
Method And System For Proof Of Decryption Based Biometric Authentication

Abstract: Authentication is a key requirement in any information system. Conventional authentication systems without a trusted third-party server use single-layer authentication checking, which may lead to security vulnerability. The present disclosure provides a three tier authentication system. Initially, a plurality of clients register with the server using a plurality of biometric templates which are encrypted using Fully Homomorphic Encryption (FHE). Whenever a user tries to log in to a client, the client transmits the biometric information of the user in an FHE encrypted format. The server receives the FHE encrypted biometric information and compares it with the stored template. If it matches the stored template, the server computes a resultant value of the FHE encrypted biometric information and authenticates the client based on the resultant value using at least one of a commitment based authentication, a matrix based authentication and a determinant based authentication.

Patent Information

Application #:
Filing Date: 11 March 2021
Publication Number: 37/2022
Publication Type: INA
Invention Field: COMMUNICATION
Status:
Email: ip@legasis.in
Parent Application:
Patent Number:
Legal Status:
Grant Date: 2024-06-16
Renewal Date:

Applicants

Tata Consultancy Services Limited
Nirmal Building, 9th Floor, Nariman Point, Mumbai 400021, Maharashtra, India

Inventors

1. SHAIK, Imtiyazuddin
Tata Consultancy Services Limited, Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout, Serilingampally Mandal, Madhapur, Hyderabad – 500081, Telangana, India
2. NARUMANCHI, Harika
Tata Consultancy Services Limited, IIT-Madras Research Park, Block A, Second Floor, Phase - 2, Kanagam Road, Taramani, Chennai – 600113, Tamil Nadu, India
3. EMMADI, Nitesh
Tata Consultancy Services Limited, Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout, Serilingampally Mandal, Madhapur, Hyderabad – 500081, Telangana, India
4. ALASINGARA BHATTACHAR, Rajan Mindigal
Tata Consultancy Services Limited, Unit-III, No 18, 4th Floor, Cubicle No:3, SJM Towers, Seshadri Road, Gandhinagar, Bangalore – 560009, Karnataka, India
5. RAO CHALAMALA, Srinivas
Tata Consultancy Services Limited, Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout, Serilingampally Mandal, Madhapur, Hyderabad – 500081, Telangana, India
6. SYED, Habeeb Basha
Tata Consultancy Services Limited, Deccan Park, Plot No 1, Survey No. 64/2, Software Units Layout, Serilingampally Mandal, Madhapur, Hyderabad – 500081, Telangana, India
7. SINGH DILIP THAKUR, Meena
Tata Consultancy Services Limited, Gopalan Global Axis, H- Block, 152, Hoodi Village, ITPL Road, Bangalore – 560066, Karnataka, India

Specification

Claims:
1. A processor implemented method (200), the method comprising:
receiving (202), by one or more hardware processors of a server, a ciphertext from a client, wherein the ciphertext is computed by the client by encrypting a plaintext based on a Fully Homomorphic Encryption (FHE) using a public key (Pk) of the client, wherein the plaintext is a biometric information of a user;
computing (204), by the one or more hardware processors of the server, a resultant value E(RES) of the ciphertext by utilizing a resultant value computation technique; and
authenticating (206) the client by the one or more hardware processors of the server, based on the resultant value E(RES) by using at least one of a plurality of proof of decryption based authentication techniques, wherein the plurality of proof of decryption based authentication techniques comprises a commitment based authentication, a matrix based authentication and a determinant based authentication.
2. The method as claimed in claim 1, wherein the method for commitment based authentication comprises:
transmitting by the client, a commitment key (Ck) to the server before initiating a transaction, wherein the commitment key (Ck) is computed by the client based on a plurality of random variables, a modulus value and a hash value (Hkey) of a private key (K) of the client;
receiving by the client, the encrypted resultant value E(RES) and the commitment key (Ck) from the server;
simultaneously computing by the client, the hash value (Hkey) to obtain the corresponding private key (K) from a client database;
decrypting by the client, the encrypted resultant value E(RES) using the private key (K);
computing by the client, a proof of decryption value based on the ciphertext, the resultant value E(RES), the hash value (Hkey) and the private key (K), wherein the proof of decryption value is set to one if the plaintext decrypted from the encrypted resultant value E(RES) using the private key (K) and the plaintext are equal;
transmitting by the client, the decrypted resultant value D(RES) and the proof of decryption value to the server; and
receiving by the client, an authentication value from the server computed based on the E(RES) and the commitment key (Ck), wherein the authentication value is set to one if the plaintext decrypted from the encrypted resultant value E(RES) using the commitment key (Ck) is equal to the plaintext and the proof decryption value is set to one, and wherein the client is authenticated only if the authentication value is set to one.
3. The method as claimed in claim 1, wherein the method for matrix based authentication comprises:
segmenting by the server, the ciphertext E(RES) into a plurality of cipher segments (C1,C2,….Cd), wherein a count associated with the plurality of cipher segments is pre-configured by the server;
simultaneously generating by the server, a first random matrix M(dxd) based on a plurality of random elements, wherein the size of the first random matrix is pre-configured by the server;
computing by the server, a first matrix product (CS1,CS2,...,CSd) of the plurality of cipher segments by multiplying the first random matrix with the plurality of cipher segments (C1,C2,….Cd);
transmitting by the server to the client, the first matrix product (CS1,CS2,...,CSd) of the plurality of cipher segments (C1,C2,….Cd);
receiving by the server, a plurality of decrypted cipher segments corresponding to the ciphertext (Q1,Q2,...Qd) = D(CS1,CS2,...,CSd) decrypted by the client and the decrypted resultant value D(RES), wherein the client decrypts the cipher segments based on the private key of the client (K); and
authenticating the client by the server by:
segmenting the received decrypted resultant value D(RES) into a plurality of segments (T1,T2...Td);
computing a second matrix product (Z1,Z2...Zd)=(T1,T2...Td)* M;
computing a first sum value based on the second matrix product by adding each element of the matrix product;
computing a second sum value based on the cipher segments (Q1,Q2,...Qd) received from the client by adding each element of the cipher segments (Q1,Q2,...Qd); and
authenticating the client based on a comparison between the first sum value and the second sum value, wherein the client is authenticated if the first sum value and the second sum value are equal.
4. The method as claimed in claim 1, wherein the method for determinant based authentication comprises:
generating a second random matrix N(dxd) by the server by uniformly selecting a plurality of elements from a predetermined set of elements;
computing a cipher matrix by the server based on the second random matrix and the ciphertext encrypted using the FHE;
swapping by the server, a random element from the cipher matrix with the encrypted resultant value E(RES) to obtain a swapped matrix N’;
computing by the server, a determinant for the swapped matrix Det(N’);
transmitting by the server to the client, the determinant of the swapped matrix Det(N’) and the encrypted resultant value E(RES);
receiving by the server, a decrypted resultant value D(RES) and the decrypted determinant of the swapped matrix Det(N’) decrypted by the client, wherein the decrypted resultant value D(RES) is obtained by the client by computing a determinant of the N', and wherein the N' comprises at least one element of random matrix N(dxd) swapped with the encrypted resultant value E(RES); and
authenticating the client by the server, based on a comparison between the received determinant Det(N') and the transmitted determinant, wherein the client is authenticated if the computed determinant and the transmitted determinant are equal.
5. The method as claimed in claim 1, wherein a plurality of biometric templates associated with a plurality of users are registered with the server by the client before initiating a transaction.
6. A system (100) comprising:
a client (102) and a server (104), wherein the server (104) comprises at least one memory (110) storing programmed instructions; one or more Input/Output (I/O) interfaces (118); and one or more hardware processors (108) of the server (104) operatively coupled to the at least one memory (110), wherein the one or more hardware processors (108) of the server (104) are configured by the programmed instructions to:
receive, by the server, a ciphertext from a client, wherein the ciphertext is computed by the client by encrypting a plaintext based on a Fully Homomorphic Encryption (FHE) using a public key (Pk) of the client, wherein the plaintext is a biometric information of a user;
compute by the server, a resultant value E(RES) of the ciphertext by utilizing a resultant value computation technique; and
authenticate the client by the server, based on the resultant value E(RES) by using at least one of a plurality of proof of decryption based authentication techniques, wherein the plurality of proof of decryption based authentication techniques comprises a commitment based authentication, a matrix based authentication and a determinant based authentication.
7. The system of claim 6, wherein the method for commitment based authentication comprises:
transmitting by the client, a commitment key (Ck) to the server before initiating a transaction, wherein the commitment key (Ck) is computed by the client based on a plurality of random variables, a modulus value and a hash value (Hkey) of a private key (K) of the client;
receiving by the client, the encrypted resultant value E(RES) and the commitment key (Ck) from the server;
simultaneously computing by the client, the hash value (Hkey) to obtain the corresponding private key (K) from a client database;
decrypting by the client, the encrypted resultant value E(RES) using the private key (K);
computing by the client, a proof of decryption value based on the ciphertext, the resultant value E(RES), the hash value (Hkey) and the private key (K), wherein the proof of decryption value is set to one if the plaintext decrypted from the encrypted resultant value E(RES) using the private key (K) and the plaintext are equal;
transmitting by the client, the decrypted resultant value D(RES) and the proof of decryption value to the server; and
receiving by the client, an authentication value from the server computed based on the E(RES) and the commitment key (Ck), wherein the authentication value is set to one if the plaintext decrypted from the encrypted resultant value E(RES) using the commitment key (Ck) is equal to the plaintext and the proof decryption value is set to one, and wherein the client is authenticated only if the authentication value is set to one.
8. The system of claim 6, wherein the method for matrix based authentication comprises:
segmenting by the server, the ciphertext E(RES) into a plurality of cipher segments (C1,C2,….Cd), wherein a count associated with the plurality of cipher segments is pre-configured by the server;
simultaneously generating by the server, a first random matrix M(dxd) based on a plurality of random elements, wherein the size of the first random matrix is pre-configured by the server;
computing by the server, a first matrix product (CS1,CS2,...,CSd) of the plurality of cipher segments by multiplying the first random matrix with the plurality of cipher segments (C1,C2,….Cd);
transmitting by the server to the client, the first matrix product (CS1,CS2,...,CSd) of the plurality of cipher segments (C1,C2,….Cd);
receiving by the server, a plurality of decrypted cipher segments corresponding to the ciphertext (Q1,Q2,...Qd) = D(CS1,CS2,...,CSd) decrypted by the client and the decrypted resultant value D(RES), wherein the client decrypts the cipher segments based on the private key of the client (K); and
authenticating the client by the server by:
segmenting the received decrypted resultant value D(RES) into a plurality of segments (T1,T2...Td);
computing a second matrix product (Z1,Z2...Zd)=(T1,T2...Td)* M;
computing a first sum value based on the second matrix product by adding each element of the matrix product;
computing a second sum value based on the cipher segments (Q1,Q2,...Qd) received from the client by adding each element of the cipher segments (Q1,Q2,...Qd); and
authenticating the client based on a comparison between the first sum value and the second sum value, wherein the client is authenticated if the first sum value and the second sum value are equal.
9. The system of claim 6, wherein the method for determinant based authentication comprises:
generating a second random matrix N(dxd) by the server by uniformly selecting a plurality of elements from a predetermined set of elements;
computing a cipher matrix by the server based on the second random matrix and the ciphertext encrypted using the FHE;
swapping by the server, a random element from the cipher matrix with the encrypted resultant value E(RES) to obtain a swapped matrix N’;
computing by the server, a determinant for the swapped matrix Det(N’);
transmitting by the server to the client, the determinant of the swapped matrix Det(N’) and the encrypted resultant value E(RES);
receiving by the server, a decrypted resultant value D(RES) and the decrypted determinant of the swapped matrix Det(N’) decrypted by the client, wherein the decrypted resultant value D(RES) is obtained by the client by computing a determinant of the N', and wherein the N' comprises at least one element of random matrix N(dxd) swapped with the encrypted resultant value E(RES); and
authenticating the client by the server, based on a comparison between the received determinant Det(N') and the transmitted determinant, wherein the client is authenticated if the computed determinant and the transmitted determinant are equal.
10. The system of claim 6, wherein a plurality of biometric templates associated with a plurality of users are registered with the server by the client before initiating a transaction.
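The matrix based authentication recited in the claims above (the server blinds the cipher segments with a random matrix, the client decrypts, and the server compares two sums) can be worked through as follows. This is an added example, not code from the specification or the applicant; it assumes Paillier as a stand-in for the FHE scheme (only additions and plaintext scalar multiples are needed here), one cipher segment per element of RES, the row-vector product (C1..Cd)·M, and a client that also holds E(RES). The primes, sample vector and all function names are constructed for illustration.

```python
import math
import secrets

# --- Toy Paillier (additively homomorphic). Constructed, insecure parameters. ---
P, Q_PRIME = 104729, 1299709            # small primes, demonstration only
N = P * Q_PRIME                         # public key Pk of the client
N2 = N * N
LAM = (P - 1) * (Q_PRIME - 1) // math.gcd(P - 1, Q_PRIME - 1)  # private key K
MU = pow(LAM, -1, N)                    # valid because the generator is N + 1


def encrypt(m):
    """E(m) under the client's public key."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) % N2 * pow(r, N, N2) % N2


def decrypt(c):
    """D(c) with the client's private key."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def random_matrix(d, bound=1 << 16):
    """Server: first random matrix M (d x d), entries drawn from [1, bound]."""
    return [[secrets.randbelow(bound) + 1 for _ in range(d)] for _ in range(d)]


def blind_segments(cipher_segments, m):
    """Server: CS_j = sum_i M[i][j] * C_i, computed on ciphertexts only.

    Homomorphic addition is multiplication mod N^2; multiplication by a
    plaintext scalar is exponentiation.
    """
    d = len(cipher_segments)
    blinded = []
    for j in range(d):
        acc = 1                          # 1 is a trivial encryption of 0
        for i in range(d):
            acc = acc * pow(cipher_segments[i], m[i][j], N2) % N2
        blinded.append(acc)
    return blinded


def client_respond(blinded, cipher_segments):
    """Client: Q = D(CS1..CSd) and D(RES), both obtained with the private key."""
    q = [decrypt(c) for c in blinded]
    d_res = [decrypt(c) for c in cipher_segments]
    return q, d_res


def server_verify(q, d_res, m):
    """Server: Z = T * M in plaintext, then compare sum(Z) with sum(Q)."""
    d = len(d_res)
    z = [sum(d_res[i] * m[i][j] for i in range(d)) for j in range(d)]
    return sum(z) % N == sum(q) % N


def run_session(res, inconsistent=False):
    """One round over a constructed plaintext vector RES.

    With inconsistent=True the reported D(RES) differs in one element from
    what the ciphertext decrypts to, so the two sums no longer agree.
    """
    e_res = [encrypt(v) for v in res]    # E(RES) as held by the server
    m = random_matrix(len(res))
    blinded = blind_segments(e_res, m)
    q, d_res = client_respond(blinded, e_res)
    if inconsistent:
        d_res = [d_res[0] + 1] + d_res[1:]
    return server_verify(q, d_res, m)


if __name__ == "__main__":
    print("honest client accepted:", run_session([1, 1, 1, 1]))
    print("inconsistent D(RES) accepted:", run_session([1, 1, 1, 1], True))
```

The claimed check compares only the two sums; under the conventions assumed here Q and Z are equal element by element, so an element-wise comparison of the same data is the stricter test.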
Description:

FORM 2

THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003

COMPLETE SPECIFICATION
(See Section 10 and Rule 13)

Title of invention:
METHOD AND SYSTEM FOR PROOF OF DECRYPTION BASED BIOMETRIC AUTHENTICATION

Applicant:
Tata Consultancy Services Limited
A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th Floor,
Nariman Point, Mumbai 400021,
Maharashtra, India

The following specification particularly describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD
The disclosure herein generally relates to the field of cryptography and, more particularly, to a method and system for proof of decryption based biometric authentication.
BACKGROUND
Authentication is a key requirement in any information system. Password based authentication methods are less efficient because of password based attacks. Hence, alternative authentication methods such as multi-factor authentication are needed in the present scenario. Multi-factor authentication includes biometric features such as face, iris and fingerprint. Because biometric features are unique and not easily lost, they are widely used for authentication purposes.
Conventional methods of authentication include a trusted third-party authentication server. The trusted third-party server stores biometric templates of users, which are matched against the biometric information provided by the users during the authentication process. The trusted third-party server-based authentication system is less efficient, since compromise of the trusted third-party server leads to loss of authentication data and to security vulnerability. Further, conventional authentication systems use single-layer authentication checking, which may lead to security vulnerability. Hence, it is challenging to authenticate users without using the trusted third-party authentication server and with more than one layer of authentication checking.
SUMMARY
Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one embodiment, a method for proof of decryption based biometric authentication is provided. The method includes receiving, by one or more hardware processors of a server, a ciphertext from a client, wherein the ciphertext is computed by the client by encrypting a plaintext based on a Fully Homomorphic Encryption (FHE) using a public key (Pk) of the client, wherein the plaintext is a biometric information of a user. Further, the method includes computing, by the one or more hardware processors of the server, a resultant value E(RES) of the ciphertext by utilizing a resultant value computation technique. Finally, the method includes authenticating the client by the one or more hardware processors of the server, based on the resultant value E(RES) by using at least one of a plurality of proof of decryption based authentication techniques, wherein the plurality of proof of decryption based authentication techniques includes a commitment based authentication, a matrix based authentication and a determinant based authentication.
In another aspect, a system for proof of decryption based biometric authentication is provided. The system includes at least one memory storing programmed instructions, one or more Input /Output (I/O) interfaces, and one or more hardware processors operatively coupled to the at least one memory, wherein the one or more hardware processors of a server are configured by the programmed instructions to receive a ciphertext from a client, wherein the ciphertext is computed by the client by encrypting a plaintext based on a Fully Homomorphic Encryption (FHE) using a public key (Pk) of the client, wherein the plaintext is a biometric information of a user. Further, the one or more hardware processors of the server are configured by the programmed instructions to compute a resultant value E(RES) of the ciphertext by utilizing a resultant value computation technique. Finally, the one or more hardware processors of the server are configured by the programmed instructions to authenticate the client, based on the resultant value E(RES) by using at least one of a plurality of proof of decryption based authentication techniques, wherein the plurality of proof of decryption based authentication techniques includes a commitment based authentication, a matrix based authentication and a determinant based authentication.
In yet another aspect, a computer program product including a non-transitory computer-readable medium having embodied therein a computer program for proof of decryption based biometric authentication is provided. The computer readable program, when executed on a computing device (server), causes the server to receive a ciphertext from a client, wherein the ciphertext is computed by the client by encrypting a plaintext based on a Fully Homomorphic Encryption (FHE) using a public key (Pk) of the client, wherein the plaintext is a biometric information of a user. Further, the computer readable program, when executed on a computing device (server), causes the server to compute a resultant value E(RES) of the ciphertext by utilizing a resultant value computation technique. Finally, the computer readable program, when executed on a computing device (server), causes the server to authenticate the client, based on the resultant value E(RES) by using at least one of a plurality of proof of decryption based authentication techniques, wherein the plurality of proof of decryption based authentication techniques includes a commitment based authentication, a matrix based authentication and a determinant based authentication.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
FIG. 1A is a functional block diagram of a system for proof of decryption based biometric authentication, according to some embodiments of the present disclosure.
FIG. 1B is a functional block diagram of a computing device associated with the system of FIG. 1A, according to some embodiments of the present disclosure.
FIG. 2 is an exemplary flow diagram for a processor implemented method for proof of decryption based biometric authentication, implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure.
FIG. 3 is an exemplary flow diagram for a processor implemented method for the commitment based authentication, implemented by the system of FIG. 1 according to some embodiments of the present disclosure.
FIG. 4 is an exemplary flow diagram for a processor implemented method for the matrix based authentication, implemented by the system of FIG. 1 according to some embodiments of the present disclosure.
FIG. 5 is an exemplary flow diagram for a processor implemented method for the determinant based authentication, implemented by the system of FIG. 1 according to some embodiments of the present disclosure.
FIGS. 6A, 6B, 6C and 6D illustrate swim lane diagrams associated with the method for proof of decryption based biometric authentication, implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure.

DETAILED DESCRIPTION OF EMBODIMENTS
Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments. It is intended that the following detailed description be considered as exemplary only, with the true scope being indicated by the following claims.
Embodiments herein provide a method and system for proof of decryption based biometric authentication. The method and system provide a three tier authentication system between a client and a server in the absence of a trusted third-party server. Initially, a plurality of clients register with the server using a plurality of biometric templates which are encrypted using Fully Homomorphic Encryption (FHE). Whenever a user tries to log in to a client, the client transmits the biometric information of the user in an FHE encrypted format. The server receives the FHE encrypted biometric information and compares it with the stored template. If it matches the stored template, the server computes a resultant value of the FHE encrypted biometric information and authenticates the client based on the resultant value using at least one of a plurality of proof of decryption based authentication techniques. The plurality of proof of decryption based authentication techniques includes a commitment based authentication, a matrix based authentication and a determinant based authentication. In an embodiment, the authentication process is performed as a three tier authentication technique, wherein if the client satisfies the commitment based authentication, then the client is authenticated using the matrix based authentication technique. When the client satisfies the commitment based authentication and the matrix based authentication, the client is authenticated using the determinant based authentication. The number of authentication techniques is chosen based on the level of security required for a system.
Referring now to the drawings, and more particularly to FIGS. 1A through 6D, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
FIG. 1A is a functional block diagram of a system 100 for Privacy preserving multifactor biometric authentication, according to some embodiments of the present disclosure. The system 100 includes a client 102, a server 104 and a network 106. The client 102 and the server 104 are connected by the network 106.
In an embodiment, the network 106 can be a wireless or a wired network, or a combination thereof. In an example, the network 106 can be implemented as a computer network, as one of the different types of networks, such as virtual private network (VPN), intranet, local area network (LAN), wide area network (WAN), the internet, and such. The network 106 may either be a dedicated network or a shared network, which represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), and Wireless Application Protocol (WAP), to communicate with each other. Further, the network 106 may include a variety of network devices, including routers, bridges, servers, computing devices, storage devices. The network devices within the network 106 may interact with the system 102 through communication links.
In an embodiment, the client 102 and the server 104 may be implemented in a computing device as shown in FIG. 1B. The client 102 can be a hand-held device, a laptop or other portable computer, a tablet computer, a mobile phone, a PDA, a smartphone, and a desktop computer. The client 102 and the server 104 may also be implemented in a workstation, a mainframe computer, a server, and a network server. The client 102 is connected with one or more biometric devices (not shown in FIG. 1A) including a fingerprint device, palmprint device, face recognition device and an iris recognition device through a wired or a wireless network 106.
FIG. 1B is a functional block diagram of a computing device 107 associated with the system of FIG. 1A implementing the server 104, according to some embodiments of the present disclosure. The computing device 107 is otherwise in communication with hardware processors 108, at least one memory such as a memory 110, an I/O interface 118. The hardware processors 108, memory 110, and the Input /Output (I/O) interface 118 may be coupled by a system bus such as a system bus 116 or a similar mechanism. In an embodiment, the hardware processors 108 can be one or more hardware processors.
The I/O interface 118 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like. The I/O interface 118 may also include interfaces for peripheral device(s), such as a keyboard, a mouse, an external memory, a printer and the like. Further, the interface 118 may enable the server 104 to communicate with other devices, such as the client 102 via the network 106, web servers and external databases and the like.
The I/O interface 118 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, local area network (LAN), cable, etc., and wireless networks, such as Wireless LAN (WLAN), cellular, or satellite. For the purpose, the I/O interface 118 may include one or more ports for connecting a number of computing systems with one another or to another server computer. The I/O interface 118 may include one or more ports for connecting a number of devices to one another or to another server.
The one or more hardware processors 108 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the one or more hardware processors 108 is configured to fetch and execute computer-readable instructions stored in the memory 110.
The memory 110 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, the memory 110 includes a plurality of modules 112. The memory 110 also includes a data repository 114 for storing data processed, received, and generated by the plurality of modules 112.
The plurality of modules 112 include programs or coded instructions that supplement applications or functions performed by the server 104 for privacy preserving multifactor biometric authentication. The plurality of modules 112, amongst other things, can include routines, programs, objects, components, and data structures, which perform particular tasks or implement particular abstract data types. The plurality of modules 112 may also be used as signal processor(s), state machine(s), logic circuitries, and/or any other device or component that manipulates signals based on operational instructions. Further, the plurality of modules 112 can be used by hardware, by computer-readable instructions executed by the one or more hardware processors 108, or by a combination thereof. The plurality of modules 112 can include various sub-modules (not shown). The plurality of modules 112 may include computer-readable instructions that supplement applications or functions performed by the system 100 for proof of decryption based biometric authentication.
The data repository 114 may include a plurality of abstracted pieces of code for refinement and data that is processed, received, or generated as a result of the execution of the plurality of modules in the module(s) 112. The data repository may also include biometric templates and biometric information associated with a plurality of users.
Although the data repository 114 is shown internal to the system 100, it will be noted that, in alternate embodiments, the data repository 114 can also be implemented external to the system 100, where the data repository 114 may be stored within a database (not shown in FIG. 1) communicatively coupled to the system 100. The data contained within such external database may be periodically updated. For example, new data may be added into the database (not shown in FIG. 1) and/or existing data may be modified and/or non-useful data may be deleted from the database (not shown in FIG. 1). In one example, the data may be stored in an external system, such as a Lightweight Directory Access Protocol (LDAP) directory and a Relational Database Management System (RDBMS).
As understood by a person of ordinary skill in the art, the client 102 has functional components similar to the functional components of the server 104 as depicted by computing device 107 in FIG. 2, which are not repeated herein for brevity. The components perform functions in accordance with instructions stored in a memory block of the client device, enabling the client device to communicate with the server 104.
FIG. 2 is an exemplary flow diagram for a processor implemented method for proof of decryption based biometric authentication implemented by the system of FIG. 1 according to some embodiments of the present disclosure. In an embodiment, the computing device 107, implementing the server 104, comprises one or more data storage devices or the memory 110 operatively coupled to the one or more hardware processor(s) 108 and is configured to store instructions for execution of steps of the method 200 by the one or more hardware processors 108. The steps of the method 200 of the present disclosure will now be explained with reference to the components or blocks of the system 107 as depicted in FIG. 1B and the steps of flow diagram as depicted in FIG. 2, FIG. 3, FIG. 4 and FIG. 5. The method 200 may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types. The method 200 may also be practiced in a distributed computing environment where functions are performed by remote processing devices that are linked through a communication network. The order in which the method 200 is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method 200, or an alternative method. Furthermore, the method 200 can be implemented in any suitable hardware, software, firmware, or combination thereof.
At step 202 of the method 200, the one or more hardware processors 108 of the server receive a ciphertext from a client. The ciphertext is computed by the client by encrypting a plaintext based on a Fully Homomorphic Encryption (FHE) using a public key (Pk) of the client. The plaintext is a plurality of biometric templates associated with a user. The plurality of biometric templates associated with the plurality of users are registered with the server by the client before initiating transaction. For example, the server receives the ciphertext E(B=[1,1,1,1]) from the client.
At step 204 of the method 200, the one or more hardware processors 108 of the server, compute a resultant value E(RES) of the ciphertext by utilizing a resultant value computation technique.
In an embodiment, the RES is computed by computing inner product of two vectors. Consider vectors B=[1,1,1,1] and T=[2,2,2,2]. Score RES = B*T where ‘*’ is the inner product operation. For example,
RES = [1,1,1,1]*[2,2,2,2]
RES = [1*2+1*2+1*2+1*2]
RES = [2+2+2+2]
RES = 8
The server retrieves the encrypted template E(T=[2,2,2,2]) registered by the corresponding client before the transaction and computes a score between the received template and the stored templates, wherein the stored templates are the plurality of biometric templates of the plurality of users associated with the client. The plurality of biometric templates are registered in the server by the client before initiating a transaction with the server. For example, let the score be 8, i.e., E(RES) = E(8). The server transmits the E(8) to the client.
At step 206 of the method 200, the one or more hardware processors 108 of the server authenticate the client based on the resultant value E(RES) by using at least one of a plurality of proof of decryption based authentication techniques. The plurality of proof of decryption based authentication techniques includes a commitment based authentication, a matrix based authentication and a determinant based authentication.
FIG. 3 is an exemplary flow diagram for a processor implemented method for the commitment based authentication implemented by the system of FIG. 1 according to some embodiments of the present disclosure.
At step 302 of the method 300, the one or more hardware processors 108 of the client transmit, a commitment key (Ck) to the server before initiating a transaction. The commitment key (Ck) is computed by the client based on a plurality of random variables, a modulus value, and a hash value (Hkey) of a private key (K) of the client.
At step 304 of the method 300, the one or more hardware processors 108 of the client receive the encrypted resultant value E(RES) and the commitment key (Ck) from the server.
At step 306 of the method 300, the one or more hardware processors 108 of the client simultaneously compute the hash value (Hkey) to obtain the corresponding private key (K) from a database comprised in the client.
At step 308 of the method 300, the one or more hardware processors 108 of the client decrypt the encrypted resultant value E(RES) using the private key (K). For example, the client decrypts the RES = 8 using the private key (Key) and generates a proof of decryption.
At step 310 of the method 300, the one or more hardware processors 108 of the client compute a proof of decryption value for the generated proof of decryption based on the ciphertext, the resultant value E(RES), the hash value (Hkey) and the private key (K), wherein the proof of decryption value is set to one only if the plaintext decrypted from the encrypted resultant value E(RES) using the private key (K) and the plaintext are equal.
At step 312 of the method 300, the one or more hardware processors 108 of the client transmit the decrypted resultant value D(RES) and the proof of decryption value to the server.
At step 314 of the method 300, the one or more hardware processors 108 of the client receive an authentication value from the server, computed based on the E(RES) and the commitment key (Ck). The authentication value is set to one only if the plaintext decrypted from the encrypted resultant value E(RES) using the commitment key (Ck) is equal to the plaintext and the proof of decryption value is set to one. The client is authenticated only if the authentication value is set to one. For example, the server computes the plaintext from the E(8) using the commitment key (Ck). The authentication value is set to one when the plaintext obtained from the E(8) using the commitment key (Ck) is equal to the plaintext and when the proof of decryption value is also set to one.
FIG. 4 is an exemplary flow diagram for a processor implemented method for the matrix based authentication implemented by the system of FIG. 1 according to some embodiments of the present disclosure.
At step 402 of the method 400, the one or more hardware processors 108 of the server segment the ciphertext E(RES) into a plurality of cipher segments (C1,C2,…,Cd), wherein a count associated with the plurality of cipher segments is pre-configured by the server. For example, the E(8) is segmented into E(5) and E(3).
At step 404 of the method 400, the one or more hardware processors 108 of the server simultaneously generate a first random matrix M(dxd) based on a plurality of random elements. The size of the first random matrix is pre-configured by the server. For example, the first random matrix is $M = \begin{bmatrix} 1 & 1 \\ 2 & 3 \end{bmatrix}$.
At step 406 of the method 400, the one or more hardware processors 108 of the server compute a matrix product (CS1,CS2,...,CSd) of the plurality of cipher segments by multiplying the first random matrix M with the plurality of cipher segments (C1,C2,…,Cd). For example, $\begin{bmatrix} E(5) & E(3) \end{bmatrix} \cdot \begin{bmatrix} 1 & 1 \\ 2 & 3 \end{bmatrix} = \begin{bmatrix} E(11) & E(14) \end{bmatrix}$.
At step 408 of the method 400, the one or more hardware processors 108 of the server transmit to the client, the matrix product (CS1,CS2,...,CSd) of the plurality of cipher segments (C1,C2,…,Cd). For example, the server transmits the $\begin{bmatrix} E(11) & E(14) \end{bmatrix}$ and the E(8) to the client.
At step 410 of the method 400, the one or more hardware processors 108 of the server receive a plurality of decrypted cipher segments corresponding to the ciphertext (Q1,Q2,...Qd) = D(CS1,CS2,...,CSd) decrypted by the client and the decrypted resultant value D(RES), wherein the client decrypts the cipher segments based on the secret key of the client (K). For example, the client decrypts the $\begin{bmatrix} E(11) & E(14) \end{bmatrix}$ and the E(8).
At step 412 of the method 400, the one or more hardware processors 108 of the server authenticate the client by: (i) segmenting the received D(RES) into a plurality of segments (T1,T2,...,Td) (ii) computing a second matrix product (Z1,Z2,...,Zd)=(T1,T2,...,Td)* M (iii) computing a first sum value based on the second matrix product by adding each element of the second matrix product (iv) computing a second sum value based on the cipher segments (Q1,Q2,...,Qd) received from the client by adding each element of the plurality of cipher segments (Q1,Q2,...,Qd) and (v) authenticating the client based on a comparison between the first sum value and the second sum value, wherein the client is authenticated only if the first sum value and the second sum value are equal.
For example, the server segments E(8) into [T1,T2] = [5,3] and computes the second matrix product (Z1,Z2,...,Zd) = (T1,T2,...,Td) * M, which is $[5,3] \cdot \begin{bmatrix} 1 & 1 \\ 2 & 3 \end{bmatrix} = [11,14]$. The first sum value is 11+14 = 25 and the second sum value is the sum of decrypted segments, which is 11+14 = 25. Since the first sum value and the second sum value are equal, the client is authenticated.
FIG. 5 is an exemplary flow diagram for a processor implemented method for the determinant based authentication implemented by the system of FIG. 1 according to some embodiments of the present disclosure.
At step 512 of the method 500, the one or more hardware processors 108 of the server generate a random matrix N(dxd) by uniformly selecting a plurality of elements from a set of elements. For example, the second random matrix can be $\begin{bmatrix} 1 & 1 \\ 2 & 3 \end{bmatrix}$.
At step 512 of the method 500, the one or more hardware processors 108 of the server compute a cipher matrix based on the second random matrix and the ciphertext encrypted using the FHE.
At step 512 of the method 500, the one or more hardware processors 108 of the server swap a random element from the cipher matrix with the encrypted resultant value E(RES) to obtain a swapped matrix N’. For example, the swapped matrix $N' = \begin{bmatrix} E(8) & 1 \\ 2 & 3 \end{bmatrix}$.
At step 512 of the method 500, the one or more hardware processors 108 of the server compute a determinant for the swapped matrix Det(N’). For example Det(N’)= E(8)x3 – 1x2= E(24)-2= E(22).
At step 512 of the method 500, the one or more hardware processors 108 of the server transmit to the client, the determinant of the swapped matrix Det(N’) and the encrypted resultant value E(RES).
At step 512 of the method 500, the one or more hardware processors 108 of the server receive the decrypted resultant value D(RES) and the decrypted determinant of the swapped matrix Det(N’) decrypted by the client, wherein the decrypted resultant value D(RES) is obtained by the client by computing a determinant of the N', wherein the N' includes at least one element of random matrix N(dxd) swapped with the encrypted resultant value E(RES). For example, the client decrypts D(RES) and the Det(N’) as 8 and 22 using the secret key and transmits to the server.
At step 512 of the method 500, the one or more hardware processors 108 of the server authenticate the client by the server, based on a comparison between the received determinant Det(N') and the transmitted determinant, wherein the client is authenticated if the computed determinant and the transmitted determinant are equal. Here the received determinant value is 22 and the determinant of the swapped matrix of the server Det(N')=22. Since both are equal, the client is authenticated.
FIGS. 6A, 6B, 6C and 6D illustrate swim lane diagrams associated with the method for proof of decryption based biometric authentication, implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure.
FIG. 6A illustrates the swim lane diagram of the overall method for proof of decryption based biometric authentication, implemented by the system 100 of FIG. 1, in accordance with some embodiments of the present disclosure. Now referring to FIG. 6A, the client 102 gathers biometric templates from a plurality of users before initiating the transaction. Further, the client 102 encrypts the gathered biometric templates using a Fully Homomorphic Encryption (FHE) technique. In FHE based techniques, calculation is performed on the encrypted data without decrypting it. Hence the result of a computation is in encrypted form. Here the output of the calculation performed on the encrypted data is similar to the output of the calculation performed on the unencrypted data. The client 102 transmits the FHE encrypted biometric templates to the server 104 and completes the registration process. The server 104 receives the FHE encrypted biometric templates from the client 102 and stores them in a server database. Whenever a user logs in to the client 102 using biometric information, the client 102 sends the biometric information of the user to the server 104. The server 104 computes a resultant value E(RES) for the received biometric information when it matches with at least one of the plurality of biometric templates stored in the database of the server 104. Further, the server 104 computes an authentication value for the server based on the E(RES) using at least one of the plurality of proof of encryption based authentication techniques. The plurality of proof of encryption based authentication techniques includes a commitment based authentication, a matrix based authentication and a determinant based authentication.
FIG. 6B illustrates the swim lane diagram of the commitment based authentication method, implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure. Now referring to FIG. 6B, the client 102 computes a commitment key (Ck) and transmits it to the server 104 before initiating a transaction. The commitment key (Ck) is computed by the client based on a plurality of random variables, a modulus value, and a hash value (Hkey) of a private key (K) of the client. The server 104 receives the commitment key (Ck) and transmits E(RES) and the commitment key (Ck) to the client 102. The client 102 receives the E(RES) and the commitment key (Ck) from the server 104. The client 102 simultaneously computes the hash value (Hkey) to obtain the corresponding private key (K) from the client database. The client 102 decrypts the encrypted resultant value E(RES) using the private key (K). Further, the client 102 computes a proof of decryption value based on the ciphertext, the resultant value E(RES), the hash value (Hkey) and the private key (K). The proof of decryption value is set to one only if the plaintext decrypted from the encrypted resultant value E(RES) using the private key (K) and the plaintext are equal. The client 102 further transmits the decrypted resultant value D(RES) and the proof of decryption value to the server. The server 104 computes the authentication value based on the E(RES) and the commitment key (Ck). The authentication value is set to one only if the plaintext decrypted from the encrypted resultant value E(RES) using the commitment key (Ck) is equal to the plaintext and the proof of decryption value is set to one. The client is authenticated only if the authentication value is set to one.
FIG. 6C illustrates the swim lane diagram of the matrix based authentication method, implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure. Now referring to FIG. 6C, the server 104 segments the ciphertext E(RES) into a plurality of cipher segments (C1,C2,…,Cd). The count associated with the plurality of cipher segments is pre-configured by the server. Simultaneously the server 104 generates a first random matrix M(dxd) based on a plurality of random elements. The size of the first random matrix is pre-configured by the server. Further the server 104 computes a first matrix product (CS1,CS2,...,CSd) of the plurality of cipher segments by multiplying the first random matrix with the plurality of cipher segments (C1,C2,…,Cd) and transmits the first matrix product (CS1,CS2,...,CSd) of the plurality of cipher segments (C1,C2,…,Cd) and the ciphertext E(RES) to the client 102. The client 102 receives the first matrix product (CS1,CS2,...,CSd) and the ciphertext E(RES). Further the client 102 decrypts the first matrix product (CS1,CS2,...,CSd) and the ciphertext E(RES) and transmits the decrypted cipher segments and decrypted resultant value D(RES) to the server 104. The client 102 decrypts the cipher segments based on the secret key of the client (K). The server 104 receives the plurality of decrypted cipher segments corresponding to the ciphertext (Q1,Q2,...,Qd) = D(CS1,CS2,...,CSd) decrypted by the client and the decrypted resultant value D(RES). The server 104 authenticates the client by performing the following steps: (i) segmenting the received D(RES) into a plurality of segments (T1,T2,...,Td) (ii) computing a second matrix product (Z1,Z2,...,Zd)=(T1,T2,...,Td)* M (iii) computing a first sum value based on the second matrix product by adding each element of the second matrix product (iv) computing a second sum value based on the cipher segments (Q1,Q2,...,Qd) received from the client by adding each element of the plurality of cipher segments (Q1,Q2,...,Qd) and (v) authenticating the client based on a comparison between the first sum value and the second sum value, wherein the client is authenticated only if the first sum value and the second sum value are equal.
FIG. 6D illustrates the swim lane diagram of the determinant based authentication method, implemented by the system of FIG. 1, in accordance with some embodiments of the present disclosure. Now referring to FIG. 6D, the server 104 generates the second random matrix N(dxd) by uniformly selecting a plurality of elements from the set of elements. Further, the server 104 swaps a random element from the second random matrix with the encrypted resultant value E(RES) to obtain a swapped matrix N’. Further the server 104 computes the determinant for the swapped matrix Det(N’) and transmits it to the client along with the encrypted resultant value E(RES). The client 102 receives and decrypts the determinant for the swapped matrix Det(N’) and the encrypted resultant value E(RES) and transmits them to the server 104. The decrypted resultant value D(RES) is obtained by the client by computing a determinant of the N'. The N' comprises at least one element of random matrix N(dxd) swapped with the encrypted resultant value E(RES). The server 104 receives the decrypted resultant value D(RES) and the decrypted determinant of the swapped matrix Det(N’) decrypted by the client. Further, the server 104 authenticates the client 102 based on the comparison between the received determinant Det(N') and the transmitted determinant. The client 102 is authenticated only if the computed determinant and the transmitted determinant are equal.
Further, the one or more processors of the server 104 are configured to receive a ciphertext from the client. The ciphertext is computed by the client by encrypting a plurality of biometric templates based on a FHE using a public key (Pk) of the client.
Further, the one or more processors of the server 104 are configured to compute a resultant value E(RES) of the ciphertext by utilizing a resultant value computation technique.
Further, the one or more processors of the server 104 are configured to authenticate the client based on the resultant value E(RES) by using at least one of a plurality of proof of decryption based authentication techniques. The plurality of proof of decryption based authentication techniques includes the commitment based authentication, the matrix based authentication and the determinant based authentication.
In an embodiment, the method 200 of the present disclosure is executed based on the below mentioned Pseudocode 1:
CLIENT encrypts its biometric data D using a FHE-ENC scheme and sends E(D) to SERVER.
SERVER computes on E (D) and obtains output RES in the encrypted form as C1 = E(RES)
SERVER invokes Pseudocode 2 and if it returns TRUE then CONTINUE, else ABORT.
SERVER invokes Pseudocode 3 and if it returns TRUE then CONTINUE, else ABORT.
SERVER invokes Pseudocode 4 and if it returns TRUE then accept C1 as correct decryption, else reject.
For example, the pseudocode for the commitment based authentication is explained using the Pseudocode 2:
Pseudocode 2: Commitment based authentication
CLIENT sends CKey = Commitment(HKey) to the SERVER, where HKey = Hash(Key) before authentication begins.
The SERVER sends E(RES) encrypted using FHE and CKey given previously by the CLIENT.
CLIENT decommits CKey, obtains the hash value HKey that was committed upon, uses it as a key to obtain the corresponding data item (Key) stored in the database.
CLIENT computes the decryption of D(RES) using Key and generates proof of decryption PROOF using VC. The decryption function using VC is as follows:
int Decrypt(ctxt, E(RES), hash HKey)
{
    // Look up the private key (Key) stored under the committed hash value HKey
    int sk = getdata(HKey);
    // Decrypt the encrypted resultant value with that key
    ptxt = D(E(RES), sk);
    return ptxt;
}
CLIENT sends RES to the SERVER along with the corresponding PROOF.
Return TRUE if the value of Key used in the computation matches with HKey that the CLIENT initially commits to.
Return FALSE if the verification fails, denoting that the key Key was either modified or an incorrect computation was run.
In an embodiment, the constraints of the above commitment based authentication are represented as polynomials called as Quadratic Arithmetic Polynomial (QAP). These are generated using the input and output variables of each instruction in the program. When the decryption program is run by the client, the values generated by the polynomials due to input values is stored as PROOF. These PROOF values are used by the server to verify the QAP.
For example, a commitment scheme is a two-party prover-verifier game wherein the prover commits to its input values as commitments. Let ‘m’ be a message and Commit(m,CKey) = (c,d), where CKey is the commitment key, the value c acts as the commit value and d acts as the open value. The prover sends a set of (c,d) to the verifier. Now the verifier chooses one pair among the lot and verifies it as Open(CKey,c,d) = m'. The verifier can be sure the commitment is correct if m == m'. A sample commitment scheme is presented below:
Commit(m) = (c,(r,m)), where r is a random value and c is the commitment, computed as c = (g^r y^m) mod p. Here g and y are random variables and p is the modulus.
Open(c,(r,m)) = m', where m' = m if c was computed as c = (g^r y^m) mod p; otherwise m' is a random value.
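The sample scheme above, wired into the first three steps of Pseudocode 2, as an added example that is not code from the specification. The modulus, the bases g and y, the class and function names and the key bytes are assumptions constructed for illustration; Open returns None on a mismatch instead of a random value, and the PROOF/verifiable-computation step is not modelled.

```python
import hashlib
import secrets

# Constructed demo parameters: 2**127 - 1 is prime but far too small and too
# structured for real use; G and Y are fixed here purely for illustration.
P = 2**127 - 1
G, Y = 3, 7

def hkey(key: bytes) -> int:
    """HKey = Hash(Key), reduced so it can serve as the committed message m."""
    return int.from_bytes(hashlib.sha256(key).digest(), "big") % (P - 1)

def commit(m: int):
    """Commit(m) = (c, (r, m)) with c = (g^r * y^m) mod p."""
    r = secrets.randbelow(P - 1)
    c = pow(G, r, P) * pow(Y, m, P) % P
    return c, (r, m)

def open_commitment(c: int, opening):
    """Open(c, (r, m)): return m if c re-computes from (r, m), else None."""
    r, m = opening
    return m if c == pow(G, r, P) * pow(Y, m, P) % P else None

class Client:
    """Hypothetical client state for Pseudocode 2."""
    def __init__(self, key: bytes):
        self.db = {hkey(key): key}                    # HKey -> Key lookup table
        self.ckey, self.opening = commit(hkey(key))   # CKey sent to SERVER

    def recover_key(self, ckey_from_server: int):
        """Decommit the CKey echoed by SERVER and fetch the matching Key."""
        m = open_commitment(ckey_from_server, self.opening)
        return None if m is None else self.db.get(m)

if __name__ == "__main__":
    client = Client(b"constructed-private-key")
    print(client.recover_key(client.ckey))            # the stored key
    print(client.recover_key(client.ckey * Y % P))    # None: CKey was altered
```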
In an embodiment, the pseudocode for the matrix based authentication is explained using the Pseudocode 3:
Pseudocode 3: Matrix based authentication
SERVER partitions $C_1$ into $C_1^1, \dots, C_1^d$ such that $C_1^1 + \dots + C_1^d = C_1$.
SERVER randomly chooses $d^2$ elements $a_{ij} \in F$ and computes $A_{ij} = E(a_{ij})$. Then SERVER constructs the $d \times d$ matrix $M = [A_{ij}]$.
SERVER computes (CS1, CS2, ..., CSd) $= (C_1^1, \dots, C_1^d) \cdot M$.
SERVER sends $C_1$ and CS1, CS2, ..., CSd to CLIENT.
CLIENT computes decryptions $P_1 = D(C_1)$, and also $Q_1 = D(C_2^1), \dots, Q_d = D(C_2^d)$.
CLIENT sends $P_1$ and $(Q_1, \dots, Q_d)$ to SERVER.
SERVER partitions $P_1$ into $(T_1, \dots, T_d)$ such that $T_i = D(C_1^i)$.
SERVER computes $(Z_1, \dots, Z_d) = (T_1, \dots, T_d) \cdot N$, where $N = [a_{ij}]$ is a $d \times d$ matrix.
SERVER verifies $Z_1 + \dots + Z_d = Q_1 + \dots + Q_d$ and if correct then returns TRUE, else returns FALSE.
In an embodiment, the method of proof of correctness is explained below:
D(CS1, CS2, ..., CSd) $= D\{(C_1^1, \dots, C_1^d) \cdot M\}$
$= D(C_1^1, \dots, C_1^d) \, D(M)$
$= (D(C_1^1), \dots, D(C_1^d)) \, [D(A_{ij})]$
$= (Q_1, \dots, Q_d) \cdot N = (T_1, \dots, T_d)$
In an embodiment, let $\#F = O(2^{\lambda})$ for some $\lambda > 0$. In order to cheat, an attacker (malicious CLIENT) will have to construct $P_1'$ and $Q_1', \dots, Q_d'$ such that
$(T_1', \dots, T_d') = (Q_1', \dots, Q_d')$ and $T_1' + \dots + T_d' = P_1'$ (1)
In an embodiment, $P_1'$ and $Q_1', \dots, Q_d'$ correspond to an outcome of the authentication protocol that is more acceptable to the client than the original outcome $P_1$. The client knows only $P_1'$ and $Q_1', \dots, Q_d'$ and has no knowledge of the matrix $N$ except that it is a random $d \times d$ matrix with elements from $F$. The client can fix $P_1'$, then choose $Q_1', \dots, Q_d'$ and define a matrix $N'$ randomly over $F$ satisfying equation 1. Since the elements of the matrix $N'$ are chosen uniformly from $F$, the total number of possible choices for $N'$ is $O(2^{\lambda})^{d^2} = O(2^{\lambda d^2})$, wherein $\#F$ is the order of field $F$. Thus, the probability that an attacker can succeed is:
$\frac{1}{2^{\lambda d^2}}$ (2)
which is negligible for suitably chosen values of $\lambda$ and $d$.
In another example, let $\lambda = 32$. Choose a 32 bit prime p, then $\#F = O(2^{32})$. Fix d = 2; then the attacker needs to “guess” a 2×2 matrix consisting of 4 elements. Hence the probability of success for an attacker is $1/2^{32 \cdot 4} = 1/2^{128}$, which is negligible.
In an embodiment, the pseudocode for the determinant based authentication is explained using the Pseudocode 4:
Pseudocode 4: Determinant based authentication
SERVER constructs a $d \times d$ matrix $N$ with elements $a_{i,j}$ chosen uniformly from $F$.
SERVER computes $A_{i,j} = E(a_{i,j})$. Then picks one element $A_{l,t}$ randomly and replaces it with RES.
SERVER constructs the $d \times d$ matrix $\hat{N} = [A_{i,j}]$, where $A_{l,t} = RES$. [SERVER keeps $N$ and hence $\hat{N}$ as secret.]
SERVER computes $DET = \det(\hat{N})$.
SERVER sends $C_1$ and DET to CLIENT.
CLIENT computes decryptions $P_1 = D(C_1)$, and $d = D(DET)$.
CLIENT sends $P_1$ and $d$ to SERVER.
SERVER verifies $d = \det(N)$ with $a_{l,t} = P_1$ and if correct then returns TRUE, else returns FALSE.
In an embodiment, the proof of correctness is explained below: The value of $DET = \det(\hat{N})$ and hence
$D(DET) = D(\det(\hat{N}))$ (3)
Here, the determinant of a matrix is a polynomial function in terms of elements of the matrix. Hence (3) implies that
$D(\det(\hat{N})) = \det(D(\hat{N})) = \det(N)$
Thus, if the encryption and decryption functions associated with the FHE encryption/decryption are error free then the server will be able to obtain correct output.
In an embodiment, let $\#F = O(2^{\lambda})$ for some $\lambda > 0$. In order to cheat, an attacker (malicious CLIENT) will have to construct $P_1'$ and $d'$ such that
$\det(M) = d'$ where $A_{i,j} = P_1'$ (Step 10 of pseudocode 3) (4)
The client knows only $P_1, d$ and has no knowledge of elements of the matrix $N$ except that it is a random $d \times d$ matrix with elements from $F$, and that one of the elements is $P_1$. To succeed, he will have to guess:
1. $d^2 - 1$ elements of $N$
2. The exact position, i.e., the indices $(l,t)$ of $P_1$ in $N$
Since the elements of the matrix M are chosen uniformly from $F$, the total number of possible choices for N’ is $O((2^{\lambda})^{d^2-1}) = O(2^{\lambda(d^2-1)})$. Thus the probability that an attacker can guess the $d^2 - 1$ elements correctly is
$\frac{1}{2^{\lambda(d^2-1)}}$ (5)
which is negligible for suitably chosen values of $\lambda$ and $d$. Further, for the Item 2, the probability that the attacker can successfully guess the coordinates $(l,t)$ is $1/d^2$. Thus, the probability that an attacker can get both item 1 and item 2 correct is given by $\frac{1}{d^2 \cdot 2^{\lambda(d^2-1)}}$ (6)
In another embodiment, let $\lambda = 32$. A 32 bit prime p is chosen, then $\#F = O(2^{32})$. By fixing d = 3, the attacker needs to “guess” $8\ (= 3^2 - 1)$ elements of a 3 × 3 matrix and also guess the correct position $(l,t)$ of the element $P_1'$. Hence the probability of success for an attacker is $1/(3^2 \cdot 2^{32 \cdot 8}) = 1/(9 \cdot 2^{256})$, which is negligible.
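The matrix based and determinant based checks of Pseudocode 3 and 4, run end to end on the numbers of the FIG. 4 and FIG. 5 examples; this is an added example, not code from the specification. It assumes textbook Paillier (additively homomorphic only) with constructed demo primes as a stand-in for FHE, so the random matrix stays in plaintext as in those examples, and it assumes the server partitions E(RES) by additive random shares; all function names are hypothetical.

```python
import secrets

# Textbook Paillier as an additively homomorphic stand-in for the FHE scheme.
# Demo primes (two Mersenne primes), constructed for this example only.
_P, _Q = 2**107 - 1, 2**127 - 1
MOD = _P * _Q                     # public modulus n; plaintexts live in Z_n
MOD2 = MOD * MOD
_PHI = (_P - 1) * (_Q - 1)        # private key material, held by the CLIENT
_MU = pow(_PHI, -1, MOD)

def enc(m):
    r = secrets.randbelow(MOD - 1) + 1
    return (1 + (m % MOD) * MOD) * pow(r, MOD, MOD2) % MOD2

def dec(c):
    return (pow(c, _PHI, MOD2) - 1) // MOD * _MU % MOD

def add(c1, c2):                  # E(a), E(b) -> E(a + b)
    return c1 * c2 % MOD2

def add_plain(c, k):              # E(a), k -> E(a + k)
    return c * (1 + (k % MOD) * MOD) % MOD2

def mul_plain(c, k):              # E(a), k -> E(a * k)
    return pow(c, k % MOD, MOD2)

def client_respond(c_res, extra):
    """CLIENT: decrypt E(RES) and every challenge ciphertext."""
    return dec(c_res), [dec(c) for c in extra]

# ---- Pseudocode 3: matrix based check ----
def server_matrix_challenge(c_res, M, shares):
    """Split E(RES) into d segments and return CS = segments . M."""
    d = len(M)
    # Assumed partition: first segment E(RES - sum(shares)), the rest E(share).
    segs = [add_plain(c_res, -sum(shares))] + [enc(s) for s in shares]
    cs = []
    for j in range(d):
        acc = enc(0)
        for i in range(d):
            acc = add(acc, mul_plain(segs[i], M[i][j]))
        cs.append(acc)
    return cs

def server_matrix_verify(p1, q, M, shares):
    """Recompute Z = T . M from the claimed D(RES); compare sum(Z), sum(Q)."""
    d = len(M)
    t = [(p1 - sum(shares)) % MOD] + list(shares)
    z = [sum(t[i] * M[i][j] for i in range(d)) % MOD for j in range(d)]
    return sum(z) % MOD == sum(q) % MOD

# ---- Pseudocode 4: determinant based check ----
def det(m):
    """Integer determinant by Laplace expansion (adequate for small d)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det([r[:j] + r[j + 1:] for r in m[1:]])
               for j in range(len(m)))

def server_det_challenge(c_res, N, l, t):
    """det(N') is affine in the swapped entry: RES * cof + det0."""
    zeroed = [row[:] for row in N]
    zeroed[l][t] = 0
    one = [row[:] for row in N]
    one[l][t] = 1
    det0 = det(zeroed)
    cof = det(one) - det0         # signed cofactor of position (l, t)
    return add_plain(mul_plain(c_res, cof), det0), cof, det0

def server_det_verify(p1, d_val, cof, det0):
    """Accept only if D(DET) equals det(N) with a_(l,t) = claimed D(RES)."""
    return d_val % MOD == (p1 * cof + det0) % MOD

def run_random(res=8, d=3, bits=32):
    """Honest run with a random d x d matrix over 32-bit elements."""
    c_res = enc(res)
    M = [[secrets.randbits(bits) for _ in range(d)] for _ in range(d)]
    shares = [secrets.randbits(bits) for _ in range(d - 1)]
    p1, q = client_respond(c_res, server_matrix_challenge(c_res, M, shares))
    ok_matrix = server_matrix_verify(p1, q, M, shares)
    l, t = secrets.randbelow(d), secrets.randbelow(d)
    det_c, cof, det0 = server_det_challenge(c_res, M, l, t)
    p1, (dv,) = client_respond(c_res, [det_c])
    return ok_matrix, server_det_verify(p1, dv, cof, det0)

if __name__ == "__main__":
    c = enc(8)                    # E(RES) = E(8), as in the worked example
    M = [[1, 1], [2, 3]]
    p1, q = client_respond(c, server_matrix_challenge(c, M, [3]))
    print(q, server_matrix_verify(p1, q, M, [3]))
    print(run_random())
```

A response whose D(RES) does not match what the challenge ciphertexts decrypt to fails both verify functions, which is the consistency property the two pseudocodes rely on.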
The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
The embodiments of the present disclosure herein address the unresolved problem of a proof of decryption based biometric authentication system. Here, the client needs to prove the method of operation each time it requests authentication from the server. Rather than using a single authentication method, the present disclosure provides a three tier authentication process to make the system more secure. Further, the present disclosure is devoid of a third-party authentication server, which increases its efficiency.
It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein such computer-readable storage means contain program-code means for implementation of one or more steps of the method when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs, GPUs and edge computing devices.
The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise. 
Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e. non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.

Documents

Application Documents

# Name Date
1 202121010283-STATEMENT OF UNDERTAKING (FORM 3) [11-03-2021(online)].pdf 2021-03-11
2 202121010283-REQUEST FOR EXAMINATION (FORM-18) [11-03-2021(online)].pdf 2021-03-11
3 202121010283-FORM 18 [11-03-2021(online)].pdf 2021-03-11
4 202121010283-FORM 1 [11-03-2021(online)].pdf 2021-03-11
5 202121010283-FIGURE OF ABSTRACT [11-03-2021(online)].jpg 2021-03-11
6 202121010283-DRAWINGS [11-03-2021(online)].pdf 2021-03-11
7 202121010283-DECLARATION OF INVENTORSHIP (FORM 5) [11-03-2021(online)].pdf 2021-03-11
8 202121010283-COMPLETE SPECIFICATION [11-03-2021(online)].pdf 2021-03-11
9 202121010283-Proof of Right [22-06-2021(online)].pdf 2021-06-22
10 202121010283-FORM-26 [14-10-2021(online)].pdf 2021-10-14
11 Abstract1.jpg 2022-02-17
12 202121010283-FER.pdf 2022-12-23
13 202121010283-FER_SER_REPLY [19-04-2023(online)].pdf 2023-04-19
14 202121010283-COMPLETE SPECIFICATION [19-04-2023(online)].pdf 2023-04-19
15 202121010283-CLAIMS [19-04-2023(online)].pdf 2023-04-19
16 202121010283-US(14)-HearingNotice-(HearingDate-15-04-2024).pdf 2024-03-26
17 202121010283-Correspondence to notify the Controller [11-04-2024(online)].pdf 2024-04-11
18 202121010283-FORM-26 [12-04-2024(online)].pdf 2024-04-12
19 202121010283-FORM-26 [12-04-2024(online)]-1.pdf 2024-04-12
20 202121010283-Written submissions and relevant documents [24-04-2024(online)].pdf 2024-04-24
21 202121010283-Power of Authority [24-04-2024(online)].pdf 2024-04-24
22 202121010283-PETITION u-r 6(6) [24-04-2024(online)].pdf 2024-04-24
23 202121010283-Covering Letter [24-04-2024(online)].pdf 2024-04-24
24 202121010283-PatentCertificate16-06-2024.pdf 2024-06-16
25 202121010283-IntimationOfGrant16-06-2024.pdf 2024-06-16

Search Strategy

1 SearchHistoryE_22-12-2022.pdf

ERegister / Renewals

3rd: 16 Sep 2024

From 11/03/2023 - To 11/03/2024

4th: 16 Sep 2024

From 11/03/2024 - To 11/03/2025

5th: 03 Mar 2025

From 11/03/2025 - To 11/03/2026