Privacy leakage in biometric secrecy systems

Abstract

Motivated by Maurer [1993], Ahlswede and Csiszar [1993] introduced the concept of secret sharing. In their source model two terminals observe two correlated sequences. It is the objective of both terminals to form a common secret by interchanging a public message (helper data), that should contain only a negligible amount of information about the secret. Ahlswede and Csiszar showed that the maximum secret key rate that can be achieved in this way is equal to the mutual information between the two source outputs. In a biometric setting, where the sequences correspond to the enrollment and authentication data, it is crucial that the public message leaks as little information as possible about the biometric data, since compromised biometric data cannot be replaced. We investigate the fundamental trade-offs for four biometric settings. The first one is the standard (Ahlswede-Csiszar) secret generation setting, for which we determine the secret key rate - privacy leakage region. Here leakage corresponds to the mutual information between helper data and biometric enrollment sequence conditional on the secret. In the second setting the secret is not generated by the terminals but independently chosen, and transmitted using a public message. Again we determine the region of achievable rate - leakage pairs. In setting three and four we consider zero-leakage, i.e. the public message contains only a negligible amount of information about the secret and the biometric enrollment sequence. To achieve this a private key is needed which can be observed only by the terminals. We consider again both secret generation and secret transmission and determine for both cases the region of achievable secret key rate - private key rate pairs.