2
Enhanced Multi-line Code for Minutiae-Based Fingerprint Template Protection
3
Wei Jing Wonga , Andrew B. J. Teohb , M. L. Dennis Wonga,1,∗, Yau Hee Khoa
1
4
a Faculty
of Engineering, Computing and Science, Swinburne University of Technology (Sarawak Campus), 93350 Kuching, Malaysia. b Electrical and Electronic Engineering, College of Engineering, Yonsei University, Seoul, South Korea.
5 6
7
Abstract In this paper, we propose a cancellable fingerprint template technique based on our previous work on multi-line code (MLC) (Wong et al., 2012). The modification and improvement focuses on the change of MLC values and the generation of binary MLC. In addition, an enhanced similarity measure is also proposed to compensate the loss in accuracy for binary MLC, called the dynamically weighted integrated Dice (DWID) similarity. Comprehensive experiments on three FVC datasets are carried out to compare the performance among different settings of MLC. The lowest equal error rate (EER) obtained in the stolen-key scenario is 1.93% for FVC2002 DB1. Besides, analysis on the revocability, non-reversibility and template size of the enhanced MLC have been presented.
8
Keywords:
9
Cancellable Fingerprint Template, Multi-line Code, Dynamically Weighted Integrated Dice,
10
Stolen-Key Scenario
11
1. Introduction
12
Biometric authentication systems offer a great range of advantages over knowledge-based
13
and token-based authentication systems, such as passwords, user IDs, identification cards and ∗
Corresponding author Email addresses:
[email protected] (Wei Jing Wong),
[email protected] (Andrew B. J. Teoh),
[email protected] (M. L. Dennis Wong),
[email protected] (Yau Hee Kho) 1 Tel: +6082-260966 Preprint submitted to Pattern Recognition Letters
January 31, 2013
14
PINs. Biometric authentication systems are automated authentication systems which make use
15
of distinctive anatomical and behavioural characteristics or identifiers (e.g., fingerprints, hand
16
geometry, face, iris, voice, signature) to identify a person. However, conventional biometric
17
databases store the original biometric features, once compromised, suffer from permanent pri-
18
vacy and security issue. Therefore, biometric template protection schemes are required to shield
19
the original biometric information. Cancellable biometrics is one of the promising candidates
20
of biometric template protection technique. It utilizes a systematic transformation of the derived
21
biometric features to protect the original biometric information. If a cancellable biometric tem-
22
plate is compromised, the transformation characteristics can be changed and the user’s biometrics
23
is mapped onto a new template, which replaces the compromised template. The three principle
24
objectives of cancellable biometrics (Maltoni et al., 2009) are:
25
(i) Non-reversibility: it should be computationally infeasible to recover the original biometric
26
data from the biometric template so that the biometric identifier can never be reconstructed
27
even when the template is stolen.
28
(ii) Accuracy: the accuracy of fingerprint recognition should not deteriorate after transforma-
29
tion. This determines the overall performance of the system and prevents false authentica-
30
tion.
31
(iii) Diversity: no same biometric template can be used in various applications. It is also refer-
32
ring to revocability of the biometric template, where new template can be reissued in the
33
event of compromise.
34
This paper extends our previous work (Wong et al., 2012) on multi-line code (MLC) with the
35
intention to boost the performance of MLC concerning accuracy, security and storage size of the
36
template. In a nutshell, we modify the original MLC in the following aspects:
37
38
(i) Change of MLC from number of minutiae in the region of interest to the mean of distances from these minutiae to the reference minutia (Pr ).
39
(ii) Conversion of the real number representation to a binary code.
40
(iii) Application of a new similarity measure in the MLC matching. 2
41
2. Related Work
42
Two main categories of cancellable biometrics include non-invertible transforms and biomet-
43
ric salting (Jain et al., 2008). The former approach applies non-invertible transform function to
44
the biometric data, either in signal level or feature level to make it unable to reconstruct the orig-
45
inal biometric data even if template and transformation method are compromised. In the context
46
of cancellable fingerprint, such approach usually implies a loss in accuracy due to the complexity
47
in aligning the fingerprints in the transformed domain. Hence, alignment-free methods have be-
48
come a trend in the research area. On the other hand, biometric salting applies transforms which
49
are invertible (Rathgeb and Uhl, 2011). In case of user-dependent transforms, a user-specific key
50
has to be presented at each transformation. Even though imposters are very likely to recover the
51
biometric feature from the biometric template, the biometric feature is extracted in such a way
52
that the original biometric pattern cannot be reconstructed.
53
Both non-invertible transforms and biometric salting can produce either string-based or fea-
54
ture vector-based cancellable template depending on the method used. In a nutshell, biometric
55
salting may maintain the recognition accuracy of biometric authentication systems while non-
56
invertible transforms yield higher security. In this section, we investigate several instances of
57
non-invertible transforms and biometric salting in the context of cancellable fingerprint template.
58
2.1. Non-invertible Transform
59
Ang et al. (2005) presented a geometric transformation based on the reflection of minutiae.
60
In this approach, a line passing through the core point is drawn, and the minutiae below the
61
line are reflected while the minutiae above remain. The gradient of the line is determined by a
62
user-specific key ranges from 0 to π. Confusion occurs when dealing with fingerprints with no
63
core point (arch) and with more than one core points (whorl). Also, since only one side of the
64
minutiae are reflected, the final template still retains a part of the original minutiae set and thus
65
weakens the security.
66
Ratha et al. (2007) proposed three kinds of non-invertible transforms including Cartesian
67
transform, polar transform and functional transform. Cartesian transform and polar transform di3
68
vide the fingerprint space into cells of equal size and re-arrange the minutiae according to the cell
69
they belong to on a many-to-one mapping basis. Functional transform applies a spatial distortion
70
to the fingerprint space using Gaussian kernels so that the position of the minutiae are translated
71
and rotated in the same way. However, Quan et al. (2008) pointed out that these transforms are
72
vulnerable to attacks as most of the transformed minutiae are possible to be reversed to their
73
original locations.
74
Tulyakov et al. (2005, 2007) used symmetric hash functions to convert the minutiae into hash
75
values. In this algorithm, a minutia is represented by a complex number ci . For each minutia
76
in the fingerprint, a triplet (ci , c j , ck ) is formed with its two nearest neighbouring minutiae and
77
is hashed using predefined hash functions. A secret key is introduced to seed the choices and
78
order of hash functions for different fingerprints. This work was extended (Kumar et al., 2010)
79
by combining more than one hash functions during implementation to increase the security of
80
the template. Also, k-plets of minutiae were used instead of triplets, where k can be more than
81
three. Although it is impossible to reverse the hashed data, a large number of high power hash
82
functions are needed to ensure the revocability of the template, which leads to high complexity.
83
For aforementioned approaches, matching of fingerprint templates requires pre-alignment of
84
the minutiae. This increases the computational time during fingerprint matching and thus re-
85
duces its applicability in real-time authentication systems. One of the solutions of eliminating
86
minutiae alignment is to use invariant features of minutiae in the generation of fingerprint tem-
87
plate as proposed by Lee et al. (2007). These features are extracted following the same fashion
88
used by Tico and Kuosmanen (2003). Together with a user-specific PIN, the invariant features
89
are used to parametrize two changing functions which contribute to the transformation of the
90
minutiae, namely the distance-changing function and the orientation-changing function. An-
91
other cancellable template utilizing invariant features based on triplets was proposed by Farooq
92
et al. (2007a). The features measured are the length of the three sides, the orientations of the
93
three vertex minutiae and the height of the longest side of a triplet. The template is a binary
94
string of quantized feature values, so it requires less database storage.
95
Recently, Wang and Hu (2012) proposed an alignment-free cancellable fingerprint template 4
96
based on a densely infinite-to-one mapping approach. In this method, the invariant features of
97
every minutiae pair are quantized and converted the generated binary string into a complex vector
98
by using discrete Fourier transform. A randomly generated parametric matrix is then blended
99
with the complex vector to obtain the final template. This approach excels in security, even when
100
the template and the parametric key are stolen.
101
A novel bit-string representation of fingerprint template was introduced by Lee and Kim
102
(2010), in which each minutia is described by a three dimensional array. The width and height of
103
the three dimensional array is the x-y plane of the fingerprint image, whereas the depth represents
104
the orientation of minutiae. The array is divided into cells of equal size, and the numbers of
105
minutiae in the cells form the final bit-string. It not only eases the matching of templates, but
106
also provides high revocability by using simple permutation. Other string-based cancellable
107
fingerprint templates include minutiae pair representation (Jin et al., 2010), polar-based 3-tuple
108
representation (Jin et al., 2011) and projection-based line vector (Ahmad et al., 2011).
109
One of the state-of-the-art fingerprint template representations is called the minutiae cylinder-
110
code (MCC) (Cappelli et al., 2010). It forms a cylinder around a minutia and the cylinder is
111
tessellated in the similar manner as presented by Lee and Kim (2010). Instead of counting the
112
number of minutiae in the cells, MCC considers all minutiae around the cell within a certain
113
range. The contribution of each minutia towards the cell value is regulated by its positional and
114
orientation distance from the centre of the cell. Such approach uses the basis of fixed radius-based
115
minutia descriptor without neglecting the area outside but nearby the perimeter. The relaxation
116
approach helps to improve the recognition rate but it increases the storage requirement and com-
117
putational time. Later, Ferrara et al. (2012) presented the protected MCC (p-MCC) as a template
118
protection scheme to enhance the security of MCC.
119
2.2. Biometric Salting
120
Fingerprint salting is also called BioHashing (Teoh et al., 2004, 2008). Other than Finger-
121
Code proposed by Jain et al. (2000), BioHashing pioneers in correlation-based biometric match-
122
ing schemes. It is a two-factor transform that employs the wavelet Fourier-Mellin transform
123
(WFMT) features of fingerprints and a user-specific tokenized key. User-dependent multi-state 5
124
discretization (Teoh et al., 2010) was used in the generation of binary bit-string to improve the
125
performance of BioHashing specifically for stolen-token scenario. As the security of biometric
126
salting lies with the secret key, once both the template and the key are compromised simultane-
127
ously, the protected templates become reversible. In addition, Yang et al. (2010) has suggested
128
dynamic random projection to enhance the security of the conventional random projection used
129
by BioHashing. The idea is to construct a random matrix dynamically, depending on the biomet-
130
ric feature vector itself.
131
By combining the concept of BioHashing (Teoh et al., 2004, 2008) and FingerCode (Jain
132
et al., 2000), Belgeuchi et al. (2010) presented a minutiae-based fingerprint salting scheme. The
133
proposed method extracts the FingerCode for every minutia and applies BioHashing on the Fin-
134
gerCode to produce a protected minutia template, named BioCode.
135
Another novel fingerprint salting approach was proposed by Takahashi and Hirata (2011).
136
The transformation utilizes chip matching algorithm (Mimura et al., 2001) based on correlation-
137
invariant random filtering (CIRF). It first extracts chip images centred at the minutiae from the
138
fingerprint image and transform these chip images using CIRF to generate the template. The
139
method stresses on the security and privacy of cancellable fingerprint template. The mathematical
140
properties of CIRF were further investigated by Takahashi (2009) to derive a new algorithm for
141
cancellable biometrics that establishes better security without affecting the accuracy.
142
3. Multi-line Code
143
In this section, we recapitulate the generation of multi-line code (MLC) (Wong et al., 2012)
144
for the benefits of the readers. MLC is a string-based minutia descriptor used for cancellable
145
fingerprint template. It describes a minutia by inspecting the minutiae distribution along multiple
146
lines of different orientation intersecting at the reference minutia itself. The generation of MLC
147
consists of two steps: MLC formulation and MLC permutation.
148
3.1. Formulation of MLC
149
150
Inspired by Lee’s algorithm (Lee and Kim, 2010) and MCC (Cappelli et al., 2010), the formulation of MLC inspects the fingerprint in three dimensional aspects which include the Cartesian 6
151
plane (x and y coordinates) and the orientation (θ). Taking a reference minutia, Pr (xr , yr , θr ) as
152
an instance, the procedures to create a MLC based on the reference minutia are as follows:
153
1) Divide the minutiae into different angular partitions according to the relative angle between
154
θr and the orientation of the neighbour minutia. As shown in Figure 1b, the depth of the
155
cylinders indicates the range of the angular partitions (∆ϕ) and the depth of the entire space
156
covers all the possible values of minutiae orientation, ranging from 0 to 2π.
157
2) Construct a straight line of length, l in the same direction as θr in every angular dimension
158
and take s sample points equally distributed along the line with distance, d in between one
159
another. .
160
3) Based on the location of the sample points marked in step 2, two semi-circle-shaped bit-wise
161
AND masks (with radius r) are applied on the minutiae map (which indicates the location
162
of all minutiae): one on the left side of the line and another on the right side of the line, to
163
obtain the number of minutiae in the region. This is demonstrated in Figure 1a where different
164
regions of semi-circles are distinguished by their shading.
165
166
4) The number of minutiae in every semi-circle is arranged sequentially according to different orientation to form a single-line code.
167
5) Repeat step 2 to step 4 for lines of different direction with equal angle in between and con-
168
catenate all the single-line codes to form a multi-line code. If we are using M lines to describe
169
the reference minutia, the directions of the lines are: θr , θr +
170
1a shows the graphical illustration of these lines when M = 3. Therefore, the MLC for a
171
minutia can be written as L = [a11 a12 ...a1n ...a1N ; a21 a22 ...a2n ...a2N ; ...; a M1 a M2 ...a Mn ...a MN ],
172
where N = 2 × ( dl + 1) ×
173
value, -1 if the sample point is located outside the boundaries of the fingerprint image.
2π ∆ϕ
π M , θr
+
2π M
... θr +
(M−1)π M .
Figure
is the length of a single-line code. amn is assigned an invalid
174
6) Repeat step 1 to step 5 for the rest of the minutiae extracted from the fingerprint to generate
175
the template of the fingerprint. The template is an array of multi-line codes, T = {L1 L2 ...LK },
176
where K is the total number of minutiae.
177
178
Since the lines are subject to the reference minutia, the position and direction of the lines change according to the coordinates and orientation of the reference minutia, so as the location of 7
179
the circles. Besides, the angular partition a minutia falls in is determined by its angular difference
180
with θr . Hence, MLC is invariant to translation and rotation.
181
The robustness of MLC against local non-linear distortion depends very much on the distance
182
between two adjacent circles (d) and their radius (r) which should be adjusted collaboratively so
183
that the circles overlap partially with one another. The idea is to create a buffer region (where two
184
or more circles overlap) to accommodate the close-to-border minutiae which may be excluded
185
from the circles they used to be in due to non-linear distortion. For instance if a close-to-border
186
minutia is slightly shifted, in the case of non-overlapping circles, the minutiae count of two adja-
187
cent regions can change from {α, β} to {α − 1, β + 1} (considering the worst case), introducing an
188
Euclidean distance of 2; whereas for overlapping-circles, the distance caused by such distortion
189
in the worst case is 1 (between {α, β} and {α − 1, β}). However, this only applies to minutiae near
190
certain parts of the circumference. The other parts, especially those orthogonal to the base line
191
are taken care of by increasing the number of lines (M) so that the circles may overlap each other
192
in all directions. The value of d, r and M used in this paper are 8, 25 and 3 respectively.
193
3.2. Permutation of MLC
194
In order to achieve revocability and diversity of the template, we introduce an external factor
195
that offers huge variety of transformations unto the generated multi-line code. In the previous
196
paper (Wong et al., 2012), we simply permute the code based on a user-specific secret key. The
197
secret key is a random number that seeds the permutation order of the MLC. It is important to
198
ensure that no two individuals or two applications of one individual can be assigned the same
199
number.
200
In addition, permutation of the MLC improves the performance of cancellable fingerprint
201
template. By introducing a unique “personality” to every fingerprint, it greatly reduces the false
202
acceptance rate (FAR) of the system. Figure 2 explains the realization of revocability and accu-
203
racy enhancement through MLC permutation.
204
4. MLC Enhancement Scheme
205
In this section, we propose two attempts towards enhancing the performance of MLC. 8
d l l
Pr
Pr
π/3
2π
οɔ
2r
2r
d
(a) Plane view.
(b) 3D view.
Figure 1: Illustration of MLC generation. Given that different marker of minutiae in (a) represents different orientation division that the minutia is in. If the sequence of the orientation division follows (blue filled circle, red unfilled circle, magenta filled square) order, the original minutiae count-based code generated based on the red solid line is Lθr = {0, 0, 0, 0, 0, 1, 0, 2, 0, 1, 1, 1, 3, 3, 2, 2, 0, 0; 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 3, 0, 0, 0, 0, 0, 0, 0; 0, 1, 0, 1, 0, 1, 3, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0}. In the new mean distance representation, the same line will = {0, 0, 0, 0, 0, 19.2, 0, 17.5, 0, 10.9, 23.1, 22.8, 19.7, 14.2, 16.6, 15, 0, 0; produce a real number code Lθr 0, 0, 0, 0, 0, 0, 0, 0, 16.3, 0, 20.1, 0, 0, 0, 0, 0, 0, 0; 0, 5.8, 0, 6.9, 0, 16.1, 17.2, 0, 14.5, 0, 0, 0, 0, 0, 0, 0, 0, 0}. Finally, the unpermuted binary version of the code generated using non-uniform quantization method discussed in Section 4.2.2 is Lθr = {000000000010001000111010101111110000; 000000000000000011001000000000000000; 000100100011100011000000000000000000}. The blue dashed line and green dotted line are lines in other directions when M = 3 and will each generate a different code to obtain the complete MLC describing Pr .
206
4.1. Minutiae Contribution Measure
207
In this paper, we present a different measure of minutiae contribution in the stage of MLC
208
formulation. Instead of taking the number of minutiae as the code of the region, we now generate
209
the code by computing the mean value of distances between these minutiae and the corresponding
210
sample points. Therefore, the MLC expression is now L = [ xˆ11 xˆ12 ... xˆ1n ... xˆ1N ; xˆ21 xˆ22 ... xˆ2n ... xˆ2N ;
211
...; xˆ M1 xˆ M2 ... xˆ Mn ... xˆ MN ], where xˆmn denotes the mean distance in each region. Figure 1 gives an
212
example of the line code generated based on the new scheme. 9
(a) Assume that a fingerprint is first enrolled with key 1. In the case of template database compromise, the original template can be made obsolete and replaced with a new one generated with a different secret key, key 2.
(b) Taking A and B as two multi-line codes generated from two distinct individual fingerprints. Matching A and B might result in a high score due to inter-class similarity. However, by permuting A and B with two unique secret keys, we can increase the distance between the two MLCs, and hence decrease the FAR during fingerprint matching.
Figure 2: Purposes of permuting multi-line code.
213
According to Farooq et al. (2007b), the accuracy of a biometric system can be increased by
214
adding more information to the protected biometric template. In other words, it is an alteration
215
in the trade-off between accuracy and security. Even though by using the mean distance, the
216
imposter will have no idea about the exact number of minutiae, it may leak the information about
217
the distribution of these minutiae within the region. In this case, the imposter needs less effort
218
to crack the location of the minutiae through brute-force attack. Detailed analysis of the security
219
of MLC is presented in Section 6.4. However, in return we gain accuracy by introducing higher
220
distinctiveness to MLC.
221
Furthermore, another drawback of using mean distance as the minutiae contribution measure
222
is that it is larger in size. Since the number of minutiae is always a whole number, it can be
223
stored as a short integer, which consumes only two bytes of storage memory. On the contrary,
224
the mean distance contains decimal point and requires four bytes of storage if it is stored in a
225
single-precision floating-point format. This doubles the storage requirement of MLC, and thus
226
leading to MLC binarization (Section 4.2) with the intention to complement the trade-off.
10
227
228
4.2. MLC Binarization MLC binarization converts the original mean distance value representation into binary codes.
229
This section discusses different approaches of quantizing MLC to obtain the final binary code.
230
4.2.1. 1-bit Binary Implementation
231
232
In 1-bit binary implementation, each number in MLC is converted into a 1-bit binary number (1 or 0). This is a rather simple thresholding process and can be formulated as: 0 if xˆ < τb ; bα = 1 otherwise.
(1)
233
where b represents the binarized value of xˆ, and τb represents the threshold value of the conver-
234
sion.
235
In addition, since a binary string can only contain logical 1 and logical 0, it is essential to
236
create another binary string, same length as the original real number string to store the invalid
237
bits (indicated by -1 in the real number representation).
238
4.2.2. k-bit Binary Implementation
239
In order to ensure that the performance of fingerprint recognition will not deteriorate af-
240
ter binarization, we increase the quantization bit-length to preserve more information about the
241
original real number MLC. Instead of using only 1 bit to represent the code, we can apply k-
242
bit binarization, where k ∈ {Z|k ≥ 2}. In this paper, we demonstrate the employment of 2-bit
243
binarization. Given that r = 25, the step size of a 2-bit uniform quantization is:
∆β−1 =
r = 6.25 2B
11
(2)
244
where B is the quantization bit-length. The binarized code can be expressed as:
bβ−1
=
[00] if cβ−1 = 0; [01] if cβ−1 = 1;
(3)
[11] if cβ−1 = 2; [10] if cβ−1 = 3.
245
xˆ ⌋ is the classification rule of quantization. We choose Gray code over natural where cβ−1 = ⌊ ∆β−1
246
binary code as the binary sequence of the code because it is designed in such a way that the
247
Hamming distances between two adjacent numbers are equal. However, problem arises when
248
adopting Dice similarity (Dice, 1945) from our previous paper (Wong et al., 2012) in the match-
249
ing of binary MLC. Since Dice similarity considers only the positive matches, any match in-
250
volving [00] will result in a zero similarity, which is undesirable. For instance, the similarities
251
between [00] and [01], and [01] and [11] are supposed to be identical, but instead, the calculated
252
Dice similarities of the number pairs are 0 and 0.67 correspondingly. Hence, we propose two
253
solutions to address the issue as described in the followings:
254
(i) One way to resolve the problem is by applying non-uniform quantization where [00] is only
255
associated with 0 in the real number representation while the numbers range in (0,25) are
256
uniformly distributed to the other three quantization levels. In this scenario, equation 2 is
257
modified into: ∆β−2 =
258
r 25 = 2B − 1 3
(4)
and the classification rule is:
cβ−2
=
0 xˆ ⌈ ∆β−2 ⌉
if xˆ = 0;
(5)
otherwise.
259
(ii) Another solution is to use a different similarity measure that is specifically designed for bi-
260
nary biometric template recognition and gives credits to both positive and negative matches.
261
This can solve the zero similarity problem concerning matchings with [00]. Examples of 12
262
such similarity or dissimilarity measures include Hamming distance, Faith similarity, Sokal
263
& Michener similarity and AZZOO similarity (Cha et al., 2005). This is further discussed
264
in Section 5.1.
265
5. Fingerprint Matching
266
5.1. MLC-to-MLC Matching
267
Given a MLC Le taken from the enrolled fingerprint template (T E = {L1 L2 ...LE }) and a MLC
268
Lq taken from the query fingerprint template (T Q = {L1 L2 ...LQ }), where E and Q is the total
269
number of minutiae in T E and T Q respectively. The similarity between Le and Lq signifies the
270
likelihood of Lq in T Q being a correspondence to Le in T E . If either Le or Lq contains more
271
than 50% of invalid code, the pair is marked unmatchable and is assigned a zero similarity. This
272
applies to all similarity measures discussed in this section. Otherwise, the similarity between
273
two MLCs is calculated as (Wong et al., 2012):
S Dice =
2|Le • Lq | |L2e | + |L2q |
(6)
274
where • denotes a element-wise multiplication and | · | calculates the sum of all elements. The
275
values of S Dice range from 0 to 1, of which 0 indicates a total mismatch between Le and Lq ,
276
whereas 1 indicates a perfect match between them.
277
In the context of binary MLC, we express the computation of similarity measure in Opera-
278
tional Taxanomic Units (OTUs): ρ1 = |Le ∧ Lq |, ρ2 = |L¯e ∧ Lq |, ρ3 = |Le ∧ L¯q | and ρ4 = |L¯e ∧ L¯q |,
279
where ∧ represents a bit-wise AND operation and L¯e and L¯q are the complements of Le and Lq
280
respectively. Therefore, equation (6) can be rewritten as:
S BinDice =
2ρ1 2ρ1 + ρ2 + ρ3
(7)
281
As suggested in Section 4.2, we need a more appropriate similarity measure to improve the
282
performance of k-bit binary MLCs. AZZOO similarity (Cha et al., 2005) has been proven to
283
outperform other measures in binary feature vector recognition. Unlike Dice similarity which 13
284
only gives credit to positive matches (ρ1 ), AZZOO similarity credits both positive and negative
285
matches (ρ4 ). The formula of weighted AZZOO (WAZZOO) which gives different weights to ρ1
286
and ρ4 , is given as: S WAZZOO = σ p ρ1 + σn ρ4
(8)
287
For the ease of direct comparison between two chosen similarity measures, WAZZOO similarity
288
is normalized so that the resulting score ranges from 0 to 1. The normalized WAZZOO (NWAZ-
289
ZOO) similarity is represented by:
S NWAZZOO =
290
291
σ p ρ1 + σn ρ4 σ p ρ1 + ρ2 + ρ3 + ρ4
(9)
Furthermore, we propose an enhanced similarity measure integrated from Dice similarity, called the dynamically weighted integrated Dice (DWID) similarity. The formula is derived as:
S DWID =
σm ρ1 σm ρ1 + σn (ρ2 + ρ3 )
(10)
292
Similar to Dice’s, DWID similarity ignores the negative matches. Nevertheless, DWID similarity
293
weighs ρ1 dynamically so that it is not credited linearly but exponentially. In order to achieve
294
that, we let σm = σ′m ρ1 while the weight for the non-matches (ρ2 and ρ3 ) in the normalizing
295
denominator is σn = σ′n (ρ2 + ρ3 ). Hence equation (10) can be rewritten as:
S DWID =
296
σ′m ρ21 σ′m ρ21 + σ′n (ρ2 + ρ3 )2
(11)
5.2. Global Matching Score
297
When dealing with two fingerprint templates, each MLC in T Q is cross-matched with the ones
298
in T E so that we have a similarity matrix containing similarity scores among all MLCs between
299
two templates. Each element in the similarity matrix is then re-evaluated with the following
14
300
criterion to eliminate double-matching: S (e, q) Condition 1; S (e, q) = 0 otherwise.
(12)
301
Condition 1 implies that S (e, q) ≥ τ s and S (e, q) must be the maximum among all values of
302
S (e, i) (for i ∈ [1, Q]) and S (i, q) (for i ∈ [1, E]), where τ s is the lowest similarity value to say
303
that a pair of MLCs are matchable.
304
To determine the overall similarity between T E and T Q , a global matching score is used to
305
measure the likelihood of T E and T Q being two instances of the same fingerprint. With the
306
processed similarity matrix, we calculate the matching score with the following formula:
MS =
307
6. Experiments and Discussions
308
6.1. Experiment Setup
Q E P P
S (e, q)
e=1 q=1
min(E, Q)
(13)
309
The proposed method is evaluated on the following datasets: FVC2002 DB1, DB2 and
310
FVC2004 DB1, DB2. Each dataset contains 100 fingerprints, and each fingerprint has 8 samples
311
with different ways and levels of perturbation. The first impression of every fingerprint is stored
312
as the enrolled template and the remaining seven impressions are used as queries, and thus re-
313
sulting in 70,000 tests in total, which include 700 genuine tests and 69,300 imposter tests per
314
dataset per setting. There are eight distinct settings being tested as abbreviated below:
315
• mlcn-Dice - MLC representing numbers of minutiae matched using Dice similarity.
316
• mlcm-Dice - MLC representing mean distance values matched using Dice similarity.
317
• mlcmb1-Dice - 1-bit binary MLC representing mean distance values matched using Dice
318
similarity.
15
319
320
321
322
323
324
325
326
327
328
• mlcmb2uq-Dice - 2-bit uniformly quantized binary MLC representing mean distance values matched using Dice similarity. • mlcmb2nq-Dice - 2-bit non-uniformly quantized binary MLC representing mean distance values matched using Dice similarity. • mlcmb2uq-NWAZZOO - 2-bit uniformly quantized binary MLC representing mean distance values matched using NWAZZOO similarity. • mlcmb2uq-DWID - 2-bit uniformly quantized binary MLC representing mean distance values matched using DWID similarity. • mlcmb2nq-DWID - 2-bit non-uniformly quantized binary MLC representing mean distance values matched using DWID similarity.
329
Tests are carried out in both genuine-key scenario and stolen-key scenario. In the former
330
scenario, we assume that the secret key is kept secure, so every MLC is permuted with its own
331
unique key (assigned to individual fingerprint) before matching. Whereas in the stolen-key sce-
332
nario, it is assumed that the secret key is compromised and becomes obsolete, so the MLCs are
333
matched unpermuted.
334
6.2. Accuracy
335
In genuine-key scenario, the proposed scheme performs ideally where the EERs for all set-
336
tings are 0%. On the other hand, in the case of stolen key, the EERs declined as expected. Table
337
1 shows the EERs of the proposed scheme as well as other minutiae distribution-based algo-
338
rithms. Despite the fact that the performance of MLC is not directly comparable to the other
339
literature due to different minutiae extraction method applied, we use Lee’s method (Lee and
340
Kim, 2010) and p-MCC (Ferrara et al., 2012) as the references in accuracy evaluation. Figure 3
341
shows the ROC curves of all MLC settings zoomed in to the EER-intercept to provide a graphical
342
comparison of the performances.
343
344
The result has proven that the application of both approaches towards enhancing MLC improves the accuracy of the original MLC. Moreover, the solutions suggested in Section 4.2.2 has 16
Table 1: EERs of the proposed methods and other existing algorithms for stolen-key scenario over different FVC datasets. Method/Setting mlcn-Dice (Wong et al., 2012) mlcm-Dice mlcmb1-Dice mlcmb2uq-Dice mlcmb2nq-Dice mlcmb2uq-NWAZZOO mlcmb2uq-DWID mlcmb2nq-DWID Lee’s method (Lee and Kim, 2010) p-MCC (Ferrara et al., 2012)
FVC2002DB1 4.69
FVC2002DB2 5.03
FVC2004DB1 10.36
FVC2004DB2 11.05
3.2 3.26 2.37 2.27 2.37 2.05 1.97 -
3.53 4.08 3.39 2.85 4.18 2.99 2.54 -
8.26 8.88 7.38 6.92 7.45 7.22 6.53 10.3
10.4 11.04 10.28 9.98 10.37 9.75 9.2 9.5
1.88
0.99
-
-
345
successfully compensated the problem of undesirable similarity among the binary sequences,
346
while the combination of both can reduce the EER to 1.97%, 2.54%, 6.53% and 9.2% for
347
FVC2001DB1, FVC2001DB2, FVC2004DB1 and FVC2004DB2 respectively. However, NWAZ-
348
ZOO similarity does not suit MLC matching probably because in binary MLC, the 1’s are
349
sparsely distributed with too many 0’s in between and thus, the outcome is predominated by
350
the negative matches even when it’s weight is small.
351
6.3. Revocability
352
We adopt the method described by Lee et al. (2007) to evaluate the revocability or diversity of
353
the proposed cancellable fingerprint template. In this section, we briefly explain the experiments
354
performed under two cases.
355
6.3.1. Case 1: Original Templates Versus Permuted Templates
356
In this scenario, we measure the improbability of a permuted template to correlate with the
357
original template of the fingerprint. The experiment procedures are as follows:
358
1) One out of eight impressions for each fingerprint is used to generate 30 different permuted
359
templates as the enrolled templates.
360
2) The remaining seven impressions are matched against the 30 enrolled templates.
361
3) Generate the distribution (hereafter denoted as D1) of matchable MLCs over all fingerprints.
362
A pair of MLCs are said to be matchable if the similarity score satisfies the condition men-
363
tioned in equation (12). Then, calculate the separability between D1 and the original genuine 17
(a) FVC2002DB1.
(b) FVC2002DB2.
(c) FVC2004DB1.
(d) FVC2004DB2.
Figure 3: ROC curves of all settings in stolen-key scenario. We can observe that for all datasets, mlcmb2nq-DWID (marked by inverted triangle) has the lowest EER value.
364
distribution (hereafter denoted as OG), defined as: |µD1 − µOG | SeparabilityD1 = q 2 2
(14)
σD1 +σOG 2
365
where µD1 , µOG , σ2D1 and σ2OG are the means and variances of the corresponding subscript.
366
Taking FVC2002DB1 as an example, Figure 4 illustrates the distribution of D1 and OG for
367
the highest separability setting (mlcn-Dice) together with two low separability settings (mlcmb1-
368
Dice and mlcmb2uq-NWAZZOO). Both figures in Table 2) and Figure 4 show that the distri-
369
butions have no correlation or negligible correlation between each other even for the lowest
370
separability setting (mlcmb2uq-NWAZZOO).
18
371
6.3.2. Case 2: Permuted Templates Versus Permuted Templates
372
If an enrolled template is compromised, it is replaced by a new template associated with a
373
different permutation key. In this scenario, we measure the dissimilarity between templates from
374
the same fingerprint permuted with different keys. The experiment is conducted as follows:
375
1) Similar to previous case, one out of eight impressions for each fingerprint is used as the
376
377
378
379
380
enrolled templates with five distinct permutation orders. 2) Each of the remaining seven impressions is assigned another ten different keys to produce ten unique permuted templates and matched against the five enrolled templates. 3) Produce the distribution (hereafter denoted as D2) of matchable minutiae over all fingerprints for this scenario. Then, calculate the separability between D2 and OG, defined as: |µD2 − µOG | SeparabilityD2 = q 2 2
(15)
σD2 +σOG 2
381
where µD2 and σ2D2 are the mean and variance of D2 respectively.
382
Figure 4 also includes the distribution of D2 for mlcn-Dice, mlcmb1-Dice and mlcmb2uq-
383
NWAZZOO. Similar to those in case 1 (Section 6.3.1), the distributions are uncorrelated or hardly
384
correlated with OG. Hence, if the length of a real number MLC and binary MLC are 1,476 and
385
1,476B respectively (correspond to the parameters in Section 3.1), almost all of the 1,476! or
386
1,476B! permutation orders can be utilized. This applies to all the datasets used.
387
Revocability increases when the separability increases. Also, the revocability of cancellable
388
fingerprint template is one major factor which determines its diversity. From Table 2, we can
389
observe that for all datasets, mlcn-Dice yields the highest diversity while the enhanced MLC
390
weakens in this property.
391
6.4. Non-reversibility
392
In this section, we discuss the non-reversibility of the proposed system by evaluating its
393
security against brute-force attack. It is mainly determined by two factors - the strength of the
394
non-invertible transform and the amount of possible permutation keys. As discussed in Section 19
Table 2: Separabilities of [µOG , σ2OG ](µD1 , σ2D1 ), (µD2 , σ2D2 ). Method/Setting mlcn-Dice
mlcm-Dice
mlcmb1-Dice
mlcmb2uq-Dice
mlcmb2nq-Dice
mlcmb2uq-NWAZZOO
mlcmb2uq-DWID
mlcmb2nq-DWID
all
MLC
FVC2002DB1 4.38,4.38 [27.38,78.14] (0,0),(0,0) 3.85,3.85 [25.48,87.52] (0,0),(0,0) 3.56,3.56 [23.62,88.05] (0,0),(0,0) 3.65,3.65 [23.93,85.78] (0,0),(0,0) 3.75,3.75 [24.72,86.91] (0,0),(0,0) 2.83,2.83 [19.1,91.11] (0,0),(0,0) 3.61,3.61 [23.81,86.91] (0,0),(0,0) 3.72,3.72 [24.62,87.65] (0,0),(0,0)
settings
in
the
FVC2002DB2 4.4,4.4 [33.59,116.52] (0,0),(0,0) 3.88,3.88 [30.67,124.7] (0,0),(0,0) 3.43,3.43 [27.74,130.72] (0,0),(0,0) 3.59,3.59 [28.66,127.14] (0,0),(0,0) 3.72,3.72 [29.67,127.54] (0,0),(0,0) 3.86,3.86 [30.3,122.96] (0,0),(0,0) 3.9,3.9 [30.31,120.84] (0,0),(0,0) 4,4 [31.11,121.1] (0,0),(0,0)
format
of
SeparabilityD1 ,SeparabilityD2
FVC2004DB1 4.55,4.55 [25.46,62.58] (0,0),(0,0) 3.85,3.85 [22.43,67.75] (0,0),(0,0) 3.08,3.08 [18.86,74.81] (0,0),(0,0) 3.13,3.13 [19.06,74.25] (0,0),(0,0) 3.39,3.39 [20.54,73.23] (0,0),(0,0) 3.43,3.43 [20.21,69.33] (0,0),(0,0) 3.62,3.62 [21.12,68.19] (0,0),(0,0) 3.67,3.67 [19.39,94.9] (0,0),(0,0)
FVC2004DB2 3.3,3.3 [18.76,64.46] (0,0), (0.01,0.01) 3.22,3.22 [18.78,68.02] (0,0),(0,0) 2.8,2.8 [16.61,70.55] (0,0),(0,0) 2.99,2.99 [16.44,60.29] (0,0),(0,0) 3.05,3.05 [21.32,97.69] (0,0),(0,0) 2.82,2.82 [19.39,94.9] (0,0),(0,0) 3.02,3.02 [17.82,69.62] (0,0),(0,0) 3.04,3.04 [20.03,87.09] (0,0),(0,0)
Figure 4: Matchable MLCs distributions for FVC2002DB1. For the three settings shown in the figure, D1 and D2 has all-zero distribution, thus resulting in zero means (µD1 and µD2 ) and zero variances (σ2D2 and σ2D2 ) as shown in Table 2. Among the three, OG of mlcn-Dice is distributed furthest from its D1 and D2, resulting in highest separability.
395
6.3, the attackers require at most 1,476! (or 1,476B!) attempts to reconstruct the original template
396
from the permuted template, which is certainly computational infeasible in real time. Despite
397
that, under the worst case scenario where both the template and the key are compromised and the
398
transformation method is known, the security only relies on the strength of the transformation. It 20
399
refers to the improbability of unveiling the original minutiae set from the unpermuted template. For the number-of-minutiae version of MLC, provided ∆ϕ =
400
π 3
≈ 1.1 (from Section 3.1),
401
with precision of 0.1, there are 11 possible orientations in an angular division. Also given r = 25
402
and
403
Therefore, a 1 in the MLC may be the result of a minutia being in one of the 11 × 982 = 10, 802
404
locations in the semi-cylinder. Even if there are only 40 unique minutiae in the fingerprint,
405
the total number of repeatable minutiae contributing to all the entire template can easily exceed
406
3,000. Since there is no way to know which ones are repeating, the attacker requires more than
407
10, 802 × 3, 000 ≈ 30 million attempts to uncover the raw minutiae data.
πr2 2
≈ 982, we can know that there are approximately 982 pixels in a region (semi-circle).
408
It does not make it easier when the mean distance value is used as MLC. Due to the fact
409
that the calculation of mean value itself is a many-to-one mapping function, the attacker needs
410
to get all the distance values in a region before cracking the location of the minutiae, without
411
any information about the number of minutiae within the region. This creates even more hassles
412
for the attacker. Furthermore, the quantization process in binary MLC generation serves as an
413
additional level of protection as it is another many-to-one mapping function to be cracked. In
414
short, it is impracticable to reverse the transformation in real time.
415
6.5. Template Size
416
Given that the length of a MLC is 1,476×k, where k = 1 for real number MLC and k is equiva-
417
lent to the quantization bit-length (B) for binary MLC. Taking an integer as a two-byte data and a
418
decimal-point number as a four-byte data, the template size for mlcn and mlcm are approximately
419
115 KB and 230 KB respectively (assuming that there are 40 minutiae in a fingerprint).
420
With the implementation of MLC binarization, the original MLC is converted into a 1,476B-
421
bit binary MLC plus a 1,476-bit invalid codes. So when B = 1, the template size drops down
422
to 14 KB whereas it is 22 KB for B = 2. In general, the template compression rate from mean-
423
distance-value MLC to binary MLC is 32:(B+1). Besides, since MLC contains long repeated
424
0’s, the storage size can be further reduced using appropriate data compression algorithm.
21
425
7. Conclusions
426
In this paper, a two-staged enhancement method was proposed to ameliorate the performance
427
of MLC considering the recognition accuracy, template size and security. The idea was to ac-
428
quire the balance point among the four criterions. The results showed that the enhanced MLC
429
excelled in recognition accuracy and template size, but the computational cost and security were
430
compromised to a reasonable extent that the three main objectives of template protection scheme
431
(Section 1) were not violated.
432
One potential application of MLC (or specifically binary MLC) is biometric cryptography
433
(bio-cryptography), which includes key generation and key binding. However, MLC alone is not
434
robust enough to be used in bio-crypto systems. Error correction coding, fuzzy vault and fuzzy
435
commitment are the possible ways of incorporating MLC in bio-cryptography.
436
References
437
Ahmad, T., Hu, J., Wang, S., 2011. String-based cancelable fingerprint templates, in: 6th IEEE Conference on Industrial
438 439 440 441 442 443 444 445 446
Electronics and Applications, Beijing. pp. 1028–1033. Ang, R., Safavi-Naini, R., McAven, L., 2005. Cancelable key-based fingerprint template, in: Proceedings of 10th Australasian Conference (ACISP’05) Information Security and Privacy, pp. 109–128. Belgeuchi, R., Rosenberger, C., Ait-Aoudia, S., 2010. Biohashing for securing fingerprint minutiae templates, in: the 20th International Conference on Pattern Recognition (ICPR), Istanbul. pp. 1168–1171. Cappelli, R., Ferrara, M., Maltoni, D., 2010. Minutia cylinder-code: A new representation and matching technique for fingerprint recognition. IEEE Trans. Pattern Anal. Mach. Intell. 32, 2128–2141. Cha, S.H., Yoon, S., Tappert, C.C., 2005. Enhancing Binary Feature Vector Similarity Measure. Technical Report. Ivan E. Seidenberg School of Computer Science and Information Systems, Pace University.
447
Dice, L.R., 1945. Measures of the amount of ecologic association between species. Ecol. 26, 297–302.
448
Farooq, F., Bolle, R.M., Jea, T.Y., Ratha, N., 2007a. Anonymous and revocable fingerprint recognition, in: IEEE
449
Conference on Computer Vision and Pattern Recognition, Minneapolis. pp. 1–7.
450
Farooq, F., Ratha, N., Jea, T.Y., Bolle, R., 2007b. Security and accuracy trade-off in anonymous fingerprint recognition,
451
in: First IEEE International Conference on Biometrics: Theory, Applications, and Systems, Crystal City, VA. pp. 1–6.
452
Ferrara, M., Maltoni, D., Cappelli, R., 2012. Non-invertible minutia cylinder-code representation. IEEE Trans. Inf.
453 454
Forensics Secur. . Jain, A.K., Nandakumar, K., Nagar, A., 2008. Biometric template security. EURASIP J. Adv. Signal Process 2008, 1–17.
22
455 456
Jain, A.K., Prabhakar, S., Hong, L., Pankanti, S., 2000. Filterbank-based fingerprint matching. IEEE Trans. Image Process. 9, 846–859.
457
Jin, Z., Ong, T.S., Tee, C., Teoh, A.B.J., 2011. Generating revocable fingerprint template using polar grid based 3-tuple
458
quantization technique, in: IEEE 54th International Midwest Symposium on Circuits and Systems, Seoul. pp. 1–4.
459
Jin, Z., Teoh, A.B.J., Ong, T.S., Tee, C., 2010. Generating revocable fingerprint template using minutiae pair representa-
460 461 462 463 464 465 466
tion, in: 2nd International Conference on Education Technology and Computer, Shanghai. pp. 251–255. Kumar, G., Tulyakov, S., Gavindaraju, V., 2010. Combination of symmetric hash functions for secure fingerprint matching, in: 20th International Conference on Pattern Recognition, Istanbul. pp. 890–893. Lee, C., Choi, J.Y., Toh, K.A., Lee, S., Kim, J., 2007. Alignment-free cancelable fingerprint templates based on local minutiae information. IEEE Trans. Syst., Man Cybern. - Part B: Cybern. 37, 980–992. Lee, C., Kim, J., 2010. Cancelable fingerprint templates using minutiae-based bit-strings. J. Netw. Comput. Appl. 33, 236–246.
467
Maltoni, D., Maio, D., Jain, A.K., Prabhakar, S., 2009. Handbook of Fingeprint Recognition. Springer-Verlag, London.
468
Mimura, M., Ishida, S., Seto, Y., 2001. Development of personal authentication techniques using fingerprint matching
469 470 471 472 473 474 475
embedded in smart cards. IECIE Trans. Inf. Syst. E84-D, 812–818. Quan, F., Fei, S., Anni, C., Feifei, Z., 2008. Cracking cancelable fingerprint template of ratha, in: 2008 International Symposium on Computer Science and Computational Technology, Beijing. pp. 572–575. Ratha, N.K., Chikkerur, S., Connell, J.H., Bolle, R.M., 2007. Generating cancelable fingerprint templates. IEEE Trans. Pattern Anal. Mach. Intell. 29, 561–572. Rathgeb, C., Uhl, A., 2011. A survey on biometric cryptosystems and cancelable biometrics. EURASIP J. Inf. Secur. 2011, 1–25.
476
Takahashi, K., 2009. Unconditionally provably secure cancelable biometrics based on a quotient polynomial ring, in: the
477
3rd IEEE International Conference on Biometrics: Theory, applications and systems, Washington, DC. pp. 327–332.
478
Takahashi, K., Hirata, S., 2011. Generating provably secure cancelable fingerprint templates based on correlation-
479
invariant random filtering, in: 2011 International Joint Conference on Biometrics (IJCB), Piscataway, NJ. pp. 1–8.
480
Teoh, A.B.J., Ngo, D.C.L., Goh, A., 2004. Biohashing: Two factor authentication featuring fingerprint data and tokenised
481 482 483 484 485 486 487 488 489
random number. Pattern Recognit. 37, 2245–2255. Teoh, A.B.J., Yip, W.K., Lee, S., 2008. Cancellable biometrics and annotations on biohash. Pattern Recognit. 41, 2034–2044. Teoh, A.B.J., Yip, W.K., Toh, K.A., 2010. Cancellable biometrics and user-dependent multi-state discretization in biohash. Pattern Anal. Appl. 13, 301–307. Tico, M., Kuosmanen, P., 2003. Fingerprint matching using an orientation-based minutia descriptor. IEEE Trans. Pattern Anal. Mach. Intell. 37, 980–992. Tulyakov, S., Farooq, F., Govindaraju, V., 2005. Symmteric hash functions for fingerprint minutiae, in: Proceedings of 3rd International Conference on Advances in Pattern Recognition (ICAPR’05), pp. 30–38.
23
490 491 492 493
Tulyakov, S., Farooq, F., Mansukhani, P., Govindaraju, V., 2007. Symmteric hash functions for secure fingerprint biometric systems. Pattern Recognit. Lett. 28, 2427–2436. Wang, S., Hu, J., 2012. Alignment-free cancelable fingerprint template design: A densely infinite-to-one mapping (DITOM) approach. Pattern Recognit. .
494
Wong, W.J., Wong, M.L.D., Kho, Y.H., 2012. A low complexity multi-line code for cancelable fingerprint template,
495
in: the 2nd International Conference on Convergence Technology 2012, Korea Convergence Society, Qingdao. pp.
496
61–65.
497
Yang, B., Hartung, D., Simoens, K., Busch, C., 2010. Dynamic random projection for biometric template protection, in:
498
Fourth IEEE International Conference on Biometrics: Theory, apllications and systems, Washington, DC. pp. 1–7.
24