Novel and Efficient Privacy-Preserving Continuous Authentication

Abstract

Continuous authentication enhances security by re-verifying a user’s validity during the active session. It utilizes data about users’ behavioral actions and contextual information to authenticate them continuously. Such data contain information about user-sensitive attributes such as gender, age, contextual information, and may also provide information about the user’s emotional states. The collection and processing of sensitive data cause privacy concerns. In this paper, we propose two efficient protocols that enable privacy-preserving continuous authentication. The contribution is to prevent the disclosure of user-sensitive attributes using partial homomorphic cryptographic primitives and reveal only the aggregated result without the explicit use of decryption. The protocols complete an authentication decision in a single unidirectional transmission and have very low communication and computation costs with no degradation in biometric performance.

1. Introduction

Computing technology is growing rapidly; mobile devices are now commonly used for different applications and services. The rapid advancement of technology also invites various security threats in different domains. Security breaches, including unauthorized access to user accounts, malware attacks, insider attacks, brute-force attacks, etc., are happening every day. Authentication is considered a fundamental aspect of digital security; it ensures whether the identity claimer is the right person or not. Verifying user identity with a weak authentication mechanism is one of the reasons for such security breaches. User authentication is usually accomplished in a static way, where the user is authenticated only once at the beginning of a session. Security problems likely occur when the PINs/passwords are stolen, or the device remains unattended for a while and somebody else uses it. To reduce security vulnerabilities, a second-factor authentication may be employed so that the user validity can be verified persistently. In this regard, continuous authentication may help to prevent unauthorized access by continuously authenticating the user during the session. It can be accomplished by collecting and monitoring user contextual information such as user physical location by GPS, logical location IP addresses, etc., or authenticating users using their behavioral traits.

Both behavioral biometrics and context-aware modalities offer passive and seamless authentication; therefore, they do not reduce usability. But, sometimes, they may face problems, and to address such problems, one should carefully choose the mode of continuous authentication. Different modalities solve different problems; for example, monitoring users by their location data, IP addresses, or other context-aware data only enhances security when an attacker tries to breach security from a different place with different devices, etc. Still, the limitation of this particular mechanism is that it gives no protection when the user leaves the device unattended and an imposter uses it. Behavioral biometric modalities may overcome this problem because users are authenticated based on the behavioral patterns they perform while using a device [1]. The limitation can be overcome because the imposter can be identified immediately. In this regard, keystroke dynamics or swipe gestures are the most suitable modes for continuous authentication.

Continuous authentication may have different applications, such as it can be used to secure mobile devices, financial services, IoT and smart homes, E-commerce, healthcare, cloud-based services, etc. Continuous authentication for such applications is also crucial because it requires outsourcing user data. Continuous authentication can be performed locally in the device, but devices have limited storage and computation resources, and there is a possibility of malicious or compromised client [2,3].

Continuous authentication modalities use user behavioral data such as keystroke patterns, swipe gestures, gait dynamics, and contextual data, including user location data, IP addresses, carrier data, user calendars, Bluetooth connectivity, or other personal data [1]. Such data are enormous and contain sensitive information about the user’s appearance, biometric information, and other user-sensitive and demographic information that may be induced from such features [4]. Outsourcing such personal data to a third party raises privacy concerns. These data contain biometric traits and contain identifiable and sensitive attributes. As per GDPR [5,6], these data must be stored and processed in a privacy-preserving manner.

Efficiency is another important concern in continuous authentication that requires attention. Continuous authentication works actively throughout the session; therefore, it requires low transmission overhead and efficient performance. The privacy-preserving continuous authentication protocols in the literature are either very inefficient [7,8] or proven insecure in [9]. For instance, in most cases, the authentication decision is made by performing many rounds of interaction between the client and the authentication server. This causes communication and computation overhead, as mentioned in the later Section 8.

Our contribution

To solve privacy and efficiency issues, this article makes the following contributions:

• Using the additive homomorphic encryption property, we propose two efficient protocols that protect the privacy of user behavioral features (enrollment vector and probe vector). Protocol 1 assumes an honest client and a malicious authentication server, and protocol 2 assumes a compromised client and malicious authentication server.
• Low communication and computation costs. Taking high communication and computation costs into consideration, we propose very efficient authentication protocols that avoid rounds of communication between the client and the authentication server; the protocols complete the authentication in a single unidirectional (client/server) transmission.
• The biometric performance (accuracy) of the proposed protocols is the same as is in the plaintext domain. In other words, there is no degradation in accuracy.

The rest of the paper is organized as follows: we discuss the related work in Section 2; the preliminaries are discussed in Section 3; the adversarial model is presented in Section 5; security requirements are discussed in Section 5.4; privacy-preserving protocol 1 is presented in Section 6; an extended protocol, taking a compromised client into account, is presented in Section 7; computation cost and communication is assessed in Section 8; a biometric evaluation is shown in Section 9; and Section 10 concludes the paper and discusses the future work.

2. Related Work

This section presents the literature review of privacy-preserving continuous authentication schemes. We only consider privacy-preserving solutions that utilize only cryptographic primitives to achieve privacy. Govindarajan et al. [7] proposed protocols for privacy-preserving continuous authentication. They use additive homomorphic encryption and computed encrypted Scaled Euclidean Distance (SED) and Scaled Manhattan Distance (SMD) to determine the dissimilarity between a reference template and a fresh input probe.

Safa et al. [10] proposed a generic implicit authentication scheme for contextual data. They used additive homomorphic encryption accompanied by order-preserving symmetric encryption. The final result is based on the dissimilarity scores of Average Absolute Deviation (AAD) between the enrollment and probe vector. Domingo-Ferrer et al. [11] presented an implicit authentication protocol using an additively homomorphic encryption primitive and computed a private set intersection between a set of enrollment features and a set of probes. Sitová et al. [8] used the idea of a fuzzy commitment scheme proposed by Juels and Wattenberg [12] to propose a touch dynamics-based authentication scheme. However, such techniques face certain limitations related to data reversibility and data distinguishability and do not achieve privacy [13]. Balagani et al. [14] presented privacy-preserving keystroke dynamics-based protocols for implicit authentication. Like Govindarajan et al., they also used additive homomorphic with a secure comparison protocol presented by Damgård et al. [15,16].

Acar et al. [17] proposed a second-factor hybrid privacy-preserving authentication protocol using keystroke dynamics. Their multi-factor authentication mechanism uses two types of cryptographic primitives: fully homomorphic encryption (FHE) [18] and fuzzy hashing [19].

Wei et al. [20] proposed a privacy-preserving continuous authentication protocol using the Paillier cryptosystem. The cosine similarity is used to determine the similarity between the encrypted reference template and the probe. The enrollment features are encrypted using the public key of the authentication server, and privacy is achieved using secret random numbers (secret key), such as each element is blinded with a secret blinding factor that is only known to the client. However, it is shown by Eskeland and Baig [9] that the Wei et al. scheme is insecure and not privacy preserving. They showed that the honest and curious authentication server obtains not only the plaintext of biometric features, but also the secret key vector. Moreover, they also showed that the Wei et al. scheme is vulnerable to active adversarial attacks.

Loya and Bana [21] used fully homomorphic encryption proposed by Cheon et al. [22] with differential privacy to propose a privacy-preserving protocol for keystroke analysis. Their solution trains neural networks utilizing differential privacy and evaluates the encrypted data.

Baig and Eskeland [23] proposed a privacy-preserving keystroke dynamics-based continuous authentication that computes penalty and reward functions defined by Bours [24]. Their privacy-preserving solution uses additive homomorphic encryption with a secure comparison protocol and completes authentication in five rounds.

Baig et al. [25] utilized an oblivious transfer protocol (OT) with homomorphic encryption to propose two privacy-preserving continuous authentication protocols. Their proposed protocols protect user biometric data and user activities and complete authentication in four rounds. Their proposed protocols provide communication efficiency as they compute similarity based on k actions and make interaction after k actions.

3. Preliminaries

This section discusses the building blocks.

Building Blocks

Our privacy-preserving continuous authentication protocols use the following building blocks:

(a) The Paillier cryptosystem [26,27] can be explained as follows: During a key generation phase, two large random prime numbers $p,q$ of equal length are selected and RSA product $n=pq$ is computed.The public and private keys are generated, of which $(n,g)$ is the public key, where $g=1+n$, and $(\mathit{\lambda },n)$ is the private key, where $\mathit{\lambda }=\mathit{\lambda }\left(n\right)=lcm(p-1,q-1)$, respectively. Encryption is performed as $c=(1+mn)r^{n}mod{n}^2$, where r is chosen randomly in $0<r<n$. Decryption is performed as $m=L(c^{\mathit{\lambda }}mod{n}^2)·{\mathit{\lambda }}^{-1}modn$, where L is a function $L\left(x\right)=\frac{x-1}{n}$.

Homomorphic encryption schemes enable the algebraic plaintext computations in the encrypted domain. The Paillier cryptosystem supports the following homomorphic properties: $E\left(x_1\right)·E\left(x_2\right)=E(x_1+x_2)$ and scalar multiplication can be stated as $E{\left(x\right)}^k=E(k·x)$, where notation $E\left(x\right)$ represents the encryption of x. The notation is presented in

Table 1. Notation.

$\overrightarrow{x}$	Reference feature vector	$\overrightarrow{y}$	Probe vector
$\overrightarrow{c}$	Encrypted reference feature vector	$\overrightarrow{d}$	Encrypted probe
C	Client	$AS$	Authentication server
$\mathit{\lambda }$	$AS$ private key-pair	$n,g$	$AS$ public key-pair

.

(b) The cosine similarity. Assume $\overrightarrow{x}=(x_1,\dots ,x_m)$ and $\overrightarrow{y}=(y_1,\dots ,y_m)$ are two vectors, where the cosine similarity between $(\overrightarrow{x},\overrightarrow{y})$ is defined as

$$\cos (\overrightarrow{x},\overrightarrow{y})=\frac{{\sum }_{j=1}^m{x}_j{y}_j}{\sqrt{{\sum }_{j=1}^m{x}_j^2}\sqrt{{\sum }_{j=1}^m{y}_j^2}}$$

(1)

The cosine similarity of 1 indicates that vector $\overrightarrow{x}$ and vector $\overrightarrow{y}$ are exactly similar, where 0 indicates complete dissimilarity between two vectors.

4. Generic Continuous Authentication Algorithm Based on Cosine Similarity

User authentication is accomplished in two phases: an enrollment phase and an authentication phase. A generic authentication scenario is presented in Algorithm 1. In the enrollment phase, biometric features $\overrightarrow{a}=(a_1,\dots ,a_m)$ are sampled, and in accordance with the cosine similarity, a reference feature vector (template) $\overrightarrow{x}=(x_1,\dots ,x_m)$ is created by computing $A=\sqrt{{\sum }_{j=1}^m{a}_j^2}$, where $x_j=a_j/A$, $1\le j\le m$.

Algorithm 1

Enrollment phase $\overrightarrow{a}=(a_1,\dots ,a_m)$ $A=\sqrt{{\sum }_{j=1}^m{a}_j^2}$ $x_j=a_j/A$, $1\le j\le m$ $\overrightarrow{x}=(x_1,\dots ,x_m)$  Authentication phase $\overrightarrow{b}=(b_1,\dots ,b_m)$ $B=\sqrt{{\sum }_{j=1}^m{b}_j^2}$ $y_j=b_j/B$, $1\le j\le m$ $\overrightarrow{y}=(y_1,\dots ,y_m)$ $s={\sum }_{j=1}^m{x}_j{y}_j$   if $(s>T)$ then  Accept  end if

Authentication features $\overrightarrow{b}=(b_1,\dots ,b_m)$ are sampled in the authentication phase, where $B=\sqrt{{\sum }_{j=1}^m{b}_j^2}$, $y_j=b_j/B$, $1\le j\le m$, are precomputed in the same way as stated above to construct the probe vector $\overrightarrow{y}=(y_1,\dots ,y_m)$, where m indicates the total elements in a vector. The cosine similarity s between the template vector $\overrightarrow{x}$ and the probe vector $\overrightarrow{y}$ is computed as a dot product:

$$s=\overrightarrow{x}·\overrightarrow{y}=\sum _{j=1}^m{x}_j{y}_j$$

(2)

Finally, to make an authentication decision, s is compared to a predefined threshold $\mathit{\tau }$. If $s>\mathit{\tau }$ is true, then the user is accepted.

5. Adversarial Model

Different types of adversaries are considered in biometric authentication systems, such as malicious parties, semi-honest parties, etc.; malicious parties are considered strong adversaries, whereas semi-honest parties follow the protocol honestly. The protocols presented in the later sections do not take external adversaries into account and assume that communication between the user and the server is secure and that external threats, such as replay attacks and other similar attacks, are mitigated by applying other security techniques. Note that the enrollment phase is completed in a trusted environment. The proposed authentication protocols consider the following adversaries.

5.1. Trusted Client

A trusted client in a biometric system is considered fully reliable and honest. In this regard, Protocol 1 assumes that the client’s device is secure and that the client is trusted and honestly follows the protocol, and the trusted client is not even curious about the protocol working.

5.2. Malicious Authentication Server

The malicious parties may deviate from the protocol and may act as an active adversary. We assume the authentication server is a malicious party and may deviate from the protocol. The goals of a malicious authentication server may include attempting to learn the stored enrollment data or authentication features by any means. The malicious $AS$ may send false messages to the client to extract additional information [28].

5.3. Malicious Client

A malicious client is a type of adversary that may also deviate from the protocol. This type of adversary may try to learn enrollment data or may forge the biometric data and try to gain unauthorized access. In the extended protocol, protocol 2, we assume that the client is malicious and can deviate from the protocol [28].

5.4. Security Requirements

To preserve the privacy of biometric features, we assume that a privacy-preserving protocol fulfills the following privacy requirements (PR):

• PR1: The authentication server must not learn the reference features stored during the enrollment phase.
• PR2: The authentication server must not learn the probe during the authentication phase.
• PR3: The authentication server should only learn the outcome but nothing more.
• PR4: The identity claimer should not learn the enrollment feature vector.

6. The Novel Privacy-Preserving Authentication Protocol

In this section, we propose a novel privacy-preserving authentication protocol that protects the enrollment feature vector and the probe vector. It consists of three phases: A setup phase, an enrollment phase, and an authentication phase. The privacy-preserving protocol is shown in Figure 1.

6.1. Setup Phase

The authentication server $\left(AS\right)$ generates a Paillier public key $(g,n)$, that is shared with the client $\left(C\right)$.

6.2. Enrollment Phase

During the enrollment phase, C is registered to $AS$ by providing reference biometric features (template) in a privacy-preserving way.

This phase samples biometric features as $\overrightarrow{a}=(a_1,\dots ,a_m)$ and prepares the template vector $\overrightarrow{x}=(x_1,\dots ,x_m)$, in accordance with the cosine similarity, as stated in Section 4. C randomly selects a vector $\overrightarrow{r}$ and computes $c_j=g^{r_j}(1+x_{j}n)mod{n}^2$, where the secret encryption factor $g^{r_j}$ is an element in $Z_{n^2}^{*}$, $1\le j\le m$. Note that the encryption factor $g^{r_j}$ is computed differently from the Paillier encryption scheme. The encryption factor $g^{r_j}$ is removed using $\mathit{\alpha }$ and $\mathit{\beta }$ in the authentication phase without a private key while the enrollment features remain protected. C computes an encrypted reference template vector $\overrightarrow{c}=(c_1,\dots ,c_m)$ and sends $\overrightarrow{c}$ to $AS$. $AS$ stores the encrypted reference template $\overrightarrow{c}$, and C stores $(\overrightarrow{x},\overrightarrow{r})$ locally.

6.3. Authentication Phase

During the authentication phase, the similarity between the probe and the reference template is determined. The probe vector $\overrightarrow{b}=(b_1,\dots ,b_m)$ is sampled for each behavioral action, and C computes $B=\sqrt{{\sum }_{j=1}^m{b}_j^2}$ and $y_j=b_j/B$, $1\le j\le m$ in accordance with the cosine similarity.

C randomly chooses $k_j\in {\mathbb{Z}}_n^{*}$ for blinding the probe elements as $d_j=y_j+k_j$, $1\le j\le m$, where $\overrightarrow{d}=(d_1,\dots ,d_m)$. C retrieves the reference enrollment template $\overrightarrow{x}$ and secret vector $\overrightarrow{r}$, and computes

$$\mathit{\alpha }=g^{-{\sum }_{j=1}^m{r}_j{d}_j}mod{n}^2$$

and

$$\mathit{\beta }=\sum _{j=1}^m{x}_j{k}_{j}mod{n}^2$$

$\mathit{\alpha }$ and $\mathit{\beta }$ are computed for subsequent elimination of the encryption factors $g^{r_j}$ of $c_j$ and $k_j$ of $d_j$, such that $AS$ obtains only the result of dot product s (Equation (2)), but learns nothing about $(\overrightarrow{x}$, $\overrightarrow{y}$, $\overrightarrow{r}$, $\overrightarrow{k})$.

C sends an authentication request message $(\mathit{\alpha },\mathit{\beta },\overrightarrow{d})$ to the $AS$ for the authentication. Upon receiving $(\mathit{\alpha },\mathit{\beta },\overrightarrow{d})$ from C, $AS$ retrieves encrypted reference template $\overrightarrow{c}$ and computes

$$\begin{array}{c}\hfill S=\mathit{\alpha }\prod _{j=1}^m{c}_j^{d_j}-\mathit{\beta }n\end{array}$$

(3)

The correctness can be verified as

$$\begin{array}{cc}\hfill S=& \mathit{\alpha }\prod _{j=1}^m{c}_j^{d_j}-\mathit{\beta }nmod{n}^2\hfill \\ \hfill =& \mathit{\alpha }\prod _{j=1}^m{\left(g^{r_j}(1+x_{j}n)\right)}^{d_j}-\mathit{\beta }nmod{n}^2\hfill \\ \hfill =& \mathit{\alpha }\prod _{j=1}^m{g}^{r_j{d}_j}(1+x_j{d}_{j}n)-\mathit{\beta }nmod{n}^2\hfill \\ \hfill =& \mathit{\alpha }\prod _{j=1}^m{g}^{r_j{d}_j}\prod _{j=1}^m(1+x_j{y}_{j}n+x_j{k}_{j}n)-\mathit{\beta }nmod{n}^2\hfill \\ \hfill =& \mathit{\alpha }{\mathit{\alpha }}^{-1}\prod _{j=1}^m(1+x_j(y_j+k_j)n)-\mathit{\beta }nmod{n}^2\hfill \\ \hfill =& 1+n\sum _{j=1}^m{x}_j{y}_j+n\sum _{j=1}^m{x}_j{k}_j-\mathit{\beta }nmod{n}^2\hfill \\ \hfill =& 1+n\sum _{j=1}^m{x}_j{y}_j+\mathit{\beta }n-\mathit{\beta }nmod{n}^2\hfill \\ \hfill =& 1+n\sum _{j=1}^m{x}_j{y}_{j}mod{n}^2\hfill \\ \hfill =& 1+sn\hfill \end{array}$$

(4)

Finally, the dot product $s=L\left(S\right)=\frac{S-1}{n}={\sum }_{j=1}^m{x}_i{y}_i$ is restored. $AS$ checks $s>\mathit{\tau }$. If this is true, then $AS$ accepts the request.

6.4. Security Analysis

Note that protocol 1 does not deal with the malicious client (privacy requirement 4 $PR4$). The proposed protocol fulfills the privacy requirements mentioned in Section 5.4 as follows:

• $PR1$. The authentication server must not learn the reference feature vector $\overrightarrow{x}$ stored during the enrollment phase.

The client sends $\overrightarrow{c}$ to the authentication server during the enrollment phase, and the elements of the reference template vector $\overrightarrow{c}$ are created as $c_j=g^{r_j}(1+x_{j}n)$, $1\le j\le m$. Each element $x_j$ is protected with $g^{r_j}$, which is randomly chosen. As $x_j$ and $g^{r_j}$ are unknown to the adversary, it is hard to determine $x_j$.

$AS$ has knowledge of $(\overrightarrow{c},\overrightarrow{d},\mathit{\alpha },\mathit{\beta })$. Since $\mathit{\alpha }=g^{-{\sum }_{j=1}^m{r}_j{d}_j}$, $\mathit{\beta }={\sum }_{j=1}^m{x}_j{k}_j$, are aggregated values, they do not reveal information about the elements of $(\overrightarrow{x},\overrightarrow{y},\overrightarrow{r})$.

• $PR2$. The authentication server must not learn the probe vector $\overrightarrow{y}$ during the authentication phase.

In the authentication phase, C blinds each element of the probe vector $\overrightarrow{y}$ as $d_j=y_j+k_j$, $1\le j\le m$, with a secret random integer $k_j\in {\mathbb{Z}}_n^{*}$. Due to the blinding, it is impossible to determine $y_j$ or $k_j$ from $\overrightarrow{d}$. However, $k_j$, $1\le j\le m$, occur in the computation of the dot product $\mathit{\beta }={\sum }_{j=1}^m{x}_j{k}_{j}mod{n}^2$. Thus, no information about $\overrightarrow{y}$ from $\mathit{\beta }$ could be learned.

• $PR3$. The authentication server should only learn the outcome but nothing more.

The reference template vector and probe vector are blinded by the mean of random secret elements $(\overrightarrow{r}$, $\overrightarrow{k})$, which are canceled out by means of $\mathit{\alpha }$ and $\mathit{\beta }$ in a privacy-persevering way. $AS$ can only see the final result of the dot product, which is the cosine similarity between the probe and the reference template.

7. Extended Scheme w.r.t a Malicious Client

The privacy-preserving scheme in Section 6 requires that the enrollment template vector $\overrightarrow{x}$ and the random vector $\overrightarrow{r}$ are stored unprotected in the device. Considering that the client is a malicious adversary who can potentially obtain access to the enrollment template vector $\overrightarrow{x}$. To deal with this problem, we extend the previous protocol w.r.t protecting the enrollment template vector $\overrightarrow{x}$. The extended protocol is presented in Figure 2 and solves.

7.1. Setup Phase

The authentication server shares the public key with the client C and keeps $\mathit{\lambda }$ secret, as stated in Section 6.1.

7.2. Enrollment Phase

During this phase, C prepares an encrypted reference template $\overrightarrow{c}$ in the same way as stated in Section 6.2. C randomly selects a vector $\overrightarrow{r}$, where $g^{r_j}$ is an element in $Z_{n^2}^{*}$ and blinds each element of $\overrightarrow{x}$ as $c_j=g^{r_j}(1+x_{j}n)mod{n}^2$. Note that the encryption factor $g^{r_j}$ is computed differently from the Paillier encryption scheme, as stated in protocol 1. C sends $\overrightarrow{c}$ to $AS$. C stores $\overrightarrow{r}=(r_1,\dots ,r_m)$ locally in the device.

To protect the reference template $\overrightarrow{x}$, each element is encrypted using an $AS$ public key in agreement with the Paillier cryptosystem. C randomly chooses $r_j^{\prime }\in {\mathbb{Z}}_n^{*}$ and computes the Paillier encryption $c_j^{\prime }=r_j^{\prime n}(1+x_{j}n)mod{n}^2,1\le j\le m$, and stores the encrypted vector $\overrightarrow{c^{\prime }}=(c_1^{\prime },\dots ,c_m^{\prime })$ locally.

7.3. Authentication Phase

The probe vector $\overrightarrow{b}=(b_1,\dots ,b_m)$ is sampled and C randomly chooses $k_j\in {\mathbb{Z}}_n^{*}$ for blinding the probe elements as $d_j=y_j+k_j$, $1\le j\le m$, where $\overrightarrow{d}=(d_1,\dots ,d_m)$, and computes $\mathit{\alpha }=g^{-{\sum }_{j=1}^m{r}_j{d}_j}mod{n}^2$ in the same way as in Section 6.3. C computes $\mathit{\gamma }={\prod }_{j=1}^m{c_j^{\prime }}^{k_j}mod{n}^2$, where $k_j\in {\mathbb{Z}}_n^{*}$ is an element of random vector $\overrightarrow{k}$, which is also used in $\overrightarrow{d}$. C sends $(\mathit{\alpha },\mathit{\gamma },\overrightarrow{d})$ to the $AS$ for the authentication.

Upon receiving the message from C, $AS$ first decrypts $\mathit{\gamma }$ in agreement with the Paillier cryptosystem by first computing

$$\begin{array}{cc}\hfill {\mathit{\gamma }}^{\prime }=& {\mathit{\gamma }}^{\mathit{\lambda }}=\prod _{j=1}^m{c_j^{\prime }}^{k_j\mathit{\lambda }}mod{n}^2\hfill \\ \hfill =& \prod _{j=1}^m{r_j^{\prime }}^{k_j\mathit{\lambda }n}{(1+x_{j}n)}^{k_j\mathit{\lambda }}mod{n}^2\hfill \\ \hfill =& \prod _{j=1}^{m}1+x_j{k}_j\mathit{\lambda }nmod{n}^2\hfill \\ \hfill =& 1+n\mathit{\lambda }\sum _{j=1}^m{x}_j{k}_{j}mod{n}^2\hfill \end{array}$$

(5)

where ${r_j^{\prime }}^{k_j\mathit{\lambda }n}\equiv 1mod{n}^2$, $AS$ restores

$$\mathit{\beta }=L\left({\mathit{\gamma }}^{\prime }\right)·{\mathit{\lambda }}^{-1}modn=\sum _{j=1}^m{x}_j{k}_j$$

which is same as $\mathit{\beta }$, as stated in the Section 6.3,

After that, $AS$ retrieves the encrypted template $\overrightarrow{c}$ and computes

$$S=\mathit{\alpha }\prod _{j=1}^m{c}_j^{d_j}-\mathit{\beta }n$$

The correctness is in agreement with Equation (4).

The dot product $s=L\left(S\right)=\frac{S-1}{n}={\sum }_{j=1}^m{x}_i{y}_i$ is restored. $AS$ verifies whether $s>\mathit{\tau }$ is true, then C is accepted.

7.4. Security Analysis

This section presents the security analysis of $PR4$; the rest of the privacy requirements ($PR1,PR2,$ and $PR3$) are in agreement with the security analysis presented in Section 6.4. Since both protocols do not send anything back to the client, the malicious $AS$ cannot send any false messages to the client. Any message from $AS$ will considered as a false message.

• $PR4$. The identity claimer should not learn the enrollment feature vector.

The device stores the encrypted reference template vector $\overrightarrow{c^{\prime }}$ by the public key of $AS$; due to that, C cannot access the unencrypted reference template vector. Hence, if the device gets compromised, the adversary cannot access $\overrightarrow{x}$. Moreover, C sends the blinded probe to $AS$, where $AS$ determines the similarity between the encrypted reference template and the blinded probe in a privacy-preserving way without a second interaction.

8. Computation Cost Analysis and Comparison

The computation and communication efficiency of the proposed protocol are determined by comparing them with the existing protocols proposed in a similar domain. We analyze the computation cost of encrypted operations, the number of rounds required to complete the authentication decision, and the transmitted encryptions in each transmission.

The proposed protocols complete an authentication decision in a single unidirectional transmission between the client $\left(C\right)$ and the authentication server $\left(AS\right)$. C blinds each element of the probe vector and sends it the $AS$. Using a homomorphic property, $AS$ computes m scalar products.

The abbreviations used in

Table 2. Complexity comparison.

Protocol	Number of Rounds	Number of Encryptions	Cryptographic Primitives
Safa et al. [10]	3	$3m$	Paillier + OPE
Domingo-Ferrer et al. [11]	2	$2m$	Paillier, PSI
Baig et al. [25]	4	$km+4$	Paillier Threshold Decryption + OT
Proposed protocol (s)	1	$m+2$	Modified Paillier

are denoted as SE: Symmetric encryption, PSI: Private set intersection, OPE: Order preserving encryption, and OT: Oblivious transfer protocol.

The protocol proposed by Govindarajan et al. [7] completes the authentication decision by performing four round transmissions between the client and the server, whereas in the first transmission, a vector of the m encrypted element is transmitted to the client. Then, the client and the server invoke the privacy-preserving comparison protocol proposed by Damgård et al. [15,16] to compute the Scaled Manhattan Distance. Note that the Damgård et al. [15,16] protocol compares integers in privacy-preserving manners without compromising their confidentiality. They computed the Squared Euclidean distance based on the Erkin et al. protocol [29]. Due to computational and communication inefficiencies of the sub-protocol proposed by Damgård et al. [15,16], the Govindarajan et al. protocols [7,14] are very inefficient.

The Wei et al. protocol [20] completes an authentication decision by making three rounds of transmissions between the client and the server. In each interaction, m encrypted elements are transmitted. Each party computes m scalar multiplication in each interaction.

The Baig et al. [25] protocols complete the authentication decision for k activities in four rounds. Other means of continuous authentication, such as utilizing user physical location data, cookies, IP addresses, etc., proposed in [10,11,30], are also very inefficient. Domingo-Ferrer et al. [11] protocol takes two rounds, where each round sends an encryption of m elements. Similarly, Shahandashti et al. [30] protocol also takes three rounds to complete the authentication decision, and each round transmits m encryptions.

In comparison to the protocols in [7,20,23,25], our proposed protocols are very efficient in terms of computation cost and communication costs.

Considering the scenario of continuous authentication, the authentication decision is made periodically, such as instead of making the authentication decision based on a single behavioral action, it should be decided on the basis of more than one action, such as $\left(k\right)$ actions; for such scenarios, the protocols in [7,20] take $4k$, $3k$ interactions, respectively. Meanwhile, for k actions, our protocols require only k round transmissions. The comparison is presented in Table 2.

9. Performance Evaluation

To analyze the performance of the proposed protocols, we perform the biometric analysis of the proposed protocols and determine the running time in milliseconds (ms).

9.1. Biometric Evaluation

Table 3. Biometric evaluation of the proposed protocols.

T	FNMR	FMR	EER
0.90	0.247	0.334	0.291
0.91	0.275	0.282	0.279
0.92	0.313	0.236	0.274
0.93	0.355	0.198	0.277
0.94	0.396	0.165	0.281
0.95	0.423	0.138	0.280
0.96	0.462	0.109	0.286

presents the biometric analysis of the proposed protocols. To determine the biometric performance of the proposed protocols, we used a publicly available dataset [4] (Available at: https://www.ms.sapientia.ro/~manyi/bioident.html, accessed on 15 June 2023) to evaluate the biometric performance. The touch gestures data are collected from 51 participants, 42 male and 9 female. A swipe gesture contains the following feature elements [4]:

“stroke-duration, start-x, start-y, stop-x, stop-y, direct-end-to-end-distance, mean-resultant-length, up-down-left-right-flag, direction-of-end-to-end line, largest-deviation-from-end-to-end-line, average-direction, length-of-trajectory, average-velocity, mid-stroke-pressure, mid-stroke-area”.

Each user provides l samples in different sessions and on different devices. The biometric performance is analyzed by determining the false match rate (FMR), false non-match rate (FNMR), and equal error rate (EER). We randomly select one sample and make it a reference template. For each user, a template is created by following the steps stated in the enrollment phase of proposed protocols; for example, we created 51 reference templates (one for each user). The rest of the $l-1$ samples are utilized for the testing. FNMR determines the similarity between the reference template and the remaining samples.

For FMR, we construct (l) imposter samples by choosing different samples from different users. FMR is determined by computing the similarity between the reference template of each user and the imposter samples. The similarity is computed by following steps mentioned in the proposed protocols.

The performance on the blinded features is the same as the performance of the baseline in the plaintext domain. We achieved different performances on different thresholds (T). The lower threshold gives lower FNMR but also gives high FMR. The highest FNMR of $0.462$ has been achieved on $T=0.96$, whereas the lowest FNMR has been $0.275$ on $T=0.91$. The best FNMR $0.275$ and FMR $0.282$ are achieved on $T=0.91$. Note that the accuracy of the proposed protocols is the same as without privacy presented in Algorithm 1. Adding cryptography does not degrade the accuracy.

9.2. Running Time

The running time of the proposed protocols is measured on Intel(R) Core(TM) i5-7440 HQ [email protected] GHz, 32 GB RAM in Python 3.10. The running time of the proposed protocols is tested on different security levels $(k=112,128,192)$. The running time of the proposed protocol 1 is shown in Figure 3a.

Figure 3b shows the running time of the proposed protocol, protocol 2; due to the decryption, protocol 2 has a slightly higher running time than protocol 1. This analysis does not include the communication costs.

10. Conclusions and Future Work

In this paper, we have proposed two efficient privacy-preserving continuous authentication protocols that protect user biometric features. The proposed protocol 1, provides privacy protection under the malicious authentication server and honest client, and the proposed protocol 2, considers malicious parties. The biometric evaluation on a publicly available dataset has shown that the proposed protocols have good performance. The privacy-preserving protocols provide the same accuracy as without encryption. The proposed protocols offer low communication and computation costs and complete authentication in a single uni-directional transmission. Low costs overhead and good biometric performance prove the practicality of the proposed protocols in real-life applications.

The proposed protocols can be utilized for continuous authentication as well as static authentication, such as authentication using any biometrics or contextual modalities.

In future work, we will consider making the final comparison in a privacy-preserving way.