Assessment of Two Privacy Preserving Authentication Methods Using Secure Multiparty Computation Based on Secret Sharing

: Secure authentication is an essential mechanism required by the vast majority of computer systems and various applications in order to establish user identity. Credentials such as passwords and biometric data should be protected against theft, as user impersonation can have serious consequences. Some practices widely used in order to make authentication more secure include storing password hashes in databases and processing biometric data under encryption. In this paper, we propose a system for both password-based and iris-based authentication that uses secure multiparty computation (SMPC) protocols and Shamir secret sharing. The system allows secure information storage in distributed databases and sensitive data is never revealed in plaintext during the authentication process. The communication between different components of the system is secured using both symmetric and asymmetric cryptographic primitives. The efﬁciency of the used protocols is evaluated along with two SMPC speciﬁc metrics: The number of communication rounds and the communication cost. According to our results, SMPC based on secret sharing can be successfully integrated in real-word authentication systems and the communication cost has an important impact on the performance of the SMPC protocols.


Introduction
Nowadays, while the most widely used authentication method is represented by password validation, biometric authentication is becoming more and more popular due to the many advantages it provides. Biometric traits are strongly bonded to the person they belong to and they uniquely identify the owner. These traits are part of the human body and, unlike passwords, cannot be forgotten or lost, excepting the case somebody suffers serious injuries. Some common biometric traits are: iris, fingerprint, retina and face. While it is recommended for users to have different passwords for different accounts, each person has only one set of biometric traits. This raises security concerns because, when compromised, biometric information can hardly be revoked and never replaced. Disclosed credentials can have negative consequences and stolen biometric traits can even facilitate identity theft.
Designing secure authentication protocols and systems represents a challenge of great interest in the academic research, especially when it comes to biometric credentials. According to the architecture, the authentication components of these systems can be centralized or distributed. In a centralized architecture, a single authentication component matches the credentials received from clients against the legitimate credentials which are persistently stored in databases. A security requirement when it comes to password-based authentication is never to store passwords in plaintext but apply a hash algorithm such as SHA. The same rule applies for biometric data, usually stored after being encrypted with classical algorithms. Centralised storage of biometric data raises both privacy concerns and even legal issues. In a distributed architecture, on the other hand, multiple components interact with each other in order to perform an authentication operation. The clients sensitive information is securely stored in multiple distributed databases using secret sharing and components perform secure multiparty computation (SMPC) to verify credentials.
SMPC has been studied extensively, mainly focusing on its theoretical contributions in providing security in multiparty interactive protocols, until the emergence of new application domains such as cloud computing, IoT, etc. which provide the possibility of cooperative computing and data processing, but at the same time stress the demand for preserving the privacy of confidential data. In this context, SMPC has known a tremendous re-activation as a research domain, now the focus being mainly on the application-oriented aspects, providing the much-needed mechanism of jointly computing on private data, without leaking confidential information. The state of the art regarding SMPC in practice is presented in [1]. The SMPC authentication systems have the great advantage of ensuring data privacy during the entire authentication process, which represent a motivation for our research in SMPC authentication protocols based on secret sharing.
Secret sharing consists in dividing a sensitive value into multiple shares, such that individual shares do not reveal any information about the initial value but, when recombined, the secret can be reconstructed. If a (k, n) threshold schema is used, the sensitive value is splitted into n shares and the secret can be reconstructed using a minimum number of k shares. There are several threshold schemes for secret sharing, such as those proposed by Shamir [2], Blakley [3] and Asmuth-Bloom [4]. In the present authentication system, passwords and iriscodes are divided into shares using Shamir threshold schema and each share is stored in a distinct database such that, if k − 1 databases are compromised, the attacker gains no useful information.
In order to guarantee the security of sensitive user information during the entire authentication process, secret values should never be reconstructed by the system. This can be achieved through SMPC protocols, which allow secure processing on secret shared data. The multiple distributed computing parties, each having access to only one database, collaborate in order to perform SMPC authentication operations. The input party or the client divides the password/iriscode into shares that are sent to the computing nodes and matched against the stored user's information. The authentication result is also represented as a secret shared value and the corresponding shares are sent to the result party, which represents the system or the application the client is trying to authenticate to. Only then the public result is revealed.
For password-based authentication, the equality between vectors of secret shared values is computed using SMPC. The iris-based authentication method can be divided into two phases: (1) the extraction from an iris image of the feature vector as a sequence of bits and (2) the matching of the iriscode with a template stored in a database. In this paper we focus strictly on the validation/matching of biometric credentials, when the Hamming distance (HD) [5] is computed using SMPC.
The main contributions of our research are: the design of a SMPC system used for both password-based and iris-based authentication and the evaluation of the protocols considering efficiency and SMPC specific metrics. Furthermore, starting from the SMPC adapted Hamming Distance for iris-based authentication, we added three enhancements to the base algorithm: • In order to increase security, an extra check is made for the minimum number of iriscode bits that are considered when computing the Hamming Distance; • The fusion of Hamming Distance and fragile bit distance (FBD) [6] that improves recognition accuracy, is integrated in the SMPC system; • The database storage requirements for secret shared authentication data is decreased using bit decomposition.
As expected, each enhancement comes with a smaller or larger performance penalty. The paper is structured as follows. In Section 2, the related work and the state of the art in SMPC authentication are presented. Section 3 describes the architecture of the distributed system and Section 4 introduces the base SMPC authentication protocols. The three mentioned enhancements are presented in Section 5, together with a theoretical evaluation. The methods and results for the experimental results are described in Section 6, followed by conclusions in Section 7.

Related Work
Nowadays, hardware architectures provide highly efficient computations, which enable the integration of SMPC in real-world applications. During the last few years, many SMPC frameworks that allow encrypted data processing were developed. The authors of [1] describe the security requirements that must be provided by these systems: privacy, correctness, independence of input, guarantee of output and fairness. They also present an overview regarding the state of the art in designing SMPC protocols that resist in various security models. In the semi-honest adversary model (the honest-but-curious model), the corrupted parties do not deviate from the protocol but try to gain as much information as possible from the other participants. Although it provides weaker resistance than the other models, the semi-honest model manages to cover several security needs in many practical scenarios. In the malicious adversary model, the corrupted parties may not execute the protocol correctly and may manipulate messages. The resistant protocols in this model provide strong security buy their complexity results in performance penalties. The covert adversary model represents a tradeoff: the corrupted parties may deviate from the protocol but they are caught cheating with a given probability. The IPS compiler that converts honest majority agreements into agreements under the malicious model is one of the state of the art technologies mentioned in [1].
SMPC techniques are used in various contexts such as password or biometric authentication, electronic voting, computation of privacy-preserving statistics using financial or medical data. SMPC can even be used in order to securely evaluate the S-boxes of the well-known block ciphers, Triple DES and AES [7], or for threshold Elliptic Curve Digital Signature Algorithm signing [8]. The SMPC protocols became rather mature and, during the last few years, they were integrated in highly topical fields, for example cloud computing [9], data mining [10] and machine learning [11]. These techniques are based on cryptographic tools that ensure data privacy, such as secret sharing, garbled circuits, oblivious transfer and homomorphic encryption.
The authors of [12] propose an E-voting scheme that uses SMPC based on Shamir secret Sharing. The scheme is secure and keeps the anonymity of the voters while it also provides efficiency and reliability. The E-voting scheme from [13], also based on SMPC, provides enhanced security as Visual Cryptography is used for the biometric identification of the voters. Two shares are created from a fingerprint image: one share is stored by an administrator and one share is stored by the voter, such that none of them has full access to the biometric data.
When it comes to secret shared passwords, matching can be performed using two methods: • The legitimate password is reconstructed from persistent-stored shares before it is compared to the password received from a client; • The legitimate secret shared password is never reconstructed and matching against another secret shared password received from a client is performed through SMPC.
A password-based authentication system that uses the first method and Shamir secret sharing is presented in [14]. The password is divided into shares before being stored, but the secret is reconstructed when a client authentication is performed. The system has an architecture with several component roles: client, dealer (performs secret sharing and secret reconstruction), shareholders, service and external server. The authors of [14] also present a possible security enhancement for their system, based on the idea of hiding the abscissa vector (the vector of integer points in which the Lagrange interpolation polynomial used by Shamir schema is evaluated when computing the secret shares). If a (k, n) threshold schema is used and an attacker steals k shares, he cannot reconstruct the original value without knowing the abscissa vector.
While in [14] the passwords are reconstructed during authentication, in our system the SMPC method is implemented and passwords are not revealed in plaintext during the authentication process. Our system is secure in the semi-honest model with at most k corrupted parties out of n parties, according to the (k, n) threshold schema (the (2,3) schema or the (3,5) schema). The authors of [15] describe a distributed password-based authentication service that uses three-party computation based on garbled circuits. Their protocol provides security against a single malicious party.
Several SMPC authentication systems with various characteristics were also developed for biometric authentication. In [16], the authors present possible threats for these systems together with the main cryptographic tools used nowadays to prevent the leakage of biometric data: SMPC, Verifiable Computation and Bloom Filters.
The SMPC iris-based and fingerprint-based recognition methods in [17] rely on twoparty protocols based on homomorphic encryption, garbled circuits and oblivious transfer. The presented methods achieve security against semi-honest adversaries. In [18], the authors present an authentication system resistant in the malicious security model. The SMPC system, called SEMBA, is used for multimodal recognition that relies on both facial and iris biometrics. SEMBA relies on the SPDZ protocol as the inner cryptographic tool and uses two computing parties. Our SMPC system relies on Shamir secret sharing and it uses unimodal biometric protocols (only iris-based authentication is implemented). As a security enhancement, symmetric and asymmetric cryptography is also used in order to secure the communication between components in our system. A comparison between these systems is provided in Table 1.

Characteristic
The SMPC protocols from [17] The SMPC protocols from [18] The SMPC protocols from our system Another short description of the way SMPC can be used for password authentication and biometric identification, along with the presentation of a successfully implemented system, is presented in [19]. The system, developed by Unbound Technology for enterprise environments, makes use of virtual Hardware Security Modules (vHSM) for authentication. These modules are software implemented.
The motivation of our work is to provide an evaluation for the used SMPC authentication protocols in order to highlight that SMPC based on Shamir threshold schema can be successfully integrated in authentication frameworks.
Preliminaries: This paper is a continuation of our previous work [20], where two sets of SMPC protocols based on secret sharing are evaluated and compared. Both of the sets contain three main algorithms: SMPC Equality (the equality of two secret shared values), SMPC Comparison (the comparison of two secret shared values) and SMPC Interval test (the belonging of a secret shared value to a public interval). While in our previous work we focused on finding efficient SMPC inner algorithms in order to ensure a better performance for the three main algorithms, in this paper we integrate these algorithms in a SMPC authentication system. The set of algorithms with the best efficiency from the two sets benchmarked in our previous work are now adapted and used in several authentication protocols for passwords and iriscodes matching.
The SMPC protocols in our system use the (k, n) Shamir secret sharing threshold schema as the inner cryptographic primitive. A confidential value is splitted into n shares and at least k shares are needed in order to reconstruct the original value. Shamir secret sharing is based on the Lagrange interpolation polynomial. A polynomial f (x) with degree k − 1 is constructed (Equation (1)), where the first coefficient is the secret value s and the other coefficients are random positive integer values.
The n secret shares are computed by evaluating f (x) in n different positive and nonzero integer points. The secret value is equal to f (0) and it can be reconstructed by interpolation if we know k secret shares s i and the points a i the shares were evaluated in (Equation (2)).
Shamir secret sharing is explained in detail in [2] and the way the SMPC main protocols based on secret sharing work is presented in [21].

System Architecture
The proposed SMPC system authenticates users based on plaintext usernames and secret shared passwords/iriscodes. Two secret sharing threshold schemas are supported: the (2,3) schema (the confidential values are splitted into 3 shares and can be reconstructed using 2 shares) and the (3,5) schema (the confidential values are splitted into 5 shares and can be reconstructed using 3 shares). Figure 1 presents the architecture of the proposed SMPC authentication system when the (2,3) Shamir secret sharing threshold schema is used. The authentication result is computed by matching secret shared passwords/iriscodes stored in distributed databases against secret shared passwords/iriscodes received from the client. These confidential values are distributed across the computing nodes and they are never reconstructed. One share is not needed when reconstructing the authentication result (it is represented by a dotted line). The distributed architecture of the system consists of multiple components having one of the following roles: • Input party: divides the password/iriscode into shares and sends the shares to the computing nodes, together with the plaintext username; • Computing nodes: exchange messages with one another in order to perform a SMPC authentication operation by matching the client input with the information stored in databases. They also have the role to store new usernames and secret shared passwords/iriscodes in databases when a client registers to the system. The computing nodes can dynamically connect to and disconnect from the system. When a (k, n) schema is used, at least n nodes must be connected to the system. • Result party: computes the public authentication result by combining the shared output of the computing nodes; • Service node: acts like a proxy and selects the n computing nodes required for each client request. The nodes are chosen according to a load balancing algorithm: the service node keeps evidence of how many active requests each computing node is serving at a given moment and, when a new authentication request is made, the service node selects those computing nodes that manage the fewest requests. The sets of n IP addresses of the selected computing nodes are sent to the clients before they can connect to the computing nodes for authentication or registration operations. The service node is also responsible for key management: the clients and the computing nodes provide an RSA public key every time they connect to the system and the server generates AES keys that are sent both to the clients and to the selected computing nodes after being encrypted with the corresponding RSA public keys. Clients encrypt the password/iriscode shares using the AES keys in order to avoid man-in-the-middle attacks on the communication channels established with the computing nodes.
The steps for authentication operations (similar steps are used for registrations, excepting SMPC processing and secret reconstruction which are replaced by an insert operation in the distributed databases) are as follows: 1.
The client connects to the service node and sends its public RSA key to the node; 2.
The service node selects the IP addresses of n available computing nodes; 3.
The service node generates an AES key, which is sent to each selected computing node after being encrypted with the node's RSA public key; 4.
The service node sends to the client the selected computing nodes IPs and the AES key encrypted with the client's RSA public key; 5.
The client divides his password/iriscode into secret shares and encrypts the shares using the AES key; 6.
The client connects to the selected computing nodes and sends the encrypted secret shared values to them, together with the plaintext username; 7.
The computing nodes connect to one another and perform a SMPC authentication operation using the client's shares, decrypted with the received AES key, and the shares retrieved from databases; 8.
The computing nodes send the secret shared result to the result party; 9.
The result party reveals if the authentication succeeded.

The SMPC system security analysis and threats resistance:
The SMPC authentication protocols presented in this paper are secure in the semihonest model and they rely on the (k, n) Shamir secret sharing threshold schema. Before being sent to the computing nodes, the biometric information and the passwords are splitted into secret shares, such that at least k out of the n shares must be known in order to reconstruct the initial values. The client's authentication data is also stored as secret shares in distributed databases. The biometric information and the passwords are never reconstructed during the authentication process as matching is performed using SMPC. The system tolerates at most k − 1 corrupted computing nodes such that security is not broken.
The shares transmitted between the input party and the computing nodes are encrypted using AES, which makes our system resistant against sniffing and man-in-themiddle attacks, even if more than k − 1 communication channels are eavesdropped. More-over, different AES keys are used for every authentication operation, such that reply attacks are prevented. If the legitimate client sends his secret data to the computing nodes and then an attacker tries to use the same messages for another authentication, the stolen encrypted shares are decrypted using a wrong AES key. However, the values transmitted between the computing nodes are secret shared but they are not otherwise encrypted because, as our experimental results show, the number of messages exchanged between the computing nodes is large and encrypting them would represent a significant overhead.
A possible solution in order to secure the communication between the computing nodes against sniffing and man-in-the-middle attacks is to encrypt the messages exchanged between these nodes with a high-performance stream cipher such as Rabbit [22] or Trivium [23]. The secret keys needed by the stream ciphers can be encrypted using asymmetric protocols and distributed by the service node in the same way the AES keys are currently exchanged.
Several well-known attacks against password-based authentication protocols are presented in [14]: dictionary attacks, brute force, lookup tables, reverse lookup tables, hybrid attacks (a combination of different attacks). In [16], the main threats against biometric authentication systems are described. In our system, knowing k − 1 shares does not reduce the keyspace in order to brute force one more share. While the brute force attacks can be prevented using long passwords, the dictionary attacks can be prevented using complex passwords such that they are not among the preselected words and phrases tried by an attacker. Also, blind brute force and even set covering (an optimal brute-force attack) are not feasible for 6400-bit iriscodes. Lookup tables are based on precalculated hashes of possible passwords. As different sets of secret shared values can be obtained by secret sharing a password multiple times, the construction of lookup tables is very difficult. Moreover, the secret shares are distributed and stored in multiple databases, which makes this attack even harder to succeed in our system.

Authentication Protocols
This section presents a password-based SMPC authentication protocol and an irisbased SMPC authentication protocol, both secure in the semi-honest adversary model. The authentication protocols use four main inner algorithms: SMPC_Equality (the equality of two secret shared values), SMPC_Comparison (the comparison of two secret shared values), SMPC_Interval_test (the belonging of a secret shared value to a public interval) and SMPC_Bit_decomposition (simplified bit decomposition). These algorithms, along with their sub-algorithms, are introduced in [21] and are integrated in our system with some adaptations such as the possibility to be applied on vectors of secret shared values. The algorithms are implemented in a similar way as the second set of SMPC protocols in our previous work [20], with the same constraint: they work only on positive integer values. The SMPC_Pre f ix_OR/AND and SMPC_Fan_in_OR/AND sub-algorithms are computed bit by bit, as in [24]. The SMPC_Bit_decomposition algorithm presents an efficiency improvement compared to the original bit decomposition algorithm from [25], although it uses the same bitwise sum sub-algorithm as in [25].
Each secret shared value is represented on m = 2 r bits (M = m 8 bytes). A (k, n) Shamir secret sharing threshold schema is used and computations are performed in the finite field Z p , where p is the largest prime number less than 2 m . The computing nodes have IDs from 1 to n and they execute the same algorithm flow in parallel, each processing secret shared values [s] id computed from the secret value s by Lagrange polynomial evaluation at point id. The computing nodes perform symmetrical operations during the authentication process. All algorithms were extended to work on vectors of shares. For example, The SMPC protocols involve multiple communication rounds between the computing nodes, when they exchange messages containing one or more secret shared partial results. The total number of values sent by all the computing nodes during a SMPC operation represents the communication cost. The evaluation of the number of communication rounds and the communication cost is performed using the method and the theoretical results from [20]. In the protocols described in this section, the final result of the match, revealed by the result party in the authentication system, is reconstructed at the end of each algorithm by the computing nodes in order to verify the correctness of the implementation during testing.

Password-Based Authentication Protocol
We consider a plaintext password represented on P LENGTH bytes. Firstly, the password is padded with zeros so that its length in bytes is a multiple of M. Then, the password bytes are grouped in password chunks, each chunk containing M password bytes. Finally, the password chunks vector is splitted into secret shares according to the (k, n) Shamir threshold schema. n vectors of secret shared values are obtained. Each vector contains P SH ARES_NO = ceil( P LENGTH M ) shares and it is stored in a different database. Each share is represented on M bytes. The secret sharing operation introduces randomness, so the results obtained by splitting the same password multiple times are not equal.
Before an authentication operation, the password is splitted again by the client and the shares are sent to n computing nodes with distinct IDs. The nodes perform SMPC in order to check the equality between the secret shared password stored in databases and the one provided by the client.
In Algorithm 1, the equality between all pairs of password shares is computed, then all the elements of the result vector are multiplied (a secret shared zero value, meaning that a pair of shares does not match, fails the entire authentication). The multiplication between all the vector's elements (Algorithm 2) is computed with a minimum number of communication rounds P MUL_ROUNDS = ceil(log 2 P SH ARES_NO ) and a communication cost P MUL_COST < 2 P MUL_ROUNDS .

Algorithm 1: SMPC_Password_match
When forming groups of M password bytes from the plaintext password, the constraint is to obtain values smaller than the largest prime number p < 2 m . Otherwise, by secret sharing the password chunks (operation performed in Z p ), the values equal to or greater than p are truncated.
If each password byte has the most significant bit unset, the above constraint is satisfied as each password chunk is smaller than p (2 m−1 < p < 2 m ). In the present system, passwords consisting of standard ASCII characters (ASCII codes below 128) are considered valid. The drawback of our method is that only 7m 8 bits can be used for the password while the rest have values equal to '0'. In

Iris-Based Authentication Protocol
A reliable and widely used method for iris pattern recognition is based on the Hamming Distance, which measures the dissimilarity between two iris feature vectors. Two bit vectors of equal length I LENGTH are extracted from an eye image X: the iriscode C X and a mask M X marking all bits unoccluded by artifacts such as eyelashes. The HD is computed according to Equation (3).
The result should not exceed a given threshold ('0' means perfect match between the two iriscodes).
Algorithm 3 illustrates how to compute the Hamming Distance through SMPC. The iriscodes and masks are vectors of length I LENGTH , containing secret shared bits. The SMPC comparison with threshold t is computed, where t represents a public integer value, 1 ≤ t ≤ 100. A zero numerator represent perfect match and the comparison (strict inequality) never passes with a zero denominator. In order to avoid sum overflow, I LENGTH should be chosen such that I LENGTH * 100 < p.

Iris-Based Authentication Enhancements
In this section, three enhancements are added to the SMPC_Iris_match algorithm in order increase security, improve recognition accuracy and decrease database storage requirements. The extra checks and operations are marked with blue in the next algorithms.

Security Enhancement
The SMPC_Iris_match algorithm considers only those bits unoccluded by artifacts. If an attacker sends a random iriscode [C Y ] with a mask [M Y ] containing only one set bit and if the corresponding bit in the stored mask [M X ] is also set, the chances are 50 percent for the authentication to be successful.
An extra check is added in Algorithm 4, so that at least k bits to be considered when matching iriscodes. k is a public value but the actual number of pairs of bits at the same index which are set in both masks is not revealed. The total communication cost is the sum of: (1) the cost needed for SMPC_I M, (2) the cost for an interval test and (3) the cost for a multiplication.

Accuracy Enhancement
Reference [6] presents a method to improve the accuracy of iris recognition through fusion of Hamming Distance and fragile bit distance. An iriscode bit is consistent if it has the same value for most images of the same iris, otherwise it is considered fragile. The authors explain how to determine if a bit is consistent from a single image: when applying a Gabor filter to the image to a specific location during feature vector extraction, the magnitude of the real part, respectively the imaginary part, of the resulting complex number is considered. A large magnitude indicates a corresponding consistent bit in the iriscode and a small magnitude indicates a fragile bit. For each iris image X, three vectors are extracted: the iriscode C X , the occlusion mask M X and the fragility mask F X . FBD is computed according to Equation (4).
The fusion score is computed from HD and FBD considering weight α (Equation (5)).
Algorithm 5 illustrates how the fusion score can be computed through SMPC. The iriscodes, occlusion masks and fragility masks are vectors of length I LENGTH , containing secret shared bits. 1 V represents a vector of length I LENGTH , with all the elements equal to '1'. We consider α = 0.6 (the value for which the lowest equal error rate was obtained in [6]). The total communication cost is the sum of: the cost needed for SMPC _ I M and (2) the cost for two extra multiplications performed on vectors with I LENGTH elements.

Database Storage Requirements Enhancement
For all the previous SMPC iris match algorithms, each bit in iriscodes or in masks is secret shared according to the (k, n) schema and n shares, each represented on M bytes, are generated. Consequently, a plaintext iriscode/mask containing I LENGTH bits occupies I LENGTH · M bytes in each of the n databases after secret sharing.
In order to reduce the storage requirements, the plaintext iriscode/mask is padded with zeros so that its length is a multiple of m − 1, where M = m 8 , then groups of m − 1 bits are formed. A vector containing values represented on m bits is generated, where the most significant bit of each element is unset and the rest of the bits are represented by one of the groups previously formed. All the elements of the vector should be smaller than the prime p in order not to be truncated during secret sharing, which is performed in Z p . The constraint is satisfied as each value has the most significant bit equal to '0'. By secret sharing the vector, n result vectors are obtained, each containing I SH ARES_NO = ceil( I LENGTH m−1 ) shares. According to the above method, where groups of bits are treated as decimal values, the database storage requirements for secret shared iriscodes and masks is reduced about m − 1 times. For example, if we consider a plaintext iriscode/mask with 6400 bits and shares represented on M = 8 bytes, 8 × 6400 bytes = 50 KB are needed in each of the n databases in order to store the secret shared iriscode/mask without using bit decomposition. If each database has a storage capacity of 1 GB, 10,485 secret shared iriscodes can be stored along with their occlusion masks. If we use bit decomposition, 8 × ceil( 6400 63 ) = 816 bytes are needed in each of the n databases for a secret shared iriscode/mask. Consequently, 657,930 iriscode-mask pairs can be stored if each database has a capacity of 1 GB.
In Algorithm 6, [C X ] id and [M X ] id represent stored vectors of decimal values. Before computing the Hamming Distance through SMPC, bit decomposition is applied on these values in order to obtain vectors of secret shared bits. As SMPC_Bit_decomposition is relatively expensive and time consuming, the clients that try to authenticate to the system send [C Y ] and [M Y ] id directly as secret shared bit vectors. SMPC_Bit_decomposition can be applied only if M is a power of 2. where: The total communication cost is the sum of: (1) the cost needed for SMPC _ I M and (2) the cost for two bit decomposition operations performed on vectors with I LENGTH elements.

Experimental Results
Experiments were conducted on a computer equipped with 8 GB of RAM and an Intel(R) Core(TM) i7 CPU (64 bits) at 1.80 GHz, with 4 cores and 8 logical processors, running Windows 10 operating system.
All the components of the distributed authentication system, along with the SMPC authentication protocols, are implemented in Python 3. The communication between the components is implemented using sockets. The SMPC system uses 1024-bits RSA keys and AES GCM algorithm with 256-bits keys. Passwords, iriscodes and masks were randomly generated for all testing scenarios and the SMPC authentication results were compared to those expected.

Experimental Evaluation of the SMPC Authentication System
In order to verify the correctness of our implementation and to evaluate the authentication system in terms of efficiency, a testing environment was created using VMware. Five virtual machines with Ubuntu 16.4 operating system were used: one machine for the service node, three machines as computing nodes and one machine having both the role of client and of result party. We chose MongoDB for persistent storage and the physical machine hosted the databases.
For this experiment, the (2,3) secret sharing threshold schema was used. For SMPC password-based authentication, we considered passwords containing 64 standard ASCII characters (with ASCII codes below 128) and secret shared values represented on M bytes, with 1 <= M <= 8.
For iris-based authentication, we considered the SMPC_Iris_match_with_masks_threshold algorithm, iriscodes containing 6400 bits and secret shared values represented on M bytes, with 3 <= M <= 8. The condition I LENGTH * 100 < p is not fulfilled for M = 2, p = 65521. Table 2 presents the efficiency of the authentication protocols, when 250 serial authentication operations were performed for each value of M. Efficiency is computed as the duration of a single operation in milliseconds. The time needed for the clients RSA keys generation, the AES key exchange and shares encryption is also considered. For both the authentication methods, efficiency is constant with M, but large values for M provide better security in the SMPC system than small values.

Experimental Evaluation of the SMPC Authentication Protocols
For each authentication algorithm we evaluated efficiency and two SMPC metrics: the number of communication rounds and the communication cost. Efficiency is computed in milliseconds as the processing time needed for a single SMPC operation. The number of communication rounds counts how many times the computing nodes exchange messages with one another during the execution of a SMPC algorithm. Those messages contain one or more secret shared partial results, each represented on M bytes. The total number of values transmitted between the nodes represents the communication cost. These experiments were performed on the physical machine, considering only the computing nodes and AES encryption was not applied. Secret shared data was already distributed to the computing nodes when evaluation started and the nodes also performed the reconstruction of the authentication result. For each algorithm and each value of M, 2500 serial operations were performed and the average values of the metrics for one operation were computed.
Evaluation for SMPC password-based authentication: Passwords of various lengths P LENGTH , containing standard ASCII characters, were considered. As presented in Table 3 for schema (2,3) and in Table 4 for schema (3,5), the duration of the password matching operations increases linearly with M. However, the best security is achieved for the largest value of M.  Table 5 presents the number of communication rounds for the (2,3) and (3,5) secret sharing schemas. Similar results for this metric were obtained for both schemas as the flow of the algorithm does not change with the n. The number of computing nodes n has no impact on the number of rounds but affects the communication cost and consequently the efficiency of the algorithm when different schemas are used.  Tables 6 and 7

Evaluation for SMPC iris-based authentication:
Iriscodes and masks containing I LENGTH = 6400 bits were considered. The penalty added by each enhanced algorithm to the base SMPC_Iris_match algorithm is provided in parentheses (+x) in all the following tables. Tables 8 and 9 present the efficiency of the SMPC iris-based authentication algorithms considering the (2,3) and (3,5) secret sharing schemas. For iriscodes of the same length and shares represented on 46 bits, the authors of [18] obtained an efficiency of 120 milliseconds using the SMPC iris-based authentication protocol implemented in their system. However, they use different testing machine specifications, n = 2 computing parties and the SPDZ protocol instead of Shamir secret sharing. For n = 3 and shares represented on 48 bits, we obtained an efficiency of 209 milliseconds.
Checking the number of set bits in the occlusion masks (SMPC_I MMT) has a small impact considering efficiency and represents an important security enhancement. HD and FDB fusion (SMPC_I MFBD) increases the accuracy of the iris-based authentication protocol by 8% according to [6], but the efficiency decreases by 1.55 times according to our results when this enhancement is integrated in the SMPC system. When bit decomposition (SMPC_I MBD) is used, the database storage requirements for secret shared iriscodes decreases but performance is significantly affected. For M = 8, the duration of the algorithm is 15 times longer than for the base SMPC_I M algorithm but the storage requirements decrease about 63 times. As in the case of passwords, the greater M is, the better the security of the authentication protocols is.  The number of communication rounds is similar for the (2,3) and (3,5) schemas (Table 10). The SMPC_I MFBD algorithm adds no communication round to the base algorithm, while SMPC_I MMT adds more than 50 new rounds. However, SMPC_I MMT has smaller negative impact considering efficiency than SMPC_I MFBD has.  The communication cost (presented in Tables 11 and 12) is more related to performance than the number of rounds. It can be observed that those algorithms that have an increased cost come also with significant efficiency penalties.

Conclusions
The idea of using SMPC techniques for authentication is a relatively old one but, in the past, it was not facilitated by the hardware capabilities. In this paper, we considered classical password-based and iriscode-based authentication algorithms and translated them into a SMPC form. We also presented how several enhancements regarding security, accuracy and database storage requirements can be added to the Hamming-Distance-based SMPC algorithm and how they affect the performance of the system. The architecture of the SMPC authentication system was described, along with the interactions between its components.
The efficiency of the algorithms was evaluated, along with two SMPC metrics: the number of communication rounds and the communication cost. This evaluation is relevant as it shows that the performance of the SMPC authentication protocols based on secret sharing facilitates their integration in real-word authentication systems, although the complex SMPC operations involve a large amount of information transmitted through the network. As far as we know, no similar evaluation was performed for SMPC authentication protocols based on Shamir secret sharing threshold schema. Using the (2,3) secret sharing schema, shares represented on 8 bytes and passwords containing 64 standard ASCII characters, the SMPC password matching algorithm is executed by the computing nodes in 0.067 s and the entire password-based authentication process (the SMPC password matching algorithm together with the AES/RSA encryptions/decryptions and the interaction between all the components of the system) is performed in 1.101 s. Using the same secret sharing configurations and 6400-bit iriscodes, the base SMPC iriscode matching algorithm (SMPC_I M) is executed by the computing nodes in 0.229 s and the entire iris-based authentication process is performed in 1.441 s. The performance is comparable to that obtained in other similar systems. According to our results, the communication cost has a considerable impact on the efficiency of the protocols. The iris-based authentication algorithms whose enhancement implies additional SMPC operations with high communication cost have a significant performance penalty. For example, the enhanced iriscode matching algorithm that used bit decomposition (SMPC_I MBD) has a communication cost that is about 10 times higher than the cost of SMPC_I M. However, the time needed in order to execute the SMPC_I M algorithm is about 13 times smaller than the time needed in order to execute the SMPC_I MBD algorithm.
As future work, we intend to integrate SMPC matching algorithms for multiple biometric traits into our system. The security of the system as a whole can be further improved, by performing message authentication between the computing nodes. And nonetheless, we aim to research and benchmark alternative SMPC protocols for improving the performance of the system.