Cryptanalysis of a privacy-preserving authentication scheme based on private set intersection

Sigurd Eskeland

doi:10.1515/jmc-2023-0032

Article Open Access

Cryptanalysis of a privacy-preserving authentication scheme based on private set intersection

Sigurd Eskeland

Published/Copyright: March 8, 2024

Published by

Become an author with De Gruyter Brill

Submit Manuscript Author Information Explore this Subject

From the journal Journal of Mathematical Cryptology Volume 18 Issue 1

Abstract

Continuous and context-aware authentication mechanisms have been proposed as complementary security mechanisms to password-based authentication for computer devices that are handled directly by humans, such as smart phones. Such authentication mechanisms incur some privacy issues as user-dependent features are revealed to the authentication server, which is assumed to be untrusted. Domingo-Ferrer et al. proposed a privacy-preserving protocol for context-aware user authentication on the basis of private set intersection and Paillier homomorphic encryption. This approach enables user authentication based on establishing the number of similarities between sampled user context data and reference context data, without revealing any plaintext data to either party. The authors claim that their scheme is secure against malicious adversaries. In this article, we show that Domingo-Ferrer et al.’s scheme is insecure by means of two undetectable attacks that reveal all user information despite the encryption. The Paillier encryption primitive has a homomorphic property that we observe not only lacks relevance but, indeed, incurs a vulnerability that is exploited in the proposed cryptanalysis. This means that special care needs to be taken considering homomorphic properties of cryptographic primitives used in cryptographic protocols. Our cryptanalysis may therefore have a general interest regarding the design of cryptographic protocols.

Keywords: cryptanalysis; cryptographic protocols; homomorphic encryption; private set intersection; continuous authentication

MSC 2010: 68P27; 94A60

1 Introduction

Continuous authentication, sometimes referred to as implicit authentication, has been proposed as a complementary security measure for computer devices that are handled directly by humans, such as smart phones, in addition to common authentication methods, such as passwords, iris recognition, etc. The supposed advantage is a passive and seamless authentication mechanism that does not require user attention and user action, such as re-typing of passwords or holding the phone in front of the face for iris recognition. While conventional authentication methods are session-oriented, meaning that the device remains unlocked during the time period of the session, the time-window of access for continuous authentication methods is smaller than for session-oriented approaches. Continuous authentication is realized by continuously monitoring and collecting certain user feature data and checking whether they are consistent with reference template data collected during user enrollment. One purported benefit of continuous authentication over session-oriented approaches is that if a smart phone for a moment becomes accessible to someone else while it is unlocked, the continuous authentication mechanism will not recognize the other person. This will cause the authentication to fail, and the phone will lock.

Categories of continuous authentication modalities include behavioral authentication and context-aware authentication. The premise of behavioral authentication is that there is a uniqueness to the way that a person moves and acts, such as walking style, typing style, or handling of devices, and recognizing such unique patterns is sufficient for identifying the person. Behavioral modalities (or modes) include gait, screen touch (known as touch dynamics), and typing (keystroke dynamics). Biometric authentication modalities such as face and iris recognition are often considered to be continuous authentication modalities as well. Since such modalities require some user attention and are not entirely passive and seamless, they cannot be considered true continuous authentication mechanisms. Regarding context-aware user authentication, user device-specific data and location data such as GPS data, Wi-Fi access points, and cellular data may constitute the basis for user authenticity.

Continual user- and device-specific monitoring and data collection can indeed, be considered invasive as they reveal certain user actions and whereabouts while the user is in contact with the device. Concerns and skepticism have been raised in this regard. To mitigate for such privacy challenges, several privacy-preserving continuous authentication schemes have been proposed using homomorphic encryption techniques [1–7]. Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. Using such encryption mechanism during enrollment, the user device encrypts the reference template data. The encryptions are transmitted to the authentication server that stores them. During the ongoing authentication, the device samples and encrypts feature data that is transmitted to the authentication server. The homomorphic encryption enables the authentication server to verify whether the encrypted authentication-time data are consistent with the encrypted reference template data, while disclosure of any other information is prevented.

Domingo-Ferrer et al. [1] proposed a privacy-preserving protocol for continuous (implicit) authentication based on private set intersection. Using private set intersection, a comparison is carried out showing the (dis)similarity between the encrypted reference template and the encrypted authentication-time features. No decryption takes place and no private keys are required, and thus, no plaintext data are revealed to any party. The authors claim that their scheme “remains robust in the malicious scenario,” in which a participant may deviate from the protocol.

In this article, we show that Domingo-Ferrer et al.’s scheme is insecure against a misbehaving authentication server and external adversaries. The scheme uses the Paillier encryption algorithm as a cryptographic primitive. It has a homomorphic property that we observe not only lacks relevance but, indeed, incurs a vulnerability that is exploited in the proposed cryptanalysis. This means that special care needs to be taken considering homomorphic properties of cryptographic primitives used in cryptographic protocols.

We present two attacks that, respectively, reveal reference template features and authentication-time features in plaintext. We believe that our cryptanalysis has a general interest due to the fact that the Paillier cryptosystem is commonly used as primitive in cryptographic protocols.

2 Related work

A few privacy-preserving schemes have been proposed for different types of modalities of behavior-based and context-based user authentication.

Domingo-Ferrer et al.’s privacy-preserving authentication scheme [1] is using user context feature similarities as a basis for authentication. These features are encrypted and compared by means of private set intersection comparison, using the Paillier cryptosystem [8] as a primitive. This enables us to determine (dis)similarities between encrypted reference data and input data. This scheme seems to be inspired by the private set intersection comparison scheme proposed by Freedman et al. [9]. Similar to the former, set elements are represented by polynomial roots (or coefficients), which are protected using homomorphic encryption, based on the Paillier encryption system. Their scheme is secure in the honest-but-curious adversarial model, while also an extension with regard to the malicious adversary model is proposed.

Govindarajan et al. [6] proposed a privacy-preserving protocol for touch dynamics-based authentication. Their scheme uses a private comparison protocol proposed by Erkin et al. [10] and the homomorphic DGK encryption algorithm proposed by Damgård et al. [11,12]. It could be noted that the privacy-preserving comparison is bitwise, and as such, it is inefficient.

Safa et al. [3] proposed a generic framework for privacy-preserving implicit authentication using context data, such as location data, device-specific data, wifi connection, and browsing history. It is based on homomorphic encryption (the authors suggest the Paillier encryption scheme) and order-preserving encryption to compute the similarity between encrypted input and encrypted reference templates (by means of average absolute deviation).

The privacy-preserving authentication scheme proposed by Shahandashti et al. [4] assumes context features and is based on order-preserving symmetric encryption (OPSE) and additive homomorphic encryption. The cryptographic primitives are generic, but the authors suggest the OPSE scheme proposed by Boldyreva et al. [5] and the Paillier public key scheme.

A potential limitation with context-aware modes [1,3,4] is the inability to determine whether the user is present or not. For example, if the device is stolen within a specified area, then it cannot be distinguished between a legitimate and illegitimate user.

Balagani et al. [13] proposed a periodic keystroke dynamics-based privacy-preserving authentication scheme. It is similar to the Govindarajan et al.’s protocol [6] but assumes the private comparison protocol proposed by Erkin et al. [10] and the homomorphic DGK encryption algorithm proposed by Damgård et al. [11]. This scheme has the same efficiency problems as Govindarajan et al.

Wei et al. [2] proposed a privacy-preserving authentication scheme for touch dynamics using homomorphic encryption properties. It is based on similarity scores between input and reference features using cosine similarity. The authentication server performs a comparison between the encrypted reference template (provided during enrollment) and encrypted input template sampled during authentication. The authentication server decrypts the similarity scores and compares them with a predefined threshold. The scheme was shown to be insecure in the study by Eskeland et al. [14].

3 Domingo-Ferrer et al.’s privacy-preserving authentication protocol

Domingo-Ferrer et al.’s privacy-preserving authentication protocol [1] conducts privacy-preserving set intersection comparison for finding the (dis)similarity between two encrypted data sets. The enrollment reference template is denoted X , and the authentication-time features is denoted Y . The privacy-preserving scheme in question establishes the similarity or the number of matching elements ∣ X ∩ Y ∣ , of which each set element is encrypted. Note that the study by Domingo-Ferrer et al. [1] and other literature in this area consider dissimilarity rather than similarity, which is the inverse 1 ∕ ∣ X ∩ Y ∣ . A potential user is considered legitimate and is thus authenticated if the dissimilarity stays below a certain threshold; otherwise, the authentication fails.

Enrollment phase. In this phase, the client device samples s secret enrollment values X = { a 1 , … , a s } that constitute the user reference template. These are encrypted and transferred to the carrier. To do so, the client does the following computations:

Generate a public key ( g , n ) in agreement with the Paillier cryptosystem, where g is of order n modulo n 2 . For simplicity, let g = n + 1 . The corresponding private key is not established.
Generate s + 4 random secret integers: ( R ′ , r 0 ′ , d , r i ∣ 0 ≤ i ≤ s ) in Z n .
Given X , compute s + 1 secret polynomial coefficients ( p 0 , p 1 , … , p s ) :
(1) p ( x ) = ∏ i = 1 s ( x − a i ) = ∑ i = 0 s p i x i .
Encrypt ( p 0 , p 1 , … , p s ) in agreement with the Paillier cryptosystem:
E ( p i ) = g p i r i n mod n 2 .
Given ( R ′ , r 0 ′ , X ) , compute the secret integers ( r 1 ′ , … , r s ′ ) , so that
(2) R ′ = ∏ j = 0 s r j ′ a 1 j mod n 2 ∏ j = 0 s r j ′ a 2 j mod n 2 ⋮ ∏ j = 0 s r j ′ a s j mod n 2 .
More on this below.
Compute R i d = ( r i ′ ∕ r i ) d mod n 2 for 0 ≤ i ≤ s .
The client sends the elements
( g , n , E ( p i ) , R i d ∣ 0 ≤ i ≤ s )
to the carrier. The client deletes all data except ( d , R ′ ) , which are kept secret.

The secret integers ( r 0 ′ , r 1 ′ , … , r s ′ ) , cf. equation (2), can be computed by means of the polynomial coefficients of p ( x ) , R ′ , and another random secret integer R . Equation (2) holds if

(3) r 0 ′ = R ′ R p 0 mod n 2 and r i ′ = R p i mod n 2 , 1 ≤ i ≤ s ,

where R is a positive integer. The correctness of equation (2) is shown by:

R ′ = ∏ j = 0 s r j ′ a i j = ( R ′ R p 0 ) ( R p 1 ) a i ( R p 2 ) a i 2 ⋯ ( R p s ) a i s = R ′ R p ( a i ) , 1 ≤ i ≤ s

since R p ( a i ) = R 0 = 1 .

Authentication phase. In this phase, the carrier computes the cardinality of the intersection of the enrollment samples and samples t authentication-time features Y = { b 1 , … , b t } .

The carrier selects a random secret integer θ , computes s + 1 exponentiations E i ′ = E ( p i ) θ mod n 2 , and sends ( g , n , E i ′ , R i d ∣ 0 ≤ i ≤ s ) to the device of the client to be authenticated.
The client generates t random secret integers t i ∈ Z n (these are denoted r ( i ) in [1]), and using the secret integers ( d , R ′ ) , it encrypts the sampled b i :
B i = ∏ j = 0 s E j ′ b i j ⋅ d ⋅ t i mod n 2 , ϒ i = ∏ j = 0 s ( R j d ) b i j ⋅ t i mod n 2 , D i = R ′ d ⋅ t i mod n 2 , 1 ≤ i ≤ t .
The triplets { B i , ϒ i , D i ∣ 1 ≤ i ≤ t } are sent to the carrier in a random order.
The carrier checks each triplet whether
(4) B i ϒ i n ⋅ θ ≡ ? D i n ⋅ θ ( mod n 2 ) , 1 ≤ i ≤ t ,

The correctness of equation (4) is shown as follows. Expanding the left-hand side (L.H.S) gives

B i ϒ i n ⋅ θ = ∏ j = 0 s E j ′ b i j ⋅ d ⋅ t i ∏ j = 0 s ( R j d ) b i j ⋅ t i n ⋅ θ = ∏ j = 0 s ( g p j r j n ) b i j ⋅ θ ⋅ d ⋅ t i r j ′ d r j d b i j ⋅ t i ⋅ n ⋅ θ = ∏ j = 0 s g p j ⋅ b i j ⋅ θ ⋅ d ⋅ t i r j ′ b i j ⋅ d ⋅ t i ⋅ n ⋅ θ = R ′ b i 0 ⋅ d ⋅ t i ⋅ n ⋅ θ ∏ j = 0 s g p j ⋅ b i j ⋅ θ ⋅ d ⋅ t i R n ⋅ p j ⋅ b i j ⋅ d ⋅ t i ⋅ θ = R ′ d ⋅ t i ⋅ n ⋅ θ ∏ j = 0 s ( g R n ) p j ⋅ b i j ⋅ d ⋅ t i ⋅ θ = R ′ d ⋅ t i ⋅ n ⋅ θ ( g R n ) p ( b i ) ⋅ d ⋅ t i ⋅ θ , 1 ≤ i ≤ t ,

since p ( x ) = ∑ j = 0 s p j x j and r 0 ′ = R ′ R p 0 . The right-hand side (R.H.S.) of equation (4) is D i n ⋅ θ = R ′ d ⋅ t i ⋅ n ⋅ θ . Thus, if p ( b i ) = 0 then B i ϒ i n ⋅ θ = R ′ d ⋅ t i ⋅ n ⋅ θ and equation (4) holds.

4 Cryptanalysis

In this section, we present two attacks that reveal all user information that is subject to the enrollment and authentication phases. A significant feature is that the proposed attacks are undetectable.

The adversary is the mainly the authentication server, but could, in principle, be an external party since no private keys are involved. In addition to breeching privacy, the latter could cause additional security breeches. The external adversary could simply use the disclosed enrollment reference template for any subsequent authentication session, enabling him or her to successfully masquerade as the victim.

4.1 Attack #1: Disclosing X

The following attack is used during the authentication phase by the carrier or an external adversary. It reveals the authentication-time features b i for p ( b i ) = 0 . Consequently, the same enrollment features ( a j ∈ X ) = b i are revealed, since p ( a j ) = p ( b i ) = 0 , which, furthermore, expose the polynomial coefficients ( p 0 , p 1 , … , p s ) , cf. equation (1). The adversary is the mainly the authentication server, but could in principle be an external party since no private keys are involved.

Revealing δ i = d t i . The attack follows the prescribed protocol, except in Step 1 of the authentication phase in which the carrier sends a slightly modified encryption g E 0 ′ instead of E 0 ′ . The remaining encryptions ( E 1 ′ , … , E s ′ ) are in agreement with the protocol. Since all encryptions are probabilistic due to the random exponent θ , the attack is undetectable.

In Step 2, the client returns ( B i , ϒ i , D i ) , 1 ≤ i ≤ t , where B i now expands as:

B i = g d ⋅ t i ∏ j = 0 s E j ′ b i j ⋅ d ⋅ t i mod n 2 .

If p ( b i ) = 0 , then

z i = B i ϒ i n ⋅ θ D i n ⋅ θ = g d ⋅ t i R ′ d ⋅ t i ⋅ n ⋅ θ R ′ d ⋅ t i ⋅ n ⋅ θ = g d ⋅ t i = 1 + d t i n ( mod n 2 ) , 1 ≤ i ≤ t ,

since g = n + 1 . This allows us to recover the secret products

(5) δ i = z i − 1 n = ( 1 + d t i n ) − 1 n = d t i , 1 ≤ i ≤ t .

Note that the verification of equation (4) will not hold for p ( b i ) = 0 due to the modification of E 0 ′ .

A note on congruencies in Z n 2 . Recall that t i is selected in the domain Z n 2 in Step 2 of the authentication phase, while the recovered value δ i = d t i is in the smaller domain Z n . The group orders of the multiplicative domains Z n * and Z n 2 * are, respectively, ϕ ( n ) and n ϕ ( n ) , where ϕ ( n ) is the Euler totient function. Given that δ i is in Z n and not Z n 2 , the modular congruencies, indeed, hold modulo n , since the corresponding reduction in group order compared to Z n 2 is thus n times.^[1]

Revealing a i ∈ X . The carrier conducts a simple exhaustive search w.r.t. b i given ( B i , δ i , E 0 ′ , … , E s ′ ) , where b ˆ is a search variable. If

B i ≡ ? ∏ j = 0 s E j ′ b ˆ j ⋅ δ i ( mod n )

holds, then b ˆ = ( b i ∈ Y ) = ( a j ∈ X ) . Given X , the secret ( p 0 , p 1 , … , p s ) are found in agreement with equation (1). The search is feasible due to the limited domain of the sampled values.

4.2 Attack #2: Disclosing Y

While the previous attack only reveals the enrollment reference template X and the pertaining polynomial coefficients ( p 0 , p 1 , … , p s ) , the following attack discloses any element in Y . A prerequisite is a single tuple ( D k * , δ k * ) , where D k * is a genuine element D k = R ′ d ⋅ t k * , 1 ≤ k ≤ s , of a previous session^[2] by which δ k * = d t k * , cf. equation (5), is obtained by means of Attack #1.

The present attack goes like follows. The carrier generates s + 1 large random integers θ j , 0 ≤ j ≤ s , not a single θ . Instead of computing E i ′ = E ( p i ) θ in Step 1 of the authentication phase, the carrier computes and sends

E i ′ = D k * θ i mod n 2 , 0 ≤ i ≤ s ,

to the client together with the genuine elements ( g , n , R i d ∣ 0 ≤ i ≤ s ) , who then responds by sending { B i , ϒ i , D i ∣ 1 ≤ i ≤ t } to the carrier. Thanks to that the exponents θ j , 0 ≤ j ≤ s , are distinct and random, the pertaining elements E j ′ are indistinguishable from genuine encryptions. The attack is therefore not detectable.

Given ( B i , D i , δ k * ) , the carrier conducts a simple exhaustive search, where b ˆ is a search variable. If

(6) B i ≡ ? D i δ k * ⋅ ∑ j = 0 s θ j ⋅ b ˆ j ( mod n ) , 1 ≤ i ≤ t ,

holds, then b ˆ = ( b i ∈ Y ) . The search is feasible since the sampled values are within a small domain.

The correctness of equation (6) is shown as follows. The L.H.S expands as:

B i = ∏ j = 0 s E j ′ b i j ⋅ d ⋅ t i = ∏ j = 0 s ( D k * θ j ) b i j ⋅ d ⋅ t i = R ′ d 2 ⋅ t k * ⋅ t i ⋅ ∑ j = 0 s θ j ⋅ b i j ( mod n ) ,

while the R.H.S of equation (6) expands to:

D i δ k * ⋅ ∑ j = 0 s θ j ⋅ b ˆ j = ( R ′ d ⋅ t i ) δ k * ⋅ ∑ j = 0 s θ j ⋅ b ˆ j ( mod n ) = R ′ d ⋅ t i ⋅ ( d ⋅ t k * ) ⋅ ∑ j = 0 s θ j ⋅ b ˆ j = R ′ d 2 ⋅ t k * ⋅ t i ⋅ ∑ j = 0 s θ j ⋅ b ˆ j ( mod n ) .

Thus, equation (6) is consistent for b ˆ = ( b i ∈ Y ) .

As pointed out in Section 4.1, computations modulo n ensure that equation (6) is congruent regarding that t i is selected in the domain Z n 2 , while the recovered value δ k * = d t k * is in the smaller domain Z n .

5 Comments on Domingo-Ferrer et al.’s protocol

The enrollment security of Domingo-Ferrer et al.’s scheme is based on the secrecy of the elements ( d , R , R ′ , r 0 ′ , … , r s ′ , r 0 , … r s ) , of which r 0 ′ is determined by the secret integers ( R , R ′ , p 0 ) , and ( r 1 ′ , … , r s ′ ) are determined by R and the polynomial coefficients ( p 0 , p 1 , … , p s ) . The latter are eventually defined by the reference template features X . In summary, these features are included in:

The Paillier encryptions E ( p i ) = g p i r i n .
The nominators of the powers R i d = ( r i ′ ∕ r i ) d , where r 0 ′ = R ′ R p 0 , r j ′ = R p j , 1 ≤ j ≤ s , in agreement with equation (2).

The secret integers r i , 0 ≤ i ≤ s , occur in both ( E ( p i ) , R i d ) , and are cancelled out during the verification, cf. equation (4). The secrecy of d prevents attacks aiming to eliminate factors in ( E ( p i ) , R i d ) containing r i , for example, by means of the extended euclidean algorithm.

A security feature is that all encryptions in the authentication phase are cryptographically tied to a specific session, whose security function would be to prevent replay attacks. In Step 1, the encrypted enrollment features E ( p i ) are encrypted by means of a common secret exponent θ , establishing a cryptographic tie to that session. Application of the same θ is therefore necessary during verification, cf. equation (4). In Step 2, the client computes the t triplets ( B i , ϒ i , D i ) , 1 ≤ i ≤ t , using the secret exponents t i , 1 ≤ i ≤ t . This does not only cryptographically link these elements that session, but also establishes a unique link for each triplet. If the protocol is correctly designed, this would prevent an attacker from replaying or reusing cryptographic elements from previous sessions, and to combine such triplets, to mount a successful attack.

Considering a Paillier encryption E ( m ) = g m r n mod n 2 , the plaintext factor g m is protected by the secret encryption factor r n , of which its additive homomorphic property is realized due to that g has group order n . However, the scheme in question neither decrypts anything nor uses the homomorphic property of the Paillier cryptosystem. A key observation is thus that utilizing Paillier encryption not only lacks relevance, but more importantly incurs an insecure protocol design as already shown.

6 Suggested fix

An immediate fix would simply to avoid the Paillier encryption and conduct all computations modulo n . The effect is that the Paillier generator g is discarded and that c i = E ( p i ) becomes c i = r i n mod n . This prevents Attack #1 (disclosure of X and δ i ), which in turn prevents Attack #2. Furthermore, protecting X from disclosure to external adversaries, prevents those adversaries from successfully posing as the victim during subsequent authentication sessions.

The polynomial coefficients ( p 0 , p 1 , … , p s ) are then (via r i ′ , cf. equations 2 and 3) only used for establishing R i d = ( r i ′ ∕ r i ) d mod n , which, indeed, allows us correct polynomial evaluation in the verification step, cf. equation (4):

B i ϒ i n ⋅ θ ≡ ? D i n ⋅ θ ( mod n ) , 1 ≤ i ≤ t ,

of which the L.H.S. expands to B i ϒ i n ⋅ θ = R ′ d ⋅ t i ⋅ n ⋅ θ R n ⋅ p ( b i ) ⋅ d ⋅ t i ⋅ θ ( mod n ) and the R.H.S. expands to D i n ⋅ θ = R ′ d ⋅ t i ⋅ n ⋅ θ ( mod n ) , 1 ≤ i ≤ t .

7 Conclusion

Continuous and context-aware authentication have been proposed as an alternative to password-based authentication. However, such authentication mechanisms have privacy issues as certain user features and context-relevant information are submitted to the authentication server. In this study, we have considered a clever privacy-preserving protocol for context-aware authentication proposed by Domingo-Ferrer et al. that enables authentication, without revealing any user context information to the authentication server. The authors claim that their scheme is secure with regard to malicious participants.

In this study, we have presented two attacks: the first enables the authentication server to obtain the enrollment reference plaintext data despite the encryption, and the authentication-time plaintext data by means of the second attack. Due to the probabilistic nature of these attacks, they are not detectable.

The attacks exploit the fact that computations in Domingo-Ferrer et al.’s scheme are conducted in Z n 2 in compliance with the Paillier encryption scheme. However, a key observation in this article is that the additive homomorphism that the Paillier encryption scheme provide is not really used by the protocol in question. Instead, by rather conducting the computations in Z n , the scheme would no longer be vulnerable to the proposed attacks. This means that special care must be taken when using cryptographic primitives having homomorphic properties in cryptographic protocols, since these may also incur cryptographic vulnerabilities.

Acknowledgement

This work has been accepted for presentation at CIFRIS23, the Congress of the Italian association of cryptography “De Componendis Cifris.”

Funding information: Parts of this research have been supported by basic institute funding at Norsk Regnesentral, RCN Grant Number 342640, and the NORCICS project, RCN Grant Number 310105.
Conflict of interest: The authors state no conflict of interest.

References

[1] Domingo-Ferrer J, Wu Q, Blanco-Justicia A. Flexible and robust privacy-preserving implicit authentication. In: IFIP International Information Security and Privacy Conference. vol 455 of IFIP Advances in Information and Communication Technology. Springer International Publishing; 2015. p. 18–34. 10.1007/978-3-319-18467-8_2Search in Google Scholar

[2] Wei F, Vijayakumar P, Kumar N, Zhang R, Cheng Q. Privacy-preserving implicit authentication protocol using cosine similarity for internet of things. IEEE Internet Things J. 2020;8(7):5599–606. 10.1109/JIOT.2020.3031486Search in Google Scholar

[3] Safa NA, Safavi-Naini R, Shahandashti SF. Privacy-preserving implicit authentication. In: IFIP International Information Security Conference. Springer; 2014. p. 471–84. 10.1007/978-3-642-55415-5_40Search in Google Scholar

[4] Shahandashti SF, Safavi-Naini R, Safa NA. Reconciling user privacy and implicit authentication for mobile devices. Comput Security. 2015;53:215–33. 10.1016/j.cose.2015.05.009Search in Google Scholar

[5] Boldyreva A, Chenette N, Lee Y, O’Neill A. Order-preserving symmetric encryption. In: Proceedings of the 28th Annual International Conference on Advances in Cryptology - EUROCRYPT 2009 - Volume 5479. Berlin, Heidelberg: Springer-Verlag; 2009. p. 224–41. 10.1007/978-3-642-01001-9_13Search in Google Scholar

[6] Govindarajan S, Gasti P, Balagani KS. Secure privacy-preserving protocols for outsourcing continuous authentication of smartphone users with touch data. In: 2013 IEEE Sixth International Conference on Biometrics: Theory, Applications and Systems (BTAS). IEEE; 2013. p. 1–8. 10.1109/BTAS.2013.6712742Search in Google Scholar

[7] Baig AF, Eskeland S. Security, privacy, and usability in continuous authentication: a survey. Sensors. 2021;21(17):5967. 10.3390/s21175967Search in Google Scholar PubMed PubMed Central

[8] Paillier P. Public-key cryptosystems based on composite degree residuosity classes. In: International Conference on the Theory and Aapplications of Cryptographic Techniques. Springer; 1999. p. 223–38. 10.1007/3-540-48910-X_16Search in Google Scholar

[9] Freedman MJ, Nissim K, Pinkas B. Efficient private matching and set intersection. In: Cachin C, Camenisch JL, editors. Advances in Cryptology - EUROCRYPT 2004. Berlin, Heidelberg: Springer; 2004. p. 1–19. 10.1007/978-3-540-24676-3_1Search in Google Scholar

[10] Erkin Z, Franz M, Guajardo J, Katzenbeisser S, Lagendijk I, Toft T. Privacy-preserving face recognition. In: International Symposium on Privacy Enhancing Technologies Symposium. Springer; 2009. p. 235–53. 10.1007/978-3-642-03168-7_14Search in Google Scholar

[11] Damgåard I, Geisler M, Krøigaard M. Homomorphic encryption and secure comparison. Int J Appl Cryptography. 2008 Feb;1(1):22–31. 10.1504/IJACT.2008.017048Search in Google Scholar

[12] Damgård I, Geisler M, Krígaard M. A correction to “Efficient and Secure Comparison for On-Line Auctions”. IACR Cryptol ePrint Archive. 2008 Jan;2008:321. Search in Google Scholar

[13] Balagani KS, Gasti P, Elliott A, Richardson A, O’Neal M. The impact of application context on privacy and performance of keystroke authentication systems. J Comput Security. 2018;26(4):543–56. 10.3233/JCS-171017Search in Google Scholar

[14] Eskeland S, Baig A. Cryptanalysis of a privacy-preserving behavior-oriented authentication scheme. In: Proceedings of the 19th International Conference on Security and Cryptography - SECRYPT 2022. INSTICC. SciTePress; 2022. p. 299–304. 10.5220/0011140300003283Search in Google Scholar

Received: 2023-09-06

Revised: 2023-10-30

Accepted: 2023-10-31

Published Online: 2024-03-08

This work is licensed under the Creative Commons Attribution 4.0 International License.

Articles in the same Issue

https://doi.org/10.1515/jmc-2023-0032

Keywords for this article

cryptanalysis; cryptographic protocols; homomorphic encryption; private set intersection; continuous authentication

Creative Commons

BY 4.0