Enhanced Multi-line Code for Minutiae-Based Fingerprint Template ...

2

Enhanced Multi-line Code for Minutiae-Based Fingerprint Template Protection

3

Wei Jing Wonga , Andrew B. J. Teohb , M. L. Dennis Wonga,1,∗, Yau Hee Khoa

1

4

a Faculty

of Engineering, Computing and Science, Swinburne University of Technology (Sarawak Campus), 93350 Kuching, Malaysia. b Electrical and Electronic Engineering, College of Engineering, Yonsei University, Seoul, South Korea.

5 6

7

Abstract In this paper, we propose a cancellable fingerprint template technique based on our previous work on multi-line code (MLC) (Wong et al., 2012). The modification and improvement focuses on the change of MLC values and the generation of binary MLC. In addition, an enhanced similarity measure is also proposed to compensate the loss in accuracy for binary MLC, called the dynamically weighted integrated Dice (DWID) similarity. Comprehensive experiments on three FVC datasets are carried out to compare the performance among different settings of MLC. The lowest equal error rate (EER) obtained in the stolen-key scenario is 1.93% for FVC2002 DB1. Besides, analysis on the revocability, non-reversibility and template size of the enhanced MLC have been presented.

8

Keywords:

9

Cancellable Fingerprint Template, Multi-line Code, Dynamically Weighted Integrated Dice,

10

Stolen-Key Scenario

11

1. Introduction

12

Biometric authentication systems offer a great range of advantages over knowledge-based

13

and token-based authentication systems, such as passwords, user IDs, identification cards and ∗

Corresponding author Email addresses: [email protected] (Wei Jing Wong), [email protected] (Andrew B. J. Teoh), [email protected] (M. L. Dennis Wong), [email protected] (Yau Hee Kho) 1 Tel: +6082-260966 Preprint submitted to Pattern Recognition Letters

January 31, 2013

14

PINs. Biometric authentication systems are automated authentication systems which make use

15

of distinctive anatomical and behavioural characteristics or identifiers (e.g., fingerprints, hand

16

geometry, face, iris, voice, signature) to identify a person. However, conventional biometric

17

databases store the original biometric features, once compromised, suffer from permanent pri-

18

vacy and security issue. Therefore, biometric template protection schemes are required to shield

19

the original biometric information. Cancellable biometrics is one of the promising candidates

20

of biometric template protection technique. It utilizes a systematic transformation of the derived

21

biometric features to protect the original biometric information. If a cancellable biometric tem-

22

plate is compromised, the transformation characteristics can be changed and the user’s biometrics

23

is mapped onto a new template, which replaces the compromised template. The three principle

24

objectives of cancellable biometrics (Maltoni et al., 2009) are:

25

(i) Non-reversibility: it should be computationally infeasible to recover the original biometric

26

data from the biometric template so that the biometric identifier can never be reconstructed

27

even when the template is stolen.

28

(ii) Accuracy: the accuracy of fingerprint recognition should not deteriorate after transforma-

29

tion. This determines the overall performance of the system and prevents false authentica-

30

tion.

31

(iii) Diversity: no same biometric template can be used in various applications. It is also refer-

32

ring to revocability of the biometric template, where new template can be reissued in the

33

event of compromise.

34

This paper extends our previous work (Wong et al., 2012) on multi-line code (MLC) with the

35

intention to boost the performance of MLC concerning accuracy, security and storage size of the

36

template. In a nutshell, we modify the original MLC in the following aspects:

37

38

(i) Change of MLC from number of minutiae in the region of interest to the mean of distances from these minutiae to the reference minutia (Pr ).

39

(ii) Conversion of the real number representation to a binary code.

40

(iii) Application of a new similarity measure in the MLC matching. 2

41

2. Related Work

42

Two main categories of cancellable biometrics include non-invertible transforms and biomet-

43

ric salting (Jain et al., 2008). The former approach applies non-invertible transform function to

44

the biometric data, either in signal level or feature level to make it unable to reconstruct the orig-

45

inal biometric data even if template and transformation method are compromised. In the context

46

of cancellable fingerprint, such approach usually implies a loss in accuracy due to the complexity

47

in aligning the fingerprints in the transformed domain. Hence, alignment-free methods have be-

48

come a trend in the research area. On the other hand, biometric salting applies transforms which

49

are invertible (Rathgeb and Uhl, 2011). In case of user-dependent transforms, a user-specific key

50

has to be presented at each transformation. Even though imposters are very likely to recover the

51

biometric feature from the biometric template, the biometric feature is extracted in such a way

52

that the original biometric pattern cannot be reconstructed.

53

Both non-invertible transforms and biometric salting can produce either string-based or fea-

54

ture vector-based cancellable template depending on the method used. In a nutshell, biometric

55

salting may maintain the recognition accuracy of biometric authentication systems while non-

56

invertible transforms yield higher security. In this section, we investigate several instances of

57

non-invertible transforms and biometric salting in the context of cancellable fingerprint template.

58

2.1. Non-invertible Transform

59

Ang et al. (2005) presented a geometric transformation based on the reflection of minutiae.

60

In this approach, a line passing through the core point is drawn, and the minutiae below the

61

line are reflected while the minutiae above remain. The gradient of the line is determined by a

62

user-specific key ranges from 0 to π. Confusion occurs when dealing with fingerprints with no

63

core point (arch) and with more than one core points (whorl). Also, since only one side of the

64

minutiae are reflected, the final template still retains a part of the original minutiae set and thus

65

weakens the security.

66

Ratha et al. (2007) proposed three kinds of non-invertible transforms including Cartesian

67

transform, polar transform and functional transform. Cartesian transform and polar transform di3

68

vide the fingerprint space into cells of equal size and re-arrange the minutiae according to the cell

69

they belong to on a many-to-one mapping basis. Functional transform applies a spatial distortion

70

to the fingerprint space using Gaussian kernels so that the position of the minutiae are translated

71

and rotated in the same way. However, Quan et al. (2008) pointed out that these transforms are

72

vulnerable to attacks as most of the transformed minutiae are possible to be reversed to their

73

original locations.

74

Tulyakov et al. (2005, 2007) used symmetric hash functions to convert the minutiae into hash

75

values. In this algorithm, a minutia is represented by a complex number ci . For each minutia

76

in the fingerprint, a triplet (ci , c j , ck ) is formed with its two nearest neighbouring minutiae and

77

is hashed using predefined hash functions. A secret key is introduced to seed the choices and

78

order of hash functions for different fingerprints. This work was extended (Kumar et al., 2010)

79

by combining more than one hash functions during implementation to increase the security of

80

the template. Also, k-plets of minutiae were used instead of triplets, where k can be more than

81

three. Although it is impossible to reverse the hashed data, a large number of high power hash

82

functions are needed to ensure the revocability of the template, which leads to high complexity.

83

For aforementioned approaches, matching of fingerprint templates requires pre-alignment of

84

the minutiae. This increases the computational time during fingerprint matching and thus re-

85

duces its applicability in real-time authentication systems. One of the solutions of eliminating

86

minutiae alignment is to use invariant features of minutiae in the generation of fingerprint tem-

87

plate as proposed by Lee et al. (2007). These features are extracted following the same fashion

88

used by Tico and Kuosmanen (2003). Together with a user-specific PIN, the invariant features

89

are used to parametrize two changing functions which contribute to the transformation of the

90

minutiae, namely the distance-changing function and the orientation-changing function. An-

91

other cancellable template utilizing invariant features based on triplets was proposed by Farooq

92

et al. (2007a). The features measured are the length of the three sides, the orientations of the

93

three vertex minutiae and the height of the longest side of a triplet. The template is a binary

94

string of quantized feature values, so it requires less database storage.

95

Recently, Wang and Hu (2012) proposed an alignment-free cancellable fingerprint template 4

96

based on a densely infinite-to-one mapping approach. In this method, the invariant features of

97

every minutiae pair are quantized and converted the generated binary string into a complex vector

98

by using discrete Fourier transform. A randomly generated parametric matrix is then blended

99

with the complex vector to obtain the final template. This approach excels in security, even when

100

the template and the parametric key are stolen.

101

A novel bit-string representation of fingerprint template was introduced by Lee and Kim

102

(2010), in which each minutia is described by a three dimensional array. The width and height of

103

the three dimensional array is the x-y plane of the fingerprint image, whereas the depth represents

104

the orientation of minutiae. The array is divided into cells of equal size, and the numbers of

105

minutiae in the cells form the final bit-string. It not only eases the matching of templates, but

106

also provides high revocability by using simple permutation. Other string-based cancellable

107

fingerprint templates include minutiae pair representation (Jin et al., 2010), polar-based 3-tuple

108

representation (Jin et al., 2011) and projection-based line vector (Ahmad et al., 2011).

109

One of the state-of-the-art fingerprint template representations is called the minutiae cylinder-

110

code (MCC) (Cappelli et al., 2010). It forms a cylinder around a minutia and the cylinder is

111

tessellated in the similar manner as presented by Lee and Kim (2010). Instead of counting the

112

number of minutiae in the cells, MCC considers all minutiae around the cell within a certain

113

range. The contribution of each minutia towards the cell value is regulated by its positional and

114

orientation distance from the centre of the cell. Such approach uses the basis of fixed radius-based

115

minutia descriptor without neglecting the area outside but nearby the perimeter. The relaxation

116

approach helps to improve the recognition rate but it increases the storage requirement and com-

117

putational time. Later, Ferrara et al. (2012) presented the protected MCC (p-MCC) as a template

118

protection scheme to enhance the security of MCC.

119

2.2. Biometric Salting

120

Fingerprint salting is also called BioHashing (Teoh et al., 2004, 2008). Other than Finger-

121

Code proposed by Jain et al. (2000), BioHashing pioneers in correlation-based biometric match-

122

ing schemes. It is a two-factor transform that employs the wavelet Fourier-Mellin transform

123

(WFMT) features of fingerprints and a user-specific tokenized key. User-dependent multi-state 5

124

discretization (Teoh et al., 2010) was used in the generation of binary bit-string to improve the

125

performance of BioHashing specifically for stolen-token scenario. As the security of biometric

126

salting lies with the secret key, once both the template and the key are compromised simultane-

127

ously, the protected templates become reversible. In addition, Yang et al. (2010) has suggested

128

dynamic random projection to enhance the security of the conventional random projection used

129

by BioHashing. The idea is to construct a random matrix dynamically, depending on the biomet-

130

ric feature vector itself.

131

By combining the concept of BioHashing (Teoh et al., 2004, 2008) and FingerCode (Jain

132

et al., 2000), Belgeuchi et al. (2010) presented a minutiae-based fingerprint salting scheme. The

133

proposed method extracts the FingerCode for every minutia and applies BioHashing on the Fin-

134

gerCode to produce a protected minutia template, named BioCode.

135

Another novel fingerprint salting approach was proposed by Takahashi and Hirata (2011).

136

The transformation utilizes chip matching algorithm (Mimura et al., 2001) based on correlation-

137

invariant random filtering (CIRF). It first extracts chip images centred at the minutiae from the

138

fingerprint image and transform these chip images using CIRF to generate the template. The

139

method stresses on the security and privacy of cancellable fingerprint template. The mathematical

140

properties of CIRF were further investigated by Takahashi (2009) to derive a new algorithm for

141

cancellable biometrics that establishes better security without affecting the accuracy.

142

3. Multi-line Code

143

In this section, we recapitulate the generation of multi-line code (MLC) (Wong et al., 2012)

144

for the benefits of the readers. MLC is a string-based minutia descriptor used for cancellable

145

fingerprint template. It describes a minutia by inspecting the minutiae distribution along multiple

146

lines of different orientation intersecting at the reference minutia itself. The generation of MLC

147

consists of two steps: MLC formulation and MLC permutation.

148

3.1. Formulation of MLC

149

150

Inspired by Lee’s algorithm (Lee and Kim, 2010) and MCC (Cappelli et al., 2010), the formulation of MLC inspects the fingerprint in three dimensional aspects which include the Cartesian 6

151

plane (x and y coordinates) and the orientation (θ). Taking a reference minutia, Pr (xr , yr , θr ) as

152

an instance, the procedures to create a MLC based on the reference minutia are as follows:

153

1) Divide the minutiae into different angular partitions according to the relative angle between

154

θr and the orientation of the neighbour minutia. As shown in Figure 1b, the depth of the

155

cylinders indicates the range of the angular partitions (∆ϕ) and the depth of the entire space

156

covers all the possible values of minutiae orientation, ranging from 0 to 2π.

157

2) Construct a straight line of length, l in the same direction as θr in every angular dimension

158

and take s sample points equally distributed along the line with distance, d in between one

159

another. .

160

3) Based on the location of the sample points marked in step 2, two semi-circle-shaped bit-wise

161

AND masks (with radius r) are applied on the minutiae map (which indicates the location

162

of all minutiae): one on the left side of the line and another on the right side of the line, to

163

obtain the number of minutiae in the region. This is demonstrated in Figure 1a where different

164

regions of semi-circles are distinguished by their shading.

165

166

4) The number of minutiae in every semi-circle is arranged sequentially according to different orientation to form a single-line code.

167

5) Repeat step 2 to step 4 for lines of different direction with equal angle in between and con-

168

catenate all the single-line codes to form a multi-line code. If we are using M lines to describe

169

the reference minutia, the directions of the lines are: θr , θr +

170

1a shows the graphical illustration of these lines when M = 3. Therefore, the MLC for a

171

minutia can be written as L = [a11 a12 ...a1n ...a1N ; a21 a22 ...a2n ...a2N ; ...; a M1 a M2 ...a Mn ...a MN ],

172

where N = 2 × ( dl + 1) ×

173

value, -1 if the sample point is located outside the boundaries of the fingerprint image.

2π ∆ϕ

π M , θr

+

2π M

... θr +

(M−1)π M .

Figure

is the length of a single-line code. amn is assigned an invalid

174

6) Repeat step 1 to step 5 for the rest of the minutiae extracted from the fingerprint to generate

175

the template of the fingerprint. The template is an array of multi-line codes, T = {L1 L2 ...LK },

176

where K is the total number of minutiae.

177

178

Since the lines are subject to the reference minutia, the position and direction of the lines change according to the coordinates and orientation of the reference minutia, so as the location of 7

179

the circles. Besides, the angular partition a minutia falls in is determined by its angular difference

180

with θr . Hence, MLC is invariant to translation and rotation.

181

The robustness of MLC against local non-linear distortion depends very much on the distance

182

between two adjacent circles (d) and their radius (r) which should be adjusted collaboratively so

183

that the circles overlap partially with one another. The idea is to create a buffer region (where two

184

or more circles overlap) to accommodate the close-to-border minutiae which may be excluded

185

from the circles they used to be in due to non-linear distortion. For instance if a close-to-border

186

minutia is slightly shifted, in the case of non-overlapping circles, the minutiae count of two adja-

187

cent regions can change from {α, β} to {α − 1, β + 1} (considering the worst case), introducing an

188

Euclidean distance of 2; whereas for overlapping-circles, the distance caused by such distortion

189

in the worst case is 1 (between {α, β} and {α − 1, β}). However, this only applies to minutiae near

190

certain parts of the circumference. The other parts, especially those orthogonal to the base line

191

are taken care of by increasing the number of lines (M) so that the circles may overlap each other

192

in all directions. The value of d, r and M used in this paper are 8, 25 and 3 respectively.

193

3.2. Permutation of MLC

194

In order to achieve revocability and diversity of the template, we introduce an external factor

195

that offers huge variety of transformations unto the generated multi-line code. In the previous

196

paper (Wong et al., 2012), we simply permute the code based on a user-specific secret key. The

197

secret key is a random number that seeds the permutation order of the MLC. It is important to

198

ensure that no two individuals or two applications of one individual can be assigned the same

199

number.

200

In addition, permutation of the MLC improves the performance of cancellable fingerprint

201

template. By introducing a unique “personality” to every fingerprint, it greatly reduces the false

202

acceptance rate (FAR) of the system. Figure 2 explains the realization of revocability and accu-

203

racy enhancement through MLC permutation.

204

4. MLC Enhancement Scheme

205

In this section, we propose two attempts towards enhancing the performance of MLC. 8

d l l

Pr

Pr

π/3

2π

οɔ

2r

2r

d

(a) Plane view.

(b) 3D view.

Figure 1: Illustration of MLC generation. Given that different marker of minutiae in (a) represents different orientation division that the minutia is in. If the sequence of the orientation division follows (blue filled circle, red unfilled circle, magenta filled square) order, the original minutiae count-based code generated based on the red solid line is Lθr = {0, 0, 0, 0, 0, 1, 0, 2, 0, 1, 1, 1, 3, 3, 2, 2, 0, 0; 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 3, 0, 0, 0, 0, 0, 0, 0; 0, 1, 0, 1, 0, 1, 3, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0}. In the new mean distance representation, the same line will = {0, 0, 0, 0, 0, 19.2, 0, 17.5, 0, 10.9, 23.1, 22.8, 19.7, 14.2, 16.6, 15, 0, 0; produce a real number code Lθr 0, 0, 0, 0, 0, 0, 0, 0, 16.3, 0, 20.1, 0, 0, 0, 0, 0, 0, 0; 0, 5.8, 0, 6.9, 0, 16.1, 17.2, 0, 14.5, 0, 0, 0, 0, 0, 0, 0, 0, 0}. Finally, the unpermuted binary version of the code generated using non-uniform quantization method discussed in Section 4.2.2 is Lθr = {000000000010001000111010101111110000; 000000000000000011001000000000000000; 000100100011100011000000000000000000}. The blue dashed line and green dotted line are lines in other directions when M = 3 and will each generate a different code to obtain the complete MLC describing Pr .

206

4.1. Minutiae Contribution Measure

207

In this paper, we present a different measure of minutiae contribution in the stage of MLC

208

formulation. Instead of taking the number of minutiae as the code of the region, we now generate

209

the code by computing the mean value of distances between these minutiae and the corresponding

210

sample points. Therefore, the MLC expression is now L = [ xˆ11 xˆ12 ... xˆ1n ... xˆ1N ; xˆ21 xˆ22 ... xˆ2n ... xˆ2N ;

211

...; xˆ M1 xˆ M2 ... xˆ Mn ... xˆ MN ], where xˆmn denotes the mean distance in each region. Figure 1 gives an

212

example of the line code generated based on the new scheme. 9

(a) Assume that a fingerprint is first enrolled with key 1. In the case of template database compromise, the original template can be made obsolete and replaced with a new one generated with a different secret key, key 2.

(b) Taking A and B as two multi-line codes generated from two distinct individual fingerprints. Matching A and B might result in a high score due to inter-class similarity. However, by permuting A and B with two unique secret keys, we can increase the distance between the two MLCs, and hence decrease the FAR during fingerprint matching.

Figure 2: Purposes of permuting multi-line code.

213

According to Farooq et al. (2007b), the accuracy of a biometric system can be increased by

214

adding more information to the protected biometric template. In other words, it is an alteration

215

in the trade-off between accuracy and security. Even though by using the mean distance, the

216

imposter will have no idea about the exact number of minutiae, it may leak the information about

217

the distribution of these minutiae within the region. In this case, the imposter needs less effort

218

to crack the location of the minutiae through brute-force attack. Detailed analysis of the security

219

of MLC is presented in Section 6.4. However, in return we gain accuracy by introducing higher

220

distinctiveness to MLC.

221

Furthermore, another drawback of using mean distance as the minutiae contribution measure

222

is that it is larger in size. Since the number of minutiae is always a whole number, it can be

223

stored as a short integer, which consumes only two bytes of storage memory. On the contrary,

224

the mean distance contains decimal point and requires four bytes of storage if it is stored in a

225

single-precision floating-point format. This doubles the storage requirement of MLC, and thus

226

leading to MLC binarization (Section 4.2) with the intention to complement the trade-off.

10

227

228

4.2. MLC Binarization MLC binarization converts the original mean distance value representation into binary codes.

229

This section discusses different approaches of quantizing MLC to obtain the final binary code.

230

4.2.1. 1-bit Binary Implementation

231

232

In 1-bit binary implementation, each number in MLC is converted into a 1-bit binary number (1 or 0). This is a rather simple thresholding process and can be formulated as:       0 if xˆ < τb ; bα =      1 otherwise.

(1)

233

where b represents the binarized value of xˆ, and τb represents the threshold value of the conver-

234

sion.

235

In addition, since a binary string can only contain logical 1 and logical 0, it is essential to

236

create another binary string, same length as the original real number string to store the invalid

237

bits (indicated by -1 in the real number representation).

238

4.2.2. k-bit Binary Implementation

239

In order to ensure that the performance of fingerprint recognition will not deteriorate af-

240

ter binarization, we increase the quantization bit-length to preserve more information about the

241

original real number MLC. Instead of using only 1 bit to represent the code, we can apply k-

242

bit binarization, where k ∈ {Z|k ≥ 2}. In this paper, we demonstrate the employment of 2-bit

243

binarization. Given that r = 25, the step size of a 2-bit uniform quantization is:

∆β−1 =

r = 6.25 2B

11

(2)

244

where B is the quantization bit-length. The binarized code can be expressed as:

bβ−1

               =             

[00] if cβ−1 = 0; [01] if cβ−1 = 1;

(3)

[11] if cβ−1 = 2; [10] if cβ−1 = 3.

245

xˆ ⌋ is the classification rule of quantization. We choose Gray code over natural where cβ−1 = ⌊ ∆β−1

246

binary code as the binary sequence of the code because it is designed in such a way that the

247

Hamming distances between two adjacent numbers are equal. However, problem arises when

248

adopting Dice similarity (Dice, 1945) from our previous paper (Wong et al., 2012) in the match-

249

ing of binary MLC. Since Dice similarity considers only the positive matches, any match in-

250

volving [00] will result in a zero similarity, which is undesirable. For instance, the similarities

251

between [00] and [01], and [01] and [11] are supposed to be identical, but instead, the calculated

252

Dice similarities of the number pairs are 0 and 0.67 correspondingly. Hence, we propose two

253

solutions to address the issue as described in the followings:

254

(i) One way to resolve the problem is by applying non-uniform quantization where [00] is only

255

associated with 0 in the real number representation while the numbers range in (0,25) are

256

uniformly distributed to the other three quantization levels. In this scenario, equation 2 is

257

modified into: ∆β−2 =

258

r 25 = 2B − 1 3

(4)

and the classification rule is:

cβ−2

      =    

0 xˆ ⌈ ∆β−2 ⌉

if xˆ = 0;

(5)

otherwise.

259

(ii) Another solution is to use a different similarity measure that is specifically designed for bi-

260

nary biometric template recognition and gives credits to both positive and negative matches.

261

This can solve the zero similarity problem concerning matchings with [00]. Examples of 12

262

such similarity or dissimilarity measures include Hamming distance, Faith similarity, Sokal

263

& Michener similarity and AZZOO similarity (Cha et al., 2005). This is further discussed

264

in Section 5.1.

265

5. Fingerprint Matching

266

5.1. MLC-to-MLC Matching

267

Given a MLC Le taken from the enrolled fingerprint template (T E = {L1 L2 ...LE }) and a MLC

268

Lq taken from the query fingerprint template (T Q = {L1 L2 ...LQ }), where E and Q is the total

269

number of minutiae in T E and T Q respectively. The similarity between Le and Lq signifies the

270

likelihood of Lq in T Q being a correspondence to Le in T E . If either Le or Lq contains more

271

than 50% of invalid code, the pair is marked unmatchable and is assigned a zero similarity. This

272

applies to all similarity measures discussed in this section. Otherwise, the similarity between

273

two MLCs is calculated as (Wong et al., 2012):

S Dice =

2|Le • Lq | |L2e | + |L2q |

(6)

274

where • denotes a element-wise multiplication and | · | calculates the sum of all elements. The

275

values of S Dice range from 0 to 1, of which 0 indicates a total mismatch between Le and Lq ,

276

whereas 1 indicates a perfect match between them.

277

In the context of binary MLC, we express the computation of similarity measure in Opera-

278

tional Taxanomic Units (OTUs): ρ1 = |Le ∧ Lq |, ρ2 = |L¯e ∧ Lq |, ρ3 = |Le ∧ L¯q | and ρ4 = |L¯e ∧ L¯q |,

279

where ∧ represents a bit-wise AND operation and L¯e and L¯q are the complements of Le and Lq

280

respectively. Therefore, equation (6) can be rewritten as:

S BinDice =

2ρ1 2ρ1 + ρ2 + ρ3

(7)

281

As suggested in Section 4.2, we need a more appropriate similarity measure to improve the

282

performance of k-bit binary MLCs. AZZOO similarity (Cha et al., 2005) has been proven to

283

outperform other measures in binary feature vector recognition. Unlike Dice similarity which 13

284

only gives credit to positive matches (ρ1 ), AZZOO similarity credits both positive and negative

285

matches (ρ4 ). The formula of weighted AZZOO (WAZZOO) which gives different weights to ρ1

286

and ρ4 , is given as: S WAZZOO = σ p ρ1 + σn ρ4

(8)

287

For the ease of direct comparison between two chosen similarity measures, WAZZOO similarity

288

is normalized so that the resulting score ranges from 0 to 1. The normalized WAZZOO (NWAZ-

289

ZOO) similarity is represented by:

S NWAZZOO =

290

291

σ p ρ1 + σn ρ4 σ p ρ1 + ρ2 + ρ3 + ρ4

(9)

Furthermore, we propose an enhanced similarity measure integrated from Dice similarity, called the dynamically weighted integrated Dice (DWID) similarity. The formula is derived as:

S DWID =

σm ρ1 σm ρ1 + σn (ρ2 + ρ3 )

(10)

292

Similar to Dice’s, DWID similarity ignores the negative matches. Nevertheless, DWID similarity

293

weighs ρ1 dynamically so that it is not credited linearly but exponentially. In order to achieve

294

that, we let σm = σ′m ρ1 while the weight for the non-matches (ρ2 and ρ3 ) in the normalizing

295

denominator is σn = σ′n (ρ2 + ρ3 ). Hence equation (10) can be rewritten as:

S DWID =

296

σ′m ρ21 σ′m ρ21 + σ′n (ρ2 + ρ3 )2

(11)

5.2. Global Matching Score

297

When dealing with two fingerprint templates, each MLC in T Q is cross-matched with the ones

298

in T E so that we have a similarity matrix containing similarity scores among all MLCs between

299

two templates. Each element in the similarity matrix is then re-evaluated with the following

14

300

criterion to eliminate double-matching:       S (e, q) Condition 1; S (e, q) =      0 otherwise.

(12)

301

Condition 1 implies that S (e, q) ≥ τ s and S (e, q) must be the maximum among all values of

302

S (e, i) (for i ∈ [1, Q]) and S (i, q) (for i ∈ [1, E]), where τ s is the lowest similarity value to say

303

that a pair of MLCs are matchable.

304

To determine the overall similarity between T E and T Q , a global matching score is used to

305

measure the likelihood of T E and T Q being two instances of the same fingerprint. With the

306

processed similarity matrix, we calculate the matching score with the following formula:

MS =

307

6. Experiments and Discussions

308

6.1. Experiment Setup

Q E P P

S (e, q)

e=1 q=1

min(E, Q)

(13)

309

The proposed method is evaluated on the following datasets: FVC2002 DB1, DB2 and

310

FVC2004 DB1, DB2. Each dataset contains 100 fingerprints, and each fingerprint has 8 samples

311

with different ways and levels of perturbation. The first impression of every fingerprint is stored

312

as the enrolled template and the remaining seven impressions are used as queries, and thus re-

313

sulting in 70,000 tests in total, which include 700 genuine tests and 69,300 imposter tests per

314

dataset per setting. There are eight distinct settings being tested as abbreviated below:

315

• mlcn-Dice - MLC representing numbers of minutiae matched using Dice similarity.

316

• mlcm-Dice - MLC representing mean distance values matched using Dice similarity.

317

• mlcmb1-Dice - 1-bit binary MLC representing mean distance values matched using Dice

318

similarity.

15

319

320

321

322

323

324

325

326

327

328

• mlcmb2uq-Dice - 2-bit uniformly quantized binary MLC representing mean distance values matched using Dice similarity. • mlcmb2nq-Dice - 2-bit non-uniformly quantized binary MLC representing mean distance values matched using Dice similarity. • mlcmb2uq-NWAZZOO - 2-bit uniformly quantized binary MLC representing mean distance values matched using NWAZZOO similarity. • mlcmb2uq-DWID - 2-bit uniformly quantized binary MLC representing mean distance values matched using DWID similarity. • mlcmb2nq-DWID - 2-bit non-uniformly quantized binary MLC representing mean distance values matched using DWID similarity.

329

Tests are carried out in both genuine-key scenario and stolen-key scenario. In the former

330

scenario, we assume that the secret key is kept secure, so every MLC is permuted with its own

331

unique key (assigned to individual fingerprint) before matching. Whereas in the stolen-key sce-

332

nario, it is assumed that the secret key is compromised and becomes obsolete, so the MLCs are

333

matched unpermuted.

334

6.2. Accuracy

335

In genuine-key scenario, the proposed scheme performs ideally where the EERs for all set-

336

tings are 0%. On the other hand, in the case of stolen key, the EERs declined as expected. Table

337

1 shows the EERs of the proposed scheme as well as other minutiae distribution-based algo-

338

rithms. Despite the fact that the performance of MLC is not directly comparable to the other

339

literature due to different minutiae extraction method applied, we use Lee’s method (Lee and

340

Kim, 2010) and p-MCC (Ferrara et al., 2012) as the references in accuracy evaluation. Figure 3

341

shows the ROC curves of all MLC settings zoomed in to the EER-intercept to provide a graphical

342

comparison of the performances.

343

344

The result has proven that the application of both approaches towards enhancing MLC improves the accuracy of the original MLC. Moreover, the solutions suggested in Section 4.2.2 has 16

Table 1: EERs of the proposed methods and other existing algorithms for stolen-key scenario over different FVC datasets. Method/Setting mlcn-Dice (Wong et al., 2012) mlcm-Dice mlcmb1-Dice mlcmb2uq-Dice mlcmb2nq-Dice mlcmb2uq-NWAZZOO mlcmb2uq-DWID mlcmb2nq-DWID Lee’s method (Lee and Kim, 2010) p-MCC (Ferrara et al., 2012)

FVC2002DB1 4.69

FVC2002DB2 5.03

FVC2004DB1 10.36

FVC2004DB2 11.05

3.2 3.26 2.37 2.27 2.37 2.05 1.97 -

3.53 4.08 3.39 2.85 4.18 2.99 2.54 -

8.26 8.88 7.38 6.92 7.45 7.22 6.53 10.3

10.4 11.04 10.28 9.98 10.37 9.75 9.2 9.5

1.88

0.99

-

-

345

successfully compensated the problem of undesirable similarity among the binary sequences,

346

while the combination of both can reduce the EER to 1.97%, 2.54%, 6.53% and 9.2% for

347

FVC2001DB1, FVC2001DB2, FVC2004DB1 and FVC2004DB2 respectively. However, NWAZ-

348

ZOO similarity does not suit MLC matching probably because in binary MLC, the 1’s are

349

sparsely distributed with too many 0’s in between and thus, the outcome is predominated by

350

the negative matches even when it’s weight is small.

351

6.3. Revocability

352

We adopt the method described by Lee et al. (2007) to evaluate the revocability or diversity of

353

the proposed cancellable fingerprint template. In this section, we briefly explain the experiments

354

performed under two cases.

355

6.3.1. Case 1: Original Templates Versus Permuted Templates

356

In this scenario, we measure the improbability of a permuted template to correlate with the

357

original template of the fingerprint. The experiment procedures are as follows:

358

1) One out of eight impressions for each fingerprint is used to generate 30 different permuted

359

templates as the enrolled templates.

360

2) The remaining seven impressions are matched against the 30 enrolled templates.

361

3) Generate the distribution (hereafter denoted as D1) of matchable MLCs over all fingerprints.

362

A pair of MLCs are said to be matchable if the similarity score satisfies the condition men-

363

tioned in equation (12). Then, calculate the separability between D1 and the original genuine 17

(a) FVC2002DB1.

(b) FVC2002DB2.

(c) FVC2004DB1.

(d) FVC2004DB2.

Figure 3: ROC curves of all settings in stolen-key scenario. We can observe that for all datasets, mlcmb2nq-DWID (marked by inverted triangle) has the lowest EER value.

364

distribution (hereafter denoted as OG), defined as: |µD1 − µOG | SeparabilityD1 = q 2 2

(14)

σD1 +σOG 2

365

where µD1 , µOG , σ2D1 and σ2OG are the means and variances of the corresponding subscript.

366

Taking FVC2002DB1 as an example, Figure 4 illustrates the distribution of D1 and OG for

367

the highest separability setting (mlcn-Dice) together with two low separability settings (mlcmb1-

368

Dice and mlcmb2uq-NWAZZOO). Both figures in Table 2) and Figure 4 show that the distri-

369

butions have no correlation or negligible correlation between each other even for the lowest

370

separability setting (mlcmb2uq-NWAZZOO).

18

371

6.3.2. Case 2: Permuted Templates Versus Permuted Templates

372

If an enrolled template is compromised, it is replaced by a new template associated with a

373

different permutation key. In this scenario, we measure the dissimilarity between templates from

374

the same fingerprint permuted with different keys. The experiment is conducted as follows:

375

1) Similar to previous case, one out of eight impressions for each fingerprint is used as the

376

377

378

379

380

enrolled templates with five distinct permutation orders. 2) Each of the remaining seven impressions is assigned another ten different keys to produce ten unique permuted templates and matched against the five enrolled templates. 3) Produce the distribution (hereafter denoted as D2) of matchable minutiae over all fingerprints for this scenario. Then, calculate the separability between D2 and OG, defined as: |µD2 − µOG | SeparabilityD2 = q 2 2

(15)

σD2 +σOG 2

381

where µD2 and σ2D2 are the mean and variance of D2 respectively.

382

Figure 4 also includes the distribution of D2 for mlcn-Dice, mlcmb1-Dice and mlcmb2uq-

383

NWAZZOO. Similar to those in case 1 (Section 6.3.1), the distributions are uncorrelated or hardly

384

correlated with OG. Hence, if the length of a real number MLC and binary MLC are 1,476 and

385

1,476B respectively (correspond to the parameters in Section 3.1), almost all of the 1,476! or

386

1,476B! permutation orders can be utilized. This applies to all the datasets used.

387

Revocability increases when the separability increases. Also, the revocability of cancellable

388

fingerprint template is one major factor which determines its diversity. From Table 2, we can

389

observe that for all datasets, mlcn-Dice yields the highest diversity while the enhanced MLC

390

weakens in this property.

391

6.4. Non-reversibility

392

In this section, we discuss the non-reversibility of the proposed system by evaluating its

393

security against brute-force attack. It is mainly determined by two factors - the strength of the

394

non-invertible transform and the amount of possible permutation keys. As discussed in Section 19

Table 2: Separabilities of [µOG , σ2OG ](µD1 , σ2D1 ), (µD2 , σ2D2 ). Method/Setting mlcn-Dice

mlcm-Dice

mlcmb1-Dice

mlcmb2uq-Dice

mlcmb2nq-Dice

mlcmb2uq-NWAZZOO

mlcmb2uq-DWID

mlcmb2nq-DWID

all

MLC

FVC2002DB1 4.38,4.38 [27.38,78.14] (0,0),(0,0) 3.85,3.85 [25.48,87.52] (0,0),(0,0) 3.56,3.56 [23.62,88.05] (0,0),(0,0) 3.65,3.65 [23.93,85.78] (0,0),(0,0) 3.75,3.75 [24.72,86.91] (0,0),(0,0) 2.83,2.83 [19.1,91.11] (0,0),(0,0) 3.61,3.61 [23.81,86.91] (0,0),(0,0) 3.72,3.72 [24.62,87.65] (0,0),(0,0)

settings

in

the

FVC2002DB2 4.4,4.4 [33.59,116.52] (0,0),(0,0) 3.88,3.88 [30.67,124.7] (0,0),(0,0) 3.43,3.43 [27.74,130.72] (0,0),(0,0) 3.59,3.59 [28.66,127.14] (0,0),(0,0) 3.72,3.72 [29.67,127.54] (0,0),(0,0) 3.86,3.86 [30.3,122.96] (0,0),(0,0) 3.9,3.9 [30.31,120.84] (0,0),(0,0) 4,4 [31.11,121.1] (0,0),(0,0)

format

of

SeparabilityD1 ,SeparabilityD2

FVC2004DB1 4.55,4.55 [25.46,62.58] (0,0),(0,0) 3.85,3.85 [22.43,67.75] (0,0),(0,0) 3.08,3.08 [18.86,74.81] (0,0),(0,0) 3.13,3.13 [19.06,74.25] (0,0),(0,0) 3.39,3.39 [20.54,73.23] (0,0),(0,0) 3.43,3.43 [20.21,69.33] (0,0),(0,0) 3.62,3.62 [21.12,68.19] (0,0),(0,0) 3.67,3.67 [19.39,94.9] (0,0),(0,0)

FVC2004DB2 3.3,3.3 [18.76,64.46] (0,0), (0.01,0.01) 3.22,3.22 [18.78,68.02] (0,0),(0,0) 2.8,2.8 [16.61,70.55] (0,0),(0,0) 2.99,2.99 [16.44,60.29] (0,0),(0,0) 3.05,3.05 [21.32,97.69] (0,0),(0,0) 2.82,2.82 [19.39,94.9] (0,0),(0,0) 3.02,3.02 [17.82,69.62] (0,0),(0,0) 3.04,3.04 [20.03,87.09] (0,0),(0,0)

Figure 4: Matchable MLCs distributions for FVC2002DB1. For the three settings shown in the figure, D1 and D2 has all-zero distribution, thus resulting in zero means (µD1 and µD2 ) and zero variances (σ2D2 and σ2D2 ) as shown in Table 2. Among the three, OG of mlcn-Dice is distributed furthest from its D1 and D2, resulting in highest separability.

395

6.3, the attackers require at most 1,476! (or 1,476B!) attempts to reconstruct the original template

396

from the permuted template, which is certainly computational infeasible in real time. Despite

397

that, under the worst case scenario where both the template and the key are compromised and the

398

transformation method is known, the security only relies on the strength of the transformation. It 20

399

refers to the improbability of unveiling the original minutiae set from the unpermuted template. For the number-of-minutiae version of MLC, provided ∆ϕ =

400

π 3

≈ 1.1 (from Section 3.1),

401

with precision of 0.1, there are 11 possible orientations in an angular division. Also given r = 25

402

and

403

Therefore, a 1 in the MLC may be the result of a minutia being in one of the 11 × 982 = 10, 802

404

locations in the semi-cylinder. Even if there are only 40 unique minutiae in the fingerprint,

405

the total number of repeatable minutiae contributing to all the entire template can easily exceed

406

3,000. Since there is no way to know which ones are repeating, the attacker requires more than

407

10, 802 × 3, 000 ≈ 30 million attempts to uncover the raw minutiae data.

πr2 2

≈ 982, we can know that there are approximately 982 pixels in a region (semi-circle).

408

It does not make it easier when the mean distance value is used as MLC. Due to the fact

409

that the calculation of mean value itself is a many-to-one mapping function, the attacker needs

410

to get all the distance values in a region before cracking the location of the minutiae, without

411

any information about the number of minutiae within the region. This creates even more hassles

412

for the attacker. Furthermore, the quantization process in binary MLC generation serves as an

413

additional level of protection as it is another many-to-one mapping function to be cracked. In

414

short, it is impracticable to reverse the transformation in real time.

415

6.5. Template Size

416

Given that the length of a MLC is 1,476×k, where k = 1 for real number MLC and k is equiva-

417

lent to the quantization bit-length (B) for binary MLC. Taking an integer as a two-byte data and a

418

decimal-point number as a four-byte data, the template size for mlcn and mlcm are approximately

419

115 KB and 230 KB respectively (assuming that there are 40 minutiae in a fingerprint).

420

With the implementation of MLC binarization, the original MLC is converted into a 1,476B-

421

bit binary MLC plus a 1,476-bit invalid codes. So when B = 1, the template size drops down

422

to 14 KB whereas it is 22 KB for B = 2. In general, the template compression rate from mean-

423

distance-value MLC to binary MLC is 32:(B+1). Besides, since MLC contains long repeated

424

0’s, the storage size can be further reduced using appropriate data compression algorithm.

21

425

7. Conclusions

426

In this paper, a two-staged enhancement method was proposed to ameliorate the performance

427

of MLC considering the recognition accuracy, template size and security. The idea was to ac-

428

quire the balance point among the four criterions. The results showed that the enhanced MLC

429

excelled in recognition accuracy and template size, but the computational cost and security were

430

compromised to a reasonable extent that the three main objectives of template protection scheme

431

(Section 1) were not violated.

432

One potential application of MLC (or specifically binary MLC) is biometric cryptography

433

(bio-cryptography), which includes key generation and key binding. However, MLC alone is not

434

robust enough to be used in bio-crypto systems. Error correction coding, fuzzy vault and fuzzy

435

commitment are the possible ways of incorporating MLC in bio-cryptography.

436

References

437

Ahmad, T., Hu, J., Wang, S., 2011. String-based cancelable fingerprint templates, in: 6th IEEE Conference on Industrial

438 439 440 441 442 443 444 445 446

Electronics and Applications, Beijing. pp. 1028–1033. Ang, R., Safavi-Naini, R., McAven, L., 2005. Cancelable key-based fingerprint template, in: Proceedings of 10th Australasian Conference (ACISP’05) Information Security and Privacy, pp. 109–128. Belgeuchi, R., Rosenberger, C., Ait-Aoudia, S., 2010. Biohashing for securing fingerprint minutiae templates, in: the 20th International Conference on Pattern Recognition (ICPR), Istanbul. pp. 1168–1171. Cappelli, R., Ferrara, M., Maltoni, D., 2010. Minutia cylinder-code: A new representation and matching technique for fingerprint recognition. IEEE Trans. Pattern Anal. Mach. Intell. 32, 2128–2141. Cha, S.H., Yoon, S., Tappert, C.C., 2005. Enhancing Binary Feature Vector Similarity Measure. Technical Report. Ivan E. Seidenberg School of Computer Science and Information Systems, Pace University.

447

Dice, L.R., 1945. Measures of the amount of ecologic association between species. Ecol. 26, 297–302.

448

Farooq, F., Bolle, R.M., Jea, T.Y., Ratha, N., 2007a. Anonymous and revocable fingerprint recognition, in: IEEE

449

Conference on Computer Vision and Pattern Recognition, Minneapolis. pp. 1–7.

450

Farooq, F., Ratha, N., Jea, T.Y., Bolle, R., 2007b. Security and accuracy trade-off in anonymous fingerprint recognition,

451

in: First IEEE International Conference on Biometrics: Theory, Applications, and Systems, Crystal City, VA. pp. 1–6.

452

Ferrara, M., Maltoni, D., Cappelli, R., 2012. Non-invertible minutia cylinder-code representation. IEEE Trans. Inf.

453 454

Forensics Secur. . Jain, A.K., Nandakumar, K., Nagar, A., 2008. Biometric template security. EURASIP J. Adv. Signal Process 2008, 1–17.

22

455 456

Jain, A.K., Prabhakar, S., Hong, L., Pankanti, S., 2000. Filterbank-based fingerprint matching. IEEE Trans. Image Process. 9, 846–859.

457

Jin, Z., Ong, T.S., Tee, C., Teoh, A.B.J., 2011. Generating revocable fingerprint template using polar grid based 3-tuple

458

quantization technique, in: IEEE 54th International Midwest Symposium on Circuits and Systems, Seoul. pp. 1–4.

459

Jin, Z., Teoh, A.B.J., Ong, T.S., Tee, C., 2010. Generating revocable fingerprint template using minutiae pair representa-

460 461 462 463 464 465 466

tion, in: 2nd International Conference on Education Technology and Computer, Shanghai. pp. 251–255. Kumar, G., Tulyakov, S., Gavindaraju, V., 2010. Combination of symmetric hash functions for secure fingerprint matching, in: 20th International Conference on Pattern Recognition, Istanbul. pp. 890–893. Lee, C., Choi, J.Y., Toh, K.A., Lee, S., Kim, J., 2007. Alignment-free cancelable fingerprint templates based on local minutiae information. IEEE Trans. Syst., Man Cybern. - Part B: Cybern. 37, 980–992. Lee, C., Kim, J., 2010. Cancelable fingerprint templates using minutiae-based bit-strings. J. Netw. Comput. Appl. 33, 236–246.

467

Maltoni, D., Maio, D., Jain, A.K., Prabhakar, S., 2009. Handbook of Fingeprint Recognition. Springer-Verlag, London.

468

Mimura, M., Ishida, S., Seto, Y., 2001. Development of personal authentication techniques using fingerprint matching

469 470 471 472 473 474 475

embedded in smart cards. IECIE Trans. Inf. Syst. E84-D, 812–818. Quan, F., Fei, S., Anni, C., Feifei, Z., 2008. Cracking cancelable fingerprint template of ratha, in: 2008 International Symposium on Computer Science and Computational Technology, Beijing. pp. 572–575. Ratha, N.K., Chikkerur, S., Connell, J.H., Bolle, R.M., 2007. Generating cancelable fingerprint templates. IEEE Trans. Pattern Anal. Mach. Intell. 29, 561–572. Rathgeb, C., Uhl, A., 2011. A survey on biometric cryptosystems and cancelable biometrics. EURASIP J. Inf. Secur. 2011, 1–25.

476

Takahashi, K., 2009. Unconditionally provably secure cancelable biometrics based on a quotient polynomial ring, in: the

477

3rd IEEE International Conference on Biometrics: Theory, applications and systems, Washington, DC. pp. 327–332.

478

Takahashi, K., Hirata, S., 2011. Generating provably secure cancelable fingerprint templates based on correlation-

479

invariant random filtering, in: 2011 International Joint Conference on Biometrics (IJCB), Piscataway, NJ. pp. 1–8.

480

Teoh, A.B.J., Ngo, D.C.L., Goh, A., 2004. Biohashing: Two factor authentication featuring fingerprint data and tokenised

481 482 483 484 485 486 487 488 489

random number. Pattern Recognit. 37, 2245–2255. Teoh, A.B.J., Yip, W.K., Lee, S., 2008. Cancellable biometrics and annotations on biohash. Pattern Recognit. 41, 2034–2044. Teoh, A.B.J., Yip, W.K., Toh, K.A., 2010. Cancellable biometrics and user-dependent multi-state discretization in biohash. Pattern Anal. Appl. 13, 301–307. Tico, M., Kuosmanen, P., 2003. Fingerprint matching using an orientation-based minutia descriptor. IEEE Trans. Pattern Anal. Mach. Intell. 37, 980–992. Tulyakov, S., Farooq, F., Govindaraju, V., 2005. Symmteric hash functions for fingerprint minutiae, in: Proceedings of 3rd International Conference on Advances in Pattern Recognition (ICAPR’05), pp. 30–38.

23

490 491 492 493

Tulyakov, S., Farooq, F., Mansukhani, P., Govindaraju, V., 2007. Symmteric hash functions for secure fingerprint biometric systems. Pattern Recognit. Lett. 28, 2427–2436. Wang, S., Hu, J., 2012. Alignment-free cancelable fingerprint template design: A densely infinite-to-one mapping (DITOM) approach. Pattern Recognit. .

494

Wong, W.J., Wong, M.L.D., Kho, Y.H., 2012. A low complexity multi-line code for cancelable fingerprint template,

495

in: the 2nd International Conference on Convergence Technology 2012, Korea Convergence Society, Qingdao. pp.

496

61–65.

497

Yang, B., Hartung, D., Simoens, K., Busch, C., 2010. Dynamic random projection for biometric template protection, in:

498

Fourth IEEE International Conference on Biometrics: Theory, apllications and systems, Washington, DC. pp. 1–7.

24