On July 6, 2026, Frederik Ubbesen successfully defended his Master’s thesis titled „Secure Multimodal Biometric Verification Using IoM Hashing and Zero-Knowledge Proofs“. This is a joint effort of h_da (Germany) and DTU (Denmark).
Abstract:
The use of biometric security and verification systems has steadily increased as their acceptance has become more widespread. Most people now use biometric verification every day to log in to a phone or access private applications, and using a fingerprint or face to unlock a security barrier has become commonplace. However, this act of applying measurable, distinct human characteristics for automated verification or recognition faces a key challenge, namely, keeping the biometric data safe both in storage and while the system uses it. Naively, one might compare the challenges of biometric security to those of password security, however, they are inherently different. The challenge of securing biometric data differs fundamentally from protecting a password. A leaked password can be changed, but a compromised biometric characteristic cannot. Moreover, a password is reproduced identically at every successful login, whereas biometric verification compares different samples from the same individual every login. Even when captured by the same sensor under similar conditions, samples show natural variation due to factors such as sensor noise, pose, environmental conditions, and other sources of intra-class
variability. This makes encryption or hashing of biometric data difficult, and that difficulty has spawned numerous biometric template protection schemes aimed at storing and using biometric data safely. Each biometric template protection family provides specific security goals designed to keep biometric templates safe, but also carries drawbacks, among them high computational overhead, reliance on trusted setups, degraded recognition accuracy compared to unprotected templates, large protected templates, and the absence of security guarantees during comparison. Recent research into multi-modal fusion, dimensionality reduction, and zeroknowledge protocols shows promising potential to address these drawbacks. This thesis combines recent work in zero-knowledge protocols, multimodal fusion, and dimensionality reduction with cancelable biometrics to build a biometric verification pipeline that is secure against a malicious adversary while maintaining high recognition accuracy and a practical verification time. The pipeline pairs GRP-IoM cancelable hashing with the biometric-authentication zero-knowledge protocol (BAZKP), reinstantiated over a prime-order group so that it requires no trusted setup and the verifier learns only the accept-or-reject decision, and never learns the template, the probe, or the distance between them. A naive reinstantiation over this group is shown to be unsound, and soundness against a malicious prover is restored by an explicit bound on the compared codes. Multimodal fusion of face, fingerprint, and iris reaches a lower error rate than the strongest single modality at a quarter of the code length, m = 128 rather than m = 512, and therefore at roughly a third of the verification cost, about 41 ms against 132 ms. Two optimisations were then investigated, the first being Pippenger’s algorithm, which reduces endtoend verification time at the largest code length by roughly a factor of two, from approximately 266 ms to 132 ms. The second optimisation is the application of a Bulletproofs innerproduct argument, which reduces proof size by a factor of 5.8, from approximately 117 kB to 20 kB, while roughly doubling the prover time, from approximately 137 ms to 268 ms. The pipeline is evaluated on a multimodal dataset assembled from the FRGCv2, MCYT, and CASIAIris databases, over 1,501 mated and 141,778 nonmated comparisons. The resulting pipeline meets the threat model, achieving an end-to-end verification time of approximately 132 ms at a fused dimension of 256 and an IoM code length of 512, with a FNMR rate of 0.53 % at a 0.1 % FMR operating point.
