A Statistical Inference Attack on Privacy-Preserving Biometric Identification Scheme

Biometric identification allows people to be identified by their unique physical characteristics. Among such schemes, fingerprinting is well-known for biometric identification. Many studies related to fingerprint-based biometric identification have been proposed; however, they are based purely on heavy cryptographic primitives such as additively homomorphic encryption and oblivious transfer. Therefore, it is difficult to apply them to large databases because of the expense. To resolve this problem, some schemes have been proposed that are based on simple matrix operations rather than heavy cryptographic primitives. Recently, Liu et al. proposed an improved matrix-based scheme using the properties of orthogonal matrices. Despite being more efficient when compared to previous systems, it still fails to provide sufficient security against various types of attackers. In this paper, we demonstrate that their scheme is vulnerable to an attacker who operates with a cloud server by introducing statistical-inference attack algorithms. Moreover, we propose concrete identity confirmation parameters that an adversary must always pass, and present experimental results to demonstrate that our algorithms are both feasible and practical.