Security of a Privacy-Preserving Biometric Authentication Protocol Revisited Aysajan Abidin 1 , Kanta Matsuura 2 , Aikaterini Mitrokotsa 1 1 Chalmers University of Technology, Gothenburg, Sweden {aysajan.abidin, aikaterini.mitrokotsa}@chalmers.se 2 University of Tokyo, Japan kanta@iis.u-tokyo.ac.jp Abstract. Biometric authentication establishes the identity of an indi- vidual based on biometric templates (e.g. fingerprints, retina scans etc.). Although biometric authentication has important advantages and many applications, it also raises serious security and privacy concerns. Here, we investigate a biometric authentication protocol that has been proposed by Bringer et al. and adopts a distributed architecture (i.e. multiple entities are involved in the authentication process). This protocol was proven to be secure and privacy-preserving in the honest-but-curious (or passive) attack model. We present an attack algorithm that can be employed to mount a number of attacks on the protocol under investigation. We then propose an improved version of the Bringer et al. protocol that is secure in the malicious (or active) insider attack model and has forward security. Key words: Biometrics, privacy-preserving biometric authentication, homomorphic encryption, active attack, forward security. 1 Introduction Biometric authentication offers important advantages mainly due to the uniqueness of biometric identifiers and other favorable properties since biometrics cannot be lost or forgotten. A biometric authentication system consists of two phases, namely, the enrollment phase and the authentication phase; and it typically involves two entities: a client and a server. During the enrollment phase, the client provides the server with his biometric data for storage in a database. Then, during the authentication phase, the server authenticates the client if his fresh biometric template matches the one that is stored in the database. Since the server often has to perform many tasks (e.g. retrieving from the database the client’s reference biometric template, checking if it matches the fresh template) its role can be divided into several parts. Thus, the execution of the protocol involves different entities where each