SviaB: Secure and verifiable multi-instance iris remote authentication using blockchain

Homomorphic encryption (HE) is the most widely explored research area in the construction of privacy-preserving biometric authentication systems because of its advantages over cancellable biometrics and biometric cryptosystems. However, most of the existing privacy-preserving biometric authentication systems using HE assume that the server performs computations honestly. In a malicious server setting, the server may return an arbitrary result to save computational resources, resulting in a false accept/reject. To address this, secure and verifiable multi-instance iris authentication using blockchain (SviaB) is proposed. Paillier HE provides confidentiality for the iris templates in SviaB. The blockchain offers the integrity of the encrypted reference iris templates as well as the trust of the comparator result. The challenges of using blockchain in biometrics are also addressed in SviaB. Extensive experimental results on benchmark iris databases demonstrate that SviaB provides privacy to the iris templates with no loss of accuracy and trust in the comparator result.


| INTRODUCTION
Unlike password or token authentication systems, a biometric authentication system (BAS) has more flexibility because users do not need to carry or remember anything. Fingerprint, iris, face, etc. are the commonly used biometric modalities [1,2]. Properties such as stability and uniqueness make the iris the most widely used of the various biometric applications in comparison with other biometric modalities [3,4]. On the other hand, such benefits are accompanied by challenges. The vast increase in the use of BAS in various applications has raised security and privacy concerns [5]. Because biometric data is unique to each person, it is irrevocable if it becomes compromised. Leakage or disclosure of biometric data to unauthorized persons/servers can cause the consequence of 'Lose it once; it's gone forever'. Several attacks such as hill climbing attack [6], replay attack, masquerade attack [7], and the stolen-token attack [8] occur if templates are stored in an unprotected manner that makes the system vulnerable. In 2018, hackers stole 1 billion Indian users' biometrics from Aadhaar [9]. As a result, a biometric system capable of protecting sensitive biometric information needs to be designed. In general, the templates generated by biometric template protection schemes (BTPS) must satisfy properties such as diversity, irreversibility, and revocability. At the same time, the system's template protection method must retain properties such as performance, storage requirements, and speed that are present on systems without a template protection method. BTPS can be broadly classified as cancellable biometrics, homomorphic encryption (HE), and biometric cryptosystem.
Cancellable biometrics suffer from performance degradation relative to the unprotected system [10]. Biometric cryptosystems use the auxiliary data (AD), and compromise of the AD leads to leakage of biometric information [11], which results in the entire system becoming vulnerable. HE was introduced as a BTPS to solve the limitations of cancellable biometrics and biometric cryptosystems [12]. HE offers operations such as multiplication and addition on the encrypted data itself; as a result, templates are secure not only during transit but also during computation. HE is categorized as partial HE (PHE), somewhat HE (SHE), and fully HE (FHE). FHE can perform unlimited multiplications and additions on the encrypted data. SHE can perform a limited number of multiplications and additions on the encrypted data. PHE can perform either multiplication or addition, but not both, on the encrypted data. In the literature, several works are proposed to provide the privacy of biometric templates using HE [13][14][15][16][17][18][19][20].
Most state-of-the-art works have assumed that the server performs computations honestly. However, to save computational or storage resources, a server may return an arbitrary result. Confidentiality of the iris templates in state-of-the-art works is achieved because the computations are carried out on the encrypted data, but they fail to provide trust to the user/client device that the computed result is correct. This scenario leads to false accept/reject. We utilize the concepts of smart contract and blockchain (BC) to address these issues. BC with smart contracts has been developed to allow decentralized consensus between two non-trusting agents. Mahesh et al. [21] integrated BC with ElGamal HE and proposed BC-based multi-instance iris authentication using additive ElGamal homomorphic encryption (BMIAE) to solve the override comparator attack. The cost and time to authenticate a person are greater in BMIAE. This work solves the limitation of BMIAE [21].

| Contribution
• We introduce a system, secure and verifiable multi-instance iris authentication (MIIA) using BC (SviaB). SviaB combines BC technology and Paillier HE [22]. Paillier HE provides confidentiality for iris templates. BC provides integrity for the encrypted reference iris templates as well as trust in the comparator result.
• SviaB addresses the challenges of using BC for biometrics, such as expensive storage cost and privacy [23].
• SviaB solves attacks such as modify templates, intercept channel, and override comparator in BAS, as shown in Figure 1.
• SviaB is evaluated on publicly available benchmark iris databases; to check its effectiveness, performance measures such as Equal Error Rate (EER) and separability measures such as the Kolmogorov-Smirnov (KS) test and d-prime are considered.

| Organization
The remainder of the article is organized as follows. Section 2 explains the necessary preliminaries. In Section 3, the related work is discussed. Section 4 describes the proposed method. The implementation details and experimental and security analyses are illustrated in Section 5. The paper is concluded in Section 6.

| Autoencoder
An autoencoder is an unsupervised neural network method that optimizes a rebuilding of the input data in the output layer through a hidden layer of chosen dimensions. Similar to state-of-the-art dimensionality reduction techniques such as linear discriminant analysis (LDA), principal component analysis (PCA), isometric mapping (ISOMAP) etc., an autoencoder can be used to reduce a high-dimensional feature vector [24]. Input, hidden, and output are the layers present in the autoencoder. The dimensions of the output and input layers are the same, whereas the hidden layer contains fewer dimensions. The autoencoder consists of two phases, (1) encoder and (2) decoder. An encoder converts the input data into a hidden code, and the decoder reconstructs the original input data from the hidden code. The input and output for an autoencoder are mensions. Firstly, the encoder maps the input into a hidden (or latent) code, $h \in [0, 1]^{d'}$, $d' < d$, using the transformation given in Equation (1): where S is a sigmoid function, W is a weight matrix, and b is the bias. The hidden code h is then converted back into O with the same dimension as I by using the decoder. The conversion occurs through the transformation given in Equation (2): where S is a sigmoid function, $W'$ is a weight matrix of the reverse mapping, and b is the bias. The average reconstruction error is maximized by optimizing the parameters $(W, b, b')$. The reconstruction error can be measured by either squared error, $L(I, O) = \|I - O\|^2$, or binary cross-entropy, To use the autoencoder as a dimensionality reduction technique, use the data obtained in the hidden layer and discard the decoder phase.
A brief introduction to BC and the need to use smart contract and BC in biometric authentication can be found in [21].

| Notations
The notations used in SviaB are described in Table 1.

| Homomorphic encryption applied to biometric authentication
Upmanyu et al. [13] proposed a secure protocol for biometric verification named 'Blind Authentication' by using Rivest-Shamir-Adleman and Paillier [22]. The 'blind authentication' protocol considers the enrolment server a trusted entity; as a result, it provides only privacy-preserving classification and fails to provide privacy-preserving enrolment. Osadchy et al. [25] introduced a secure face identification ('Scifi') system using the Paillier cryptosystem [22]. The 'Scifi' system yields results superior to those of existing works, even in illumination-invariant conditions. Rahulamathavan et al. [26] suggested a method to recognize the expression of a face by using the properties of Paillier and computed the required operations on encrypted data. Pastoriza et al. [14] proposed a secure face verification system in a non-interactive manner that can be applied to lightweight devices. The authors proposed an HE scheme to perform the operations on encrypted data. Sedenka et al. [27] designed a secure biometric authentication in an outsourced environment. Haghighat et al. [28] suggested a biometric verification in a cloud environment. The method uses searching-based instead of distance-based matching.
Xiang et al. [29] introduced secure face recognition with computation in a cloud server using public key encryption and a fully HE algorithm. The client is able to verify the correctness of the result computed by the cloud server. Hahn et al. [30] introduced an efficient and secure identification system using symmetric HE. The system performs better than those of existing works. Gomez et al. [18] proposed a template protection approach for multibiometric recognition using Paillier. The final comparison is performed on the plaintext by the server; as a result, a breach is introduced into the security of the system. Santosh et al. [31] used the Paillier and elliptic curve encryption techniques to provide security of biometric templates stored in a cloud server. Zhu et al. [32] designed a method named efficient fingerprint authentication ('e-Finga') for secure online fingerprint authentication. 'e-Finga' uses lightweight multiparty polynomial aggregation and multiparty random masking techniques to provide security. A lightweight encryption scheme named 'threshold predicate encryption' (TPE) is proposed by Zhou et al. [19]. A privacy-preserving user-centric BAS (PassBio) is proposed using TPE. Barni et al. [33] designed a secure multimodal biometric authentication that combines iris and face templates. Guo et al. [34] used randomness techniques instead of HE to provide the privacy of the face templates, resulting in good performance.

| Blockchain for biometrics
The limitations and advantages of using biometrics in BC and vice versa are presented in Delgado-Mohatar et al. [23]. The authors extended their work in [35] to store the biometric templates in the BC using Merkle trees, direct hashing, and on-chain. The execution time and storage cost are less for Merkle tree-based storage when compared with direct hashing and on-chain. The limitations of BC for biometrics are not addressed. Delgado-Mohatar et al. [36] also analyzed cost and performance factors to store the protected and unprotected biometric templates and on-chain, off-chain biometric matching. Mohsin et al. [37] used BC to achieve availability and integrity in a finger vein verification system. Mahesh et al. [21] used the concepts of BC to provide trust in the computed result. The drawback of their method is the increased time and cost required to authenticate a person.
The literature reveals that privacy-preserving biometric systems based on HE assume that the server/cloud server performs computations honestly. However, because of financial or timing reasons, the server/cloud server assigned to a task may not honestly perform the computation. It may return an arbitrary result that leads to false accept or false reject. Therefore, SviaB is proposed, which provides not only confidentiality for the iris templates but also trust in the comparator result.

| SECURE AND VERIFIABLE MULTI-INSTANCE IRIS AUTHENTICATION USING BLOCKCHAIN
SviaB is the first MIIA system that combines BC technology and Paillier HE [22] to provide not only privacy to the iris templates but also trust in the computed result. The confidentiality of iris templates is assured in SviaB by using Paillier HE. The BC provides the trust in the computational result by computing the distance in a smart contract. Figure 2 shows the block diagram of SviaB. The client device (CD), trusted authenticator (TA), cloud server (CS) and blockchain (BC) are the entities involved in SviaB. SviaB consists of two phases, namely enrolment and
Fused reference iris templates with d dimension.
Fused compressed reference iris templates with m dimension.

| Assumptions
SviaB assumes the following:
• The CD is a trusted entity and lacks computational and storage resources.
• The CS does not perform computations honestly.
• The TA is a trusted entity that produces public and secret keys differently for each user. The TA stores the secret keys of users securely and broadcasts the public keys to the CD.
• The CS and CD need not store the entire ledger of the BC network, and the contract address of the smart contract is shared with the CS and CD before the enrolment phase.
• The underlying consensus algorithm of the BC is secure and robust against security attacks on the BC.
In BC, the storage cost is expensive when compared with computation [23]. To overcome this limitation, SviaB stores only the hash value of the encrypted reference templates in the BC and stores the encrypted reference templates in the CS itself.

| Fusion and reducing the dimensions of iris template
Fusion and reducing the dimensions of iris template are the two phases involved in this section. In the fusion phase, the iris templates from the right and left irises are fused. In the reduction phase, the size of the fused iris template is reduced using a non-linear dimensionality reduction technique, the autoencoder.

| Fusion of iris templates
The CD performs the fusion of iris templates in this phase. The extracted iris codes E_L, E_R are of size 1 × 10,240. The fused iris template is created by concatenating E_L and E_R, as shown in Equation (3):

| Reducing dimensions of iris template
The performance of the system depends on the size of the iris template. The fusion phase produces an iris template of size 1 × 20,480. The computational performance can be improved by reducing the size of the iris template. SviaB uses the autoencoder as a technique to reduce the dimensions of the iris code. Autoencoder is a neural network-based reduction technique and performs better than other existing linear dimensionality reduction techniques such as PCA and non-linear dimensionality reduction techniques such as LDA and ISOMAP [39]. Firstly, the TA trains the autoencoder using both encoder and decoder phases; after training, the data obtained after the encoder phase (that is, in the hidden layer) is taken as the reduced feature vector and the decoder phase is discarded. As the iris code, that is, the input data to the autoencoder, contains 1s and 0s, SviaB uses the cross-entropy as an error function. The 20,480-bit binary vector is given as an input to the autoencoder and compressed into 64, 128, 256, and 512 bits. We considered 64, 128, 256, and 512 nodes in the hidden layer and computed the EER. Table 2 represents the EER values for various sizes of iris template. From Table 2, we can infer that the performance of the latent codes for different sizes of iris template is directly proportional to the number of epochs. An epoch indicates the number of passes of the entire training dataset the autoencoder has completed. We considered the batch size as 16 for all the experiments. The same EER as on the uncompressed iris template is obtained for the compressed iris template of size 128-bit with 520 epochs, 256-bit with 830 epochs and 512-bit with 940 epochs, respectively. It is also observed that the time required for the process is proportional to the number of epochs. The latent code of 128-bit size gives the same EER as the uncompressed iris template and takes very little time compared with the other latent codes.
Thus, SviaB reduces the dimensions to 128 bits using the autoencoder and uses the 128-bit iris template for further operations.

| Assuring confidentiality of iris templates using Paillier HE
The confidentiality of the iris templates is assured in SviaB by using Paillier HE [22]. The security of Paillier HE depends on the decisional composite residuosity assumption (DCRA). To compute the distance, HE must satisfy the additive property. Paillier HE [22] is an additive homomorphic cryptosystem. Key generation, decryption, evaluation, and encryption (EEnc) are the four functions involved in the Paillier HE scheme.
The steps needed to perform key generation, encryption, evaluation, and decryption are shown in Figure 3. The random number present in the encryption function provides the randomness to the encryption result of Paillier. Therefore, Paillier prevents chosen plaintext attacks. The template obtained in Section 4.2.2 is encrypted using the encryption function of the Paillier HE scheme [22]. Properties of Paillier HE:

decryption of multiplication of the two encrypted values and is given in the Equation (4):
Property 2: Given an encrypted value ε(m) = EEnc(P_k, m) for a message m and a constant k, decryption of the encrypted value raised to a constant results in the multiplication of the original message and the constant, and is given in Equation (5):

| Distance computation on encrypted data and ensuring the trust in the computed result
This section describes the computation of Manhattan distance on the encrypted data and a smart contract code to ensure the trust in the computed distance.

| Encrypted distance computation
SviaB considers Manhattan distance to compare the reference and probe iris templates. The reasons for selecting Manhattan distance over other distance measures such as Euclidean distance, Hamming distance, etc. are as follows. (1) The HE used in SviaB to ensure the confidentiality of iris templates is Paillier HE, which satisfies only the additive property. If we consider the Euclidean distance as a distance measure, it involves the computation of the square root on the encrypted data, which Paillier HE fails to achieve. (2) Manhattan distance is usually preferred over Euclidean distance when there is high dimensionality in the data [40]. The distance $S_{man} = d_{man}(x, y)$ can be precisely calculated on the unencrypted values by using Equation (6): The distance can be calculated on the encrypted values by using Equations (4) and (5):

| Ensuring the trust in computed distance and integrity of encrypted reference templates using smart contract
The smart contract running on a BC network helps SviaB address the override comparator attack of BAS (refer to Figure 1). Therefore, the user or CD can ensure the computed distance is correct without including any third party or centralized server. The integrity of the encrypted reference iris templates is also ensured in SviaB by comparing the hash values in BC. The formal smart contract to ensure the trust in the computed distance and integrity of the encrypted reference iris template is given in Figure 4. The CD sends (ε(X_i), UID) to the CS and the smart contract during the enrolment phase and invokes the Enrolment function of the smart contract. The CS stores (ε(X_i), UID). The smart contract computes the hash value of ε(X_i), Hr = H(ε(X_i)), and stores Hr in refer[UID]. The limitations of using BC in biometrics such as expensive storage cost and privacy are described in [23]. To solve the expensive storage cost limitation, SviaB stores only the hash value of the encrypted reference iris template instead of ε(X_i). To overcome the privacy limitation, SviaB encrypts the fused templates using Paillier HE before sending the template to BC.

Figure 4: Contract ensuring the integrity of reference templates and trust in distance computation
MORAMPUDI ET AL.
The CD sends (ε(Y), UID) to the smart contract and invokes the Verification function during the authentication phase. The smart contract asks the server for ε(X_i) with the same identity label UID. If the server sends ε(X_i) within a stipulated time δ_c, then the Computation function of the smart contract is invoked; otherwise, the Timer function of the smart contract is executed and sends a 'Session Expired' message to the TA. When the Computation function is invoked, the smart contract computes the hash value Hp = H(ε(X_i)). The smart contract computes the distance between ε(X_i) and ε(Y) if the values of Hr and Hp are the same; otherwise, it indicates that ε(X_i) has been modified by the intruder. Therefore, a smart contract helps to check the integrity of the encrypted reference template. The differences in the methodology of BMIAE [21] and SviaB are listed in Table 3.
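The two Paillier properties listed earlier and the Enrolment/Verification/Computation/Timer flow described above, as an added Python example that is not the paper's Solidity contract. Assumptions: SHA-256 stands in for H, the key comes from small constructed primes, and the `Contract` class, the 'Reference Modified' status and the 8-bit sample templates are hypothetical. Because the encrypted-distance equation is missing from this copy, the comparator returns an encryption of Σ(x_i − y_i), which is what Properties 1 and 2 give directly.

```python
import hashlib
import math
import secrets

# Toy Paillier with g = n + 1. Constructed small primes: illustration only, not secure.
def keygen(p=1789, q=1867):
    n, phi = p * q, (p - 1) * (q - 1)
    return n, (phi, pow(phi, -1, n))          # (public key P_k, secret key S_k)

def encrypt(n, m):
    n2 = n * n
    r = secrets.randbelow(n - 2) + 2          # fresh r makes encryption probabilistic
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return (1 + (m % n) * n) * pow(r, n, n2) % n2

def decrypt(n, sk, c):
    phi, mu = sk
    m = (pow(c, phi, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m         # upper half of Z_n encodes negatives

def h_add(n, c1, c2):
    """Property 1: the product of two ciphertexts decrypts to m1 + m2."""
    return c1 * c2 % (n * n)

def h_scale(n, c, k):
    """Property 2: a ciphertext raised to k decrypts to k * m (k = -1 negates)."""
    return pow(c, k, n * n)

def H(template):
    """Assumed hash: SHA-256 over the fixed-width ciphertext integers."""
    return hashlib.sha256(b"".join(c.to_bytes(8, "big") for c in template)).hexdigest()

class Contract:
    """Hypothetical Python stand-in for the contract's four functions."""
    def __init__(self, n, delta_c):
        self.n, self.delta_c, self.refer = n, delta_c, {}

    def enrolment(self, uid, enc_ref):
        self.refer[uid] = H(enc_ref)          # only Hr is stored on chain

    def verification(self, uid, enc_probe, server):
        enc_ref, elapsed = server(uid)        # CS returns eps(X) and its response time
        if enc_ref is None or elapsed > self.delta_c:
            return self.timer()
        return self.computation(uid, enc_ref, enc_probe)

    def timer(self):
        return ("Session Expired", None)

    def computation(self, uid, enc_ref, enc_probe):
        if uid not in self.refer or H(enc_ref) != self.refer[uid]:   # Hp != Hr
            return ("Reference Modified", None)
        acc = 1                               # 1 is a valid encryption of 0
        for cx, cy in zip(enc_ref, enc_probe):
            acc = h_add(self.n, acc, h_add(self.n, cx, h_scale(self.n, cy, -1)))
        return ("OK", acc)                    # eps(sum(x_i - y_i)); only the TA can open it

def demo():
    n, sk = keygen()
    x = [1, 0, 1, 1, 0, 1, 0, 0]              # constructed reference bits
    y = [1, 1, 1, 0, 0, 1, 1, 1]              # constructed probe bits
    ex, ey = [encrypt(n, b) for b in x], [encrypt(n, b) for b in y]
    sc = Contract(n, delta_c=2.0)
    sc.enrolment("uid-1", ex)
    servers = {
        "honest": lambda uid: (ex, 0.5),
        "tampered": lambda uid: ([encrypt(n, 0)] + ex[1:], 0.5),   # x[0] was 1
        "slow": lambda uid: (ex, 5.0),
    }
    out = {}
    for name, cs in servers.items():
        status, c = sc.verification("uid-1", ey, cs)
        out[name] = (status, None if c is None else decrypt(n, sk, c))   # TA decrypts
    return out

if __name__ == "__main__":
    print(demo())
```

Swapping a single ciphertext coordinate changes Hp, so the substitution is rejected before any homomorphic work is done, and a late reply never reaches the comparator at all.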

| IMPLEMENTATION DETAILS AND SECURITY ANALYSIS
The following measures are used to evaluate the efficiency of a biometric system according to biometric information protection [41]:
1. Performance evaluation in terms of EER, dʹ, and KS tests.
2. Irreversibility and unlinkability analysis.
3. Computational cost in terms of time taken to perform operations.

| Performance Evaluation
Test environment: The HE code is executed using Python 3.5.2 on a Microsoft Windows 10 Pro operating system. We implemented the smart contract in Solidity 0.5.0 using the Truffle framework. We deployed the contract in a private Ethereum BC network. To validate SviaB, we ran the experiments on a 2.50 GHz Intel Core i5 CPU and 16 GB RAM system.
Experimental design: The University of Salzburg tool kit [38] is used in SviaB to extract the iris template from the human eye. Subjects with a minimum of five left and right iris samples are required to develop a MIIR system. So 106, 208, and 115 subjects from the SDUMLA-HMT [42], IITD [43], and CASIA-V3-Interval [44] iris databases are considered to conduct our experiments, as they contain both right and left irises with a minimum of five samples each.
Accuracy: The EER obtained for only right iris (ORI), only left iris (OLI), fused iris (FT) and fused compressed iris template (FCT) in unprotected and protected systems for SviaB are shown in Tables 4 and 5. We observe no loss of accuracy in the protected system from Tables 4 and 5.
The baseline comparison of EER, storage cost, and time for SviaB is shown in Table 6. The unprotected and uncompressed template (UUT) indicates the template without compression and encryption, compressed and unprotected template (CUT) indicates the template with compression and without encryption, and compressed and protected template (CPT) indicates the template with compression and encryption. We can infer from Table 6 that there is no degradation of accuracy with our template protection method. The detection error trade-off curves of SviaB for different databases are shown in Figure 5. The clear separations between genuine and imposter scores of SviaB for different databases are shown in Figure 6. The distributions of false acceptance rate and false rejection rate for considered databases are represented in Figure 7. The separability measures (dʹ and KS test values) and EER on encrypted data of SviaB for different databases are shown in Figure 8.

Table 3: Difference in the methodology of BMIAE and SviaB

| | BMIAE | SviaB |
|---|---|---|
| Key generation | CD generates P_k and S_k. | TA generates P_k and S_k. |
| Reducing the size of iris template | CD reduces the size of fused iris template. | TA reduces the size of fused iris template. |
| Method employed for reduction (compression) | The 20480-bit iris template is grouped into blocks of size m, where m represents the block size and m = 2, 4, 8, 16, and 32. The m bits are converted to integers and these integers are divided by 2 to obtain the binary vector. | |
| HE scheme | ElGamal | Paillier |
| Decryption and authentication result | CD performs the decryption of computed result and compares the result with threshold to determine whether the user is genuine or not. | TA performs the decryption of computed result and compares the result with threshold. Sends Accept/Reject decision to the CD. |

Abbreviations: BMIAE, BC-based multi-instance iris authentication using additive ElGamal homomorphic encryption; CD, client device; HE, Homomorphic encryption; SviaB, secure and verifiable multi-instance iris remote authentication using blockchain.

| Security analysis
The template protection method must satisfy the requirements of irreversibility, revocability, and unlinkability to ensure the privacy of the iris templates. In SviaB, the attacks may happen in the CS, CD, BC network, TA, and the communication channel between the server and the CD. The security has to be assured for the CD and TA because the CD extracts the features from the iris image and the TA produces P_k and S_k. SviaB assumes that the CD and TA are trusted entities. Therefore, the information about iris and keys in the CD and TA is secure. The templates in the CS can be attacked by the intruder. Because the CS only stores the encrypted templates in SviaB, and the security of encrypted templates depends on DCRA, the templates stored in the CS are secure. In SviaB, the hash value of the encrypted template is stored in the smart contract. So, there will not be any information leakage. Because it is infeasible to decrypt the encrypted templates without a secret key, the templates are secure even if the intruder attacks the communication channel.
Irreversibility Analysis: In SviaB, the CD transmits the encrypted reference templates to the CS and smart contract during the enrolment phase. The encrypted reference template is stored in the CS, whereas the hash value of the encrypted reference template is stored in the smart contract. The CD transmits the encrypted probe template to the BC during the authentication phase. The smart contract retrieves the encrypted reference template from the CS and calculates the Manhattan distance between encrypted reference and encrypted probe iris templates. The smart contract sends the ε(d) to the TA. Only the TA can decrypt the result with S_k. As SviaB uses the Paillier HE scheme [22] to protect the templates, and the security of the Paillier scheme relies on the DCRA, it is difficult for the CS or an imposter to decrypt the templates without the secret key (S_k). Therefore, SviaB satisfies the irreversibility property.
Revocability: Revocability ensures that a new protected template should be generated by the protection method if the old template is compromised or stolen. In SviaB, revocability can be achieved by re-encrypting the samples in the database with a new key pair (P_k′, S_k′) instead of acquiring new samples from the users.
Unlinkability: Unlinkability ensures that there will not be any correlation between the protected templates used in different applications. The Paillier scheme used in SviaB is based on probabilistic encryption. Because of the randomness involved in the Paillier scheme, different ciphertexts can be generated even if the same message is encrypted multiple times with the same key, and there will not exist any similarity between the generated ciphertexts.
Hill Climbing (or) Inverse Biometrics Attack: The TA produces an output as either accept or reject by decrypting the ε(R) using S k . Hence, attacks such as hill climbing that are due to the score evolution for different probe signatures described in [45] or the inverse biometrics approaches in [46] are hindered (averted), that is, they lack the vital feedback to recreate a relevant template or biometric sample.

| Computational analysis of SviaB
The storage cost in terms of space and computational cost in terms of time, cost, and number of operations are discussed in the following sections.

| Computational cost in terms of time and cost
The computation cost and time required to execute operations in a smart contract in units of gas, dollars, and seconds are shown in Table 7. The time required to perform the encryption/decryption of SviaB on different databases is shown in Table 8. The reduced iris code size is the same for all considered databases in SviaB, whereas the iris code size varies for each database in BMIAE [21] to obtain optimal accuracy. Therefore, in Tables 7 and 8, the computation cost and time and the encryption/decryption time are the same for all databases in SviaB. The comparison of time to compute the distance in the BC and the server is illustrated in Table 6. The increase in the computation provides an enhanced functionality (i.e. trust in the computed distance without any third party) to SviaB. We observe from Tables 7 and 8 that SviaB requires less time and cost compared with BMIAE [21].

| Computational cost in terms of number of operations
The privacy of the fused reference and probe iris templates in SviaB is ensured by performing the encryption using P k before sending to the server/BC. The CD/TA needs to perform only one encryption/decryption in SviaB. The number of exponentiations, multiplications, and encryptions/  Table 9.
• SviaB needs to compute the distance between the probe and corresponding reference template associated with UID only.

| Comparison analysis
The EER comparison of SviaB with state-of-the-art works is shown in Table 10. We can infer that SviaB shows a better EER value when compared with other existing works. The dʹ comparison of SviaB with the existing  Table 11. We can infer from Table 11 that the genuine and imposter scores are well separated when compared with other works. SviaB satisfies the properties of template protection schemes and provides trust to the user that the cloud server/BC computes the distance honestly.

| CONCLUSION
An MIIA system, namely SviaB, is proposed to provide privacy to the iris templates and trust in the comparator result. Paillier HE is used to provide the privacy of the iris templates. In SviaB, a smart contract is used to check the similarity between encrypted reference and probe iris templates. The privacy and the expensive storage limitations of BC for biometrics are addressed in SviaB. Experimental results prove the significance and validity of SviaB. SviaB can be experimented with on other biometric modalities such as fingerprint, face, finger vein etc. to ensure the privacy of templates and trust in the computed result. Further