Cancelable Biometrics with Provable Security and ... - Semantic Scholar

IEICE TRANS. FUNDAMENTALS, VOL.E94–A, NO.1 JANUARY 2011

233

PAPER

Special Section on Cryptography and Information Security

Cancelable Biometrics with Provable Security and Its Application to Fingerprint Verification∗ Kenta TAKAHASHI†,††a) , Member and Shinji HIRATA† , Nonmember

SUMMARY Biometric authentication has attracted attention because of its high security and convenience. However, biometric feature such as fingerprint can not be revoked like passwords. Thus once the biometric data of a user stored in the system has been compromised, it can not be used for authentication securely for his/her whole life long. To address this issue, an authentication scheme called cancelable biometrics has been studied. However, there remains a major challenge to achieve both strong security and practical accuracy. In this paper, we propose a novel and fundamental algorithm for cancelable biometrics called correlation-invariant random filtering (CIRF) with provable security. Then we construct a method for generating cancelable fingerprint templates based on the chip matching algorithm and the CIRF. Experimental evaluation shows that our method has almost the same accuracy as the conventional fingerprint verification based on the chip matching algorithm. key words: biometrics, authentication, cancelable biometrics, template protection

1.

Introduction

Biometric verification technology, which automatically identifies a person based on his/her physical or behavioral features, has been used for user authentication for physical access control or computer login, and is expected to be applied to remote user authentication over networks. A typical remote biometric authentication system consists of an authentication server with database and client terminals with biometric sensors. The server keeps biometric feature data, which are called templates, in the database. There are some problems here. The first is a security concern: because biometric features such as fingerprint patterns are unchangeable, they can not be revoked even if the templates or feature data are leaked. The second is a privacy concern: biometrics are strongly linked to a person’s identity, so some users have an aversion to disclose their biometric data to the server over the network. Manuscript received March 17, 2010. Manuscript revised July 2, 2010. † The authors are with Systems Development Laboratory, Hitachi, Ltd., Yokohama-shi, 244-0817 Japan. †† The author is with the Graduate School of Information Science and Technology, The University of Tokyo, Tokyo, 113-8656 Japan. ∗ Preliminary versions of this paper were presented at the IEEE Third International Conference on Biometrics: Theory, Applications and Systems (BTAS2009), Washington DC, September, 2009, and the 3rd IAPR/IEEE International Conference on Biometrics (ICB2009), Alghero, Italy, June, 2009. This work was partially supported by the national project promoted by the Ministry of Internal Affairs and Communications of Japan. a) E-mail: [email protected] DOI: 10.1587/transfun.E94.A.233

Conventional remote biometric authentication systems have been dealt with these problems by encrypting templates in the database and using cryptographic communication. However, the encrypted templates have to be decrypted on the server to perform pattern matching at the time of authentication. Thus a skilled attacker who aims at this timing, or a malicious administrator of the server can acquire the original biometric feature or templates. To address these issues, biometric template protection schemes have been studied for about a decade. The schemes can be broadly classified into two categories, namely feature transformation approach and biometric cryptosystems [1]. The feature transformation approach was firstly proposed by Ratha, et al. [2], named cancelable biometrics. In the followings, we collectively call the schemes of this approach cancelable biometrics. Biometric cryptosystems [3], such as ones using fuzzy vault (e.g. [4]), take an approach of extracting stable binary representation from “analogue” biometrics data (biometric key generation), and using it as a private key or a password. Typically, biometric key generation technique is constructed by a quantization step and an error-correcting step. However, generating user-specific key from biometric data with practical accuracy (i.e. low error rates of generating wrong key from a genuine user, and of generating correct key from an impostor user) is a major challenge in this approach. In fact, if there is a biometric key generation algorithm with certain error rates, then it can be easily convert to a biometric matching algorithm with the same error rates (FRR: False Rejection Rate, and FAR: False Acceptance Rate), by simply comparing generated keys. However, the general method of the opposite conversion is not known, i.e. there is no known general method to construct a biometric key generation algorithm from an arbitrary biometric matching algorithm without degrading the accuracy. This fact implies that it is much harder to achieve good accuracy in the biometric cryptosystems than in the conventional biometric authentication. On the other hand, in cancelable biometrics, biometric data is transformed in the feature (or signal) domain, and matched in the transformed domain directly, without restoring the original feature. Some methods of cancelable biometrics such as [5]–[8] have potential to take advantage of conventional matching algorithms with practical accuracy. However, the security analyses of most methods do not seem so rigorous as those of the conventional encryption algorithms. It is a challenge to construct transformations for

c 2011 The Institute of Electronics, Information and Communication Engineers Copyright


234

cancelable biometrics with provable security. In this paper, we propose a novel and fundamental algorithm for cancelable biometrics called correlationinvariant random filtering (CIRF), which has provable security in the meaning that the transformed feature does not leak any information about the original feature. The CIRF can be widely applied to any kind of biometrics whose similarity is measured via cross-correlation between features. Then we construct a method for generating cancelable fingerprint templates for the chip matching algorithm [9] based on the CIRF. The organization of this paper is as follows. In Sect. 2, we overview the scheme of cancelable biometrics and state the desirable properties. In Sect. 3, we propose the CIRF and show the security proof. In Sect. 4, we construct a method for generating cancelable fingerprint templates based on the well-known chip matching algorithm for fingerprint verification and the CIRF for transforming templates. In Sect. 5, we describe the result of experimental evaluation of the accuracy and discuss the security of the proposed method. Finally, concluding remarks are presented in Sect. 6. 2.

Cancelable Biometrics

2.1 Overview and Desirable Properties A typical model of server/client type biometric authentication system with cancelable biometrics is shown in Fig. 1. In the enrollment stage, a biometric feature data a is transformed via a function F P , and F P (a) is stored in the server as a reference data, called a cancelable template. In the authentication stage, a newly extracted feature b is transformed via G P , and G P (b) is sent to the server as an authentication data. The server matches G P (b) to F P (a), and evaluate the similarity between the original features a and b. The transformation functions F P and G P can be the same or different. The parameter P is generated randomly or sometimes in relation to a at the time of enrollment. P plays a similar role as an encryption key and kept in the client or some token of the user. Even if F P (a) or P leaks out, they can be revoked by generating a new parameter P and replacing F P (a) with

F P (a). Note that P should not be stored with F P (a), because in that case, the both data could leak out simultaneously. An attacker who obtained both F P (a) and P is able to recover the original feature a, if F P is a bijective (one-to-one) function, as in many cases of cancelable biometrics. Even if F P is a many-to-one function as proposed in [7], it is shown to be possible to recover a from F P (a) and P [10]. An ideal cancelable biometric system should possess the following properties [1]. (i) Accuracy performance: In general, an error would occur in evaluating the similarity of the features in the transformed domain, and so the accuracy (FAR: False Acceptance Rate, and FRR: False Rejection Rate) may be degraded from that of the original version. It is important that the degree of accuracy degradation is small. (ii) Security: A cancelable biometric scheme have to protect the original biometric feature even if some information is compromised. In particular, it should be impossible or computationally hard to obtain the original biometric feature, (ii-a) from the cancelable template: The cancelable template stored in the server might be compromised. It should be sufficiently hard to recover or estimate a from F P (a) without knowing P. (ii-b) from the authentication data: The authentication data sent through the channel might be compromised. It should be sufficiently hard to recover or estimate b from G P (b) without knowing P. (ii-c) from the parameter: The parameter stored in the client or the the token of the user might be compromised. It should be sufficiently hard to recover or estimate a from P without knowing F P (a). Above properties are countermeasures against external attacks. In addition, an ideal cancelable biometric scheme is desired to have security against internals attack, i.e., a malicious server. Note, however, to evaluate the similarity of the original feature data, the server have to calculate some sort of relation r(a, b) between a and b, such as the cross-correlation. (ii-d) Security against the server: It is desirable that the server cannot obtain extra information other than r(a, b), which may be utilized to recover a and b. (iii) Diversity: The cancelable template must not allow cross-matching across databases, thereby ensuring the privacy. (iv) Revocability: It should be straightforward to revoke a compromised template and reissue a new one based on the same biometric feature. 2.2 Related Works

Fig. 1

System model of cancelable biometrics.

Some transformations for cancelable biometrics have been

TAKAHASHI and HIRATA: CANCELABLE BIOMETRICS WITH PROVABLE SECURITY

235

proposed for several kinds of biometrics, such as iris [5] and face [6], [8]. As for fingerprint, Ratha, et al. [7] proposed three transforms: Cartesian, polar, and functional transformation. The first two methods have a drawback of the boundary problem, i.e. if a original minutiae point crosses a boundary of sectors dividing the feature space due to minor deviation of image alignment or distortion of a fingerprint, then the transformed version of the minutiae point is located far from the appropriate position. The third method deals with this issue by some locally smooth functions to distort the feature space. Lee, et al. [11] also proposed a locally smooth function for cancelable fingerprint template which does not need alignment for matching process. However, the security analysis of above methods seems insufficient. For example, an attacker might be able to narrow down the candidates of original minutia patterns based on the constrains of continuity of minutiae orientation and local smoothness of the transform function. Chikkerur, et al. [12] proposed a provably secure method for cancelable fingerprint templates. Their method extracts a local image (called a patch) around each minutiae, and transforms it by a projection matrix which does not change the dot product measure of two patches. However, the experimental accuracy is poor (FAR: 1%, FRR: 20%). Considerable reasons are as follows. (i) The matching measure of patches does not allow extraction error of minutiae locations, i.e. if a detected minutiae location is apart from the true position by only several pixels, the extracted patch image would not be matched. (ii) The final score is calculated according to the minimum total distance among all combinations of patches, thus an impostor’s fingerprint whose patch set is similar to the genuine one, for a certain permutation, can easily cause a false acceptance, even if the minutia locations are totally different. 3.

Correlation Invariant Random Filtering

In this section we propose a fundamental algorithm called correlation-invariant random filtering (CIRF), which can be applied to construct cancelable biometrics for image-based matching. The CIRF has provable security in the meaning that the transformed feature does not leak any information about the original feature. 3.1 Preliminary We assume that a biometric feature a is represented as an image data (i.e. two-dimensional array of brightness values) with w(width) × h(height) pixels, and the value of each pixel is an integer, i.e., a ∈ Zwh . Let a[x, y] denote the value of the pixel of coordinates (x, y), where 0 ≤ x ≤ w − 1, 0 ≤ y ≤ h − 1. Furthermore, we assume the similarity of two feature images a[x, y], b[x, y] can be evaluated through the cyclic cross-correlation a b ∈ Zwh , which can be expressed in the following cyclic convolution formula,

ˆ (a b)[u, v] = (a ∗ b)[u, v] h−1 w−1 ˆ − x mod w, v − y mod h] a[x, y]b[u = x=0 y=0

(0 ≤ u ≤ w − 1, 0 ≤ v ≤ h − 1)

(1)

ˆ y] = b[w − where bˆ denotes the flipped image of b, i.e. b[x, wh ˆ x − 1, h − y − 1], and a ∗ b ∈ Z denotes the cyclic conˆ The (linear) cross-correlation is widely volution of a and b. used as a measure of similarity of two signals including images, audio signals, and so on. The linear cross-correlation can be calculated from the cyclic cross-correlation by appending a zero-signal to the original signal. We will use this technique in Sect. 4, to apply the CIRF to the chip matching algorithms. To establish cancelable biometrics, it is required to calculate a ∗ bˆ without knowing a nor b. Here, we introduce the two-dimensional number theoretic transform (NTT) F, a kind of two-dimensional discrete Fourier transform (DFT) defined over Galois field Z p , where p is a prime. wh F : Zwh p → Zp ,

F(a)[X, Y] =

h−1 w−1

αXx βYy a[x, y] mod p,

(2)

x=0 y=0

where α, β ∈ Z p are the roots of unity of order w, h respectively. The prime p have to satisfy the following property: w | p − 1 and h | p − 1.

(3)

The inverse NTT F−1 is defined as follows. wh F−1 : Zwh p → Zp ,

F−1 (A)[x, y] = N −1

(4) w−1 h−1

α−Xx β−Yy A[X, Y] mod p. (5)

X=0 Y=0

The NTT is known to have a cyclic convolution property or CCP [13]: F(a ∗ b) = F(a) ◦ F(b)

(mod p),

(6)

where “◦” denotes the pixel-wise multiplication, i.e. (A ◦ B)[X, Y] = A[X, Y]B[X, Y]. We make use of the CCP of the NTT to construct the CIRF. 3.2 Algorithms The CIRF is a tuple of functions (F, G, R). F transforms a biometric feature image a ∈ B to a filtered image T ∈ T using a random filter K ∈ K. F : B × K → T,

(a, K) → T = F(a) ◦ K,

(7)

∗ wh where B, T ⊆ Zwh (Z∗p = Z p \ {0}). K p and K = (Z p ) is chosen uniformly randomly from K at the time of enrollment. For a fixed K, we denote the transformation by F K , i.e., T = F K (a).


236

Note that a is originally represented as an integervalued image, i.e., a ∈ Zwh . However, we can regard it as an element of Zwh p for sufficiently large p and appropriate representatives of Z p . We will show later how to choose p and the representatives. G transforms a biometric feature image b ∈ B to a filtered image U ∈ T using a random filter K ∈ K. G : B × K → T,

ˆ ◦ K −1 , (b, K) → U = F(b)

(8)

where K −1 denotes the pixel-wise inverse of K, i.e., (K −1 )[u, v] = (K[u, v])−1 . For a fixed K, we denote the transformation by G K , i.e., U = G K (b). R takes two filtered images T = F K (a) and U = G K (b) as inputs and outputs the cross-correlation r. (9)

Zwh p .

where R = From (6)–(9), we have r = = = = =

F−1 (F K (a) ◦ G K (a)) ˆ ◦ K −1 )) F−1 ((F(a) ◦ K) ◦ (F(b) ˆ F−1 (F(a) ◦ F(b)) ˆ a ∗ b (mod p). ab

(mod p).

(10)

(11)

However, to evaluate the similarity of two feature images a, b, the cyclic cross-correlation have to be calculated in Z. This problem can be solved if we set p and choose representatives of Z p appropriately as follows. Let B s ⊂ Zwh be a set of possible feature images. For example, if features are represented as binary (e.g. black and white) images and coded with {0, 1}, B s = {a ∈ Zwh | a[x, y] ∈ {0, 1}}. Let Max, Min be the maximum and the minimum of the cyclic cross-correlation between a, b ∈ B s : Max = max (a b)[x, y],

(12)

Min = min (a b)[x, y].

(13)

a,b∈B s 0≤x≤w−1 0≤y≤h−1

a,b∈B s 0≤x≤w−1 0≤y≤h−1

The prime p is chosen to satisfy (3) and the following inequality: p ≥ Max − Min + 1,

(14)

and the representatives of Z p are chosen to include Min, Min + 1, · · · , Max − 1, Max.

(16)

We constructed the CIRF based on the NTT. Actually the CIRF can be implemented with normal DFT instead of the NTT. However, the perfect secrecy is achieved only with the NTT. Besides, data size of the templates is reduced by the NTT, because each element can be represented as an integer of log2 (p) bits (= 9 bits, in our implementation), whereas in the case of DFT, each element is a complex number which should be represented as a pair of floating-point numbers.

We will show that F and G have perfect secrecy if we slightly restrict the feature space B. For preparation, let us define a cryptosystems and perfect secrecy according to [14]. Definition 1. A cryptosystem is a tuple (P, C, K, E, D) with the following properties:

wh Note that the above equality holds in Zwh p , not in Z . Thus, if we regard the value of each pixel as an element of Z, the following equality holds only in modulo p:

r[u, v] = (a b)[u, v] (mod p).

r[u, v] = (a b)[u, v].

3.3 Security Analysis

R : T × T → R,

(T, U) → r = F−1 (T ◦ U),

Since each pixel value of the cyclic cross-correlation (a b)[u, v] is within the interval [Min, Max], the following equality holds in Z:

(15)

1. 2. 3. 4.

P is a set and called the plaintext space, C is a set and called the ciphertext space, K is a set and called the key space, E = {Ek |k ∈ K} is a family of functions Ek : P → C, 5. D = {Dk |k ∈ K} is a family of functions Dk : C → P, 6. For each e ∈ K, there is d ∈ K such that Dd (Ee (m)) = m for all m ∈ P. We present the Shannon’s definition of perfect secrecy [14]: Definition 2. A cryptosystem (P, C, K, E, D) has perfect secrecy if the events that a particular ciphertext occurs and that a particular plaintext has been encrypted are independent (i.e., Pr(m|c) = Pr(m) for all m ∈ P and c ∈ C). This definition means that any ciphertext c = Ek (m) of a cryptosystem with perfect secrecy provides no information about the plaintext m. Here, let us consider a slightly restricted spaces B∗ of feature images for enrollment and Bˆ ∗ for authentication. ∗ wh B∗ = {a ∈ Zwh p | F(a) ∈ (Z p ) }, ∗ wh ˆ Bˆ ∗ = {b ∈ Zwh p | F(b) ∈ (Z p ) }.

(17)

Note that (Z∗p )wh forms an Abelian group under pixel-wise multiplication “◦,” i.e., there exist an identity element I ∈ (Z∗p )wh (an image with all pixel value is 1 ∈ Z p ) and inverse elements A−1 ∈ (Z∗p )wh for all A ∈ (Z∗p )wh , and A ◦ B = B◦A ∈ (Z∗p )wh for all A, B ∈ (Z∗p )wh . By the above restriction, ˆ and the random filter K are all elements of the F(a), F(b)


237

abelian multiplicative group. Thereby, the space of filtered images T can also be restricted to this group: T ∗ = (Z∗p )wh .

(18)

Let us denote F = {F K : B∗ → T ∗ | K ∈ K}, G = {G K : Bˆ ∗ → T ∗ | K ∈ K}. F −1 = {F K−1 : T ∗ → B∗ | K ∈ K}, ∗ ˆ∗ G−1 = {G−1 K : T → B | K ∈ K},

3.4.1 Accuracy Performance By setting appropriate parameters, the CIRF can calculate the cyclic cross-correlation a b of the original features a and b without error. Thus, if the similarity can be evaluated based only on the cyclic cross-correlation, the accuracy performance is not affected by the CIRF. 3.4.2 Diversity

(19)

Note that F K−1 (F K (a)) = a and G−1 K (G K (b)) = b. Thus (B , T ∗ , K, F , F −1 ) and (Bˆ ∗ , T ∗ , K, G, G−1 ) are cryptosystems. Here, the following theorem holds.

We assume a filtered image T = F(a, K) as a cancelable template. Let us consider the situation where two cancelable templates T 1 = F(a, K 1 ) and T 2 = F(a, K 2 ), generated from the same feature a, are enrolled to two databases DB1 and DB2 respectively. To protect cross-matching across databases, it is sufficient that two cancelable templates T 1 , T 2 have no correlation. Actually, we can prove the following theorem.

Theorem 1. The cryptosystems (B∗ , T ∗ , K, F , F −1 ) and (Bˆ ∗ , T ∗ , K, G, G−1 ) both have perfect secrecy.

Theorem 2. Let T 1 = F(a, K 1 ) and T 2 = F(a, K 2 ). If K 1 and K 2 are independently and uniformly distributed on K,

where F K−1 (T ) = F−1 (T ◦ K −1 ), −1 ˆ G−1 K (U) = b , b = F (U ◦ K).

(20)

∗

The proof is described in the Appendix. This theorem indicates that the CIRF satisfies the desirable property (ii-a) and (ii-b) described in Sect. 2.1. Furthermore, it is apparent that a randomly generated K provides no information about the feature images, i.e., the CIRF satisfies the property (ii-c). Let us consider the property (ii-d), i.e., the security of the CIRF against the server. The server obtains the filtered images T, U, but does not know the random filter K. What information about the original feature images a, b can the server get? For any a ∈ B∗ , b ∈ Bˆ ∗ , K ∈ K, and T, U ∈ T ∗ , the following equivalence holds: T = F K (a) T = F K (a) ⇔ . (21) R(T, U) = a b U = G K (b) From the theorem 1, the first equation provides no information about a. Thus, the only information the server can get is r = a b, i.e., the cyclic cross-correlation of a and b. In this meaning, we can say the CIRF satisfies the property (ii-d). Note, however, that the following equation may provide some information about a and b: r[u, v] = (a b)[u, v].

(22)

This is a quadratic simultaneous equations with 2wh unknown variables a[x, y], b[x, y] and wh equations. It is considered that solving this equation is sufficiently hard for large wh, but further discussion is necessary. This is one of our future works. 3.4 Other Properties Let us discuss the desirable properties of cancelable biometrics stated in Sect. 2.1 other than the security.

Pr(T 1 |T 2 ) = Pr(T 1 )

(23)

for any a ∈ B∗ . The proof is described in the Appendix. This theorem means that two cancelable templates T 1 , T 2 generated from the same biometric feature are statistically independent, thereby they have no correlation. 3.4.3 Revocability We assume T = F(a, K) as a cancelable template. If the cancelable template T (or K) is compromised, we can revoke it and reissue a new one T = F(a, K ) based on the same biometric feature a as follows. The client randomly choose a new random filter K ∈ K, calculate a differential filter ΔK = K ◦ K −1 ,

(24)

and sent ΔK to the server. The server calculate the new cancelable template as follows, T = = = =

T ◦ ΔK (F(a) ◦ K) ◦ (K ◦ K −1 ) F(a) ◦ K F(a, K ).

(25)

Note that ΔK does not leak any information about K, thereby has no effect on the security. This process does not require a user to input his/her biometrics afresh. Thus it is possible to execute revocation periodically without bothering users.


238

4.

Generating Cancelable Fingerprint Templates Based on the CIRF

In this section, we propose a method of generating cancelable fingerprint templates based on the CIRF and the chip matching algorithm. 4.1 Chip Matching Algorithm The chip matching [9] is a well-known algorithm for fingerprint verification. Figure 2 shows the outline of the algorithm. A captured image is preprocessed to a binary (white and black) image of W × W pixels, and the core (the center of the loop, whorl or arch) is detected for fingerprint registration. We implemented the preprocess including image enhancement using the directional Gabor filter, threshold binarization and shrinking. The focal point method was used to detect the core. Refer to [15] for details of the above processes. Then, in the enrollment stage, the minutiae (bifurcation points and ending points) are extracted. The coordinate of each minutia is represented as (xi , yi ) (i = 1, 2, · · · , N) where N is the number of extracted minutiae and the origin (0, 0) is the core point. Next, a chip image ai of size wC × wC centered at each minutiae is extracted from the binary image. The set of minutiae coordinates and chip images T = {(xi , yi , ai ) | i = 1, 2, · · · , N} is enrolled as a template. In the authentication stage, for each minutiae representation (xi , yi , ai ) ∈ T , find the local area of size wC × wC centered at (xi + u, yi + v) (u, v = 0, ±1, ±2, · · · ) most similar to the chip image ai , from the search area of size wS × wS (wS > wC ) centered at (xi , yi ) in the binary image. Here, the origin (0, 0) is defined as the core point in the binary image for authentication. Note that there is no need for minutiae extraction or minutiae alignment during the authentication process.

Fig. 2

Chip matching algorithm.

The similarity measure between the chip image ai and the local area centered at (xi +u, yi +v) is defined as the Hamming distance Di (u, v), i.e. the number of pixels of different color (i.e. white-black or black-white). If the following inequality holds for a predetermined threshold τ, then the chip image ai is counted as a matched chip. min Di (u, v) ≤ τ, (Δ = (wS − wC )/2).

−Δ≤u,v≤Δ

(26)

Finally, the similarity score is calculated as n/N where n is the number of matched chips. It will be shown in the next section that the Hamming distance Di (u, v) can be calculated from the cross-correlation formula. This makes it possible to apply the CIRF to the chip matching algorithm. 4.2 Generating Cancelable Templates for Chip Matching We describe how to generate cancelable fingerprint templates for the chip matching, and then show the whole system of cancelable biometrics. In what follows, all calculations are performed in the Galois field Z p , where p is a prime number such that wS |p − 1. We represent the elements of Z p as p−1 {− p−1 2 , · · · , −1, 0, 1, · · · , 2 }. To calculate the Hamming distance from the cross-correlation, we encode each pixel of a binary image to 1 (white) or −1 (black). Our cancelable template consists of filtered chip images individually transformed using the CIRF. Figure 3 describes the outline of generating one filtered chip image using the CIRF. 4.2.1 Transformation Process for Enrollment In the enrollment stage, each chip image ai is transformed as follows. (i) ai is extended to the same size as the search area (wS × wS ) by padding the extra area with 0. This process is necessary to calculate linear cross-correlation from cyclic cross-correlation. Let a˜ i be the extended

Fig. 3

Chip matching based on the CIRF.


239

chip image. (ii) Let a˜ ∗i = a˜ i . If F(ã∗i )[X, Y] = 0 for some (X, Y) (0 ≤ X, Y ≤ wS − 1), i.e., if a˜ ∗i is not a member of B∗ , then let a˜ i [x, y] ((x, y) (x0 , y0 )) ∗ (27) a˜ i [x, y] = a˜ i [x, y] + 1 ((x, y) = (x0 , y0 )) for randomly chosen (x0 , y0 ) (0 ≤ x0 , y0 ≤ wS − 1). Repeat this step until a˜ ∗i ∈ B∗ is found. This process is necessary to restrict the feature space to B∗ , and make the CIRF have perfect secrecy. Let ia = a˜ ∗i − a˜ i . (iii) The random filter Ki ∈ K is generated randomly for each chip image ai independently. (iv) a˜ ∗i ∈ B∗ is transformed to a filtered chip image T i by the CIRF with the random filter Ki . Ti =

F(ã∗i , Ki ).

(28)

4.2.2 Transformation Process for Authentication The transformation process for each image of the search area bi in the authentication stage is as follows. (i) The search area bi (of size wS × wS ) for ai is clipped from the binary image. Let b∗i = bi . (ii) If F(bˆ ∗i )[X, Y] = 0 for some (X, Y) (0 ≤ X, Y ≤ wS − 1), i.e., if b∗i is not a member of B∗ , then let bi [x, y] ((x, y) (x0 , y0 )) ∗ (29) bi [x, y] = bi [x, y] + 1 ((x, y) = (x0 , y0 )) for randomly chosen (x0 , y0 ) (0 ≤ x0 , y0 ≤ wS − 1). Repeat this step until b∗i ∈ Bˆ ∗ is found. Let ib = b∗i −bi . (iii) b∗i ∈ Bˆ ∗ is transformed to a filtered chip image Ui by the CIRF. Ui = G(b∗i , Ki ).

(30)

Let us consider the repeat count m in the above step (ii). If F(a)[u, v] is randomly distributed in Z p , as is often the case, the success probability per trial is w2 1 S q= 1− , p

(31)

and the probability distribution of m is a geometric distribution Pr(m) = q(1 − q)m−1 .

(32)

Thus the expected number of the repeat count is E[m] = 1/q.

(33)

By substituting p = 337, wS = 28, which are the experimental parameter, we get E[m] = 10.3. The experimental average of the repeat number was 10.7, which is about the same as the expected number.

4.2.3 Matching Process The matching process for each chip image is performed by calculating the cyclic cross-correlation of a˜ ∗i and b∗i as follows: ri∗ = = = =

R(T i , Ui )

a˜ ∗i b∗i (ãi + ia ) (bi + ib ) r i + i ,

(34)

ri = a˜ i bi , i = a˜ i ib + ia bi + ia ib .

(35)

where

ri [u, v] is the summation of products of corresponding pixels of bi and cyclically shifted version of a˜ i . Note that each product is equal to 1 when the corresponding pixels are the same color (white-white or black-black), and −1 when different color (white-black or black-white). As the extended region of a˜ i padded with zeros does not contribute to the summation, the cyclic-correlation ri [u, v] is equal to the linear correlation within the following region. −Δ ≤ u, v ≤ Δ (Δ = (wS − wC )/2).

(36)

Thus, within the region of Eq. (36), ri [u, v] can be expressed using the Hamming distance Di (u, v) as follows, ri [u, v] = #{pixels of the same color} −#{pixels of different colors} = (wC 2 − Di (−u, −v)) − Di (−u, −v) = wC 2 − 2 · Di (−u, −v).

(37)

Therefore, Eq. (26) is equivalent to the following inequality. wC 2 − ri [−u, −v] ≤ τ. −Δ≤u,v≤Δ 2 min

(38)

Next, let us evaluate the error term i . Since ia , ib have only one pixel of non-zero value “1,” the infinity norm ||||∞ = maxu,v [u, v] is expected to be small relative to ||ri ||∞ . In fact, the following inequality holds: ||||∞ = ≤ = =

||ãi ib + ia bi + ia ib ||∞ ||ãi ib ||∞ + ||ia bi ||∞ + ||ia ib ||∞ ||ãi ||∞ + ||bi ||∞ + 1 1 + 1 + 1 = 3.

(39)

Thus, it will be reasonable to use the following criteria instead of (38). wC 2 − ri∗ [−u, −v] ≤ τ. −Δ≤u,v≤Δ 2 min

(40)

Of course the accuracy may be affected by the error term i . However, the effect is not so large, as we show experimentally in the next section.


240

Fig. 4

Proposed system of fingerprint authentication using cancelable templates. (basic version)

4.3 Fingerprint Authentication System Using Cancelable Templates By applying the above process to all chip images, the cancelable biometrics for fingerprint authentication can be established. However, the minutia coordinates are necessary to determine the search areas in the authentication stage. For that purpose we store the coordinates (xi , yi ) together with the random filters Ki as a part of the parameter. Figure 4 shows the whole system with our cancelable fingerprint templates. We refer to the system as “basic version.” The detail of enrollment, authentication and revocation processes of the basic version are described in the preliminary versions of this paper [16]. Let us consider the security and privacy regarding the minutiae coordinates included in the parameter P of the basic version. Note that even an attacker who obtained the parameter P of a genuine user can not easily impersonate the user because the decision of acceptance is not made based on the correspondence of minutiae location, but on the similarity of local images. However, the information of minutiae location itself may be considered as privacy information, since it can be used for personal identification to some extent. Thus it is preferable to hide the minutiae location in the parameter P. For this end, we add some chaff points to the parameter as shown in Fig. 5. Specifically, in the enrollment stage, we locate Nc chaff points randomly other than Nm minutiae. We refer to this system as “minutiae hiding version.” In the followings, we describe the detail of the enrollment, authentication and revocation processes of the minutiae hiding version.

Fig. 5

Adding chaffs.

4.3.1 Enrollment Process The enrollment process is as follows. (E1) The client preprocess the captured fingerprint image, and extract the core and the minutiae location. (E2) For each minutiae coordinates ( x¯1 , y¯ 1 ), · · · , ( x¯ Nm , y¯ Nm ),

(41)

where the origin (0, 0) is the core position and Nm is the number of minutiae, the client clips a chip image ai from the processed binary image. (E3) The client generates Nc > 0 chaff points ( x¯ Nm +1 , y¯ Nm +1 ), · · · , ( x¯ Nm +Nc , y¯ Nm +Nc )

(42)

randomly within the area of a fingerprint image. (E3) The client generates N random filters K¯ 1 , · · · , K¯ N , where N = Nm + Nc . Let P¯ i = ( x¯i , y¯ i , K¯ i ). (E4) The client transforms each chip image ai (i = 1, · · · , Nm ) to a filtered chip image T¯ i by using the random filter K¯ i . Let T¯ i = φ for i = Nm + 1, · · · , N where φ denotes a symbol of a chaff.


241

(E5) The client chooses a permutation σ ∈ S N randomly, where S N is the symmetric group of degree N.

hiding version of our methods have completely the same accuracy.

(E6) Let the cancelable template T be the ordered list of filtered chip images

4.3.3 Revocation Process

T = (T 1 , · · · , T N ) = (T¯ σ(1) , · · · , T¯ σ(N) ),

The revocation process is as follows. (43)

and let the parameter P be the ordered list of pairs of the minutiae coordinates and the random filter as a parameter P = (P1 , · · · , PN ) = (P¯ σ(1) , · · · , P¯ σ(N) ).

(R1) The client Choose a permutation σ ∈ S N randomly. (R2) The client generate a new random filter Ki for each i = 1, 2, · · · , N. (R3) The client calculates the differential filter ΔKi as follows, ΔKi = Ki ◦ Ki−1

(44)

(46)

(R4) The client sends σ and {ΔK1 , · · · , ΔKN } to the server.

This step (random permutation) is necessary to keep the attacker from guessing the true minutiae coordinates from the order of coordinates recorded in the parameter P.

(R5) The server re-transforms each T i to a new one T i as follows,

(E7) The client sends the cancelable template T to the server.

(47)

(E8) The server enrolls the cancelable template T .

T¯ i = T i ◦ ΔKi = F(ai , Ki ), T i = T¯ σ (i) .

(R6) The server replaces the cancelable template T with T .

(E9) The client stores the parameter P.

T = (T 1 , · · · , T N )

4.3.2 Authentication Process

(R7) The client replaces the parameter P with P as follows,

The authentication process is as follows.

P = (P1 , · · · , PN ),

(A1) The client preprocesses the captured fingerprint image, and extract the core position as the origin (0, 0). (A2) For each Pi = (xi , yi , Ki ) recorded in the parameter P, the client clips a local image bi of the search area centered at (xi , yi ) from the processed binary image. Note that bσ−1 ( j) ( j = 1, · · · , Nm ) correspond to the true minutiae. (A3) The client transforms each clipped image bi to Ui by using the random filter Ki . (A4) The client sends the ordered list of filtered images U = (U1 , U2 , · · · , U N )

(48)

(49)

where Pi = (xσ (i) , yσ (i) , Kσ (i) ). Note that during the revocation process, the set of coordinates {(x1 , y1 ), · · · , (xN , yN )} in the parameter P are kept unchanged, although the order is permuted. This is necessary because if only chaff points change randomly, an attacker who obtained both the old parameter P and the new parameter P can distinguish the true minutiae from the chaff points. In this manner, we can keep the minutiae information secret as long as the template T and the parameter P do not leak out at the same time.

(45)

to the server. (A5) The server calculates the cross-correlation ri∗ = R(T i , Ui ) = a˜ ∗i b∗i for each filtered chip image T i φ, and decide whether it is matched or not according to Eq. (40). (A6) Let n be the number of matched chip images. If the similarity score s = n/Nm exceeds an authentication threshold t, the user is accepted. Note that the server performs the chip matching process only for the chip images of the true minutiae, whereas the client does not know which coordinates (xi , yi ) are the true minutiae. Thus, the accuracy is not affected by the number of chaff points Nc , and the basic version and the minutiae

5.

Evaluation

In this section, we experimentally evaluate the accuracy of the proposed method, and discuss the security, diversity and revocability. 5.1 Accuracy Evaluation We evaluated the accuracy of fingerprint verification using the proposed cancelable templates, and compared with the conventional chip matching. We used 181 pairs of fingerprint images captured through a capacitive sensor (Veridicom 5th Sense† ) to evaluate the FAR and FRR and generate †

5th Sense is a trademarkof Veridicom International Inc.


242 Table 1

Number of candidate sets of minutiae.

#Chaffs

Fig. 6 DET curves evaluated using cancelable templates and conventional templates.

#Candidate Sets

Size of P

0

1

16 KB

10

1.3 × 107

25 KB

20

3.4

× 1010

34 KB

40

4.5

× 1014

51 KB

80

2.1 × 1019

86 KB

tered chip images T 1 , · · · , T N transformed using the CIRF with different random filters, it is impossible to extract any information of the original chip images from T . 5.2.2 (ii-b): From the Authentication Data

the DET (decision error tradeoff) curve. Experimental parameters are set as follows: W = 176, wC = 12, wS = 28, τ = 44, p = 337. To measure the effect that the proposed cancelable transform has on the accuracy of fingerprint verification, a chip image for enrollment and the corresponding clipped image for authentication are transformed using the same parameter, as described in Sect. 4.2. Note that this means the FAR is evaluated in the scenario that an attacker who tries to impersonate a genuine user finds the parameter of the target user and use it to transform his own fingerprint for authentication. Figure 6 shows the DET curves evaluated using conventional templates and proposed cancelable templates. Note that since the basic version and the minutiae hiding version have completely the same accuracy, there is only one DET curve of the proposed method. As shown in the figure, the DET curve of the proposed method has almost the same accuracy as of the conventional chip matching algorithm. 5.2 Security Discussion Let us discuss the security of the proposed method for generating cancelable fingerprint templates. As described in Sect. 2.1, it should be impossible or computationally hard to obtain the original biometric feature from (ii-a) the cancelable template, (ii-b) from the authentication data, (ii-c) from the parameter, and furthermore, (ii-d) it is desirable that the server cannot obtain extra information other than r(a, b), where r is any relation between a, b for similarity evaluation.

Since our authentication data U consists only of filtered images U1 , · · · , U N transformed using the CIRF with different random filters, it is impossible to extract any information of the original chip images from U. 5.2.3 (ii-c): From the Parameter Let us consider the security compromise when the parameter leaked out from the client. A parameter of the basic version consists of random filters and minutiae coordinates. The random filters do not include any information about the original fingerprint. However, the information of minutiae location may be considered as privacy information, as it can be used for personal identification to some extent. The minutiae hiding version deals with this issue by adding chaff points besides minutiae. A parameter of this version includes coordinates of Nm minutiae and Nc chaff points. Even if the attacker obtaining the parameter knows Nm , the number of candidate sets of minutiae is: Nm +Nc C Nm

=

(Nm + Nc )! . Nm !Nc !

(50)

This number becomes larger and larger as the number of chaffs Nc increases. However, as Nc gets larger, size of the parameter and authentication data increase. We calculated the above formula and the size of parameter P by substituting Nm = 18 (experimental average number of minutiae) and Nc = 0, 10, 20, 40, 80, showing the result in Table 1. The size of the authentication data U is almost the same as the size of P. Further discussion about how many chaffs are necessary and sufficient to hide minutiae information is a future work.

5.2.1 (ii-a): From the Cancelable Template 5.2.4 (ii-d): Security Against the Server The proposed method to generate cancelable fingerprint templates is based on the CIRF. As proved in Sect. 3, it is proved that the CIRF has perfect secrecy, i.e., it is impossible to extract any information about the original image from the transformed one. Because our cancelable template T consists only of fil-

As discussed in Sect. 3, the only information the server can get from T i = F Ki (ã∗i ), Ui = G Ki (b∗i ) is ri∗ = a˜ ∗i b∗i . In this meaning, we can say the proposed method satisfies the property (ii-d). However, as we mentioned in Sect. 3.3, further discussion about possibility of recovering ai or bi from


243

ri∗ is necessary. 5.3 Diversity and Revocability As we proved, the CIRF has diversity, i.e., there is no correlation between two filtered image T 1 = F(a, K 1 ) and T 2 = F(a, K 2 ) generated from the same biometric feature (theorem 2). Since our cancelable template T consists only of filtered chip images T 1 , · · · , T N transformed using the CIRF, it is apparent that T also has diversity. As for revocability, we already showed how to revoke the cancelable template in Sect. 4.2 (ref. step (R1)–(R7)). 6.

Conclusions

In this paper, we proposed a novel and fundamental algorithm for cancelable biometrics called correlation-invariant random filtering (CIRF), which can be widely applied to any kind of biometrics whose similarity is measured via crosscorrelation between features. We proved that the CIRF have the perfect secrecy, i.e., the transformed feature does not leak any information about the original feature. Then we constructed a method for generating cancelable fingerprint templates based on the chip matching algorithm and the CIRF. Experimental evaluation shows that the proposed method has almost the same accuracy as the conventional fingerprint verification based on the chip matching algorithm. By applying our method, we can realize a secure and privacy-enhanced system of remote biometric authentication. References [1] A.K. Jain, K. Nandakumar, and A. Nagar, “Biometric template security,” EURASIP J. Advances in Signal Processing, 2008. [2] N.K. Ratha, J.H. Connell, and R.M. Bolle, “Enhancing security and privacy in biometric-based authentication systems,” IBM System J., vol.40, no.3, 2001. [3] U. Uludag, S. Pankanti, S. Prabhakar, and A. Jain, “Biometric cryptosystems: Issues and challenges,” Proc. IEEE, vol.92, no.6, pp.948– 960, 2004. [4] K. Nandakumar, A.K. Jain, and S. Pankanti, “Fingerprint-based fuzzy vault: Implementation and performance,” IEEE Trans. Information Forensics and Security, vol.2, no.4, pp.744–757, 2007. [5] M. Braithwaite, U.C. von Seelen, J. Cambier, J. Daugman, R. Glass, R. Moore, and I. Scott, “Application-specific biometric templates,” AutoID02, pp.167–171, 2002. [6] M. Savvides, B. Vijayakumar, and P.K. Khosla, “Cancelable biometric filters for face recognition,” Proc. ICPR2004, pp.922–925, 2004. [7] N.K. Ratha, S. Chikkerur, J.H. Connell, and R.M. Bolle, “Generating cancelable fingerprint templates,” IEEE Trans. Pattern. Anal. Mach. Intell., vol.29, no.4, pp.561–572, 2007. [8] M.A. Dabbah, W.L. Woo, and S.S. Dlay, “Secure authentication for face recognition,” Proc. CIISP2007, 2007. [9] M. Mimura, S. Ishida, and Y. Seto, “Development of personal authentication techniques using fingerprint matching embedded in smart cards,” IEICE Trans. Inf. & Syst., vol.E84-D, no.7, pp.812– 818, July 2001. [10] F. Quan, S. Fei, C. Anni, and Z. Feifei, “Cracking cancelable fingerprint template of Ratha,” ISCSCT’08, pp.572–575, 2008. [11] C. Lee, J. Choi, K. Toh, S. Lee, and J. Kim, “Alignment-free cancelable fingerprint templates based on local minutiae information,”

[12]

[13] [14] [15] [16]

IEEE Trans. Syst. Man. Cybern. B, Cybern., vol.37, no.4, pp.980– 992, 2007. S. Chikkerur, N.K. Ratha, H. Connell, and R.M. Bolle, “Generating registration-free cancelable fingerprint templates,” Proc. BTAS08, pp.1–6, 2008. R.C. Agarwal and C.S. Burrus, “Number theoretic transforms to implement fast digital convolution,” Proc. IEEE, pp.550–560, 1975. A. Buchman, Introduction to Cryptography, second ed., Springer, 2004. D. Maltoni, D. Maio, A.K. Jain, and S. Prabhakar, Handbook of Fingerprint Recognition, ch. 3, Springer, 2003. K. Takahashi and S. Hirata, “Generating provably secure cancelable fingerprint templates based on correlation-invariant random filtering,” Proc. BTAS2009, 2009.

Appendix:

Proof of Theorems

A.1 Proof of Theorem 1 As for the perfect secrecy, the following lemma holds. Lemma 3. Let |P| ≤ |K| = |C| < ∞. A cryptosystem (P, C, K, E, D) has perfect secrecy if the probability distribution on the key space is the uniform distribution and if for any plaintext m ∈ P and any ciphertext c ∈ C there is exactly one key k ∈ K with Ek (m) = c. Proof. For a plaintext m ∈ P, let us consider a function em : K → C such that em (k) = Ek (m). By assumption, em is an one-to-one mapping. Thus if k is uniformly distributed on K, then c = em (k) is also uniformly distributed on C, i.e., Pr(c|m) = 1/|C|, where |C| is the cardinality of C. By Bayes’ theorem, Pr(c|m)Pr(m) Pr(c|m )Pr(m ) (1/|C|) · Pr(m) = m ∈P (1/|C|) · Pr(m ) Pr(m) = m ∈P Pr(m ) = Pr(m).

Pr(m|c) =

m ∈P

Using lemma 3, we can prove the Theorem 1.

(A· 1)

Proof of Theorem 1. Since F is bijective, |B∗ | = |F(B∗ )| = ˆ ∈ Bˆ ∗ }| = |(Z∗p )wh |. Therefore, |(Z∗p )wh | and |Bˆ ∗ | = |{F(b)|b |B∗ | = |Bˆ ∗ | = |T ∗ | = |K|. It can be easily shown that for any a ∈ B∗ and any T ∈ T ∗ , there is exactly one key K ∈ K with F K (a) = T : F K (a) = T ⇔ F(a) ◦ K = T ⇔ K = F(a)−1 ◦ T.

(A· 2)

Similarly, for any b ∈ Bˆ ∗ and any U ∈ T ∗ , there is exactly one key Q ∈ K with G Q (b) = U: ˆ ◦ Q−1 = U G Q (b) = U ⇔ F(b) ˆ ◦ U −1 . ⇔ Q = F(b)

(A· 3)


244

Shinji Hirata received Bachelor and Master degree from the Dept. Basic Science, The University of Tokyo in 2000 and 2002. He has been engaged in research on biometrics and information security at Systems Development Lab, Hitachi, Ltd. since 2002.

A.2 Proof of Theorem 2 Let us focus on the following decomposition: Pr(T i ) = Pr(T i |a)Pr(a) (i = 1, 2), a∈B∗

Pr(T 1 , T 2 ) =

Pr(T 1 , T 2 |a)Pr(a).

(A· 4)

a∈B∗

Since for a fixed a ∈ B∗ , there is a one-to-one mapping from K i to T i (i.e., T i = F(a) ◦ K i ), Pr(T i |a) = Pr(K i |a), Pr(T 1 , T 2 |a) = Pr(K 1 , K 2 |a).

(A· 5)

However, the occurrence of K 1 , K 2 is independent of each other and of a, thereby Pr(K i |a) = Pr(K i ) = 1/|K|, Pr(K 1 , K 2 |a) = Pr(K 1 )Pr(K 2 ) = 1/|K|2 .

(A· 6)

where |K| is the cardinality of K. From Eqs. (A· 4)–(A· 6), we have (1/|K|)Pr(a), Pr(T i ) = a∈B∗

= 1/|K|, and Pr(T 1 , T 2 ) =

(A· 7)

(1/|K|2 )Pr(a),

a∈B∗

= 1/|K|2 .

(A· 8)

From Eqs. (A· 7), (A· 8), Pr(T 1 , T 2 ) 1/|K|2 = 1/|K| Pr(T 2 ) = 1/|K| = Pr(T 1 ).

Pr(T 1 |T 2 ) =

(A· 9)

Kenta Takahashi is a researcher of the Systems Development Laboratory, Hitachi, Ltd. He received the B.S. degree and the M.S. degree from the University of Tokyo in 1998 and 2000. He joined Hitachi, Ltd. in 2000. For 10 years he has worked on research and development of biometric authentication systems. He is now a doctoral candidate in the Graduate School of Information Science and Technology, The University of Tokyo. He received the best paper award from the Information Processing Society of Japan (IPSJ) in 2009. He is a member of IPSJ and IEEE.