Nowadays, interactions are moving from face-to-face encounters in the physical world to the Internet, and electronic interactions are growing meteorically in place of physical ones. Consequently, electronic identification is a booming market, since it allows people to prove electronically that they are who they say they are in order to gain access to services or carry out electronic transactions.
Typically, a person proves (a) knowledge of secret data when the verifier asks for it (what you know), (b) ownership of a unique possession (what you have), and (c) that he or she is a particular physical entity (who you are). In the last case, people usually provide biometric data, such as data from their faces. Biometric data, which are stored as templates at the registration (enrollment) phase, are private and sensitive data, as contemplated in the data protection regulations of many countries. Hence, protection schemes should be employed to transform them into public, non-sensitive data called pseudonyms.
The problem is that, against a brute-force attack, the security of current biometric recognition systems usually ranges from 17 to 24 bits. This is far lower than the security of a cryptographic system (at least 80 bits). Moreover, biometric schemes with template protection offer even lower security. Recently, new cryptographic techniques, such as homomorphic encryption, are being explored to increase the security of protected biometric recognition systems. However, the security of many of these techniques is based on problems (such as the Discrete Logarithm and Integer Factorization problems) that are hard for current computers but not for quantum computers, which will be available in the future. Thanks to the results obtained in our previous project TEC2017-83557-R, the project Mas+Cara will develop protected schemes using post-quantum cryptography to offer high, long-term security.
Nowadays, most electronic identification systems employ a device-centric authentication topology, in which the capture and processing (feature extraction and matching) of the PIN (what you know) or the biometric data (who you are), as well as the storage of the biometric templates, are all handled locally on the user's device (what you have). The most widespread device is the smartphone. The device authenticates its user: the person is who the device says he or she is, without any external verification. No external verifier can attest that a credential holder (a person) is truly presenting a digital credential.
Recently, new protected schemes using a decentralized model are being explored to ensure that digital credentials can be verified externally by using public keys and pseudonymous biometrics that could offer people privacy. However, while the cryptographic verification of digital signatures with public keys is well established, efficient and practical implementations of pseudonymous biometrics offering irreversibility, unlinkability, and revocability are still a challenge.
Exploiting the knowledge acquired in our previous project TEC2017-83557-R, the project Mas+Cara will develop protected schemes using post-quantum cryptography and a decentralized and private model. The proof of concept to be developed in Mas+Cara will be implemented as a smartphone app and validated in a relevant environment, so that a prototype will be ready to be demonstrated in an operational environment and the way will be paved toward a final product that can be commercialized.