined by
2
13 Represent {vec 𝑗,𝜌}𝜇 as vectorv 𝑗 = (v 𝑗,0,v 𝑗,1,v 𝑗,2,v 𝑗,3,v 𝑗,4 ) Adv A (𝜆) = |2 · Pr[𝑏 = 𝑏 ] − 1|. (1)
Definition 5.1. BAKE is said to be secure if for every biometric
dictionary 𝐷 with size 𝐷 and for all PPT A making at most 𝑄𝑠
online dictionary attacks (i.e., the number of 𝑆𝑒𝑛𝑑 queries), it holds
5 SECURITY that Adv A (𝜆) ≤ 𝑄𝑠 /𝐷 + 𝑛𝑒𝑔𝑙 (𝜆).
We detail security analysis with Find-then-Guess (FtG) paradigm
Remark 1. Fuzzy aPAKE [21] is using an ideal cipher as a block
in the Bellare-Pointcheval-Rogaway (BPR) model [7], where the
cipher that takes as input a plaintext or a ciphertext. In our solution,
adversary A is given access to oracles through the following oracle
we instantiate the block cipher using our proposed AFEM instead.
queries. Particularly, users who hold biometrics (from a specific
biometric dictionary) are modeled as PPT algorithms that respond Theorem 5.2. BAKE is secure with the advantage Adv A (𝜆) ≤
𝑗
to queries. P0𝑖 (vs. P1 ) denotes instance 𝑖 (vs. 𝑗) of user P0 (vs. P1 ) 𝑄𝑠 /𝐷 + 𝑛𝑒𝑔𝑙 (𝜆) if AFEM is semantic secure and assuming all
who executes the protocol multiple times with different partners collision-resistant hash functions are random oracles H , where 𝑄𝑠
(we use vs. to simply describe the similar case of the other user). is the number of the online attacks (i.e., the number of 𝑆𝑒𝑛𝑑 queries)
Execute. This oracle models a passive A (e.g., an eavesdropper) and the bit-length of the output of H is ℓ.
who receives all the transcripts of an honest execution between an
𝑗 Proof of Theorem 5.2. We use A to construct a simulator S that
instance of a sender P0𝑖 and an instance of a receiver P1 .
controls all oracles to which A has the ability to access. S executes
Send. This oracle models an active adversary A who can inter-
the Init phase including selecting biometric characteristics for each
cept a message, modify it, create a new one, or simply forward it
user, and answers A’s queries as defined in the 𝐸𝑥𝑒𝑐𝑢𝑡𝑒, 𝑇 𝑒𝑠𝑡, and
to the intended party. For example, A could launch impersonation
𝑆𝑒𝑛𝑑 oracles. Thus, A succeeds in breaking the semantic security
attacks via Send queries. Particularly, we separate three kinds of
𝑗 of AFEM if it can guess the bit 𝑏 that S uses during the 𝑇 𝑒𝑠𝑡-query.
𝑆𝑒𝑛𝑑 oracles in BAKE, 𝑆𝑒𝑛𝑑 0 (P0𝑖 , P1 ) implies that P0 initiates an The proof uses a sequence of hybrids, starting from the real case
𝑗
execution with P1 , 𝑆𝑒𝑛𝑑 1 (P0𝑖 , 𝑚) and 𝑆𝑒𝑛𝑑 2 (P1 , 𝑚) implies a mes- and ending at the ideal (or simulation) case where the advantage
𝑖 𝑗 Hy
sage 𝑚 is sent by A to the instance P0 and P1 , and outputs the first of A is 0. Let Adv A 𝑖 (𝜆) denote the advantage of A in the hybrid
and second message that the instance of the user who generates Hy
Hy.𝑖. To prove the desired bound on Adv A (𝜆) = Adv A 0 (𝜆), we
upon receipt of the messages.
bound the effect of each change in the hybrid on the advantage of
Reveal. This oracle models the misuse of session keys by a user, Hy
and A gets the session key held by the user. A, and then illustrate that Adv A 7 (𝜆) ≤ 𝑄𝑠 /𝐷 .
Test. This oracle models A is given either a session key or a Hy.0. A real hybrid follows BAKE specification. Hy.0 corre-
random value (depending on a choice bit 𝑏) and must distinguish sponds to the real attack that the honest users have their key-pair
𝑗 (𝑝𝑘 0, 𝑠𝑘 0 ) (vs. (𝑝𝑘 1, 𝑠𝑘 1 )). 𝐸𝑥𝑒𝑐𝑢𝑡𝑒 and 𝑆𝑒𝑛𝑑 are answered exactly
them. If no session key for instance P0𝑖 (vs. P1 ) is defined , then
as the honest users with their keys; 𝑅𝑒𝑣𝑒𝑎𝑙 to an instance of the
return the undefined symbol ⊥. Otherwise, return a guess bit 𝑏 ∈ 𝑗
{0, 1} for the choice bit 𝑏. participant P0𝑖 (vs. P1 ) is answered by issuing the session key (i.e.,
Corrupt. This oracle models the client outputs the biometric 𝑘 0 ←𝐻 (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1,𝑠 0 ,𝑠 1 ) vs. 𝑘 1 = 𝐻 (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0, 𝑠 1 )) that
𝑗
secret key, which does not reveal the internal state, but reveals the is generated by P0𝑖 (vs. P1 ) during the execution of the protocol
secret key and can be made at any point during the protocol. (or ⊥ if no session key is set); and 𝑇 𝑒𝑠𝑡 to a fresh instance P0𝑖 (vs.
Advantage of the adversary. Freshness oracle is defined to 𝑗
P1 ) is answered after flipping a coin 𝑏, by either the output of
restrict the queries to a target session. The security experiment is 𝑗 $
performed as a game between a challenger C and an adversary A 𝑅𝑒𝑣𝑒𝑎𝑙 (P0𝑖 ) (vs. 𝑅𝑒𝑣𝑒𝑎𝑙 (P1 )) or 𝑠𝑘 ← {0, 1}∗ . By definition, we
Hy
based on BAKE with a security parameter 𝜆. Concretely, C first have Adv A (𝜆) = Adv A 0 (𝜆) = |2 · Pr[𝑏 = 𝑏 ] − 1|.
2625
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
Hy.1. Hy.1 is identical to Hy.0 on simulating all the instances encrypted under a dummy public key 𝑝𝑘 𝑖 instead of the real 𝑝𝑘𝑖 ←
for 𝑆𝑒𝑛𝑑, 𝐸𝑥𝑒𝑐𝑢𝑡𝑒, 𝑇 𝑒𝑠𝑡 and 𝐶𝑜𝑟𝑟𝑢𝑝𝑡 queries, except that we sim- AFEM.PubGen(𝑠𝑘𝑖 ), thus, 𝑐 0 ← AFEM.Enc(𝑝𝑘 1, 𝑠 0 ) for P0 (vs.
ulate the random oracle H on new queries (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0 , 𝑠 1 ) 𝑐 1 ← AFEM.Enc(𝑝𝑘 0, 𝑠 1 ) for P1 ). This is indistinguishability proof
and (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0, 𝑠 1 ), and we obtain two associated random under the semantic security property of the AFEM scheme, and
outputs as session keys, either 𝑘 0 ← 𝐻 (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0 , 𝑠 1 ) or the adversary B cannot distinguish the encapsulated messages
𝑘 1 ← 𝐻 (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0, 𝑠 1 ) in all of the sessions. For keeping con-
generated in Hy.2 and Hy.1.
sistent, the corresponding valid records (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0 , 𝑠 1 ), 𝑘 0
and (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0, 𝑠 1 ), 𝑘 1 are stored in the list Λ𝐻 that is used Hy.3. In this hybrid, we continue to deal with passive attacks
to give the same answer if the same query is asked twice. This hy- between two incompatible users. Hy.3 is identical to Hy.2 except
brid excludes the collision, the protocol halts and A fails if any that we modify the answered way of 𝐸𝑥𝑒𝑐𝑢𝑡𝑒 on how to compute
instance chooses any input of the random oracle that has been used. the session key. The transcript is computed in the same way as
This is a perfect simulation of the random oracle H , and we have Hy.2 but with independent two session keys. We use the secret
Hy Hy sampled 𝑘 0 and 𝑘 1 from a uniform to replace the random oracle
Claim 1. |Adv A 0 (𝜆) − Adv A 1 (𝜆)| is negligible. H for computing the session keys (i.e., 𝑘 0 and 𝑘 1 ) in all sessions
Proof. This claim is guaranteed by the collision resistance and generated via 𝐸𝑥𝑒𝑐𝑢𝑡𝑒. Below, the record (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0, 𝑠 1 ) is
one-wayness of the hash function.All executions will be halted if a truncated to (𝑠 0, 𝑠 1 ) and for the sake of illustration, where 𝑠 1∗ is
collision occurs in the transcript (𝑝𝑘 0, 𝑐 0 ), (𝑝𝑘 1, 𝑐 1 ) since the in- obtained from AFEM.Dec(𝑠𝑘 0 , 𝑐 1 ) if 𝑐 1 ← AFEM.Enc(𝑝𝑘 0, 𝑠 1 ) can
puts 𝑝𝑘 0, 𝑐 0, 𝑝𝑘 1, 𝑐 1 are simulated and chosen uniformly at random. be decrypted correctly, otherwise, 𝑠 1∗ is sampled from a uniform dis-
Thus, the collision in the transcript is still regarded as negligi- tribution. Then, the session key 𝑘 0 = 𝐻 (𝑠 0 𝑠 1∗ ) for P0 is replaced by
ble for convenience, and the probability is at most Adv A 0 (𝜆) ≤
Hy a random 𝑘¯0 ← {0, 1}ℓ . Likewise, we use 𝑘¯1 for the receiver instead
Hy (𝑄 +𝑄 ) 2 of 𝑘 1 = 𝐻 (𝑠 0∗ 𝑠 1 ) at this stage, where 𝑠 0∗ ← AFEM.Dec(𝑠𝑘 1 , 𝑐 0 ) if
Adv A 1 (𝜆) + 𝑠 2ℓ 𝑒 via the birthday paradox, where 𝑄𝑠 and 𝑄𝑒
𝑐 0 ← AFEM.Enc(𝑝𝑘 1, 𝑠 0 ) can be decrypted correctly, otherwise, 𝑠 0∗
are the numbers of 𝑆𝑒𝑛𝑑 and 𝐸𝑥𝑒𝑐𝑢𝑡𝑒 queries, and ℓ is the bit-length
is sampled from a uniform distribution. Thus, we have
of the output of H .
Hy Hy
Hy.2. 𝐸𝑥𝑒𝑐𝑢𝑡𝑒 queries between compatible users, before corrup- Claim 3. |Adv A 2 (𝜆) − Adv A 3 (𝜆)| is negligible.
tion. In this hybrid, we first deal with the passive attacks between
Proof. In the aforementioned hybrid, A’s probability of guess-
two compatible users because 𝐸𝑥𝑒𝑐𝑢𝑡𝑒 models the behavior of the
ing 𝑏 in 𝑇 𝑒𝑠𝑡 oracle is exactly 1/2 if 𝑇 𝑒𝑠𝑡 query is made to a fresh
passive adversary. Indeed, there is a simple query to the 𝐸𝑥𝑒𝑐𝑢𝑡𝑒
instance that was activated via 𝐸𝑥𝑒𝑐𝑢𝑡𝑒. In the following Hybrids,
oracle (in either Hy.3 or Hy.2), and the transcript (𝑝𝑘 0, 𝑐 0, 𝑝𝑘 1, 𝑐 1 )
𝑗 we deal with active attacks via 𝑆𝑒𝑛𝑑, where A has possibly gener-
is returned to A. In order to respond to 𝐸𝑥𝑒𝑐𝑢𝑡𝑒 (P0𝑖 , P1 ), the pub- ated the inputs of a 𝑆𝑒𝑛𝑑 query. To this end, 𝑆𝑒𝑛𝑑 is modified so that
lic key 𝑝𝑘 0 ← AFEM.PubGen(𝑠𝑘 0 ) for the sender P0 (vs. 𝑝𝑘 1 ← its output is chosen uniformly at random and independently of the
AFEM.PubGen(sk1 ) for the receiver P1 ) with the associated cor- 𝑗
biometric secret key. Notably, 𝑆𝑒𝑛𝑑 0 (P0𝑖 , P1 ) is the start-query for
rect secret key 𝑠𝑘 0 derived from the biometric characteristics (i.e., 𝑗
SK) for the sender P0 (vs. 𝑠𝑘 1 for the receiver P1 ) is replaced by a user to initiate an execution of BAEK, followed by 𝑆𝑒𝑛𝑑 1 (P1 , 𝑝𝑘 0 )
𝑗
encrypting a random sampled 𝑠𝑘 0 (vs. 𝑠𝑘 1 ) from SK. Additionally, (vs. 𝑆𝑒𝑛𝑑 1 (P0𝑖 , 𝑝𝑘 1 )) and 𝑆𝑒𝑛𝑑 2 (P1 , 𝑐 0 ) (vs. 𝑆𝑒𝑛𝑑 2 (P0𝑖 , 𝑐 1 )).
the message 𝑠 0 for P0 (vs. the message 𝑠 1 for P1 ) is encrypted un- 𝑗
der a dummy public key 𝑝𝑘 𝑖 ← AFEM.PubGen(𝑠𝑘 𝑖 ) (for 𝑖 = 0, 1) Hy.4. We deal with active attacks using 𝑆𝑒𝑛𝑑 2 (P1 , 𝑐 0 ) between
𝑗
instead of 𝑝𝑘𝑖 ← AFEM.PubGen(𝑠𝑘𝑖 ). Thus, we obtain 𝑐 0 ← compatible users before corruption. 𝑆𝑒𝑛𝑑 2 (P1 , 𝑐 0 ) represents that
AFEM.Enc(𝑝𝑘 1, 𝑠 0 ) for P0 (vs. 𝑐 1 ← AFEM.Enc(𝑝𝑘 0, 𝑠 1 ) for P1 ). A sends 𝑐 0 to P0 . We modify the behavior of P0 to 𝑆𝑒𝑛𝑑 2 (P0𝑖 , 𝑐 1 ). At
𝑖
Next, random session keys 𝑘 0 ← {0, 1}ℓ for P0 and 𝑘 1 ← {0, 1}ℓ this stage, 𝑐 1 for P0𝑖 is adversarially generated without knowing the
Hy.2
for P1 are drawn uniformly, and the list Λ𝐻 stores the records secret 𝑠𝑘 0 . Upon receiving 𝑆𝑒𝑛𝑑 2 (P0𝑖 , 𝑐 1 ), S checks whether 𝑐 1 for
the instance P0𝑖 is either valid or invalid. If 𝑐 1 is valid, then outputs
(𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0, 𝑠 1 ), 𝑘 0 and (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 1, 𝑠 0 ), 𝑘 1 . Thus,
Hy.2 𝑐 0 and the session key 𝑘 0 is assigned with a special value. If 𝑐 1 is
we consider A wins this hybrid if Λ𝐻 ∩ Λ𝐻 ≠ ∅. To summarize
invalid, then outputs 𝑐 0 and S samples 𝑠 1 and 𝑘 0∗ from a uniform
what has been mentioned above, we utilize Hy.2 to exclude pas-
sive attacks between compatible users by 𝐸𝑥𝑒𝑐𝑢𝑡𝑒, where Hy.2 is and stores the record (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0, 𝑠 1, 𝑘 0∗ ). The inconsistency
indistinguishable from Hy.1 unless the two aforementioned records can be detected if H has been asked with same 𝑐 1 and 𝑠 1 . More
have been queried to H . Thus, we have generally, A wins if a collision occurs. 𝑆𝑒𝑛𝑑 2 (P0𝑖 , 𝑐 1 ) queries are
Hy Hy
proceeded in a similar way, and we omit it here. Thus,
Claim 2. |Adv A 1 (𝜆) − Adv A 2 (𝜆)| is negligible.
Hy Hy
Claim 4. |Adv A 3 (𝜆) − Adv A 4 (𝜆)| is negligible.
Proof. This indistinguishability proof is guaranteed by AFEM
that has been proved in Section 3.2.4, and under the decisional- Proof. If 𝑐 0 is generated by A who used the public key 𝑝𝑘 1 with
LWE assumption and random oracle, the adversary B cannot dis- an associated secret key 𝑠𝑘 1 , and the regenerated secret key is close
tinguish the public key 𝑝𝑘 𝑖 for 𝑖 = 0, 1 generated in Hy.2 from to the previous one, e.g., 𝑑𝑖𝑠 (𝑠𝑘 1, 𝑠𝑘 1 ) < 𝜏, then the decapsulation
the public key 𝑝𝑘𝑖 for 𝑖 = 0, 1 generated in previous hybrid. Ad- oracle will output a correct value. Thus, S can declare A succeeds
ditionally, the message 𝑠 0 for P0 (vs. the message 𝑠 1 for P1 ) is and terminates the hybrid. Otherwise, S selects a session key from
2626
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
𝑗
a uniform distribution. More generally, if 𝑐 0 is generated by A • 𝐸𝑥𝑒𝑐𝑢𝑡𝑒 (P0𝑖 , P1 ): S randomly selects 𝑐¯0 (vs. 𝑐¯1 ) from a uniform
before corruption, then S queries the decapsulation oracle and distribution. If they are compatible, they are given the same
obtains 𝑠 0 ← AFEM.Dec(sk 1 , 𝑐 0 ). Next, if 𝑠 0 = 𝑠 0 , then S declares random session key 𝑘 0 = 𝑘 1 . Otherwise, they are given two
A succeeds. This case can only increase the advantage of A. If independent random keys 𝑘 0, 𝑘 1 ← {0, 1}ℓ .
𝑗
𝑠 0 ≠ 𝑠 0 , then S sets a random sampled key from a uniform instead • 𝑆𝑒𝑛𝑑 0 (P0𝑖 , P1 ) implies that the instance of P0𝑖 initiates an execu-
of 𝑘 0 . This case introduces a negligible difference, guaranteed by tion of BAKE, and S selects a random 𝑠𝑘𝑖 from SK and calculates
the pseudorandomness of random oracle. the public key 𝑝𝑘𝑖 ← AFEM.PubGen(𝑠𝑘𝑖 ).
𝑗
• 𝑆𝑒𝑛𝑑 1 (P1 , 𝑝𝑘 0 ) (vs. 𝑆𝑒𝑛𝑑 1 (P0𝑖 , 𝑝𝑘 1 )) simulates the behavior of
Hy.5. We modify 𝑆𝑒𝑛𝑑 2 between compatible users again to ex- 𝑗
𝑗 P1 (vs. P0𝑖 ) before a corruption. S selects the secret key 𝑠𝑘 1
clude corruptions. To answer 𝑆𝑒𝑛𝑑 2 (P0𝑖 , 𝑐 1 ) (vs. 𝑆𝑒𝑛𝑑 2 (P1 , 𝑐 0 )) where
𝑗 (vs. 𝑠𝑘 0 ), and randomly selects a public key 𝑝𝑘 1 ← {0, 1}∗ (vs.
𝑐 1 (vs. 𝑐 0 ) was used, 𝑆𝑒𝑛𝑑 2 (P0𝑖 , 𝑐 1 ) (vs. 𝑆𝑒𝑛𝑑 2 (P1 , 𝑐 0 )) outputs 𝑐 0 (vs. 𝑝𝑘 0 ← {0, 1}∗ ). Otherwise, S selects 𝑠𝑘 1 (vs. 𝑠𝑘 0 ) and sets 𝑝𝑘 1 ←
𝑐 1 ). To get a session key 𝑘 0 (vs. 𝑘 1 ), S queries H with the appropri- AFEM.PubGen(𝑠𝑘 1 ) (vs. 𝑝𝑘 0 ← AFEM.PubGen(𝑠𝑘 0 )).
ate (𝑝𝑘 0, 𝑝𝑘 1, 𝑐 0, 𝑐 1, 𝑠 0, 𝑠 1 ), if there is a record, A wins. Otherwise, 𝑗
• 𝑆𝑒𝑛𝑑 2 (P0𝑖 , 𝑐 1 ) (vs. 𝑆𝑒𝑛𝑑 2 (P1 , 𝑐 0 )) simulates the behavior of P0𝑖
the session keys are set as 𝑘 0∗, 𝑘 1∗ ← {0, 1}ℓ . 𝑗
(vs. P1 ) in the following cases.
Hy Hy
Claim 5. |Adv A 4 (𝜆) − Adv A 5 (𝜆)| is negligible. – Before a corruption, S outputs a randomly sampled session
key 𝑘 0 (vs. 𝑘 1 ).
Proof. This proof depends on the security of AFEM that is – After a corruption, but 𝑐 1 (vs. 𝑐 0 ) has been generated before
proved in Theorem 3.2. A issues the 𝑆𝑒𝑛𝑑 query, and S’s behavior corruption. Particularly, S selects the message 𝑠 1 (vs. 𝑠 0 ) ran-
is defined in Definition 3.1 and proceeds as follows: domly, and simulates the ciphertext by sampling 𝑐¯0 (vs. 𝑐¯1 )
(1) S is given 𝑝𝑘 0 and 𝑐 0 (vs. 𝑝𝑘 1 and 𝑐 1 ). randomly. After that, S cannot decrypt 𝑐¯0 (vs. 𝑐¯1 ) to a correct
(2) S generates 𝑠, collects and generates 𝑠𝑘 0 (vs. 𝑠𝑘 1 ). value under the re-generated secret key 𝑠𝑘 0 (vs. 𝑠𝑘 1 ), and S
(3) S responds to 𝐸𝑥𝑒𝑐𝑢𝑡𝑒 queries by generating (𝑝𝑘 0, 𝑐 0, 𝑝𝑘 1, 𝑐 1 ), samples a randomly chosen plaintext. Finally, S asks for the
where 𝑝𝑘 (𝑝𝑘 0 and 𝑝𝑘 1 ) is computed by invoking AFEM.PubGen(·) session key 𝑘 0 (vs. 𝑘 1 ) from H on the pair (𝑠 0, 𝑠 1 ) (vs. (𝑠 0 , 𝑠 1 )).
on input a dummy 𝑠𝑘, and 𝑐 (𝑐 0 and 𝑐 1 ) is computed by invoking – After a corruption, S selects a message 𝑠 1 (vs. 𝑠 0 ) randomly and
invokes 𝑐 0 ← AFEM.Enc(𝑝𝑘 1, 𝑠 0 ) (vs. 𝑐 1 ← AFEM.Enc(𝑝𝑘 0, 𝑠 1 )).
AFEM.Enc(·) on input 0 under the dummy 𝑝𝑘. The matching
After that, S decapsulates 𝑐¯0 (vs. 𝑐¯1 ) to a correct value under
session keys are chosen uniformly at random.
(4) S responds to the 𝑖-th 𝑆𝑒𝑛𝑑 0 queries by submitting an 𝑠𝑘 to the the re-generated secret key 𝑠𝑘 0 (vs. 𝑠𝑘 1 ). Finally, S asks for the
session key 𝑘 0 (vs. 𝑘 1 ) from H on the pair (𝑠 0, 𝑠 1 ) (vs. (𝑠 0 , 𝑠 1 )).
PubGen oracle, and receives a public key 𝑝𝑘, then gives it to A. 𝑗
(5) S responds to 𝑆𝑒𝑛𝑑 1 (𝑝𝑘) and 𝑆𝑒𝑛𝑑 2 (𝑐) by checking whether • 𝐶𝑜𝑟𝑟𝑢𝑝𝑡 (P0𝑖 ) (vs. 𝐶𝑜𝑟𝑟𝑢𝑝𝑡 (P1 )) implies that if this is the first
𝑗
(𝑝𝑘, 𝑐) is previously used or adversarially generated. If it is the corruption query involving P0𝑖 (vs. P1 ), one could first obtain a
former, then the session key is calculated as the protocol de- secret key 𝑠𝑘 0 (vs. 𝑠𝑘 1 ), then define the public key 𝑝𝑘 0 (vs. 𝑝𝑘 1 )
scription. Otherwise, the session key is chosen uniformly if via the algorithm AFEM.PubGen(𝑠𝑘 0 ) (vs. AFEM.PubGen(𝑠𝑘 1 )).
𝑑𝑖𝑠 (𝑠𝑘 0, 𝑠𝑘 0 ) > 𝜏, and S declares that A succeeds and termi- • 𝑇 𝑒𝑠𝑡 (𝑏) is answered using the defined session key according to
nates the hybrid if 𝑑𝑖𝑠 (𝑠𝑘 0, 𝑠𝑘 0 ) < 𝜏. the choice bit 𝑏.
(6) At the end of this hybrid, S outputs 1 if and only if A succeeds.
At the very end, or at the time of corruption, the biometric charac-
Let 𝑏 be a choice bit defined in Equation.1. If 𝑏 = 0, then the view teristics are selected at random, and corresponding public keys are
of A in the above execution with S is identical to the view of A calculated via the secret keys. As a consequence, we have
in Hy.4. If 𝑏 = 1, the view of A in the above execution with S is
identical to the view of A in Hy.5. Thus, this claim holds. Hy Hy
Claim 7. |Adv A 6 (𝜆) − Adv A 7 (𝜆)| is negligible.
𝑗
Hy.6. We modify 𝑆𝑒𝑛𝑑 1 (P1 , 𝑝𝑘 0 ) between incompatible users
before a 𝐶𝑜𝑟𝑟𝑢𝑝𝑡 query, where the public key 𝑝𝑘 0 is generated Proof. This claim is guaranteed by the security of AFEM.
by taking as input an incorrect secret key 𝑠𝑘 0 , and the output of
𝑗
𝑆𝑒𝑛𝑑 1 (P1 , 𝑝𝑘 0 ) is 𝑝𝑘 1 ← {0, 1}∗ , we set the session keys 𝑘 0∗, 𝑘 1∗ ← In the final hybrid, A’s view is independent of the real biometric
𝑗
{0, 1}ℓ . 𝑆𝑒𝑛𝑑 1 (P1 , 𝑝𝑘 0 ) is proceeded in a similar manner. Thus, secret keys chosen by S until the following cases happen. 1). A
𝑗 𝑗
Hy Hy queries 𝑅𝑒𝑣𝑒𝑎𝑙 (P0𝑖 ) or 𝑇 𝑒𝑠𝑡 (P0𝑖 ) (vs. 𝑅𝑒𝑣𝑒𝑎𝑙 (P1 ) or 𝑇 𝑒𝑠𝑡 (P1 )) after
Claim 6. |Adv A 5 (𝜆) − Adv A 6 (𝜆)| is negligible. 𝑗
𝑆𝑒𝑛𝑑 1 (P0𝑖 , 𝑝𝑘 1 ) (vs. 𝑆𝑒𝑛𝑑 1 (P1 , 𝑝𝑘 0 )) for a malicious and valid 𝑝𝑘 1
𝑗
Proof. This proof is implied by Claim 2, the difference is that (vs. 𝑝𝑘 0 ); 2) A queries 𝑅𝑒𝑣𝑒𝑎𝑙 (P0𝑖 ) or 𝑇 𝑒𝑠𝑡 (P0𝑖 ) (vs. 𝑅𝑒𝑣𝑒𝑎𝑙 (P1 ) or
the dummy 𝑝𝑘 1 here is sampled from a uniform distribution, but in 𝑗 𝑖 𝑗
𝑇 𝑒𝑠𝑡 (P1 )) after 𝑆𝑒𝑛𝑑 2 (P0, 𝑐 1 ) (vs. 𝑆𝑒𝑛𝑑 2 (P1 , 𝑐 0 )) for a malicious
Claim 2 it is computed by inputting a random secret key. Thus, we Hy
and valid 𝑐 1 (vs. 𝑐 0 ). Thus, it holds that Adv A 7 (𝜆) ≤ 𝑄𝑠 /𝐷 ,
omit the redundant analysis here.
the way the session keys are defined is exactly the same as in the
Hy.7. The secret keys/public keys are not known at the beginning, random or the real cases (chosen at random before corruption). The
Hy
but just at the corruption time or to check whether A wins when probability 𝑏 = 𝑏 is exactly Adv A 0 (𝜆) ≤ 𝑄𝑠 /𝐷 + 𝑛𝑒𝑔𝑙 (𝜆). This
A guesses the correct secret key at the very end only. concludes the proof of Theorem 5.2 with Claim 1 to 7.
2627
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
Table 1: Asymptotic Comparison, where 𝑛 denotes the bit-length of a biometric string, 𝑛 denotes the size of a biometric vector
set, and 𝜁 is a constant. A round means an interaction between two participants, i.e., one participant sends a message to the
other, who then sends another message back. For the researches [19] and [21], the number of rounds is evaluated based on the
building blocks (e.g., aPAKE is regarded as one round), i.e., the actual number of rounds depends on the instantiations, which
may be bigger than the number presented in this table.
Secret Symmetric
Scheme Technique Round Multiplication Exponentiation Hash
Sharing Encryption
sender − 𝑛 +𝜁
3 𝑛 +𝜁
4 − −
fPAKE-1 [19] Garbled Circult 5
receiver − 𝑛 +𝜁
3 𝑛 +𝜁
4 − −
sender PAKE + − 𝑛 +𝜁
2 𝑛
𝜁 −
fPAKE-2 [19] 2
receiver Secret Sharing − 𝑛 +𝜁
2 𝑛
𝜁 −
fuzzy sender Secret Sharing + 𝑛 +𝜁
2 𝑛 +𝜁
4 𝑛 +𝜁
3 1 𝑛 +𝜁
2
2
aPAKE-1 [21] receiver Oblivious Transfer 𝑛+ 𝜁 𝑛 +𝜁
4 𝑛 +𝜁
2 − 𝑛 +𝜁
2
fuzzy sender 𝑛 +𝜁
4 𝑛 +𝜁
5 𝑛 +𝜁
4 − 𝑛
2
aPAKE 2
aPAKE-2 [21] receiver 𝑛 +𝜁
2 𝑛 +𝜁
5 𝑛 +𝜁
2 − 𝑛
sender Random − 𝜁 − − −
BAKE-1 1
receiver Linear Codes 𝜁𝑛2 𝜁 𝜁 − −
sender Secret Sharing + 𝑛2 2𝑛 + 𝜁 𝜁 𝜁 −
BAKE-2 1
receiver Polynomial Interpolation 𝜁 𝑛3 2𝑛 + 𝜁 𝜁 𝜁 −
Table 2: Running Time (ms) on IrisCode and FVC2004. Table 3: Communication Cost (KB) on IrisCode and
FVC2004.
IrisCode FVC2004
Case 1 Case 2 Case 3 Case 4 DB1 DB2 DB3 DB4 IrisCode FVC2004
𝑚/𝑛 16 32 64 128 95 91 138 150 Case 1 Case 2 Case 3 Case 4 DB1 DB2 DB3 DB4
PubGen 54 55 56 58 29 28 43 45 𝑚/𝑛 16 32 64 128 95 91 138 150
Enc 101 110 111 110 151 148 221 232 𝑝𝑘 0.813 3.094 12.156 48.281 2.969 2.844 4.313 4.688
Dec 71 79 85 116 315 293 598 631 𝑐 0.844 3.125 12.188 48.313 2.672 2.566 3.867 4.219
BAKE-1 and BAKE-2 are one-round protocols that are suitable for
For asynchronous BAKE, the security proof is identical to syn- the asynchronous secure messaging setting.
chronous BAKE except for the Session sid0 , which is reduced to
the security of AFEM. 6.2 Experiments
6.2.1 Implementation. To measure the performance of our BAKE
6 EVALUATION protocols, we implemented a prototype in Python using a laptop
We show the asymptotic comparison with the state-of-the-art solu- computer, with the Intel Core i5-8300H CPU @ 2.30 GHz and 8 GB
tions and the experimental results on our implementation. RAM. The group in both solutions is implemented with the elliptic
curve Curve25519. BAKE-1 is implemented with the random linear
6.1 Asymptotic Comparison code provided in Fuller et al. [24] and BAKE-2 is instantiated with
Feldman’s secret sharing [23]. To ensure the biometric keys from
The asymptotic comparison with the state-of-the-art solutions is
the same user are considered close, and the ones from different
shown in Table 1, where our BAKE protocol for biometric vector is
users are considered distant, the parameters (e.g., 𝜏) were chosen
denoted as BAKE-1 and the one for biometric vector set is denoted as
by conducting experiments to obtain appropriate accuracy.
BAKE-2. Note that fPAKE [19] is a symmetric primitive, which gives
biometric characteristics away to the receiver and thus dissatisfies 6.2.2 Results on IrisCode and FVC2004. We first investigate the per-
the design goal of biometric privacy, while fuzzy aPAKE [21] is an formance of our BAKE protocols on two realistic datasets. For iris,
asymmetric primitive that has similar goals to BAKE. we transform an IrisCode into 4 cases: a 16-dimensional vector, a 32-
BAKE-1, fPAKE (instantiated as in [19]), and fuzzy aPAKE (in- dimensional vector, a 64-dimensional vector, and a 128-dimensional
stantiated as suggested in [21]) are designed for an 𝑛 -bit string, vector. For fingerprint, we use four databases from the Third In-
while BAKE-2 is designed for a set of cardinal 𝑛. The computation ternational Fingerprint Verification Competition (FVC2004) [36],
complexities of fPAKE-2 and fuzzy aPAKE-2 heavily rely on the un- in which DB1 and DB2 involve a similar size of fingerprint vector
derlying PAKE and aPAKE solutions. Therefore, in all the solutions set, while the distorted DB3 and synthetic DB4 are extracted more
for an 𝑛
-bit string, BAKE-1 is the most efficient one in terms of the noisy points, leading to big size 𝑛. The fingerprint images are pre-
computation complexity. Moreover, among these solutions, only processed with the OpenCV library and the minutiae points are
2628
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
1000 800
140 900 PubGen Enc Dec Decoding Algorithm
PubGen Enc Dec
800 700
Figure 6: Running time of the AFEM Figure 7: Running time of the AFEM Figure 8: Running time of different op-
construction for biometric vector, as construction for biometric vector, as erations in Dec for biometric vector, as
the size of biometric vector increases the size of biometric vector increases the size of biometric vector increases
from 20 to 140. from 100 to 1000. from 20 to 1000.
700 35 4500
600 PubGen Enc Dec 30 PubGen Enc Dec 4000 VSS.ShareGen
Running Timee (ms)
Figure 9: Running time of the AFEM Figure 10: Running time of the AFEM Figure 11: Running time of different
construction for biometric vector set, construction for biometric vector set, operations in Enc for biometric vector
as the size of biometric vector set in- as the size of biometric vector set in- set, as the size of biometric vector set
creases from 20 to 140. creases from 100 to 1000. increases from 20 to 1000.
extracted as coordinate values. For Algorithm 2, we choose 𝜇 = 4, Figure 8 further depicts the detailed time consumption of Dec, in
i.e., each fingerprint vector is composed of 50 4-bit values. which the decoding algorithm is dominated when 𝑚 ≥ 200.
The computation cost of each algorithm in our BAKE protocols The time consumption of algorithms in BAKE-2 is shown in
is shown in Table 2. Our protocol on IrisCode is more efficient Figure 9 and Figure 10, which implies that the running time of
than that on FVC2004, since there is only one ElGamal-like oper- these three algorithms increases as the size of biometric vector set
ation in the AFEM construction for biometric vector while there 𝑛 grows. The time consumption of Enc and Dec exceeds 1 second
are 𝑛 ElGamal-like operations in the AFEM construction for bio- when 𝑛 = 500 and 𝑛 = 200, respectively, which is more efficient than
metric vector set. However, both protocols are suitable for practical existing tow-factor authentication methods (at least 13 seconds on
applications from the view of computation overhead. average) [41]. We also experimented with different operations in
The communication cost consists of transmitting the public key Enc and Dec, as shown in Figure 11 and Figure 12. As 𝑛 increased,
𝑝𝑘 in the KeyGen phase and transmitting the encapsulated message the most time-consuming operation in Enc is the polynomial inter-
𝑐 in the AKE phase, as shown in Table 3. Again, we can conclude polation. In Dec, secret reconstruction and polynomial evaluation
that the two protocols are efficient in practice, even for the resource- are time-consuming operations when 𝑛 is big.
limited network, in terms of the communication overhead.
6.3 Comparison
We compare the computation and communication costs of BAKE-1
6.2.3 Further Results. We then investigate the computation cost and BAKE-2 with the recent fuzzy aPAKE constructions [21], de-
of our BAKE protocols with the size of biometric secret keys. noted as fuzzy aPAKE-1 and fuzzy aPAKE-2. From a practical point
The time consumption of algorithms in BAKE-1 is illustrated in of view, we set 𝑚 = 64 for the irises in BAKE-1 and employ the
Figure 6 and Figure 7. The running time of PubGen is the smallest average size of fingerprint vector set in DB1, i.e., 𝑛 = 95, in BAKE-2.
and increases slowly and the curve of Enc is smooth as the size of Fuzzy aPAKE-1 and fuzzy aPAKE-2 employ an iris as the “pass-
the biometric vector 𝑚 grows since Enc only involves an ElGamal- word”. Since fuzzy aPAKE-1 and fuzzy aPAKE-2 are designed based
like encryption operation. For Dec, the time consumption grows on oblivious transfer protocols and standard asymmetric PAKE,
substantially as 𝑚 increases and exceeds 0.5 seconds when 𝑚 = respectively, different instantiations cause distinct performance. To
600, which is similar to the general biometric authentication [53]. make the comparison more convincing, as recommended in [21],
2629
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
100000000 100000
16000 VSS.ShareRecon Running Time
Figure 12: Running time of different operations in Dec for Figure 13: Comparison of running time and communication
biometric vector set, as the size of biometric vector set in- cost.
creases from 20 to 1000.
we instantiate fuzzy aPAKE-1 with the oblivious transfer protocol these solutions need to store the (secret) randomness on the other
from [4] and instantiate fuzzy aPAKE-2 with OPAQUE [32]. participant, which may be exploited by an adversary. Another rep-
The results are shown in Figure 13. The running time of fuzzy resentative symmetric solution is presented by Dupont et al. [19],
aPAKE-1 is more than 4000 times cost of BAKE-1, and more than called fuzzy Password-Authenticated Key Exchange (fPAKE), which
2000 times cost of BAKE-2. The running time of fuzzy aPAKE-2 is solved the problem of key exchange from noisy low-entropy pass-
more than 5000 times cost of BAKE-1, and more than 2000 times word strings. However, their solutions need the other participant to
cost of BAKE-2. The communication cost of fuzzy aPAKE-1 is more store the password, which also violates data protection regulations
than 50 times cost of BAKE-1, and more than 230 times cost of when applied to biometrics.
BAKE-2. The communication cost of fuzzy aPAKE-2 is more than As required in General Data Protection Regulation (GDPR), bio-
80 times cost of BAKE-1, and more than 380 times cost of BAKE- metric characteristics should be protected against disclosure. For
2. Therefore, BAKE has an overwhelming advantage over fuzzy this goal, the study on asymmetric solutions, in which a participant
aPAKE in terms of both computation and communication costs. has no access to the biometric characteristics of other participants,
attracts the attention of researchers. To the best of our knowledge,
7 RELATED WORK the only suitable asymmetric solutions are the fuzzy asymmetric
According to whether the input secret is precise, we divide AKE PAKE protocols proposed by Erwig et al. [21]. They considered
into two categories: precise AKE and fuzzy AKE. asymmetric PAKE and fuzzy PAKE simultaneously, and gave two
Precise AKE. In this category, the input secret cannot con- constructions based on secret sharing and standard asymmetric
tain any typo or noise. The most common precise AKE includes PAKE, respectively. However, this primitive is only proposed for
password-based solutions [5, 32, 49] and PKI-based solutions [13, fuzzy vectors (e.g., password). Moreover, their constructions involve
45]. For resource-constrained devices, HB-type authentication pro- frequent interactions and are not suitable for asynchronous messag-
tocols [26, 30, 33] were proposed, whose security mainly relies on ing scenarios. In contrast, BAKE is designed for both fuzzy vectors
the Learning Parity with Noise (LPN) problem. In practice, many and fuzzy sets, and our constructions involve only one-round inter-
messaging applications (e.g., WhatsApp [51]) enable out-of-band action and support both synchronous and asynchronous scenarios.
authentication, assuming that users have access to an external
channel, such as Short Authenticated Strings (SAS) [37, 42, 50]. Un- 8 CONCLUSION
fortunately, these solutions cannot apply to biometric AKE since the
To facilitate secure messaging in social life, we propose a BAKE
captured biometrics (i.e., the input secret) contains unpredictable
framework that supports both synchronous and asynchronous sce-
noises. Moreover, many solutions (e.g., HB-type protocols and SAS-
narios and does no need to store any secret, including biometric
based solutions) require the two participants to share a secret, which
characteristics, in a terminal. We present a cryptographic primitive
violates data protection regulations when applied to biometrics.
called AFEM to enable only the participant with similar biometric
Fuzzy AKE. In this category, the input secret may contain typos
characteristics to obtain a message that is encapsulated with the
or noises when fed into cryptographic algorithms. Existing solu-
corresponding public key. We also give two constructions for AFEM
tions can be classified into two types: symmetric and asymmetric.
and initiates them with the iris and fingerprint in our BAKE frame-
In the symmetric solutions, the two communicating participants
work. The security analysis demonstrates that BAKE is secure and
possess the same secrets to authenticate each other and negotiate
the experimental results show the practicality of BAKE.
a session key. Fuzzy extractor is a typical solution introduced by
Dodis et al. [18]. In their solution, two similar biometric inputs can
be used to extract the same randomness from public information ACKNOWLEDGMENTS
while hiding these biometric inputs. Afterward, various fuzzy ex- This work was supported in part by the National Natural Science
tractor variants emerged [9–11], and multi-factor AKE protocols Foundation of China under grants No. U1836202, 61772383, 62172303,
were constructed based on the fuzzy extractor [38, 39]. However, 61802214, 62076187.
2630
Session 10B: Crypto and Protocol Security CCS ’21, November 15–19, 2021, Virtual Event, Republic of Korea
REFERENCES [29] Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. 2008. An Introduction to
[1] Divesh Aggarwal, Daniel Dadush, and Noah Stephens-Davidowitz. 2015. Solving Mathematical Cryptography. Springer.
the Closest Vector Problem in 2ˆn Time - The Discrete Gaussian Strikes Again!. [30] Nicholas J. Hopper and Manuel Blum. 2001. Secure Human Identification Proto-
In Proc. of FOCS. IEEE Computer Society. cols. In Proc. of ASIACRYPT. Springer.
[2] Muhammad Ejaz Ahmed, Il-Youp Kwak, Jun Ho Huh, Iljoo Kim, Taekkyung Oh, [31] Anil K. Jain, Salil Prabhakar, Lin Hong, and Sharath Pankanti. 1999. FingerCode:
and Hyoungshick Kim. 2020. Void: A Fast and Light Voice Liveness Detection A Filterbank for Fingerprint Representation and Matching. In Proc. of CVPR. IEEE
System. In Proc. of USENIX Security Symposium. USENIX Association. Computer Society.
[3] László Babai. 1986. On Lovász’ Lattice Reduction and the Nearest Lattice Point [32] Stanislaw Jarecki, Hugo Krawczyk, and Jiayu Xu. 2018. OPAQUE: An Asymmetric
Problem. Comb. 6, 1 (1986), 1–13. PAKE Protocol Secure Against Pre-computation Attacks. In Proc. of EUROCRYPT.
[4] Paulo S. L. M. Barreto, Bernardo David, Rafael Dowsley, Kirill Morozov, and Springer.
Anderson C. A. Nascimento. 2017. A Framework for Efficient Adaptively Secure [33] Ari Juels and Stephen A. Weis. 2005. Authenticating Pervasive Devices with
Composable Oblivious Transfer in the ROM. IACR Cryptol. ePrint Arch. (2017). Human Protocols. In Proc. of CRYPTO. Springer.
http://eprint.iacr.org/2017/993. [34] Xiangyu Liu, Shengli Liu, Dawu Gu, and Jian Weng. 2020. Two-Pass Authenti-
[5] José Becerra, Dimiter Ostrev, and Marjan Skrobot. 2018. Forward Secrecy of cated Key Exchange with Explicit Authentication and Tight Security. In Proc. of
SPAKE2. In Proc. of IEEE ProvSec. ASIACRYPT. Springer.
[6] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. 1998. A Modular Approach to the [35] Davide Maltoni, Dario Maio, Anil K. Jain, and Salil Prabhakar. 2009. Handbook of
Design and Analysis of Authentication and Key Exchange Protocols (Extended Fingerprint Recognition, Second Edition. Springer.
Abstract). In Proc. of TCC. ACM. [36] Biometric System Lab-University of Bologna. 2004. Fingerprint Verification
[7] Mihir Bellare, David Pointcheval, and Phillip Rogaway. 2000. Authenticated Key Competition 2004. http://bias.csr.unibo.it/fvc2004/. (2004).
Exchange Secure against Dictionary Attacks. In Proc. of EUROCRYPT. Springer. [37] Sylvain Pasini and Serge Vaudenay. 2006. SAS-Based Authenticated Key Agree-
[8] Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei P. Skorobogatov, and ment. In Proc. of PKC. Springer.
Ross J. Anderson. 2014. Chip and Skim: Cloning EMV Cards with the Pre-play [38] David Pointcheval and Sébastien Zimmer. 2008. Multi-factor Authenticated Key
Attack. In Proc. of S & P. IEEE Computer Society. Exchange. In Proc. of ACNS. Springer.
[9] Xavier Boyen. 2004. Reusable Cryptographic Fuzzy Extractors. In Proc. of CCS. [39] Mingping Qi, Jianhua Chen, and Yitao Chen. 2018. A Secure Biometrics-based
ACM. Authentication Key Exchange Protocol for Multi-server TMIS using ECC. Comput.
[10] Xavier Boyen, Yevgeniy Dodis, Jonathan Katz, Rafail Ostrovsky, and Adam D. Methods Programs Biomed. 164 (2018), 101–109.
Smith. 2005. Secure Remote Authentication Using Biometric Data. In Proc. of [40] Aditya Singh Rathore, Weijin Zhu, Afee Daiyan, Chenhan Xu, Kun Wang, Feng
EUROCRYPT. Springer. Lin, Kui Ren, and Wenyao Xu. 2020. SonicPrint: a Generally Adoptable and
[11] Ran Canetti, Benjamin Fuller, Omer Paneth, Leonid Reyzin, and Adam D. Smith. Secure Fingerprint Biometrics in Smart Devices. In Proc. of MobiSys. ACM.
2021. Reusable Fuzzy Extractors for Low-Entropy Distributions. J. Cryptol. 34, 1 [41] Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron,
(2021), 2. and Kent E. Seamons. 2019. A Usability Study of Five Two-Factor Authentication
[12] Melissa Chase, Apoorvaa Deshpande, Esha Ghosh, and Harjasleen Malvai. 2019. Methods. In Proc. of SOUPS. USENIX Association.
SEEMless: Secure End-to-End Encrypted Messaging with less</> Trust. In Proc. [42] Lior Rotem and Gil Segev. 2018. Out-of-Band Authentication in Group Messaging:
of CCS. ACM. Computational, Statistical, Optimal. In Proc. of CRYPTO. Springer.
[13] Katriel Cohn-Gordon, Cas Cremers, Benjamin Dowling, Luke Garratt, and Dou- [43] Jörg Schwenk, Marcus Brinkmann, Damian Poddebniak, Jens Müller, Juraj So-
glas Stebila. 2020. A Formal Security Analysis of the Signal Messaging Protocol. morovsky, and Sebastian Schinzel. 2020. Mitigation of Attacks on Email End-to-
J. Cryptol. 33 (2020), 1914–1983. End Encryption. In Proc. of CCS. ACM.
[14] Katriel Cohn-Gordon, Cas Cremers, Luke Garratt, Jon Millican, and Kevin Milner. [44] Signal. 2021. Signal Technical Information. https://signal.org/docs/. (2021).
2018. On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong [45] Dimitrios Sikeridis, Panos Kampanakis, and Michael Devetsikiotis. 2020. Post-
Security Guarantees. In Proc. of CCS. ACM. Quantum Authentication in TLS 1.3: A Performance Study. In Proc. of NDSS. The
[15] Cas Cremers, Jaiden Fairoze, Benjamin Kiesl, and Aurora Naska. 2020. Clone Internet Society.
Detection in Secure Messaging: Improving Post-Compromise Security in Practice. [46] Statista. 2021. Most popular global mobile messenger apps as of January 2021,
In Proc. of CCS. ACM. based on number of monthly active users. https://www.statista.com/statistics/
[16] John Daugman. 1993. High Confidence Visual Recognition of Persons by a Test 258749/most-popular-global-mobile-messenger-apps/. (2021).
of Statistical Independence. IEEE Trans. Pattern Anal. Mach. Intell. 15, 11 (1993), [47] Nirvan Tyagi, Paul Grubbs, Julia Len, Ian Miers, and Thomas Ristenpart. 2019.
1148–1161. Asymmetric Message Franking: Content Moderation for Metadata-Private End-
[17] John Daugman. 2016. Information Theory and the IrisCode. IEEE Trans. Inf. to-End Encryption. In Proc. of CRYPTO. Springer.
Forensics Secur. 11, 2 (2016), 400–409. [48] Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian
[18] Yevgeniy Dodis, Leonid Reyzin, and Adam D. Smith. 2004. Fuzzy Extractors: Goldberg, and Matthew Smith. 2015. SoK: Secure Messaging. In Proc. of S &P.
How to Generate Strong Keys from Biometrics and Other Noisy Data. In Proc. of IEEE Computer Society.
EUROCRYPT. Springer. [49] Mathy Vanhoef and Eyal Ronen. 2020. Dragonblood: Analyzing the Dragonfly
[19] Pierre-Alain Dupont, Julia Hesse, David Pointcheval, Leonid Reyzin, and Sophia Handshake of WPA3 and EAP-pwd. In Proc. of IEEE S & P.
Yakoubov. 2018. Fuzzy Password-Authenticated Key Exchange. In Proc. of EURO- [50] Serge Vaudenay. 2005. Secure Communications over Insecure Channels Based
CRYPT. Springer. on Short Authenticated Strings. In Proc. of CRYPTO. Springer.
[20] Simon Eberz, Kasper Bonne Rasmussen, Vincent Lenders, and Ivan Martinovic. [51] WhatsApp. 2016. WhatsApp Encryption Overview. https://www.whatsapp.com/
2015. Preventing Lunchtime Attacks: Fighting Insider Threats With Eye Move- security/WhatsApp-Security-Whitepaper.pdf. (2016).
ment Biometrics. In Proc. of NDSS. The Internet Society. [52] Wikipedia. 2021. Public Key Infrasstructure. https://en.wikipedia.org/wiki/
[21] Andreas Erwig, Julia Hesse, Maximilian Orlt, and Siavash Riahi. 2020. Fuzzy Public_key_infrastructure. (2021).
Asymmetric Password-Authenticated Key Exchange. In Proc. of ASIACRYPT. [53] Cong Wu, Kun He, Jing Chen, Ziming Zhao, and Ruiying Du. 2020. Liveness
Springer. is Not Enough: Enhancing Fingerprint Authentication with Behavioral Biomet-
[22] Facebook. 2017. Messenger Secret Conversatinos, Technical Whitepa- rics to Defeat Puppet Attacks. In Proc. of USENIX Security Symposium. USENIX
per. https://about.fb.com/wp-content/uploads/2016/07/messenger-secret- Association.
conversations-technical-whitepaper.pdf. (2017). [54] Xiu Xu, Haiyang Xue, Kunpeng Wang, Man Ho Au, and Song Tian. 2019. Strongly
[23] Paul Feldman. 1987. A Practical Scheme for Non-interactive Verifiable Secret Secure Authenticated Key Exchange from Supersingular Isogenies. In Proc. of
Sharing. In Proc. of FOCS. IEEE Computer Society. ASIACRYPT. Springer.
[24] Benjamin Fuller, Xianrui Meng, and Leonid Reyzin. 2013. Computational Fuzzy [55] Chen Yan, Yan Long, Xiaoyu Ji, and Wenyuan Xu. 2019. The Catcher in the Field:
Extractors. In Proc. of ASIACRYPT. Springer. A Fieldprint based Spoofing Detection for Text-Independent Speaker Verification.
[25] Yang Gao, Wei Wang, Vir V. Phoha, Wei Sun, and Zhanpeng Jin. 2019. EarEcho: In Proc. of CCS. ACM.
Using Ear Canal Echo for Wearable Authentication. Proc. ACM Interact. Mob. [56] Jiang Zhang, Zhenfeng Zhang, Jintai Ding, Michael Snook, and Özgür Dagdelen.
Wearable Ubiquitous Technol. 3, 3 (2019), 81:1–81:24. 2015. Authenticated Key Exchange from Ideal Lattices. In Proc. of EUROCRYPT.
Springer.
[26] Henri Gilbert, Matthew J. B. Robshaw, and Yannick Seurin. 2008. HB# : Increasing
[57] Bing Zhou, Jay Lohokare, Ruipeng Gao, and Fan Ye. 2018. EchoPrint: Two-factor
the Security and Efficiency of HB+ . In Proc. of EUROCRYPT. Springer. Authentication using Acoustics and Vision on Smartphones. In Proc. of MobiCom.
[27] Wire Swiss GmbH. 2018. Wire Security Whitepaper. https://wire-docs.wire.com/ ACM.
download/Wire+Security+Whitepaper.pdf. (2018). [58] Kai Zhou and Jian Ren. 2018. PassBio: Privacy-Preserving User-Centric Biometric
[28] Yiliang Han. 2021. Design of An Active Infrared Iris Recognition Device. In Proc. Authentication. IEEE Trans. Inf. Forensics Secur. 13, 12 (2018), 3050–3063.
of IPEC. IEEE Computer Society.
2631