A Generic Privacy-preserving Protocol for Keystroke Dynamics-based
Continuous Authentication
Ahmed Fraz Baig
a
and Sigurd Eskeland
b
Norwegian Computing Center, Postboks 114 Blindern, 0314 Oslo, Norway
Keywords:
Continuous Authentication, Homomorphic Encryption, Keystroke Dynamics, Behavioral Biometrics.
Abstract:
Continuous authentication utilizes automatic recognition of certain user features for seamless and passive
authentication without requiring user attention. Such features can be divided into categories of physiological
biometrics and behavioral biometrics. Keystroke dynamics is proposed for behavioral biometrics-oriented
authentication by recognizing users by means of their typing patterns. However, it has been pointed out
that continuous authentication using physiological biometrics and behavior biometrics incur privacy risks,
revealing personal characteristics and activities. In this paper, we consider a previously proposed keystroke
dynamics-based authentication scheme that has no privacy-preserving properties. In this regard, we propose
a generic privacy-preserving version of this authentication scheme in which all user features are encrypted —
preventing disclosure of those to the authentication server. Our scheme is generic in the sense that it assumes
homomorphic cryptographic primitives. Authentication is conducted on the basis of encrypted data due to the
homomorphic cryptographic properties of our protocol.
1 INTRODUCTION
User authentication is a process that confirms whether
a user is the one who he claims to be. The most com-
mon form of authentication is session-oriented au-
thentication, where a session has a certain duration,
and the user authenticates himself once at the start of a
session. Such authentication mechanisms are mainly
classified into the following categories: Knowledge-
based authentication (what you know, like pass-
words and PIN codes), possession-based authenti-
cation (what you have, such as smartcards or don-
gles) physiological biometrics (face recognition, iris
recognition, fingerprint recognition, etc.). Session-
orientation implies that the user is required to do some
active or explicit action up front, like typing a pass-
word, inserting a smartcard, or scanning his finger-
print. Session-oriented authentication approaches au-
thenticate users at the beginning of the session. If the
user leaves the device for some time, the device will
remain unlocked for a time, which could allow a ma-
licious user to use the device in the meantime.
For computer devices that are carried by humans,
such as smartphones, continuous authentication has
been proposed to strengthen the mentioned authenti-
a
https://orcid.org/0000-0001-6017-0237
b
https://orcid.org/0000-0003-0045-3387
cation methods. The supposed advantage is passive
and seamless authentication mechanisms that do not
require user attention. The idea of continuous au-
thentication is that there is some uniqueness to some
user biometry or user context. The authentication pro-
cess is automatically conducted by events of relevant
user activity. The time window of access is much
smaller than for session-oriented approaches, and the
system automatically locks in case the user is inactive
or when it observes anomalous behaviors.
Continuous authentication can be achieved by fol-
lowing categories of modes: Behavioral biometrics,
physiological biometrics, and context-aware authen-
tication. The overall premise for behavioral biomet-
rics is that every person has a uniqueness in walk-
ing style, typing style, movement, and so on. By
recognizing such movement patterns, a person can
be uniquely identified. Behavioral biometric modes
include touch screen dynamics, keystroke dynamics,
stylometry, gait and walking style, etc.
Physiological biometrics, including face and iris
recognition, are often considered for continuous au-
thentication, although such modalities normally re-
quire explicit user actions and fails as such being pas-
sive and seamless.
Context-aware authentication modes include IP-
addresses, operating systems, and other profiling pa-
Baig, A. and Eskeland, S.
A Generic Privacy-preserving Protocol for Keystroke Dynamics-based Continuous Authentication.
DOI: 10.5220/0011141400003283
In Proceedings of the 19th International Conference on Security and Cryptography (SECRYPT 2022), pages 491-498
ISBN: 978-989-758-590-6; ISSN: 2184-7711
Copyright
c
2022 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
491
rameters such as GPS position, battery usage, network
usage, web browsing histories, and other behavioral
activities. Context-aware modes rely on contextual
parameters of the device, such as IP addresses, loca-
tion data, etc. The potential problem with context-
aware modes is that they only re-authenticate users
when there is a change in contextual information. But
they cannot differentiate between a legitimate user or
an imposter, if there is no contextual change. Such
problems may occur when users leave their devices
open, and someone else uses their devices in their ab-
sence.
The definition of continuous authentication de-
mands that the selected mode needs to be passive and
continuous simultaneously. Therefore, the physiolog-
ical biometrics and context-aware modes cannot be
solely considered for continuous authentication. Only
behavioral biometrics fulfill the requirements of con-
tinuous authentication, due to their passive and con-
tinuous nature (Baig and Eskeland, 2021).
Keystroke dynamics are categorized as behavioral
biometrics that authenticates users by analyzing and
recognizing user typing behaviors and typing pat-
terns. The keystroke dynamics authentication mecha-
nism can be implemented either in continuous way,
where the user is identified on each input (Bours,
2012) or in periodic way, where user validity is con-
firmed over a collected block of actions; the decision
is based on the analysis of that block of data (Dhakal
et al., 2018; Xiaofeng et al., 2019). A minor disad-
vantage of periodic authentication is the delay for the
authentication decision to take place, while for con-
tinuous authentication this is conducted immediately
at every user event (Bours, 2012).
The problem about continuous authentication
methods including behavioral modalities is that there
is no privacy protection. The behavioral features of
keystroke dynamics are privacy sensitive, and may
disclose sensitive user information related to gen-
der, age, left-or right-handedness, and even emotional
states during typing (Brizan et al., 2015). Behavioral
biometrics data are categorized as sensitive data in
GDPR, Article 4.
In this paper, we propose a privacy-preserving
protocol that is based on the Bours (2012) continu-
ous authentication scheme. To mitigate privacy is-
sues, our protocol uses generic homomorphic crypto-
graphic methods; this enables the authentication op-
erations to be conducted in the encrypted domain.
2 RELATED WORK
Govindarajan et al. (2013) proposed a periodic
privacy-preserving protocol for touch dynamics-
based authentication. Their scheme utilizes pri-
vate comparison protocol proposed by Erkin et al.
(2009) and the homomorphic DGK encryption al-
gorithm proposed by Damg
˚
ard et al. (2008). Note
that the Erkin et al. (2009) comparison protocol is
based on the private comparison protocol proposed by
Damg
˚
ard et al. (2007, 2009). The scheme of Govin-
darajan et al. does not reveal anything, because it
makes comparisons in the encrypted domain. How-
ever, it is not efficient for continuous authentication,
mainly because of the inefficiency of the Erkin et al.
subprotocol, which requires that each bit of the inputs
are encrypted. In the protocol, each of these cipher-
texts are then sent to the other party.
Balagani et al. (2018) proposed a keystroke
dynamics-based privacy-preserving authentication
scheme. They extended the idea of Govindarajan
et al. protocol, but is also based on the private com-
parison protocol proposed by Erkin et al. (2009) and
the homomorphic DGK encryption algorithm pro-
posed by Damg
˚
ard et al. (2008). This scheme has the
same efficiency problems as the scheme by Govin-
darajan et al.
Wei et al. (2020) proposed a privacy-preserving
authentication scheme for touch dynamics using ho-
momorphic encryption properties. It is based on sim-
ilarity scores between input and reference features us-
ing cosine similarity. The authentication server per-
forms a comparison between the encrypted reference
template (provided during enrollment) and encrypted
input template sampled during authentication. The
authentication server decrypts the similarity scores
and compares them with a predefined threshold.
Safa et al. (2014) proposed a privacy-preserving
generic protocol by utilizing context-aware data fea-
tures such as users GPS data, search histories (cook-
ies), etc. Additive homomorphic encryption prop-
erties and order-preserving symmetric encryption
(OPE) are utilized to achieve the privacy of users data
features. Their protocol uses the Average Absolute
Deviation (AAD) for the comparison between input
feature and the reference features during the authenti-
cation phase.
Shahandashti et al. (2015) proposed an implicit
authentication scheme by utilizing order-preserving
symmetric encryption (OPSE) with additive homo-
morphic encryption. The primitives are generic, but
the authors suggest the OPSE scheme proposed by
Boldyreva et al. (2009) and the Paillier public key
scheme. They consider different features for implicit
authentication such as user location, visited websites,
etc. Further, the AAD is utilized to compute the sim-
ilarity between input and reference templates.
SECRYPT 2022 - 19th International Conference on Security and Cryptography
492
Domingo-Ferrer et al. (2015) proposed a privacy-
preserving authentication scheme using generic fea-
tures, such as device data, carrier data, location data,
user data stored in the cloud, etc. They utilize set in-
tersection to determine the dissimilarity between ref-
erence data and input data. The privacy is protected
by means of the Paillier cryptosystem and a private set
intersection computation protocol proposed by Freed-
man et al. (2004). However, a potential problem with
these protocols (Domingo-Ferrer et al., 2015; Shahan-
dashti et al., 2015) is that context-aware modes cannot
tell whether the user is present or not. Thus, if the de-
vice is stolen within the specified domain, it cannot
distinguish between a legitimate user and imposters
(Baig and Eskeland, 2021).
3 THE BOURS CONTINUOUS
AUTHENTICATION SCHEME
This section revisits the keystroke dynamics-based
continuous authentication scheme proposed by Bours
(2012). The Bours authentication scheme is shown in
Algorithm 1, and it consists of two phases: An en-
rollment phase and an authentication phase, that are
presented next.
Enrollment Phase. Keystroke dynamics-based au-
thentication schemes utilize time-related data from a
keystroke. The timing data are extracted in the form
of features when a key is pressed down (t
down
i
) and
when the key is lifted up (t
up
i
). The time difference
t
i
= t
up
i
t
down
i
is computed for each keystroke, where
i is the index i
th
key, such as ’A’ is i = 0, ’B’ is i = 1,
etc. Based on t
i
, further statistical analysis is per-
formed by computing the mean µ
i
and the standard
deviation σ
i
for each key. Finally, a reference tem-
plate is created, which contain the statistical values
(µ
i
,σ
i
) for each key. These reference templates are
then stored in the database for the purpose of authen-
tication.
Authentication Phase. In this phase, an input tem-
plate is sampled for subsequent comparison with
the prestored reference template. The authentication
phase continuously takes the sampled time difference
t
i
and computes Scaled Manhattan Distance (SMD)
between t
i
and the reference template (µ
i
,σ
i
) accord-
ing to
d
i
=
|t
i
µ
i
|
σ
i
The distance d
i
is compared to the predefined thresh-
old T
dist
in order to update the aggregated distance in-
dicator (C), which is increased or decreased based on
Algorithm 1: Bours keystroke dynamics-based authentica-
tion scheme.
Enrollment phase
Compute µ
i
,σ
i
, 1 i n
Authentication phase
C = max
while IsKeyReleased(i) do
t
i
= t
up
i
t
down
i
d
i
= |t
i
µ
i
|/σ
i
if d
i
> T
dist
then
C (C d
i
+ T
dist
) // Penalty function
else
C min(C + R, max) // Reward function
end if
if C < T
reject
then
Reject
end if
end while
distance d
i
. A small value of d
i
, close to zero, indi-
cates the similarity between the input and the refer-
ence templates, while a greater value d
i
indicates dis-
similarity. Initially, C is assigned a maximum value
max.
When d
i
> T
dist
, then C is decremented in the form
of a penalty function C (C d
i
+ T
dist
). Other-
wise, C is incremented in form of a reward function
C min(C + R,max) by R to at most max, where R
is a constant reward value. Note that C cannot exceed
the maximum value. The C is continuously compared
to the reject threshold T
reject
on each input. When C
goes below the reject threshold (C < T
reject
), the au-
thentication fails and then the user is rejected.
3.1 Adversarial Model
We assume that authentication server is semi-honest
adversary, that will not deviate from the defined pro-
tocol but will attempt to learn all possible information
from legitimately received messages. The privacy re-
quirement is that the stored reference templates and
input templates are protected so that the server can-
not learn anything about them. We assume that the
communication between the user and the server is se-
cure, and that external threats are mitigated by apply-
ing network security techniques.
4 PROPOSED PROTOCOL
In this section, we present a new generic privacy-
preserving continuous authentication protocol. This
protocol is based on the continuous authentication
A Generic Privacy-preserving Protocol for Keystroke Dynamics-based Continuous Authentication
493
scheme proposed by Bours (2012), which lacks pri-
vacy. The authentication is performed in the en-
crypted domain, so the authentication server cannot
learn anything about prestored templates, except the
Boolean results and the key index i. Our proposed
protocol uses two types of cryptosystems as building-
blocks:
Homomorphic Public Key Encryption Algorithm.
We assume a public key encryption algorithm (e.g.,
the Paillier cryptosystem) that supports following ho-
momorphic property: E(m
1
) · E(m
2
) = E(m
1
+ m
2
).
For multiple identical ciphertexts, this property can
be expressed as E(m)
k
= E(k · m).
Privacy Preserving Comparison Sub-protocol
(PPCP). We use PPCP to compare the distance and
the threshold in a privacy-preserving way, which takes
one encrypted input E(x) and an unencrypted input y,
and determines whether x > y without disclosing the
values of x. This feature is met by the private compar-
ison protocol of Damg
˚
ard et al. (2007, 2008, 2009),
which takes one encrypted and one unencrypted in-
put.
The proposed privacy-preserving continuous au-
thentication protocol is presented in Figure 1. It con-
sists of the following three phases: Setup phase, en-
rollment phase, and authentication phase. The de-
tailed description of each phase is stated in the fol-
lowing:
Enrollment Phase. During the enrollment phase, the
user registers himself to the server. For this the user
creates a key pair, and sends his public keys to the
server. The asterisk (*) indicates a ciphertext vari-
able. The biometric features are collected at the user
side. We consider the following features are extracted
from a keystroke: down-time (t
down
i
), up-time (t
up
i
)
for every key i. The time duration (t
i
), the mean (µ
i
),
and the standard deviation (σ
i
) are computed in the
similar manners as stated in Section 3. During the en-
rollment phase, the user encrypts the reference tem-
plate E(µ
i
/σ
i
),E(1/σ
i
),1 i n, for each key and
sends encrypted template along with the user identity
id
u
and the key index i to the server. The server stores
id
u
and E(µ
i
/σ
i
),E(1/σ
i
),1 i n, according to the
index i of each key. Note that the user device does not
store template locally.
Authentication Phase. During the authentication
phase, the user initializes the protocol by sending
the authentication request with his identity id
u
to the
server. The server searches for user identity id
u
and
extracts them template that matches id
u
. Next, the
server sends E(1/σ
i
), 1 i n, to the user.
The remaining part is conducted each time that the
user presses a key, which has index i. The user com-
putes the time duration t
i
= t
up
i
t
down
i
of the pressed
key, which is input to the homomorphic computation
E(t
i
/σ
i
) E(1/σ
i
)
t
i
that is sent back to the server.
The server receives E(t
i
/σ
i
) and the server already
holds reference template E(µ
i
/σ
i
). The server homo-
morphically computes the encrypted Scaled Manhat-
tan Distance between encrypted input and encrypted
reference templates:
E(d
i
) = E(t
i
/σ
i
) · E(µ
i
/σ
i
) (1)
As templates are encrypted with user public key, the
server cannot find any information about the tem-
plates. The encrypted distance E(d
i
) is compared to a
predefined threshold T
dist
in privacy-preserving man-
ners. The privacy-preserving comparison is explained
in the following.
4.1 Privacy-preserving Comparison
The presented protocol invokes a privacy-preserving
comparison sub-protocol for the following tasks:
1) Compare the encrypted distance E(d
i
) and thresh-
old T
dist
to decide whether to compute the privacy-
preserving reward or the penalty functions; 2) to com-
pare the encrypted aggregated distance indicator C
with a preassigned maximum value w.r.t. the reward
function; and 3) to compare C
with the reject thresh-
old value T
reject
.
The reason for utilizing the privacy-preserving
protocol is to hide the exact resultant values from
the server and also from the malicious users. The
server holds the encrypted SMD E(d
i
) and unen-
crypted threshold T
dist
. The privacy-preserving com-
parison could be achieved by DGK comparison pro-
tocol Damg
˚
ard et al. (2007, 2009). The server and
the user invoke PPCP
gt
E(d
i
), T
dist
to check whether
the distance is greater than the threshold. The com-
parison protocol returns a Boolean result. If true, the
encrypted distance indicator C
is computed by the
following penalty function:
C
C
· E(d
i
)
1
· E(T
dist
)
= C
· E(d
i
) · E(T
dist
) = E(C d
i
+ T
dist
)
(2)
which decreases the plaintext value C of C
.
If false, the reward function is computed, which
increments the plaintext value C of C
as long as it
is below the maximum value according to the Bours
reward function:
C min(C + R, max) (3)
In our protocol, this is realized by an if-block, where a
privacy-preserving comparison is invoked for the sec-
ond time:
PPCP
gt
(c
· E(R),max)
SECRYPT 2022 - 19th International Conference on Security and Cryptography
494
User (Priv
u
) Server (PK
u
)
Enrollment phase
id
u
,i, E(1/σ
i
),E(µ
i
/σ
i
),1 i n
Store E(1/σ
i
),E(µ
i
/σ
i
), 1 i n
Authentication phase
id
u
Get E(1/σ
i
),E(µ
i
/σ
i
), 1 i n
E(1/σ
i
),1 i n
Input: i,t
i
E(t
i
/σ
i
) E(1/σ
i
)
t
i
i,E(t
i
/σ
i
)
C
E(max)
E(µ
i
/σ
i
) E(µ
i
/σ
i
)
1
E(d
i
) |E(t
i
/σ
i
) · E(µ
i
/σ
i
)|
PPCP
gt
if PPCP
gt
E(d
i
), T
dist
then
C
C
· E(d
i
)
1
· E(T
dist
)
else
PPCP
gt
if PPCP
gt
(C
· E(R),max) then
C
E(max)
else
C
C
· E(R)
end if
end if
PPCP
gt
if PPCP
gt
(C
, T
reject
) = false then
Reject
end if
Figure 1: Proposed privacy-preserving protocol for keystroke dynamics-based authentication.
where the E(R) is the encrypted constant reward
value. If the comparison is true, the E(max) is as-
signed to C
. Otherwise, C
C
·E(R) = E(C + R).
Lastly, a third privacy-preserving comparison
PPCP
gt
(C
, T
reject
) comparing the reject threshold
with (C
). If C
is below the reject threshold (T
reject
),
then the authentication fails and the user is rejected.
5 ANALYSIS
In this section, we provide the correctness analysis,
security analysis, and an analysis of computation and
communication complexity.
5.1 Correctness Analysis
The correctness of our proposed protocol relies on ad-
ditive homomorphic encryption properties. The con-
tinuous authentication phase is entirely performed on
encrypted templates. This section considers three
kinds of computations performed in the encrypted do-
main: the correctness of the encrypted Scaled Man-
hattan Distance E(d
i
), the encrypted penalty function,
and the encrypted reward function.
During the enrollment phase the user sends en-
crypted template E(1/σ
i
), E(µ
i
/σ
i
),1 i n, to the
server, and during the authentication phase the server
receives encrypted input E(t
i
/σ
i
) = E(1/σ
i
)
t
i
. The
correctness proof of the encrypted Scaled Manhattan
Distance E(d
i
) in Eq. (1) can be verified by the fol-
lowing equation:
E(d
i
) =E(t
i
/σ
i
) · E(µ
i
/σ
i
) = E(
|t
i
µ
i
|
σ
i
)
The aggregated distance indicator C
is computed in
the form of penalty and reward functions in Eqs. (2,
3). The correctness proof of the encrypted penalty
A Generic Privacy-preserving Protocol for Keystroke Dynamics-based Continuous Authentication
495
function is
C
= C
· E(d
i
)
1
· E(T
dist
) = E(C d
i
+ T
dist
)
and the correctness proof of the encrypted reward
function is
C
=min(C
· E(R),E(max)) = E(C + R),E(max)
where C
is the encryption of C, E(R) is the encryp-
tion of reward value R, and E(max) is the encryption
of maximum value.
5.2 Security Analysis
Our generic protocol relies on the security properties
of additive homomorphic cryptosystems, e.g., Pail-
lier (1999). As noted, the privacy requirement is
that the stored reference templates and input tem-
plates are protected so that the server cannot learn
anything about them. Our protocol achieves the pri-
vacy in the following ways: 1) The reference tem-
plate is stored in the encrypted form, 2) Scaled Man-
hattan Distance is computed on the encrypted input
and encrypted reference templates), 3) the compari-
son between the threshold and the result is made in
a privacy-preserving way, 4) the aggregated indicator
C is computed in the encrypted form and, 5) the fi-
nal comparison is also made in a privacy-preserving
way using PPCP. The server or malicious insider on
the server cannot see any additional information about
biometric templates. Hence, this protocol is a fully
privacy-preserving protocol.
5.3 Performance Analysis
The performance of a protocol can be determined by
analyzing the computation and communication com-
plexities. In this context, we analyzed the number of
rounds to complete the authentication decision, the
number of transmitted encryptions, and the number
of invocations of sub-protocols for privacy-preserving
comparison. We compared our protocol with other
protocols that have been proposed only for behavioral
biometrics limited to touch-dynamics or keystroke
dynamics. Context-aware authentication modes, such
as authentication based on GPS data, web-histories,
IP addresses; e.g., Domingo-Ferrer et al. (2015); Sha-
handashti et al. (2015) are not considered for compar-
ison.
Our protocol performs continuous authentication
in five rounds. Each round contains only one encryp-
tion, except for the first round which is performed
only once. Our protocol invokes a sub-protocol for
privacy-preserving comparison three times, where the
second time PPCP
gt
is only invoked when d
i
< T
dist
.
Our protocol is based on only one sampled input that
compares only two integers (resultant value and a
threshold).
The Govindarajan et al. protocol transmits N + 1
encryptions during the authentication phase. The first
round transmits N encrypted elements and the second
round transmits only one encrypted element. The au-
thentication decision is completed by four times in-
voking the privacy-preserving comparison protocol.
Each time the sub-protocol compares the series of N
encrypted elements of a feature vector. These sub-
protocols are based on the Erkin et al. (2009) proto-
col, and the Erkin et al. utilizes the Damg
˚
ard et al.
(2007, 2009) comparison protocol. As Govindara-
jan et al. invoked a sub-protocol four times for N
samples, where one comparison is completed in three
rounds. Their protocol takes total 12 × N rounds to
complete an authentication decision.
The Balagani et al. (2018) protocol completes
authentication in five rounds, and they transmitted
2N + 1 encryptions. Moreover, they five times in-
voked sub-protocols to complete one decision. They
also utilized the Erkin et al. protocol for privacy-
preserving comparison. Their protocol completes au-
thentication decision in 15 × N total rounds.
The Wei et al. Wei et al. (2020) protocol utilizes
Paillier cryptosystem and completes an authentication
decision in three rounds. They transmit 3N encrypted
vectors, where each vector contained N encrypted el-
ements in a vector.
In comparison to Govindarajan et al. (2013); Bal-
agani et al. (2018); Wei et al. (2020), our protocol is
efficient in terms of computation cost, other protocols
compute and transmit N the encrypted elements in
each round, whereas our protocol transmits only one
encrypted element. The comparison of N encrypted
elements in each round makes them very inefficient
even for periodic authentication. Therefore, our pro-
tocol is very efficient for continuous authentication.
The comparison is presented in Table 1, where
the number of rounds and transmitted encryptions are
counted without including the sub-protocols.
5.4 Implementation
To determine the performance of our proposed proto-
col, we implemented the authentication protocol on
Intel(R) Core(TM) i5-7440 HQ CPU @ 2.80GHz,
32 GB RAM in Python (Jupyter Notebook, Ana-
conda3). We use two libraries for our implementa-
tion; the homomorphic encryption library (Python-
paillier.readthedocs.io, 2016) and a library for the se-
cure comparison protocol, developed by TNO MPC
Lab (2021). To evaluate the computation cost, we
SECRYPT 2022 - 19th International Conference on Security and Cryptography
496
Table 1: Complexity comparison.
Protocol Rounds
Transmitted
encryptions
Sub-protocols
invocations
Govindarajan et al. (2013) 4 N + 1 4N
Balagani et al. (2018) 5 2N + 1 5N
Wei et al. (2020) 3 3N 0
Our protocol 5 N + 4 3
calculated execution time to complete homomorphic
operations (such as multiplication and exponentia-
tion). Furthermore, we also the calculated the exe-
cution time to complete privacy-preserving compar-
isons. The computation cost is calculated in millisec-
onds (ms).
We set 1024-bits security parameter k for Paillier
cryptosystem. Moreover, we set the maximum bit-
length (l = 4, 7, 7) for the first, second, and third com-
parisons, respectively, as stated in Sec. 4.1. The com-
plete description of the comparison protocol is pre-
sented by Veugen (2018).
Our protocol utilizes one-time exponentiation
(1T
E
); five times multiplication (5T
M
); and invokes
sub-protocols three times (3T
PPCP
) to complete one
authentication decision. The execution time of 1T
E
=
19ms and 5T
M
= 51ms. To complete one authenti-
cation decision, the execution time of our proposed
protocol is 1T
E
+5T
M
+3T
PPCP
= 437ms. The execu-
tion time can be decreased by reducing the l-bits. The
l can be set by determining the length of input values.
For instance, our protocol compares very small inte-
gers in the first comparison; in this scenario the l = 4
is considered enough.
6 CONCLUSIONS AND FUTURE
WORK
Continuous authentication strengthens the security by
monitoring the user behavioral features but causes pri-
vacy concerns when behavioral features are transmit-
ted to the authentication server. In this paper, we have
presented a new generic privacy-preserving keystroke
dynamics-based continuous authentication protocol.
We have proposed a simple and efficient privacy-
preserving protocol utilizing homomorphic encryp-
tion properties as building blocks. Our protocol does
not reveal any information about the biometric tem-
plates or the resultant outputs. This protocol pro-
vides privacy against the honest-but curious server.
To the best of our knowledge, our protocol is the first
one to offer privacy-preserving continuous authenti-
cation. Moreover, our protocol provides efficient per-
formance compared to the literature.
Multimodal behavioral biometric-based continu-
ous authentication may offer more security than a uni-
modal authentication mechanism. We will consider
multimodal continuous authentication using behav-
ioral biometrics in the future. This will be achieved
by combining keystroke dynamics with touch dynam-
ics. Continuous authentication requires efficient per-
formance in terms of communication and compu-
tation costs, and our future research will focus on
lightweight encryption techniques to reduce commu-
nication overhead.
ACKNOWLEDGEMENT
This work is part of the Privacy Matters (PriMa)
project. The PriMa project has received funding from
European Union’s Horizon 2020 research and innova-
tion programme under the Marie Skłodowska-Curie
grant agreement No. 860315. The authors would like
to thank Dr. Wolfgang Leister for valuable comments.
REFERENCES
Baig, A. F. and Eskeland, S. (2021). Security, privacy, and
usability in continuous authentication: A survey. Sen-
sors, 21(17):5967.
Balagani, K. S., Gasti, P., Elliott, A., Richardson, A.,
and O’Neal, M. (2018). The impact of application
context on privacy and performance of keystroke au-
thentication systems. Journal of Computer Security,
26(4):543–556.
Boldyreva, A., Chenette, N., Lee, Y., and O’Neill, A.
(2009). Order-preserving symmetric encryption. In
Proceedings of the 28th Annual International Con-
ference on Advances in Cryptology - EUROCRYPT
2009 - Volume 5479, page 224–241, Berlin, Heidel-
berg. Springer-Verlag.
Bours, P. (2012). Continuous keystroke dynamics: A dif-
ferent perspective towards biometric evaluation. In-
formation Security Technical Report, 17(1-2):36–43.
Brizan, D. G., Goodkind, A., Koch, P., Balagani, K., Phoha,
V. V., and Rosenberg, A. (2015). Utilizing linguis-
tically enhanced keystroke dynamics to predict typist
cognition and demographics. International Journal of
Human-Computer Studies, 82:57–68.
A Generic Privacy-preserving Protocol for Keystroke Dynamics-based Continuous Authentication
497
Damg
˚
ard, I., Geisler, M., and Krøigaard, M. (2007). Effi-
cient and secure comparison for on-line auctions. In
Australasian conference on information security and
privacy, pages 416–430. Springer.
Damg
˚
ard, I., Geisler, M., and Krøigard, M. (2008). Homo-
morphic encryption and secure comparison. Interna-
tional Journal of Applied Cryptography, 1(1):22–31.
Damg
˚
ard, I., Geisler, M., and Krøigard, M. (2009). A cor-
rection to ’efficient and secure comparison for on-line
auctions’. International Journal of Applied Cryptog-
raphy, 1(4):323–324.
Dhakal, V., Feit, A. M., Kristensson, P. O., and Oulasvirta,
A. (2018). Observations on typing from 136 million
keystrokes. In Proceedings of the 2018 CHI Confer-
ence on Human Factors in Computing Systems, pages
1–12.
Domingo-Ferrer, J., Wu, Q., and Blanco-Justicia, A. (2015).
Flexible and robust privacy-preserving implicit au-
thentication. In IFIP International Information Secu-
rity and Privacy Conference, pages 18–34. Springer.
Erkin, Z., Franz, M., Guajardo, J., Katzenbeisser, S., La-
gendijk, I., and Toft, T. (2009). Privacy-preserving
face recognition. In International symposium on pri-
vacy enhancing technologies symposium, pages 235–
253. Springer.
Freedman, M. J., Nissim, K., and Pinkas, B. (2004). Effi-
cient private matching and set intersection. In Inter-
national conference on the theory and applications of
cryptographic techniques, pages 1–19. Springer.
Govindarajan, S., Gasti, P., and Balagani, K. S. (2013).
Secure privacy-preserving protocols for outsourcing
continuous authentication of smartphone users with
touch data. In 2013 IEEE Sixth International Confer-
ence on Biometrics: Theory, Applications and Systems
(BTAS), pages 1–8. IEEE.
Paillier, P. (1999). Public-key cryptosystems based on com-
posite degree residuosity classes. In International
conference on the theory and applications of crypto-
graphic techniques, pages 223–238. Springer.
Python-paillier.readthedocs.io (2016). Python library for
Partially Homomorphic Encryption. https://python-
paillier.readthedocs.io/en/develop/index.html. [Ac-
cessed 11.05.2022].
Safa, N. A., Safavi-Naini, R., and Shahandashti, S. F.
(2014). Privacy-preserving implicit authentication. In
IFIP International Information Security Conference,
pages 471–484. Springer.
Shahandashti, S. F., Safavi-Naini, R., and Safa, N. A.
(2015). Reconciling user privacy and implicit authen-
tication for mobile devices. Computers & Security,
53:215–233.
TNO MPC Lab (2021). Secure Comparison Pro-
tocol. https://pypi.org/project/tno.mpc.protocols.
secure-comparison/. [Accessed 11.05.2022].
Veugen, T. (2018). Correction to ”improving the dgk com-
parison protocol”. Cryptology ePrint Archive.
Wei, F., Vijayakumar, P., Kumar, N., Zhang, R., and Cheng,
Q. (2020). Privacy-preserving implicit authentication
protocol using cosine similarity for internet of things.
IEEE Internet of Things Journal, 8(7):5599–5606.
Xiaofeng, L., Shengfei, Z., and Shengwei, Y. (2019). Con-
tinuous authentication by free-text keystroke based
on CNN plus RNN. Procedia computer science,
147:314–318.
SECRYPT 2022 - 19th International Conference on Security and Cryptography
498