An Efficient and Privacy-Preserving Biometric Identification Scheme Based on the FITing-Tree

,


Introduction
With the booming development of the Internet of ings (IoT), the number of smart devices, such as smart cameras and smartwatches, has grown dramatically in recent years.According to the reports, there have been 12 billion IoT devices in 2020, and this amount will grow to more than 30 billion in 2025 [1].e proliferation of IoT devices and the development of image processing technologies make biometric-based services increasingly easy to deploy and reliable.As a result, biometric-based services have been applied to a variety of scenarios including airport service, criminal investigation, and counterterrorism [2][3][4][5].
As a major type of biometric-based services, biometric identification aims to find whether a given biometric template exists in a precollected biometric dataset.Specifically, a biometric template is usually denoted by a vector, e.g., an l-dimension vector T � t 1 , t 2 , . . ., t l  .For a given biometric dataset T, T exists in T, which means that there exists a biometric template T ′ � t 1 ′ , t 2 ′ , . . ., t l ′   ∈ T, which makes the Euclidean distance dis(T, T ′ ) less than or equal to a given threshold δ, i.e., dis(T, T ′ ) � Since the biometric template dataset owner may be limited in computing power and storage capacity, it is necessary to outsource the biometric dataset to the cloud for data management and biometric identification request processing when the dataset becomes large.However, as biometric data is crucially sensitive, and the cloud server is not always trusted, some measures should be adopted to prevent the cloud from extracting private information from the outsourced data.It is well accepted that encryption is the most intuitive solution to this issue.But we should pay attention to the fact that, in addition to privacy, data utility should also be guaranteed, which means that the similarity between two templates should be able to be derived from their encrypted data.
To solve this problem, researchers have proposed many schemes [6][7][8][9][10][11][12][13] to achieve privacy-preserving biometric recognition.Unfortunately, most of these schemes [6][7][8][9][10] work in a basic way, which means that they just traverse the whole dataset to get the identification result, and no optimization tactics are taken to accelerate the searching process.Consequently, a huge computing burden is brought to the cloud when it handles too many identification requests simultaneously, which makes these schemes inefficient and unpractical.e situation turns worse when the dataset size grows.As a result, it is urgent to design a privacy-preserving biometric identification scheme by which both the security of the biometric template and the efficiency of the identification process can be guaranteed.Some schemes [11] employ some data structures to expedite the searching process.However, the data owner has to be on standby during the identification service, which results in the loss of the native advantages of cloud computing.
In this paper, we propose an efficient and privacy-preserving biometric identification scheme based on two data structures, namely, the FITing-tree [14] and iDistance [15], and a symmetric homomorphic encryption (SHE) algorithm [16,17].With our proposed scheme, the privacy of the biometric dataset and the identification request is preserved.In addition, the computational costs of the cloud, which are used to process the identification requests, are kept at an acceptable level.Specifically, the main contributions of this paper are threefold.
(i) First, we propose a privacy-preserving biometric identification scheme with two noncollusive cloud servers.With our proposed scheme, the privacy of the biometric dataset and the identification request is protected during the online biometric identification service process.Specifically, the cloud servers cannot obtain the specific value of the identification request and the plaintext of the biometric template in the dataset.
(ii) Second, the efficiency of the proposed scheme is improved with the FITing-tree and iDistance.By introducing the FITing-tree, the computational costs of the biometric identification process are significantly lowered by reducing the number of similarity comparison operations.Besides, the size of the index is also optimized.
(iii) ird, to evaluate the performance of our proposed scheme, we implement our proposed scheme and conduct extensive experiments on a synthetic dataset.Both the theoretical and experimental results show that the proposed scheme is more efficient than other similar schemes in both computational and communication costs.In addition, we also test the accuracy of our proposed scheme on a real-world face dataset.
e remainder of the paper is organized as follows.In Section 2, we review some related work at first.en, we formalize our system model and security model and identify our design goal in Section 3 and review some preliminaries, including a SHE scheme, FaceNet algorithm, iDistance data structure, and FITing-tree data structure in Section 4. After that, we present our proposed scheme in Section 5, followed by security analysis and performance evaluation in Section 6 and Section 7, respectively.Finally, we draw our conclusion in Section 8.

Related Work
In this section, we will briefly review some related work on privacy-preserving biometric identification.
Early privacy-preserving biometric identification schemes only focus on the privacy-preserving issue.In these schemes, the biometric identification scheme is considered to be a two-party system, where the data owner takes charge of biometric dataset management and template matching.Most of these schemes are designed based on the secure computation protocol [18][19][20] and homomorphic encryption [9,21,22] techniques.Although the privacy-preserving is achieved in these schemes, the data owner is required to be equipped with powerful computing ability and remarkable storage capacity in these schemes, which can hardly be satisfied in most application scenarios and thus makes these schemes unpractical.
e emergence of cloud computing presents a new and promising paradigm to handle these challenges.Some researchers leverage cloud computing techniques to release the data owner from this burden.In their schemes, the data owner outsources the encrypted biometric dataset to the cloud server, and the matching process is completed on the cloud.Yuan et al. [6] proposed the first cloud-based privacypreserving biometric identification scheme using a matrix encryption scheme, where the biometric dataset and identification query are both encrypted and sent to the cloud server by the data owner.However, Wang et al. [7] and Zhu et al. [23] pointed out that [6] is not secure under the knownplaintext attack model [24].In addition, [7] presented a privacy-preserving biometric identification scheme based on the similarity matrix under the same system model in [6] and the security analysis showed that [7] had a higher security level than [6].Zhang et al. [8] proposed an efficient privacypreserving biometric identification scheme based on the matrix and perturbed terms with lower time cost and bandwidth consumption than [6,7].Wang et al. [10] proposed an inference-based framework for privacy-preserving similarity search in Hamming space and achieved privacypreserving biometric identification based on it.Hu et al. [25] proposed a privacy-preserving biometric identification scheme in an outsourcing environment with two noncolluded servers based on homomorphic encryption and batched protocols.With the help of the cloud, the computing cost of the data owner during the biometric matching is significantly reduced in the above schemes.However, in [6][7][8], the data owner has to keep on online to encrypt the user's query data and decrypt the identification result, which whittles some advantages of cloud computing away and leads heavy load to the data owner if it serves too many users 2 Security and Communication Networks at the same time.What is more, in all the cloud-based schemes above, the searching process is not optimized, which means that the searching cost of the cloud server is linear with the size of the dataset.Despite the fact that the cloud server is equipped with strong computing power, it may still run into a bottleneck while simultaneously severing too many users.
To address this issue, some researchers begin to focus on how to achieve sublinear searching efficiency in the biometric identification process, which will significantly ease the pressure of the cloud server.Zhu et al. [11] proposed a cloud-assisted privacy-preserving biometric identification scheme.With the help of an asymmetric scalar-product preserving encryption scheme and R-tree, sublinear search efficiency is achieved in [11].Nevertheless, the data owner also needs to keep online in [11].And since R-tree is not constructed among the metric relation between the data objects, the cloud server needs to search the tree twice to find the closest biometric template in the dataset, which reduces the efficiency of the searching process.Yang et al. [26] proposed a privacy-preserving biometric identification scheme based on the M-tree to achieve a sublinear search efficiency.
In this paper, to protect the privacy of the biometric data and reduce the time consumption in the biometric searching process, we introduce SHE and FITing-tree to construct a privacy-preserving biometric identification scheme based on two noncolluded cloud servers.Compared with previous works, the service provider in our proposed scheme does not need to keep online in the identification scheme, and higher efficiency in both computation and communication is achieved.

Models and Design Goal
In this section, we formally describe our system model and security model and identify our design goals.

System
Model.In our system model, we consider a cloud-based biometric identification system as shown in Figure 1, which mainly consists of three parts: the service provider, a cloud with two servers, and the client.
(i) Service provider: the service provider (SP) has collected a biometric templates dataset T with n biometric templates, i.e., T � T 1 , T 2 , . . ., T n  , where each template is an l-dimension vector T i � t i1 , t i2 , . . ., t il  .For simplicity and clear description, we assume that the value of each t ij (1 ≤ j ≤ l) is a positive integer since a nonintegral biometric template can be transformed into a positive integer vector easily.To make the best use of the dataset, the data owner is willing to offer an online biometric identification service to some users.Since the SP usually has limited computing power and storage capability, to relieve the burden of data management and handling a large number of biometric identification requests, it tends to outsource the biometric dataset to the cloud.In consideration of the sensibility of the biometric data, and the fact that the cloud is not always trusted, the biometric data should be encrypted before being outsourced to the cloud.(ii) Cloud servers: in our system, the cloud employs two cloud servers, namely, cloud server 1 (CS1) and cloud server 2 (CS2), from two different cloud service providers, to collaboratively process the biometric identification requests.Specifically, CS1 stores the encrypted dataset and indexes and accepts identification requests.CS2 holds the secret key and helps CS1 get the identification result by decrypting some intermediate results.Note that these two cloud servers are powerful in computing and have sufficient storage space.(iii) Client: the client in our system model can be an IoT device, which is equipped with sensors (e.g., camera, microphone, or fingerprint collector) and has moderate computation ability (e.g., to extract biometric features and encrypt some data).An application employs the client to access the biometric identification service.To get the identification result, the client generates an identification request, submits it to the cloud servers, and processes the response from the cloud servers.

Security Model.
In our system model, we consider that the SP and the client are fully trusted and will honestly follow the prearranged protocol.As for the two cloud servers, CS1 and CS2 are considered to be honest-butcurious, which means they will faithfully follow the protocols by outputting the correct identification result but will be curious about the client's or SP's data once certain conditions are satisfied.Meanwhile, we assume that the two cloud servers do not collude with each other.is is reasonable since the cloud servers should maintain their reputation and interests.Note that since we only focus on how to achieve efficient and privacy-preserving biometric identification in this paper, active attacks on data integrity and source authentication from external adversaries are beyond the scope of our work and will be discussed in our future work.Security and Communication Networks 3.3.Design Goals.Our design goal is to propose an efficient and privacy-preserving cloud-based biometric identification scheme to address the challenges mentioned in the above system model and security model.Specifically, the following two objectives should be achieved: (i) Privacy: since the biometric data is highly sensitive, the proposed biometric identification scheme should be privacy-preserving, which means that the security of the biometric data stored in the biometric template dataset and identification request should be guaranteed.(ii) Efficiency: since high time delay is intolerable for a biometric identification system, the proposed biometric scheme should be efficient in terms of both computational and communication costs.e factors causing the inefficiency of the biometric identification system mainly lie in two aspects.First, the cloud servers need to search the whole biometric template dataset at the identification stage, which is quite time-consuming when the template dataset becomes large.Second, to satisfy the privacy-preserving requirements, some additional operations will be necessarily introduced, which significantly increases the computational costs of the cloud servers.Besides, since both the dataset and the identification request are needed to be sent to the cloud servers, it will bring a heavy communication burden to the cloud server while serving too many users simultaneously.erefore, some measures should be adopted to achieve higher efficiency in computation and communication.

Preliminaries
In this section, we briefly review the FaceNet algorithm [27], symmetric homomorphic encryption (SHE) scheme [16], the iDistance data structure [15], and FITing-Tree data structure [14], which will serve as the building blocks of our proposed scheme.[27] is a face recognition system that aims at outputting an embedding by mapping a face image into a compact Euclidean space.With the help of a deep convolutional network, FaceNet works in a twophases model, i.e., the training phase and the matching phase.In the training phase, given a face image x, a mapping from the face image x to a compact Euclidean space R d is built at first.en, based on the mapping, a Euclidean embedding f(x) ∈ R d can be calculated to represent the face image x.In the matching phase, two face images x and y are given, which will be represented as two embeddings: f(x) � (x 1 , x 2 , . . ., x d ) and f(y) � (y 1 , y 2 , . . ., y d ).To evaluate the similarity of x and y, the Euclidean distance of the two embeddings f(x), f(y) can be computed as

􏽱
. en, a threshold δ is used to determine whether these two faces x, y are the same (denoted as R same ) or different (denoted as R diff ).e decision process is performed as follows:

Description of SHE.
e SHE [16,17] is a symmetric homomorphic encryption scheme, which mainly consists of three algorithms, namely, (i) key generation, (ii) encryption, and (iii) decryption: (i) Key generation: given three security parameters then the secret key is generated as sk � (p, q, L), where p, q are two large prime numbers with |p| � |q| � k 0 , and L is a random number with the bit length |L| � k 2 .Eventually, compute N � pq and set the public parameters PP � (k 0 , k 1 , k 2 , N). e message space of the SHE scheme is M as 0, 1 { } k 1 .(ii) Encryption: given a message m ∈ M, it can be encrypted with the secret key sk � (p, q, L) as where r ∈ 0, 1 e correctness of the decryption can be proven as follows:

SHE satisfies the following homomorphic properties:
(i) Homomorphic Addition-I: given two ciphertexts e iDistance data structure is an indexing and query processing technique for the k-nearest neighbor (kNN) queries on point data in multidimensional metric spaces [15].For a given dataset, iDistance firstly partitions the data based on a space-or datapartitioning strategy and selects a reference point for each partition.en, a one-dimensional index is calculated for each data point in one partition based on its distance to the reference point of this partition.Finally, a B+ tree is built on these indexes, and the kNN search can be performed using a one-dimensional range search.As shown in Figure 2, the detailed description of the index building process is as follows: (i) Data partition: the dataset is divided into a set of partitions with some clustering algorithms, e.g., the K-means algorithm.en, a reference point is assigned for each partition.Suppose that there are m partitions P 1 , P where c is an offset value used to avoid the overlap between the iDistance range of different partitions.Specifically, c plays a role in splitting the one-dimensional space into regions, and all points in each partition are mapped to different regions.For example, for the ith partition p i , all data points in this region will be mapped to the range , where dis max (p, O i ) is the greatest distance of all points in P i from the reference point of P i .c must be set sufficiently large to avoid the overlap between the index regions of different partitions.(iii) Range query: the given range query (q, r) aims to find all data points in D that satisfy p ∈ D|dis(p, q) ≤ r  .For any data point p in the ith partition P i , it is straightforward to get the inequality (6) based on the triangle inequality property of Euclidean distance.With the range query requirement, we have which means that we only need to check data points whose iDistance index lies in

FITing-Tree Data
Structure.e FITing-tree [14] is a data-aware index structure that approximates an index using piece-wise linear functions.With FITing-tree, a given key can be mapped to a storage location with a bounded error.
ere are two basic data notions in the FITing-tree, namely, the error threshold error and the segment: (i) Segment: a segment is a line segment that maps a key to its approximate storage position.A segment Seg can be represented by the starting point start and the slope, i.e., Seg � start, slope  .For a given key x lying in this segment, its predicted position can be calculated by (ii) Error: the error threshold error is the maximum distance that the predicted location of any key inside a segment from its actual position.
e operations of the FITing-tree mainly consist of FITing-tree building and query.e detailed description of the FITing-tree building and query process is as follows.
(i) FITing-tree building: the main goal of the FITingtree building process is to use a series of disjoint linear segments to capture trends that exist in the data with the error threshold satisfied.e dataset is sorted in ascending order at first, and then a greedy streaming algorithm is used to maximize the length of a segment as shown in Algorithm 1.After all the segments are selected, a B+ tree is built on these segments.(ii) Query: in the query process, given a key x, we firstly find which segment this key is located in.For a segment i, x lies in segment i meaning Seg is process can be easily achieved by the B+ tree search algorithm.
en, the predicted position pred_pos of x is calculated by equation (8).After interpolating the key's position, the true position of the key is guaranteed to be within the error threshold.Finally, FITing-tree locally searches the region [pred_pos − error, pred_pos + error] using binary search.Figure 3 illustrates this query process.Security and Communication Networks

Our Proposed Scheme
n this section, we will present our privacy-preserving cloudbased biometric identification scheme, which consists of four phases, i.e., System Initialization, Index Creation and Encryption, Encrypted Identification Request Generation, and Biometric Identification.Before delving into the details, we give an overview of our proposed scheme.Specifically, in the System Initialization stage, SP firstly generates system parameters (including the security parameters and identification parameters) and distributes them to the client and cloud servers.en, SP builds an index based on the iDistance and FITing-tree, encrypts the index and the dataset, and outsources them to the cloud in the Index Creation and Encryption stage.
e client generates an encrypted identification request based on a given biometric template in the Encrypted Identification Request Generation stage.Eventually, in the Biometric Identification stage, the client sends an encrypted identification request to the cloud, and two cloud servers work together to get the identification result and return it to the client.To describe our proposed scheme clearer, we give the explanation of the main notations used in the following sections in Table 1.

System Initialization.
In the System Initialization phase, SP sets up the system and generates keys for the client and cloud servers.Following the method described in subsection, SP selects the security parameters (k 0 , k 1 , k 2 ), calculates the secret key sk � (p, q, L), and generates the public parameters PP � k 0 , k 1 , k 2 , N  , where N � p • q.After that, SP encrypts 0 and 1 with sk, and the corresponding ciphertexts are denoted as E(0) and E(1), respectively.en, SP sets the identification threshold δ for the identification system.After all parameters are generated, SP publishes PP and δ and sends E(0), E(1) to the client, and sk to CS2, respectively.

􏽱
. Besides, the maximum distance of all distance calculated in the ith partition is denoted as d max−i .en, to avoid the overlap of indexes between different partitions, an offset should be added while calculating the iDistance index.Meanwhile, to keep the gap between indexes of different partitions as small as possible, the offset is selected as offset i �  i−1 j�1 d max−j .Eventually, for a biometric template T in the ith partition, its iDistance index is calculated as (iii) FITing-tree building: after all the iDistance indexes for all templates are calculated, SP builds a FITingtree based on these iDistance indexes following Algorithm 1 with a given error threshold.When the building process of the FITing-tree is complete, a series of disjoint linear segments Seg and r i ∈ 0, 1 { } k 2 is a random number.After the identification request is encrypted, it is sent to CS1.

Biometric Identification.
On receiving a biometric identification request from the client, two cloud servers work together to verify whether it exists in dataset T. Firstly, two cloud servers collaboratively calculate the distance of the identification request corresponding to each reference point.
en, based on the trained FITing-tree and iDistance data structure, a candidate result set is generated.Eventually, two cloud servers traverse the candidate result set to get the identification result.

Stage 1: iDistance Index Calculation.
After receiving the biometric request from the client, CS1 firstly calculates the ciphertext of the square of the Euclidean distance between E(T r ) and each encrypted reference point E(O i ), where en, CS1 sends to CS2.CS2 decrypts these ciphertexts with sk and returns the corresponding plaintexts to CS1.After getting the plaintexts from CS2, CS1 computes the positive square root , where pre_pos1 is the predicted position of lb calculated by the FITing-tree, and pre_pos2 is the predicted position of ub.

Stage 3:
Verification.When the candidate result set is determined, two cloud servers work together to make sure whether there is a biometric template satisfying the identification requirements.Specifically, for each candidate result set CRS j , CS1 firstly calculates the encrypted distances between T r and all the templates in this candidate result set.
For a template T i , the encrypted square of the distance from T r to T i is calculated as en, the encrypted distances are sent to CS2 to get the plaintexts.While receiving the plaintexts, CS1 finds the template that is closest to T r and verifies whether it satisfies the identification requirements by checking whether dis(T r , T i ) ≤ δ holds.If it does, CS1 adds the identifier of T i to the result set.After all the candidate result sets are checked, CS1 returns the result set to the client.

5.4.4.
Correctness.We will show the correctness of the our proposed scheme.If our proposed scheme is not correct, it means that there exists a template T ∈ T which satisfies dis(T, T r ) ≤ δ, but is not searched by our scheme.To proof the correctness of our scheme, we only need to prove that all the biometric templates T ∈ T satisfying dis(T, T r ) ≤ δ are searched by our scheme.All the biometric templates in the candidate result set are verified, and the biometric templates whose position lie in [pre_pos1 − error, pre_pos2 + error] are added to the candidate result set.According to the properties of the FITing-tree, if the predicted position of T lies in [pre_pos1, pre_pos2], it will be added to the candidate result set.Since pre_pos1 is the predicted position of lb calculated by the FITing-tree and pre_pos2 is the predicted position of ub, and the iDistance indexes are in the ascending order in the FITing-Tree, if dis(T, T r ) ≤ δ, its iDistance index will lie in erefore, if a template T ∈ T which satisfies dis(T, T r ) < δ, it will be searched by our proposed scheme.

Security Analysis
In this section, we will analyze the security of our proposed privacy-preserving biometric identification scheme.Since our proposed scheme is designed based on the SHE scheme, which has been proved to be CPA-secure in previous work [17], we mainly focus on the privacy-preserving goal described in section.Specifically, both CS1 and CS2 cannot obtain the plaintext of the biometric dataset and biometric identification request.In the following, we will prove the security of our scheme from the view of the two cloud servers.

Theorem 1. CS1 cannot obtain the plaintext of the biometric dataset and the biometric identification request during the biometric identification process.
Proof.We give the view of CS1 during the biometric identification process firstly and analyze why CS1 cannot obtain the plaintext of the biometric dataset and biometric identification request.
(i) View 1: in the Index Creation and Encryption phase, the encrypted biometric dataset E(T) and the encrypted searching indexes including the encrypted reference points , and FITing-tree segments Seg 1 , Seg 2 , . . .  are sent to CS1.Since the biometric dataset and reference points are encrypted by the SHE scheme, and CS1 does not have the secret key sk, CS1 cannot get any information about the plaintext of the biometric data from these encrypted data directly.By analyzing the maximum distance list, CS1 can only learn that there exists a biometric template T i in each data partition that satisfies where 1 < i < m.Since the reference points and biometric template are both encrypted by the SHE scheme, CS1 cannot infer their plaintext from these data.e FITing-tree segments are built on the iDistance indexes and do not have corresponding relation to the biometric dataset or identification request; thus, CS1 cannot obtain the plaintext from the segments either.Security and Communication Networks (ii) View 2: the encrypted biometric identification request.Since the biometric identification request is also encrypted by the SHE scheme and CS1 cannot decrypt it, the plaintext of the biometric identification will not be leaked to CS1. (iii) View 3: intermediate values during the biometric identification process.In the identification process, the distance between the biometric identification request and each reference point and the distance between the biometric identification request and each candidate template are leaked to CS1.Since the biometric identification request, the reference points, and the biometric template in the candidate result set are all encrypted by the SHE scheme, CS1 cannot get the plaintext of the biometric dataset and biometric identification request from these intermediate values.
erefore, CS1 cannot obtain the plaintext of the biometric dataset and the biometric identification request during the biometric identification process.

□ Theorem 2. CS2 cannot obtain the plaintext of the biometric dataset and the biometric identification request during the biometric identification process.
Proof.We give the view of CS2 during the biometric identification process firstly and analyze why CS2 cannot learn the plaintext of the biometric dataset, biometric identification request from these data.
(i) View 1: the distance between the biometric identification request and each reference point.While calculating the iDistance indexes of the biometric identification request, CS2 gets the distance between the biometric identification request and each reference point.However, CS2 cannot get the encrypted reference points and biometric identification request; thus, CS2 cannot obtain the plaintext of the biometric identification request.(ii) View 2: the distance between the biometric identification request and each candidate template.While verifying the template in the candidate result set, CS2 obtains the distance between the biometric identification request and each candidate template.Since the encrypted biometric dataset and biometric identification request are kept secret from CS2, CS2 cannot get the plaintext of the biometric dataset and the biometric identification request.
erefore, CS2 cannot learn the plaintext of the biometric dataset and the biometric identification request during the biometric identification process.

Performance Evaluation
In this section, we evaluate the performance of our proposed scheme in terms of computational costs and communication overhead.Specifically, we will compare our proposed scheme with an M-tree based privacy-preserving biometric identification scheme named MASK [26].e reason why we compare with MASK is twofold: (i) MASK is designed under the same system model with our proposed scheme.(ii) MASK is more efficient than other schemes designed for the biometric identification scenario in terms of computational and communication costs.

Evaluation Environment.
In order to measure the integrated performance, we implement both schemes with Java and conduct some experiments on an Intel Xeon 6226R CPU@2.9GHz Windows platform with 256 GB RAM. e SHE scheme is used to protect the privacy of the dataset and identification requests in these two schemes.e security parameters are set as k 0 � 2048, k 1 � 20 and k 2 � 160.A real-world dataset and a synthetic dataset are used to test the performance of these two schemes.ese two datasets are prepared as follows.
(i) Real-world dataset: we choose the Labeled Faces in the Wild (LFW) dataset [28], which contains 13223 face images collected from 5749 individuals.In this dataset, 1680 of the people pictured have two or more distinct photos.In this paper, we use the FaceNet algorithm to extract face features from these face images at first.Each extracted face feature is a 512-dimensional vector, and all the face features live on the same hypersphere, which means that each of the dimensions of the vector is in the range (-1,1).(ii) Synthetic dataset: we randomly generate a synthetic dataset that contains 8 × 10 4 face features.Each face feature is a 512-dimensional vector, and all face features lie in the same range (−1, 1) as the face features extracted by the FaceNet.e templates in the synthetic dataset are distributed in a hypercubes, in which each dimension is lying in (-1, 1).

Computational Costs.
In this section, we will evaluate the computational costs of our proposed scheme while generating the searching index, encrypting identification request, and answering the biometric identification requests, which correspond to the computational costs in Index Creation and Encryption phase, Encrypted Identification Request Generation phase, and Biometric Identification phase, respectively.Since the data in these two schemes are encrypted by the SHE scheme, we denote the computational costs of encrypting and decrypting data by the SHE scheme as C enc and C dec , the computational costs of adding and multiplying two SHE ciphertexts as C add−I and C mul−I , and the computational costs of multiplying a plaintext and SHE ciphertext as C mul−II .

Index Creation and Encryption.
As described in Section 5, there are two stages in the Index Creation and Encryption phase.e computational costs in this phase are related to the dataset size n, data dimension l, and partition numbers k.

Security and Communication Networks
(i) Index building process: in this stage, the biometric dataset is firstly divided into m partitions using the K-means algorithm.en, a reference point is selected for each partition.In Figure 4, we plot the computational costs of partitioning the dataset versus with n when l � 512 and m � 10. en, the distance between the biometric templates in each partition and the partition's reference point is calculated.Later, a FITing-tree is built on these iDistance indexes.e computational costs of creating the index are shown in Figure 5. (ii) Index encryption: when the index building process is complete, the searching index is encrypted.While encrypting the searching index, m reference points are encrypted.erefore, the computational costs of encrypting the searching index are m • l • C enc .In MASK, the index size is related to the node capacity of the M-tree [29].Given the node capacity C, there are at most  w max w�1 (⌈n/C w ⌉) nodes in the M-tree, where C w max < n < C w max +1 .erefore, the computational costs of encrypting the searing index in MASK are less than  w max w�1 (⌈n/C w ⌉) • l • C enc .Since the computational costs of encrypting the dataset are the same in these two schemes, we mainly focus on comparing the computational costs of encrypting the searching indexes.We test the computational costs of encrypting the searching indexes in both schemes over the synthetic dataset, and the results are shown in Figure 6 (m � 10).
We can see that our proposed scheme is more efficient in generating and encrypting the searching indexes.

Encrypted Identification Request Generation.
As described in Section 5, the client generates the encrypted identification request by encrypting the biometric template.
en, the encrypted identification request is sent to the cloud servers to get the identification result. 2 operations of multiplying a plaintext and SHE ciphertext are needed to encrypt each dimension of the identification request.Since the length of the biometric template is l, the computational costs of encrypting the identification template are 2lC mul−II in our proposed scheme.In MASK, the computational costs of generating the encrypted identification are 2(l + 1) C mul−II .In this phase, the computational costs are constant when the template length and the security parameters are set to fixed values.

Biometric Identification.
In the biometric identification phase, there are three stages: (i) iDistance index calculation: in this stage, two cloud servers work together to find out which partition the identification request belongs to.At first, the encrypted square of Euclidean distance between the identification request and each partition's reference points is calculated over their ciphertexts by CS1.
en, the encrypted data is sent to CS2 to get the plaintext.e computational costs of CS1 in this phase are •fa, and the computational costs of CS2 are m • l • C dec .(ii) Candidate result set generation: in this phase, CS1 firstly finds out which segments lb and ub lie in by searching in the B+ tree built over the FITing-tree segments.en, CS1 calculates the predicted position calculation of lb and ub and determines the candidate result set.Since the predicted position is calculated based on the plaintext, the computational costs in this phase contain the searching costs and predicted position calculation costs.In MASK, computational costs in this phase consist of the computational costs in searching the M-tree and verifying nodes in leaf nodes.e computational costs of CS1, CS2 in these two schemes are shown in Figures 7(a) and Figure 7(b), respectively.And the integrated running time in the biometric identification process of our proposed scheme and MASK is shown in Figure 7(c).We can see that our proposed scheme takes more time than MASK in identifying a biometric template when the biometric dataset is not very large.But as the size of the biometric dataset grows, our scheme is advantageous in the computational cost of the identification process.Since the searching process in each data partition is independent, it is easy to accelerate the search process of our proposed scheme in a concurrent way.As shown in 7(c), the efficiency of our proposed scheme is greatly improved when it is executed concurrently.In this section, we will evaluate the communication overhead of our proposed scheme when outsourcing the searching index and the encrypted biometric template dataset, submitting the encrypted identification request and searching the biometric templates, which are corresponding to the communication overhead in Index Creation and Encryption phase, Encrypted Identification Request Generation phase, and Biometric Identification phase, respectively.We analyze the communication overhead in theory at first and test it over the synthetic dataset.For the sake of simplicity, we denote the bit length of an integer and a floating number as L i and L f , respectively.According to the SHE scheme, the size of the ciphertext is k 0 bits.Since there are m reference points and n biometric templates in the dataset T, where both the reference point and biometric template are l-dimensional vectors, the size of the encrypted reference point is m • l • k 0 and the size of the encrypted dataset is n • l • k 0 .As the data in the maximum distance list is stored in floating number, their size is m • L f .A FITing-tree segment consists of a start point and the slope, and the size of each FITing-tree segment is (L i + L f ).Suppose that there are u segments contained in the FITingtree, the size of FITing-tree segments is u(L i + L f ).According to the building process of FTIing-tree, there are at least error + 1 data points in a segment, which means that u ≤ n/error + 1.In MASK, there are at most  w max w�1 (⌊n/C w ⌋) nodes in the M-tree, where C w max < n < C w max +1 .Hence, the communication overhead of MASK in this stage is less than (n + (⌊n/C w ⌋) • l • k 0 .

Encrypted Identification Request Generation.
In the Encrypted Identification Request Generation phase, the identification request is encrypted and sent to cloud servers.Since the identification request is an l-dimensional vector, and the ciphertext of each dimension is k 0 bits, the size of the identification request is lk 0 .e communication overhead of MASK in this phase is (l + 1)k 0 .We test the communication costs of different phases in both two schemes over the synthetic dataset, and the experimental results are shown in Figure 8. Specifically,   e experimental results demonstrate that the communication costs of our proposed scheme in this phase are much lower than those of MASK. Figure 8(a) shows the communication costs of sending the identification request in both two schemes.e communication costs in this phase are almost the same, but our proposed scheme is more efficient.Figure 8(a) shows the communication costs while identifying a template in the dataset.e results show that our proposed scheme sends more data than MASK when the dataset is not very large.But our proposed scheme is more and more efficient when the dataset size grows.

Storage Cost.
In our proposed scheme and MASK, the storage consumption of the cloud servers is mainly used to store the search indexes and the encrypted dataset.Since the size of the encrypted dataset is the same in these two schemes, we mainly compare the storage cost of storing the search indexes.In our proposed scheme, the search indexes consist of the encrypted reference points, the maximum distance list, and the FITing-tree segments.In MASK, the search indexes consist of the M-tree indexes.
e storage cost of storing the searching indexes of these two schemes is shown in Table 2.
7.4.1.Accuracy.In our proposed scheme, the combination iDistance and FITing-tree structure can achieve accurate range query.Transforming the biometric template into integers may reduce the accuracy of the identification scheme.is influence is very slight when enough decimal places are kept during the transforming process.We test the accuracy of our proposed scheme in terms of the false acceptance rate (FAR), false rejection rate (FRR), and equal error rate (ERR) over the LFW dataset [28].We firstly test the accuracy of the original FaceNet algorithm in terms of FAR, FRR, and EER varying with thresholds from 0 to 2, and the result is shown in Figure 9(a).e ERR of the original  FaceNet algorithm is 0.025.en, we also test the accuracy of the FaceNet algorithm with the biometric templates, which have been converted to integers.In this experiment, the biometric template values are converted to integer values with 3 decimals kept.We test the FAR, FRR varying with thresholds from 0 to 2000, and the result is shown in Figure 9(b).
e ERR of FaceNet algorithm with integer templates is 0.026.We can see the accuracy is kept almost the same as the original FaceNet algorithm.
After that, we also evaluate the accuracy of our proposed scheme in terms of FAR, FRR, and ERR in the identification scenario.We test the FAR, FRR varying with thresholds from 0 to 2000, and the result is shown in Figure 10.e ERR of the identification scheme is 0.249.

Conclusion
In this paper, we have proposed an efficient and privacypreserving identification scheme for identifying an individual in huge biometric datasets.Specifically, we introduced the FITing-tree to generate an index for the biometric dataset based on which the efficient identification service can be achieved.
en, we use the SHE technique to ensure the privacy of identification requests and the biometric dataset.
e security of our proposed scheme has been analyzed, and the result shows that the privacy of both the biometric dataset and biometric identification can be preserved.To evaluate the computational and communication cost of our proposed scheme, we implement it and test it over a synthetic dataset.Experimental results demonstrate that our proposed scheme is efficient in terms of computational and communication costs when identifying a biometric template in a large dataset.Security and Communication Networks 13

Figure 3 :
Figure 3: e query process of the FITing-tree.
(iii) Verification: in this phase, two cloud servers collaboratively traverse the biometric templates in the candidate result set.e computational costs of CS1 in this phase are  m i�1 (|CRS i |)• (2lC mul−I + (2l− 1)C add−I ), and the computational costs of CS2 in this phase are  m i�1 (|CRS i |) • l • C dec , where |CRS i | is the size of the ith partition's candidate result set.

Figure 4 :
Figure 4: e running time of partitioning the dataset varies with dataset size n.

Figure 5 :
Figure 5: e computational cost of creating the index.(a) e running time of calculating iDistance index with different n.(b) e running time of building FITing-tree with different n.(c) e integrated running time of creating index with different n.

Figure 6 :
Figure 6: e running time of encrypting indexes varies with dataset size n.

Figure 8 :
Figure 8: e communication costs of our proposed scheme and MASK.(a) e communication costs of sending the indexes with different n.(b) e communication costs of sending the identifiaction request with different n.(c) e communication costs in the identification phase with different n.

Figure 7 :
Figure 7: e computational cost in the identification stage.(a) e running time of CS1 in identification stage with different n.(b) e running time of CS2 in identification stage with different n.(c) e integrated running time in identification stage with different n.

Figure 9 :Figure 10 :
Figure 9: e error rate of the recognition algorithm.(a) e FAR and FRR of the original FaceNet algorithm varying with threshold.(b) e FAR and FRR of the FaceNet algorithm with integer templates varying with threshold.
2 , . . ., P m if slope > S low and slope < S high then (xi) Add point (i, D[i]) to this segment.(xii) S high ← min(S high , start.y− D[i] + error/start.x− i) (xiii) S low ← max(S low , start.y− D[i] − error/start.x− i) Index Creation and Encryption.In this phase, SP firstly builds a searching index based on the iDistance data structure and FITing-tree data structure over the biometric dataset T. en, SP encrypts the index and dataset T with the SHE scheme.Eventually, SP outsources the encrypted index and dataset to CS1.   utilizing the K-means algorithm and selects a reference point for each partition, where the reference point for the ith partition P i is represented by O i .(ii) iDistance index calculation: for every template in one partition, the Euclidean distance between this biometric template and the partition's reference point is computed at first.For example, for the ith partition P i , for any T � t 1 , t 2 , . . ., t l   ∈ P i , the Euclidean distance between them is computed as dis(T, O i ) � 5.2.1.Stage 1: Index Building Process.In this stage, the iDistance index for each biometric template in dataset T is calculated at first.en, a FITing-tree is built based on these indexes.(i)Data partition: SP firstly divides the biometric dataset T into m partitions P 1 , P 2 , . . ., P m j − o ij ) 2 are generated.Each segment can be represented by its starting point and slope, where Seg i � start i , slope i  .5.2.2.Stage 2: Index Encryption.After the FITing-tree is built, SP encrypts the indexes and the dataset with the SHE scheme.At first, SP encrypts the reference points of each partition with the SHE scheme, and the encrypted reference points are represented as E(O 1 ), E(O 2 ), . .., E(O m )  .en,SP encrypts each biometric template in dataset T using the SHE scheme.For a biometric T i � t i1 , . .., t il   ∈ T, it is encrypted as E(T) � E(t i1 ), . .., E(t il )  .In the end, SP outsources the encrypted dataset E(T) and the searching index, which includes the encrypted reference points E(O 1 ), E(O 2 ), . .., E(O m )  , maximum distance list d max−1 , d max−2 , . .., d max−m  , and FITing-tree segments Seg 1 , Seg 2 , . . .  to CS1. 5.3.Encrypted Identification Request Generation.When a client wants to verify whether a biometric template T r � t r1 , t r2 , . .., t rl  exists in the dataset T, it needs to send an identification request to the cloud servers.Considering the issue of privacy protection, T r should be encrypted in advance.Since the client receives the ciphertexts E(0) and E(1) in the System Initialization phase, the biometric template can be encrypted based on the homomorphic properties of the SHE scheme.

Table 1 :
Definition of main variables in our proposed scheme.and gets dis(T r , O 1 ), . . ., dis(T r , O m )  .After that, CS1 checks whether dis(T r , O i ) ≤ δ + d max−i holds.If it does, it means that ith partition has an intersection with the query range and will be considered as a candidate partition.Otherwise, it will be ignored.Eventually, the iDistance indexes of the identification request corresponding to each candidate partition's reference point are computed.For example, if ith partition is a candidate partition with reference point O i , the iDistance index of the identification request with respect to O i is calculated as iDis i � dis(T r , O i ) + offset i , where offset i �  i−1 j�1 d max−j .
i , we need to search the data points p ∈ P i whose iDistance index lies in[dis(T r , O i ) − δ, min(dis(T r , O i ) + δ, d max−i )].We denote dis(T r , O i ) − δ and min(dis(T r , O i ) + δ, d max−i ) as the lower search bound lb and upper search bound ub, respectively.CS1 finds out the biometric templates, which are stored in the range [pre_pos1 − error, pre_pos2 + error], and adds them to the candidate result set CRS i

Table 2 :
Storage cost (MB) of our proposed scheme vs. MASK with different dataset size.