Biometric untargeted attacks: A case study on near-collisions

IF 8.1 1区计算机科学 0 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information Sciences Pub Date : 2025-04-24 DOI:10.1016/j.ins.2025.122217

Axel Durbet , Paul-Marie Grollemund , Kevin Thiry-Atighehchi

{"title":"Biometric untargeted attacks: A case study on near-collisions","authors":"Axel Durbet , Paul-Marie Grollemund , Kevin Thiry-Atighehchi","doi":"10.1016/j.ins.2025.122217","DOIUrl":null,"url":null,"abstract":"<div><div>Biometric recognition systems are now integral to many authentication and identification processes, prompting the need to understand their resilience under various attack scenarios. In this work, we analyze the security of such systems against <em>untargeted attacks</em>, where an adversary aims to impersonate any user without focusing on a specific target. Assuming a minimal leakage model—where only a binary acceptance or rejection is revealed—we derive upper and lower bounds on the attack complexity as functions of the template size, decision threshold, and database size. Our contributions apply to templates following a uniform distribution, such as randomized biometric templates or those derived from high-entropy secret sources. Many biometric template protection schemes, such as BioHashing or random projection-based transformations, combine biometric data with a high-entropy secret (e.g., a password or token). This combination is designed to produce pseudo-random outputs, making the uniform distribution a reasonable assumption for the transformed template space. As a result, our analysis covers two-factor authentication systems where biometrics are combined with a stored random secret or strong password. We use probabilistic modeling to assess the theoretical security limits of such systems. We investigate two practical attack scenarios: naive outsiders submitting random guesses, and multiple simultaneous attackers increasing the overall trial rate. We also introduce the notion of <em>weak near-collisions</em> to evaluate the risk of mutual impersonation due to close templates in the database. Our theoretical analysis is validated on real biometric datasets (LFW and FVC) using transformation schemes such as BioHashing. Finally, we provide practical recommendations for configuring system parameters to mitigate untargeted attacks and near-collision risks.</div></div>","PeriodicalId":51063,"journal":{"name":"Information Sciences","volume":"716 ","pages":"Article 122217"},"PeriodicalIF":8.1000,"publicationDate":"2025-04-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information Sciences","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0020025525003494","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"0","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Biometric recognition systems are now integral to many authentication and identification processes, prompting the need to understand their resilience under various attack scenarios. In this work, we analyze the security of such systems against untargeted attacks, where an adversary aims to impersonate any user without focusing on a specific target. Assuming a minimal leakage model—where only a binary acceptance or rejection is revealed—we derive upper and lower bounds on the attack complexity as functions of the template size, decision threshold, and database size. Our contributions apply to templates following a uniform distribution, such as randomized biometric templates or those derived from high-entropy secret sources. Many biometric template protection schemes, such as BioHashing or random projection-based transformations, combine biometric data with a high-entropy secret (e.g., a password or token). This combination is designed to produce pseudo-random outputs, making the uniform distribution a reasonable assumption for the transformed template space. As a result, our analysis covers two-factor authentication systems where biometrics are combined with a stored random secret or strong password. We use probabilistic modeling to assess the theoretical security limits of such systems. We investigate two practical attack scenarios: naive outsiders submitting random guesses, and multiple simultaneous attackers increasing the overall trial rate. We also introduce the notion of weak near-collisions to evaluate the risk of mutual impersonation due to close templates in the database. Our theoretical analysis is validated on real biometric datasets (LFW and FVC) using transformation schemes such as BioHashing. Finally, we provide practical recommendations for configuring system parameters to mitigate untargeted attacks and near-collision risks.

查看原文本刊更多论文

生物识别非目标攻击：近距离碰撞的案例研究

生物识别系统现在是许多身份验证和识别过程中不可或缺的一部分，这促使人们需要了解它们在各种攻击场景下的恢复能力。在这项工作中，我们分析了此类系统针对非目标攻击的安全性，攻击者的目标是冒充任何用户，而不关注特定目标。假设一个最小泄漏模型——其中只显示二进制接受或拒绝——我们得出攻击复杂性的上限和下限，作为模板大小、决策阈值和数据库大小的函数。我们的贡献适用于遵循均匀分布的模板，例如随机生物特征模板或来自高熵秘密源的模板。许多生物特征模板保护方案，如生物哈希或基于随机投影的转换，将生物特征数据与高熵秘密（例如密码或令牌）结合起来。这种组合被设计成产生伪随机输出，使均匀分布成为转换模板空间的合理假设。因此，我们的分析涵盖了双因素身份验证系统，其中生物识别技术与存储的随机秘密或强密码相结合。我们使用概率模型来评估这类系统的理论安全极限。我们研究了两种实际的攻击场景：天真的局外人提交随机猜测，以及多个同时攻击者增加总体试验率。我们还引入了弱近碰撞的概念，以评估由于数据库中的封闭模板而导致的相互模拟的风险。我们的理论分析在真实的生物特征数据集（LFW和FVC）上使用转换方案（如BioHashing）进行验证。最后，我们提供了配置系统参数以减轻非目标攻击和近碰撞风险的实用建议。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Information Sciences 工程技术-计算机：信息系统

CiteScore

14.00

自引率

17.30%

发文量

1322

审稿时长

10.4 months

期刊介绍： Informatics and Computer Science Intelligent Systems Applications is an esteemed international journal that focuses on publishing original and creative research findings in the field of information sciences. We also feature a limited number of timely tutorial and surveying contributions. Our journal aims to cater to a diverse audience, including researchers, developers, managers, strategic planners, graduate students, and anyone interested in staying up-to-date with cutting-edge research in information science, knowledge engineering, and intelligent systems. While readers are expected to share a common interest in information science, they come from varying backgrounds such as engineering, mathematics, statistics, physics, computer science, cell biology, molecular biology, management science, cognitive science, neurobiology, behavioral sciences, and biochemistry.