String-based Cancelable Fingerprint Templates - Semantic Scholar

String-based Cancelable Fingerprint Templates Tohari Ahmad

Jiankun Hu

Song Wang

School of Computer Science and Information Technology RMIT University Melbourne, Australia [email protected]

School of Engineering and Information Technology UNSW@ADFA Canberra, Australia [email protected]

School of Engineering and Mathematical Sciences La Trobe University Melbourne, Australia [email protected]

Abstract—Cancelable (revocable) fingerprint templates have been proposed to protect fingerprint data. However, many of them have incurred significant authentication performance degradation. In this paper, we propose a cancelable fingerprint template design mechanism to protect fingerprint data while maintaining a satisfactory authentication performance. The proposed scheme transforms fingerprint minutiae points into a vector string which serves as the cancelable fingerprint template. The results of the experiment carried out using a public database FVC2002DB2 show that it meets the requirements of revocability, diversity and security for cancelable fingerprint templates, in addition to the low error level.

I. I NTRODUCTION Biometric authentication has been widely applied in many applications, which is likely to replace the use of conventional authentication in the future. Some biometric modalities, such as fingerprint and iris, can be potential candidates for further improvement due to their characteristics [13], e.g. distinctiveness and universality. However, security and privacy remain an issue as once biometrics are compromised they are lost forever. Some biometric attack models have been presented in [13], [20], [21], which, in general, show that attacks can take place at the scanner, feature extractor, matcher, system database, and the channels between those modules. Various attacks which can be launched against those targeted points have been described in [3], [18]. A common objective of these attacks is to obtain a user’s biometric template because compromising it will make it easier to get the user’s identity which leads to privacy attacks. Moreover, some attacks to the biometric template have made it possible to reconstruct the raw (original) template [22], [25]. To protect fingerprint biometric templates, many methods have been proposed. Generally they can be classified into following categories [12]: (i) image encryption [9], [11] (ii) biometric encryption [6], [15] (iii) cancelable (revocable) biometrics [20], [5], [24], [27]. Image-based encryption approaches require storing a cryptographic key which is problematic by itself [10]. Intrauser variability and interuser similarity, however, present a major challenge to the approaches in the other two categories. Furthermore, it is likely that the authentication performance of the transformed biometric template is poorer than that of the untransformed one. This paper proposes a cancelable fingerprint template scheme by building upon our previous work [1] to improve

c 978-1-4244-8756-1/11/$26.00 2011 IEEE

the authentication performance and security. Through adding a new step, the proposed template transformation generates a vector string to represent secure fingerprint features. The transformation is parameterized by a set of keys. So, in the worst case where the template is compromised, a new template can be generated, which is different enough from the old one, by using a different set of parameters or keys. It is infeasible to reconstruct the original fingerprint data, given the transformed template or even with the key itself. Therefore, the proposed scheme offers revocability, diversity and security properties. The transformation function is tested in various scenarios using a public data set whose quality varies. The rest of the paper is organized as follows. Section II describes the related works and existing researches. Section III presents the proposed scheme in detail while section IV analyses the experimental results. Finally, the conclusion is drawn in section V. II. R ELATED WORK In general, there are some advantages of biometric encryption [4], which are also applicable to other biometric protection schemes, for instance: ∙ it can be used for multiple identifiers ∙ it does not need to retain the original biometric image/template ∙ it is appropriate for large-scale application ∙ it is more accepted by public The concept of cancelable biometric templates is introduced by Ratha et al. [20] by scrambling the biometric signal or feature such that it is infeasible to recover it given the transformed biometrics. So, the transformation function should not only be able to distinguish the fingerprints between users (discriminability), but also make it hard to reverse the transformed template (noninvertibility). This is difficult to achieve as both properties are inversely proportional. Different to conventional cryptographic algorithms, apart from irreversibility, it is argued that the transformation function should be secret [4]. In addition to this concept, some more properties should be met to alleviate the threats [16], which include: ∙ the information stored should be minimal with respect to users’ identity and their biometrics. So, acquiring the information is not adequate to launch an impersonation attack

1028

Fig. 1.

∙ ∙ ∙

The general scheme of secure string generation

the verifier is not able to access the untransformed biometric templates a single biometric template can derive multiple representations two “identical” (but not exactly same) biometric templates can successfully be authenticated if their distance is considered small

Arakala et al. [2] implement this concept by using fuzzy extractor [6]. They employ both global and local features to represent fingerprint minutiae. Using private and public databases, the implementation is able to achieve Equal Error Rate (EER) of 10% and 15%, respectively. It is shown that the error is caused by incorrectly detecting the core point. Sutcu et al. [24] transform the minutiae points into a circle whose radius is specified. Each point is connected to another point by a straight line whose intersection to the circle is to be the mapping point. Still using a circle for mapping, Yang et al. [27], improve the performance by changing the mapping point into the perpendicular direction to the connecting line. This is intended to reduce the effect of the use of the straight line which is believed to cause arbitrary distances of mapping points. In addition, it uses both global and local features which contain the angle between two minutiae points, the angle between the connecting line and the minutiae orientation to increase performance. They have been able to decrease the EER from 19.8% on average to 13%. Lee and Kim [17] generate bit strings by mapping minutiae points into a three dimensional array (3D array). A minutia is chosen as the reference to the remaining minutiae points. This process is repeated until all minutiae have been used one by one as the reference. A bit string is generated based on the number of mapped points in each cell, that is, cells which contain more than one point are set to 1 and the others are set to 0. Using the different keys for transformation, they are able to achieve the EER close to 0. However, when the same key is applied, the EER increases to 6.8%. Another weakness is that

the transformation is invertible which makes it vulnerable to attack. Even though it has been transformed, if the template and key are compromised, the raw fingerprint is likely to be revealed. III. P ROPOSED S CHEME Inspired by our previous research [1], we make an improvement to the proposed noninvertible string generator based on the users’ fingerprint information and key. The improved scheme only needs to store the generated string in the database/smart card serving as the cancelable fingerprint template, instead of minutiae data. Its representation is different from the extracted raw fingerprint features, that is, the coordinate, orientation and type of the minutiae points are not stored. The bit string generation process consists of a number of steps along with its respective key, and is depicted in fig. 1. First of all, the fingerprint is extracted to get a set of minutiae and singular points which are expressed in eq. 1. ⎫ 𝐵∈𝜓   ⎬ 𝐵 = {𝑚𝑖 }𝑛𝑖=1 (1) 𝑚𝑖 = (𝑥, 𝑦, 𝜃)𝑖   ⎭ 𝑚𝑠𝑝 = (𝑥, 𝑦, 𝜃)𝑠𝑝 where 𝜓 is a fingerprint domain space; 𝐵 is a set of minutiae points extracted from a fingerprint image; 𝑚𝑖 and 𝑚𝑠𝑝 are the 𝑖𝑡ℎ minutiae point and the singular point, respectively; (𝑥, 𝑦) is the minutiae point coordinate in the Cartesian space; 𝜃 is the minutiae orientation and 𝑛 is the total number of minutiae points in 𝐵. In this case, the singular point (i.e., core point) is the transformation reference point. A. Quantization In the fingerprint coordinate space, the core point is located at the center 𝑚𝑠𝑝 (0, 0) whose orientation is aligned to the 𝑥 − 𝑎𝑥𝑖𝑠 of the space. The fingerprint area is then divided into

2011 6th IEEE Conference on Industrial Electronics and Applications

1029

Fig. 3. The projection step. All mapped points 𝑚𝑐 are projected with respect to both 𝑥 − 𝑎𝑥𝑖𝑠 and 𝑦 − 𝑎𝑥𝑖𝑠 to the line 𝐿 whose slope is determined by 𝜅𝛼

Fig. 2. The quantization step. The fingerprint coordinate space is divided into subspaces

cells (squares) as shown in fig. 2 [23], such that all or most of the minutiae points are covered by the cells, depending on the total number and size of the cells. This information is stored in the key 𝜅𝑐 . All minutiae points in each cell, if any, are mapped by the function 𝑓𝑐 to the center of the respective cell. So, in case there is more than one point in a cell, there will be manyto-one mapping in that cell. The information of the number of points in each cell is not stored. As a result, there is no information about which cell performs many-to-one or one-toone mapping. An empty cell, of course, represents that there is no minutiae point in that cell both before and after the mapping. This step can be explained as: 𝑐 = 𝑓𝑐 (𝜅𝑐 , {𝑚𝑖 }𝑛𝑖=1 ) {(𝑚𝑖 )𝑐 }𝑛𝑖=1

(2)

where (𝑚𝑖 )𝑐 and 𝑛𝑐 are the minutiae point which has been mapped by the function 𝑓𝑐 and the number of mapping points, respectively. The following steps are based on the idea of our previous work [1]. B. Projection A line 𝐿 crossing 𝑚𝑠𝑝 (0, 0) is drawn in the coordinate space. Its slope is controlled by the key 𝜅𝛼 which represents its rotational distance from 𝑥 − 𝑎𝑥𝑖𝑠 counterclockwise. All of 𝑐 , are projected to the line mapped minutiae points, {(𝑚𝑖 )𝑐 }𝑛𝑖=1 𝐿 with respect to the 𝑥 − 𝑎𝑥𝑖𝑠 and 𝑦 − 𝑎𝑥𝑖𝑠 as depicted in fig. 3 to arrive at 𝛼 𝑐 {(𝑚𝑖 )𝛼 }𝑛𝑖=1 = 𝑓𝛼 (𝜅𝛼 , {(𝑚𝑖 )𝑐 }𝑛𝑖=1 )

(3)

where (𝑚𝑖 )𝛼 , 𝑛𝛼 and 𝑓𝛼 are the projected minutiae point, the number of projected points and the projection function, respectively. It follows that 𝑛𝛼 = 2𝑛𝑐 , which spreads those points over the line 𝐿.

1030

Fig. 4. The grouping step. In this example, projected points 𝛼 {(𝑚𝑖 )𝛼 }𝑛 𝑖=1 , 𝑛𝛼 = 10 are grouped into 4 partitions. There are 4 points ((𝑚1 )𝛼 , (𝑚2 )𝛼 , (𝑚9 )𝛼 , (𝑚1 0)𝛼 ) which are not covered by those groups because they are beyond the line length 𝑙 as specified by 𝜅𝑙

C. Grouping 𝛼 are divided into (𝑙/𝑝) The projected points {(𝑚𝑖 )𝛼 }𝑛𝑖=1 groups, where 𝑙 and 𝑝 are determined by the key 𝜅𝑙 and 𝜅𝑝 , respectively. Specifically, 𝜅𝑙 and 𝜅𝑝 determine the length of line 𝐿 involved in the grouping and the length of each group, as illustrated in fig. 4. The number of points in each group is counted and mapped into an array vector 𝑣 whose length is also (𝑙/𝑝). So, there is a one-to-one mapping between the (𝑙/𝑝) groups along 𝐿 and (𝑙/𝑝) elements in 𝑣. Note that it is 𝛼 are beyond likely that some projected points in {(𝑚𝑖 )𝛼 }𝑛𝑖=1 the range of 𝑙, which means that they may not be involved in the grouping process. The values of 𝑙 and 𝑝 also determine which part of 𝐿 is used in the grouping. In this case, it needs to define the 𝑚𝑟 (𝑥𝑟 , 𝑦𝑟 ) to be the middle of 𝐿, as shown in fig. 4. It is defined as [1]: } 𝛼) + 𝑚𝑖𝑛(Π𝑥𝛼 ) 𝑥𝑟 = 𝑚𝑎𝑥(Π𝑥𝛼 )−𝑚𝑖𝑛(Π𝑥 2 (4) 𝑦𝑟 = 𝑡𝑔(𝛼)𝑥𝑟 𝛼 . Therefore, where Π𝑥𝛼 is the set of abscissa of {(𝑚𝑖 )𝛼 }𝑛𝑖=1 𝑚𝑟 (𝑥𝑟 , 𝑦𝑟 ) does not have to be the same as 𝑚𝑠𝑝 (0, 0). Mapping between the number of points in each group and the vector 𝑣 is specified by key 𝜅𝑖𝑛 , that is, this key arranges the indices (permutation) of each group in 𝐿. For example, the


grouping step which is depicted in fig. 4 may generate vector 𝑣 = {(1, 2, 0, 3), (1, 2, 3, 0), ...((0, 3, 2, 1)}, depending on the value of 𝜅𝑖𝑛 . The grouping and vector generation steps can be formulated as:

90 False Acceptance Rate (FAR) False Rejection Rate (FRR)

80 70

𝑛

𝑙𝑝 𝛼 𝑣 = 𝑓𝑖𝑛 (𝜅𝑖𝑛 , {𝑓𝑙𝑝 ((𝜅𝑙 , 𝜅𝑝 ), {(𝑚𝑖 )𝛼 }𝑛𝑖=1 )}𝑖=1 )

(5)

where 𝑓𝑙𝑝 , 𝑓𝑖𝑛 and 𝑛𝑙𝑝 (= 𝑙/𝑝) are grouping function, permutation functions and number of groups, respectively.

Error Rate (%)

60 50 40 30 20

D. Verification Finally, the vector 𝑣 is stored in the database or smart card as a template. In the verification, the fingerprint query will follow the same steps which generate 𝑣 ′ . If 𝑣 ′ is similar enough to 𝑣, then the verification is successful. The similarity (distance) between the fingerprint query and template is measured by using mean absolute error [1], [24], that is, the sum of difference between each pair of vector elements in 𝑣 ′ and 𝑣 as in eq. 6. 𝑑𝑖𝑠(𝑣, 𝑣 ′ ) =

1 𝜖 Σ ∣𝑠𝑖 − 𝑠′𝑖 ∣ 𝜖 𝑖=1

10 0

1

1.5

2

2.5

3 dis(v,v’)

3.5

4

4.5

5

Fig. 5. The EER of the worst case situation where the key 𝜅 = {𝜅𝑐 , 𝜅𝛼 , 𝜅𝑙 , 𝜅𝑝 , 𝜅𝑖𝑛 } is compromised. The adversary uses the key and his/her fingerprint to authenticate him/herself

A. Performance (6)

where 𝜖, 𝑠𝑖 and 𝑠′𝑖 are total element number of 𝑣, the 𝑖𝑡ℎ element in vector 𝑣 and 𝑣 ′ , respectively. Note that (i) 𝜖 = 𝑛𝑙𝑝 ; (ii) 𝑣 and 𝑣 ′ must have the same 𝜖 to make them verifiable. If 𝑑𝑖𝑠(𝑣, 𝑣 ′ ) is below or same as the specified threshold, then the query is verified successfully or otherwise. To sum up, the proposed scheme requires the key 𝜅 = {𝜅𝑐 , 𝜅𝛼 , 𝜅𝑙 , 𝜅𝑝 , 𝜅𝑖𝑛 } to transform the raw fingerprint template into the cancelable template 𝑣 = 𝑓 (𝜅, 𝐵), where 𝑓 is the composite transformation function. IV. E XPERIMENT AND A NALYSIS Fingerprints are extracted by using Verifinger software [19] to collect the sets of minutiae points 𝐵 = {𝑚𝑖 }𝑛𝑖=1 ; and FOMFE model [26] to get the core points 𝑆 = 𝑚𝑠𝑝 . The proposed scheme is evaluated by employing public databases FVC2002DB2 [8] which contain some fingerprint impressions (databases) whose quality varies. In the experiment, the first database is used for the template while the second is for the query. The evaluation results are represented in Equal Error Rate (EER) and Receiver Operating Characteristic (ROC) curves which provide the Genuine Acceptance Rate (GAR) and False Acceptance Rate (FAR) information. The genuine testing is carried out by comparing each fingerprint of the second database to the corresponding fingerprint in the first database while the imposter testing is performed by comparing each fingerprint in the second database to all fingerprints in the first database except its corresponding fingerprint. In addition, the purpose of evaluation is to measure the characteristics of the proposed scheme in terms of: (i) performance, (ii) capability of fulfilling revocability and diversity and (iii) security.

In the first scenario, it is assumed that an adversary has compromised the key 𝜅 = {𝜅𝑐 , 𝜅𝛼 , 𝜅𝑙 , 𝜅𝑝 , 𝜅𝑖𝑛 } which represents the worst case in the real world. It means that the adversary may use this key to pretend to be a legitimate user by using his/her own fingerprint data. We measure this possibility and present the result in fig. 5. It is found that the EER ≈ 6%, and when FAR = 5.03%, GAR = 94%. The error rejection is mostly caused by incorrectly locating the core point that may have a significant effect on its orientation. Moreover, it is likely that the core point can not be detected at all which results in failing to register/verify. In the second scenario, it is assumed that only part of the key is compromised. Note that, if 𝜅𝑙 and 𝜅𝑝 are secure, then compromising the other keys may have no effect. This is because the query must have the same total partition number as the template has, which is determined by 𝜅𝑙 and 𝜅𝑝 combination (see Section III-D). Different combinations may cause the total vector element different, which also makes the query unverifiable. Assume that among the set of the key 𝜅 = {𝜅𝑐 , 𝜅𝛼 , 𝜅𝑙 , 𝜅𝑝 , 𝜅𝑖𝑛 } only one key is still unknown while all the others have been compromised. We perform a brute force attack by trying the combination of the key 𝜅𝑐 = {10, 20, 30, 50, 70, 80, 90}, 𝜅𝛼 = {10, 20, 30, 40, 50, 70, 80} and random 𝜅𝑖𝑛 to measure the FAR as shown in table I. It is found that the FAR is relatively low, comparing to 5.03% when the whole key is compromised. B. Revocability and Diversity In case the key has been compromised as in section IV-A, it should be revoked and a new key is created to generate a new fingerprint template. In this case, the new key must be different enough from the old one, such that it can not authenticate the


1031

TABLE I M EAN (𝜇) AND STANDARD DEVIATION (𝜎)OF VARIOUS FAR, ASSUMING THAT THERE IS ONLY ONE KEY IN {𝜅𝑐 , 𝜅𝛼 , 𝜅𝑖𝑛 } THAT IS NOT COMPROMISED . 𝜅𝑐 (%) 1.23 1.23

𝜅𝛼 (%) 1.24 0.40

𝜅𝑖𝑛 (%) 0.26 0.08

old template and the old key can not authenticate the new template. To evaluate the revocability and diversity properties, we randomly generate 10000 𝜅𝑖𝑛 for each query to authenticate the corresponding template. This is to be the pseudo imposters that are actually generated from the same fingerprint as the template. We find that the average of FAR is 1.52% with 𝜎 = 0.01%, which is close to the result for the real imposter. It means that this different key will generate different templates from the same fingerprint as if they are from different fingerprints. It also means that the possibility of cross-matching among databases is low [7], [14], which makes the proposed scheme applicable in various applications.

98 96 Genuine Acceptance Rate (GAR)

FAR 𝜇 𝜎

100

92 90 88 ε=6

86

ε=8

84

ε = 12

82

ε = 14

80

ε = 16

78 0

5 10 False Acceptance Rate (FAR)

15

Fig. 6. The ROC curve of various 𝜖. Too low or too high 𝜖 decreases the performance. In this example, 𝜖 = 12 gives better performance than 6, 8, 14 or 16.

100

As has been discussed in Section III-D, to make the query verifiable, its total number of vector elements must be the same as the template has. It is determined by 𝜖 = (𝑙/𝑝) which is derived from {𝜅𝑙 , 𝜅𝑝 }. If only either 𝑙 or 𝑝 is compromised, then 𝜖 is still safe. However, 𝜖 can also be resulted from different (𝜅𝑙 , 𝜅𝑝 ) pairs, such that 𝜖 = (𝑙/𝑝) = (𝑙′ )/(𝑝′ ) with 𝑙 ∕= 𝑙′ , 𝑝 ∕= 𝑝′ . Therefore, 𝜖 can be inferred if either (𝑙, 𝑝) or the fingerprint template 𝑣 is known, or by trying {𝑙′ , 𝑝′ } ∈ ℝ combination. A greater 𝜖 makes the template 𝑣 more secure. This is because it will increase the number of possible permutation of the vector element indices (widening the 𝜅𝑖𝑛 space) which is proportional to the entropy (𝑙𝑜𝑔2 𝜖!). However, a too big 𝜖 will decrease the performance as shown in fig. 6. On the other hand, too low or too high 𝜅𝑙 and 𝜅𝑝 will decrease the performance too, as depicted in fig. 7, where a fixed 𝜖 constructed by various (𝜅𝑙 , 𝜅𝑝 ) pairs. In case both 𝜅 and 𝑣 are compromised, the adversary may be able to infer the total number of points in each group as illustrated in fig. 4. The exact location of each projected point (𝑚𝑖 )𝛼 , however, is still unknown. Furthermore, as there is a one-to-many mapping in the projection step (see Section III-B), the adversary can find the corresponding pair point to arrive at the nonprojected point (𝑚𝑖 )𝑐 coordinate. On the other hand, this corresponding pair point may not be included in the template if it is not covered by the line length 𝑙, so there is no information about it. For example, the information of points (𝑚1 )𝛼 , (𝑚2 )𝛼 , (𝑚9 )𝛼 and (𝑚10 )𝛼 in fig. 4 is not stored in the database/smart card. In case all (𝑚𝑖 )𝑐 points can be found, the adversary may use the information in 𝜅𝑐 . Yet, it only contains the range of where a point 𝑚𝑖 is originally located without providing the information of its exact location. Moreover, if there is more

Genuine Acceptance Rate (GAR)

C. Security

1032

94

95

90

κp = 18

85

κ = 28 p

κp = 38

80

κp = 48 κp = 58

75

0

5 10 False Acceptance Rate (FAR)

15

Fig. 7. The ROC curve of various {𝜅𝑙 , 𝜅𝑝 } pairs, while the 𝜖 is fixed. It is shown that 𝜅𝑝 = 38 has better performance than 18, 28, 48 or 58.

than one point in the cell whose size is specified by 𝜅𝑐 , all those 𝑚𝑖 points are mapped into the same (𝑚𝑖 )𝑐 point. So, even though (𝑚𝑖 )𝑐 can be revealed, which is actually hard, 𝑚𝑖 is still hidden. V. C ONCLUSION Cancelable fingerprint templates can provide protection against security and privacy attacks. The existence of intrauser variability and interuser similarity is a challenge to the performance of secure fingerprint authentication. In this paper we have developed a cancelable fingerprint template scheme, which generates a vector string to be stored in the database or smart card as the cancelable fingerprint template. The proposed scheme exhibits a relatively low EER and meets revocability, diversity and security requirements for cancelable fingerprint


template design . ACKNOWLEDGMENT The authors would like to thank the financial support from the ARC Discovery grant DP0985838. R EFERENCES [1] Tohari Ahmad and Jiankun Hu. Generating cancelable biometric templates using a projection line. In The 11th International Conference on Control, Automation, Robotics and Vision, ICARCV 2010, 2010. [2] A. Arakala, J. Jeffers, and K. J. Horadam. Fuzzy extractors for minutiaebased fingerprint authentication. ICB 2007, LNCS 4642, pages 760–769, 2007. [3] A. Cavoukian and A. Stoianov. Biometric encryption: A positive-sum technology that achieves strong authentication, security and privacy. Information and Privacy Commissioner/Ontario, pages 1–48, 2007. [4] Ann Cavoukian, Alex Stoianov, and Fred Carter. Biometric encryption: Technology for strong authentication, security aand privacy. IFIP International Federation for Information Processing, 261:57–77, 2008. [5] S. Chikkerur, N.K. Ratha, J.H. Connell, and R.M. Bolle. Generating registration-free cancelable fingerprint templates. In 2nd IEEE International Conference on Biometrics: Theory, Applications and Systems, pages 1–6, 2008. [6] Y. Dodis, L. Reyzin, and A. Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptoogy (EUROCRYPT’04), LNCS 3027, pages 523–540, 2004. [7] F. Farooq, R.M. Bolle, Jea Tsai-Yang, and N. Ratha;. Anonymous and revocable fingerprint recognition. In IEEE Conference on Computer Vision and Pattern Recognition, pages 1–7, 2007. [8] FVC2002. Fingerprint verification competition, 2002. [9] F. Han, J.Hu, X. Yu, and Y. Wang. Fingerprint images encryption via multi-scroll chaotic attractors. Applied Mathematics and Computation, Elsevier. [10] J. Hu, H.H. Chen, and T.W. Hou. A hybrid public key infrastructure solution (hpki) for hipaa privacy/security regulations. Special Issue on Information and Communications Security, Privacy and Trust: Standards and Regulations. Computer Standards & Interfaces, Elsevier. [11] J. Hu and F. Han. A pixel-based scrambling scheme for digital medical images protection. Journal of Network and Computer Applications, Elsevier. [12] Jiankun Hu. Mobile fingerprint template protection: progress and open issues. In 3rd IEEE Conference on Industrial Electronics and Applications, pages 2133–2138, 2008. [13] A. K. Jain, A. Ross, and S. Pankanti. Biometrics: a tool for information security. IEEE Transactions on Information Forensics and Security, vol. 1 no. 2:125 – 143, 2006. [14] Zhe Jin, Andrew Beng Jin Teoh, Thian Song Ong, and Connie Tee. Secure minutiae-based fingerprint templates using random triangle hashing. LNCS 5857, pages 521–531, 2009. [15] A. Juels and M. Sudan. A fuzzy vault scheme. Designs, Codes and Cryptography, vol. 38 no. 2:237–257, 2006. [16] T. Kevenaar. Protection of biometric information. Security with Noisy Data: Private Biometrics, Secure Key Storage and Anti-Counterfeiting, pages 169–193, 2007. [17] Chulhan Lee and Jaihie Kim. Cancelable fingerprint templates using minutiae-based bit-strings. Journal of Network and Computer Applications, vol. 33 no. 3:236–246, 2010. [18] D. Maltoni, D. Maio, A. K. Jain, and S. Prabhakar. Handbook of Fingerprint Recognition. Springer, 2003. [19] Neurotechnology. Verifinger, version 5.0. [20] N. K. Ratha, J. H. Connell, and R. M. Bolle. Enhancing security and privacy in biometrics-based authentication systems. IBM Systems Journal, vol. 40 no. 3:614–634, 2001. [21] Chris Roberts. Biometric attack vectors and defences. Computers and Security, vol. 26 no. 1:14–25, 2007. [22] A. Ross, J. Shah, and A.K. Jain. From template to image: Reconstructing fingerprints from minutiae points. IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 29 no. 4:544–560, 2007.

[23] Yoichi Shibata, Masahiro Mimura, Kenta Takahashi, and Masakatsu Nishigaki. A study on biometric key generation from fingerprints: Fingerprint-key generation from stable feature value. In Conference on Security and Management, pages 45–51, 2007. [24] Y. Sutcu, H.T. Sencar, and N. Memon. A geometric transformation to protect minutiae-based fingerprint template. SPIE, 6539, 65390E-1-8, 2007. [25] Y. Wang and J. Hu. Global ridge orientation modeling for partial fingerprint identification. IEEE Transactions on Pattern Analysis and Machine Intelligence, 10.1109/TPAMI.2010.73 (2010), 2010. [26] Y. Wang, J.Hu, and D. Philip. A fingerprint orientation model based on 2d fourier expansion (fomfe) and its application to singular-point detection and fingerprint indexing. IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 29 no. 4:573–585, 2007. [27] H. Yang, X. Jiang, and A. C. Kot. Generating secure cancelable fingerprint templates using local and global features. In 2nd IEEE International Conference on Computer Science and Information Technology, pages 645–649, 2009.


1033