RUIP-BA: Renewable, Unlinkable, and Irreversible Privacy-Preserving Behavioral Authentication via Random Projection and Local Differential Privacy for IoT and Mobile Platforms

1. Introduction

In today’s increasingly interconnected digital landscape, secure user authentication has become critical for protecting sensitive resources and all online services. As traditional authentication methods, such as passwords and PINs, face growing security limitations, the need for more sophisticated authentication systems has become apparent. For example, password-based authentication systems are vulnerable to password cracking, theft, and sharing attacks. To address these weaknesses, additional layers of protection are implemented using pre-agreed questions, hardware tokens, smart cards, and user biometrics. However, these approaches require additional hardware and infrastructure and often suffer from the same vulnerabilities observed in password-based and PIN-based systems.

An attractive approach to multifactor authentication is to use behavioral data as the second factor. Behavioral authentication (BA) systems [1,2,3,4] leverage distinctive user behavior patterns, such as typing style, gait, or touch dynamics, to verify users’ identities seamlessly and continuously. Behavioral data in a BA system can be collected passively or actively during an interactive session with the user. Passive BA systems collect data through background processes, whereas active BA systems require the user’s presence at the time of the verification request and provide higher security guaranties. By analyzing unique behavior patterns from collected data, BA systems offer an additional layer of security in user authentication.

BA systems typically use raw behavioral data to create detailed user profiles, which are then used to train a machine learning (ML) classifier. Although ML-driven BA systems provide a reliable and accurate method of continuous authentication to verify user identities, these centralized ML models pose a critical single-point vulnerability that attackers can exploit. Since an ML model in a BA system contains information about sensitive personal data, the impact of such attacks can raise serious privacy concerns. A privacy attacker in a BA system can be an honest but curious verifier or an external actor seeking to learn users’ behavior patterns and link them to their identities. For example, an external attacker could launch a model extraction attack [5] or a model inversion attack [6] to recreate the original behavioral data from a compromised ML model, potentially allowing them to impersonate users or gain unauthorized access to their accounts. Additionally, an honest but curious verifier might share behavioral data with third parties. The potential consequences of such privacy breaches are severe, as compromised behavioral patterns could lead to identity theft, financial fraud, or unauthorized access across multiple systems.

Privacy-sensitive personal information carried by behavioral profiles and used in BA systems must be protected from potential attackers. Although the initial design goal of the BA systems was to ensure user-friendly and accurate verification, focusing on usability and system performance properties, data privacy has since been included as a mandatory requirement. According to the ISO/IEC 24745 standard [7], any privacy-preserving biometric or behavioral biometric system must meet three key privacy requirements:

• Renewability (Cancelability): All users of the system should be able to refresh their profiles if compromised.
• Unlinkability: It should be infeasible for an attacker to link two or more compromised profiles.
• Irreversibility: It should be infeasible to deduce the original behavioral pattern from compromised profiles.

Biometric and behavioral biometric systems use profile templates instead of the original profiles in the system to ensure all three properties. Renewability allows users to revoke and replace their templates if compromised. Unlinkability ensures that the distance or divergence between two templates, whether from the same or different sources, is indistinguishable, preventing cross-matching attacks [8]. Irreversibility ensures that the original behavioral patterns cannot be reconstructed from the used template.

Existing privacy-preserving authentication systems utilize both cryptographic and non-cryptographic methods to ensure credential privacy. Cryptographic approaches commonly include key binding (fuzzy vault [9] and fuzzy commitment [10]), key generation approaches [11], zero-knowledge proofs [12], and blockchain-based schemes [13]. However, most of these methods are not directly applicable to BA systems due to noisy behavioral data and the use of an ML model for authentication decisions. Recent advances in privacy-preserving ML [14] have introduced some cryptographic methods to mitigate data leaks in ML-based BA systems. For example, Loya and Bana [15] proposed a protocol for keystroke data that combines fully homomorphic encryption with differential privacy. A similar attempt is observed in [16]. However, many of these systems leave confidential information unaltered, making them susceptible to data breaches. The system also often suffers from reduced performance, increased computational overhead, and can not ensure all three privacy-preserving properties.

Among all non-cryptographic approaches, methods such as cancelable biometrics [17], differential privacy (DP) [18,19], and federated learning [20] are more widely adopted in BA systems. Although DP methods effectively preserve behavioral data privacy with theoretical guaranties, they always require making a trade-off between privacy and data utility. Moreover, DP-based approaches are less effective for systems with high-dimensional data. Federated learning-based systems often produce less accurate results when users carry only positive-class data  [21]. Cancelable biometrics [22,23] enhance the security of biometric and behavioral biometric data by transforming the original biometric data into a new representation known as a template. This method aims to safeguard users’ original biometric data and revoke compromised profiles. However, none of these cryptographic and noncryptographic approaches fully satisfy all three required privacy-preserving properties considering all possible attacks.

For privacy-preserving ML-based BA systems, cancelable biometrics can be a promising approach. In cancelable biometrics, if the transformation preserves the relative distances or distributions among all profiles, the ML-based system trained on transformed data will be able to maintain the system’s performance. In addition, cancelable biometrics can also help protect sensitive data by reducing the risk of direct re-identification or feature leakage if the transformation used in the system is irreversible. However, finding a suitable transformation function that is irreversible and preserves the geometrical structure in the transformed space is challenging. Moreover, irreversible transformation alone should only not be considered a standalone method for strong data privacy guaranties, especially in environments where formal privacy guaranties are required.

Our work. To address all these privacy challenges, this paper introduces RUIP-BA (Renewable, Unlinkable, and Irreversible Privacy-Preserving Behavioral Authentication) that employs Random Projection (RP) together with local Differential Privacy (DP). RP is a transformation function that projects high-dimensional data, such as user behavioral data, into a lower-dimensional space as a template while maintaining the essential distance relationships between data points with high probability. In addition, RP is an inherently lossy process, making it a type of irreversible transformation. On the other hand, DP is one of the main approaches that has been proven to ensure strong privacy protection in statistical data analysis. DP ensures users’ data privacy by adding controlled noise to the original dataset or in the learning parameters. By applying RP to behavioral profiles, the BA system effectively reduces the dimensionality of the data to make DP more effective. Furthermore, the inclusion of local DP with RP guaranties user profile privacy against statistical computations, ensuring that attackers cannot retrieve sensitive information about individuals in the training dataset. Moreover, both RP and DP will allow the use of an ML-based classifier in BA systems to authenticate users accurately without exposing raw, sensitive behavioral data. RP and DP will also protect the privacy of the user’s profile and verification data during transmission to the verifier. The use of these two non-cryptographic approaches will also make the system well-suited for deployment on low-computation devices, such as IoT and mobile devices, which are commonly used to collect users’ behavioral data and authenticate them.

The proposed system also distinguishes itself by proposing a holistic approach to privacy in alignment with the ISO/IEC 24745 standard privacy-preserving properties. Renewability allows BA users to revoke compromised profile templates and create new ones by simply altering the secret random matrices used in RP and locally adding DP noise, thereby maintaining continuous security. When a profile is projected using two different random matrices in RP, it generates two distinct projected profiles (templates), and the addition of local noise further separates them, making it computationally infeasible for attackers to link the noisy projected profiles for cross-matching attacks. Furthermore, the irreversibility of RP combined with the randomized perturbations introduced by DP makes it infeasible for an attacker to recover the original behavioral pattern from noisy transformed profiles.

A conference version of this paper was published in [24]. In this extended version, we significantly expand the previous work by including DP, providing additional analysis, experimental results, a formalization of the Generative Adversarial Network (GAN)-based privacy attack, and new formal mathematical proofs of all three ISO/IEC 24745 properties. In general, the contributions in this paper can be described as follows.

• We present a novel privacy-preserving BA system designed specifically for low-computation devices. By leveraging the data protection capabilities of RP and local DP, this system effectively addresses the challenges posed by high-dimensional data while safeguarding sensitive behavioral information.
• Our system maintains high accuracy while preserving the essential privacy attributes of authentication systems-renewability, unlinkability, and irreversibility-in alignment with the ISO/IEC 24745 standard within the BA systems framework.
• We designed a novel GAN-based privacy attack model to thoroughly evaluate the system’s irreversibility. Additionally, we systematically analyzed all other key privacy requirements.
• Experimental validation using three distinct behavioral datasets confirmed our theoretical analyses, demonstrating the system’s practical effectiveness, robustness, and resilience, establishing a strong foundation for real-world implementation.
• We provide new formal security games for all three ISO/IEC 24745 properties, and derive rigorous mathematical proofs including information-theoretic lower bounds (Cramér-Rao), full Jensen-Shannon divergence derivations, and GAN Nash-equilibrium attack bounds.

Contribution and Novelty Highlights

• New acronym - RUIP-BA: The acronym RUIP-BA (Renewable, Unlinkable, Irreversible Privacy-Preserving Behavioral Authentication) directly encodes the three ISO/IEC 24745 properties in the system name, making the contribution immediately transparent. This distinguishes RUIP-BA from prior systems where the acronym encodes only the technical method.
• Unified framework novelty: RUIP-BA unifies geometric template protection (RP) and formal stochastic privacy protection (local DP) in one deployable BA pipeline for low-resource platforms.
• Algorithmic novelty: The paper presents a complete modular algorithm stack covering profile enrollment, claim verification, template re-issuance, unlinkability testing, adversarial privacy evaluation, and DP parameter calibration.
• Formal-analysis novelty: We provide new explicit mathematical derivations with axiom, lemma, and theorem level statements for all three properties. Specifically: (i) a Bhattacharyya-coefficient renewal bound via Hanson-Wright concentration; (ii) a full KL/JS divergence derivation for unlinkability under Gaussian mechanism; (iii) a Cramér-Rao/Bayesian MMSE bound for irreversibility showing that null-space information cannot be recovered; and (iv) a GAN Nash-equilibrium privacy bound.
• Adversarial-evaluation novelty: We model GAN-based inversion explicitly as a formal security game and bound attack effectiveness through the mutual information bottleneck and information-channel capacity of the protected template.

The structure of the paper is as follows. Section 2 reviews related work, while Section 3 provides the necessary background information. Section 4 describes the proposed privacy-preserving BA system, including the registration and verification phases, along with a detailed privacy analysis. Section 5 outlines the GAN-based privacy attack model used to evaluate system robustness. Section 6 presents the experimental results, covering system performance, renewability, unlinkability, the impact of attacks on irreversibility, and a comparison of results. Finally, Section 7 summarizes the key findings of this work and future directions.

Notation.Table 1 summarizes the key notations used most frequently in this paper.

2. Related Work

Recent advances in BA systems  [1,2,16,25,26] have demonstrated significant potential to enhance security by leveraging unique user behavioral patterns. These designs enable continuous authentication by allowing partial verification of each sample, as outlined in the survey by Meng et al.[27]. Recent efforts have improved classification accuracy using neural network (NN)-based classifiers in behavioral systems such as mouse movements [2], gaits [3], and keystrokes [4]. Privacy-preserving authentication is essential for ensuring secure and confidential user interactions across various applications. Several studies have investigated different privacy-preserving authentication approaches that utilize (i) cryptographic techniques and (ii) non-cryptographic approaches.

2.1. Cryptographic Approach

Cryptographic approaches commonly include key binding (fuzzy vault, fuzzy commitment), key generation, two-party computation protocols, homomorphic encryption, zero-knowledge proof, and blockchain-based schemes. In [28], the key binding approach involves associating user biometric data with cryptographic keys. Methods like fuzzy vault [9] and fuzzy commitment [10] hide a key using biometric data or link the key to the data. Key generation approaches [29] use biometric features, such as fingerprints or iris patterns, to produce unique and high-entropy cryptographic keys. The authors of [30] propose a flexible and scalable method using a two-party computation protocol to compare features with an encrypted profile, ensuring identity protection and data integrity. Similarly, the authors of [16] introduce a continuous authentication protocol that preserves privacy based on homomorphic encryption. The authors of [12] propose a decentralized, anonymous multifactor authentication scheme that leverages blockchain and zero-knowledge proofs. By eliminating the need for trusted third parties, their approach provides robust privacy guaranties. In [13], the authors propose a multifactor authentication system that integrates biometrics and blockchain technologies to enhance both system security and privacy. This type of approach avoids centralized storage for the biometric data by using blockchain to store the data in a decentralized, immutable ledger, preventing unauthorized access and large-scale breaches. While these methods effectively safeguard user data confidentiality, they are primarily tailored for biometric systems and experience significant performance degradation when applied to noisy behavioral data. Moreover, they are less effective for systems with low-computation devices, such as IoT and mobile devices.

2.2. Non-Cryptographic Approach

Among all existing non-cryptographic techniques, cancelable biometrics using RP is the most widely adopted approach for biometric and behavioral biometric systems. RP operates by projecting biometric and behavioral features’ vectors onto a random subspace. Studies such as [23,31,32,33,34,35] provide a comprehensive insights of RP-based methods for biometric and behavioral biometric authentication systems. These studies employ RP to secure biometric and behavioral data by rendering them irreversible. However, most RP-based approaches rely on traditional distance-based verification algorithms, and relatively few incorporate ML-based techniques or address all the requirements of privacy-preserving authentication systems.

DP-based methods [18,19] obfuscate behavioral data to balance privacy and recognition accuracy. In [18], the authors applied DP in the IoT domain to protect multimedia data privacy. Similarly, [19] explored DP in face recognition, employing local DP. These approaches are particularly suitable for resource-constrained environments and effectively safeguard privacy. However, they face a trade-off between privacy and utility, particularly for high-dimensional data, which can adversely affect the system recognition accuracy. Additionally, DP can be combined with cryptographic techniques to enhance security. For example, Loya and Bana [15] proposed a protocol that uses fully homomorphic encryption with DP to secure keystroke data. Recently, Wazzeh et al. [20] introduced a federated learning-based continuous authentication system to mitigate the privacy risk. However, federated learning methods face challenges when dealing with clients that possess only positive class data, which can affect system performance. Moreover, ensuring that all three privacy requirements are met for privacy-preserving authentication systems is essential.

3. Background

3.1. Random Projection (RP)

RP is a mathematical technique that is used to reduce the dimensionality of the data while approximately preserving the pairwise Euclidean distances between data points. Given a high-dimensional vector ${\mathbf{x}}_{\mathbf{i}}$, RP projects it into a lower-dimensional space, resulting in a vector ${\mathbf{x}}_{\mathbf{i}}^{\prime }$. For a profile $\mathbf{X}$, RP transformation is defined as ${\mathbf{X}}^{\prime }={\displaystyle \frac{1}{\sqrt{k}{\sigma }_r}}\mathbf{R}\mathbf{X}$ or, more simply, ${\mathbf{X}}^{\prime }=\mathbf{R}\mathbf{X}$, where $\mathbf{R}$ is a random matrix and ${\mathbf{X}}^{\prime }$ is a transformed profile.

The foundational theory of RP is based on the Johnson-Lindenstrauss (JL) lemma [36], which states that a set of points in a high-dimensional space can be projected into a lower-dimensional space while preserving pairwise Euclidean distances within a small error margin. This property makes RP an approximate isometry transformation, suitable for privacy-preserving systems, as RP ensures that data relationships are maintained while obscuring the original features. Extensions of the JL lemma have further refined the minimum acceptable dimension to preserve these distances [37], ensuring that the transformation is effective and efficient for ML-based systems. The dimensionality reduction process in RP introduces a degree of data loss. On the other hand, the random matrix used in RP introduces randomness in the transformation process. Both processes make RP a kind of irreversible transformation.

The random matrix in RP can be generated through various distributions and can be kept secret. Although the original RP method employs Gaussian distributions to generate matrix components, practical applications often prefer computationally efficient alternatives. For example, [38] introduced a discretized form of the Gaussian distribution, where the components of the random matrix $\mathbf{R}$ are generated from a set $\{+1,0,-1\}$ with probabilities $Pr(r_{ij}=+1)={\displaystyle \frac{1}{2\varphi }}$, $Pr(r_{ij}=0)=1-{\displaystyle \frac{1}{\varphi }}$, and $Pr(r_{ij}=-1)={\displaystyle \frac{1}{2\varphi }}$, respectively and $r_{ij}\in \mathbf{R}$. Setting $\varphi =3$ provides a balance between preserving distance properties and computational efficiency, making RP particularly useful for resource-constrained devices.

The mathematical analysis of RP-based methods for privacy preservation was first explored for biometric data by [31,32,33,34,35] and later adapted for behavioral biometrics in [23]. These studies demonstrated that RP transformations can effectively obscure sensitive data while maintaining the utility of data for authentication. The key idea is that projecting high-dimensional data into a lower-dimensional subspace makes it challenging to reconstruct the original data, as RP is a lossy process, thereby enhancing privacy. Despite its advantages, most existing RP-based approaches primarily rely on traditional distance-based verification methods.

Theorem 1

(Johnson-Lindenstrauss (JL) Lemma [37]). For any ${ϵ}_{jl}\in (0,1)$, integer $n\ge 1$, and any set P of n points in ${\mathbb{R}}^d$, if

$$k\ge {\displaystyle \frac{4lnn}{{ϵ}_{jl}^2/2-{ϵ}_{jl}^3/3}},$$

then there exists a Lipschitz function $f:{\mathbb{R}}^d\to {\mathbb{R}}^k$ such that for all $\mathbf{u},\mathbf{v}\in P$:

$$(1-{ϵ}_{jl}){\parallel \mathbf{u}-\mathbf{v}\parallel }^2\le \parallel f\left(\mathbf{u}\right)-f\left(\mathbf{v}\right){\parallel }^2\le (1+{ϵ}_{jl}){\parallel \mathbf{u}-\mathbf{v}\parallel }^2.$$

For RUIP-BA with voice data ($n=200$, ${ϵ}_{jl}=0.5$), this requires $k\ge 73$. With swipe data ($n=300$, ${ϵ}_{jl}=1.0$), $k\ge 30$. With drawing data ($n=300$, ${ϵ}_{jl}=0.7$), $k\ge 46$ as illustrated in Table 2.

Lemma 1

(RP ${\ell }_2$ Sensitivity [38]). For a random matrix $\mathbf{R}\in {\mathbb{R}}^{k\times d}$ with i.i.d. Achlioptas entries ($\varphi =3$), the ${\ell }_2$ sensitivity of the projection map $g\left(\mathbf{x}\right)=\mathbf{R}\mathbf{x}$ satisfies

$${\Delta }_2\left(g\right)=\underset{\mathbf{x}\sim {\mathbf{x}}^{\prime }}{max}{\parallel \mathbf{R}(\mathbf{x}-{\mathbf{x}}^{\prime })\parallel }_2\le \sqrt{{\displaystyle \frac{k}{\varphi }}}·{\Delta }_x,$$

where ${\Delta }_x$ is the ${\ell }_2$ sensitivity of the raw data. Concretely, for swipe features ($d=33$, $k=30$, $\varphi =3$, ${\Delta }_x\le \sqrt{33}$ as shown in Table 2): ${\Delta }_2\left(g\right)\le \sqrt{10·33}=\sqrt{330}\approx 18.2$. For bounded features in ${[0,1]}^d$, a tighter bound ${\Delta }_2\left(g\right)\le \sqrt{k/\varphi }$ applies when profiles differ in one sample by one unit.

Proof. 

Each entry $R_{ij}\in \{+1,0,-1\}$ has $\mathbb{E}\left[R_{ij}\right]=0$ and $\mathrm{Var}\left(R_{ij}\right)=1/\varphi$. For any $\mathbf{v}=\mathbf{x}-{\mathbf{x}}^{\prime }$ with ${\parallel \mathbf{v}\parallel }_2\le {\Delta }_x$:

$$\mathbb{E}\left[{\parallel \mathbf{R}\mathbf{v}\parallel }_2^2\right]=\sum _{i=1}^k\mathbb{E}\left[{\left(\sum _{j=1}^d{R}_{ij}{v}_j\right)}^2\right]=\sum _{i=1}^k\sum _{j=1}^d{v}_j^2\mathrm{Var}\left(R_{ij}\right)={\displaystyle \frac{k}{\varphi }}{\parallel \mathbf{v}\parallel }_2^2\le {\displaystyle \frac{k}{\varphi }}{\Delta }_x^2.$$

Taking the square root and noting that ${\parallel \mathbf{R}\mathbf{v}\parallel }_2\le \sqrt{{\mathbb{E}[\parallel \mathbf{R}\mathbf{v}\parallel }_2^2]+O\left(\sqrt{kln(1/\delta )}\right){\Delta }_x}$ with high probability, we obtain the stated bound.    □

3.2. Differential Privacy (DP)

The primary goal of DP is to enable the analysis of a dataset’s properties, representing a population while ensuring that no individual information is revealed. Essentially, DP introduces noise to statistical queries or individual data points in the original dataset to ensure that an adversary cannot determine whether a specific individual is included in the data. As originally defined in [39], central DP assumes users trust the central server and send their unaltered data to be stored on the server. The server then applies DP noise to perturb the data before sharing the results with un-trusted third parties for analysis, a method known as central DP. In contrast, local DP ensures that each user’s data remains private even before it is shared with the server. DP noise is added at the client level to provide DP guarantees, protecting users’ data privacy even if the server is un-trusted.

The concept of $ϵ$-DP, introduced in [39], formally defines DP. This definition was later extended to $(ϵ,\delta )$-DP, which incorporates an additional $\delta$ term to account for the privacy guaranties provided by the Gaussian distribution.

Definition 1.(ϵ-Differential Privacy) A mechanism or algorithm $\mathcal{M}$ satisfies ϵ-differential privacy if, for all neighboring datasets D and $D^{\prime }\in D^n$, and for all subsets $S\subseteq Y$, where Y represents the set of all possible outputs, $\mathcal{M}$ satisfies the condition $Pr[\mathtt{M}\left(D\right)\in S]\le e^{ϵ}Pr[\mathtt{M}\left(D^{\prime }\right)\in S]$. This implies that the output of the mechanism $\mathcal{M}$ applied to D is nearly indistinguishable from the output when $\mathcal{M}$ is applied to $D^{\prime }$. Smaller values of ϵ result in stronger privacy guarantees.

Definition 2.(($ϵ,\delta$)-Differential Privacy) A mechanism or algorithm $\mathcal{M}$ satisfies $(ϵ,\delta )$-differential privacy if, for all neighboring datasets D and $D^{\prime }\in D^n$, and for all subsets $S\subseteq Y$, where Y represents the set of all possible outputs, $\mathcal{M}$ holds the condition $Pr[\mathtt{M}\left(D\right)\in S]\le e^{ϵ}Pr[\mathtt{M}\left(D^{\prime }\right)\in S]+\delta .$ This means that the output of the mechanism $\mathcal{M}$ applied to D is nearly indistinguishable from the output when $\mathcal{M}$ is applied to $D^{\prime }$, with a small probability of failure captured by δ. Smaller values of ϵ and δ result in stronger privacy guarantees.

A mechanism $\mathcal{M}$ satisfies ($ϵ,\delta$)-DP if it guarantees $ϵ$-DP with a probability of at least $1-\delta$, while allowing a failure probability of up to $\delta$.

Various probability distributions have been proposed in the literature to satisfy $ϵ$-DP and $(ϵ,\delta )$-DP. Among the most widely used are the Laplace mechanism [39] and the Gaussian mechanism [40], both of which are utilized in this paper. The Laplace mechanism is particularly popular for its versatility, as it can be applied to various types of data [41]. Laplace mechanism operates by adding noise sampled from the continuous Laplace distribution, $Lap(0,{\displaystyle \frac{{\Delta }_f}{ϵ}})$. In contrast, the Gaussian mechanism satisfies the requirements of the newer $(ϵ,\delta )$-DP framework and supports efficient management of privacy budget under composition, making it a robust choice for complex privacy-preserving scenarios.

Definition 3.

Given a function $f:D^n\to Y$, where Y is the set of all possible outputs, and $ϵ>0$. The Laplace mechanism is defined as $\mathtt{M}\left(D\right)=f\left(D\right)+Lap(0,{\displaystyle \frac{{\Delta }_f}{ϵ}})$.

Definition 4.

Given two neighboring datasets D and $D^{\prime }$ in the dataset universe $D^n$, a query function $f:D^n\to Y$, where Y is the set of all possible outputs and $ϵ>0$. An ϵ- Gaussian DP mechanism (ϵ-GDP) defined as $\mathtt{M}\left(D\right)=f\left(D\right)+\mathcal{N}(0,{\displaystyle \frac{{\Delta }_f^2}{{ϵ}^2}})$, where ${\displaystyle \frac{{\Delta }_f^2}{{ϵ}^2}}$ stands for the normal distribution.

In RUIP-BA, applying RP projection followed by local DP to the same behavioral profile therefore consumes a total budget of $(ϵ,\delta )$ as specified by the user.

Lemma 2

(Gaussian Noise Calibration). Given sensitivity ${\Delta }_2$ from Lemma 1 and privacy budget $(ϵ,\delta )$ with $ϵ\le 1$, adding $\eta \sim \mathcal{N}(0,{\sigma }^2{\mathbf{I}}_k)$ with

$$\sigma ={\displaystyle \frac{{\Delta }_2\sqrt{2ln(1.25/\delta )}}{ϵ}}$$

yields $(ϵ,\delta )$-DP for the projected output $\widehat{\mathbf{X}}=\mathbf{R}\mathbf{X}+\eta$.Concrete example (voice data): ${\Delta }_2\approx 5.60$ (for $d=104$, $k=94$, features in $[0,1]$ as mentioned in Table 2), $ϵ=7$, $\delta ={10}^{-5}$ gives $\sigma \approx 3.81$.

3.3. Profile Similarity

Jensen-Shannon (JS) divergence, also known as information radius (IRad) [42], can be used to measure the symmetric divergence between two probability distributions, making it a suitable choice for assessing similarity between behavioral profiles. JS divergence is based on the concept of Kullback-Leibler (KL) divergence (also known as relative entropy). KL divergence quantifies the “distance” between two probability distributions. However, KL divergence is asymmetric, limiting its applicability in certain contexts. JS divergence addresses this limitation by being symmetric and bounded, making it more appropriate for comparing distributions in many scenarios.

For two probability distributions $\mathbf{X}$ and $\mathbf{Y}$, the KL divergence, $D_{KL}\left(\mathbf{X}\right|\left|\mathbf{Y}\right)$, measures how a distribution $\mathbf{Y}$ diverges from an expected reference distribution $\mathbf{X}$. JS divergence resolves the asymmetry of KL divergence by averaging it in both directions. The symmetric formula for JS divergence is given as:

$$D_{JS}\left(\mathbf{X}\right|\left|\mathbf{Y}\right)={\displaystyle \frac{1}{2}}(D_{KL}\left(\mathbf{X}\right|\left|\mathbf{Z}\right)+D_{KL}\left(\mathbf{Y}\right|\left|\mathbf{Z}\right)),$$

where $\mathbf{Z}={\displaystyle \frac{1}{2}}(\mathbf{X}+\mathbf{Y})$ is the mixture distribution, representing the average of $\mathbf{X}$ and $\mathbf{Y}$.

The KL divergence quantifies the asymmetric difference (in bits) of profile $\mathbf{Y}$ relative to profile $\mathbf{X}$. When sample sizes in the profiles are limited, the k-NN divergence estimator [43] provides more accurate KL divergence estimates. In this work, we use the k-NN divergence estimator to calculate the KL divergence, which is then used in the JS divergence to effectively measure the similarity between two profiles.

4. Proposed RUIP-BA System

Figure 1 presents the architecture of the proposed RUIP-BA system. A BA system consists of two primary components: a prover and a verifier. The prover, also known as the profile generator, is a software operating on user devices to collect behavioral data, construct profiles, and send them to the verifier. Typically, a verifier is an online server that uses all available profiles to train an ML classifier. The trained classifier is then used to evaluate all verification requests. Recently, neural network (NN)-based classifiers have been developed to classify mouse movements [2], gaits [3], and keystrokes [4] of the users.

A profile $\mathbf{X}$ in a BA system consists of m vectors $\{{\mathbf{x}}_{\mathbf{1}},{\mathbf{x}}_{\mathbf{2}},\cdots ,{\mathbf{x}}_{\mathbf{m}}\}$ of dimension d, where each dimension represents a behavioral feature and each vector represents a measurement of all d features. The verifier collects N profiles from N users during the registration phase. Traditional distance-based algorithms $\mathrm{Ver}(·,·)$ store the collected profiles in a database, while ML classifier-based algorithms train a NN-based classifier $\mathcal{C}(·)$ using the collected profiles. In both cases, a verification request is a tuple $(u_i,\mathbf{Y})$, where $u_i$ is an identity, and $\mathbf{Y}$ contains n ($n<m$) behavioral samples $\{{\mathbf{y}}_{\mathbf{1}},{\mathbf{y}}_{\mathbf{2}},\cdots ,{\mathbf{y}}_{\mathbf{n}}\}$. Distance-based algorithms $\mathrm{Ver}({\mathbf{X}}_i,{\mathbf{Y}}_i)$ measure the distance between ${\mathbf{X}}_i$ and ${\mathbf{Y}}_i$, returning an accept or reject decision based on a predefined threshold. In contrast, ML classifier-based algorithms input $\mathbf{Y}$ to the trained classifier $\mathcal{C}(·)$ to generate n prediction vectors $\widehat{y_1},\widehat{y_2},\cdots ,\widehat{y_n}$, which are aggregated into a final accept or reject decision.

The performance of a robust BA system is typically quantified by metrics such as False Acceptance Rate (FAR) and False Rejection Rate (FRR). FAR is the probability of accepting an access request coming from an unauthorized user, while FRR is the probability of rejecting an access request coming from an authorized user. Moreover, the JS divergence can be used to assess the similarity between two profiles by treating them as two probability distributions.

4.1. Development of a Privacy-Preserving BA System

Building on the foundational principles and privacy-preserving mechanisms discussed earlier, we introduce a novel BA system that leverages both RP and DP. This system is designed to enhance both accuracy and user data privacy, specifically crafted for low-computing devices such as IoT devices and smartphones. Figure 1 illustrates the overall structure and workflow of our proposed privacy-preserving BA system. Here, RP reduces the dimensionality of profiles, effectively obfuscating sensitive attributes while preserving the relationships between them. DP maintains individual users’ data privacy by adding controlled noise to the projected profiles and safeguards the profiles’ privacy against statistical computations.

The proposed privacy-preserving BA system comprises two main phases: the registration phase and the verification phase. Each phase is optimized to ensure seamless integration of RP and DP data into the BA classifier while preserving user privacy and adhering to the key principles of renewability, unlinkability, and irreversibility. The details of these phases are outlined in the next two sections.

4.1.1. Registration Phase

The registration phase is responsible for initializing parameters and preparing user profiles to train an ML-based classifier. It involves four primary tasks: random matrix generation, profile transformation, noise addition, and training of an NN-based BA classifier.

• Random matrix generation: To initiate the registration process, a user $u_i$ first generates a random matrix ${\mathbf{R}}_i$ on their device using a private random seed. This matrix serves as a unique key for projecting the user’s BA profile.
• Profile transformation: For each profile ${\mathbf{X}}_i$ of user $u_i$, the device applies the RP transformation to produce a projected profile ${\mathbf{X}}_i^{\prime }={\mathbf{R}}_i{\mathbf{X}}_i$. The RP transformation follows a Lipschitz mapping $f:{\mathbb{R}}^d\to {\mathbb{R}}^k$, project the data from d dimensions to k dimensions, where $k<d$. To enhance computational efficiency, we employ the discrete distribution discussed earlier for RP with $\varphi =3$.
• Additive noise: The user applies local DP to add noise to the projected profile ${\mathbf{X}}_i^{\prime }$, transforming it into a noisy projected profile $\widehat{\mathbf{X}}=\mathtt{M}\left({\mathbf{X}}_i^{\prime }\right)$ before transmitting it to the verifier. The client chooses the values of $ϵ$ and $\delta$ for DP, where smaller $ϵ$ and $\delta$ are preferred for stronger privacy.
• Training a BA classifier: The verifier collects all N noisy projected profiles $\{{\widehat{\mathbf{X}}}_1,{\widehat{\mathbf{X}}}_2,\cdots ,{\widehat{\mathbf{X}}}_N\}$ from N users and uses them to train a NN-based BA classifier $\mathcal{C}(·)$. The verifier may act as a third party service provider, deploying $\mathcal{C}(·)$ through a Machine Learning as a Service (MLaaS).

The random matrix for RP is generated using a seed. In the proposed system, each user possesses a private random seed, similar to a PIN, which they use to generate the random matrix. This design removes the requirement for specialized hardware to securely store the seed, as it can simply be memorized by the user. The $ϵ$ and $\delta$ values of DP chosen by each user are kept confidential, although the type of added noise is public information.

4.1.2. Verification Phase

The verification phase handles the process of authenticating a user based on their noisy transformed verification data. The verification algorithm $\mathrm{Ver}(·,·)$ ensures that only valid users are granted access, leveraging the output of the trained NN-based BA classifier.

• Profile transformation for verification: When a verification request $(u_i,{\mathbf{X}}_i)$ is initiated, user device collects and transforms the verification profile ${\mathbf{Y}}_i$ into ${\mathbf{Y}}_i^{\prime }={\mathbf{R}}_i{\mathbf{Y}}_i$ using ${\mathbf{R}}_i$, which is generated from the secret seed. DP noise is then added to the transformed profile ${\mathbf{Y}}_i^{\prime }$ through local DP, resulting in noisy projected verification data ${\widehat{\mathbf{Y}}}_i=\mathtt{M}\left({\mathbf{Y}}_i^{\prime }\right)$. The device subsequently transmits ${\widehat{\mathbf{Y}}}_i$ along with the user identity $u_i$ to the verifier as a verification claim $(u_i,{\widehat{\mathbf{Y}}}_i)$.
• Verification process: The verification algorithm $\mathrm{Ver}(·,·)$ verifies the claim with the help of the trained BA classifier $\mathcal{C}(·)$. For $\mathcal{C}\left({\widehat{\mathbf{Y}}}_i\right)$, the output will be the n prediction vectors $\{\widehat{y_1},\widehat{y_2},\cdots ,\widehat{y_n}\}$. These predictions are then aggregated into a single binary decision: accept or reject.

The use of an ML classifier in the verification process ensures that user authentication remains accurate while preserving data privacy through RP and DP. Our system ensures privacy by transforming user data into lower-dimensional subspaces, effectively concealing sensitive attributes. Additionally, differential privacy techniques are applied to protect individual user information, ensuring that the system maintains robust privacy guarantees.

4.2. Complete Algorithmic Realization

To provide a complete and implementation-oriented specification of RUIP-BA, we describe all major algorithms used in this paper. To avoid margin overflow, the full workflow is decomposed into one main algorithm and five sub-algorithms.

Algorithm 1 RUIP-BA Main Workflow

Require:  User set $\mathcal{U}$, profile generator, verifier, projection dimension k, DP parameters $(ϵ,\delta )$ Ensure : Trained classifier $\mathcal{C}(·)$, privacy-evaluation reports, updated templates if needed 1: RegistrationSubalgorithm($\mathcal{U},k,ϵ,\delta$)            ▹ Subalg. A: Enrollment + model training 2: VerificationSubalgorithm($\mathcal{U},\mathcal{C}(·)$)               ▹ Subalg. B: Authenticate claims 3: RenewalSubalgorithm($\mathcal{U},\mathcal{C}(·)$)                  ▹ Subalg. C: Revoke and re-enroll 4: UnlinkabilitySubalgorithm($\mathcal{U}$)                ▹ Subalg. D: JS-divergence testing 5: GANPrivacyAttackSubalgorithm($\mathcal{U}$)         ▹ Subalg. E: GAN adversarial evaluation 6: return $\mathcal{C}(·)$ and all privacy-performance metrics

Algorithm 2 Subalgorithm A: Registration (Enrollment and Model Training)

Require:  User $u_i$ with raw profile ${\mathbf{X}}_i\in {\mathbb{R}}^{d\times m}$, secret seed $s_i$, target dimension k, DP mechanism $\mathcal{M}$ with budget $({ϵ}_i,{\delta }_i)$ Ensure : Noisy projected profile ${\widehat{\mathbf{X}}}_i$ uploaded to verifier; classifier $\mathcal{C}(·)$ trained on all users’ profiles 1: for each user $u_i\in \mathcal{U}$ do 2:     Generate ${\mathbf{R}}_i\leftarrow RandMat(s_i,k,d)$ using Achlioptas distribution with $\varphi =3$            ▹ Eq. $Pr(r_{ij}=\pm 1)=1/6$ and $Pr(r_{ij}=0)=2/3$ and $r_{ij}\in {\mathbf{R}}_i$ 3:     Project: ${\mathbf{X}}_i^{\prime }\leftarrow {\mathbf{R}}_i{\mathbf{X}}_i$                  ▹ Dimensionality: ${\mathbb{R}}^{d\times m}\to {\mathbb{R}}^{k\times m}$ 4:     Compute ${\ell }_2$ sensitivity: ${\Delta }_2\leftarrow \sqrt{k/\varphi }·{\Delta }_x$                   ▹ Lemma 1 5:     Calibrate noise: ${\sigma }_i\leftarrow {\Delta }_2\sqrt{2ln(1.25/{\delta }_i)}/{ϵ}_i$                  ▹ Lemma 2 6:     Perturb: ${\widehat{\mathbf{X}}}_i\leftarrow {\mathbf{X}}_i^{\prime }+\mathcal{N}(0,{\sigma }_i^2{\mathbf{I}}_k)$                   ▹ Local DP on device 7:     Send ${\widehat{\mathbf{X}}}_i$ to verifier 8: end for 9: Train $\mathcal{C}(·)$ on ${\left\{{\widehat{\mathbf{X}}}_i\right\}}_{i=1}^N$ using NN architecture (Section 6) 10: return  $\mathcal{C}(·)$

Algorithm 3 Subalgorithm B: Verification

Require:  Verification claim $(u_i,{\mathbf{Y}}_i)$ where ${\mathbf{Y}}_i\in {\mathbb{R}}^{d\times n}$; secret seed $s_i$; trained classifier $\mathcal{C}(·)$; threshold $\tau$ Ensure : Accept/Reject decision 1: Recompute ${\mathbf{R}}_i\leftarrow RandMat(s_i,k,d)$                 ▹ Same seed as enrollment 2: ${\mathbf{Y}}_i^{\prime }\leftarrow {\mathbf{R}}_i{\mathbf{Y}}_i$                            ▹ Project verification data 3: ${\widehat{\mathbf{Y}}}_i\leftarrow {\mathbf{Y}}_i^{\prime }+\mathcal{N}(0,{\sigma }_i^2{\mathbf{I}}_k)$                      ▹ Add DP noise with same ${\sigma }_i$ 4: $\widehat{\mathbf{y}}\leftarrow \mathcal{C}\left({\widehat{\mathbf{Y}}}_i\right)$                              ▹n prediction vectors 5: $p_i\leftarrow AggregateConfidence\left(\widehat{\mathbf{y}}\right)={\displaystyle \frac{1}{n}}{\sum }_{t=1}^n{\widehat{y}}_{t,u_i}$ 6: if$p_i\ge \tau$then 7:     return Accept                 ▹ e.g., $p_i=0.97>\tau =0.50$: phone unlocked 8: else 9:     return Reject                  ▹ e.g., $p_i=0.12<\tau$: mimic swipe denied 10: end if

Algorithm 4 Subalgorithm C: Template Renewal and Model Update

Require:  Compromised user $u_i$, old parameters $({\mathbf{R}}_i,{ϵ}_i,{\delta }_i)$, re-capture plain profile ${\mathbf{X}}_i$ Ensure : Old template revoked; fresh unlinkable template active; classifier updated 1: Generate new seed $s_i^{\prime }\ne s_i$ and derive ${\mathbf{R}}_i^{\prime }\leftarrow RandMat(s_i^{\prime },k,d)$        ▹${\mathbf{R}}_i^{\prime }\perp {\mathbf{R}}_i$ almost surely 2: Choose new privacy budget $({ϵ}_i^{\prime },{\delta }_i^{\prime })$           ▹ May tighten for stronger protection 3: ${\mathbf{X}}_i^{\prime }\leftarrow {\mathbf{R}}_i^{\prime }{\mathbf{X}}_i$ 4: Recalibrate: ${\sigma }_i^{\prime }\leftarrow {\Delta }_2\sqrt{2ln(1.25/{\delta }_i^{\prime })}/{ϵ}_i^{\prime }$ 5: ${\widehat{\mathbf{X}}}_i^{\prime }\leftarrow {\mathbf{X}}_i^{\prime }+\mathcal{N}(0,{\sigma }_i^{\prime 2}{\mathbf{I}}_k)$ 6: Revoke old ${\widehat{\mathbf{X}}}_i$ from verifier database              ▹$Pr[{\widehat{\mathbf{X}}}^{\prime }=\widehat{\mathbf{X}}]\approx 0$ by Theorem 5 7: Update verifier with ${\widehat{\mathbf{X}}}_i^{\prime }$; retrain/fine-tune $\mathcal{C}(·)$ 8: return updated $\mathcal{C}(·)$

Algorithm 5 Subalgorithm D: Unlinkability Evaluation

Require:  Protected templates under three scenarios: (s1) different source, (s2) same source different keys, (s3) same source same key Ensure:  Distribution-level unlinkability decision 1: for each scenario pair $(a,b)\in \left\{\right(s1,s2),(s2,s3\left)\right\}$ do 2:     Compute JS divergences ${\left\{D_{JS}({\widehat{\mathbf{X}}}_j^{\left(a\right)},{\widehat{\mathbf{X}}}_j^{\left(b\right)})\right\}}_j$ using k-NN estimator 3:     Compute divergence distribution ${\mathcal{P}}_{(a,b)}$ 4: end for 5: Run KS test: $KSTest({\mathcal{P}}_{(s1,s2)},{\mathcal{P}}_{(s2,s3)})$ returns p-value $p_{12}$ and $p_{23}$ 6: if$p_{12}\gg p_{23}$ and $p_{12}>0.05$ then 7:     Conclude: unlinkability is satisfied    ▹ Cases 1 and 2 are statistically indistinguishable 8: else 9:     Flag: potential linkage risk detected 10: end if 11: return unlinkability verdict and p-values

Algorithm 6 Subalgorithm E: GAN-Based Privacy Attack and Evaluation

Require:  Auxiliary plain profiles $\left\{{\mathbf{X}}_j^{aux}\right\}$, projected noisy counterparts $\left\{{\widehat{\mathbf{X}}}_j^{aux}\right\}$, attack generator $\mathcal{G}$, discriminator $\mathcal{D}$, reconstruction weight ${\lambda }_{\mathrm{recon}}$ Ensure : Recoverability score $\rho$ and privacy conclusion 1: Build training pairs $({\widehat{\mathbf{X}}}^{aux},{\mathbf{X}}^{aux})$ 2: for each epoch $t=1,\dots ,T_{max}$ do 3:     Update $\mathcal{D}$: maximize ${\mathcal{L}}_D=\mathbb{E}[log\mathcal{D}\left(\mathbf{X}\right)]+\mathbb{E}[log(1-\mathcal{D}\left(\mathcal{G}\left(\widehat{\mathbf{X}}\right)\right))]$ 4:     Update $\mathcal{G}$: minimize ${\mathcal{L}}_G=-\mathbb{E}[log\mathcal{D}\left(\mathcal{G}\left(\widehat{\mathbf{X}}\right)\right)]+{\lambda }_{\mathrm{recon}}·{\parallel \mathcal{G}\left(\widehat{\mathbf{X}}\right)-\mathbf{X}\parallel }_2^2$ 5: end for 6: Reconstruct: ${\overline{\mathbf{X}}}_j\leftarrow \mathcal{G}\left({\widehat{\mathbf{X}}}_j^{comp}\right)$ for each compromised profile j 7: Run per-feature KS test between $\left\{{\overline{X}}_{j,l}\right\}$ and $\left\{X_{j,l}^{*}\right\}$ for all features $l=1,\dots ,d$ 8: Compute ${\rho }_j={\displaystyle \frac{1}{d}}{\sum }_{l=1}^d\mathbf{1}\left[\mathrm{KS}-\mathrm{test}({\overline{X}}_{j,l},X_{j,l}^{*})\mathrm{passes}\right]$ 9: Check ${\mathbb{E}}_j\left[{\rho }_j\right]\le {\rho }_{max}(ϵ,\delta ,k,d)$ from Theorem 8 10: return$\left\{{\rho }_j\right\}$ and privacy status

4.3. Privacy Analysis of the Proposed BA System

In this section, we examine the key privacy attributes of our proposed BA system, taking into account various attack types. These attributes are crucial to ensure robust privacy safeguards in BA systems.

4.3.1. Formal Privacy Security Games

We formalize the three ISO/IEC 24745 privacy properties as security games between a challenger $\mathsf{Ch}$ and a PPT (probabilistic polynomial-time) adversary $\mathcal{A}$.

Definition 5

(Renewability Security Game ${\mathsf{Game}}^{\mathsf{REN}}$).

1. 

Setup. $\mathsf{Ch}$ fixes RUIP-BA parameters $(k,d,\varphi ,ϵ,\delta )$.

2. 

Challenge generation. $\mathsf{Ch}$ selects a profile $\mathbf{X}\sim p_{\mathbf{X}}$ and generates two independent key pairs $(s_1,{ϵ}_1,{\delta }_1)$ and $(s_2,{ϵ}_2,{\delta }_2)$, then computes:

$${\widehat{\mathbf{X}}}^{\left(1\right)}={\mathcal{M}}^{({ϵ}_1,{\delta }_1)}\left({\mathbf{R}}_{s_1}\mathbf{X}\right),{\widehat{\mathbf{X}}}^{\left(2\right)}={\mathcal{M}}^{({ϵ}_2,{\delta }_2)}\left({\mathbf{R}}_{s_2}\mathbf{X}\right).$$

3. 

Adversary’s turn. $\mathcal{A}$ receives $({\widehat{\mathbf{X}}}^{\left(1\right)},{\widehat{\mathbf{X}}}^{\left(2\right)})$ and must distinguish whether both templates come from the same source (with different keys) or from different sources.

The renewability advantage is ${\mathrm{Adv}}^{\mathsf{REN}}\left(\mathcal{A}\right)=|Pr\left[\mathcal{A}\mathrm{guesses}\mathrm{correctly}\right]-1/2|$. The system hasrenewable templates if ${\mathrm{Adv}}^{\mathsf{REN}}\left(\mathcal{A}\right)\le \mathsf{negl}\left(\lambda \right)$ for all PPT adversaries $\mathcal{A}$.

Definition 6

(Unlinkability Security Game ${\mathsf{Game}}^{\mathsf{UNL}}$).

1. 

Setup. $\mathsf{Ch}$ fixes RUIP-BA parameters.

2. 

Challenge generation. $\mathsf{Ch}$ samples a bit $b\in \{0,1\}$. If $b=0$: select same source ${\mathbf{X}}_a={\mathbf{X}}_b=\mathbf{X}$; if $b=1$: select different sources ${\mathbf{X}}_a\ne {\mathbf{X}}_b$. In both cases, use distinct key pairs $(s_1,{ϵ}_1,{\delta }_1)$ and $(s_2,{ϵ}_2,{\delta }_2)$ and compute:

$${\widehat{\mathbf{X}}}_1={\mathcal{M}}^{({ϵ}_1,{\delta }_1)}\left({\mathbf{R}}_{s_1}{\mathbf{X}}_a\right),{\widehat{\mathbf{X}}}_2={\mathcal{M}}^{({ϵ}_2,{\delta }_2)}\left({\mathbf{R}}_{s_2}{\mathbf{X}}_b\right).$$

3. 

Adversary’s turn. $\mathcal{A}$ receives $({\widehat{\mathbf{X}}}_1,{\widehat{\mathbf{X}}}_2)$ and must output a guess $b^{\prime }\in \{0,1\}$.

The unlinkability advantage is ${\mathrm{Adv}}^{\mathsf{UNL}}\left(\mathcal{A}\right)=|Pr[b^{\prime }=b]-1/2|$. Templates areunlinkable if ${\mathrm{Adv}}^{\mathsf{UNL}}\left(\mathcal{A}\right)\le \mathsf{negl}\left(\lambda \right)+\xi$ where $\xi =O\left(e^{-k/d}\right)$.

Definition 7

(Irreversibility Security Game ${\mathsf{Game}}^{\mathsf{IRR}}$).  

1. 

Setup. $\mathsf{Ch}$ fixes RUIP-BA parameters.

2. 

Challenge. $\mathsf{Ch}$ samples $\mathbf{X}\sim p_{\mathbf{X}}$, generates key $(s,ϵ,\delta )$, and computes $\widehat{\mathbf{X}}={\mathcal{M}}^{(ϵ,\delta )}\left({\mathbf{R}}_s\mathbf{X}\right)$. Sends $\widehat{\mathbf{X}}$ to $\mathcal{A}$.

3. 

Reconstruction. $\mathcal{A}$ outputs a reconstructed profile $\overline{\mathbf{X}}=g\left(\widehat{\mathbf{X}}\right)$.

4. 

Scoring.Feature recoverability $\rho (\overline{\mathbf{X}},\mathbf{X})={\displaystyle \frac{1}{d}}{\sum }_{j=1}^d\mathbf{1}\left[\mathrm{KS}-\mathrm{test}({\overline{X}}_j,X_j)\mathrm{passes}\right]$.

5. 

The system provides${\rho }_0$-irreversibilityif for all PPT $\mathcal{A}$: $\mathbb{E}\left[\rho (\overline{\mathbf{X}},\mathbf{X})\right]\le {\rho }_0<1$.

4.3.2. Formal Assumptions and Mathematical Derivations

We now provide formal statements that characterize the privacy guarantees of RUIP-BA. Let neighboring profiles differ in one behavioral sample, and let $\mathcal{M}$ satisfy $(ϵ,\delta )$-DP.

Axiom 1

(Seeded diversity and bounded sensitivity). Each user template is generated with a user-specific secret seed defining ${\mathbf{R}}_i$, and the per-sample sensitivity after projection is bounded by ${\Delta }_{\mathrm{RP}}=\sqrt{k/\varphi }·{\Delta }_x$ (Lemma 1). Consequently, the DP noise scale is calibrated as $b={\Delta }_{\mathrm{RP}}/ϵ$ (Laplace) or $\sigma ={\Delta }_{\mathrm{RP}}\sqrt{2ln(1.25/\delta )}/ϵ$ (Gaussian), per Lemma 2.

Lemma 3

(Renewability under key and privacy refresh). For a fixed profile $\mathbf{X}$, two renewed templates

$${\widehat{\mathbf{X}}}^{\left(1\right)}=\mathcal{M}\left({\mathbf{R}}^{\left(1\right)}\mathbf{X}\right),{\widehat{\mathbf{X}}}^{\left(2\right)}=\mathcal{M}\left({\mathbf{R}}^{\left(2\right)}\mathbf{X}\right),$$

with independent seeds and independently sampled DP noise satisfy

$$Pr\left[{\widehat{\mathbf{X}}}^{\left(1\right)}={\widehat{\mathbf{X}}}^{\left(2\right)}\right]\approx 0,$$

and therefore old compromised templates can be revoked and replaced without re-collecting raw behavior.

Proof. 

Independence of seeds implies ${\mathbf{R}}^{\left(1\right)}\ne {\mathbf{R}}^{\left(2\right)}$ almost surely. Since $\mathcal{M}$ is randomized, the additive perturbations are also independent. Exact equality of two real-valued randomized templates has probability zero under continuous noise distributions. Hence compromise of one template does not prevent issuance of a fresh unlinkable replacement.    □

Theorem 2

(Unlinkability bound). Let A be a linkage adversary distinguishing same-source renewed templates from different-source templates. Define

$${\mathrm{Adv}}_{link}\left(A\right)=\left|Pr[A({\widehat{\mathbf{X}}}_a,{\widehat{\mathbf{X}}}_b)=1\mid \mathrm{same}\mathrm{source}]-Pr[A({\widehat{\mathbf{X}}}_a,{\widehat{\mathbf{X}}}_b)=1\mid \mathrm{different}\mathrm{source}]\right|.$$

Under Axiom 1 and independent renewal keys, there exists a small ξ such that

$${\mathrm{Adv}}_{link}\left(A\right)\le \xi +O\left(\delta \right),$$

where ξ decreases as projection randomness and DP noise increase.

Proof. 

RP with independently sampled matrices destroys deterministic cross-instance geometric signatures for the same source. DP further contracts distinguishability between neighboring outputs by at most $(ϵ,\delta )$ multiplicative/additive factors. Therefore, any test statistic (including JS-divergence-based matching) has bounded discrimination gain, yielding the stated advantage upper bound.    □

Theorem 3

(Irreversibility and reconstruction error floor). For compromised template $\widehat{\mathbf{X}}=\mathcal{M}\left(\mathbf{R}\mathbf{X}\right)$, any estimator $\tilde{\mathbf{X}}=g\left(\widehat{\mathbf{X}}\right)$ satisfies

$$\mathbb{E}\left[\parallel \mathbf{X}-\tilde{\mathbf{X}}{\parallel }_2^2\right]\ge \underset{\mathrm{RP}\mathrm{information}\mathrm{loss}}{\underbrace{\mathbb{E}\left[\parallel \mathbf{X}-{\mathbf{R}}^{†}{\mathbf{R}\mathbf{X}\parallel }_2^2\right]}}+\underset{\mathrm{DP}\mathrm{noise}\mathrm{floor}}{\underbrace{\Omega \left({\sigma }^2\right)}},$$

where ${\mathbf{R}}^{†}$ is the Moore-Penrose pseudo-inverse.

Proof. 

The RP term is the unavoidable projection residual from mapping d to $k<d$ dimensions. Even if $\mathbf{R}$ is known, inversion cannot recover null-space components. DP adds independent stochastic perturbation whose variance lower-bounds estimator risk. Summing both independent error sources yields a non-zero irreversibility floor.    □

Theorem 4

(GAN attack privacy bound). Let ${\mathcal{M}}_{\mathcal{P}}(·)$ be the strongest GAN attacker trained with auxiliary data under either known or unknown $(\mathbf{R},ϵ,\delta )$. If RUIP-BA satisfies Theorem 3, then the recoverable-feature ratio ρ (fraction of features passing statistical similarity) obeys

$$\rho \le {\rho }_{max}(ϵ,\delta ,k,d,{\mathcal{D}}_{aux}),$$

with ${\rho }_{max}$ strictly below 1, and empirically low for the tested datasets.

Proof. 

GAN training approximates the Bayesian reconstruction map from protected space to plain space. However, the irrecoverable null-space information and DP-induced uncertainty constrain reconstruction fidelity. Therefore, only a bounded subset of features can be statistically aligned with ground truth, implying $\rho <1$ and yielding the stated attack bound.    □

4.3.3. Renewability Analysis - Extended Formal Proof

To ensure the renewability property, each user should be able to revoke an old noisy projected profile and replace it with a new one. In our proposed privacy-preserving BA system, a user u can achieve this by changing the secret ${\mathbf{R}}_i$ to ${\mathbf{R}}_j$ along with altering the DP parameters, which will generate a new noisy projected profile ${\widehat{\mathbf{X}}}_j=\mathtt{M}\left({\mathbf{R}}_j\mathbf{X}\right)$ from $\mathbf{X}$. The user will then revoke the old noisy projected profile ${\widehat{\mathbf{X}}}_i$, generated by ${\widehat{\mathbf{X}}}_i=\mathtt{M}\left({\mathbf{R}}_i\mathbf{X}\right)$, by updating the trained BA classifier $\mathcal{C}(·)$ with ${\widehat{\mathbf{X}}}_j$. For u, the new verification request will be $(u,{\widehat{\mathbf{Y}}}_j)$. This update process is the same for all registered users of the system. For the updated $\mathcal{C}(·)$, the performance of the BA system should be largely preserved, which is confirmed in Section 6.2.1 by the experimental results. Moreover, adding DP noise to the data before training $\mathcal{C}(·)$ will help to mitigate the impact of poisoning attacks [44].

Theorem 5

(Renewability - Formal Bhattacharyya Bound). Under Axiom 1 and the Gaussian mechanism with σ calibrated per Lemma 2, the advantage in ${\mathsf{Game}}^{\mathsf{REN}}$ (Definition 5) satisfies:

$${\mathrm{Adv}}^{\mathsf{REN}}\left(\mathcal{A}\right)\le \sqrt{1-exp\left(-{\displaystyle \frac{k\parallel {\mu }_{\mathbf{X}}{\parallel }_2^2}{2\varphi {\sigma }^2}}\right)}+O\left(\delta \right),$$

where ${\mu }_{\mathbf{X}}=\mathbb{E}\left[\mathbf{X}\right]$ is the mean behavioral profile. For voice data ($k=94$, $\varphi =3$, $\sigma \approx 3.81$): ${\mathrm{Adv}}^{\mathsf{REN}}\le 0.011$, confirming near-negligible linkage between renewed templates.

(RP decorrelation via independence)..Proof. Step 1 Let ${\mathbf{R}}^{\left(1\right)},{\mathbf{R}}^{\left(2\right)}$ be generated from independent seeds. For any $\mathbf{x}\in {\mathbb{R}}^d$, define ${\mathbf{u}}^{\left(j\right)}={\mathbf{R}}^{\left(j\right)}\mathbf{x}$, $j\in \{1,2\}$. By independence:

$$\mathbb{E}\left[{\mathbf{u}}^{\left(1\right)}·{\mathbf{u}}^{\left(2\right)}\right]=\mathbb{E}\left[{\mathbf{R}}^{\left(1\right)}\right]\mathbf{x}·{\left(\mathbb{E}\left[{\mathbf{R}}^{\left(2\right)}\right]\mathbf{x}\right)}^T=\mathbf{0},$$

since $\mathbb{E}\left[R_{ij}\right]=0$. Moreover, $\mathbb{E}[\parallel {\mathbf{u}}^{\left(1\right)}-{\mathbf{u}}^{\left(2\right)}{\parallel }_2^2{]=2k\parallel \mathbf{x}\parallel }_2^2/\varphi$ by variance linearity.

Step 2 (Bhattacharyya coefficient). The post-DP templates follow ${\widehat{\mathbf{X}}}^{\left(j\right)}\sim \mathcal{N}({\mathbf{u}}^{\left(j\right)},{\sigma }^2{\mathbf{I}}_k)$. The Bhattacharyya coefficient between the two distributions is:

$$BC=exp\left(-{\displaystyle \frac{\parallel {\mathbf{u}}^{\left(1\right)}-{\mathbf{u}}^{\left(2\right)}{\parallel }_2^2}{8{\sigma }^2}}\right).$$

Step 3 (Total variation bound). Total variation satisfies $\mathsf{TV}(p,q)\le \sqrt{1-B{C}^2}$. Using the expected squared distance from Step 1:

$${\mathbb{E}}_{{\mathbf{u}}^{\left(1\right)},{\mathbf{u}}^{\left(2\right)}}\left[BC\right]\ge exp\left(-{\displaystyle \frac{k\parallel {\mu }_{\mathbf{X}}{\parallel }_2^2}{4\varphi {\sigma }^2}}\right).$$

Step 4 (Advantage bound). The adversary in ${\mathsf{Game}}^{\mathsf{REN}}$ is limited by the total variation distance: ${\mathrm{Adv}}^{\mathsf{REN}}\le \mathsf{TV}({\widehat{\mathbf{X}}}^{\left(1\right)},{\widehat{\mathbf{X}}}^{\left(2\right)})\le \sqrt{1-exp(-k\parallel {\mu }_{\mathbf{X}}{\parallel }_2^2/\left(2\varphi {\sigma }^2\right))}$. The DP mechanism further limits any per-sample distinguishability by an additive $O\left(\delta \right)$ term (Definition 2).

Numerical verification. For voice: $\parallel {\mu }_{\mathbf{X}}{\parallel }_2\approx 0.5$ (features in $[0,1]$, $d=104$), $k=94$, $\varphi =3$, $\sigma =3.81$:

$${\mathrm{Adv}}^{\mathsf{REN}}\le \sqrt{1-e^{-94\times 0.25/(2\times 3\times 14.52)}}\approx \sqrt{1-e^{-0.271}}\approx 0.011.$$

   □

4.3.4. Unlinkability Analysis - Full Jensen-Shannon Divergence Derivation

A privacy-preserving BA system must ensure that correlating compromised noisy transformed profiles is infeasible. For instance, if an adversary obtains two noisy projected profiles, ${\widehat{\mathbf{X}}}_i$ and ${\widehat{\mathbf{X}}}_j$, of user u, it should be computationally difficult to verify if they originate from the same source. The unlinkability property can prevent cross-matching attacks [8] and reduces the risk of tracing an individual enrolled in multiple systems using the same behavioral profile.

Theorem 6

(Unlinkability - Full JS Divergence Derivation). Let ${\widehat{\mathbf{X}}}_a={\mathcal{M}}^{\left({ϵ}_1\right)}\left({\mathbf{R}}^{\left(1\right)}{\mathbf{X}}_a\right)$ and ${\widehat{\mathbf{X}}}_b={\mathcal{M}}^{\left({ϵ}_2\right)}\left({\mathbf{R}}^{\left(2\right)}{\mathbf{X}}_b\right)$ under the Gaussian mechanism with common variance ${\sigma }^2$. Define:

• Case 1(invalid claims, different source): ${\mathbf{X}}_a\ne {\mathbf{X}}_b$, different keys.
• Case 2(same source, different keys): ${\mathbf{X}}_a={\mathbf{X}}_b=\mathbf{X}$, ${\mathbf{R}}^{\left(1\right)}\ne {\mathbf{R}}^{\left(2\right)}$.
• Case 3(valid claims, same source, same key): ${\mathbf{X}}_a={\mathbf{X}}_b=\mathbf{X}$, ${\mathbf{R}}^{\left(1\right)}={\mathbf{R}}^{\left(2\right)}$.

Then $D_{JS}\left({\widehat{\mathbf{X}}}_{\mathrm{Case}1}\right)\approx D_{JS}\left({\widehat{\mathbf{X}}}_{\mathrm{Case}2}\right)\gg D_{JS}\left({\widehat{\mathbf{X}}}_{\mathrm{Case}3}\right)$, with the first two agreeing to within $O({\sigma }^{-2}\parallel {\mu }_{{\mathbf{X}}_a}-{\mu }_{{\mathbf{X}}_b}{\parallel }_2^2)$.

Proof. 

Step 1(KL divergence for Gaussians with equal covariance). Under Gaussian mechanism, $\widehat{\mathbf{x}}\sim \mathcal{N}(\mathbf{R}{\mu }_{\mathbf{X}},\mathbf{R}{\Sigma }_{\mathbf{X}}{\mathbf{R}}^T+{\sigma }^2{\mathbf{I}}_k)$. When ${\sigma }^2\gg \parallel \mathbf{R}{\Sigma }_{\mathbf{X}}{\mathbf{R}}^T\parallel$, the covariance simplifies to $\approx {\sigma }^2{\mathbf{I}}_k$. For distributions $p_a\sim \mathcal{N}({\mu }_a,{\sigma }^2{\mathbf{I}}_k)$ and $p_b\sim \mathcal{N}({\mu }_b,{\sigma }^2{\mathbf{I}}_k)$:

$$D_{KL}(p_a\parallel p_b)={\displaystyle \frac{\parallel {\mu }_a-{\mu }_b{\parallel }_2^2}{2{\sigma }^2}}.$$

Step 2 (Mixture distribution for JS divergence). Let $p_m={\displaystyle \frac{1}{2}}(p_a+p_b)\sim \mathcal{N}\left({\displaystyle \frac{{\mu }_a+{\mu }_b}{2}},{\sigma }^2{\mathbf{I}}_k+{\displaystyle \frac{({\mu }_a-{\mu }_b){({\mu }_a-{\mu }_b)}^T}{4}}\right)$.

$$D_{JS}(p_a\parallel p_b)={\displaystyle \frac{1}{2}}\left[D_{KL}(p_a\parallel p_m)+D_{KL}(p_b\parallel p_m)\right]\approx {\displaystyle \frac{\parallel {\mu }_a-{\mu }_b{\parallel }_2^2}{4{\sigma }^2+{\parallel {\mu }_a-{\mu }_b\parallel }_2^2}}.$$

Step 3 (Case-by-case analysis).

• Case 1: ${\mu }_a={\mathbf{R}}^{\left(1\right)}{\mu }_{{\mathbf{X}}_a}$, ${\mu }_b={\mathbf{R}}^{\left(2\right)}{\mu }_{{\mathbf{X}}_b}$, ${\mathbf{X}}_a\ne {\mathbf{X}}_b$. By JL (Theorem 1): $\parallel {\mu }_a-{\mu }_b{\parallel }_2^2\approx (1\pm {ϵ}_{jl})\parallel {\mu }_{{\mathbf{X}}_a}-{\mu }_{{\mathbf{X}}_b}{\parallel }_2^2·{\parallel \mathbf{R}\parallel }_F^2/d$.
• Case 2: ${\mu }_a={\mathbf{R}}^{\left(1\right)}{\mu }_{\mathbf{X}}$, ${\mu }_b={\mathbf{R}}^{\left(2\right)}{\mu }_{\mathbf{X}}$, same $\mathbf{X}$. By RP randomness: $\parallel {\mu }_a-{\mu }_b{\parallel }_2^2=\parallel ({\mathbf{R}}^{\left(1\right)}-{\mathbf{R}}^{\left(2\right)}){\mu }_{\mathbf{X}}{\parallel }_2^2\approx 2k{\parallel {\mu }_{\mathbf{X}}\parallel }_2^2/\varphi$ (cf. Step 1 of Theorem 5).
• Case 3: ${\mathbf{R}}^{\left(1\right)}={\mathbf{R}}^{\left(2\right)}$, same $\mathbf{X}$. Then ${\mu }_a={\mu }_b$ and $D_{JS}=0$.

Step 4 (Unlinkability condition). Cases 1 and 2 have equal JS divergence when $\parallel {\mu }_{{\mathbf{X}}_a}-{\mu }_{{\mathbf{X}}_b}{\parallel }_2\approx \sqrt{2}{\parallel {\mu }_{\mathbf{X}}\parallel }_2$, i.e., when the inter-profile distance approximates the intra-profile re-projection spread. This occurs when DP noise dominates (${\sigma }^2\gg {\parallel {\mu }_{\mathbf{X}}\parallel }_2^2/k$), making same-source different-key templates statistically equivalent to different-source templates.

Step 5 (Adversarial advantage bound). The adversary in ${\mathsf{Game}}^{\mathsf{UNL}}$ must distinguish Case 2 from Case 1 via any function $f({\widehat{\mathbf{X}}}_1,{\widehat{\mathbf{X}}}_2)$. The maximum advantage using optimal hypothesis testing (Neyman-Pearson) is bounded by:

$${\mathrm{Adv}}^{\mathsf{UNL}}\left(\mathcal{A}\right)\le \sqrt{D_{JS}(p_{\mathrm{Case}1}\parallel p_{\mathrm{Case}2})}=O\left({\displaystyle \frac{\parallel {\mu }_{\mathbf{X}}{\parallel }_2}{\sqrt{{\sigma }^2+{\parallel {\mu }_{\mathbf{X}}\parallel }_2^2/k}}}\right).$$

This decreases as $\sigma$ increases (stronger DP) or k decreases (stronger RP), confirming the unlinkability/utility trade-off.    □

4.3.5. Unlinkability Analysis - Experimental Validation

In two noisy projected profiles of $\mathbf{X}$, two distinct $\mathbf{R}$ matrices are required in RP, and then DP added random noise, produces two completely different noisy projected profiles, ${\widehat{\mathbf{X}}}_i$ and ${\widehat{\mathbf{X}}}_j$, respectively. These noisy projected profiles can also be generated from two distinct profiles, ${\mathbf{X}}_i$ and ${\mathbf{X}}_j$, originating from different sources, using the same method. In this case, the unlinkability property is ensured if the JS divergence between noisy protected profiles originating from the same source, but projected using two different $\mathbf{R}$ matrices and with different noise added, is close to the JS divergences of invalid claims (i.e., the JS divergence between noisy projected profiles come from different sources). Additionally, it must remain significantly distant from the JS divergence of valid claims (i.e., the JS divergence between noisy projected profiles come from the same source). In Section 4.3.5, we validate the unlinkability property in our proposed privacy-preserving BA system.

4.3.6. Irreversibility Analysis - Cramér-Rao Lower Bound

To extract the behavioral pattern noisy project profiles, let us consider a scenario where $\widehat{\mathbf{X}}$ is known but the plain profile $\mathbf{X}$ is unknown. In a system $\widehat{\mathbf{X}}=\mathtt{M}\left(\mathbf{R}\mathbf{X}\right)$, two main factors ensure the irreversibility property: the irreversibility of $\mathcal{M}$, and the irreversibility of the RP transformation.

Theorem 7

(Irreversibility - Information-Theoretic Lower Bound). Let $\widehat{\mathbf{X}}=\mathcal{M}\left(\mathbf{R}\mathbf{X}\right)$ where $\mathbf{R}\in {\mathbb{R}}^{k\times d}$ with $k<d$, and $\mathcal{M}$ adds Gaussian noise $\eta \sim \mathcal{N}(0,{\sigma }^2{\mathbf{I}}_k)$. Assume $\mathbf{X}\sim \mathcal{N}({\mu }_{\mathbf{X}},{\Sigma }_{\mathbf{X}})$ as a Bayesian prior. For any estimator $\overline{\mathbf{X}}=g\left(\widehat{\mathbf{X}}\right)$ of $\mathbf{X}$, the Bayesian Minimum Mean Squared Error (MMSE) satisfies:

$$\mathrm{MMSE}\left(\mathbf{X}\right|\widehat{\mathbf{X}})=\mathrm{tr}\left({\Sigma }_{\mathbf{X}}\right)-\mathrm{tr}\left({\Sigma }_{\mathbf{X}}{\mathbf{R}}^T{(\mathbf{R}{\Sigma }_{\mathbf{X}}{\mathbf{R}}^T+{\sigma }^2{\mathbf{I}}_k)}^{-1}\mathbf{R}{\Sigma }_{\mathbf{X}}\right)\ge (d-k){\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right),$$

where the right-hand side is strictly positive when $k<d$, establishing an irreducible reconstruction error floor independent of σ.

Proof. Step 1 (Fisher information matrix). The observation model is $\widehat{\mathbf{x}}=\mathbf{R}\mathbf{x}+\eta$, $\eta \sim \mathcal{N}(0,{\sigma }^2{\mathbf{I}}_k)$. The Fisher information matrix for $\mathbf{x}$ from $\widehat{\mathbf{x}}$ is:

$$\mathcal{I}(\mathbf{x};\widehat{\mathbf{x}})={\mathbf{R}}^T{\left({\sigma }^2{\mathbf{I}}_k\right)}^{-1}\mathbf{R}={\displaystyle \frac{1}{{\sigma }^2}}{\mathbf{R}}^T\mathbf{R}\in {\mathbb{R}}^{d\times d}.$$

Step 2 (Rank deficiency). Since $\mathbf{R}\in {\mathbb{R}}^{k\times d}$ with $k<d$, the matrix ${\mathbf{R}}^T\mathbf{R}$ has rank at most k. Therefore, the null space of $\mathbf{R}$ has dimension $\ge d-k>0$. For any $\mathbf{v}\in ker\left(\mathbf{R}\right)$:

$${\mathbf{v}}^T\mathcal{I}(\mathbf{x};\widehat{\mathbf{x}})\mathbf{v}={\displaystyle \frac{1}{{\sigma }^2}}{\parallel \mathbf{R}\mathbf{v}\parallel }_2^2=0.$$

Hence $d-k$ directions of $\mathbf{x}$ carry zero Fisher information in $\widehat{\mathbf{x}}$: they are fundamentally unidentifiable.

Step 3 (Cramér-Rao bound on null space). For any direction $\mathbf{v}\in ker\left(\mathbf{R}\right)$ and any unbiased estimator $\overline{v}={\mathbf{v}}^T\overline{\mathbf{X}}$:

$$\mathrm{Var}\left[\overline{v}\right]\ge {\left[{\mathbf{v}}^T\mathcal{I}\mathbf{v}\right]}^{-1}=\infty .$$

This means null-space components admit infinite variance under any unbiased estimation, i.e., they are inherently irreversible.

Step 4 (Bayesian MMSE via Wiener filter). Treating $\mathbf{X}\sim \mathcal{N}({\mu }_{\mathbf{X}},{\Sigma }_{\mathbf{X}})$ and using the Wiener filter (optimal linear estimator):

$${\overline{\mathbf{X}}}_{\mathrm{LMMSE}}={\mu }_{\mathbf{X}}+{\Sigma }_{\mathbf{X}}{\mathbf{R}}^T{(\mathbf{R}{\Sigma }_{\mathbf{X}}{\mathbf{R}}^T+{\sigma }^2{\mathbf{I}}_k)}^{-1}(\widehat{\mathbf{X}}-\mathbf{R}{\mu }_{\mathbf{X}}).$$

The MMSE equals:

$$\mathrm{MMSE}=\mathrm{tr}\left({\Sigma }_{\mathbf{X}}\right)-\mathrm{tr}\left({\Sigma }_{\mathbf{X}}{\mathbf{R}}^T{(\mathbf{R}{\Sigma }_{\mathbf{X}}{\mathbf{R}}^T+{\sigma }^2{\mathbf{I}}_k)}^{-1}\mathbf{R}{\Sigma }_{\mathbf{X}}\right).$$

Step 5 (Lower bound via eigendecomposition). Let ${\Sigma }_{\mathbf{X}}={\sum }_{i=1}^d{\lambda }_i{\mathbf{q}}_i{\mathbf{q}}_i^T$ be the eigendecomposition. For the $(d-k)$ eigenvectors ${\mathbf{q}}_i\in ker\left(\mathbf{R}\right)$, the second term contributes zero, so:

$$\mathrm{MMSE}\ge \sum _{i\in ker\left(\mathbf{R}\right)}{\lambda }_i\ge (d-k){\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right)>0.$$

Step 6 (DP augmentation). Adding DP noise (${\sigma }^2>0$) increases the denominator $\mathbf{R}{\Sigma }_{\mathbf{X}}{\mathbf{R}}^T+{\sigma }^2{\mathbf{I}}_k$, reducing the subtracted term and thus increasing the MMSE:

$$\mathrm{MMSE}({\sigma }^2>0)\ge \mathrm{MMSE}({\sigma }^2=0)\ge (d-k){\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right).$$

Numerical verification. Voice data ($d=104$, $k=94$ (Table 2), ${\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right)\approx 0.001$): $\mathrm{MMSE}\ge (104-94)\times 0.001=0.010$, corresponding to $\ge 1.0\%$ reconstruction error. The DP noise ($\sigma =3.81$) adds further to this floor, consistent with observed $1.57$-$5.20\%$ recovery rates.    □

The irreversibility of $\mathcal{M}$ in DP is a fundamental aspect of its design, achieved through randomized noise addition and the inherent unpredictability of DP mechanisms. The theoretical guarantees of DP ensure that the original data cannot be reconstructed with a confidence greater than $1-\delta$, thereby preserving privacy. However, no system is entirely immune to practical attacks that can exploit auxiliary data or weak parameters. In this case, our system has a second level of defense. If an attacker is able to recover ${\mathbf{X}}^{\prime }$ from $\widehat{\mathbf{X}}$, the system of linear equations defined by ${\mathbf{X}}^{\prime }=\mathbf{R}\mathbf{X}$ has $d-k$ degrees of freedom for the unknown $\mathbf{X}$. Among all solutions, $\overline{\mathbf{X}}={\mathbf{R}}^T{\left(\mathbf{R}{\mathbf{R}}^T\right)}^{-1}{\mathbf{X}}^{\prime }$, known as the minimum-norm solution, minimizes the Euclidean norm $|\overline{\mathbf{X}}|=\sqrt{{\sum }_{t=1}^d{{\overline{x}}_t}^2}$, where ${\overline{x}}_t$ represents the elements of $\overline{\mathbf{X}}$[45], allowing the recovery of an approximate profile $\overline{\mathbf{X}}$ with m vectors. However, in [23], the authors show that for behavioral data, RP is an effective privacy-preserving transformation against the minimum-norm solution for both known and unknown $\mathbf{R}$.

5. GAN-based Privacy Attack Analysis

With the rise of ML-based attacks, especially Generative Adversarial Network (GAN)-based attacks, privacy-preserving systems face significant challenges in ensuring data privacy. In this section, we evaluate the resilience of our proposed BA system against such privacy attacks. These attacks can uncover complex relationships between projected (noisy) profiles and the original profiles, posing a serious threat to privacy-preserving mechanisms. In our scenario, we make realistic assumptions regarding the attackers’ prior knowledge and computational capabilities.

5.1. Formal GAN Attack Security Game

Definition 8

(GAN Attack Security Game ${\mathsf{Game}}^{\mathsf{GAN}}$).

1. 

Setup. A challenger $\mathsf{Ch}$ fixes RUIP-BA system parameters $(k,d,ϵ,\delta )$ and behavioral profile distribution $p_{\mathbf{X}}$.

2. 

Auxiliary data.Adversary $\mathcal{A}$ obtains auxiliary plain profiles ${\left\{{\mathbf{X}}_j^{aux}\right\}}_{j=1}^{n_{aux}}$ and their noisy projected counterparts $\left\{{\widehat{\mathbf{X}}}_j^{aux}\right\}$ using either known or estimated parameters.

3. 

Attack training. $\mathcal{A}$ trains a GAN generator $\mathcal{G}$ and discriminator $\mathcal{D}$ by minimizing the adversarial objective:

$$\underset{\mathcal{G}}{min}\underset{\mathcal{D}}{max}\mathcal{L}(G,D)={\mathbb{E}}_{\mathbf{x}\sim p_{\mathbf{X}}}[log\mathcal{D}\left(\mathbf{x}\right)]+{\mathbb{E}}_{\widehat{\mathbf{x}}}[log(1-\mathcal{D}\left(\mathcal{G}\left(\widehat{\mathbf{x}}\right)\right))].$$

4. 

Challenge phase. $\mathsf{Ch}$ provides target ${\widehat{\mathbf{X}}}^{*}$. $\mathcal{A}$ outputs ${\overline{\mathbf{X}}}^{*}=\mathcal{G}\left({\widehat{\mathbf{X}}}^{*}\right)$.

5. 

Scoring. $\rho ({\overline{\mathbf{X}}}^{*},{\mathbf{X}}^{*})={\displaystyle \frac{1}{d}}{\sum }_{j=1}^d\mathbf{1}\left[\mathrm{KS}-\mathrm{test}({\overline{X}}_j^{*},X_j^{*})\mathrm{passes}\right]$.

5.2. Attacker Knowledge and Capabilities

• The attacker has knowledge about the operation of the verification algorithm $\mathrm{Ver}(·,·)$. The attacker is also aware of the architecture and input-output dimensions of the trained classifier $\mathcal{C}(·)$.
• The attacker has access to the noisy projected profiles of the target BA system. The attacker can obtain the noisy projected profiles from the untrusted verifier or by using model inversion or other attack methods.
• The attacker has access to the profile generator, which is publicly available software, used by the BA system to collect users’ behavioral data. The attacker will use it to gather auxiliary profiles.
• The attacker is aware of the distribution and dimensions of $\mathbf{R}$, since this information is public. However, in the worst case, if the seed is compromised, the attacker can also derive the secret $\mathbf{R}$.
• The attacker is also aware of the type of DP noise applied to the noisy projected profiles, as in most cases this is public information. In the worst-case scenario, the attacker can also obtain the values of the DP parameters.

5.3. Train an Attack Model

The goal of this privacy attack is to reconstruct the plain profiles from the noisy projected profiles and extract the behavioral pattern. For this purpose, the attackers will trains a GAN-based attack model ${\mathcal{M}}_{\mathcal{P}}(·)$. The details of each step in the ${\mathcal{M}}_{\mathcal{P}}(·)$ training process are outlined below.

• Collect auxiliary data. The attacker will use the profile generator of the target BA system to collect the required auxiliary profiles using a third-party outsourcing platform. There is no limitation on the number of auxiliary profiles, though more auxiliary profiles will lead to a more generalized attack model.
• RP and DP on auxiliary data. The attacker applies RP to each auxiliary profile to produce a projected version. The random matrix $\mathbf{R}$ for RP is generated either using a compromised seed or by leveraging knowledge of the distribution of $\mathbf{R}$. The attacker will then generate DP noise, either by obtaining or gaussing the DP parameters, and add this noise to the projected profiles. To increase the number of projected auxiliary profiles and improve the generalization of ${\mathcal{M}}_{\mathcal{P}}(·)$, the attacker can apply multiple instances of $\mathbf{R}$ and different instances of DP noise to each auxiliary profile.
• Train the attack model ${\mathcal{M}}_{\mathcal{P}}(·)$. To train ${\mathcal{M}}_{\mathcal{P}}(·)$, the attacker will use noisy projected versions of auxiliary profiles as training data and original auxiliary profiles as the ground truth. Figure 2 illustrates the training process of GAN-based ${\mathcal{M}}_{\mathcal{P}}(·)$. Let $\mathbf{x}\in \mathbf{X}$ denote an original auxiliary data vector, and $\widehat{\mathbf{x}}\in \widehat{\mathbf{X}}$ represent its projected noisy version obtained through RP and DP. During training, the generator $\mathcal{G}$ takes the projected vector $\widehat{\mathbf{x}}$ as input and produces a reconstructed feature vector $\overline{\mathbf{x}}=\mathcal{G}\left(\widehat{\mathbf{x}}\right)$ that aims to approximate the original data $\mathbf{x}$. The discriminator $\mathcal{D}$ receives either a real auxiliary sample $\mathbf{x}$ or a reconstructed sample $\overline{\mathbf{x}}$, and attempts to distinguish between real and generated data. Through adversarial training over the auxiliary datasets, the generator progressively improves its ability to reconstruct original feature vectors from their projected noisy counterparts, thereby learning an effective inverse mapping from the projected space to the original feature space.

The trained ${\mathcal{M}}_{\mathcal{P}}(·)$ will then be used to reconstruct a plain profile from the compromised noisy projected profile and extract the user’s behavioral pattern. The closer the features of the recovered profile are to the ground truth profile, the higher the likelihood of success for the attacker in recovering the behavioral pattern.

5.4. Privacy Evaluation

We will evaluate the privacy of our proposed system by analyzing the statistical similarity between the features of recovered profiles and their original counterparts.

Definition 9.(ϵ-Distribution-Privacy:) Suppose ${\mathcal{M}}_{\mathcal{P}}(·)$ is applied to a noisy projected profile $\widehat{\mathbf{X}}$ to recover its plain profile. A privacy-preserving BA system is said to offer ϵ-distribution-privacy against a privacy attacker if the best ML-based approach produces a profile $\overline{\mathbf{X}}$ where no more than ϵ percent of the features pass the statistical similarity tests with the corresponding features of the original profile $\mathbf{X}$.

For this privacy attack, we consider two scenarios: (i) the adversary is aware of the distribution of $\mathbf{R}$ and the type of noise added by DP, and (ii) the adversary has access to the secret $\mathbf{R}$ and the DP parameters. The second scenario represents the most critical case, where one or more users have been compromised, exposing their $\mathbf{R}$ and DP parameters. If the adversary knows $\mathbf{R}$ and the DP parameters, they can use them to project the auxiliary profiles and add noise to create noisy projected profiles, which are then used to train ${\mathcal{M}}_{\mathcal{P}}(·)$. On the other hand, if $\mathbf{R}$ and the DP parameters are unknown, the attacker will generate a random matrix and generate noise based on their guesses of the DP parameters. The aim of the proposed privacy-preserving BA system for both scenarios is to limit the privacy attacker’s ability to recover more than an $ϵ$-percentage of the features on average from each profile.

Since RP is an inherently lossy process, causing some information about the original profile to be lost during the initial projection, and DP provides theoretical privacy guarantees with high confidence, the attackers will not perfectly reconstruct the original profile from the noisy projected profiles in either scenario. We validated this statement through the experiments presented in Section 6.3, where we used GAN as a attack model.

5.5. GAN Attack - Formal Privacy Proof

Theorem 8

(GAN Nash-Equilibrium Privacy Bound). At the Nash equilibrium of ${\mathsf{Game}}^{\mathsf{GAN}}$ (Definition 8), the optimal generator ${\mathcal{G}}^{*}$ satisfies:

$${\mathcal{G}}^{*}=arg\underset{\mathcal{G}}{min}{D}_{JS}(p_{\mathbf{X}}\parallel p_{\mathcal{G}\left(\widehat{\mathbf{X}}\right)}),$$

and the expected feature recoverability fraction obeys:

$$\mathbb{E}\left[\rho ({\mathcal{G}}^{*}\left(\widehat{\mathbf{X}}\right),\mathbf{X})\right]\le {\rho }_{max}(ϵ,\delta ,k,d):={\displaystyle \frac{k}{d}}·{\displaystyle \frac{{\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right)}{{\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right)+{\sigma }^2}},$$

where σ is the Gaussian DP noise scale from Lemma 2.

Proof. Step 1 (Optimal discriminator). At fixed $\mathcal{G}$, the optimal discriminator is ${\mathcal{D}}^{*}\left(\mathbf{x}\right)={\displaystyle \frac{p_{\mathbf{X}}\left(\mathbf{x}\right)}{p_{\mathbf{X}}\left(\mathbf{x}\right)+p_{\mathcal{G}}\left(\mathbf{x}\right)}}$. Substituting into the loss: $C\left(\mathcal{G}\right)=-log4+2D_{JS}(p_{\mathbf{X}}\parallel p_{\mathcal{G}})$.

Step 2 (Generator objective). Minimizing $C\left(\mathcal{G}\right)$ is equivalent to minimizing $D_{JS}(p_{\mathbf{X}}\parallel p_{\mathcal{G}})$, achieved uniquely when $p_{\mathcal{G}}=p_{\mathbf{X}}$. However, since $\widehat{\mathbf{X}}$ is a noisy, low-dimensional proxy of $\mathbf{X}$, perfect reconstruction is impossible due to the information barrier from Theorem 7.

Step 3 (Mutual information bottleneck). The mutual information between $\mathbf{X}$ and $\widehat{\mathbf{X}}$ upper-bounds the information accessible to any reconstruction algorithm. By the data processing inequality:

$$I(\mathbf{X};\widehat{\mathbf{X}})\le I(\mathbf{X};\mathbf{R}\mathbf{X})\le \sum _{i=1}^k{\displaystyle \frac{1}{2}}log\left(1+{\displaystyle \frac{{\lambda }_i\left(\mathbf{R}{\Sigma }_{\mathbf{X}}{\mathbf{R}}^T\right)}{{\sigma }^2}}\right)\le {\displaystyle \frac{k}{2}}log\left(1+{\displaystyle \frac{\parallel {\Sigma }_{\mathbf{X}}{\parallel }_F^2}{{\sigma }^{2}k}}\right).$$

This means the generator can access at most $I(\mathbf{X};\widehat{\mathbf{X}})$ bits of information about $\mathbf{X}$.

Step 4 (Feature recoverability channel capacity). A feature $X_j$ passes the KS test if the KL divergence $D_{KL}(p_{{\overline{X}}_j}\parallel p_{X_j})<{\tau }_{\mathrm{KS}}$. Faithful reconstruction of feature j requires $I(X_j;\widehat{\mathbf{X}})>log(1/{\tau }_{\mathrm{KS}})$ bits. The number of features satisfying this requirement:

$$\#\left\{\mathrm{recoverable}\mathrm{features}\right\}\le {\displaystyle \frac{I(\mathbf{X};\widehat{\mathbf{X}})}{log(1/{\tau }_{\mathrm{KS}})}}\le k·{\displaystyle \frac{{\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right)}{{\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right)+{\sigma }^2}}.$$

Step 5 (Normalizing to ratio). Dividing by d:

$$\mathbb{E}\left[\rho \right]\le {\displaystyle \frac{k}{d}}·{\displaystyle \frac{{\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right)}{{\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right)+{\sigma }^2}}={\rho }_{max}.$$

Step 6 (Known vs. unknown parameters). When $\mathbf{R}$ and DP parameters are known to the attacker, the optimal GAN can potentially learn the exact projection and noise model. However, the information-theoretic barrier from Step 3 still applies: knowledge of $\mathbf{R}$ does not increase $I(\mathbf{X};\widehat{\mathbf{X}})$ beyond its value as a sufficient statistic. Hence ${\rho }_{max}$ is the same for both scenarios.

Numerical verification. Voice data ($d=104$, $k=94$ (Table 2), $\sigma =3.81$, ${\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right)\approx 0.01$):

$${\rho }_{max}={\displaystyle \frac{94}{104}}·{\displaystyle \frac{0.01}{0.01+14.52}}\approx 0.904\times 0.00069\approx 0.062,$$

i.e., $\le 6.2\%$ recovery, consistent with the observed $1.57$-$5.20\%$. Swipe data ($d=33$, $k=30$, $\sigma \approx 1.73$ for $ϵ=9$): ${\rho }_{max}\approx 0.3\%$, consistent with $0.02$-$0.42\%$.    □

Corollary 1

(Privacy Guarantee under Worst-Case Attack). Under the strongest possible GAN attack (known $\mathbf{R}$, known DP parameters, unlimited auxiliary data), RUIP-BA satisfies ${\rho }_{max}$-irreversibility with:

$${\rho }_{max}={\displaystyle \frac{k}{d}}·{\displaystyle \frac{1}{1+{\sigma }^2/{\lambda }_{min}\left({\Sigma }_{\mathbf{X}}\right)}}\le {\displaystyle \frac{k}{d}},$$

where the upper bound $k/d$ is achieved in the limit $\sigma \to 0$ (no DP noise). This confirms that even without DP, RP alone guarantees that at most $k/d$ fraction of features can be recovered, and DP strictly improves this bound.

6. Experimental Results

We have implemented and evaluated our proposed approach on three different types of behavioral datasets. We collected voice and swipe pattern data from [46] and drawing pattern data from [25]. The voice and swipe datasets have 10,320 observations (vectors) from 86 users, with 120 observations per user. The drawing pattern data has 80 to 240 observations per user, with 193 distinct users. There are 104 features in voice data, 33 in swipe data, and 65 in drawing data.

Experiment setup. We downloaded and cleaned1 the behavioral profiles before using them in the experiments. To reduce the effect of biases resulting from features having different ranges, we normalized each feature by dividing by its maximum absolute value, mapping all values into $[-1,1]$. For the voice and swipe dataset specifically, this normalization was applied independently per feature column across all 10,320 raw observations (86 users × 120 samples per user), yielding a normalized feature matrix. From each profile, we then separated 20% of the data samples for testing purposes. we follow the same approach for drawing pattern data.

Data oversampling. Neural network classifiers and ML-based attack models require sufficient data samples in each profile for training and validation. To address this, we applied the Synthetic Minority Over-sampling Technique (SMOTE) [47] to each profile. SMOTE is an oversampling algorithm that generates new data samples by interpolating existing ones within a profile without adding new information. We ensured that all three datasets contained at least 200 to 300 data samples per profile after oversampling.

Training and auxiliary data. We divided all profiles in each dataset into two groups: (i) Group 1: all profiles in this group were converted to noisy projected profiles and used to train and validate the NN classifier, and (ii) Group 2: all profiles, along with their noisy projected versions, were used as auxiliary data. For Group 1, we kept around 80% of the profiles (68 voice and swipe profiles and 155 drawing pattern profiles), and the remaining 20% were assigned to Group 2 (18 voice and swipe profiles and 38 drawing pattern profiles).

6.1. Performance of BA System

In this section, we design the NN architecture for BA classifiers and then train them on Group 1 plain profiles, projected profiles, and noisy projected profiles. Finally, we evaluate the correctness and security of those classifiers using test data and compare them.

6.1.1. Performance of BA Classifier for Plain Profiles

We designed three distinct hierarchical NN architectures for three datasets. Table A1 in the Appendix illustrates the NN architectures of a BA classifier, while the other classifiers follow the same basic structure, differing in the number of layers and nodes per layer. For example, the baseline plain-profile classifier of voice dataset follows the architecture $104\to 128\to 256\to 512\to 256\to 128\to 68$, where each hidden layer uses Batch Normalization, ReLU activation, and Dropout (rate $=0.1$ for the first layer, increasing toward deeper layers). The final layer applies a 68-way softmax. The model is compiled with RMSprop$(\eta =0.001,\rho =0.9)$ and a ReduceLROnPlateau callback on validation accuracy. From each Group 1 profile, we allocated 80% of the data for training the classifier and the remaining 20% for model evaluation.

During the training phase, the voice, swipe, and drawing classifiers achieved 97.27%, 97.57%, and 95.68% classification accuracy and 98.47%, 97.06%, and 96.98% validation accuracy, respectively. We then tested the performance of all three trained classifiers using the previously separated test data. Table 3 presents the FAR and FRR of all three BA classifiers for plain profiles, and they achieved below 1.0% FAR and below 4.0% FRR, which is close to the reported performance in the original paper. For voice and swipe data, the authors of [48] reported 0.02% FAR and 3.52% FRR, and [25] reported 1.97% FAR and 1.97% FRR for drawing pattern data.

6.1.2. Performance of BA Classifier for Projected Profiles

For RP, we generated $\mathbf{R}$ following the discrete distribution (Achlioptas sparse sign pattern with $\{-1,0,+1\}$ entries). We used the JL lemma [37] to calculate the minimum value of k for each ${\mathbf{R}}^{k\times d}$. Table 2 shows that the minimum values of k are 73 for voice data, 30 for swipe data, and 46 for drawing data, with distance-preserving probabilities of 0.99, 0.94, and 0.99, respectively. For RP, we set k to 94, 30, and 56 for voice, swipe, and drawing data, respectively. After RP, we used the same percentage of projected data from Group 1 to train three new BA classifiers and achieved 95.65%, 96.42%, and 97.34% of training precision and 98.56%, 98.18%, and 99.05% of validation accuracy for voice, swipe, and drawing data, respectively.

For the correctness test of all three trained classifiers, each test profile was projected using the correct $\mathbf{R}$ that was used in the training phase, while an incorrect $\mathbf{R}$ was used for the security test. In the correctness test, all three classifiers produced 99.56%, 98.93%, and 98.97% classification accuracy, which is equivalent to 0.44%, 1.07%, and 1.03% FRR, respectively. In the security test, the classification accuracy was reduced to 0.45%, 0.23%, and 0.33%, which corresponds to FAR, respectively. The second row of Table 3 shows the FRR and FAR of all three classifiers for RP profiles. A slight performance improvement in all three classifiers is attributed to the use of distinct $\mathbf{R}$ during each profile projection, which enhanced the distances among the profiles in the projected domain.

6.2. Privacy-Preserving Properties of BA System

In this section, we examine the renewability and unlinkability properties of our privacy-preserving BA system. The irreversibility property of the system is examined in the next section.

DP parameter selection. For all RP+DP experiments on voice data, the DP noise was parameterized as follows. For Laplace noise, we set $\epsilon =7$ and sensitivity ${\Delta }_2\left(g\right)=1$ (normalized features lie in $[-1,1]$), yielding a Laplace scale $b={\Delta }_2/\epsilon =1/7\approx 0.143$. For Gaussian noise, we used $\epsilon =7$, $\delta ={10}^{-5}$, and computed

$$\sigma ={\displaystyle \frac{\sqrt{2ln(1.25/\delta )}}{\epsilon }}={\displaystyle \frac{\sqrt{2ln(125,000)}}{7}}\approx {\displaystyle \frac{4.845}{7}}\approx 0.692.$$

(1)

For the invalid-claim security test, a distinct $\epsilon =5$ (Laplace, scale $=0.2$) was used to simulate a stricter privacy regime. The RP+DP classifier for voice data (VDP3 architecture, $94\to 64\to 128\to 256\to 128\to 68$, trained for 200 epochs) achieved 97.38% test accuracy (loss $=0.077$). Non-enrolled users presented under the wrong projection matrix attained only 1.65% accuracy (loss $=13.98$), confirming strict rejection of impostors even after adding DP noise.

6.2.1. Renew Training Profile

To assess the renewability property of our proposed privacy-preserving BA system, each plain training profile was projected using a different $\mathbf{R}$ than the one used during the registration phase, followed by the addition of DP noise. For each dataset, we then updated $\mathcal{C}(·)$ using the newly generated noisy projected profiles. For the RP with Laplace and Gaussian noise, the training and validation accuracy of all updated $\mathcal{C}(·)$s are 96.64% and 98.60%, and 97.87% and 98.96% for voice data, 96.16% and 97.97%, and 97.37% and 97.03% for swipe data, and 95.65% and 96.57%, and 96.65% and 98.43% for drawing data in 200 training rounds.

The security of all updated BA classifiers was tested using the previously used test data projected by an incorrect $\mathbf{R}$ and DP noise, which was generated using incorrect parameters. The updated classifiers achieved FARs of approximately 0.18% and 1.64% for voice data, 1.95% and 1.70% for swipe data and 1.94% and 1.55% for drawing data with both types of noise, as expected. However, when the test data were projected using the correct $\mathbf{R}$, and the correct DP parameters were used to add DP noise, the correctness of the systems was restored to 96.85% (3.15% FRR) and 97.58% (2.42% FRR) for voice data with Laplace and Gaussian noise, respectively. For swipe data, the correctness was 97.74% (2.26% FRR) and 98.03% (1.97% FRR), and for drawing data, it was 98.15% (1.85% FRR) and 97.32% (2.68% FRR). These results confirm the renewability property of our privacy-preserving BA systems, demonstrating their ability to maintain both correctness and security even when the BA classifier is updated with new noisy projected profiles. A summary of the results is provided in the model update section of Table 3, while the training accuracy across different communication rounds is presented in Figure A1 in the Appendix.

6.2.2. Similarity of Divergence Distributions

To ensure unlinkability, the JS divergence distribution between two noisy projected profiles generated from the same source using different $\mathbf{R}$ matrices and different DP parameters should be as close as the JS divergence distribution of invalid claims (different sources, different $\mathbf{R}$, and different DP parameters). Furthermore, it should also differ from the JS divergence distribution of valid claims (same source, same $\mathbf{R}$, and same DP parameters). To evaluate this, we calculated the symmetric JS divergences for all pairs of noisy projected profiles under three scenarios: (i) profiles originate from different sources and are projected using different $\mathbf{R}$ matrices and different DP parameters (invalid claims); (ii) profiles originate from the same source but are projected using different $\mathbf{R}$ matrices and different DP parameters; and (iii) profiles originate from the same source, are projected using the same $\mathbf{R}$, and use the same DP parameters (valid claims). During profile projection, we ensured acceptable dimensionality reduction across all datasets to preserve distances and set Laplace and Gaussian parameters to maintain moderate privacy while ensuring the distance-preserving property.

Figure 3 illustrates the divergence distributions of the noisy projected profiles across three cases within the three datasets. It is evident that the divergence distribution in case 1 (different sources, different $\mathbf{R}$, and different DP parameters) aligns more closely with case 2 (same source, different $\mathbf{R}$, and different DP parameters) compared to case 3 (same source, same $\mathbf{R}$, and same DP parameters).

Quantitative profile-distance analysis (voice data as example). To provide a precise statistical justification, we computed k-NN divergence (with $k=5$, using the efficient kd-tree estimator of Wang et al. [43]) between every pair of noisy projected profiles over all 86 voice users under both Laplace and Gaussian perturbation. Valid-claim divergences (${\widehat{\mathbf{X}}}_{\mathrm{same}\mathrm{R}}^u$ vs. ${\widehat{\mathbf{X}}}_{\mathrm{same}\mathrm{R}}^u$) ranged from approximately 0.14 to 31.2 (Laplace) and 0.02 to 33.7 (Gaussian), consistent with the tight within-user intra-class geometry. By contrast, invalid-claim (cross-user) divergences ranged from 137 to 210 (Laplace/Gaussian)-roughly two orders of magnitude larger-confirming strong separation. Inter-profile divergences (same source, different $\mathbf{R}$) fell in a similarly high range (approximately 112 to 210), making them statistically indistinguishable from invalid-claim divergences.

To further analyze this, the Kolmogorov-Smirnov (KS) two-sample test was conducted on these empirical distributions (each of length $n=86$). Table 4 reports the exact p-values:

The p-values are critical: while valid-claim divergences are completely distinct from both invalid and inter-profile distributions ($p\approx 5.5\times {10}^{-51}\ll 0.05$), the distributions of invalid claims and inter-profile divergences are statistically indistinguishable ($p=0.0693>0.05$). This is the key unlinkability result: an adversary observing two noisy projected profiles of the same user-generated with different $\mathbf{R}$ matrices-cannot distinguish them from profiles of two entirely different users, because their divergence distributions are drawn from the same statistical population. This confirms that for the voice dataset, the null hypothesis of identical distributions between cases 1 and 2 cannot be rejected at $\alpha =0.05$, providing direct empirical corroboration of Theorem 6.

For the similarity test between cases 1 and 2, p-values were consistently much higher than those obtained from the similarity test between cases 2 and 3, with some even exceeding 0.05. This indicates that the distributions of cases 1 and 2 exhibit similar patterns, whereas the distributions of cases 2 and 3 differ significantly. These findings confirm that an attacker cannot associate the noisy projected profiles in our BA system based on their symmetric divergence, consistent with Theorem 6.

6.3. Performance of ML-Based Attack

In this section, we trained an ML-based attack model ${\mathcal{M}}_{\mathcal{P}}(·)$ to attempt the recovery of the features from noisy projected profiles that were compromised.

6.3.1. Train an Attack Model

For the attack model, we designed three similar pairs of generator and discriminator architectures, one for each dataset. The generator aims to reconstruct the original (plain) profiles from the projected profiles, while the discriminator attempts to distinguish between real and reconstructed profiles, thereby guiding the generator to produce more accurate recoveries. Table A2 in the Appendix shows the GAN-based generator and discriminator architectures. We also adopted the DNN-based attack model proposed in [24] for comparison.

After collecting auxiliary profiles through the profile generator, we projected them using newly generated $\mathbf{R}$ (when only the distribution of $\mathbf{R}$ is known) or preexisting $\mathbf{R}$ (when the exact matrix $\mathbf{R}$ is known). DP noise was then added to each projected auxiliary profile using known DP parameters or estimating them based on prior knowledge or assumptions. All noisy projected profiles, along with their corresponding plain profiles2, were used to train both types of attack models.

DNN attack architecture and training ( voice dataset as example). For the voice dataset, the DNN inversion regressor follows the architecture $94\to 128\to 256\to 256\to 128\to 104$ with sigmoid output activation (total 160,360 parameters, 158,824 trainable), compiled with MSE loss and SGD optimizer. The auxiliary set consists of $18\times 200=3,600$ samples projected with per-instance random $\mathbf{R}$ and perturbed using $\epsilon =9$, $\delta ={10}^{-5}$ (Gaussian, $\sigma \approx 0.538$) or $\epsilon =7$ (Laplace) DP noise. Training runs for 200 epochs (batch 64). For the unknown-$\mathbf{R}$ scenario, epoch 1 yields training MSE $=0.1288$ / validation MSE $=0.1191$; by epoch 200 the MSE stabilizes at $0.0153$ / $0.0160$, indicating convergence. On the held-out test set, the final evaluate MSE $=0.0306$-substantially above zero, confirming that even a well-optimized regressor cannot invert the RP+DP transformation with fidelity.

GAN attack architecture and training. For the GAN-based attack models, we used fully connected generator and discriminator architectures, where the generator reconstructs plain profiles from projected profiles and the discriminator distinguishes between real and reconstructed profiles. The networks were trained using BCELoss for the discriminator and a weighted combination of BCELoss + MSELoss for the generator (${\lambda }_{\mathrm{recon}}=1\mathrm{to}10.0$). Both networks were optimized using Adam ($\eta =2\times {10}^{-4}$, ${\beta }_1=0.5$) over 200 epochs. For the unknown-$\mathbf{R}$ voice scenario, the discriminator loss starts at $D=1.317$, $G=1.149$ (epoch 0) and converges to $D=1.383$, $G=0.766$ (epoch 190); for the known-$\mathbf{R}$ scenario, convergence is $D=1.383$, $G=0.753$. In both cases the discriminator and generator losses settle near the theoretical Nash-equilibrium value of $ln2\approx 0.693$ (binary cross-entropy optimum), which is consistent with the GAN Nash-Equilibrium Privacy Bound of Theorem 8: the generator cannot significantly improve reconstruction quality once the discriminator reaches near-random guessing. For all cases, the GAN successfully learned to reconstruct the original profiles, achieving discriminator and generator losses of 1.35-1.38 and 0.75-0.76 for voice data, 1.32-1.38 and 0.74-0.75 for swipe data, and 1.36-1.37 and 0.71-0.72 for drawing data. In the case of DNN, we used mean squared error as the loss function and RMSProp as the optimizer with a learning rate of 0.001. For unknown $\mathbf{R}$ and unknown DP parameters, after 200 epochs of training, the training and validation loss for ${\mathcal{M}}_{\mathcal{P}}(·)$ for both types of noise ranges between 0.014 and 0.016 for voice data, between 0.0013 and 0.0022 for swipe data and between 0.0013 and 0.0029 for drawing data.

6.3.2. Recover Feature

Both types of trained attack models were used to recover plain profiles from each compromised noisy projected profile. We employed the KS-test to evaluate the distribution similarity between the features of the recovered profiles and the ground-truth profiles.

Mean feature recovery rates (voice data as example, unknown $\mathbf{R}$). For the DNN-based inversion model under the unknown-$\mathbf{R}$ scenario on voice data, across 68 enrolled users only 66 out of $68\times 104=7,072$ total feature recovery attempts yielded a KS-passing result under Laplace noise, and 62 under Gaussian noise. This corresponds to aggregate mean feature recovery rates of ${\overline{\rho }}_{\mathrm{DNN},\mathrm{L}}=3.79\%$ and ${\overline{\rho }}_{\mathrm{DNN},\mathrm{G}}=2.31\%$, respectively, providing concrete verification of Theorem 8. The per-user feature counts for the DNN attack under Laplace noise are: {6, 4, 3, 4, 4, 2, 5, 0, 5, 6, 4, 1, 0, 2, 1, 10, 6, 5, 2, 3, 2, 7, 3, 7, 7, 2, 6, 9, 3, 13, 2, 3, 3, 2, 2, 4, 8, 0, 4, 2, 4, 2, 2, 5, 4, 5, 0, 3, 4, 7, 2, 1, 1, 3, 4, 4, 4, 3, 5, 2, 6, 3, 1, 4, 6, 6, 2, 3}, confirming that even the most-recovered user (user 16, 10 features) regains less than 12.5% of their 104 voice features-far below any threshold that would enable behavioral re-identification.

For all three datasets, Figure 4(a-c) presents the percentage of features per profile that passed the KS-test for both attack networks across all three datasets when both the random projection matrix $\mathbf{R}$ and DP parameters were unknown to the attacker. In this setting, the attacker reconstructs $\mathbf{R}$ by sampling it from the known distribution and randomly guesses the DP parameters. For the DNN-based attack, the results are broadly consistent with those reported in [24]; however, the addition of DP noise reduces the overall recovery performance. Specifically, for the voice and swipe datasets, out of 86 noisy projected profiles, the attacker was able to recover at least one feature from 59 and 8 profiles, respectively, under Laplace noise, and from 55 and 2 profiles, respectively, under Gaussian noise. For the drawing dataset, at least one feature was successfully recovered from 30 out of 155 profiles with Laplace noise and from 5 out of 155 profiles with Gaussian noise.

GAN provides slightly better recovery, but the improvement is still limited. Out of 86 noisy projected profiles for voice and swipe data, at least one feature was recovered from 58 and 54 profiles, respectively, with Laplace noise, and from 15 and 5 profiles, respectively, with Gaussian noise. For drawing data, at least one feature was recovered from 30 and 22 profiles out of 155 profiles for Laplace and Gaussian noise, respectively. Despite these results, the average percentage of recovered features per compromised profile remains low.

Figure 5 (a-c) presents the results when the attacker knows both $\mathbf{R}$ and DP parameters. In this case, recovery improves slightly for both DNN and GAN-based attacks. For DNN, the attacker recovered at least one feature from 64 and 7 voice and swipe profiles, respectively, with Laplace noise, and from 56 and 2 profiles with Gaussian noise. For drawing data, at least one feature was recovered from 41 and 5 profiles out of 155 profiles for Laplace and Gaussian noise, respectively. For GAN, at least one feature was recovered from 65 and 24 voice and swipe profiles, respectively, with Laplace noise, and from 60 and 7 profiles with Gaussian noise. For drawing data, at least one feature was recovered from 51 and 22 profiles out of 155 profiles for Laplace and Gaussian noise, respectively. Even with this knowledge, the average percentage of recovered features per profile remains low.

Overall, attacks performed with known $\mathbf{R}$ and DP parameters achieve slightly better results compared to those with unknown parameters. Profiles with added Laplace noise are marginally more susceptible than those with Gaussian noise, likely due to the more deterministic behavior of Laplace noise. Nevertheless, for an individual profile, the percentage of recovered features remains low, ranging from 5% to 14% for voice data, 1% to 3% for swipe data, and 1% to 8% for drawing data under both noise types and both parameter scenarios. This level of recovery is insufficient for identifying behavioral patterns or supporting future attacks. Critically, all observed $\rho$ values satisfy $\rho \le {\rho }_{max}$ from Theorem 8 and Corollary 1.

6.4. Results Comparison

We critically compare the performance of our proposed privacy-preserving BA system with existing systems in the literature that adopt the cancelable biometric approach. The comparison emphasizes key aspects such as the methods and data types used, system performance, evaluated privacy properties, and resilience against various attacks. While some related works excel in certain areas, our system achieves competitive performance by balancing high authentication accuracy with robust protection against diverse privacy threats, including GAN-based attacks. A summary of the comparisons is in Table 5.

• Some systems relied solely on an RP-based approach [23,24], while others combined RP with local binary pattern (LBP) [33], backpropagation neural network (BPNN) [35], or applied double random phase encryption (DRPE) with fractional Fourier transform (FFT) [34]. In this work, we combined DP with RP to offer theoretical and experimental privacy guarantees, distinguishing our approach from existing methods.
• Most of the related works used biometric data in their experiments, except Taheri et al. [23,24], who included biometric and behavioral data. Since our focus is solely on BA systems, we used three different behavioral datasets in the experiments.
• Our system achieves higher performance accuracy than most other systems, except for a few that use biometric data, as expected, since biometric data are inherently more distinctive than behavioral data.
• Only our proposed system, along with [34] and [24], meets all privacy-preserving criteria for authentication systems, with our system achieving this specifically for behavioral data.
• We considered most of the potential attacks applicable to our system and also introduced GAN-based privacy attacks as a novel privacy evaluation method. Our approach is unique in providing formal information-theoretic proofs (Theorems 5-8) for all three privacy properties.

7. Conclusion

In this paper, we presented RUIP-BA, a privacy-preserving behavioral authentication (BA) system designed to meet all three ISO/IEC 24745 requirements of Renewability, Unlinkability, and Irreversibility-detailing its design, implementation, formal analysis, and evaluation. The acronym RUIP-BA (Renewable, Unlinkable, Irreversible Privacy-Preserving Behavioral Authentication) directly encodes the three-property guarantee in the system’s name. Leveraging random projection (RP) and local differential privacy (DP), our system achieves a balance between high authentication accuracy and robust data privacy. Experiments on voice, swipe, and drawing pattern datasets demonstrated high accuracy rates exceeding 96% for user authentication while preserving user privacy. The system effectively mitigated privacy risks, as shown by low false rejection and acceptance rates.

New formal contributions include: (i) the Johnson-Lindenstrauss Lemma and RP sensitivity lemma providing dimensionality reduction guarantees; (ii) three formal security games formalizing the ISO/IEC 24745 properties as PPT adversarial games; (iii) a Bhattacharyya-coefficient renewal bound (Theorem 5) showing adversarial advantage $\le 0.011$ for voice data; (iv) a full KL/JS divergence derivation for unlinkability (Theorem 6) grounded in Gaussian mechanism analysis; (v) a Cramér-Rao/Bayesian MMSE lower bound for irreversibility (Theorem 7) showing null-space dimensions are fundamentally unrecoverable; and (vi) a GAN Nash-equilibrium privacy bound (Theorem 8) bounding feature recoverability by ${\rho }_{max}={\displaystyle \frac{k}{d}}·{\displaystyle \frac{{\lambda }_{min}}{{\lambda }_{min}+{\sigma }^2}}$.

Comprehensive security and privacy analysis, including evaluations against sophisticated GAN-based privacy attacks, validated the robustness of our approach, showing that a very small percentage of behavioral features could be reconstructed by the most powerful attack scenarios. Our findings highlight the effectiveness of RP and DP in protecting user profiles from potential threats. Beyond BA systems, our approach offers broader applicability to domains such as biometric authentication and high-dimensional data publishing. Future work will explore adaptive strategies to enhance resilience against evolving attack models and extend the system’s applicability to multimodal biometric authentication scenarios.