Cryptobiometrics for the Generation of Cancellable Symmetric and Asymmetric Ciphers with Perfect Secrecy

Security objectives are the triad of confidentiality, integrity, and authentication, which may be extended with availability, utility, and control. In order to achieve these goals, cryptobiometrics is essential. It is desirable that a number of further characteristics be met, such as cancellability, irrevocability, unlinkability, irreversibility, variability, reliability, and biometric bit-length. To this end, we designed a cryptobiometric system featuring the above-mentioned characteristics, in order to generate cryptographic keys and the rest of the elements of cryptographic schemes, both symmetric and asymmetric, from a biometric pattern or template, no matter its origin (i.e., face, fingerprint, voice, gait, behaviour, and so on). This system uses perfect substitution and transposition encryption, showing that there exist two systems with these features, not just one (i.e., the Vernam substitution cipher). We offer a practical application using voice biometrics by means of the Welch periodogram, in which we achieved the remarkable result of an equal error rate of (0.0631, 0.9361). Furthermore, by means of a constructed template, we were able to generate the prime value which specifies the elliptic curve describing all other data of the cryptographic scheme, including the private and public keys, as well as the symmetric AES key shared between the templates of two users.


1.
Variability: Biometric data varies, whereas cryptography calls for exact and invariable data, as only one change in one bit of the key invalidates its identification and utility.

2.
Irreversibility: Cryptobiometric keys are not pure biometric data, which usually remain permanent and immutable in each human being, and are never to be obtained in a direct manner, which would oblige the need to revoke them (thus not permitting their later use) in the case of being compromised. Instead, they are generated as the result of some type of secure and irreversible mathematical transformation using that pure data.

3.
Cancellability: Biometric data are inexhaustible as, from them, many different keys can be generated as required. Thus, from a given biometric feature (iris, fingerprint, face, odor, gait, and so on), one is able to extract as many keys (of different lengths) as desired, according to the different applications.

4.
Irrevocability: In spite of the possibility of canceling cryptobiometric keys, our genuine biometric data can still be used, as they cannot be revoked.

5.
Unlinkability: Even if an attacker knows many keys, whether proceeding from the same or from different patterns, they cannot obtain the original biometric datum.

6.
Reliability: Biometrics seeks an acceptable average reliability value, depending on the application and situation, as a balance between the false rejection rate and the false acceptance rate.

Linnartz and Tuyls [32] proposed the "shielding functions" model in a theoretical manner, where the key and the biometric data are operated upon by these functions, thereby generating support data (or "helper data") that can later be used to generate the key again, in the case of authenticated input data.
Other techniques have combined aspects of the "fuzzy vault" and "helper data" [36,37].
More recently, the work of Iida and Kiya has focused on error-correcting codes and fuzzy commitment schemes for JPEG images [46]. A different methodology, by Malarvizhi, Selvarani, and Raj, uses fuzzy logic and adaptive genetic algorithms [47]. It is also worth mentioning the proposal of Liew, Shaw, Li, and Yang, who made use of Bernoulli mapping and chaotic encryption [48]; and the use of face and fingerprint biometrics along with watermarking and hyper-chaotic maps by Abdul, Nafea, and Ghouzali [49].
Another approach is that of Priya, Kathigaikumar, and Mangai, who used random bits mixed in an AES cipher [50]. Asymmetric encryption and irrevocability were used by Barman, Samanta, and Chattopadhyay [51]. The fuzzy extractor with McEliece encryption, which is resistant to quantum attacks, was proposed by Kuznetsov, Kiyan, Uvarova, Serhiienko, and Smirnov [52].
In the work of Chang, Garg, Hasan, and Mishra, a cancelable multi-biometric authentication fuzzy extractor has been proposed, where a novel bit-wise encryption scheme irreversibly transforms a biometric template to a protected one using a secret key generated from another biometric template [53].
More recently, the proposal of Anees and Chen used discriminative binary feature learning and quantization [67], and Yuliana, Wirawan, and Suwadi [68] combined pre-processing with multi-level quantization. Furthermore, Chen, Wo, Xie, Wu, and Han improved quantization techniques against leakage and similarity-based attacks [69].
With regard to cancellability, the works of Ratha, Connell, Zuo, and Bolle [70,71] and, later, of Savvides, Kumar, and Khosla [72] played a crucial role, introducing biometric cancellability and proposing systems that protect the original biometric data. Along the same lines, the closest in time is the study of Trivedi, Thounaojam, and Pal [73], as well as those who used symmetric cryptography, such as Barman, Samanta, and Chattopadhyay [74]. A secured feature matrix from the template and an AES cipher were used by Gaddam and Lal [75]. We also note the novel approach using random slopes by Kaur and Khanna [76], and the technique for achieving cancellability through geometric triangulation and steganography by Neethu and Akbar [77]. The work of Punithavathi and Subbiah [78] introduced partial DCT-based cancellability for IoT applications.
In key-binding, cancellability and revocability are naturally simpler; however, in key-generation, the situation is not as easy or simple.

Introduction
Voice data constitute one of the existing biometric features for identification, recognition, and authentication. We know that human beings can recognize familiar voices and identify multitudes of people by voice alone, even though we tend to express ourselves differently and may not even say the same words in the same way at different times [79].
The voice is produced by the excitation of the vocal tract, which extends between the glottis and the lips, leading to the vibration of air particles. The resultant sound waves can be picked up by the primary auditory structure of the receiver, which they set vibrating; these vibrating movements are finally converted back into auditory signals in the brain. Different types of sounds are the acoustic results of sound waves and, as such, we can analyze them by using signal processing technologies [80][81][82].

Speech Recognition
Voice recognition has two main phases. In the first phase, enrollment, samples are taken of the voice of the speaker; their main and differentiating characteristics are extracted, thereby constituting the template, which is then stored in the system. In the subsequent phase, recognition (verification or identification), a speech sample is taken, which is then compared with the data stored in the system.
When we speak of voice recognition, we must distinguish between two aspects. On the one hand, in verification (or authentication), a person claims to be a specific person, and the truth or falsehood of that claim is verified by the system through comparing one sample with their template or pattern (previously generated in their enrollment process) stored in the system. On the other hand, in identification, a voice sample is compared with a set of templates of diverse users (as wide as necessary), in order to determine who the user is (whenever they are in the system).
In voice biometrics, a distinction can also be made between text-dependent and text-independent techniques, depending on whether or not the samples come from the same phrase or common text.

Voice Recognition Techniques
There are two main classes (or types) of speech recognition techniques:

1.
Template Matching: A maximum accuracy or maximum likelihood is sought between the samples previously stored as a voice template and the new voice sample input. This is called the speaker-dependent model.

2.
Feature Analysis: This is also called the speaker-independent model, as it searches for characteristics within human discourse, and from them, it searches for similarities among the input speakers compared to the stored data in the system.
Our system follows the Template Matching method [86].

Spectral Analysis of Frequencies
Speech can be modeled as the response of a time-invariant linear system (i.e., the voice system) to a train of near-periodic pulses (for voiced sounds) or broadband noise (for unvoiced sounds).
The articulation of the entire vocal tract can be modeled as a slowly time-varying filter system, thereby giving the range of speech frequencies. Thus, speech is a non-stationary signal; however, its characteristics usually remain nearly constant over short intervals of between 30 and 40 ms. Although the human voice signal contains frequencies up to about 15 kHz, or even higher, it can be low-pass filtered to 3 kHz while still being perfectly intelligible.
With a suitable window of length L, we can thus capture the interval over which the signal properties are invariant and, through the DFT (discrete Fourier transform), display the properties of the signal in the frequency domain over that interval. The time-dependent Fourier transform provides a very useful description of the properties of the signal over time, as the spectrogram in Figure 1 shows [87].

Periodogram of the Signal
In general, noise-like signals, as with the sound expressions of the human voice, are much better modeled when they are considered to be random signals, due to the difficulty of applying deterministic modeling to them. An especially relevant estimator in speech recognition is the power spectrum, or power density spectrum, of the signal under the DFT, from which we can obtain the periodogram, based on direct Fourier transformation of finite-length segments of the signal [88,89].
If we are looking for an estimator of the power density spectrum P_SS(Ω) of a signal, we can apply a low-pass anti-aliasing filter to obtain sampling without aliasing (Figure 2). In this way, x[n] is a discrete-time stationary random signal whose power spectrum is, to a very adequate approximation, proportional to that of the continuous signal: P_SS(Ω) ∝ P_xx(ω), with ω = ΩT. With this, we define the periodogram I(ω) as

I(ω) = |V(e^jω)|² / (LU), with V(e^jω) = Σ_{n=0}^{L−1} w[n] x[n] e^{−jωn},

where x[n] is the discrete initial signal, w[n] is the discretization of the window which selects a certain finite quantity of samples, L is the number of samples of the finite-length segment, and U is a normalizing factor with value U = (1/L) Σ_{n=0}^{L−1} (w[n])².

Welch Method
The periodogram estimate (Figure 3) can be improved through periodogram averaging (Figure 4).
A sequence x[n], 0 ≤ n ≤ Q − 1, is divided into segments of L samples with a window of length L, forming the segments x_r[n] = x[rR + n] w[n], 0 ≤ n ≤ L − 1. For R = L, the segments are contiguous; if R < L, the segments overlap. This scheme achieves a straightforward trade-off between spectral resolution and reduction of the variance of the spectral estimate.
On the other hand, the periodogram, as an estimator, is asymptotically unbiased; however, its variance does not decrease to zero as the length of the segment increases, so, by itself, it is not a well-behaved estimator. Dividing the signal under study into small segments and averaging their respective periodograms, however, yields a well-behaved estimator [90,91].
The phases of the Welch method are as follows:

1.
Dividing the signal into overlapping segments.

2.
Windowing and FFT. We use an efficient algorithm for computing the DFT, known as the fast Fourier transform (FFT), together with a Hamming window w[n] with an FFT size of 2^10 = 1024 and the normalization constant U = 0.3970 obtained from that window.
As the window is not rectangular, the result is technically referred to not as a periodogram but as a modified periodogram.

3.
Averaging. The average and normalized values are calculated from the vectorized values of the overlapped fragments of the windowed and FFT-processed signal.
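The three phases above can be sketched numerically. The following is a minimal NumPy sketch of the Welch method as described (Hamming window, FFT size 1024, overlapping segments); the 200 Hz test tone and the 8 kHz sampling rate are illustrative choices of ours, not parameters from the experiments reported here.

```python
import numpy as np

def welch_periodogram(x, L=1024, R=512):
    """Average modified periodograms of overlapping segments (Welch method).

    L: segment/FFT length; R: hop size (R < L gives overlapping segments).
    Returns the one-sided averaged periodogram estimate."""
    w = np.hamming(L)
    U = np.mean(w ** 2)                       # normalizing factor, ~0.397 for Hamming
    n_seg = (len(x) - L) // R + 1
    psd = np.zeros(L // 2 + 1)
    for r in range(n_seg):
        seg = x[r * R : r * R + L] * w        # windowing the r-th segment
        V = np.fft.rfft(seg)                  # FFT of the windowed segment
        psd += (np.abs(V) ** 2) / (L * U)     # modified periodogram I(w)
    return psd / n_seg                        # averaging

# Example: a 200 Hz sine sampled at 8 kHz should peak near bin 200/8000*1024 = 25.6
fs = 8000.0
t = np.arange(0, 2.0, 1 / fs)
x = np.sin(2 * np.pi * 200 * t)
P = welch_periodogram(x)
peak_bin = int(np.argmax(P))
```

Choosing R smaller than L trades more computation for a lower-variance estimate, which is the trade-off mentioned above.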

Proposed Model
Of the three types of relationship between biometrics and cryptography-key-release, key-binding, and key-generation-our system is of the third type, key-generation, in which the key is extracted from the biometric pattern. In this way, our model is a key-generation system which is both fully cryptographic and biometric in all of its parts and elements. It does not use functions other than cryptographic ones in any of its parts, as we consider this to be the best way to achieve security objectives.
In reference to the seven characteristics mentioned above which a cryptobiometric system must meet, our system complies with all of them: Irreversibility, cancellability, irrevocability, and unlinkability are characteristics of the system itself.
The other properties-variability, reliability, and biometric bit-length-depend on the biometric system considered. In our case, we experimentally apply our model to voice biometrics and explore how these three characteristics are also achieved.
An additional aspect that we want to highlight, which we will see later in the security analysis, is that the system meets the requirements of being perfectly secret, making it impossible to cryptanalyze.
In this way, considering all of the above, our system meets the highest demands and qualities of a cryptobiometric system.
In the following, we broadly indicate how our system can be implemented in both symmetric and asymmetric encryption modes, showing examples of the main protocols as well as the Diffie-Hellman key-exchange.

Schemes of Ciphers
Our model can be implemented in symmetric ciphers, such as DES (deprecated) or AES, in asymmetric ciphers, such as RSA, Elgamal, Paillier, or elliptic curves, and in the Diffie-Hellman key-exchange, thereby completing the basic cryptographic suite. These are the examples that we present below, in order to exemplify the methodology.
Note, however, that RSA and the other schemes listed here are more extensive in their functionality than the encryption-decryption function itself (although that was originally their main use); they can therefore be used for public-key encryption, hybrid encryption, digital signatures, and key-exchange, among other capabilities. We wanted to show the broad range of application of our system, which is capable of being implemented in various scenarios such as those mentioned here [92].
The different elements of a cryptosystem are usually merely random. In our case, we generate them cryptobiometrically, linking them to the subject; although they do have the property of being cancellable, when necessary.

RSA Cipher
The RSA algorithm, proposed by Ron Rivest, Adi Shamir, and Leonard Adleman [93], bases its strength on the computerized difficulty of factorizing compound numbers of large primes (integer factorization problem).
Each user, A and B, carries out the following process: Starting with two large prime numbers, p and q, which are secret, their product r = p * q is made public. The Euler value, ϕ(r) = (p − 1)(q − 1), is also secret. The secret key, SK, and the public key, PK, satisfy the modular relation SK * PK = 1 mod ϕ(r).
With the value of the message to be ciphered defined as X, the encryption (E) and decryption (D) processes can be expressed as:
Encryption: E_PK(X) = Y = X^PK mod r.
Decryption: D_SK(Y) = Y^SK mod r = X^(PK * SK) mod r = X mod r.
The elements that A (with B similar) generates in this cryptosystem are {p_A, q_A, SK_A}; the rest are obtained from these. Their respective binary lengths are of order {l, l, 2l}.
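These relations can be traced with a toy example. The sketch below uses the well-known textbook primes 61 and 53, which are far too small for real use (real keys use primes of roughly 1024 bits or more):

```python
# Toy RSA (illustrative only; parameters are the classic textbook example).
p, q = 61, 53                  # secret primes
r = p * q                      # public modulus, 3233
phi = (p - 1) * (q - 1)        # secret Euler value, 3120
PK = 17                        # public key, coprime with phi
SK = pow(PK, -1, phi)          # secret key: SK * PK = 1 mod phi -> 2753
X = 65                         # message
Y = pow(X, PK, r)              # encryption: Y = X^PK mod r
X2 = pow(Y, SK, r)             # decryption: X = Y^SK mod r
```

The three-argument `pow` performs fast modular exponentiation, and `pow(PK, -1, phi)` (Python 3.8+) computes the modular inverse defining SK.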

Elgamal Cipher
Taher Elgamal [94] proposed a public-key ciphering scheme based on the discrete exponentiation problem, or the discrete logarithm over the multiplicative group of a finite field Z_p. Let G be a cyclic group of order n and f be its generator (i.e., G = { f^i : i ∈ [0, n) }). Then, the exponential function of base f is defined as F(x) = f^x, where x belongs to Z_p. Its inverse operation is the discrete logarithm: for an element t of G, the discrete logarithm of t in the base f is the integer x in the interval [0, p) such that f^x = t, written x = log_f t. With this, the discrete logarithm problem can be described as "given a prime number p, a generator f of Z_p, and an element t of Z_p, find an integer x within the interval [0, p) such that f^x = t mod p." The Elgamal cipher takes elements of G as clear messages or plain text. Let A be the user who wants to send a message X to a user B. A finite group G and a generator f of it are selected, neither of them secret (i.e., available or public); A selects a random number a (private key) and calculates its public key in G, f^a. User B does likewise with their private key b to obtain f^b.
Encryption: A generates a random number s and calculates f^s. A takes f^b from user B and sends to B the pair ( f^s, X( f^b)^s ).
Decryption: B raises the first coordinate received to his own private key b, calculating ( f^s )^b in G. With this, he takes the quotient of the second coordinate received and the value just calculated, thereby obtaining the value X.
The elements that users A and B generate in this cryptosystem are {p, f , a, b, s}, the rest being obtained from these values, all with binary lengths of order {l}.
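The Elgamal steps can be sketched as follows; the prime 467 and the base 2 are illustrative toy parameters of ours, far below secure sizes:

```python
import random

# Toy Elgamal over Z_p* (illustrative sizes only; real use needs ~2048-bit p).
p = 467
f = 2                              # public base element
a = random.randrange(2, p - 1)     # A's private key
fa = pow(f, a, p)                  # A's public key f^a
b = random.randrange(2, p - 1)     # B's private key
fb = pow(f, b, p)                  # B's public key f^b
X = 123                            # message

# Encryption by A for B:
s = random.randrange(2, p - 1)     # A's fresh random number
c1 = pow(f, s, p)                  # f^s
c2 = (X * pow(fb, s, p)) % p       # X * (f^b)^s

# Decryption by B:
shared = pow(c1, b, p)             # (f^s)^b
X2 = (c2 * pow(shared, -1, p)) % p # quotient recovers X
```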

Elliptic Curve Cipher
Victor S. Miller [95] and Neal Koblitz [96] were the initiators of this type of cryptography. An elliptic curve over Z_p, E(Z_p), is defined as the set of points that satisfy y² = x³ + ux + v mod p, adding a point at infinity, O_E, with u and v being elements of Z_p satisfying ∆ = 4u³ + 27v² ≠ 0 mod p. These curves can be defined in a very similar way over the reals R and over F_2^m.
The discrete logarithm over an elliptic curve, as we have seen with Elgamal's method, is defined as the difficulty of "finding an integer x belonging to the Galois field GF(p) such that xB = P," P and B being points of the curve E.
The cipher over an elliptic curve E first makes public a finite field GF(p), an elliptic curve E, and a base point J in E. Each user, A/B, selects a secret number a/b as a private key and makes public the point that is to be their public key, aJ/bJ.
Encryption: User A wants to send the message P X to B. She takes a random integer k and calculates the point kJ within E. User A takes the public key of user B, bJ, and calculates kbJ and P X + kbJ. Finally, A sends the pair of points (kJ, P X + kbJ) to B.
Decryption: User B, in order to recover the original message, multiplies the first of the points times its private key b, obtaining bkJ. With a simple subtraction, he gets the message point in the following manner: P X + kbJ − bkJ = P X .
The elements that users A and B generate in this cryptosystem are {p, u, v, J x , a, b, k}, the rest being obtained from these values, all with binary lengths of order {l}.
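The encryption and decryption steps can be traced on a toy curve. The sketch below uses the small curve y² = x³ + 2x + 2 mod 17 with base point J = (5, 1) of order 19, a common textbook example of our choosing (real systems use curves of about 256 bits):

```python
# Toy elliptic-curve Elgamal over y^2 = x^3 + 2x + 2 mod 17 (illustrative only).
p, u, v = 17, 2, 2

def add(P, Q):
    # Point addition; None represents the point at infinity O_E.
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P) = O_E
    if P == Q:
        m = (3 * x1 * x1 + u) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def mul(k, P):
    # Scalar multiplication kP by double-and-add.
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

J = (5, 1)            # public base point (order 19 on this curve)
b = 7                 # B's private key
bJ = mul(b, J)        # B's public key
PX = mul(3, J)        # message point
k = 10                # A's random integer
C1, C2 = mul(k, J), add(PX, mul(k, bJ))   # ciphertext pair (kJ, PX + kbJ)

# B decrypts: PX = (PX + kbJ) - bkJ, subtraction being addition of the negated point.
bkJ = mul(b, C1)
PX2 = add(C2, (bkJ[0], (-bkJ[1]) % p))
```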

Paillier Cipher
The Paillier cipher system, proposed by Pascal Paillier [97], bases its security on the factorization intractability of high numbers, as well as on the quadratic residuosity problem.
The first step in this scheme is the selection of two secret large prime numbers, p and q. Their product, r = p * q, is made public (as in the RSA system). The Euler value ϕ(r) = (p − 1)(q − 1) is kept secret. The primes p and q have to be of similar length, a condition which ensures that gcd(pq, (p − 1)(q − 1)) = 1. On the other hand, we define the parameter λ(r) = lcm(p − 1, q − 1), the so-called Carmichael function; a parameter g within Z*_{r²}; and the value µ = ( L(g^λ mod r²) )^{−1} mod r, where L(x) = (x − 1)/r. Thus, the private key is the pair (λ, µ) and the public key is the pair (r, g). If the value of the message to be ciphered is defined as X, in the interval [0, r), the encryption (E) and decryption (D) processes can be expressed as:
Encryption: Select a random value a in the interval (0, r). The result is calculated as E_PK(X) = Y = g^X a^r mod r².
Decryption: The deciphered value is X = L(Y^λ mod r²) µ mod r.
The elements that A (with B similar) generates in this cryptosystem are {p A , q A , g A , a}; the rest are obtained from these values. Their respective binary lengths are of order {l, l, 4l, l}.
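The Paillier setup, encryption, and decryption can be sketched with toy primes; the values 11 and 13, and the choice g = r + 1 (a standard simple valid choice), are illustrative assumptions of ours:

```python
from math import gcd, lcm

# Toy Paillier cipher (illustrative primes; real keys use primes of ~1024+ bits).
p, q = 11, 13
r = p * q                                # public modulus r = 143
lam = lcm(p - 1, q - 1)                  # Carmichael value lambda(r) = 60
g = r + 1                                # a simple valid choice of g in Z*_{r^2}

def L(x):
    # The function L(x) = (x - 1) / r used in key setup and decryption.
    return (x - 1) // r

mu = pow(L(pow(g, lam, r * r)), -1, r)   # mu = (L(g^lambda mod r^2))^-1 mod r
X = 42                                   # message in [0, r)
a = 5                                    # random value in (0, r) with gcd(a, r) = 1
Y = (pow(g, X, r * r) * pow(a, r, r * r)) % (r * r)   # Y = g^X * a^r mod r^2
X2 = (L(pow(Y, lam, r * r)) * mu) % r                 # decryption recovers X
```

A property worth noting is the additive homomorphism: multiplying ciphertexts modulo r² adds the underlying plaintexts.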

Diffie-Hellman Key-Exchange
Whitfield Diffie and Martin Hellman [98] developed, utilizing some concepts of Ralph Merkle [99], a protocol to interchange a common secret key with no possibility of being known by another agent in the process of communication or exchange.
The two actors of the protocol, sender and receiver (A and B), publicly select a finite multiplicative group G of order n (generally Z_p) and a generator element f within G. User A produces a random number a and calculates f^a ∈ G, which is sent to B. Actor B likewise produces a random number b and calculates f^b ∈ G, which is sent to A; both can then compute the shared secret f^(ab) = (f^b)^a = (f^a)^b. It is true that, with high values for the order of G and random values a and b, due to the inherent difficulty of the discrete logarithm problem, the exchange is secure. However, the protocol is vulnerable to a man-in-the-middle attack. This can be solved through authentication of the actors; for example, using the station-to-station (STS) protocol of B. O'Higgins, W. Diffie, L. Strawczynski, and R. do Hoog [100]; using asymmetric cryptography, as in the elliptic curve Diffie-Hellman (ECDH) method [101]; or through other protocols, depending on the requirements involved [102].
Both the original DH and its variant DH-STS, among others, add the use of prior asymmetric cryptography to send f^a and f^b, or the concatenation f^a || f^b signed with the private keys of the actors. This calls for previously established asymmetric cryptographic keys, and therefore, for previous authentication, thereby generating a vicious circle in our problem. To solve this situation, the asymmetric cryptography of the cryptobiometric key just described has to be used during these exchanges.
The elements that users A and B generate in this cryptosystem are {p, f , a, b}, the rest being obtained from these values, all with binary lengths of order {l}.
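The exchange can be sketched in a few lines; the prime 2027 and base 2 are illustrative toy parameters of ours (real deployments need parameters of about 2048 bits):

```python
import random

# Toy Diffie-Hellman over Z_p* (illustrative size only).
p = 2027                          # public prime
f = 2                             # public base element
a = random.randrange(2, p - 1)    # A's secret exponent
b = random.randrange(2, p - 1)    # B's secret exponent
fa = pow(f, a, p)                 # A sends f^a to B
fb = pow(f, b, p)                 # B sends f^b to A
key_A = pow(fb, a, p)             # A computes (f^b)^a
key_B = pow(fa, b, p)             # B computes (f^a)^b; both equal f^(ab)
```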

AES Cipher
AES (Advanced Encryption Standard) has been, since 2002, the symmetric cipher standard (FIPS PUB 197); it is the Rijndael cipher of Joan Daemen and Vincent Rijmen, selected by the government of the U.S.A. [103] as the successor of the DES cipher [104].
AES is a substitution and permutation network with a block size of 128 bits, the key being able to have 128, 192, or 256 bits. It works in the Galois field GF(2^8) and uses XOR operations between message elements and sub-keys derived from the original key, row shiftings, mixing of columns in element matrices, and substitutions based on a specific data table (the S-Box).
As it is a system between parties that share the same key, we must first establish asymmetric keys (with a key generated cryptobiometrically, as indicated in this article), in order to build and generate the common symmetric key K for AES in a secure and authenticated manner.
In this case, the only element that users A and B generate in this cryptosystem is {K}, of binary length of order {l}.

Protocols
We distinguish two scenarios.

Asymmetric ciphers
In the case of asymmetric schemes, our purpose is to obtain some of their respective elements, the main ones of which were indicated for each scheme above. In the protocol, by generalization, any of these elements will be called e and its length will be l_e.
The protocol for user A (similarly for user B) is:

1.
User A generates their own template − → T , which we can consider to be a binary vector of any length, {0, 1} * .
2.
A also generates a random value −→R_H, a binary vector {0, 1}^n.

3.
The binary values −→T and −→R_H are adjusted to the right, where the options n <, =, > * can occur. Then, the corresponding hashed value is calculated by combining them through the hash functions H1 and H2, the outputs of which have binary length h.

4.
Over-randomization: (a) User A generates a random number −→RT_e of length l_e > h (normally, the output of a hash function is shorter than the order of our elements, for security reasons).

5.
Depending on the element e that we are considering, we can have the following cases: (a) − → T e generates a prime number: Here, user A carries out GenPrime( − → T e ) = p prime, where GenPrime is a procedure to generate a prime number-applying the usual methods of generation through primality tests-from − → T e : using its value (if it is already prime), the next closest prime, or a strong prime.
(b) −→T_e generates an element of a group: In this case, we do not have to make any changes in e; at most, its modular value in G is calculated.
(c) −→T_e generates a point of an elliptic curve: Here, user A carries out GenPointEC(−→T_e) = J_x, with GenPointEC being a procedure to generate J_x, the x coordinate of a point J located on the elliptic curve, such that J_y² = J_x³ + u J_x + v mod p has a solution J_y.
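A possible realization of the GenPrime case can be sketched in Python under our own assumptions: the candidate integer is derived here from a SHA3-512 hash of the template (the function name `gen_prime` and the 256-bit size are illustrative), and the "next closest prime" option is implemented with a Miller-Rabin test:

```python
import hashlib
import random

def is_probable_prime(n, rounds=20):
    # Miller-Rabin probabilistic primality test.
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(template: bytes, bits: int = 256) -> int:
    # Derive a candidate integer from the template hash, then take the next prime.
    n = int.from_bytes(hashlib.sha3_512(template).digest(), "big") >> (512 - bits)
    n |= (1 << (bits - 1)) | 1          # force full bit length and oddness
    while not is_probable_prime(n):
        n += 2
    return n

prime_from_template = gen_prime(b"example biometric template")
```

The derivation is deterministic for a given template, so the same template always yields the same prime, while a different template (or a different random adjustment upstream) yields a different, unlinkable prime.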

Symmetric ciphers
Our objective for symmetric ciphers is to obtain the key K from the biometric data of both users A and B. The sequence of steps for this protocol is:

1.
User A generates their own template −→T_A, which we can consider to be a binary vector of any length, {0, 1}^*.

2.
User B likewise generates their own template −→T_B, a binary vector {0, 1}^*.

3.
A also generates a random value − − → R H A , a binary vector {0, 1} n .
4.
The binary values −→T_A and −→R_HA are adjusted to the right, where the options n <, =, > * can occur. Then, the corresponding hashed value for A is calculated through the hash functions H1 and H2, the outputs of which have binary length h.

5.
B also generates a random value −→R_HB, a binary vector {0, 1}^n.

6.
The binary values −→T_B and −→R_HB are adjusted to the right, where the options n <, =, > * can occur. Then, the corresponding hashed value for B is calculated through the hash functions H1 and H2, the outputs of which have binary length h.

7.
Over-randomization: (a) User A generates a random value −→RT_KA with the length of the symmetric key, t; generally, t < h (normally, the output of a hash function is longer than our element K).
(b) User B generates a random value −→RT_KB with the length of the symmetric key, t; generally, t < h.
(c) A generates a set R_LA of t different values from the set [1, h].
(d) B generates a set R_LB of t different values from the set [1, h].
(e) User A applies the perfect substitution transposition cipher PST(·) to his values, obtaining −→K_A; user B does likewise, obtaining −→K_B.

8.
User A sends B the vector − → K A , using the asymmetric cryptography of a cryptobiometrically generated key.

9.
User B sends A the vector − → K B , using the asymmetric cryptography of a cryptobiometrically generated key.

10.
Both users apply the combination of −→K_A and −→K_B (e.g., their XOR) to obtain the shared symmetric key K.
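The overall flow of the symmetric protocol can be sketched as follows. This is a simplified illustration under our own assumptions: a plain selection of t bits stands in for the PST cipher and the set-selection steps, the exchange over the asymmetric channel is omitted, and the final combination of the two contributions is taken to be an XOR.

```python
import hashlib
import secrets

H_LEN = 512            # bit length h of the SHA3-512 output
T_LEN = 128            # symmetric key length t (t < h), e.g. an AES-128 key

def key_material(template: bytes, t: int = T_LEN) -> int:
    # Hash the template together with a fresh random value, then keep t of the h bits.
    r = secrets.token_bytes(16)
    digest = int.from_bytes(hashlib.sha3_512(template + r).digest(), "big")
    return digest >> (H_LEN - t)      # simple stand-in for the PST selection step

K_A = key_material(b"template of user A")   # sent to B over the asymmetric channel
K_B = key_material(b"template of user B")   # sent to A over the asymmetric channel
K = K_A ^ K_B                               # shared symmetric key for AES
```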

The Biometric Pattern (Template)
No matter the biometric technique used (physical feature or behavior, monomodal or multimodal), the different algorithms generate a numeric representation of the data. On the other hand, we always consider templates with a vector structure, or which are susceptible to being vectorized.
Regardless of the origin of the data, which may vary according to the biometric type and the algorithm and technique used, our original data will be the biometric pattern or template T, in the case of monomodal biometrics.
In the case of multimodal biometrics, biometric fusion is a wide field which has reached great maturity, although it requires specific analyses relating to the various cases in which it is implemented, focused on what, when, and how to fuse. Both the sources of fusion (multi-sensor, multi-algorithm, multi-instance, multi-sample, and multi-modal) and the level of fusion (sensor, feature, score, rank, and decision) must be considered. All of this leads us to consider the quality of the data, soft biometric attributes, contextual information to improve accuracy, and ancillary information, among other aspects [105]. As biometric fusion is not the object of this study, in relation to our system, we only need the template as input. In this way, we can indicate that (in the same way as in the case of single biometric modality), a fusion template is required to carry out the procedure indicated here for key-generation, without considering the way it is achieved: either through concatenation of patterns of the diverse biometrics, or perhaps more appropriately, by an interleaving among them or some other similar technique-for example, using Bloom filters [106][107][108], multiple Bayesian models [109], or convolutional neural networks [110].
We have to say that, in the different scenarios of creating the template T, the results will differ, although they will be very similar to each other. However, in any case, our system always offers cryptographic data from a template of the same subject.
We can also consider the typical use of error-correcting codes (ECC) for verification and identification procedures, which we can consider as a set of bits attached to the template: T||ECC.
Without loss of generality and for simplicity, we denote the entire set −−−−→ T||ECC by the template − → T .

Hash Functions and Randomization
Let H be a hash function H : {0, 1} * → {0, 1} h , with h ∈ N, which is a mapping such that the inverse process is not easy to achieve, is resistant to pre-image and second pre-image attacks, and is also collision resistant.
To improve security, we use two different types of hash functions, H1 and H2, such that H1 : {0, 1}^* → {0, 1}^{h1} and H2 : {0, 1}^* → {0, 1}^{h2}. These functions have to be diverse in their construction, possibly with different characteristics in their strengths and weaknesses, as well as differing in their susceptibilities to attacks.
The method of using H1 and H2 consists of concatenating the outputs of the hash function H1, applied to the XOR of the template with circular shifts to the left by i bits (CLS_i) of the random value of length {0, 1}^n; this concatenation is finally hashed by H2.
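A sketch of this H1/H2 construction, assuming SHA-512 as H1 and SHA3-512 as H2, with the number of shifted copies k = 4 as an illustrative parameter of ours; the exact length-adjustment details are simplified:

```python
import hashlib

N = 64   # bit length n of the random value R_H

def cls(value: int, i: int, bits: int = N) -> int:
    # Circular left shift (CLS_i) by i bits on an n-bit value.
    i %= bits
    return ((value << i) | (value >> (bits - i))) & ((1 << bits) - 1)

def xor_repeat(T: bytes, r: bytes) -> bytes:
    # XOR the template with the random value repeated to the template's length.
    rep = (r * (len(T) // len(r) + 1))[: len(T)]
    return bytes(a ^ b for a, b in zip(T, rep))

def template_hash(T: bytes, R: int, k: int = 4) -> bytes:
    H1 = lambda b: hashlib.sha512(b).digest()     # H1: SHA-2 family (Merkle-Damgard)
    H2 = lambda b: hashlib.sha3_512(b).digest()   # H2: SHA-3 / Keccak (sponge)
    parts = b"".join(
        H1(xor_repeat(T, cls(R, i).to_bytes(N // 8, "big"))) for i in range(k)
    )
    return H2(parts)                              # final hash of the concatenation

out = template_hash(b"example biometric template", R=0x0123456789ABCDEF)
```

Changing the random value R yields an entirely different output for the same template, which is the basis of cancellability.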
The output in asymmetric cryptography is denoted by −→T_e.
The SHA-2 family is very similar in structure to SHA-1 (FIPS PUB 180-1), modifying the constants, shifts, number of rounds, set of registers, and length of elements, among others, and has a very similar method for executing each round or iteration. SHA-1, in turn, depends on SHA-0 (FIPS PUB 180), from which it differs only in the addition of a circular shift; all of these build on MD5, designed by Ronald Rivest [112]. This close lineage led to the proposal of the SHA-3 family, which is different from SHA-2.
We know of collision and (first and second) pre-image attacks against SHA-0 and SHA-1; as such, they are not considered secure and their use is not recommended [92,113,114]. With regard to SHA-2, we cannot speak of practical attacks, although the weaknesses of SHA-0/-1, SHA-2 being so related to them, motivated the desire for a different way to carry out hash functions. This was the reason for the construction of SHA-3.
Even though SHA-0, SHA-1, and SHA-2 were creations of the NSA (National Security Agency), SHA-3-a functional subset of the Keccak hash function-was designed by Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche. Its construction does not follow the Merkle-Damgård scheme (as SHA-0-1-2 did), but instead, the sponge scheme, which makes it very diverse in its possible attacks and weaknesses, something that was assessed in the competition that led to its selection, carried out by the NIST (National Institute of Standards and Technology) between 2007 and 2012, in which Keccak was finally selected (with 224-/256-/384-/512-bit output options, of which we use the 512-bit variant in our scheme) as the winning candidate [115,116].
Attacks on hash functions, be it pre-image or collision, usually act on versions with a reduced number of rounds. Thus, the best attacks on SHA-2 are: collision over 31 of the total 64 rounds of SHA-256 with complexity 2^65.5 [117]; collision over 28/64 rounds of SHA-512/256 with practical complexity [118]; collision over 27/80 rounds of SHA-512 with practical complexity [118]; pre-image over 45/64 rounds of SHA-256 with complexity 2^255.5 [119]; and pre-image over 50/80 rounds of SHA-512 with complexity 2^511.5 [119]. In reference to SHA-3, there exists a pre-image attack on eight rounds (of the total 24), requiring time 2^511.5 and space (memory) 2^508 [120]. Therefore, even quantum attacks seem to not be very effective against these systems [121].
In view of these results, using both types of hash functions (i.e., SHA-2 and SHA-3) was considered: first, because they are very different from each other (as we have already indicated), their strengths may lie in different aspects. Moreover, in our system, the hash function SHA-3 is performed last (although only once); it is thus the first that an attacker must defeat and must be resistant against any pre-image or collision attack, which appeared appropriate, as it seems to be the most robust of the existing hash functions.
On the other hand, the random values are generated by pseudo-random generators (PRGs). For the random value used in the hash structure, we consider a bit length of n = {32, 64, 128} (i.e., not too high, while still providing high cancellability and fitting the word sizes of binary processors [122]).

Over-Randomization with Perfect Ciphers
(a) Perfect Secret Ciphers

(a.1) The Substitution Perfect Secret Cipher: Vernam Cipher

The Vernam cipher (or one-time pad) is a cipher which is impossible to cryptanalyze; therefore, it is a perfect cipher. It was invented by Frank Miller [123,124] and reinvented by Gilbert Sandford Vernam [125].
This cipher is based on polyalphabetic encryption, but taking the key to the maximum possible difficulty, such that the (random) key is as long as the message. The XOR function is applied to each bit: if the message can be expressed in binary as the sequence m_1 m_2 m_3 ... m_(n−1) m_n and the key as k_1 k_2 k_3 ... k_(n−1) k_n, the ciphertext is c_1 c_2 c_3 ... c_(n−1) c_n, with c_i = m_i ⊕ k_i. This exclusive OR (XOR) is totally balanced: given c_i, it is not possible to know the inputs m_i and k_i, as both possible pairs occur with the same probability.
If the key is really random (in reality, it will always be pseudo-random) and of the same size as the text of the original message, kept secret, and never reused (neither totally nor partially, before or later), we can obtain an encryption that cannot be broken or cryptanalyzed [126].
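The Vernam operation described above can be sketched in a few lines; this is a minimal illustration (the function names are ours), in which encryption and decryption are the same XOR, and the key is drawn from a CSPRNG and is as long as the message.

```python
import secrets

def vernam(data: bytes, key: bytes) -> bytes:
    # One-time pad: the key must be as long as the message and never reused.
    # Enc_k(m) = m XOR k; Dec_k(c) = c XOR k, i.e., the same operation.
    assert len(key) == len(data)
    return bytes(d ^ k for d, k in zip(data, key))

msg = b"template"
key = secrets.token_bytes(len(msg))   # random key, same length as the message
ct = vernam(msg, key)
assert vernam(ct, key) == msg         # XOR with the same key recovers msg
```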
Ciphering is said to be perfect when knowledge of the ciphertext provides no information about the original message: Pr(M = x/C = y) = Pr(M = x); that is, the a posteriori probability that the original text is x, given that the ciphertext is y, is identical to the a priori probability that the original text is x.
The deficiencies of the system are only these: the key must be as truly random as possible; the key must be kept secure, at least until the message is deciphered or while it matters that a given ciphertext corresponds to a given original message; and the key must be sent (key distribution) to the user who deciphers the ciphertext.
(a.2) The Transposition Perfect Secret Cipher: Random Cipher

For random transposition ciphering, let us suppose that, after binary codification with a set of n bits, we obtain as output only the number n_1 of 0 values and the number n_2 of 1 values, where n_1 + n_2 = n.
A random transposition does not provide information; it only gives the number of 0s and 1s. Thus, Pr(M = x/C = y) = Pr(M = x); that is, the a posteriori probability that the original text is x, given that the ciphertext is y, is identical to the a priori probability that the original text is x. The cipher gives no information at all when taking a random transposition (not reusing the random value, totally or partially), as there exist many possible combinations of the n_1 zeros and the n_2 ones, generating myriad possible messages, as occurs with the perfect secret substitution cipher. This is why there is not only one perfect cipher (i.e., Vernam's), but also a perfect transposition cipher; it can be described, in a general manner, as a list of how many times each symbol of the destination alphabet appears: symbol S_1 appears p_1 times, symbol S_2 appears p_2 times, ..., and symbol S_r appears p_r times.
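A random transposition of this kind can be sketched as follows (the helper names are ours): a secret permutation acts as the key, and the ciphertext reveals only the multiset of symbols, i.e., the counts of 0s and 1s.

```python
import secrets

def transpose_encrypt(bits: list[int], perm: list[int]) -> list[int]:
    # Bit i of the plaintext moves to position perm[i].
    out = [0] * len(bits)
    for i, p in enumerate(perm):
        out[p] = bits[i]
    return out

def transpose_decrypt(bits: list[int], perm: list[int]) -> list[int]:
    # Inverse relocation: position perm[i] of the ciphertext returns to i.
    return [bits[p] for p in perm]

bits = [1, 0, 1, 1, 0, 0, 1, 0]
# Fisher-Yates shuffle driven by a CSPRNG stands in for the random key.
perm = list(range(len(bits)))
for i in range(len(perm) - 1, 0, -1):
    j = secrets.randbelow(i + 1)
    perm[i], perm[j] = perm[j], perm[i]

ct = transpose_encrypt(bits, perm)
assert sorted(ct) == sorted(bits)          # only the 0/1 counts leak
assert transpose_decrypt(ct, perm) == bits # the secret permutation inverts it
```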

(b) Over-Randomization
We make a distinction between asymmetric and symmetric cryptography.

(b.1) Asymmetric Cryptography
The user generates a random binary number RT_e of length l_e. Starting from the template T_e of length h, we proceed to accommodate its bits in h of the places of RT_e, of length l_e > h. At present, security requirements force the lengths of the elements considered in our asymmetric cryptographic schemes, of order {l, 2l, 4l}, to be greater than the usual output lengths h of the hash functions. In our proposal, h = 512 bits and l_e = {l, 2l, 4l} with, in general, l ≥ 1024 bits.
A possible way to achieve this is to annex a set of random bits up to the required length l_e. However, we follow a more complex randomization process, which we call over-randomization, using Vernam's perfect secret cipher (a substitution cipher) together with its counterpart (i.e., its dual function): a transposition cipher that is also perfect; we denote the full function PST. First, the user generates a set R_L of h different values from the set [1, l_e]. The bits of T_e are placed into RT_e (beginning with the rightmost bit of T_e) at the h places given by R_L, obtaining a perfect transposition cipher. However, they are not merely located in the obtained random places; rather, they are ciphered by the Vernam system with the previous bit (XOR), for all j ∈ [1, h] and k ∈ R_L. The locations R_L must be kept safe, as with the rest of the random variables, in order to justify the authentication dependence of the template T on the keys and elements generated in the cryptobiometrics process. In the symmetric case, the bits are placed in the t places given by R_LA, thereby obtaining a perfect transposition cipher, and again they are ciphered by the Vernam system with the previous bit (XOR), for k ∈ R_LA. As stated previously, the locations R_LA and R_LB must likewise be kept safe, as with the rest of the random variables, in order to justify the authentication dependence of the templates on the key generated in the cryptobiometrics process.
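The asymmetric over-randomization step can be sketched as follows. This is a hedged reading of the PST construction, not the definitive implementation: we interpret "ciphered with the previous bit" as XORing each template bit with the bit previously occupying its destination position in RT_e, and the function and variable names are ours.

```python
import secrets

def over_randomize(T_e: list[int], l_e: int):
    """Sketch of PST over-randomization (one plausible reading of the paper):
    transpose the h bits of T_e into h secret places of a random carrier
    RT_e (perfect transposition), XORing each with the bit previously
    there (Vernam substitution)."""
    h = len(T_e)
    RT_e = [secrets.randbelow(2) for _ in range(l_e)]    # random carrier
    R_L = secrets.SystemRandom().sample(range(l_e), h)   # h distinct places
    out = RT_e[:]
    for j, k in enumerate(R_L):
        out[k] = T_e[h - 1 - j] ^ RT_e[k]   # start from rightmost bit of T_e
    # RT_e and R_L must be kept secret, like the other random variables.
    return out, RT_e, R_L

T_e = [secrets.randbelow(2) for _ in range(512)]
out, RT_e, R_L = over_randomize(T_e, 1024)
assert len(out) == 1024
# Knowing the secrets, the template bits are recoverable:
rec = [out[k] ^ RT_e[k] for k in R_L]
assert rec == list(reversed(T_e))
```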

Generation of a point in the elliptic curve
The procedure to obtain a point of the elliptic curve E(Z_p), GenPointEC(T_e, u, v, p) = (J_x, p'), is as follows: from the values u, v, and J_x, calculate J_y^2 = A = J_x^3 + uJ_x + v mod p. By the Tonelli-Shanks algorithm [127], if the Legendre symbol (A/p) = 1 and p mod 4 = 3, then J_y = A^((p+1)/4) mod p.
Looking for one prime after another, successively from the original p, until these conditions are met, we obtain the value of the prime p' that defines Z_p' and the point (J_x, J_y).
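The search just described can be sketched as follows; the function names are ours, and small toy values stand in for the cryptographic sizes. For p ≡ 3 (mod 4), the Tonelli-Shanks square root reduces to the single exponentiation A^((p+1)/4) mod p.

```python
def is_prime(n: int) -> bool:
    # Deterministic Miller-Rabin with a fixed witness set (valid well
    # beyond the toy sizes used in this sketch).
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2; s += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_point_ec(J_x: int, u: int, v: int, p: int):
    # Search primes p' >= p with p' = 3 (mod 4) until A = J_x^3 + u*J_x + v
    # is a quadratic residue mod p'; then J_y = A^((p'+1)/4) mod p'.
    while True:
        if is_prime(p) and p % 4 == 3:
            A = (J_x**3 + u * J_x + v) % p
            if pow(A, (p - 1) // 2, p) == 1:   # Legendre symbol (A/p') = 1
                return p, (J_x, pow(A, (p + 1) // 4, p))
        p += 1

p_, (Jx, Jy) = gen_point_ec(J_x=5, u=2, v=3, p=1000003)
assert (Jy * Jy - (Jx**3 + 2 * Jx + 3)) % p_ == 0   # (Jx, Jy) lies on E(Z_p')
```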

Strong Primes
The prime numbers selected for ciphering must have a series of characteristics that make them difficult to figure out, even if their product is known. These requirements are condensed into the notion of strong primes. A strong prime p has to meet the following conditions: (a) p = Ap_1 + 1 (with p_1 a large prime and A any integer); (b) p_1 = Bp_2 + 1 (with p_2 a large prime and B any integer); (c) p = Cp_3 − 1 (with p_3 a large prime and C any integer).
However, these conditions are not necessary when large primes are used; for instance, 1024-bit primes, which are presently recommended for security requirements [92], give a product p · q = n of around 2048 bits. On one hand, finding strong primes is considered too costly without obtaining better security, because of the huge size of the selected primes, even when these primes do not meet the strength conditions. On the other hand, even though several attacks against the factorization problem are blocked by using strong primes, there is one concrete attack, using Hendrik W. Lenstra Jr.'s elliptic curves [128], which can precisely seek not-very-large factors, such as those given by low values of A, B, and C.
Another desirable requirement is a low value of gcd(p − 1, q − 1). A more rigid requisite is to seek so-called safe primes, where p = 2p_4 + 1 and q = 2p_5 + 1 (with p_4 and p_5 prime).
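The safe-prime condition and the gcd requirement can be checked directly; the following is a toy-size sketch (trial division would of course be replaced by a probabilistic primality test at cryptographic sizes).

```python
from math import gcd

def is_prime(n: int) -> bool:
    # Trial division; adequate only for the toy sizes of this sketch.
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def is_safe_prime(p: int) -> bool:
    # A safe prime satisfies p = 2*p4 + 1 with p4 prime.
    return is_prime(p) and is_prime((p - 1) // 2)

assert is_safe_prime(23)       # 23 = 2*11 + 1, and 11 is prime
assert not is_safe_prime(17)   # (17 - 1) / 2 = 8 is not prime
# A low gcd(p - 1, q - 1) is also desirable; for safe primes it is 2:
print(gcd(23 - 1, 47 - 1))     # → 2
```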

Security Analysis
The proposed model, a cryptobiometrics system, takes a biometric template as input and consists of two sub-systems, the first being the hash structure, and the second, which we call over-randomization, being composed of two perfectly secret systems.
The Holy Grail of security is Shannon's concept of perfect secrecy, meaning that the ciphertext reveals no information at all about the plaintext. The second sub-system of our model has this degree of security. However, in general, this property cannot always be achieved, and what is sought instead is semantic security; the first sub-system of our model achieves this level. Semantic security is the computational-complexity analogue of perfect secrecy, implying that any information revealed cannot be feasibly extracted. A semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext; that is, any probabilistic polynomial-time algorithm (PPTA) given the ciphertext C of a certain message M (taken from any distribution of messages) and the message's length cannot determine any partial information about the message with probability non-negligibly higher than all other PPTAs that only have access to the message length and not the ciphertext [129].
Our security analysis is limited to the cryptobiometrics components considered here. The security of the cipher schemes themselves should be subject to a separate analysis outside our system, considering the usual aspects of each cipher, as well as CPA (chosen-plaintext attacks) and CCA (chosen-ciphertext attacks).
For simplicity and better understanding, we have offered examples of the cryptographic schemes RSA, Elgamal, elliptic curve, Paillier, and AES, together with the Diffie-Hellman scheme, which are not semantically secure. There are schemes that are, such as the Cramer-Shoup asymmetric cryptosystem [130] or authenticated symmetric encryption schemes; however, these aspects are not the object of our cryptobiometrics proposal.
Our cryptobiometrics system begins with the template of the user (or users) and generates from it the main parameters of the encryption schemes and protocols. The entire cryptographic scheme is built using these elements, although with a biometric basis, which also allows the following main properties:

1.
Irreversibility: Given an output of our system, an eventual attacker cannot reconstruct T (similarly, T_A or T_B), the genuine biometric data.
As we examine below, this aspect is achieved by the security properties of the first sub-system of hash functions and the subsequent sub-system of over-randomization with perfect encryption.

2.
Cancellability: From an input T, T_A, or T_B, we can generate as many outputs as we want.
This property is achieved, in the scenario of asymmetric ciphers, through all those initial moments in which the parameters of the cryptographic scheme must be generated (on which all the encrypted communications subsequently take place), by means of the random values of the system. On the other hand, with R_LA we have, as possible options, the t-element variations of h elements without repetition, h!/(h − t)!. Thus, the number of possible options for user A is given by 2^(n+t) · h!/(h − t)!.

3.
Irrevocability: The elements obtained for the cipher schemes can be changed, when necessary, and the biometric data of the initial template, T, T_A, or T_B, can be used together with new random values masking the template, so that the template itself can be used permanently and irrevocably.

4.
Unlinkability: For a single biometric sample T, T_A, or T_B, we should be able to generate different outputs in such a way that it is not feasible to determine whether those outputs belong to a single subject or not.
This is guaranteed because, although the template is the same (as it originates from biological and/or behavioural aspects of a subject), the outputs differ through the random variables of the system, the properties of the hash functions (one-wayness or pre-image resistance, second pre-image resistance, and collision resistance), and the perfect secrecy of the over-randomization sub-system, by which the a posteriori probability that the original text is x, given that the ciphered text is y, is identical to the a priori probability that the original text is x.

Analysis of the hash structure
Let us examine the security of the first sub-system of our model: the hash structure. We consider a hash function H : {0, 1}* → {0, 1}^h to be ideal in the sense that it hashes from {0, 1}* to {0, 1}^h uniformly at random and behaves as a random oracle (i.e., it returns a random element each time it is invoked, except if queried twice on the same input, upon which it returns the same output both times). Such a function H is suitably secure if it fulfills the following three properties:

1.
Pre-image resistance: this property means that H is a one-way function; for a randomly chosen x ∈ {0, 1}*, given y = H(x), it is hard to find an x′ ∈ {0, 1}* such that H(x′) = y.
Taking into account our hash structure, which, in a general way, XORs the template with an i-bit circular shift to the left of the random value in each block (with i ranging from 0 to max(*, n) − 1, and where || indicates concatenation), let us analyze its security: it offers a random input value in each of the blocks. In addition, any change in an input bit of a hash function leads to an entirely unpredictable output, with no correlation between the two outputs.
On the other hand, if H1 and H2 are pre-image resistant, the concatenation of the outputs of H1 is still pre-image resistant with respect to each H1. Moreover, if what we know is the final output of H2, as it is pre-image resistant, we cannot calculate any value of the original set which is a pre-image of that value.
If H1 and H2 are second pre-image resistant, even if we were given a target value in H2 and in each H1 of the concatenation, we cannot obtain other values that would give the same value in the output of the set of H1 concatenations and the subsequent H2 hash function.
Finally, if H1 and H2 are collision resistant, we cannot obtain any pair of values that have the same image for H1, and for the structure itself, where the concatenation of H1 images is applied to the H2 function, we cannot obtain any pair of different values that give the same output.
With all these qualities, our hash function structure is pre-image, second pre-image, and collision resistant.
On the other hand, although an attacker may come to know the value of the template, the random value is not known, and it should never be repeated. From both of these, the XOR values are calculated, whose outputs are not known; these are the inputs to the different hash functions H1, so neither are their outputs known. These outputs, concatenated, constitute the (unknown) input to the hash function H2. In this way, it is clear that our construction of hash functions is secure.
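The hash structure just analyzed can be sketched as follows. This is a hedged reconstruction, not the paper's exact block layout: we assume each H1 = SHA-512 block hashes the template XORed (cyclically) with an i-bit left rotation of the random value R_H, and the concatenation is hashed once with H2 = SHA3-512; the function names are ours.

```python
import hashlib

def rotl(value: int, i: int, n: int) -> int:
    # i-bit circular shift to the left within an n-bit word
    return ((value << i) | (value >> (n - i))) % (1 << n) if i else value

def hash_structure(template: bytes, R_H: int, n: int, blocks: int) -> bytes:
    """Sketch of the two-level hash structure (one plausible reading):
    H1 = SHA-512 per block over the template XORed with a rotation of
    the n-bit random value R_H; H2 = SHA3-512 over the concatenation."""
    parts = []
    for i in range(blocks):
        r = rotl(R_H, i % n, n).to_bytes(n // 8, "big")
        x = bytes(t ^ r[j % len(r)] for j, t in enumerate(template))
        parts.append(hashlib.sha512(x).digest())      # H1 blocks
    return hashlib.sha3_512(b"".join(parts)).digest() # final H2

digest = hash_structure(b"biometric template", R_H=0xDEADBEEF, n=32, blocks=4)
assert len(digest) == 64   # 512-bit output, as used in the scheme
```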
With respect to the hash functions considered, as shown before, theoretically, the 512-bit output value sets the cost of first and second pre-image attacks at 2^512 on one hand, and that of collision attacks at 2^(512/2) = 2^256 on the other. Thus, the best attacks on SHA-2 are a collision on 27/80 rounds with practical complexity and a pre-image on 50/80 rounds with complexity 2^511.5; that for SHA-3 is a pre-image on 8/24 rounds, under very elevated (space and time) complexity conditions.

Analysis of the over-randomization structure
Let us examine the security of the second sub-system of our model: the over-randomization structure. The strongest security assurance is perfect secrecy, as defined by Claude E. Shannon: an encryption scheme with generation, encryption, and decryption, (Gen, Enc, Dec), with message space M, ciphertext space C, and key space K, has perfect secrecy if, for every probability distribution on M, every message m ∈ M, and every ciphertext c ∈ C for which Pr(C = c) > 0, Pr(M = m/C = c) = Pr(M = m). This concept of perfect secrecy is also called unconditional security. The basic idea is that intercepting any ciphertext should give no information about the associated plaintext, nor any information about future encrypted messages, even assuming unbounded computational power.
Shannon's theorem states: let (Gen, Enc, Dec) be an encryption scheme such that |M| = |C| = |K|. Then, the system has perfect secrecy if and only if the following conditions hold: (i) the probability distribution on K is uniform; and (ii) for every m ∈ M and every c ∈ C, there exists a unique k ∈ K such that Enc_k(m) = c.
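For the XOR cipher with M = C = K = {0, 1}^n, Shannon's two conditions can be checked exhaustively for a small n; the following sketch enumerates all (m, k) pairs and confirms that each (m, c) pair is produced by exactly one key.

```python
from itertools import product

n = 3
words = list(product([0, 1], repeat=n))   # all n-bit strings

for m in words:
    counts = {}
    for k in words:
        c = tuple(mi ^ ki for mi, ki in zip(m, k))
        counts[c] = counts.get(c, 0) + 1
    # Every ciphertext is reached, each by exactly one key, so with a
    # uniform key, Pr(C = c / M = m) = 1/2^n independently of m.
    assert len(counts) == 2**n
    assert all(v == 1 for v in counts.values())
```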

Theorem 1. The Vernam substitution cipher of our over-randomization model is perfectly secret.
Proof. Following Shannon's theorem, it is clear that the XOR or Vernam encryption used in our over-randomization model is a cipher with M = C = K = {0, 1}^n. The key generation chooses keys from {0, 1}^n according to a uniform distribution. Further, Enc_k(m) = c = k ⊕ m and Dec_k(c) = m = k ⊕ c, so Enc_k = Dec_k. Alternatively, it is easy to prove that ∀c ∈ C and ∀m ∈ M, Pr(C = c/M = m) = Pr(K = m ⊕ c) = 1/2^n, and ∀c ∈ C, Pr(C = c) = 1/2^n.

Theorem 2. The transposition cipher of our over-randomization model is perfectly secret.
Proof. In the same way that the previous encryption scheme is perfect, let us now prove the same for its dual system, now not in substitution, but in transposition.
In the asymmetric case, we have the following. The key space K, which in our case is K = R_L = {0, 1}^h, is random with uniform probability equal to 1/2^h, taking values from the set [1, l_e]; its cardinality is |K| = 2^h. Additionally, T_e, which we can consider as the set M, comes from the output of the hash functions, with cardinality 2^h. From the random variable RT_e of length l_e > h, h values will be taken, resulting in a cardinality of 2^h. Therefore, |M| = |C| = |K|.
The resulting set C = T_e (with only those h bits changed) is the result (without considering the XOR operation of the perfect substitution encryption scheme) of a relocation of the bits of M = T_e, according to the random order given by R_L. Thus, for every m ∈ M and every c ∈ C, there exists a unique k ∈ K such that Enc_k(m) = c because, if there were another value k′ ∈ K with k′ ≠ k, there would be a different ordering of the bits of m, which would mean that some of the bits of the possible values c and c′, both belonging to the set C, were different, and so c′ ≠ c. Thus, for every m ∈ T_e and every c ∈ C, there exists a unique k ∈ R_L such that Enc_k(m) = c.

In the symmetric case, we have the following. The key space K which, for user A (similarly for user B), is K = R_LA = {0, 1}^t, is random with uniform probability equal to 1/2^t, taking values from the set [1, h], where t < h; its cardinality is |K| = 2^t. Additionally, T_KA, which we can consider as the set M (with only those t bits changed), comes from the output of the hash functions; although its cardinality is 2^h, only t values will be taken (as selected by R_LA), and so its cardinality is 2^t. From the random variable RT_KA of length t < h, all t values will be taken, resulting in its cardinality being 2^t. Therefore, |M| = |C| = |K|.

The resulting set C = K_A, of length t, is the result (without considering the XOR operation of the perfect substitution encryption scheme) of a relocation of the t bits of M = T_KA, according to the random order given by R_LA. Thus, for every m ∈ M and every c ∈ C, there exists a unique k ∈ K such that Enc_k(m) = c as, if there were another value k′ ∈ K with k′ ≠ k, there would be a different ordering of the bits of m, which would mean that some of the bits of the possible values c and c′, both belonging to the set C, were different, and so c′ ≠ c. Thus, for every m ∈ T_KA and every c ∈ K_A, there exists a unique k ∈ R_LA such that Enc_k(m) = c.

Since both the substitution system and the transposition system are perfectly secret, we must analyze whether their sequential union (i.e., the way in which we apply them) is also perfectly secret.

Theorem 3. The sequential union of two perfectly secret systems is perfectly secret.
Proof. From the partial results of perfect secrecy of both sub-systems, Pr(M_1 = m_1/C_1 = c_1) = Pr(M_1 = m_1) and Pr(M_2 = m_2/C_2 = c_2) = Pr(M_2 = m_2), where the ciphertext of the first system is the message of the second (c_1 = m_2). On the other hand, as we have already obtained, the probability distribution on K_1 is uniform. Moreover, for every m_1 ∈ M_1 and every c_1 ∈ C_1, there exists a unique k_1 ∈ K_1 such that Enc_{k_1}(m_1) = c_1, and for every m_2 ∈ M_2 and every c_2 ∈ C_2, there exists a unique k_2 ∈ K_2 such that Enc_{k_2}(m_2) = c_2. As k_1 = k_2 ∈ K_1 = K_2 and c_1 = m_2, for every m_1 ∈ M_1 and every c_2 ∈ C_2, there exists a unique k_1 ∈ K_1 such that Enc_{k_2}(Enc_{k_1}(m_1)) = c_2.
This completes the proof of Shannon's theorem for the two perfectly encrypted systems chained together.
From the results above, we can affirm that our cryptobiometrics system is semantically secure, as this is the lowest level of security of all its constituent parts.
A total of 25 different experiments were carried out, trying to discriminate one person (with 50 text-independent voice fragments per person) against other people (200 different and text-independent fragments), with training-test percentages of 80-20% of the total samples.
The speech fragments taken for processing had a time length of T = 4000 ms. The people in the database were men and women who were diverse in age, almost all of them speaking in the Spanish language (from Spain and Spanish America), while a few of them spoke in the English language.
We show, in Figure 5, the experimental results in terms of the ROC (receiver operating characteristic) curve, which graphically shows the ratio between sensitivity (true positive rate; on the vertical axis) and 1 − specificity, or false positive rate (on the horizontal axis), for our binary classifier system as the discrimination threshold is varied. The value of the area under the curve (AUC) was 98.30%, and the point of equal error rate (EER), the point where the false positive rate and the false negative rate are equal, was (0.0631, 0.9361). The experiments provided, for each person p = {1, 2, ..., 25}, a vector of 2^9 + 1 = 513 elements after carrying out the Welch estimation. Thus, for each person p, from the different values of their text-independent voice samples, we obtained a mean vector µ_p = {µ_1, µ_2, ..., µ_513}_p and its variance σ²_p = {σ²_1, σ²_2, ..., σ²_513}_p. From these, we could construct a certain threshold ε_p = {ε_1, ε_2, ..., ε_513}_p for each person p. These were the data stored for use in the voice recognition system during the matching process in text-independent verification.
Thus, at the moment in which a person had to be recognized in the verification process, they provided their voice signal, thereby generating their input vector i = {i_1, i_2, ..., i_513} after applying estimation signal processing through the Welch periodogram.
At this time, the vectors µ and ε of this person were applied to each of the values of the vector i, accounting for the percentage of values within the expected range: i_j ∈ [µ_j − ε_j, µ_j + ε_j], for every value j = {1, 2, ..., 2^9 + 1}. It was this percentage that affirmatively or negatively resolved the verification of the subject.
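The enrolment and matching procedure above can be sketched with `scipy.signal.welch`; this is an illustration on synthetic signals, not the paper's pipeline: the 3σ threshold, sampling rate, and acceptance fraction are our assumptions, chosen only so that `nperseg = 1024` yields the 2^9 + 1 = 513 bins of the experiments.

```python
import numpy as np
from scipy.signal import welch

def make_template(samples, fs=8000, nperseg=1024):
    # Welch PSD estimate: nperseg = 1024 yields 2^9 + 1 = 513 frequency
    # bins, matching the 513-element vectors of the experiments.
    psds = np.array([welch(s, fs=fs, nperseg=nperseg)[1] for s in samples])
    return psds.mean(axis=0), psds.var(axis=0)

rng = np.random.default_rng(0)
fs = 8000
t = np.arange(0, 4.0, 1 / fs)                     # 4000 ms fragments
samples = [np.sin(2 * np.pi * 180 * t) + 0.1 * rng.standard_normal(t.size)
           for _ in range(10)]
mu, var = make_template(samples)
eps = 3 * np.sqrt(var) + 1e-12                    # an illustrative threshold

# Verification: fraction of probe PSD bins inside [mu_j - eps_j, mu_j + eps_j]
probe = np.sin(2 * np.pi * 180 * t) + 0.1 * rng.standard_normal(t.size)
probe_psd = welch(probe, fs=fs, nperseg=1024)[1]
score = np.mean(np.abs(probe_psd - mu) <= eps)
assert mu.size == 513 and score > 0.5             # accept the genuine speaker
```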

Generation of Fundamental Elements of Cryptographic Schemes
As an example, let us consider asymmetric encryption with elliptic curve, and symmetric encryption with AES.

Elliptic Curve
Applying the various concatenated hash functions of type SHA-2-512 (H1) and, finally, the function SHA-3-512 (H2), we obtained the value T_e. From T_e, the prime number can be calculated, which is either the same number (if prime), the next prime that follows, or a strong prime. Calculating the following prime (as, in our case, the number itself was not prime), we obtained p = 66389488423738(...)49073654708517 (decimal).
If, otherwise, we sought a strong prime from it, we could have used p_2 = 66389488423738(...)49073654708517 as input, to satisfy the stated requirements: (a) p = Ap_1 + 1 (with p_1 a large prime and A any integer); (b) p_1 = Bp_2 + 1 (with p_2 a large prime and B any integer); (c) p = Cp_3 − 1 (with p_3 a large prime and C any integer).
The rest of the elements of the elliptic curve over Z_p, E(Z_p): y² = x³ + ux + v mod p, were obtained as elements of Z_p. With p, the values u and v can be chosen randomly, modulo the prime p, such that they always fulfil ∆ = 4u³ + 27v² ≠ 0 mod p; for example, u = 395718860534 and v = 193139816415, in decimal form.
However, to facilitate finding a base point of the elliptic curve, we applied the procedure GenPointEC(T_e, u, v, p) = (J_x, p′) described above. With this, the obtained prime value was p′ = 52449023644521(...)69252943620723 (decimal), and the base point J in E had coordinate J_x = 22424170466 (decimal).
As detailed above, in the encryption process of the elliptic curve cipher, user A chooses a secret key a, which could be a random value or a cryptobiometric value generated as we have done here for the case of p. Furthermore, A makes its key aJ public and generates a random session value k modulo p′.
Similarly as we have done with elliptic curve encryption, we can compute any other prime q, and with the obtained values of p and q, the application to each of the considered asymmetric encryption schemes is immediate.

AES
In the AES symmetric cipher, assuming that actor A has p = 17 (assuming, for A, the same value as obtained before) and actor B has p = 8, carrying out the corresponding operations, we obtained the shared symmetric key.

As we have seen, it is clear that the biometric data are not the same at different times and under different conditions, although they adequately identify each subject and are close between different samples, as was the case for the means and variances of each subject used in our system. Furthermore, the false rejection rate and false acceptance rate results showed adequate reliability, always depending on the biometric system used. As for the bit-length, which also varies between biometric modalities, the results achieved with the digital signal processing and the power spectral density analysis with the Welch periodogram allowed us, together with the random variables used in our system, to reach the appropriate lengths for the symmetric and asymmetric encryption schemes.
In this way, we met the requirements of variability, reliability, and biometric bit-length.

Conclusions
Cryptography can be used to obtain confidentiality and integrity, but can only achieve partial authentication. We believe that only the combination of cryptography and biometrics (into cryptobiometrics) can achieve total and complete authentication. A suitable cryptobiometric system must meet a number of main requirements. Our proposal achieved, on one hand, the requirements of irreversibility, cancellability, irrevocability, and unlinkability; on the other hand, the characteristics of variability, reliability, and biometric bit-length, depending on the chosen biometry, were also achieved, as demonstrated by our experimental results.
In this paper, we designed a cryptobiometrics system to generate cryptographic keys (i.e., key-generation type), as well as the rest of the necessary elements in the different and diverse cryptographic schemes. Thus, we indicated the related procedures in both symmetric (e.g., AES) and asymmetric ciphers (e.g., RSA, Elgamal, elliptic curve, Paillier), together with the Diffie-Hellman exchange protocol. In this way, we demonstrated the versatility and breadth of use of our design in any cryptographic and/or biometric framework. Through this system, the basic elements of the different cryptographic schemes which are later used in various confidential communications can be calculated. Each of these basic elements is inevitably linked to the biometric data of the subject, in the case of asymmetric cryptography. For the symmetric case, a common key K will be generated between both actors A and B, through gathering biometric aspects of both actors.
On the other hand, our system integrates substitution and transposition ciphers, the union of which achieves diffusion and confusion, both desirable elements of a good cipher, as considered by Shannon [126]. Our proposal not only integrates these ciphers, but uses both methods in their most secure way: perfect encryption. We showed that our over-randomization algorithm is perfectly secret. Considering a priori that the Vernam substitution cipher used in our over-randomization system is perfectly secret, we proved that there is another (dual) form of perfect secrecy in transposition. We also demonstrated that their sequential composition is perfectly secret. With this feature, there is no possibility of cryptanalysis, at least in our second sub-system. The first part of the system, with a hash structure, is semantically secure. This makes our system, as a whole, at least semantically secure.
We detailed a practical application of our system using voice biometrics. The verification and text-independent modality were followed, using a template matching method. A total of 25 different experiments, with 50 text-independent voice fragments per person assessed against other people (200 different and text-independent fragments), were carried out. Signal processing methods were used to obtain the data of the Welch periodogram, with very adequate results; that is, an equal error rate (EER) of (0.0631, 0.9361) and area under the curve (AUC) of 98.30%.
With the voice biometrics generated for one of the users under study, by means of the mean values µ and variance σ², we constructed a template T. From this, we were able to generate a prime value (as well as a strong prime), totally linked to the biometric data itself (i.e., cryptobiometric data), which specifies the elliptic curve from which all other data of the equation of the curve can be calculated, and furthermore, by the same method using the template, the private and public keys.
We also calculated the value of a symmetric key between two users of our voice biometrics study for AES encryption.
We cannot forget the limitations of the system, which we wish to mention here. The system depends on the original biometric data, requiring that the biometric sample be of sufficient length; if this were not the case, the strength of the system would reside only in the random value R_H. However, the biggest limitation of the system is that, as is inherent to the use of a perfect cipher, its key is as long as the message to be encrypted, which makes it enormously large. Thus, the lengths of RT_e and R_L, which refer to the perfect substitution and transposition encryption steps, respectively, imply large binary lengths to be stored and managed. In the example considered, with a prime value p of 1024 bits, the length of T_e is 512 bits (as the output of the hash function SHA-3-512), the length of RT_e is 1024 bits (the same as that of the prime value p searched for), and the number of bits of the set of 512 values of R_L is 4353 bits, which comes to an average of 8.5 bits for each value of R_L. Despite this limitation, bear in mind that the intention is not to encrypt a message (with its consequent length), but only to obtain cryptobiometric keys or the main elements of the cipher suite, which are always shorter. Finally, a limitation that must always be considered in any real, implemented cryptographic system is the possibility of side-channel attacks.
We believe that this proposal, despite the mentioned limitations, unites the cryptographic aspects of confidentiality and integrity with the biometric physical and behavioral elements of the parties involved in the communication, thereby achieving authenticity, and in this way, adequately accomplishes the security objectives mentioned at the beginning of this work.