IACR News item: 26 June 2014
Mehmet Sabır Kiraz, Ziya Alper Genç, Süleyman Kardaş
ePrint Reportand Patey proposed two biometric authentication schemes between
a prover and a verifier where the verifier has biometric
data of the users in plain form. The protocols are based on secure
computation of Hamming distance in the two-party setting. Their
first scheme uses Oblivious Transfer (OT) and provides security
in the semi-honest model. The other scheme uses Committed
Oblivious Transfer (COT) and is claimed to provide full security
in the malicious case.
In this paper, we show that their protocol against malicious
adversaries is not actually secure. We propose a generic attack
where the Hamming distance can be minimized without knowledge
of the real input of the user. Namely, any attacker can
impersonate any legitimate user without prior knowledge. We
propose an enhanced version of their protocol where this attack
is eliminated. We provide a simulation based proof of the security
of our modified protocol. In addition, for efficiency concerns, the
modified version also utilizes Verifiable Oblivious Transfer (VOT)
instead of COT. The use of VOT does not reduce the security of
the protocol but improves the efficiency significantly.
Additional news items may be found on the IACR news page.