I Introduction
In the digital and increasingly interconnected world we live in, establishing individuals’ identity is a pressing need. For this reason, in the last decades, we have seen an increasing interest in biometricbased recognition systems. Biometric recognition can be split into two main categories: authentication and identification. In the first scenario, also referred to as verification, the user is interested in demonstrating that he/she is who he/she claims to be, while in the second one, the goal is to determine the identity of the user submitting the biometric template among those known by the system
. Usually, in both verification and identification protocols, a single biometric trait is used to extract a feature vector. The feature vector then is matched with one or more templates stored in the system database. In this work we focus on an authentication protocol.
More recently, the security of biometric systems has become a very active research area, due to the necessity of impeding newly emerging cybercrimes like identity theft, privacy violation, unauthorized access to sensitive information and so on [3]. Protocols allowing to process encrypted biometric signals without decrypting them are among the most widely studied solutions to enhance the security of biometric systems [4, 5]. According to such an approach, verification or identification is carried out by the system by relying only on encrypted biometric templates, thus avoiding the risk that sensitive information is leaked during the protocol.
The possibility of processing a comparing encrypted biometric templates relies on a number of cryptographic tools [6, 7, 8, 9], broadly referred to as MultiParty Computation (MPC) [10]
. Generally speaking, MPC protocols can be classified according to the adopted security model. The most common distinction considers protocols which are secure only against
semihonest adversaries, and those which can be proven to be secure also against malicious adversaries. To be specific, according to the semihonest model, all the parties execute the protocol without deviating from it, but meanwhile they try to obtain as much information as possible about the other parties’ data. Protocols developed in the semihonest model are very efficient and, for this reason, are adopted in the majority of the works proposed so far [4, 5]. On the contrary, in the malicious model, the parties can arbitrarily deviate from the protocol in their attempt to get access to sensitive information. While security against malicious parties is desirable, in many real world applications, the resulting protocols have a very high complexity and their use in real systems is often impractical. The great majority of the attempts made so far to devise efficient biometric recognition protocols in the malicious setting, focused on the development and use of innovative and efficient MPC and cryptographic primitives. A much less investigated approach consists in the adoption of biometric recognition protocols which are better suited to be implemented in a MPC framework. Yet, as highlighted in [5], working on the signal processing side of the problem may help to reduce significantly the complexity of the resulting MPC protocol, e.g. by efficiently trading off between accuracy and complexity.Ia Contribution
In this work, we follow the above strategy and present SEMBA: a SEcure MultiBiometric Authentication protocol which achieves a better tradeoff between efficiency and accuracy with respect to the single modality subsystems composing it. This represents a major departure from most works on multimodal biometric systems, in which the availability of multiple biometric modalities is exploited to decrease interclass variability and improve intraclass similarity in the presence of acquisition noise and any other kind of distortion [11]. In this framework, the main contributions of the paper are the following: i) we design a multimodal biometric system that combines face and iris templates and that can be easily implemented by relying on Secure Multiparty Computation protocols; ii) we propose a privacy preserving multibiometric authentication protocol secure against a malicious party. SEMBA is based on the SPDZ tool [1, 2] and discloses only the final binary decision; iii) we compare our multibiometric protocol with single biometric protocols, showing that by using a properly simplified representation of the two biometric traits, backed by a rigorous signal processing analysis, the multimodal protocol can reach the same accuracy of the corresponding singlemodality systems based on more accurate  and more complicated  representations of iris and face templates, but with significantly lower computational complexity. In particular, SEMBA obtains the same accuracy of the stand alone iris authentication protocol described in [12]. Of course, system designers could also decide to exploit the superior performance allowed by multimodal authentication to improve authentication accuracy with the same complexity of the single modality protocols.
Ii Prior works
In the last years, many cryptographic tools, including oblivious transfer [6], homomorphic encryption [8, 13], and garbled circuits [7], have been used for privacy protection of biometrics templates. In most works, such tools are used in such a way to achieve security in the semihonest model. Many privacy preserving authentication protocols have been proposed in the literature making use of a wide variety of biometric traits. Since, in this work, we present a privacy preserving multibiometric authentication protocol based on face and iris, we focus on the state of art relative to those biometries, then we discuss the few works achieving privacy protection in the malicious model and finally we discuss the main characteristics of multimodal (or fusion) biometric systems.
Iia Biometric recognition in the semihonest model
As pointed in [4, 5], many prior works on biometric recognition are designed to be secure against semihonest adversaries. Some examples are [14, 15]
for face recognition and
[16, 17, 18] for iris recognition. In order to guarantee security, the above papers are based on many cryptographic techniques such as Pailler additive homomorphic cryptosystem (HE), Oblivious Transfer (OT) or Garbled Circuit (GC). For efficiency reasons, such protocol are mainly based on the eigenface [19] and iriscode [20] representation of iris and face respectively. More accurate protocols exist, but their privacy preserving implementation has such a high complexity to make them impractical.IiB Biometric recognition in malicious setting
There are few works on privacy preserving biometric authentication secure under a malicious model. Kantarcioglu and Kardes [21] present a way to implement some primitives, specifically the dot product and equality check, in the malicious model, by also analyzing the corresponding computational cost. Even if this work is not directly related to biometrics, the proposed solutions can be adapted to them. In [22], Abidin presents a general framework for biometric authentication that uses a homomorphic encryption scheme to evaluate the distance between two encrypted biometric templates. In his work, Abidin proves security against malicious attacks, but does not provide results about the practical implementation of the protocol. In [23], Pathak and Raj present two speechbased authentication protocols. The first one is an interactive protocol based on Pailler cryptosystem which is secure against a semihonest adversary, the second one is a noninteractive protocol based on BNG [24]
cryptosystem, which allows to perform an arbitrary number of additions and one multiplication between ciphertexts, and is secure against malicious attacks. In both cases the output is a probability value and the client checks if such a value is equal to zero or not in the plain domain. From the tests and the analysis reported in
[23] it is clear that the interactive protocol is more efficient than the malicious one.A large number of approaches [25, 26, 27, 28, 29] have been proposed to make Yao’s garbled circuit techniques secure in the malicious model through Zero Knowledge proof, cut and choose, or other techniques. Such approaches can also be used for biometric authentication protocols, but their complexity is so high to make them impractical. Gasti et al. [30] propose a lightweight biometric authentication protocol based on simple garbled circuits and secure against malicious adversaries by relying on an untrusted third party (the cloud). The goal of the protocol is to minimize the amount of computation performed by the biometric owner’s device (a smartphone), while also reducing the protocol execution time and without the necessity to rely on cutandchoose techniques. In the protocol, the biometric owner acts as circuit constructor, the cloud as circuit evaluator, while the server verifies the correctness of the circuit. The approach is secure against colluding biometric owner and cloud, but not against colluding server and cloud.
IiC Multimodal biometric recognition
Given the recent technological advances, novel devices are often equipped with numerous sensors, opening the way to multibiometric authentication. In [31] Ross, Nandakumar, and Jain present an overview of the possible fusion scenarios and their applications in real life. For our protocol we choose a multimodal system, that combines information from face and iris.
Biometric signals are usually processed in four stages. First a sensor captures the traits of an individual as a raw biometric data. Second, raw data are processed and a compact representation of the physical traits, called features, is extracted. Then the feature template is matched with the templates stored in a database. Finally the matching score is used to determine an identity or to validate a claimed identity. Information can be merged at any time during a multibiometric recognition protocol. For further information about this topic readers may refer to [31]. The choice of fusion depends on the intended application, its specific characteristics and the multiparty computation tool chosen to guarantee privacy. Fusing the biometric signals at an early stage results in a higher accuracy of the protocol at the expenses of a higher complexity. For this reason, the most used approach, and the one we use in this paper, is score level fusion, whereby the match scores from each biometric trait involved in the process are combined to obtain the final result. Score level fusion combines good accuracy and relatively easy implementation.
To the best of our knowledge, GomezBarrero et al. [32] have proposed the only previous work on multibiometric privacy protection operating in the encrypted domain. In their work, the authors present a general framework for multibiometric template protection based on Pailler cryptosystem, in which only encrypted data is handled. The authors examine the outcome of the fusion of online signature and fingerprints, at three different levels of fusion: feature, score and decision levels. The system presented by Gomez et al. has a low computational cost (only one decryption on the server side and no encryptions at verification time), moreover they obtained a good accuracy (EER = 0.12%), with a required time for a single comparison of about . A drawback with the system described in [32], is that comparison is carried out on plain data by the server, thus introducing a breach into the security of the system. On the contrary, in our work we implement also the final comparison step within the SPDZ framework, to prevent any security loss, even if this choice has a nonnegligible cost in terms of complexity (see Section VI). As a further difference, in [32] an Euclidean distance computation (in case of twomodal system) requires exponentiations, where is the number of enrolled samples and the feature’s total number considering all the modalities. In our work, instead, thanks to the SPDZ system and to the possibility of using integer numbers, we need only (the length of the feature vector) squares, one of our most expensive operations.
Iii Tools
In this section, we present the cryptographic and biometrical tools used in our protocol.
Iiia Cryptographic tools: SPDZ system
Damgård et al. [1, 2] proposed the MPC framework named SPDZ, a two  or multiparty  computation protocol secure against an active adversary corrupting up to of the players. This method uses multiplicative triples generated offline by using Somewhat Homomorphic Encryption (SHE) to efficiently perform online secret sharing operations.
We assume the computation is performed over a fixed finite field of characteristic ; where is a prime number. Each player has an uniform share of a secret key such that (in the following we omit the indication of the modulus operation for simplicity). In this paper we focus on secure twoparty computation protocols, then and . An item is shared if the player holds a tuple such that and . In other words, and are additive secret shares of and . The value represents the Message Authentication Code (MAC) of . Any operation involving some variables is also performed on their MAC, so that, at the end of the protocol, the MAC is checked before revealing the outcome. If one of the parties has a different MAC from the others, the procedure aborts. During the description of the protocol, we say that a  shared value is partially opened if each party reveals to the other one the value but not the associated .
An SPDZ protocol can be divided into two major phases. The preprocessing phase, sometimes referred to as the offline phase, where the system is set up, and the online phase, where the actual computation is performed. In the offline phase, parties generate a public key and a shared secret key for the SHE scheme. Then, relying on the homomorphic properties of the SHE, the preprocessing protocol generates and ’s shares, input shares, shares of tuples for multiplications and squares, and the random share values necessary to evaluate the comparison [2]. Finally each party decrypts his set of preprocessed data by using his secret key share. In this paper, we assume that the generation of tuples and inputs has been already made in the encrypted domain before the protocol starts and we focus our efforts on the analysis of the online part of the system.
By using SPDZ, linear operations, such as additions and scalar multiplications (see Table I), can be performed on the shares without interaction; while products between ciphertexts and comparisons need data transmission and proper subprotocols.
operation  party 1  party 2 

Products and square operations are evaluated through interactive protocols that use multiplication triples generated during the preprocessing phase. Due to lack of space we refer to [1, 2] for implementation details. Each multiplication requires two transmissions from each party to the other, while each square operation requires only one transmission.
IiiA1 Comparison
Here we show how to compute the outcome of a secure comparison , for any two elements , according to the protocol proposed in [33], that has the lowest computational complexity among all the secure comparison protocols proposed so far.
The comparison computation is based on the observation that is determined by the truth values of , , and , where indicates the share values of the outcome of . By choosing so large that both inputs are lower than , it is sufficient to evaluate only .
Given , then can be easily computed as . We observe that if then . Since we work on , we have that
and it is odd; else if
than and it will be even because we do not need any modular operation. Therefore, to establish if is larger or smaller than we need to determine only the last significant bit of . To compute the last significant bit of , we use a value shared by parties both as integer and as a bit array. The value along with its bit decomposition are precomputed off line. We indicate as the bits of and with their shared values.First of all we compute , then is partially opened. If then the last significant bit of is equal to , otherwise it is equal to .
Since we work in the field , iff . By recalling that is known to both parties, we can easily obtain a share of , the truth value of (i.e. ) working on the bits of and on the shared bits of . Then we use the following procedure to calculate .

[nosep,noitemsep]

If then else .

For all

if then

else .
Now can be easily calculated as
(1) 
Since is known in our implementation,
(2) 
Complexity. This protocol requires one multiplication for each iteration plus one for the last step in (1). Therefore the complexity depends on the bit length of and it is equal to multiplications, which require transmissions.
IiiB Biometrics tools
In our work we compare two different authentication systems: an iris authentication protocol and a multimodal system relying on the fusion at the score level of iriscode and eigenfaces. Both protocols are developed in the encrypted domain by relying on the SPDZ framework. Different and more accurate protocols exist, but their privacy preserving implementation have such a high complexity to make them impractical. In the following subsections, we first describe the standalone iris (Section IIIB1) and face (Section IIIB2) protocols in the plain domain, then the main characteristics of a general multimodal recognition protocol (Section IIIB3).
IiiB1 Iris recognition
In our implementation, we use the iriscode template proposed for the first time by Daugman in [20] and then modified by Masek in [12]. The description of the entire extraction process is out of the scope of this paper, therefore we limit the presentation to the details which are relevant for the current work.
An iriscode is a bit vector of length depending on the radial and angular resolutions used during template extraction. The extraction process outputs also a bitwise noise mask. The noise mask represents the regions of the iris altered by noise, e.g. by eyelashes end eyelid. To compare two templates (the query and the probe enrolled in the database) the authentication process relies on a weighted Hamming distance, where the weights depend on the noise mask bits. In this way only significant bits are used to calculate the distance between the two templates. Given the template length , we indicate by and the iris templates and and the corresponding noise masks. We assume that the value in the mask vector indicates that the bit is affected by noise and must be excluded from the computation. Moreover, we indicate with the negation of a feature bit . The weighted Hamming Distance (HD) can be calculated as:
(3)  
IiiB2 Face recognition
Face templates can be generated by relying on the eigenfaces method proposed by Tuck and Pentland in [19] providing a set of facial characteristics that can be used to describe all the faces into the database (the facespace
), as eigenvectors do in linear algebra. The template associated to a face
, is the projection of on the face space . Each describes the contribution of the corresponding eigenface, , in representing the input image. In order to find the image that best matches with , the algorithm looks for the projection vector among all database images, that minimizes the Euclidean distance(4) 
IiiB3 Multibiometric score level fusion
In this work we choose to use multimodal fusion (face and iris) at score level. This is motivated by the fact that, following the considerations in Section IIB, face and iris recognition protocols allow to easily compute the match score in the encrypted domain. Moreover, we underline that both iris and face can be acquired at the same time in real applications, for example by using a smartphone camera. We summarize our fusion system in Figure 1.
Match scores generated by iris and face classifiers are characterised by a different range of values: the output of the iris protocol is a real number in , while the output of the face recognition protocol is a squared number in . Many ways have been proposed to overcome the problems generated by the differences between the scores provided by different biometric recognition systems (see [31] for more details). Among them, due to the characteristics of our MPC system, we choose a linear combination of the scores. Furthermore, to normalize the face matching score, we choose to use a min  max normalization method [31].
(5) 
where , indicate the minimum and maximum values of the face range. Since , if is the Hamming distance resulting from iris match, the Euclidean distance between faces, and the maximum value of the face recognition system, multimodal recognition corresponds to checking if the following inequality holds:
(6) 
where are proper weights and is the threshold.
Iv Proposed Protocol
In this section, we describe the details of SEMBA implementation. We start by presenting the security model (Section IVA), then we present the implementation of the iris and face authentication protocols (Sections IVB and IVC) and the multimodal biometric protocol (Section IVD). Finally, we discuss the security of the SPDZ protocols in Section IVE.
Iva Security model
All the protocols involve a client (the biometric owner) and a server that authenticates the identity of the client. Since in our computation we have only two parties, from now on, the SPDZ protocol is described for . On one hand the client does not want to reveal his biometric templates, on the other hand the server does not want to dislocate its records. Both client and server can be malicious, i.e. they may be interested in gaining as much information as possible on the other party even by deviating from the protocol. Considering that the SPDZ protocol involving parties is secure up to malicious parties, we assume that only one between the client and the server can act maliciously. We underline that if both act maliciously, they obtain no real information about the counterpart. We also assume that the parties are connected through a secure channel providing privacy against eavesdroppers and any third party that can compromise the transmission.
IvB Iris authentication protocol in encrypted domain
The SPDZ protocol supports operations modulo . Each binary element of an iris feature is encrypted as a modulo integer share. For this reason, to implement the Hamming distance computation as in Equation (3), we must implement logical operations as a combination of integer operations . The correspondence between binary and integer operations is detailed in Table II.
Binary  Integer 

Let and be two binary iris feature templates, where is the number of features, we indicate with the vector containing shares of each element, i.e. the vector for .
In SPDZ, as well as in other MPC protocols, division is a very expensive operation. Hence, instead of evaluating the division and then compare the distance with an acceptance threshold, the denominator is multiplied by the threshold before the comparison. By letting
(8) 
and
(9) 
the authentication check corresponds to
(10) 
As it can be seen from Equation (8), many share multiplications are needed to calculate the numerator, namely, multiplications for each , and . To compute the denominator, we can reuse the already computed for the numerator. Multiplication between shares requires data transmission, slowing down the computation. To optimize the protocol, we split the multiplication protocol into two parts. First we calculate and , for all . Then, to partially open the values, both server and client exchange shares by using a packet for all ’s and one for all ’s. In this way we need only two transmissions for multiplications.
Complexity. Computing and requires multiplications each, one for each element of the template; moreover, multiplications are required to compute . The total cost associated to the computation of is multiplications but, as we explained above, we need only transmissions. Computing (Equation (9)) has a negligible complexity since has already been calculated for all in Equation (8). Moreover, we need a multiplication between and , and multiplications for the comparison, where is the number of bits necessary to represent a modulo integer (see Section IIIA1). Consequently, we need multiplications but only transmissions for the iris protocol.
IvC Face authentication in encrypted domain
As for the iris, we assume that face features have already been computed according to the protocol described in Section IIIB2, obtaining a set of real features that have been rounded to represent them in (in the next we avoid the round operator for simplicity). Given the projection of the query face image, the facebased biometric authentication protocol must evaluate the Euclidean distance as in Equation (4), and check if it is lower than a threshold . Considering that the square root cannot be evaluated efficiently in SPDZ, we instead compare the Squared Euclidean distance (SED) against the squared threshold:
(11) 
In equation (11), indicates an element of the face and the th element of the projection . Moreover, as we did for the Hamming distance, we separate the square computation into two parts, so we need only one transmission to calculate SED.
Complexity. The computation of the Squared Euclidean distance requires the evaluation of squares that can be parallelised, hence only one transmission is necessary. For the comparison we need products, as in the iris authentication protocol. Considering that squares and products have similar complexity, the complexity of the protocol is given by products.
IvD Fusion in encrypted domain
We now describe our solution to implement the fusion protocol in the encrypted domain. As outlined in Equation (6), we use a linear combination of the matching scores; to avoid performing divisions, we evaluate
(12) 
where and stand for the numerator and denominator of the iris Hamming distance, in (6), while SED, and stand for squared Euclidean distance score, face maximum range, and threshold.
The SPDZ framework does not allow the use of noninteger numbers, so , and are scaled and approximated to integers in the interval . We chose this interval because it is accurate enough to obtain the same results achieved in the plain domain, and the resulting bitlength is small enough to make it possibile to represent and in .
Complexity The previous formula requires three multiplications and six transmissions that cannot be run in parallel. Moreover, it needs multiplications for the comparison. In total, the linear fusion requires multiplications and transmissions, plus the multiplications necessary to compute the Hamming and the squared Euclidean distances. The total complexity of the full multimodal protocol is multiplications and squares, while it requires only transmissions.
Multiplication  Squares  Transmissions  

Iris  0  
Face  
Multimodal 
IvE Protocol security
Relying on SPDZ tool, our protocols is secure in the UC model if at least one of the two parties is honest. In fact, according to [2], our SPDZbased protocol is secure against malicious adversaries, where in our twoparty computation scenario. The offline phase does not depend on the functionality evaluated and its security demonstration against active adversaries in the UC model is provided in [2]. The security demonstration of the online protocol is provided in the following theorem.
Theorem 1.
The online SPDZ implementation of SEMBA is computationally secure against any static adversary corrupting at most party if is exponential in the security parameter.
Proof.
The proof follows the security demonstration of the online SPDZ protocol in [2]. We rely on the simulator defined in [2] to work on top of the ideal multibiometric authentication functionality , such that the adversary cannot distinguish among the simulator using the real function and the real SPDZbased implementation using multiplication triples generated offline. Input values broadcasted by both the simulator and honest players are uniform and it is not possible to distinguish among them. During execution, interaction with player is performed only during multiplication and squaring where partial opening reveals uniform values for both honest parties and simulator. Also MACs have similar distribution in both the protocol and the simulation. If the protocol does not abort due to a cheat detection, both the real and the simulated runs output the decision bit. In the simulation the decision bit is obtained by a correct evaluation of the multibiometric function on the inputs provided by the player. In real SPDZbased implementation the adversary can cheat in the MAC check with probability . Hence the probability that the adversary can distinguished the simulated environment from the real one is negligible if is exponential. The adversary is not able to obtain the inputs of the honest player because if the protocol does not abort, he can observe only its input, the input shares received by the other party and the final result. To obtain the original inputs of the honest party, the adversary should be able to solve the inequality in (6), which has unknown variables for the server and for the client, where and are the number of features used to represent iris and face respectively. ∎
V System tuning
In this section, we present the results of the tests performed on plain data. We will use such results to choose the best parameters to build an efficient protocol working in the encrypted domain. Tests have been carried out on the “CASIAIrisV1” database for irises and “CASIAFaceV5 part 1” database for faces, both collected by the Chinese Academy of Sciences’ Institute of Automation (CASIA) [35, 36].
The CASIAIrisV1 database for irises [35] contains greyscale eye images with unique irises (or classes) and images for each of them. As in [12], we used a subset of the database for the tests, retaining only those images in wich the algorithm has well separated iris region from sclera and pupil. The resulting database contains eye images.
The CASIAFaceV5 Databases for faces part 1 [36] contains face images of subjects. The face images are captured using Logitech USB camera in one session. All face images are bit color BMP files and the image resolution is pixels.
We implemented and tested our SPDZbased iris and multibiometric protocols on a desktop equipped with 8GB RAM processor Intel Core i3 CPU 550 @ 3.20 GHz QuadCore running Ubuntu 14.04 LTS (64 bit) operative system. We developed the test using C++ language with GMP free library for arbitrary precision arithmetic, operating on signed integers, rational numbers, and floatingpoint numbers.
To implement the SPDZ protocol we chose the bit prime number , which is big enough to allow all the needed modular operations and comparisons, and guarantee the security of the protocol. Server and client run on the same computer, and we used a socket to simulate the transmission channel.
Va Parameter optimisation
We performed tests on plain data, running the authentication protocol on each single biometric and then by fusing eigenfaces and iriscodes.
Iris
For testing the iris authentication protocol, we have chosen a radial resolution ranging from to and an angular resolution between and (Table IV). As said above, we tested the protocol on eye images and each one has been compared with all the others. To perform the tests in the plain domain, we used the Matlab code provided by L. Masek (iris recognition source code [37]) as part of his work [12]. As we can see from Table IV, the best accuracy is achieved by letting the angular resolution be equal to angles and radial resolution equal to 20 corresponding to an iris feature vector of length 6400.
To reduce the EER, Masek ([12]) shifts times the iris templates keeping the lowest Hamming distance score. In SPDZ this operation is computationally very expensive, so we could not afford it.
Angular Resolution  
100  120  140  160  180  200  
4  8.19  6.43  4.37  3.34  3.31  3.10 
6  6.88  5.05  3.01  2.45  2.71  3.01 
8  6.13  4.42  2.69  2.19  2.58  4.36 
10  6.31  4.03  2.64  2.44  2.54  3.92 
12  5.96  4.10  2.56  2.14  2.59  3.71 
14  5.71  3.85  2.54  2.17  2.58  3.27 
16  5.49  3.79  2.32  2.13  2.51  3.31 
18  5.71  3.61  2.46  2.31  2.41  3.18 
20  5.77  3.74  2.20  2.08  2.41  3.13 
Face
We have implemented the eigenface protocol by using the Open Source Computer Video (openCV) library^{1}^{1}1http://opencv.org/about.html and Matlab. Face images are pixel and we transformed them in grey level images. The protocol has been tested on images. We used the algorithm provided in the openCV library to build eigenfaces with . Each image is thus represented by a projection vector of length . Each projection element is a bit integer and the squared Euclidean distance has been calculated by using Matlab. We observed that the use of more than 5 projections does not provide any significant improvement (see Table V).
EER (%)  EER (%)  

Iris Parameters  Number of Eigenfaces ()  

N  r  iris  1  2  3  4  5  6  7  8  9  10  
6400  20  160  2.08  1.17  1.15  1.02  1.25  1.25  1.24  1.31  1.37  1.4  1.41 
5760  16  180  2.51  1.26  0.98  1.01  1.22  1.38  1.36  1.43  1.47  1.49  1.50 
5600  20  140  2.20  1.20  1.08  1.19  1.18  1.34  1.28  1.36  1.38  1.39  1.40 
4800  20  120  3.74  1.90  1.97  1.65  1.98  2.04  2.15  2.11  2.17  2.2  2.21 
3840  12  160  2.14  1.84  1.52  1.50  1.45  1.63  1.74  1.76  1.77  1.78  1.78 
3600  10  180  2.54  1.36  1.23  0.97  1.65  1.82  1.99  2.07  2.15  2.17  2.19 
3360  12  140  2.56  1.51  1.32  1.38  1.31  1.56  1.61  1.58  1.63  1.67  1.69 
2560  8  160  2.19  1.50  1.24  1.19  1.15  1.39  1.49  1.59  1.6  1.61  1.62 
2400  6  200  3.01  2.01  1.83  1.89  2.13  2.37  2.56  2.66  2.7  2.72  2.73 
2160  6  180  2.71  1.92  1.74  1.82  1.98  2.04  2.09  2.07  2.13  2.16  2.18 
1920  6  160  2.45  1.47  1.42  1.43  1.57  1.66  1.95  1.92  1.95  1.96  1.97 
1600  4  200  3.10  2.01  1.87  1.85  2.41  2.37  2.56  2.67  2.69  2.71  2.71 
1280  4  160  3.34  2.29  1.89  2.22  2.26  2.51  2.80  2.80  2.92  2.98  3.01 
Multimodal
We have evaluated the efficiency of the fusion protocol in the plain domain, by fusing the outcomes of face and iris subalgorithms through a Matlab implementation. From Table IV, we have chosen some relevant iris configurations, based on the achieved EER or number of features. First of all, to better compare with the best iris result, we chose and resulting in , then for each , we looked for the best accuracy under , and finally we chose those configurations with EER similar to the previous ones but less features. Moreover, we varied in the interval and the number of eigenfaces from to . Table VI summarizes our results, showing the EER for each and .
As shown in Table VI, the same accuracy of the stand alone iris protocol (2.08%) can be reached with many different multibiometric configurations, e.g. by using and or even by using only iris features and . For the tests in the encrypted domain, between the two configurations with the same accuracy, we chose the last one, since it has lower bandwidth and computational complexity (see Table III and Table VIII). We can also notice that keeping , but using 2 features for face representation, we can lower both accuracy and complexity. Generally, by using two eigenfaces, the best possibile accuracy is provided with iris features, however the same performance are obtained also by the combination of iris features and three face features. For this reasons, we tested several configurations in the encrypted domain, as summarised in Table VII.
Vi Complexity of the SPDZ protocol
We evaluated the computational complexity of our implementation of the SPDZ protocol (Section IV), by using the parameters chosen in the previous section (see Table IV and Table VII). Execution times are heavily affected by the number of multiplications. As we said in Section IVB, when possible, we performed a single transmission, by packing data. To calculate the execution time, reported in Table IX, we used the clock function, measuring the CPU time of the process.
Iris  EER  Face  Fusion parameters  

N  Iris (%)  Fusion (%)  
1  
2  
3  
2  
2 
In SEMBA the number of transmission rounds depends only on the bitlength of the prime number and not on the feature configuration, as it can be seen from Table III. On the contrary, the amount of data transmitted by each party also depends on the number of features used in the protocol. In fact, the iris authentication protocol has a bandwidth of bits, while the multimodal protocol bandwidth is bits. Since the complexity of the iris protocol is much higher than that of the facebased authentication protocol, the overhead introduced by the multimodal biometric authentication is of few bytes, as it can be seen from Table VIII. For this reason, the communication complexity remains almost constant switching from the iris to the multimodal protocol.
Iris  bandwidth (KB)  Face  

iris  multimodal  overhead  
1600  53.24  53.30  0.06  1 
3600  119.16  119.23  0.07  3 
5760  190.35  190.42  0.07  2 
6400  211.44  211.51  0.07  2 
The main goal of our work was exploiting multimodality to reduce complexity while maintaining the same accuracy of the irisbased protocol. Moreover, our analysis shows that the multimodal protocol can also be used to lower the EER without a significant loss in terms of complexity. In the following, we discuss both cases.
Improved efficiency
The running time of the stand alone iris authentication protocol ranges from s for bits, up to s for a bitlong template in the malicious setting (see Table IX), while Luo et al. protocol [16] with masks needs s for bits and s for bits in the semihonest setting. Moreover from Table VII and Table IX, it is evident that SEMBA can provide the same accuracy of the best stand alone iris protocol, but with lower execution time and computational complexity. As a matter of fact, the best EER for the standalone iris protocol is for features corresponding to multiplications (Table III) in , while in the fusion configuration for iris features and eigenface feature, we need only multiplications (see Table III, where we consider squares as multiplications) to obtain an EER equal to in about seconds. On the contrary, the number of required transmissions increases from to (Table III), but it depends only on the bit length of .
Improved accuracy
As an alternative to improve the computational complexity, the use of two biometries instead of one can be exploited to achieve a higher accuracy, at the cost of a slight increase of complexity with respect to the iriscode protocol. In fact, as shown in Table III, complexity depends heavily on the number of iris features, however by adding two eigenfaces it is possible to decrease the EER rate, while the number of multiplications increases only from to (as usual we consider squaring to be equivalent to multiplication). More generally, when we move to multimodal authentication, the total CPU time slightly increases with respect to the unimodal iris protocol, but the EER always decreases; by adding one more eigenface () to the iris feature configuration considered above, we can have a better EER () with the same time complexity (0.03 seconds). For the case of bit long iris template, the EER passes from from for the unimodal authentication to for the bimodal case with (Table VII). Finally, keeping as target accuracy, we highlight that we can reduce to at the cost of an additional feature in the face representation (). In this case, computational complexity goes from to multiplications and time complexity decreases from s to s (Table VIII and Table IX).
Iris  CPU time  Face  

Iris (s)  multimodal (s)  
1600  0.029s  0.030  1 
1600  0.030  2  
3600  0.048  0.049  3 
5760  0.11s  0.109  2 
6400  0.12s  0.120  2 
Vii Conclusions
In this paper, we have proposed SEMBA, a multimodal authentication system based on the MPC approach SPDZ [2, 1] secure against a malicious party. We have shown that by using a multimodal system it is possible to improve the efficiency of the recognition process in terms of number of multiplications and evaluation time, without any loss of accuracy. In the same way, it is also possible to improve accuracy at the cost of a negligible increase of complexity. As an additional contribution, we adapted the iris and face authentication protocols to work in the SPDZ
setting. A further additional complexity reduction is achieved by resorting to packed transmission of encrypted data involved in the secure multiplication protocol. As future work, we plan to extend our approach to even more biometric traits, like fingerprints, behavioral biometric and many others. Another interesting research direction could be to look for different algorithms and more efficient fusion rules to merge the match scores. We are also interested to test our protocol on mobile devices, in order to measure the complexity of the whole protocol, including also multibiometric acquisition and feature extraction.
References
 [1] I. Damgård, V. Pastro, N. Smart, and S. Zakarias, “Multiparty computation from somewhat homomorphic encryption,” in Advances in Cryptology–CRYPTO 2012. Springer, 2012, pp. 643–662.
 [2] I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, and N. P. Smart, “Practical covertly secure mpc for dishonest majority–or: Breaking the spdz limits,” in European Symposium on Research in Computer Security. Springer, 2013, pp. 1–18.
 [3] “Biometrics security and privacy protection,” IEEE Signal Processing Magazine, vol. 32, no. 5, Sept 2015.
 [4] J. Bringer, H. Chabanne, and A. Patey, “Privacypreserving biometric identification using secure multiparty computation: An overview and recent trends,” IEEE Signal Processing Magazine, vol. 30, no. 2, pp. 42–52, 2013.
 [5] M. Barni, G. Droandi, and R. Lazzeretti, “Privacy protection in biometricbased recognition systems: A marriage between cryptography and signal processing,” IEEE Signal Processing Magazine, vol. 32, no. 5, pp. 66–76, 2015.
 [6] O. R. Michael, “How to exchange secrets by oblivious transfer,” Technical Report TR81, Aiken Computation Laboratory, Harvard University, Tech. Rep., 1981.
 [7] A. C. Yao, “How to generate and exchange secrets,” in Annual IEEE Symposium on Foundations of Computer Science, 1986, pp. 162–167.
 [8] P. Paillier, “Publickey cryptosystems based on composite degree residuosity classes,” in Advances in Cryptology  EUROCRYPT. Springer, 1999, pp. 223–238.
 [9] C. Gentry and S. Halevi, “Implementing Gentry’s fullyhomomorphic encryption scheme,” Advances in Cryptology–EUROCRYPT 2011, pp. 129–148, 2011.
 [10] O. Goldreich, “Secure multiparty computation,” Manuscript. Preliminary version, pp. 86–97, 1998.
 [11] A. Ross, K. Nandakumar, and A. K. Jain, “Introduction to multibiometrics,” in Handbook of Biometrics. Springer, 2008, pp. 271–292.
 [12] L. Masek, “Recognition of human iris patterns for biometric identification,” The University of Western Australia, vol. 2, 2003.
 [13] P. S. Pisa, M. Abdalla, and O. C. M. B. Duarte, “Somewhat homomorphic encryption scheme for arithmetic operations on large integers,” in Global Information Infrastructure and Networking Symposium (GIIS), 2012. IEEE, 2012, pp. 1–8.
 [14] Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, and T. Toft, “Privacypreserving face recognition,” in Privacy Enhancing Technologies. Springer, 2009, pp. 235–253.
 [15] A.R. Sadeghi, T. Schneider, and I. Wehrenberg, “Efficient privacypreserving face recognition,” in Information, Security and Cryptology–ICISC 2009. Springer, 2010, pp. 229–244.
 [16] Y. Luo, S.c. S. Cheung, T. Pignata, R. Lazzeretti, and M. Barni, “An efficient protocol for private iriscode matching by means of garbled circuits,” in International Conference on Image Processing  ICIP. IEEE, 2012, pp. 2653–2656.
 [17] J. Bringer, M. Favre, H. Chabanne, and A. Patey, “Faster secure computation for biometric identification using filtering,” in IAPR International Conference on Biometrics  ICB. IEEE, 2012, pp. 257–264.
 [18] M. Blanton and P. Gasti, “Secure and efficient protocols for iris and fingerprint identification,” in European Symposium on Research in Computer Security  ESORICS. Springer, 2011, pp. 190–209.

[19]
M. A. Turk and A. P. Pentland, “Face recognition using eigenfaces,” in
Conference on Computer Vision and Pattern Recognition  CVPR
. IEEE, 1991, pp. 586–591.  [20] J. Daugman, “How iris recognition works,” IEEE Transactions on circuits and systems for video technology, vol. 14, no. 1, pp. 21–30, 2004.
 [21] M. Kantarcioglu and O. Kardes, “Privacypreserving data mining in the malicious model,” International Journal of Information and Computer Security, vol. 2, no. 4, pp. 353–375, 2008.
 [22] A. Abidin, “On privacypreserving biometric authentication,” in International Conference on Information Security and Cryptology  Inscrypt, 2016, pp. 169–186.

[23]
M. A. Pathak and B. Raj, “Privacypreserving speaker verification and identification using gaussian mixture models,”
IEEE Transactions on Audio, Speech, and Language Processing, vol. 21, no. 2, pp. 397–406, 2013.  [24] D. Boneh, E.J. Goh, and K. Nissim, “Evaluating 2DNF formulas on ciphertexts,” in IACR Theory of Cryptography Conference  TCC, vol. 3378. Springer, 2005, pp. 325–341.
 [25] M. Kiraz and B. Schoenmakers, “A protocol issue for the malicious case of yao’s garbled circuit construction,” in Symposium on Information Theory in the Benelux, 2006, pp. 283–290.
 [26] Y. Lindell, B. Pinkas, and N. P. Smart, “Implementing twoparty computation efficiently with security against malicious adversaries,” in International Conference on Security and Cryptography for Networks. Springer, 2008, pp. 2–20.
 [27] B. Pinkas, T. Schneider, N. P. Smart, and S. C. Williams, “Secure twoparty computation is practical.” in Asiacrypt, vol. 9. Springer, 2009, pp. 250–267.
 [28] J. B. Nielsen, P. S. Nordholt, C. Orlandi, and S. S. Burra, “A new approach to practical activesecure twoparty computation.” in CRYPTO, vol. 7417. Springer, 2012, pp. 681–700.
 [29] Y. Lindell, “Fast cutandchoosebased protocols for malicious and covert adversaries,” Journal of Cryptology, vol. 29, no. 2, pp. 456–490, 2016.
 [30] P. Gasti, J. Šeděnka, Q. Yang, G. Zhou, and K. S. Balagani, “Secure, fast, and energyefficient outsourced authentication for smartphones,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 11, pp. 2556–2571, 2016.
 [31] A. A. Ross, K. Nandakumar, and A. Jain, Handbook of multibiometrics. Springer Science & Business Media, 2006, vol. 6.
 [32] M. GomezBarrero, E. Maiorana, J. Galbally, P. Campisi, and J. Fierrez, “Multibiometric template protection based on homomorphic encryption,” Pattern Recognition, vol. 67, pp. 149–163, 2017.
 [33] T. Veugen, R. de Haan, R. Cramer, and F. Muller, “A framework for secure computations with two noncolluding servers and multiple clients, applied to recommendations,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 445–457, 2015.
 [34] R. Connaughton, K. W. Bowyer, and P. J. Flynn, “Fusion of face and iris biometrics,” in Handbook of Iris Recognition. Springer, 2013, pp. 219–237.
 [35] C. A. of Sciences’ Institute of Automation, “Casiairisv1.” [Online]. Available: http://biometrics.idealtest.org/
 [36] C. A. of Sciences Institute of Automation, “Casiafacev5.” [Online]. Available: http://biometrics.idealtest.org/
 [37] P. K. Libor Masek, “Matlab source code for a biometric identification system based on iris patterns.” The School of Computer Science and Software Engineering, The University of Western Australia., 2003.
Comments
There are no comments yet.